IGF 2018 - Day 1 - Salle IX - NRI Session on Cybersecurity

The following are the outputs of the real-time captioning taken during the Thirteenth Annual Meeting of the Internet Governance Forum (IGF) in Paris, France, from 12 to 14 November 2018. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

 

>> MODERATOR:  Hello, everyone.  Only at this early hour of the day, the people are still a little bit lost in this building.  So Tanya and I decided to start the section.  Their are enough people in the room and I would call all the ones involved in the NRI side, from the national regional IGF.  If no one is in the room, then Tanya will freestyle a little bit with you.

[Laughter]

Are there any speakers in this room?  No.  Wow.  So one moment then.  I guess that people are still clearing outside who doesn't have their badges, who didn't pick up their badges yesterday or the day before.  I want to ask you ‑‑ are there people who are involved in your regional or national initiatives on the Internet Governance?  I see a couple of hands.  And so I see a couple of hands.  For anyone who just came here, there are any speakers, please, please come on stage.  I see that two people who raise their hands were actually involved in what I was going to speak about about European initiatives on cybersecurity.

So I don't know.  I guess ‑‑ I guess actually, ah, that you are all here to hear about different cybersecurity efforts.  And I believe that this session was going to be structured like this like we first were going to provide input on what was going on different cybersecurity discussions and contexts.  Perhaps vulnerable targets, minors and then move into the collaborative approaches to cybersecurity, but since we have no speakers, I'm going to change it.  I am free to, right?

>> AUDIENCE:  I come to support you.

>> MODERATOR:  I guess I am going to make a comment her ‑‑  oh, there is one more speaker.  We decided to freestyle.

So then I'm going to moderate a bit and I'm going to follow the structure of the section I was provided.  I didn't like the structure at all because from the European point of view and you can correct me if I'm wrong, we do not consider cybersecurity at the metal level.  We do consider cyber security the safety of children.  So the discussion was supposed to start with the idea of how in cybersecurity we are approaching protection of vulnerable targets, protection of children online, protection of youth and EuroDIG, we have no approach to this.  We have not approached this issue from the cybersecurity perspective.

It is protection of the critical infrastructure.  It's collaborative approach is to secure networks and we treat child protection as a safe Internet.  Protection of vulnerable targets, awareness capacity building so that child on land protection we believe the two for child protection and for cybersecurity and policies and actors involved are very different and we have to approach these issues from a different perspective.

I'm going to pass the ball here to Adrian.  How do you approach this issue?

>> I am Adrian Custer.  I work with the swiss government cert.  We try to improve cybersecurity in Switzerland from the basic cyber hygiene point of view.  We believe that the more secure national or the global network is the less threats are there for critical infrastructure.  So you will be able to keep on having your power, having your communications and all the other services you need.  We also try to foster corporation collaboration amongst all stakeholders.  Especially we see that there is some responsibility with all the intermediaries because between me and Tatiana when we communicate over the Internet or we interact, there are several players in between and they are usually tasked with just transmitting everything that comes into their networks and giving it out as it is.

On the technical layer, an ISB access provider, he might find out that my computer is infected.  So there is one perspective for one argument.  He says I am required by law to transmit whatever comes out of this connection and pass it on, but on the other hand, as he can detect, I am infected.  I would really like to get notified about this.

>> MODERATOR:  Thank you very much.  I would like to pass it on from Korean IGF.

>> SPEAKER:  I am a representative from KGIF.  I am here to discuss about cybersecurity to relate to Internet freedom.

South Korea has been facing some dread from north Korea.  And then I tried to divide ‑‑ I tried to explain with France first is that the industry really has been attacked by some kind of cryptor attack.  It is really, really highly profiling problem in south Korea.  Some ISP has been locked up because crypto spy ware and then more than 1,000 ‑‑ more than ‑‑ less than thousand sometimes has been emerges from this new emerging cyber attack.  And then including many industry including ISPs are asking government to do something.  But the tension has been arising because when government do something against cyber attack, they need some regulation or authority and then much more power.  The problem is that ISB just reluctant to provide that corporation or some kind of information sharing.  That's tension.

The second one is that government has been divided by several agencies.  In European style, there's some kind of network information security.  I really inspired that and the day is really compressed by the cybersecurity problem.

In south Korea there are much more institutions.  Especially in south Korea's case, the government security agency has a lot more power, but personally I do not know how much they understand the technical problem in the cybersecurity desk in my opinion.  I think south Korea really will be embracing inclusive and much more complacent approach against the cybersecurity problem.

The third one ‑‑ okay.  Civil Society understands what kind of problem or damage they have from cybersecurity, but the problem is they really are trying to protect some privacy in Internet freedom.

Several years ago, they struck down the regulation about Internet education registration act.  There is Internet privacy and that's why south Korean struck down the regulation and then by the side effect of the decision, the problem is that anyone even from the outside of the country, anyone can try ‑‑ anyone can just disseminate a lot of the effectness and information everywhere and then sometimes I believe fake news is mostly dangerous than sometimes cyber attack.  You heard about some kind of case of how things are attacked in the federal election.  They have ‑‑ they just slightly change slightly influencing people's idea, perception.  We can call this public opinion.  When it comes to public opinion, it has been done by many people.  It is a much more dangerous than physical.  It is on the mind and people's trust and then voters cannot vote for people they like.  That's the problem.

I am here to share the information about south Korea and I want to hear from another country.  Question?  She has no idea.  Okay.

>> MODERATOR:  Yes.  I have a few more points.  I saw that twof the speakers started the role of the ISPs and how much they're involved in prevention and cyber attacks.  I would like to put it further for discussion.  The question of fake new cybersecurity and I'm going to address this from the European perspective.  Before I move that, we have new representatives.  Michael Water is looking for the ISPs.  If you can tell us, what is your take, uptake on the ISPs responsibilities?  How much involved they are?

>> Michael Water:  I'm not going to talk about fake news ‑‑

>> MODERATOR:  You are going to talk about fake news, but just not right now.

>> Michael Waters:  I believe it existed from centuries already not on the Internet, but elsewhere.

From the ISP or from the industry perspective, we have some years ago and I explained this were already in many other countries.  We had a nice partnership supported by German government with 2 million Euros to set up a project targeting two Groups.  One is small businesses and one is private individuals.  And the one was about ‑‑ was called ‑‑ the project was called bot three.  It was against infections and from private individuals and it was done together with the virus software industry and together with the press who distributed CD rooms and then with anti‑virus software.  It was so successful that when we started, Germany was somewhere on ranking on number 18 or number 2 or number 3 in the most distributing malware because people had old PCs and stuff like that.

And we went up to place to ranking number 18 after one year just by distributing the software and helping the people to get rid of their infected computers.

The way we did this was also agreed with the data protection authorities.  So there was no one going directly into the computer of a private individual, but they told them what to do.  And they did it ‑‑ we did it with a consent on one side, but also with web pages to help them.

The other project was for home pages from very small businesses.  They quite often know someone who can set up a home page for their business for little money.  Maybe the son who just started computer science studies or something like that.  And, um, we offered a test to see if there are ‑‑ if there is old software, outdated software used, which makes it easy for getting infected with drive‑by infection and any other malware when someone visits their website.  So the way we did it was we got the agreement from the small business to copy to hold stuff down and then it was tested offline in a lab and the result was reported back.  That was the only way we thought which is feasible.  We needed the agreement of the owner, of course, to copy this stuff down to be compliant with data protection rules and business rules.

This is ‑‑ the second project was the problem on how to get to the small businesses like painters or something like that.  And that was the biggest problem and we still didn't achieve the numbers we had with the bot free project.

We both put together these projects to handle it on a European scale and, um, both projects were at least successful and Europe as well.  It was funded by the European Commission as a separate European project, which you can find if you look in the website for bot free.  You may find links to these two projects.

That's what we did from the German IP industry for cybersecurity.  But my personal view is the software and hardware industry is mostly their job to do what already can be done technically and using more encryption even if governments doesn't want it.  Thank you.

>> MODERATOR:  Thank you very much.  We have from Georgia and government.  Can you tell me what the Georgian national level about cybersecurity, the ISPsays role, thank you very much.

>> SPEAKER:  Hello, everyone.  Maybe all of you have heard about Georgia more for its wine and food and culture and less about cybersecurity.  But storag Georgia is in top ten cybersecurity.  And actually, we are second in Europe after aftonnia lined with France.

Why Georgian government paid more?  This replies back N.2008, we had a huge cyber attack on the critical infrastructure and it was the crucial point that government paid a lot of attention when creating agencies, institutional frameworks, legal frameworks, strategies that we're just targeted on developing of Georgian cybersecurity.

On our way to developing cyber ecosystem, we made many, many mistakes.  One of them was this top down approach and having less attention coming from cyber sector and involvement of cyber sector, decision and policy making process.  We already mentioned the wheels and now the days we're on this good part that have the association agreement with EU and generally Georgia is on the way of putting cybersecurity, legal regimes on legal framework and making Harmonization of EU in Georgian system.  From next year, we in the process of implementing these directives so that we'll have a mandatory requirement for critical infrastructures and incident handling and information sharing platforms with Georgian start community.  At the same time, what was new in development is that in our constitution, we put that insuring of cybersecurity should not infringe human rights so that access to Internet and usage of Internet should be in compliance with privacy and other human rights.  Personal data protection and so on and so on it.  Is constitutionally guaranteed within our legal system.

What is also more important is that we are in the process of developing regional partnerships for the insurance or protection of critical infrastructure.  With the regions and within the involvement of eastern European partner countries, Georgia is leading the effort of insuring a cybersecurity protection of commonly used critical infrastructures.  This is a really interesting project and so that all our regional countries would put efforts in insuring cybersecurity commonly used critical infrastructures in the region.  We are in the process of having new cybersecurity strategy with the involvement of cyber sector and it is first design with involvement of academia and Internet service providers and other representatives.  It will be connected next year with three years action plan in the process.  We'll be manning legislations and do a lot of emphasis on awareness and capacity building which is a crucial point for Georgia.  This is in short.

>> MODERATOR:  Thank you very much.  For those who just arrived, I am wearing two hats.  One is moderator hat and another one is the representative of the European dialogue on the Internet governance.  I am making an overview which exists on the European level.

I've heard the worst fake news several times.  I will throw the ball and now my hat of the European dialogue.  EuroDIG would not believe that cybersecurity is a threat.  We throw fake news under the truck of media law of the human rights.  So how do you fight illegal content and what is illegal in the age of digital disease.  And I can say that on the European level, what I see international fake news and I would really like to hear from Korea maybe and from Michael Water because Germany has this European network ‑‑ excuse me.  German network enforcement law about fighting and removing illegal content.  My question is:  Is the cybersecurity another hat answer?  No.  How do you see the trend influence security and jurisdiction and anything related to crime because in European, what I see is this debate about changing the concept of intermediary liability.  So just a big cover here.  Europe had legal directive in 2000 which proclaimd that intermediaries ISPs, platforms and whoever you might imagine have no liability unless they are notified first of all.  And secondly, they do not have obligation to monitor the content proactively.

What is going on in Europe now with relation to content and fake news is introduction of the new concept of intermediary or platform responsibility.  So instead ever changing the consent of liability, now and take down, the European level debate creates new narrative there is responsibility of the platforms and they have to monitor the content.  I see it as a next trend.  I see that, for example, in Germany, there is a network enforcement law and some montash involve involved.

I do believe that cybersecurity includes fake news and if it is, how should it be handled?  Should it be proactive handled and what do you think about this?

>> SPEAKER:  Thanks for asking that.  When it comes to some kind of intermediary liability, maybe some monitoring of obligation and then sometimes struck down the contents where it can be some very critical threat or some anonymous ware.  But in south Korea, there's only the law which they obligate ISP on that obligation only when it is a critical infrastructure.  In short, south Korea has a law about cybersecurity protection in critical infrastructure.  When law enable some authority or ISP to do something and who that works, that means there is close monitoring of everything.  I believe there's a point they're against that.  I realize that exactly the saint thing happens all over the world.  But I can say ‑‑ I think I specify some country name, but some other country they do.  They do monitor everything and they quickly strike down content, I believe.  I personally believe intermediary liability is not a full solution.  They have a lot of buttons about things and sometimes ISP is not much a technical solution against some technological drift.  That's a problem.  So this near solution is implementing sharing.  Cybersecurity threat has been important and I believe because it is one of the processes that Private Sectors and the public sector get together.  I believe it is a multi‑stakeholder of the cybersecurity protection and problem solution, I believe.  But still not many countries has ideal solution about how can they realize or much realize their cybersecurity implementation sharing.

For example, it has happened to some kind of big IT company.  They can ‑‑ do you believe they're willing to provide or treat features that are attacking the government?  We can say yes, but sometimes they don't.  That's the problem.  But government only allowed it to do infrastructure or critical network.  They cannot have holdings.  I already mentioned about cryptor ransom problem, but our country is very smart to attack and focusing not on critical infrastructure.  They attack very small country not connected to everything.  That's why the government cannot monitor everything because they're not critical infrastructure.  I believe to cover that loophole, sometimes they have encryption policy.  Encryption policies are not just some device cases, but encryption policies is not the perfect solution.  Sometimes encryption policy allows the government to ask the IT government to do and who would noble every device.  That's a problem.  I believe there is value conflict between a privacy protection and then protection of the cybersecurity problem.  And then I believe through ISP through the whole network is not the perfect solution.  That's not the answer.

>> MODERATOR:  Thank you.  I would like to pass the ball to Michael and then to Nata.  We went from content monitoring to encryption debates you can.  Briefly speak about the two debates on the international level and do you believe that both of them are related to cybersecurity and if any of them does, how does it implement on the general level?

>> Wow.

[Laughter]

>> MODERATOR:  I am moving to a very interested unchartered territory.

>> SPEAKER:  I just want to go further on what my colleague said about intermediary liability how we handle these things.

As my association runs an Internet peering point, very large one in Germany and in many countries, we were following the problem that secret service came in and tapping lines.  No, not ‑‑ no.  Secret service tapping lines to check.  So we went to court and we lost in the first instance at court, but we knew that we were going to lose it.  We just did this to step further on to the highest court.  This is now pending and we'll see on when it comes out if secret service ‑‑ in Germany, we have two parts of secret service.  One for interior matters and one for exterior matters and the one who is in question here is the one for exterior matters, but it was interior and he was also when tapping lines looking at German nationals which is not the task of that secret service.

So we went to court and we'll see what will happen in the next years.

In principle, the ISP industry in Germany has no problem even not with interception if it's signed off by a judge.  What we ‑‑ what the industry does not like is preventive interception just in case because we don't want the ISP industry according to the laws you already mentioned, Tatiana, to see content and these things.

According to fake news, in the past was sometimes called propaganda and it worked.  It still works today.  We don't address fake news as a threat in the cybersecurity area.  We say if people know it, then they believe it.  That was what newspapers ages ago as well.  They read it and they could believe it or not and could try.  Today with the internet, you have much more sources to check if it's really fake news or not.  And this can ‑‑ this can be needed.

What encryption is, I think the current problem what we are seeing is especially for the infrastructure problem that you have many old embedded systems, which you just hook up on the net.  They don't ‑‑ these systems don't understand any encryption so far.  So it's a metafrom my understanding of time when these things are replaced or when the pressure of securing the infrastructure gets so high to have them replaced.  Otherwise the liability on those were infrastructures.

And I fully agree when you said these fake news and most of the stuff according to media laws and to ‑‑ and this area w media laws, we have our separate meeting.  The media industry they forgot how to make business on the Internet and they didn't come up so far today to really change their business models many of them.  But it's getting better.  It's getting improved now and they make more revenue but still the laws as they still exist are to a different business model from the ages.  So ‑‑ and this is also why those distributed content from the media industry may carry with it vulnerabilities and, um, making the system unsecure.

>> MODERATOR:  Thank you very much.  I actually agree.  I agree with him that fake news are influenced in cybersecurity debate and I see it in Europe.  I don't know about other regions, but as much as we want at EuroDIG on the European level to treat them separately, they wheezeel their way here and there because they are related finally to the intermediary liabilities and I will pass the floor to Nata and Adrian.

>> SPEAKER:  Yes.  Cybersecurity is influenced by them.  In Georgia it is not the responsibility.  Because like in German case, it can take down the content if it is illegal said by judge.  We have a court order for that and not based on somebody's perception and not based on the monitoring of the systems.  So monitoring and preventative monitoring of the network is not responsibility and it's not a good practice that is encouraged in Georgia.  Considering our geo political situation, fake news and prop up gun place a big gun in political decision making process.  And for that, our ministries have divisions, strategic communication divisions that fake news and how to have state response to take news by those division.  Minister of defense and justice.  Their response is giving the proper information to public.  And not censorship and not taking down the content,bi giving the proper and valuable and right information to the information society.  This is the kind of process.  And we are taking and looking at fake news at the part of the hybrid war fare.  This is right now.

>> SPEAKER:  So if you use the word war fare, are you relating it to cyber attacks or to war or to both?  I know these words came from the cybersecurity debate and now it is just moving more to illegal content than to security.  So do you think that they should stay separated or just natural process or ‑‑

>> SPEAKER:  It is very difficult.  But having these words together, when we had armed conflict and together with armed conflict we have like information ‑‑ fake information sharing on situations and this is what happened in Ukraine and what is happening in Georgia right now.  Together, we have propaganda and this is hybrid in old terms together.

>> MODERATOR:  What can you say about all these discussions from your national perspective?  Thank you.

>> SPEAKER:  I see some similarities between the fake news debate and cybersecurity debate.  In that regard, it is all transmitted data and with fake news, it becomes content.  So people see it and they get upset about it.  So they call for someone needs to do something about it.  And therefore comes I discussion about responsibility or even liability with intermediaries.

In cybersecurity around, you don't see the malicious state that does harm in some way.  Therefore, they are able to see several things and I'd like call upon to take reasonable steps and identify and mitigate cybersecurity.  If they wait until you have the court order, the attack is already through or the virus has spread even further.  So therefore, we believe the intermediaries have a vital role to play in securing the whole ecosystem.

With that being said, it is not up to all undernear areas.  Everyone needs to work together to secure the Internet ecosystem.

>> SPEAKER:  I believe they don't need some noble decision.  Because we can divide how fake news disseminates all over the world.  The who produceed it and who disseminated it and thirdly, who kepts ‑‑ keeps seeing this.  We can ‑‑ according to IT research prozac, they are much more human.  We cannot find it because of the anonymous.  But someone who can find this who is to blame?  Who?  Who?  On Facebook, they find who is attached ‑‑ attacked to do it.  And also who is using the bot connected to that.  That's why I'm asking.  When it comes to protection of fake news, we can find anonymous people, but we can ‑‑ the ISP intermediaries can find who using the bot.  Okay.

>> MODERATOR:  Am I right that what you're saying that it is not about content monitoring.  It's about ISPs of responsibility to help with identification of the ‑‑ of who is behind this, but not what is right.  Okay.  This is a very important clarification because I see the security.  If you are using automation tools, you will use them for attacks.  Yeah.

>> SPEAKER:  That's why there is no need to why the wide content.  They find out who is the manipulator over smaller volume.  Not the need of the controller.

>> MODERATOR:  Thank you very much for the clarification because I believe it is important in the realm of the debate.  We have 10 minutes left.  Are there any questions from you before I will ask the speakers to wrap it up?

So seeing no hands.  I would like to ask the general question.  Name me one challenge your ‑‑ secondly, how do you see your national initiative contributing to the cybersecurity on a national level?  Do you contribute or do you just says is?  Two questions.  Challenge and your contribution and Iing start with Korean IGF and we go this way.

>> SPEAKER:  Okay.  I tried to suggest the floor to raise their hand about questions about your own country.  Any floor?  Please identify your country and name, please.

>> I'm from Colombia.  My name is Alvaro.  I think one major issue about fake news, especially in my country is they are displayed as if they were true.  These people that make fake news, they try to make much of the information similar to one of the Europes web platform.  So I think there's an issue about how these fake news are being displayed.  So I think a good initiative would be to teach people the difference between how does an authentic news is and because ‑‑ not that it is there you just because it looks like it is true.  Speak speak thank you.  I wanted to find out how you mitigate fake news from spreading?  I would also like to link it to the current U.S. elections where information was given to voters and they went to wrong polling stations during the elections.  How do you mitigate that?

>> MODERATOR:  So one cover here.  It is their nation on the international and initiatives and we do not have anyone from the U.S. here, first of all.  And secondly, I do believe my takeout from the discussion we had that child fake news in the realm of cybersecurity can be fought with some of the tools that I used to fight automation or identify who is behind that news.  It is more of a social problem that has to be tangled with different tools.  So going to a particular case, I believe it would be a bit more going to the needs and more polit cased.  I are messengers.  Yes, please.

>> SPEAKER:  Okay.  I am from Boston and I am a member.  Cybersecurity.  I would reach out to the separate example.  My web page for IGF 2015 is now under attack.  And says ‑‑ for quite a while, it is unaccessible to us and then we have no information.  Even though ‑‑ I mean, the design and all this interactive program is really, really very good concept, but we have no use of it.

>> MODERATOR:  So we have all these people in the room because they got lost and came here just by chance.

[Laughter]

I'm just joking.

[Laughter]

>> SPEAKER:  I think it's quite the irony that when IGF forum and talking about cybersecurity, we have such a series failover.

>> I am from Mexico and last year we worked on the implementation cybersecurity strategy and working with a government.  We have the multi‑stakeholder approach from cybersecurity strategy.

I want to know how are you sharing information, strategy information about critical cyber attacks and incidents and how they speak information about government.  Sometimes they don't want to share because they have repetitional programs or maybe the government doesn't want to share information.  If you can share with us their experience in this case.

>> MODERATOR:  As we have five minutes left, each speaker has one minute and this would probably be the last question.  Whatever you want to say, you say.

>> We have for that computer case emergency room building.  And we have no disclosure agreements sometimes that we provide a data to other agencies without telling that this bank is attacked.  But general about what kind of attack is back and provide genal information to that 60 oras well as the others.  Certain cases is a trusted partner for trusted sector.

>> SPEAKER:  We also have government and information sharing.  We do their in the form of a for ther inship and nothing is mandatory in that realm.  We needed to build trust over the years so that private entities share information with us and amongst themselves.  And also we try to provide them with the threat landscape so they know what to expect in the future.

>> SPEAKER:  Now it expands together with industry and all the other stakeholders to deal with these issues and we also have a law where companies have to report within a given time any incidentsy to those.  Some of them try to circumvent, but I think it's only a question of time because it can give everybody as you see on the web page here.  Speak speak in the case of south geia, cyber attacks information from the gray marking and disability to their industry.  But that's not much in the other a warn.  Because why?  Sometimes they can reveal their top secret or some business secret or something.  I don't know how.  This one would only link to do this.  I'm not from the United States, but you have the cyber security sharing act.  First thing is that a day ahead with non‑disclosure policy and even though they know something or each other, they do not identify who attacks or who has been attacked.  Even though they relay the information, they're free from the low liability.  They share the information and nobody can sue them.  That's a bit question.  Very good embear messment.  We have a fake news session.  Please come here again.  I am the moderator.  Thank you.

>> MODERATOR:  Thank you very much and we are just in time to finish.  I am sorry.  We have to free the room.  So could you please, please give applause to our impromptu speakers?  Thank you all so very much for making this session interesting and full of content.  Thank you.