FINISHED TRANSCRIPT
EIGHTH INTERNET GOVERNANCE FORUM
BALI
BUILDING BRIDGES ENHANCING MULTI‑STAKEHOLDER COOPERATION FOR GROWTH AND SUSTAINABLE DEVELOPMENT
OCTOBER 24, 2013
9:00
WORKSHOP 91
ROLE OF MULTILATERAL ORGANIZATION IN CYBER SECURITY
********
This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.
********
>> My name is David Satola from the World Bank. I'll be moderating the session. Let me thank the government of Indonesia for hosting this event. This is workshop 91, multilateral cooperation in cyber security. We have effectively two sessions this morning. The first session of about 45 minutes will consist of a panel discussion from the international organizations. The second half of the morning session will be sort of case studies presented by countries about their experience and interactions dealing with multilateral organizations in context of their cyber security initiatives.
Very quickly, the first panel we introduced the panelists, I'll let them give a bit more biographical information as they go through. In order of presentation, we have Tomas Lamanauskas from ITU.
Mr. Chung from OCD, Antonio. (
Missed) from the inter‑American development Bank.
Alan from the world economic forum.
And Chris vain from the World Bank.
Jaya, you're in the right place. Have a seat. I'll turn it over to Tomas.
>> Thank you, that interest induction is more than sufficient. In terms of ITU, it's good to remind us, it's a U.N. agency responsible for expertise, combining 193 member states around 700 private sector members and more than 60 academic members. We have facilitated world information society, C 5 specific building confidence and security in user groups. That means we facilitate the group of other U.N. agencies, collaborate with other U.N. agencies on that agenda. And with C especially in terms of today's panel, and we will have more discussion, but we see our work as special subject matter expertise especially in the areas of organization and development.
And in complementary to the work being done by social organizations like development banks, a couple of representatives of these organizations are here on the panel. So in terms of our collaborations, and that is the key topic of today, so we have, one of our most important collaborative partnerships is multilateral partnership against cyber threats. That includes 146 countries joined together to tackle this global issue. And part of the work includes global response that allows those countries to respond to the threats. Also allows capacity and exchange of information.
Also there's cooperation agreement, Interpol that allows cooperation between cyber security authorities, Telecom authorities and police authorities. Part of this work is also working on establishing computer incident response teams, helping countries on that. We already have been working with 42 countries in that regard and established a few successful COTs in some of the countries. That work also includes regional centers.
We have a Arab regional cyber security and innovation center in Oman covering 22 countries in Arab region, and this July resigned an understand of understanding to establish a regional security center in Africa as well. Also we work with various private sector companies, Symantec, ICT 2, micro, exchanging information and collaborative partnerships. A big part of that work is also capacity building, for example, cyber drills were conducted in a few countries. This year a clutch months ago we had a regional cyber drill in Latin America region.
Next week we will have a drill for Arab region. It allows countries to build resillians and capabilities to respond to the threats. Capacity building includes our workshops. In July in Durbin we had a workshop for 20 countries in Africa region. And we trained 27 hundred cyber security professionals, they have given 330 scholarships to over 49 member states, and we now started implementing another project specifically for overseas called cyber security. Again recently just a few weeks ago we had together the Internet society and CTEL, we had a workshop on spam for Latin America.
Some of the U.N. partnerships, again coming back, so we have a very close cooperating relationship with United Nations office for addressing crime. We are building capacity on cybercrime issues. We worked with the European commission on that, called ICP project, Africa, Caribbean and Pacific islands to organization cybercrime legislation. We work with the workr world bank and now are working on Butan on building the team in Butan. And also a very good example of collaboration among many partners on the panel, early December the minister announced in the high level leaders's meeting, Urbejan will be a cybersecurity conference, collaboration with ITU, World Bank, world economic forum, quite a few partners on the panel, another example of collaboration, and in pulse.
The last aspect, I think a very good recent development, U.N. wide frame on cyber security and cybercrime, just last week endorsed by high level program, a U.N. body, and basically combining many U.N. agencies. And that was collaborative effort between 33 U.N. agencies, development banks, and we are grateful for world bank for their good collaboration and support in that, and David personally was very closely involved in that work. And this framework actually, the main purpose is to agree on principle level how U.N. agencies development banks will help developing countries in their support, how they will make sure that everyone is working within their mandates and at the same time holistic support is providing assistance to all the countries, and that they can get support both in cybercrime and also other cyber security issues, that human rights are respected, that also the support is provided, having got a whole government approach, not a piecemeal approach but integrated programming.
Every agencies contributes from their own perspective, adding to the capacities of the countries. Another development that will stem from that, this is the la is part, will be come Pentium, a mandate of different U.N. agencies on cyber security and cybercrime, which is now being developed and will be soon public. So that is something that again will allow countries to very clearly identify which U.N. agencies or development bang is best placed to help them. Also will then allow U.N. agencies and development banks to see who are the best partners for them when responding in country. A lot of good work is being done, happy to share that today. Thank you very much for the World Bank, and IADB and the Korean government for putting together this panel, which is one more step forward in that work. Thanks very much.
>> Thank you, Tomas.
Mr. Chung, giving you the floor.
>> MR. CHUNG: Thank you, moderator, for inviting me to this very important event.
I can say about the Korean government, working party on information security team and privacy, and how the WPISP made contributions on the capacity building. My name is Tai Chung, teacher in one of the large universities in Korea
I served at vice chair of the OECD working part on information security and privacy for last seven years
I was the chair of the committee, thank you, for the conference on cyber space in 2013, which was successfully ended last week in Korea. Then you know the acronym of OECD, which stands for organization for Economic Cooperation and Development, and one more thing, and its mission statement of OECD you probably don't know. It is better policies for better lives, well defines the code of OECD. Then I just am pleased to keep in mind that policies are tool to help the developing countries with capacity building. Towards the goal we are normally takes three steps.
First one measures comparison and analyzes data to understand economy and social changes. Second step is on the basis of this analysis, it develops concepts and policy recommendations among the membership countries. Third step is then promotes policy to improve the economy and social well being of people around the world.
Let me tell you a little more about the OECD. OECD, intergovernmental organization and works for governments. It provides an international forum where 34 member countries discuss the problems and issues that they face and try to find the common solutions to common challenges. OECD members span the globe from north and south America to Europe, Asia Pacific region. They include many of the world's most advanced countries and emerging countries like Mexico, Chile, turkey. Among other international organizations, the OECD is quite special in a few aspects.
First is it focuses on economic development and addresses hundreds of different areas which have an impact on economic and social progress, tax rate division, employment, and social progress, and also education, agriculture, chemical, energy, security and privacy. Secondly, OECD focuses on the policy level. The main business is not to negotiate conventions and strategy or carry out on‑site expertise. It is to help government understand the environment and how to address economy and social challenges. OECD does lots of statistics and publishes analysis. Journalists sometimes call OECD a think tank but it is more. OECD makes recommendations which reflect consensus about what policies work best. They are nonbinding on members committed to do their utmost to fully implement. Thus it's more appropriate to call OECD policy.
Thirdly, not just intergovernmental. Since its creation 52 years ago, the OECD listens to voice from the public sector, in the sect of the economy and in discussions, meetings with civil society, the communities and trade unions. OECD has been interested in cyber security since the 1970s when the members realized that the emergency of ICT had significant impact on economic development. In that context, a trust came up as a key concept because they thought that trust is the essential for ICTs to fully realize the economics and social contributions to the economy. In fact there are many issues, but privacy and security emerge as the main ones for policy making.
From then on, working party on information security and privacy, which has made contributions over decades. Here is contributions made on privacy, since 1980 established international framework for consistent privacy frameworks. It has inspired most privacy registrations in the world, the privacy guidelines devised for the first time since 1980 this year.
Here is another contributions made on security. In 1992 the OECD guidelines for the security of information systems, a set of principles for approaching policy level and recommendations for governments in developing policies. In 2004 OECD published a comparative analysis of 10 volunteer country cyber security strategies. The report provides a brief overview of intergovernmental parties and initiatives of countries addressing cyber security and the policy level, including APEC, the council of Europe, EU, G 8, IGF, lateral, OCD, OESUN, as well as conference of cyber space. The security guidelines were devised in 2002 to take into account the emergency of the Internet. Today they are under review process and gives us an opportunity to work with other international organizations interested in cyber security policy. We have organized a security expert group for the revenue of the guidelines, which is open to participation for international intergovernmental and multilateral organization with member countries.
Now I briefly tell you how we have made contributions to cyber security for the government. First, a policy design not only for the membership countries but also for developing countries. Secondly the OECD approached the cyber security and risk management basis. So development countries take the OECD operation to minimize the damages. The third is governments aren't the only stakeholders for the multi‑stakeholder approach is essential, public private cooperation. Lastly, during the current review of OECD, the 2002 security guidelines we realized that the importance of developing the cyber security internationally, particularly for developing countries. As far as law OECD does not directly help developing countries as much as world bank and IED, but has been helping with policy and experience from trial and errors.
I believe they may be more important than the, the policies may be more important than anything else and OECD continues to try to help the developing countries in the same way. I see that today the IADB World Bank, I 2 and OECD could be a perfect combination in supporting developing countries, financially, IDB and World Bank, and technically by the ITU, and policy to be provided to OECD. This folder has perfectly the developing countries. Thank you.
>> Thank you, Mr. Chung. Very thorough overview of the important work that OECD has historically been doing in this area.
Antonio, I'll turn the floor over to you.
>> ANTONIO: Thank you very much, Mr. Chairman
I would like to start my thank you, saying thank you to the World Bank for the event and the opportunity of bringing to the table different organizations. Just for those of you that don't know who is IDD, it is the development bank basically focused in Latin America and the Caribbean. We are supporting countries in that particular region in areas related to different type of sectors, not only telecommunication but civil work also. What are we doing precisely, we are going cyber security. The IADB recently approved a couple initiatives last month in March, approved initiative for special product that basically tends to be working in countries (missed).
First one is related to development of national plans and organized movements. Second is supporting countries in terms of relations. Third one is basically infrastructure. And the fourth one is capacity building. Precisely under the umbrella of these initiatives, I would like to highlight two projects specific to a collaboration between the IADB and some organizations. One priority is precisely the development of a training center that is going to have like a list of different models, different courses, and will be precisely cyber security for supporting the different officials, governments in the Central America and Caribbean on these particular matters as well as those others. The second one is priority that is going to be launched in 2014 precisely related to cyber security.
When we talk about cyber security, 26 countries from Latin America region, we realize that no more than two or three are having a clear strategy on cyber security. So there's a great opportunity of helping the countries in the development of particular cyber securities strategies, but also in serving a particular experiences coming from other parts of the world. With whom we are working currently.
I would like to highlight three major institutions the IADB is working, the ITU, two important projects, one the creation of the center for the central America region and Caribbean. Then also we are working with them, supporting them in the commission where this particular topic of cyber security at some time is going to be part of it. Then with the OECD we are going to be working on developing a toolkit to promote use and adoption of security services, and cyber security is going to be a part of it. And the government of Rea is a major supporting, and we are basically working together in all of those activities that I was mentioning, just to come up with a proposal for the table
I think that having these types of discussions is simply perfect. Problem is that frequently, not frequently, but I would say recently we are not really sitting all of us together in a friendly and open way and discussing about important issues. The proposal basically consists on creating a community of practice on this particular matter, taking into account the situation of leading countries, Korea, the Americans, Israel, the European commission, and trying to identify which is assisting between regions like for instance where I am working in Latin America and also some other regions, and come up with sounds recommendations that could be discussed in a particular workshops or let's say working tables among different practitioners so that the experience that the World Bank is having extensive experience at the World Bank is having on this particular matter could be shared at some time, the experience coming from the government of Korea or ITU, as well as the IADB, could be put together and we really try to move ahead. All in all, I would like to just summarize everything in just one sentence.
I think that we have a commitment with our people. I mean we are development banks and institutions that somehow are looking for the good of the people and trying to look for making the life of the people better in our different regions. And we cannot, we should have to move on, we can call us, no action to stop a situation or a statement, that can be summarized in three major points. Actions, collaborations, and development. So we have a great challenge among us just to coordinate and seeing how we can accomplish. Thank you very much. .
>> Antonio, thank you very much. I'd sure we would like to discuss with you the community of practice. Alan.
>> ALAN MARCUS: Okay, Alan Marcus, world economic forum. We are an international institution, multi stakeholder nonpartisan platform focused on collaboration and improving the state of the world, all very big words. . Our focus is looking on how to bring various stakeholders an I round very clear global issues. One of them certainly is cyber security. A few years ago we went and surveyed a bunch of CEOs, multi national corporations around the world, government leaders, heads of state, heads of government and other significant ministers. We asked them what was their strategy for building a sayer cyber system. And who was responsible for that within their organizations.
I would say somewhere in the 90‑95 percent range, those leaders could not answer this question. They had no idea who was responsible for securing their cyber assets. In fact, they didn't even understand, than fact you even heard here yesterday that a lot of people don't even think it's a significant issue for cyber security and what it represents. We embarked on a program, on a commitment to bringing together these leaders around something we're calling partnering for cyber resilience. We particularly call it resilience because the notion of security kept evoking the idea of building walls and assuring people can't come in. In fact we know that is not only not practical, it's certainly not pragmatic. Resilience is more focused on how to you build a model that says if attacks occur, they are not catastrophic. How we work together more as communities, how we work together in public private cooperation. With that we built something we started with around the notion of awareness of these issues, how do we get these leaders to start thinking beyond the fact that they point to some random person and say that is the person responsible, and recognize they themselves in the leadership position have a role and responsibility for protecting these assets.
So we built this program moving people from awareness to understanding to action, and specifically the principles that then became part of this activity were four very simple things. We have over 110 organizations now signed up for these four principles, 16 different business sectors, 23 countries, including the ITU, OES, and the European Commission and others. The four basic principles are simply this. First, by signing literally pen on paper, they sign this recognition of interdependence. That is you cannot solve these problems alone. If you keep trying to, you will fail. Recognition of interdependence. Everyone has a role in making this work.
The second is the role of leadership. If you are the CEO, the head of government in a state, you are a significant very member of a party, then you have a responsible to be aware of these issues and to work this into an overall risk framework. Three, that this is something that needs to be part of an ongoing plan, risk management plan, developed practical and effective program.
And four, and I think the most important part to continue with the notion of awareness, you have to promote. We have leaders running around the world to ensure this awareness is happening. One coming up in the next few weeks, an example is in Amsterdam, the grand conference. During that conference one of the sessions will actually focus on more people signing up to this commitment. Two years ago we went back out and interviewed a whole bunch of leaders again, and what we found was now they tell us there was somebody responsible within their organization, and the second question then we asked was how often do you meet them. And that became another challenge
I would say again in the 90‑something percent range, they kind of knew the name of the person, they knew there was somebody, but they didn't meet them often and didn't understand again their role and responsibility.
Now we have been focusing on how build this into an action plan. We brought together a diverse range of leaders and created a set of priorities they need to focus on. One, information sharing so that they can better understand the issues an where there are laws in the way, how we work together with policy makers to take down those places or create safe harbor for communication. Focusing on what is really critical infrastructure, you know, if you are a business leaders, you think everything is, but kind of as a community with your governments, there may be very specific definitions, and what are they. And what is the process we want to use together to foster a better policy development and recommendation actually that came out of this to really frame this from our standpoint as an economic issue. Everybody else focuses as a technical or policy issue, and we want to continue to make sure that happens. But adding this economic issue definitely changes the game quite a bit. So in the last year we went out, and again we interviews lots of leaders. It's quite fascinating to watch how this awareness plan worked because now not only are we hearing they know exactly who is responsible, but that in fact they can tell you the name and the last time they met.
I think this is a huge step forward for leaders taking a role and responsibility. So now what we are putting together is a unified agenda which focuses on contextualizing the recommendations by these leaders and providing an ongoing sustained platform for collective discovery. We're building now the strawman for the economic bold on these issues. So certainly the more we can get involved with this, the better this is going to be. Parallel to some of the other activities we're hearing collectively, I think we at least are making progress. Thank you.
>> DAVID SATOLA: Alan, thank you very much. I think we interested in following up with you on the economic model around cyber security, an issue important to us and will lead us directly into our final panelist this morning, Chris vain from the World Bank. Chris.
>> CHRIS: Good morning everybody, I lead up the global practice at World Bank. It's a pleasure to be here. Thank you for the panelists (inaudible). It's a pleasure to be part of this discussion. For those who may not know exactly what the World Bank is, I'll take a minute or so in describing what we do. We have a new president, he's been in office for about a year (interference on audio). He has early this year focused the World Bank on two prime goals. First is solving extreme poverty in the world. That means those people making 1.25 a day or less.
Second, to raise economic prosperity for the bottom 25 percent of all developing countries. Hugely ambitious globally and one that cannot be accomplished quite frankly without the transforming power of technology, communication technologies as forward to our strategy. We are first and foremost a bank, a financer, and I would say over the last ten years we have probably financed about $4 billion in projects, relative to ICT, around the world (audio interference) in just about every developing country and region. We also are a convener, a patient convener oftentimes, for bringing together those in need and those who can provide advice, assistance and support to the various projects being undertaken. Many of the organizations here at this table have made mention of the fact that we have focused together around the areas of knowledge related to cyber security in a minute.
Last but certainly not least, we are mutual partners in that when we work with our client countries, we do not take sides, do not choose technologies. We are there to help that particular country solve their particular needs using the available knowledge and expertise on products and services around the world. That does tend to make us unique in many respects. About three, four years ago the World Bank created the ICT strategy. And cyber security was key, is key, very much, in that strategy. And we identified some key areas that we were as a bank to focus on. Remember that because we are an financier and have such a massive portfolio of loans, it is our duty and responsibility to ensure that cyber security is built into all of those loans. And we work diligently to ensure cyber security is embedded in the results. I
n that strategy we talked about national cert and development, cyber laws and regulations, business continuity, Cloud and mobile security, capacity building and cyber security in force, national cyber security strategy and policy (hard to hear). Very specifically we have about 125 projects in the World Bank now on the subject of cyber security. And for financing national certs, we have projects going on in Sri Lanka (inaudible) some of the people here in the next session after this one. For cyber security and regulatory framework (inaudible). Certainly not least, cyber security awareness and capacity building (inaudible).
So to the point of collaboration, my colleagues on this panel have done a very good job of talking about the various ways and means and tools that we are working on to I think really begin the process of working much more closely together in areas such as cyber security. So I won't repeat what they have been saying. But I will say that there appears to be almost this bottoms up approach or bottoms up demand for us to work together.
Most recently, I should say several weeks ago in the United States I was with my counterparts from the Gates foundation and part of the U.N., (inaudible) a number of organizations talking about principles for ICT development. Cyber security, security and privacy is included as one of the eight top principles we should all be focusing on, as well as (inaudible). So I think while we are doing these very important and major principles and agreements, I think our own rentees and even some of the organizations who you don't normally think of are coming together demanding that we work together and suggesting, and we are indeed talking about ways to build that to create new very interesting tools to ensure that we are increasing capacity building.
>> Thanks, David.
>> Thank you, Chris. We have a few minutes for questions before we move to our next subsession. Let me go to the remote moderators. Any questions?
Okay, questions from the floor, please. (Interference on microphone). . .
>> Thank you very much. I'd like to go back to some points that Alan, think you framed the debate very well. You talked about resilience, not security. So we don't have wall gardens. You talked about recognize, amongst actors, and this is a key point. For that to happen it depends on trust being placed among actors so they are open to collaboration. Due to recent events which have been framed here at IGF, distress has been undermind, not only hardware companies but also platforms, between civil society and governments, and between civil society and companies.
So I'd like to ask you if you have somewhat adjusted your strategy to this new environment and how would you adjust your strategy to foster trust. And would you say that after these events, cyber security issues will be seen as national security issues, and how this would impact accountability and transparency of discussions regarding cyber security and multi‑stakeholder participation, of course.
>> That is very good question. Let me say this. Trust is paramount. It's kind of that simple. Now, what does trust mean? My definition, for those who have small kids we learn so much for them, I have a five‑year‑old son, and when I get close to him, he starts to get very guarded
I say what is the matter?
I don't trust you, he tells me. Well, what do you mean you don't trust me?
I don't trust that you're not going to tickle me
I say, but I'm not going to tickle you. I don't trust you. Because of course I am. And he loves it and he laughs. But what is he telling me? He's telling me very simple, trust you is do what you say. What happened in some of the recent events, unfortunately, something happened that is not what they said they were doing.
I think that is the trust challenge. With that said, trust is paramount. We can't do this without trust. And we have to make it work with trust. We can't let some unfortunate events holds us back. If we do, we're not going to get there. The Internet and related ICT technologies have created unprecedented growth. There's new economic powers coming on line. Poverty has been erased, things just incomprehensible a few years ago are changing rapidly. We cannot allow a few bad actors or a few trust mistakes to hold us back. So from a strategy standpoint, we're not changing in that respect. We need the world to see and open, safe and usable set of digital opportunities. And the Internet is certainly core to that. I don't see the strategy changing.
I think the more people working together, the better. The simple metaphor we have been using is washing your hands. We all know if we wash our hands, we can prevent a lot of communicable diseases. It's a real simple act. Each of us personally. We don't collectively teach each other how to wash, we just do it individually. If all of us don't, it's okay, because if enough do it we have slowed down the spread of certain diseases. Same thing here. We have to understand the simple tools, and a lot of people are working on making them easier to be available, particularly for is areas that might not have the economic posture to do it. We can build trust. It's a risky world situation.
>> DAVID SATOLA: Very briefly, Tomas.
>> From our perspective, it's important to sometimes separate the global discussion among trust among big actors that has been happening and in the country level. From our experience we have been seeing the collaborations in the country level very efficient, very effective in my experience. People come together and work for the same reason. On a country level the roles are usually clearly defined and they find solutions. That is where I think it's important, especially when you speak about the assistance now to the countries, that I think is important to separate.
I think for ITU then what is important for us also, for nearly 150 years we have been a neutral organization that has built trust in many member states, especially those that need assistance. In this environment what we want to safeguard is that fact, a mutual organization, our standardization practices are totally neutral and membership driven. That means everyone can come and contribute and check each other, at the same time that our development work is being done with a country, the countries that trusted us for many years, at the same time where the civil society is being involved in those countries.
Again from my own experience we have been working very well with civil society on various, in various projects on the ground like I mentioned the recent example in our Internet project on the spam with Internet society and ITU in Latin America. So I think there's some, an is some scientists say, development workers need to keep calm and keep doing the work the world economic forum is doing, and look at the big picture issues a lot being discussed here, thanks.
>> DAVID SATOLA: With that we'll close this part of the session. If I can ask the panelists here now to please quickly vacate their seats and for the next group to come up. In the next session we'll be testing the high hypothesis put on the table by the different mult lateral organizations, and we'll hear firsthand from the countries their experience in dealing with us, which will probably generate a lot of discussion. I'll briefly introduce our speakers. We have Moez from Tunisia, Jaya from Sri Lanka, Aizu from azerbajan. And Isumi following up. We had a regret from Sherif from Egypt. I'll be standing in and giving a one minute overview what he would have presented. Without further ado, I will turn over to our first panelist, Moez.
>> Thank you, David.
I would like to thank the World Bank for this opportunity to deal with these subjects and how we can look forward and develop the cyber security and how to make our cyber space in developing world much more safe. We all know that the developing countries have been very active recently to develop cyber security strategy, national strategy. First of all, I would like to highlight the discussion of cyber security strategy would be very, need to be much more critical about it. Because what is the real situation in the world. We deal about cyber security, we talk about it. We meet a lot, we try to help and try to make things better. But in reality, in the field there's a lot of mistakes. There's a lot of risk, a lot of threats. And people are dealing with those threats definitely. In my country, for example, I can talk about my country, we have national agency in charge of cyber security.
We have ITI which was involved with different actions related the cyber security and cyber sophistication, but these never have been very clear about it, something that is not transparent. Today of course after the revolution it is something we are really dealing with because we need to develop and consider all what we have done for many years in cyber security and cybercrime. When we highlight the reasons for, to make the cyber security in countries, we really think about how to invest, how to develop a system, how to develop (inaudible). At the same time we figure out something very important, that is also we need to develop cyber space. The cyber space in our country is not the same as in U.S. or Europe. If you are dealing with cyber security and you don't have the same cyber space, you are miss taking something. We spend a lot of money in securing things, but we didn't spend a lot of money in developing things.
So I think this has to be considered very carefully as we developing countries. The second thing I want to highlight also is security. We developed and forgot about some of our essential human rights like privacy, freedom of expression. We know very well the situation in our country especially before the revolution and how it was really a big challenge actually to move forward. So cyber security in international field needs to be dual signals not just from national laws. From my country for example we have in the constitution a lot of safeguards in terms of privacy, but we know very well, especially my company I'm running for, related all those precedents. For technical reasons, to prevent some attacks or whatever we want, but we are really active in these approaches. So it is very important today to reconsider strategy, how to implement national cyber security national strategy. And those issues are really important. We cannot really be effective if we could make the cyber security strategy and could implement cyber security strategy and at the same time be like an enemy from our society because we are protecting the cyber space and the users on the Internet at the same time. So these are really challenges for us.
I will try to just finish by commenting on something that we need today to collaborate and really work a lot of partnerships
I listen very carefully to the previous panel and say this is the way we need to go. We are a developing country
I think without cooperation today, we are not able to guarantee minimum of cyber space security. So today I think there's cooperation is essential, and I think we need to deal with it carefully, as well as consider all our human rights present. So by this I think I can maybe give the floor to Mr. Fernando, Mr. Abbasov, the director of the project from Azerbaijan, how the country has dealt with cyber space security.
>> Hi everyone, I'm hear to be here. When I received this e‑mail from Natalija and saw the questions, I was very happy because I wanted a long time for someone to ask me these questions. In this regard, there's a project I think is a great example of collaboration and how the project which started from small idea started to transfer and become very rich in terms of ideas put together. And it's really shaped the entire project. It's a territory approach, aiming to connect Asia with Europe. Precisely Frankfurt and Shanghai. And the idea, you may ask why Azerbaijan, why ICT priorities are there, oil and gas rich country, abundant resources, export more oil per day than Indonesia, for example. The pretext is that Azerbaijan always try to leverage from the struggle. If you look back from becoming independent in the 19 to 20s, civil war with the Armenians, complete mess. Years later, western oil companies, we decide to go back to the pipeline, change the landscape of the entire region. (Inaudible) building the railroad. Why I am giving those examples, to give a small country which perfectly understood what is its place in this region, how it can contribute because of the resources, because of geography.
So that is why back in 2008 or 2009, my minister come with this idea to connect in a terrestrial way the countries of west and east.
Looking at my notes. As I said, the it's the shortest road, only 11,000 kilometers. The most connection with Europe and Asia takes place with submarine cable. We believe cable laid will enrich the regions, will create new work forces there. As I said at the beginning of my speech, it was this idea that we wanted to make a transit (interference on microphone). When we started to work with World Bank, S cab, World Economic Forum, the colleagues and friends started to come up with ideas and it was great to see how the project transformed. So for example, the World Bank. Mission came to us, it's a good idea, but shouldn't forget about Mosa developing very much and it can be great to connect western Africa with central Asia through the bridge. Then they say we have doing research in central Asia, do you have an idea of what is development in terms of capacity, demand for Internet. We said we have some idea but it's not clear. They said okay, we have this kind of research. Let's collaborate, let's include Azerbaijan, let's make it bigger and see what the technical capacity is. Through this way we started to work with World Bank.
So we started, then we started to work with S kap and S kap told us that should be also an extension of Asia super highway. Also we have not too much idea. We always wanted to be China, that was our ultimate goal. Now we're talking about Afghanistan, Mongolia and World Bank too, this kind of collaboration, once again, extremely enjoyed this. We were so excited this small project started to shape, reshape itself, and come to this level. Regarding cyber security conference, which Tomas mentioned, the 2nd of December we're going to have this conference. We'll be more than happy to see you all at this conference. Thanks.
>> Thank you very much, Mr. Abbasov.
I would like to give the floor to Mr. Fernando from Sri Lanka, director of ICG.
>> Thank you, David. Thanks to the World Bank for financing this very significant and important session. The role of multilateral organizations and cyber security. So (interference on microphone)
I commend the world bank and agencies for this harmonized (inaudible)
I work with greater collaboration (inaudible) clients of multilateral agencies. Getting to the topic, we know that many countries have presented developing national ICD strategy and programs capacity load the reduce poverty and transform the economies to knowledge based economics. In the area of ICT for development, we formulate ICT development strategies, multilateral agencies, especially the World Bank and the development bank and European development bank and all other agencies can play a model role. Often we have seen that ICT development strategies funded by governments, with or without support from multilateral agencies do not address the challenges surrounding cyber security. However, it is ICT related investments are to be active and reach their intended development objective is essential that all national ICT strategies include the comprehensive cyber security strategy.
And I think our friend from the world economic forum brought out the point of how this subject of cyber security and the need for strategies associated with it are not significantly well‑known amongst the leaders who drive ICT programs at a national level. In this context I have a couple of points which I would like to speak on. Firstly, the need for ICT strategies aside from cyber security strategies and the role of multilateral organizations, using my country as an example. What are the challenges and needs of developing countries, and how can multilateral agencies match those needs. What cooperation opportunities can be employed to further this collaboration. Often the subject of cyber security and many ICT strategies, it is essential the single most important message I would like to give is that countries must development national level information security strategies in all its ICT development tasks if they want to realize the development code and make their investments worthy. To explain in the presentation mentioned about the ICT investments by the World Bank over a period of time which is significant.
But let us (inaudible) exercise I think it might be worthwhile to figure out what percent of that investment was used for developing and implementing information security strategies. Because often we have seen in the developing world and emerging countries, ICT development initiatives are undertaken, and there's hardly any allocation for the formulation and implementation of ICT strategies. Our experience in this area is associated largely with the Sri Lanka development initiative better known as the initiative (inaudible) other initiatives of the World Bank. Quite a significant amount of investment has been made to adopt the project that is happening December 2013. From December 5 to December 2013, the investment of the World Bank would constitute exactly U.S. dollars 55 million.
Originally the strategies did not include a cyber security component. There was a component, an e loss component to develop strategies (inaudible) through legislation such as electronic cross action law reform. However, over time the e laws component was adapted to include cybercrime discussion based on practices as well as the development of cyber security strategies and implementing them. The change and application was possible thanks largely (inaudible) World Bank in partner with us and I commend them for that. But we also faced significant colleges then because certain minds at the multilateral agencies thought this was not important. As clients we are not pleased to say that tremendous progress is seen on the ground by multilateral agencies like the World Bank group in this area. The cyber security strategies adopted by creation of high level information security policy, IPOL, as part of the overall government policy adopted (inaudible) in 2009.
And along with that, multi prong initiative included the framework of Sri Lanka, which started operations in August of 2006. So I have explained a lot about Sri Lanka cert and what it has been able to do in the case study which I will be publishing online, and you can check that, the operational framework and governance model. It's a very small team of nine people doing coordinated exercise with multiple agencies across government, the banks, society groups. To give you a quick glimpse of them now, originally, 2007 and 2008, less than 50 incidents were reported. Number one, because the community out there were not comfortable with reporting incidents, and people were not aware of what incidents really affected them. Many of them did not know their computers (inaudible). But as of 2012, we have 1,840 incidents (inaudible) in 2011, so 25 percent increase from 2011 to 2012, swamping the work of Sri Lanka cert. On average, on a monthly basis, there are over 200 case complaints of e‑mail hijacking scenarios and so on and so forth. And cert together with ICT has embarked on sectorwide certs so that those sectors will take care of their own cyber security issues. So the banks have their own initiative that will be explained a (inaudible) case study.
In the area of creating awareness, they have hosted annual cyber security week, combining hacking challenge on national and international level Congress, as well as quiz to educate the public at a school level of the significance of information security. In conclusion, I have just a couple of points I want to highlight. What are the emerging cyber security challenges and needs of developing countries where document of comprehensive security strategies is paramount, but not only that, partnering with clients and implementing them and hand holding them in the creation of solution models is essential. And what are the challenges that we face. Well, this first challenge I would see is transitioning a project from one to another and creating an arrangement scaled down. This is one area we can develop discussion.
In conclusion, I would also urge the multilateral agencies to ensure that there's intraloaner coordination. For example, you see in Sri Lanka there are multiple lending agencies with ICT related projects done in Sil organizations that don't connect up (inaudible) and security policies that have been invested upon. Then we saw for example the study in Buhtan. What was looking in that case is is that Sri Lanka cert has emerged as the first consultation to become part of the global community and forced to do a cert but they have not been included in the World Bank project in sharing challenges and know‑how.
I think what we can do is coordination between mult lateral agencies. With that I conclude.
>> Thank you, place Sherif is not with us, so we have this statement.
>> Thank you. Our friend Dr. Sherif Hashem could not make it but he provided us with a comprehensive case study, and I'll present some of the highlights of that. Also in the context of this presentation on behalf of Egypt, I would take the opportunity to emphasize, as Chris mentioned earlier today, some of the work reflected in Egypt's case study was the result of work done in collaboration with the World Bank and others. The financing arrangement was not alone, it was caused reimbursable advisory services, which is one of among many of the financing instruments that Chris mentioned this morning in which we can engage with our clients. I'll roughly, very quickly go through the main headings of Dr. Hashem's report.
As a lawyer I'm delighted that he started with the legal enabling environment. Having worked with Sherif and other counterparts in Egypt, I know they put a lot of time and energy into getting the enabling environment right up front. At the same time, they rolled out a digital identity management system using PKI, a huge undertaking, 80 million plus Egyptian citizens being introduced to state of the heart, very secure, authentication systems. Egypt has a cert, has many, and also a member of First, as Jaya was saying. I don't know if he would highlight this, but I will highlight the efforts and capacity building that Egypt has undertaken. Sometimes using donor assistance, sometimes not.
But a huge focus on educating the citizenry to ensure in every level, government, industry, civil society, that the dialogue can happen at the same level. There's been a great amount of attention paid to capacity building. He does end up going briefly over different aspects of international cooperation. One of them I'll highlight on his behalf was an effort being done with ITU which is the working group for child online protection. Egypt is chairing that group within ITU. It's a very very important work in this area. So with that, I'll conclude and thank Sherif for providing us with this case study.
>> Thank you, David.
I think we will come back later with some questions regarding that. Before taking question from the audience, I will ask my friend, yeah, go ahead.
>> Thank you. I'm asking the question like you as well perhaps, why am I here. Maybe my only one civil society member, just to put this panel or workshop as a multi‑stakeholder. Must of them come from government organizations. Of course that is logical because the title is the role of multilateral organizations under the multi‑stakeholder idea. This is only one focuses on the (inaudible). Which is fine
I have been working on several aspects of the information security areas. I'm heading a small research institute in one of the prefectures with a population of 1.3 million people, representing one percent of the economy of Japan. The challenges with this small local prefecture and city is similar to what an entire nation is facing sometimes. We don't get much support from central government, a little from local government. This year my colleague, a lady, just received an Asian information security award for some of the, as practitioner. We are visiting more than a hundred schools in our region, Prefecture, most every week or two per week, and giving what to do when you get some silly e‑mail from an adult or on the mobile or you are seduced as a school girl. We have given this to more than 30,000 a year. We have hotline telephone and e‑mail of any kind of problems they face as citizens, and we work with law enforcement or schools, any other parties as multi‑stakeholder. And these kind of activities not only are top at government policy level, but as you mention, implementation is essential because these days everybody has an Internet. We can either attack or receive attacks any time.
I also did some policy study between 2003 and 2005 and lost funding so I can't continue, but however that the we so you very much lack of global cooperation framework in cyber security. I'm pleased to hear finally the U.N. is having this framework. Whether it's really implementable down on the ground is a question.
I was invited at the CIS commission on information security meeting in khazistan five years ago as one of the policy studies experts, and that former, one of the few bodies with very serious governmental or intergovernmental cooperation on information security areas. There's one in (inaudible). We have someone in the ICTU with some working groups. Maybe my question is to ask some question about the world's multilateral and multi‑stakeholder together.
I think it's not an either‑or question, but there are areas where the multilaterals are very good. When it comes to national security or cyber war, there is a need for intergovernmental cooperation. When that happens at Estonia, they communicated with the Russian government and the Russian government said how do you define this? Is it a wall or just some private sector or citizen actions, we don't know. And we have no definition of cyber war at that time or even after. So for some people it's a war. Doesn't mean it's real war. How do you define on international level. Of course we always need for technical business expertise that most bureaucrats don't have, at least in the past.
From the physical infrastructure, these are mainly operated by private companies in certain countries, but also it's a public good, public resource, a heavy amount of government intervention. But also the use of citizen involvement in many ways. INEZA on their board has representatives from civil society and users, just one person, and all the others are mostly the state representatives. But I was told that we really need the citizens to lead in this game. Human rights and privacy concern, I don't have that much, but many of our civil society groups are very concerned about these acts and we would like to be involved. In this panel I think the focus is for the development of developing countries and capacity building is essential. You mentioned about certs.
This is the picture of the certs today. Just downloaded a few hours ago. 61 countries, 283 certs or SISAs. As a member of the first, the only global body operational so to speak. If you zoom in, these white areas where there are no certs as a member of the first, a big hole in Africa and many central and middle east, central and Middle East, Asian and southeast Asian
I hope more efforts to be done. I don't know why Italy is not a member or some other European countries. Anyway, so these are the areas that we perhaps expect multilaterals to really help. By the way, an around the first, as a global one, the only two regional entities, one is TS 13 in Europe as regional can coordination, and AP cert in Asia. Rest of the regions don't have these frameworks either. To me there's a lot to do. And I would like to leave the last voices as multi‑stakeholder on top of this mountain.
I hope you guys will create something a little more to the regional people. Thank you. .
>> Thank you for your presentation. Yes. As we see, there's a lot of gaps and a lot of capacity building required, a lot of things need to be done
I check with audience, any questions for panelists. .
>> Hi, my name is Yiwan, I'm with Korean Internet security agencie.
I want to thank you for insightful remarks
I attended the Seoul conference on cyber space and capacity building agenda, and one of the things emphasized in the panel was covering best practices for developing countries is important, however, we have to focus more on finding the appropriate practices for each country or the region. And I want to know how multilateral organizations are working on how to formulating tailor made projects, in particular in the cyber security capacity building projects. .
>> DAVID SATOLA: I think this probably goes back a little to the first panel. If there are any other members from the first page who want to chyme in, let us know. Representing a multilateral development bank, I'll take a crack at answering your question. While I agree with you that there are not any cookie cutter approaches to this, and you speaking on behalf of my own institution, we do very much attempt to tailor our projects to the needs of the countries with whom we are engaged, at the same time, there are some basic principles that need to be adhered to. Sometimes these principles evolve.
So Alan this morning mentioned this principle of resilience as opposed to walled security. That is a very important principles, but that has evolved over time. When we started in this game in the mid '90s, it was about security, no not resilience. Nila made a very important point about safeguards in human rights attended to cyber security and achieving a balance about protecting cyber space as that might be defined in a country and protecting citizen rights and their security. These are very difficult questions. We're dealing internationally across cultures and legal systems and across languages. With the introduction of different scripts now on the Internet, we're dealing with a lot of different variable factors that need to be taken into account.
I take the point. And I do think that there's an effort being made to address the regional needs of countries, while at the same time ensuring that these kind of internationally accepted norms are expanded (microphones interference).
>> If I may include what David said in response to that question, I completely agree with David. Our experience in this area has shown that over time, since 2005, there's a significant partnership developed along with a number of agencies like World Bank and commonwealth the primary client, which resulted in an extremely well structured, tailor made program to suit our needs. So there was significant attention done in one thing, engaging a multilaterally partner with ICT development strategy, is that there's an opportunity at that point to bring in international best practices. I want to give examples that might be relevant and also might want to address a point (microphone interference) the role of multi-stakeholders themselves as part of this exercise. One example that I would like to Cite, is in developing the cybercrimes law drafted in 2001, it was a complete national driven framework with using U.K. and single (inaudible) perspectives, but when that was brought into the fold of the Sri Lanka strategy, what we were able to do is making best practices to include the analysis needed based on the human rights guidelines found in the Budapest convention.
This was the best practice used for the best guide involved in coordinating some parts (inaudible). That was also very useful. Second point on the role of multi-stakeholders that I want to highlight is that one experience that I can share is that when we started both the ICTA, the national agency under which the Sri Lanka cert became a subsidiary company to make it a flexible model to hire people signing up for the rates, that became a big challenge but we managed to work on that. At the early days we found the composition of the goal was the problem. We had an entire government oriented board at the beginning. But since 2008 and mid 2009, the board was restructured to include multi‑stakeholder model, and now we have both in the cert board and ICTA board communities representing the private sector and civic society groups, and that completely resulted in a paradigm shift in the implementation and activities undertaken both by ICT and (inaudible).
>> I would just comment for cert, all the certs in developing world I think government certs. But maybe going to the what statement (microphone interference). Important for us to consider also having a community based cert that could be very important work for national security implementation. They are really a lot of today a lot of young generation willing to be part of the national security agency or what we call community‑based cert. And this is very innovative in our developing world, and it could be really another response to the western attack (inaudible). We have other questions?
. Okay. .
>> Thank you very much, just adding to the same question if I may. Using like David's invitation to add some people from the previous panel. For us at least one important principle that is not from us to you in terms of developing country support. So the countries helping each other. ITU it's a very important principle because we are a member state driven organization. We are not considered secretariat is providing support to the members but members providing support to themselves in collaboration. That is where I think there's already very good example mentioned from Sri Lanka collaborating in designing the toolkit. Not like a toolkit designed by experts and imposed on the countries, but the countries are involved in that. And slow other projects we helped implement with the European community. In Saharan Africa, Caribbean and Pacific, not experts going to teach, but export support, countries designing the framework that we would help implement. That is think a very important principle that overcomes a bit of that cookie cutter approach, trying to implement that. That is just facilitate the work by the countries themselves and on their own, and they deciding priorities and the goals, deciding the best solution when necessary.
>> Thank you. Question here. .
>> Thank you for an interesting panel. My question or comment is more about the human rights part of this whole cyber security and cooperation, whether there's going to be some kind of monitoring mechanism that will hold some of the governments who are part to this convention, that actually violate human rights or freedom of expression by arresting activists who, you know, are expressing or practicing their freedom of expression on line, under this overall convention of protecting rights of people, et cetera. Thank you. .
>> Thank you for this comment. I think we have highlighted a lot of times the importance of human rights and privacy to ensure national security. It's not just a matter of having people in jail or something like that. For example when a hacker, yesterday for example in Tunisia we had opportunities, the revolution January 32011, and yesterday again attackers attack a lot of sites and data centers in Tunisia. What we can say, when we deal with these operations coming from other people and so on we need to be careful because young generation can be involved in separation and they are a number of people that can be worthy for the economy.
What we need is capacity building, and the Asia case study, it's important to try to train those people to try to avoid critical scenes that could harm them in terms of freedom of expression. This is very important.
I think we need to consider differently in different developing world because we are not in the same situation as in different places. A lot of things to be done
I agree with you. Yes.
>> I agree with you. But also I'd like to highlight human rights have different dimensions. Maybe relates to what you said about the development of the economy as well. In Korea or Japan, youngsters are very annoyed or abused experiences with games, getting there, being exploited commercially. Many children are playing the game over the mobile or smart phones, and they are almost forced to buy, spend money, on some gadgets. It's becoming a big problem. So it's a sort of human rights violation from the commercial sectors to the public. A lot of information happening using all the SMS's and sometimes people kill themselves. It's different dimensions. It also requires huge education on top of the political rights on free speech, which are very important. But the cyber security or employment of the internet to everyone is creating wider social problems which we also need to address.
>> Thank you. We can have one minute comment
I think what has been highlighted is very very important. It's something that we could really, we need collaborate, we need to be a partner of multilateral and multi‑stakeholder approaches for different reasons. Because there's a lot of critical issues that we need to touch base (inaudible) in development work.
>> Yeah, in conclusion, yeah, extremely good panel. Thanking the World Bank, my two parting messages. For any developing country to come up to speed in the area of cyber security strategies or ICT strategies, they have to necessarily engage multilateral agencies. That is a necessary factor. And the resulting benefit will not only be to your country, but can percolate down to the regional sphere.
For example in Sri Lanka we had a lot of capacity building activities, but in those activities we also included initiatives (inaudible). A lot of patience is needed. Multilateral agencies need to be patient and have a hand holding process and not develop them like a hot brick once a project is over, it's gone. And allowing the client to run with it. And maybe there should be a transition phase. But more importantly, the clients themselves have to be patient with the multilateral agencies and understand the dynamics in the way they work. If you engage them from a proper dynamic kind of an understanding‑based perspective, you can get your thing done. Thank you.
>> Thanks. I feel I have been alien because my subject is not very much on the cyber security, but the project itself I think a great result, what we have today is great result of collaboration, which we enjoy in Azerbaijan
I told you how it was transformed from a simple idea to something very practical. In December we are going to sign a document which is going to be another milestone in the development of the same project. We think even after we sign this project, which formally kicks off the construction of the project, still we are going to engage with international, ITU, the World Bank. I'm also planning to go to Kenya, going conference (inaudible). Also going to grab something. Every single meeting, every single collaboration, every sing the expertise with you guys enriches, and I'm happy in this regard that we have you. I want to thank you all. Without you all, my project would be very, very different. Thanks a lot.
>> (Applause)?
>> Thank you, I just want to, one line or two, in order to enhance the real multilateral cooperation internationally, I think there's huge need to enhance the mult steak holder cooperation at the national local level. The true multilateral involves I think not a government for each country, but the citizens and the private sectors all together. And the government is a good conduit to the international corporation. That is my hope. Thank you.
>> Thank you very much. By this, I think we can close now. >> (Applause). (Meeting ended at 10:32).
********
This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.
********