IGF 2017 - Day 3 - Room IX - OF70 Cybersecurity 2.0: Leveraging the Multistakeholder Model to Develop and Deploy Cybersecurity Policy

 

The following are the outputs of the real-time captioning taken during the Twelfth Annual Meeting of the Internet Governance Forum (IGF) in Geneva, Switzerland, from 17 to 21 December 2017. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

 

>> MODERATOR: Hi, everyone.  We'll be starting the next session in two minutes.  Good afternoon, everyone.  We're going to kick off the session.  If I could ask everyone to take their seats.  Thank you for joining us today for this IGF session, this open forum on multistakeholder and cybersecurity.  The title of the session is cybersecurity 2.0, leveraging the multistakeholder model to develop and deploy cybersecurity policy.  My name is Lara Casper, I'll be moderating today's session.  And we have today with us a number of expert speakers who will be sharing their views and experiences on this topic.  Next to me here we have Mr. Jonah Hill, policy specialist from the U.S. Department of Commerce.  Then next to him is Mr. Amit Ashkenazi who is a legal adviser at the National Cyber Directorate of Israel.  Next to him we have Alison Gillwald, executive director of research ICT Africa and professor at the University of Cape Town.  I see Ambassador Feeken next to her, Dr. Feeken is an Australian Ambassador for Cyber Affairs.  And last but not least, we have Jan over there from Microsoft.  We're really happy to have all of them today with us. 

So before I turn to them for their remarks, just a few words on the framing and the objectives for the session.  As you will have seen from the title, we are dealing with ‑‑ we'll be tackling two concepts, multistakeholders and cybersecurity that if I'm guessing if we made a word cloud of IGF 2017, you know they'd probably find their way into the top ten.  But as with many Internet governance buzzwords, I think there are probably as many definitions of these terms as there are IGF participants.  In fact, a mapping done by the New America Foundation found and identified at the moment over 400 definitions of cybersecurity that they've captured.  And on the multistakeholder side, I think that, you know, there are as many views on what it means as there are people you ask.  So despite these conceptual challenges, what we've been seeing recently has been an increasing commitment to dealing with cybersecurity challenges through multistakeholder approach. 

So ‑‑ and what we'll be dealing with here is not so much the theory of these concepts but what they mean in practice.  How do we implement them?  There are a number of stakeholders around the world who are looking to deal with cybersecurity challenges.  But going beyond just saying yes, we need to do this in a multistakeholder way, what is the actual ‑‑ what is the actual approach and implementation look like?  So what we'll do today to allow us to do this, we'll first ‑‑ I'll first invite a couple of our panelists to reflect their views shortly on what we understand as multistakeholders in cybersecurity just to narrow down the scope for the discussion.  After which we'll proceed to discuss best practice and examples of good practice and implementing this approach specifically at the national level.  And we'll reflect a little bit on the incentives and some of the challenges of doing this.  After that I'm going to turn to you.  So we're going to have a question‑and‑answer segment.  And I'll be asking not just for questions to the panel but also your own views on best practice.  And if you have examples of how multistakeholder approaches can be implemented to deal with cybersecurity challenges, it would be great to capture that as well. 

Finally, I'll come back to the panel to see ‑‑ for a round of takeaways and to wrap up the panel.  So we only have one hour for this session.  So I'll have to be a strict timekeeper and I apologize in advance if I interrupt anyone.  It will be strictly in order to keep us on time.  So without further ado I'd like to start us off, and to help us frame the conversation invite two of our speakers to offer their views and what we mean by, in turn, cybersecurity and multistakeholder approach.  And first I'm going to turn to Mr. Ashkenazi.  If you could help us narrow down the concept of cybersecurity for the purpose of this discussion, what do we mean when we talk about cybersecurity?  If you could offer your reflections in, like, 45 minutes, that would be great.  Thank you. 

>> AMIT ASHKENAZI: Thank you.  So it's very exciting to be here in this discussion.  And I want to share with you the way that the Israeli government frames the cybersecurity discussion and policy within the domestic context.  And the first thing to note is that the government is looking at this issue because basically, cybersecurity threats are threats that affect private networks, private organizations.  This is not the usual security scenario where we have voters or public spaces that the government can provide security in.  And the government is called in to assist and perform its, I would say, almost basic provider of security.  This is why we have states in the first place. 

And when we move to do this task which is expected by the citizens and constituencies, it needs to take account the complexity of performing security with a constituencies which are private organizations and, of course, the nation.  And the Israeli strategy looks at this task through an interface of relationships which the government has within the domestic cybersecurity mission. 

The first part of the strategy is institutional.  To set up a new organization which always deals with cybersecurity and to deal with cyber attacks, before we can know and deal with the cyber attackers.  So this is something that the state has to do in order to assist organizations.  The event is an event in which a lot of leaders around the world ask themselves what are we doing in our country, and what is the situation?  It's not who are we calling?  Who is controlling?  Who knows what is going on?  And in that context in Israel, there was one person that could report to the prime minister and discuss what are the measures that are being taken to mitigate this type of event. 

And this type of relationship with the private sector is based on two types of elements.  One is the most straightforward role of government is creating standards and incentives through different mechanisms.  It can be regulation, and it can be other techniques to make organizations more secure.  Sometimes our managers do not internalize the risks of activities to third parties or their activities to the ecosystem.  We saw that.  It was spreading very vastly, and not one corporation which didn't maybe touch its systems caused a problem to other organizations in the ecosystem. 

And the other part which is a more overt type of concept is the role of the government in mitigating the attack.  This is the firefighting metaphor some of you may know.  That before we deal with the attackers, we need to mitigate the attack and make sure that damage doesn't occur.  As a result of the attack.  And we know that organizations cannot deal with this situation by themselves.  We've seen a lot of strong organizations around the world, not talking about small and medium enterprises being hit and they need assistance.  In this role the government has an important task which I think I'll elaborate in the next part to create information‑sharing mechanisms and to collaborate an early detection system and also to share information about how to mitigate the attacks. 

This is a public good that until now in many countries the reason or provision of.  And the way the information security, I would say discipline has developed, requires now for more government intervention in this space.  The last thing I should mention is that what we'll focus on is attacks.  This is talking about bad code indicators.  We're focusing on machines and what machines are doing.  We're not focusing on human behavior on top of these machines.  And indeed, we are not neglecting the attention to the attackers.  But for that, we have existing institutions within our systems, as in many countries.  So if it's a national security threat, it will be dealt with by the national security establishment, law enforcement, by law enforcement, et cetera.  But notwithstanding those important roles, there is a new role for government here to interface with the private sector in order to create cybersecurity.  Thank you. 

>> MODERATOR: Thank you, Amit, for those remarks and helping us frame the discussion.  I might come back to do question of what we mean by cybersecurity later on in the session.  But I'd like to turn now to Mr. Hill, Jonah, if you could offer us your views on the multistakeholder approach.  You've actually written a couple of papers and co‑drafted papers on application of the multistakeholder approach and cybersecurity.  And I'm interested in hearing what are some of the characteristics that define it?  What do we actually mean by it?  So, yeah, please.  Over to you. 

>> JONAH HILL:  In a moment we're going to talk about the multiple applications to different cybersecurity challenges.  But I guess it would be useful before we go there to talk a little bit about what multistakeholder approach is as a matter of theory.  As Leah said, there is a lot of diversity in the use of the term multistakeholder, and it has become sort of a buzzword.  But it does actually mean something, and it does actually have a real practical application. 

So while, you know, different organizations and under different circumstances, the term multistakeholder might, you know, mean different things to different groups.  For us at the department of commerce, we've tried to actually hone in on the core elements of a multistakeholder approach.  And these are core elements that we have applied to our domestic cybersecurity work. 

So most importantly, and I'll walk through quickly what those features are.  Most importantly, we found that authentic or sort of the multistakeholder approach that is most effective is one that is stakeholder driven.  And this means that the organization convening a multistakeholder process or a venue that is facilitating a multistakeholder initiative isn't the one that actually ultimately decides where the process goes.  That it's the participants themselves that ultimately make the final decisions about what is done, what are the issues that are tackled, and that while governments or the conveners may certainly have input and have an opinion, it's not the convener that's making the decision.  It's the stakeholders themselves. 

Second, and equally important, is that a multistakeholder approach needs to be open.  So that means that all stakeholders can participate.  And importantly, the stakeholders that participate should be ones that hold specialized expertise that's applicable to the challenge at hand.  So while anyone should join, it's really important that people who are experts in the particular challenge are participating.  And that doesn't mean they need to hold a particular viewpoint, but they should know what they're talking about.  So it's important to keep the discussion open, and it's important to keep the participants diverse.  But it's also important that those who are there in a particular process are able to contribute.

Third, it's critically important that the multistakeholder approach is transparent.  And that means that anyone can have access to the deliberations.  Whether that's transcripts of the discussions like we have here that, you know, there are videos for folks who can't participate to watch streaming online.  And this really helps create an environment of trust.  It creates an environment of legitimacy and accountability that these aren't meetings held behind closed doors where, you know, there are secret decisions being made, but these are processes where everyone can see what's happening.  And if there's something that, you know, you disagree with, you know, you can have your voice heard. 

And lastly, this is something that I think is maybe more controversial, but is something that I think we at the Department of Commerce find to be critical is that the ultimate decisions and outcomes of these processes, if there are outcomes, are consensus based.  So you don't vote.  You know, this should be a consensus, whether it's a rough consensus or uniformity, about the final outcome.  So that means that, you know, you get compromise.  And you need something that's a win‑win for the greatest number of stakeholders.  And while, you know, that may prevent some of the more contentious issues being addressed, it actually may address some of the more contentious issues.  But it's important that all stakeholders walk away feeling that their voices were heard and that ultimately they were, you know, content with the end result.  So those are really the four features, stakeholder driven, open, transparent and consensus based that we think are critical. 

>> MODERATOR: Thank you, Jonah.  And what I particularly like about that approach is that ‑‑ and what it shows, perhaps it shows that our title of the session might be a little bit misleading because we were talking about the multistakeholder model, whereas actually from what you're saying is, in fact, that depending on potentially what issue you're dealing with, you might apply these characteristics in a different way.  That's certainly our experience as well in dealing with ‑‑ in this space. 

So what I'd like to do now is ‑‑ and as we've said in the beginning, what we are seeing is increased commitments to this approach in dealing with cybersecurity challenges that Amit has laid out at the beginning.  However, I think unlike in the field of Internet governance where the approach itself has become part and parcel in dealing with Internet governance challenges and cybersecurity examples of good practice are still rare and far apart, so what we'd like to do now is talk a little bit about some of those examples and how first some of the governments have been applying the approach at the national level.  And first I'd like to go to Ambassador Feeken to share the experience from Australia. 

>> AMBASSADOR FEEKEN:  Thank you for that.  To follow up rather than give a stock speech to it.  Maybe I can talk a bit about the position that I hold and how we thought long and hard about how they could embody that multistakeholderism in addressing the challenges that we were going to be faced with through our international cyber engagement.  The position itself, as I said, we sat at the beginning of the year when I landed in January and were thinking how could this position embody that?  And I think in some ways I was at an advantage, having come outside of government and sat in a think tank where in a think tank, you kind of live or die by the engagement that we could have across a broad range of sectors.  Sorry, could we just shut the doors?  It's quite off‑putting. 

And the idea being is that, you know, in a think tank, you live or die by your engagement with the private sector, with other NGOs and academia to be sure that you're being influenced by government and getting that broad range of perspective.  We thought, okay, how can this position ‑‑ how can our international engagement be shaped like that?  Multistakeholderism is at the heart of how Australia looks at its international engagement.  We do a range of things at a domestic level, a more practical level which I can talk about more perhaps in the Q&A.  But in international engagement, something that we wanted to do was, you know, on the table, we had an issue, our Internet Governance Forum had stopped and we realized we need to do reenergize that.  And we thought, well, how as government can we assist and make sure that it influences what we're doing. 

So we've committed ourselves through our international engagement strategy to a new Internet governance incorporation.  Because that's where we can take our agenda to an Internet Governance Forum in Australia, share some of the priorities for the year and ensure that the sessions and some of the discussions can have a flavor of our prioritization so that we can really draw from the broader community of thought, not just go with the sole government position. 

It's good practice, I think.  It's a way of embodying multistakeholderism when you stand up in an international meeting and say all about multistakeholderism, you're embodying it if you've been through a process like that.  So we think it's a pretty powerful thing to do.  So we'll be hosting that next year. 

We work with a whole range of privacy sector partners through the process of developing an international engagement strategy but also now one of the ways that we're doing that for this position is having an industry advisory group who will meet at the beginning of the year and again talk about prioritization and how our prioritization is viewed from a private sector point of view and help shape and influence that.  And then also meet at the end of the year.  And I keep putting myself up for these checks and balances.  I'll probably regret it at the end of the day.  At the end of the year to meet again and understand how well have we done against those objectives.  How could we tweak and look at the prioritization for the following year following that.  So in that way, again, having a broader set of stakeholders influence this position and also the positions that Australia is taking in international settings. 

Another way that we're doing that is by understanding that we feel that there's a prioritization we need to place on capacity building.  But just understanding that we can't do any of it alone.  It has to be in that multistakeholder form.  And one of the things we did when we launched the strategy was to launch a range of private sector partnerships and partnerships with academia, with other nongovernmental organizations, some of whom are in the room today.  But we had major projects launched with Quantas, with the aviation industry and banks and a range of other tech companies.  Because they have so much capability to offer.  And we're national, economic and broader social interest merge, well, then it's quite obvious that you should be working together as long as that's done in a sensitive way to the region that you're doing the capacity building work in.  So we feel that also is a really important area of the work that we do. 

Very, very briefly and then I'll be quiet because I'm sure time is coming to a close.  How do we do that at a domestic level?  At a cybersecurity level, one thing we've realized is that we were too classified in what we were doing at our cybersecurity center.  So we physically relocated our center to a less classified environment to ensure that it was far easier for academia, for private sector, for just a broader range of stakeholders who understand the technical details of cybersecurity who wouldn't have been able to engage with us in the past can now do that.  Also from the regional hubs where, again, we have less classified areas so there's more collaboration space.  It's basically governments saying that we don't have all the answers but we want to create the environment where perhaps together we can come up with some solutions together.  So we're trying to provide that working environment where we can embody, again, that multistakeholderism because we know we'll gain so much more from that kind of approach than just trying to pretend that we have all the answers. 

>> MODERATOR: Thank you so much, Ambassador.  Later when we come to the Q&A, I would like to tease out examples from other countries that I know have been developing their national cybersecurity strategies in a multistakeholder way.  I think it would be really interesting to see and maybe compare and contrast how different ‑‑ how different contexts, you know, are applying this model approach. 

If I may come to back to Amit, you mentioned to me earlier today when we talked about this, a really interesting approach or issue that you're looking at through a multistakeholder approach in Israel.  Maybe could you maybe elaborate a little bit on that? 

>> AMIT ASHKENAZI: Sure.  So I'll give a practical example of the issue that everyone knows about the issue, and you should know that the government here, when you enroll the government in the space requires some innovation from the government because security information has been around always.  And the question is what is added value of the government and what can the government do to assist this type of operation?  And we developed our thinking through the multistakeholder approach, it is a government‑led approach, but it has several elements.  On the technical level, on the content level, and if you like, on the legal level from the trust point of view.  And I'll mention all of these. 

The first thing that we saw was a need to create a platform in which companies can share information securely.  So we took the example of creating I would say a social network for cybersecurity professionals called Cybernet.  And it's open to companies and to the security people, and it's secure, and we are the moderators there.  So we can have very, very quick information exchanges.  We created a platform. 

And the second thing that we did around that platform was create trust in the roles of the use of the platform.  So companies can understand what's going to be done both within the communities.  So they have specific communities which are contextual for specific sectors.  And there are also more open forums for border type of trust I would say signals.  And it's clear that the information sharing within this network is shared for the cybersecurity mission.  It's not an alternative to mandatory reporting that some sectors may have to government in other regulatory roles.  And the multistakeholder model allowed this to develop bottom up, like maybe you know the traffic application, very popular Israeli traffic application called Waze which is based basically on people reporting their positions, and then you can understand where you have traffic jams.  So it's the same type of thinking, working here in the cybersecurity space.  But the need for the government to intervene was to create the platform to make sure it's secure and to create a trust by setting the rules of the road for the use of this platform.  And it's quite useful today both for sector‑specific information sharing and between the sectors as part of the cybersecurity mission. 

>> MODERATOR: Thank you.  I think it's a really interesting and kind of a little bit of different example of what I kind of think about when we think about applying the multistakeholder approach.  My hat always ‑‑ always thinking goes to developing national cybersecurity strategies.  I think this is an excellent example of how to model, if you will, is adaptable and flexible. 

I would like to come to Jonah, you next.  I know that NTIA, U.S. Department of Commerce has experimented with the model to deal with a couple issues.

So could you give us some background on that in a couple of minutes, what are the ‑‑ how did you do that?  How did it work?  You know, the value ‑‑ the value from a government perspective on doing it in a multistakeholder way. 

>> JONAH HILL:  Yes, sure, I know we're short on time, and I'm happy to talk with anyone after this, if they're interested in more details.  So my home agency, NTIA and Department of Commerce has a long history of participating and fostering multistakeholder initiatives.  NTI was instrumental in the creation of ICANN back in the late '90s and really sort of takes the multistakeholder approach to heart and has tried to adapt the model and experiment with it in emerging public policy issues. 

And for the last several years, we've been working on a number of technology and privacy public policy issues using a multistakeholder approach.  As of 2015 have started experimenting with the approach and a number of cybersecurity challenges for industry.

So I can talk a little bit about how the process worked and some of the initiatives that we've been working on. 

So back in March 2015, we issued what is called a request for comment.  It's a formal federal government notification process where we basically put out an open‑ended question saying, for any interested party, which is, you know, cybersecurity vendors, software providers, the research community, hackers, even, what are those cybersecurity policy issues where a multistakeholder approach might be beneficial?

And we received dozens of responses from all of those groups, helping us to identify various issues.  And we had a list of about 12 or so public policy challenges that the community thought would be valuable to explore through this approach. 

The first one that we concluded about a year ago was on vulnerability disclosure.  I can talk a little bit more about that if anybody wants to sort of hear about what we did there.  But this was, again, an open, transparent consensus‑driven process where actually we believed for the first time hackers and the vendor community came together to come up with public policy solutions for best practices for vulnerability disclosure.  And this was really about, you know, how do vendors communicate their vulnerability disclosure, how can you come up with standards that can be widely used across different types of software providers? 

After that we focused on IoT and patchability.  And the point here was to really foster a market that offered more device systems that support security upgrades.  And importantly, developing best practices for consumer awareness and understanding.  You know, most consumers, when they buy an IoT device, don't really know whether or not there are upgrades and patches that you can download for the device.  So what we did is we brought together the IoT industry.  We brought together privacy advocates, hackers, to figure out how should we inform consumers about this.  And we came out with a series of documents providing best practices for vendors to make sure that we have an informed community of consumers when purchasing IoT devices. 

And, again, I'm happy to talk with folks about that.  And lastly, we're about to start a new process on software component transparency.  And the idea here is to promote transparency of third‑party software components including open‑source software.  So, for instance, when you buy software as an enterprise or even a consumer, you don't necessarily know what hub libraries are included.  You don't really know what you're getting.  So, you know, this is a process to try to figure out how do you communicate to consumers and to, you know, enterprises that are buying software, what's in the software they're buying, and how might they best mitigate the risk of any kind of vulnerabilities that are included in those purchases. 

So basically, the point is that, you know, we are trying to ‑‑ we use the multistakeholder process to identify public policy issues that weren't being addressed in other places and that really only could be addressed through cooperation between all the parties that were interested.  So we've found the process to be really effective.  There's been challenges, of course, and I'm happy to talk about those.  But, you know, this has been a really adaptable model that's provided for, you know, overall better cybersecurity across the industry. 

>> MODERATOR: Thank you so much, Jonah.  I think we've heard three examples in which we have ‑‑ where the government was the convener.  But that doesn't necessarily have to be the case.  And as we know with the different stakeholders who are critical in maintaining the infrastructure and effectively securing the systems and networks that we are talking about, I'd like to come to Jan from Microsoft next to talk a little bit about your experiences.  I mean, the focus here is on good practice.  And I know that Microsoft has been engaged not only in your internal practices applying the model, but also participating in a number of practices that have been convened by other stakeholders.  If you could maybe give us a couple examples.  I'm going to try and keep it to four minutes if that's feasible.  Thanks. 

>> JAN: Okay, I'll try for four minutes and thanks very much, Leah, and thanks for having me on the panel.  I'll start with a slightly broader overview of what we are perceiving in terms of development on cybersecurity approaches and policy and regulation.  It's quite interesting ‑‑ you know, our team did a bit of mapping in this space.  And we're currently in a situation where over 100 countries in the world are developing some form of cybersecurity strategy, policy or regulation.  And there's a total of over 300 of these initiatives going on as we speak.  Where countries are implementing either updating an existing strategy, writing a new strategy, implementing a policy or actually setting regulatory specifics. 

And from our perspective, that is generally a good thing because we do think we need to pay a lot more attention to how we actually try and stem this tide of cybersecurity challenges and certainly regulation and policy play an important role in this.  But given that the title of our panel is multistakeholder approach is we think it is vitally important that these debates are actually well informed by a larger group of stakeholders than just governments.  And I think I just want to echo what my colleagues on this panel have said.  If you take the simple fact that 80% to 90% of the world's critical infrastructure, which tends to be the main focus of many of these initiatives, is owned, operated and maintained by the private sector, you inherently have a dynamic where you have to have cooperation between those that are in the regulatory seat and those that are running these systems.  And so in that context, I think there are a number of interesting initiatives in the past years that are worthwhile looking at in terms of how that multistakeholder approach and collaboration has taken place.  And I'll sort of flag two. 

One is much more of a bottom‑up approach, and this is the NIST cybersecurity framework.  And I think, you know, from our perspective, I'm not sure how familiar people in the room are with that framework originally proposed in 2014.  That framework, while coordinated by the U.S. Government, actually brought together numerous different stakeholders to the table to really sit down and think about what are the main elements of an effective risk management framework to tackle cyber threats?  There was lots of opportunity for input.  A lot of discussion on how that should be shaped.  And interestingly, that framework, since it was adopted and is now currently actually being revised, was discussed, we have seen that framework fairly quickly become a global ‑‑ a global best practice to at least some degree where you have enterprises outside the U.S., many enterprises in Europe and also some in the Asia‑Pacific region, take that model and implement it.  Maybe not one for one, but generally speaking, take that approach that the NIST framework proposes where you have sort of a set of high‑level functions in terms of protection, detection, respond, recovery and then a number of sort of security objectives or specifics that allow you to ultimately measure your sort of cybersecurity maturity.  At least to a certain degree.  There are ways to iterate on that and build on that.

But broadly speaking, it's something that is not only well understood by organizations and enterprises of different sizes, it's also easy to understand not only how the technical folks do in cybersecurity but also the board member and decision‑maker.  We believe that's fundamentally a very good model.  It was derived in a good way and there's a huge opportunity to implement that broadly speaking. 

There's actually an iso standard that's being developed on the basis of that framework.  So we think that is actually a very interesting approach to help globalize that model.  The other approach is something closer to home here in Europe where you have the NIS directive the network information security directive, much more of a top‑down regulatory approach.  But also fairly interesting because it is the first time that the European Union has sort of agreed on a cybersecurity regulation or directive in this case with a regulatory approach.  And in that context, I'll say that I think it was incredibly difficult for 28 member states at first to come together to agree on a set of rules that are sort of borderline in the national security space for which the EU doesn't have any competence and borderline about protecting the digital economy in Europe.  But what they ultimately ended up doing is to kind of say, look, we really have two constituencies that we're talking to.  One, we need to require governments to do certain things, and that is require governments to have a national cybersecurity strategy, have governments need to have a national cybersecurity emergency response team, and then we need to require industry to do certain things.  And that is to put in place some baseline risk management measures and also report serious incidents to their national regulators. 

And while that generally is, I think, a really interesting approach and a helpful approach in terms of building capacity in the region, what is important, I think, to be mindful of ‑‑ and again, this goes for the just for Europe but also more broadly ‑‑ as we have either these 28 countries or these over 100 countries developing these initiatives, there is a risk of some fragmentation in the approach.  And ultimately, you know, I think when you talk to folks that are practicing this and are implementing cyber risk management measures and policies, there's not necessarily a need to reinvent the wheel 100 times over.  We have been asking ourselves what opportunities are there to kind of harmonize some of these approaches benefiting from the experience of the multistakeholder community and bring some kind of coherence to this. 

And so in this context, we feel like initiatives that look at the how of cybersecurity like the NIST cybersecurity framework actually present a good opportunity to be kind of formatted and fitted into potential sort of regulatory approaches, policies and strategies that are being developed at sort of a higher level.  And so from our end, really, I think there needs to be strong multistakeholder input into getting to these frameworks, but then there needs to be a lot of attention paid by governments but also by industry to make sure we have some level of harmonizing the implementation of these strategies.  And so I think those are just some experiences we've seen in recent years, and we're working very closely with a number of governments to help them sort of understand what works for us, how we keep ourselves secure, and for example how we implement something like the NIST cybersecurity framework as a company. 

>> MODERATOR: Thank you very much, Jan.  And not to give the wrong impression, I think that what our speakers have given us so far are excellent examples of where, you know, and positive examples of how the multistakeholder approach could be applied.  What's important to highlight, though, as well as some of the challenges of doing so.  And for anyone who has been involved in a multistakeholder process, you know, you know that it can be time‑consuming.  It can be costly.  It might not apply to all issues.  And there isn't a checkbook ‑‑ it's not a checkbook exercise.  It's, I think, as well innovating from a perspective of governance.  And a lot of, I think, government‑driven policies are, you know, there's a struggle to implement it because it's just different from how policy has been developed.  I'm going to put that out there.  I see some doubt, maybe. 

But what I'd like to do now is go over to Alison Gillwald and maybe give us a reality check on ‑‑ you know, is this just a nice idea?  You're based in South Africa.  I'd be really interested in hearing some of your experiences from the African continent and how this applies. 

>> ALISON GILLWALD: Thank you very much.  Thank you very much.  I am executive director of an organization called Research ITT Africa which is a South African‑based think tank across the African continent.  I'm working very closely with partners in 20 countries, but I want to preface my remarks by saying Africa isn't a country, which is often how we sort of refer to it.  It's very diverse.  And it's difficult to speak about it in any kind of homogeneous way.  I want to throw out general points and then I'll go to specific cases maybe just to give it some, you know, a nuance. 

So the first point I wanted to make is that the challenge with many of these Internet governance frameworks the challenges with the international treaties and what I've presented is best practice is they are underpinned by assumptions around rule of law, of democracy.  They're underpinned by assumptions of competitive markets, effective regulation, institutional capacity, you know, user consumer awareness.  So basically, one of the fundamental problems is that these assumptions cannot simply be drawn through into practices of Internet governance and of cybersecurity in particular because, you know, they simply don't apply. 

That being said, you know, I think there is value in a multistakeholder approach in the sense that, you know, it can just be lip service.  So we can all say we're all doing that, and we bring everybody together in a room, but in fact, you know, Civil Society is not really listened to or, you know, industry's not listened to et cetera.  But I think we have got examples where multistakeholder approaches are being applied to Internet governance.  And I'll give you examples of cybersecurity in a moment.  Actually have opened up political systems and political processes in countries where it's conducive. 

So, you know, in a country like South Africa, we have strong administrative justice laws that require participation and consultation.  And yet some of the consultation has not been as effective or as really inclusive as it's been in other countries with far less, you know, formally democratic processes and systems.  And that's not to set this up entirely against Kenya, but I think Kenya's an interesting example where multistakeholderism over the last decade has been used to open up the policy process where Civil Society has been very, very active and appointed in official positions.  You know, leading to the first Internet Governance Forum being held in Africa, being held in Kenya.  So it's through the Civil Society organization, there's been formal input into policy processes.  There's also been a very active, enabling environment created through this process for industry.  Obviously a lot of that industry in terms of local indigenous industry is small‑scale start‑up.  And one of the issues in this multistakeholder debate and representation at the national level is, you know, which industry is it?  Because many of our industries across Africa are actually foreign‑controlled.  And of course, when one wants to create an enabling environment in which we can get investment and have good opportunities, but it's also a question of a national sovereignty and what safeguards need to be made, you know, in terms of ‑‑ so I think there is a very real tension between many African governments' perspective on national sovereignty and the multistakeholder model.  Actually the responsibility lies with the state.  And of course, underpinning democratic prerogative is the idea that the state is ultimately responsible and responsible for the security of its citizens, which comes to the point of cybersecurity. 

So I think, you know, the issue with cybersecurity, you were saying that, you know, basically deal be with a situation now where it's borderless and we're dealing with a global economy and we've got to create working systems throughout these global economies.  But in fact, you know, the point about Internet governance and particularly about cybersecurity is that the application is at the national level.  And again, when one assumes that, you know, one's got these democratic or political and economic principles underlying it, in actual fact, there are many countries in Africa that have used cybersecurity and the responsibility of the state to secure and make safe the cyber environment ‑‑ cyberspace for their citizens to actually use arguments of risk mitigation to, in fact, you know, exercise, you know, repressive measures against their own citizens rather than, you know, defense ‑‑ using it as a form of oppression and as a form of, you know, privately funded very often surveillance. 

So, you know, we know that from multinational agencies engagements across the continent involved in capacity building is that, you know, the first thing for the last five or ten years on governments' lists of what we need in terms of capacity building is cybersecurity.  And many of these governments, obviously not all of them, and I really don't want to generalize, but many governments actually are putting this priority above ‑‑ I'm not saying it shouldn't be a priority, it has to be done with everything else ‑‑ but people jump to capacity building for that and not for, you know, autonomous regulation or, you know, spectrum ‑‑ efficient spectrum use because with that, there's security structures and intelligence structures are supported and surveillance systems implemented. 

So I think we need to, you know, use this multistakeholder practice to, you know, get those good practices imbued through regional organizations that we have in the region and, of course, through the African Union who has put out several documentations ‑‑ several guidelines, et cetera, which have not been endorsed by all member states.  It's very difficult to get endorsement of member states, either of the convention on cybersecurity and more particularly on the declaration of Internet rights for Africa, African declaration of Internet rights. 

So, you know, that being said, you have a situation where national ‑‑ the implementation at the national level, which is, you know, might be presented as an effort to comply with international regulations, et cetera, is used for far more negative purposes.  And in this regard, I think it's quite important to try and get these security measures often brewing and really policy laundering some of the cybersecurity practices and laws from the West, from the Northern Hemisphere and out of intelligence and security you know, clusters and implementation or at least joined with justice and you know, more broadly safety kind of environments. 

So in relation to public/private ‑‑ relation to cybersecurity and the implementation of multistakeholder‑type models, I wanted to say that there are a number of examples on the continent.  And we basically have been working on a paper that looks at public/private interplays in the case of Mauritius where a very successful cybersecurity and critical information infrastructure regulation and governance framework was set up, leveraging the capacity particular of a very strong financial sector there which had obviously sorted out security issues, you know, decades ago or at least a decade ago in this area to secure their own systems who have very strong partnerships acknowledging the lack of capacity within government, the specialized capacity within government, not relinquishing the role of the state to provide an enabling environment and a legislatively enabling environment for this public/private interplay to take place, not abdicating responsibilities but coordinating activities around creating secure environments and agreed roles and functions in terms of mitigating risk and creating, you know, a whole lot of things including awareness of people. 

So within this paradigm which we've looked with other countries and are trying to extend across other countries, there are very clear roles for the state in creating an enabling environment.  There's a very clear role for industry in bringing in the expertise that it has.  And obviously also in the area of awareness, but also very critical role for Civil Society who are often at the forefront of creating awareness around privacy and surveillance and various other things.  So we as part of our research do nationally representative household surveys across a number of countries and have included, for the first time, some cyber rights and cyber awareness issues. 

And really what we see is an extension of the Digital Divide really sort of digital rights divide where people are absolutely unaware of the rights that they are able ‑‑ that they should have or could assert but they just simply aren't aware of them in terms of privacy.  And also that, you know, that obviously states have a critical role where we have high levels of digital inequality to play a role, but that there are other components that can fulfill the deficits we have. 

>> MODERATOR: Thank you so much, Alison, for giving us that perspective.  I'd like to turn to the audience now and ask you to pose any questions that you may have to the audience as well as if you have examples that you would like to share.  If I may ask you to be brief.  And as you take the mic, if you could introduce yourself and state the question, if there's a particular member of the panel you'd like to direct it to, please say so.  What I'd like to do is collect a couple and then come back to the panel.  Can you keep your hand so I can see them?  Could I come to Mr. Painter first over there and then I'm going to go over in the back.  Thanks.  Chris. 

>> AUDIENCE: Thanks to all the panelists.  I'm Chris Banner.  I used to be with the government, with the U.S.  One thing I have seen with respect to and one of the speakers hit on this is there seems to be a lot of confusion about what multistakeholder means and what ‑‑ how it applies to cybersecurity.  Because there is a sliding scale.  Not everything is totally multistakeholder.  There are some things around security that are led by governments.  And if you create the expectation that everything is completely multistakeholder, that just isn't true.  And I had that come up one time when I won't talk about the country we're dealing with here, but a country who were trying to convince to take a multistakeholder view of Internet governance said that they were told that that meant that if they were attacked, that they had to consult the multistakeholder community before they could respond, which we said was ludicrous.  That's not what it meant.  But it would be good to work with a multistakeholder community to build up your capabilities. 

So I think there needs to be more discipline around that.  And I do think there's benefits ‑‑ I know when we did our incident response strategy, one of the big benefits that wasn't completely mentioned is when you involve the other stakeholders in the process in the beginning, you then get buy‑in by that community later on so it validates your actions.  And that's been some of my experience.  So if anyone has comments on those, I'd appreciate it. 

>> MODERATOR: Thank you so much, Chris.  Come over to the gentleman in the back.  Could you introduce yourself and state your comment or question. 

>> AUDIENCE: Thank you very much.  I'm Honda from Chinese Mission based here.  And thank you very much for this inspiring workshop.  Yes, as you have introduced when we are talking about cybersecurity, we are talking about many things, and so I want to pick up on just the one particular thing from the cybersecurity is about international security in the cyberspace.  I think it's a different definition from the security of the cyberspace.  So if we just look at this perspective, we will find that the multistakeholder approach has some problem if that it does not have due representatives and it is not effective, and it cannot make a very easy decisions to apply to all the countries.  And there are also some arguments for multistakeholder models that we always said that even though it's tradition of international security in the cyberspace, it's just a traditional issue.  But it faces some differences.  The first is different space.  By the way, I also have some international law on the other space.  It's no difference.  And the second is about it is related to new technology.  But in order to the most security issues in the 20th Century.  The governments do not need to know how do those weapons or those technologies work.  And third is about the cyber ‑‑ the international security in the cyberspace affects civil infrastructure.  But we all know that security issues always affect civilian infrastructure. 

So what do you think the difference is between the international security, traditional international security problem, and the international security problem in the cyberspace?  And do you think that the multilateral approach will be much more effective in the International security in the cyberspace issue?  Thank you. 

>> MODERATOR: Thank you very much.  I'll take one more question and then I'm going to come back.  Over there in the back, someone's been itching to take the mic. 

>> AUDIENCE: Thank you very much.  I'm a university professor of computer sciences in Kosovo.  And I would like to stress this issue of the defining cybersecurity, actually.  Government has adopted a cybersecurity strategy, but we see that there is an issue in defining cybersecurity because there are some special issues in cybersecurity which is, for example, the e‑mail security.  And, you know, I've been telling my students that we're using e‑mails completely wrong.  And because we should use signatures and certificates and encryption. 

For example, today we have all e‑mail servers around the world across the Internet cyberspace that don't accept unencrypted connections by default.  So we need that kind of end‑to‑end encryption by default.  And the strategies and regulations, they must ‑‑ they must also imply this.  So we need an end‑to‑end encryption so that e‑mail security ‑‑ e‑mails would be rejected if there is no ‑‑ an encryption. 

So then we need software certificates, et cetera, et cetera.  So I think in terms of stakeholders and multistakeholder approach, I think that users have a great ‑‑ have a great stake to play, and they need to be educated more.  So there is a need for better education.  And also, when we speak about public policies and cybersecurity, education is of utmost importance.  So one strategy cannot englobe all of these issues.  Then there is the role that the ISPs have in cyberspace.  So what are your comments?  The question is for the whole panel, what are your comments on all of these issues that I mentioned?  And how do you think we should tackle those issues?  Thank you so much. 

>> MODERATOR: Thank you so much for that question.  I think digging deeper into some of these questions, we would be here all week.  But perhaps I'd like to see if anyone wants to take ‑‑ I think there was a particular interesting question in the back, and I think the tension between multilateral approaches and multistakeholder approaches.  And I wonder whether I could put Ambassador Feeken on the spot if you don't mind, any comments on that particular issue? 

>> AMBASSADOR FEEKEN:  ‑‑

>> MODERATOR: The mic is rebelling. 

>> We're on.  I had a feeling you might come to me for that one.  I think maybe what I'll do is I'll blend Chris's point and kind of question at the end with the comments around the colleague at the back, about discipline around multistakeholderism and sometimes there is a place written.  Sometimes there are parts where governments are probably best suited to try and sort out some issues.  And I think, you know, when we do get into the international security environment, there are issues that governments are probably going to be best placed to deal with the state‑on‑state issues. 

But ‑‑ and I say a big but, and I say that with my colleague from Microsoft next to me and they try to push governments to think about norms and international law quite clearly, and that's incredibly useful, and to be frank, if you look at multilateralism over the years, it's not always been just the domain of governments.  Yes, they make the end decisions but they're being heavily influenced by NGOs, third parties and academia and a whole range of groups.  So, you know, it's not going to give you an easy answer.  Yes, there are certain areas of international security where governments will make the final decision, but we will certainly have a conversation and be influenced by a range of stakeholders.  And maybe that also corresponds to other statements that would be made about the infrastructure in which we're dealing with being owned by the private sector as well.  That doesn't mean that there are a broader set of considerations that we have to think about.  But the imperative is on the states in this place so it is simplified.  But there is a real pressure on us now to sit around the table and kind of really get some progress on the great work we've done through UNGGEs in the past and build on the agreements that we've made and, you know, that that pressure is felt acutely I think among states.  But it won't be done in a complete absence of influence from other parties. 

>> MODERATOR: Yeah.  Thank you very much.  And Amit wanted to make a comment as well.  Please go ahead. 

>> AMIT ASHKENAZI: I want to jump in and focus us again that the context that we're discussing here is that we understand that states have a role in domestic cybersecurity.  And we caution them that when they progress in that role, before we take the international discussion, they should study the implications and the roles of the multistakeholder model and the lessons we've learned in other areas of ICT.  And the other thing that we need to take into account is that when states do that, they think that they have to take into account here is that they need to be interoperable with other states doing the same thing.  They should be cautious twice.  One, they need to take into account the interests of everybody in the community using this space for innovation.  And also the way this can affect the way I would say Civil Society, organizations, corporations interact with the global market and with global partners.  And I completely take into account that the rule of law issue is something that we have to take into account.  But I think that in any type of relationship within private sectors, between public/private actors, if there is no trust, rule of law is not completely obeyed to, then this will make the security mission in cyberspace very difficult because private organizations interfacing with government will be very hesitant.  I completely agree about the institutional preconditions that we assume.  But I think that we don't have a choice and actually the government will page difficult choices, they'll have to take into account the price they themselves will pay in carrying out public function in this space. 

>> MODERATOR: Thank you very much.  And I think I'm now putting on a hat of a Civil Society, being a Civil Society myself, and I think we're all learning together.  And I think something that Chris said was about, you know, strike a chord with me is about when do you get involved, often it sounds like we're saying we need to be involved in all conversations all the time when it comes to cybersecurity, but that's not necessarily the case.  I think it's important to say that, you know, we see ourselves from a Civil Society perspective because I don't see anyone here on the panel who represents that view.  So I'm just going to kind of abuse my role as the moderator to say that there's a key role for nongovernmental actors especially in the shaping the social contract around how when it comes to an actual cyber incident, we've already agreed on the basis.  We've already agreed on the principles.  So that then the relevant actors who have to deal with the incident can take ‑‑ can take the responsibility that they need to take.  But we're definitely not saying we need to be in that room discussing with the cert, what is it that they need to do in the next 24 hours while they're dealing with incident responses.  I just wanted to put that out there. 

So unfortunately, we've come to the end of our session.  How the time flies when you're having fun.  So what I'd like to just do is ask each of our panelists to offer any kind of takeaway points or quick remarks.  And if we can keep it brief to one minute and see if there is anything that you can offer to the audience as a takeaway and kind of on the topic.  I'd like to come to to Jan first and go around kind of gearing closer to myself. 

>> JAN: I'll be very brief.  Cybersecurity is a shared responsibility.  And I think you need ‑‑ we need to collectively ensure that all relevant stakeholders are involve in actually tackling these challenges.  That certainly puts the first responsibility on industry in order to make sure that products and services are built in a secure manner, maintained in a secure manner.  It does require collaboration between public and private sector on a range of issues both at the national and the international level, and ultimately I think as was said by others, that that process then needs to be informed and advanced by the broader multistakeholder community.  I think the point here is well taken, that there are times and scenarios when you simply need to have a particular actor take action in a particular case.  So it is not sort of a one‑size‑fits‑all model I would say. 

>> MODERATOR: Absolutely.  Thank you very much.  Ambassador Feeken. 

>> AMBASSADOR FEEKEN: I'll say multistakeholderism, it's an imprecise term but one that we're working hard to try to embody and define.  But it's vital and it really is about putting your hand up as a government and saying we don't have all the answers in such a complex domain that covers so much of broader society.  So it's about saying we don't have the answers but we're willing to engage and incorporate other thinking in the positions that we take. 

>> MODERATOR: Thank you very much.  And Alison, any last remarks there? 

>> ALISON GILLWALD: Thank you.  It is an acknowledgment in equal situations that we have the lack of capacity we have across different parts of the countries that we have to draw on all the resources that there are in the country.  You have to harness all those resources.  You know, just in terms of best practices, in terms of good governance, drawing all ‑‑ as many people as you can, drawing your citizenry into the decision‑making process and your different sectors Internet decision‑making processes are going to give you the best outcomes so that you can participate more effectively and represent your national interests and representing your regional representing yourself and engaging in multilateral decisions from an informed and inclusive basis. 

>> MODERATOR: Thank you very much.  Amit, any last words from you? 

>> AMIT ASHKENAZI: Yeah, thank you.  I think what we'd like to show here that the multistakeholder model should evolve to fit the different contexts of the different relationships that government has in cybersecurity.  And then when we do that, we are doing this in an international fora.  We think that there are shared lessons that we can learn from the discussion domestically.  And this will help us move the discussion in the next phase in a bottom‑up manner to the international sphere as well.  Thank you. 

>> MODERATOR: Thank you very much.  And last but not least, over to you to wrap us up. 

>> Yeah, we're finishing on time.  I'll reiterate, the multistakeholder approach is not a one‑size‑fits‑all approach.  There are different iterations of it, different forms of it that can fit for different types of cybersecurity challenges.  I think it's just important to keep in mind that having a process that is open, that is transparent, that's inclusive, that is stakeholder driven and that's consensus based can really go a long way towards getting buy‑in and helping, you know, make progress on some of these collective action problems that we're all facing. 

So, you know, it's not a silver bullet, but it certainly is a ‑‑ has proven itself to be pretty effective. 

>> MODERATOR: Thanks so much, Jonah.  I'd like to use this opportunity to thank all of my wonderful panelists for offering their thoughts on this important topic.  And I'd like to thank the audience for their participation and attendance.  So thank you very much.  Good afternoon. 

[ Applause ]

(The session ended at 13:31.)