The following are the outputs of the real-time captioning taken during the Tenth Annual Meeting of the Internet Governance Forum (IGF) in João Pessoa, Brazil, from 10 to 13 November 2015. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record.
>> SUBI CHATURVEDI: Good morning, everyone. Thank you so much for joining us today. We should be ready to start in about five minutes. Please take your seats. Thank you.
Good morning, everyone. Once again, a very warm welcome. Welcome to this city and very important session, Cybersecurity and digital trust. We think this theme speaks to the heart of everything Internet, everything that we hold dear and for the future of the Internet. We have a fantastic panel of speakers today. And we hope to have vigorous sustained consistent engagement from all the in‑room participants, and those of us who are going to be joined online. We don't think ‑‑ there are online virtual participants, so hold on to your questions and comments.
I'm delighted to have my colleague Dominique Lazanski, and together, we are going to be joined, guided, shepherded by two excellent moderators. May I call upon our chair from the host country, Paulo Sergio Carvalho, who heads the cyber defense center to open the panel. Over to you, sir.
>> PAULO SERGIO CARVALHO: Good morning.
(no English interpretation).
Which will approach the following topics, enhancement of Cybersecurity and building digital trust. I'd like to greet all those here, and I'd like to thank for the invitation to open this main session. I'd like to say it's an honor and a pleasure to be here, and take part in this relevant discussion, relevant for all the countries in the world. Thank you very much.
From now on, I declare open the session this morning.
As the cyberspace expands itself, adding ever more networks, we also have an increase in the risks inherent to the use of this space. Consequently, an increase in an improvement of Cybersecurity is required, in order to protect the space, and to contribute to its use with freedom and ethics.
At the same time, Cybersecurity shows very clearly that the success of this process depends basically on an intense collaborative action. It requires building and maintaining trust relationships among all the parties involved. And like in any other trust relationship, we need initiatives to bring people closer, mutual knowledge and convincing demonstrations of respect to people's values and rights.
This takes time. Cybersecurity is sustained by technological devices, supported by exact concepts. On the other hand, this trust is based on subjective values.
At first these concepts may seem incompatible, but based on the lessons learned resulting from the work from the several institutions that operate in this area, I think that these concepts are inexorably linked when it comes to cyberspace.
There is an attempt to make these concepts compatible, and this leads us to many questions. Many of these questions are open and will be discussed here.
This panel is no trivial matter. I say this based on the day‑to‑day results conducted by the Ministry of Defense, side by side with representatives from all sectors we collaborate with in order to improve cyberspace security. With all representatives of this sector, Brazilians and people from other nations, we are building and improving the trust relationships. This morning's discussions therefore will be extremely valuable not only for the people who are here in this audience with us, for people who are anywhere in the world, and for people who will see the files of IGF 15 in the future.
Now, you are invited to moderate the panel, Mr. Wout de Natris, and Mr. Blaker, you have the floor.
>> PAUL BLAKER: My name is Paul Blaker, from the Government of the United Kingdom. And throughout this morning, with my colleague Wout de Natris, we will be moderating the conversation up until lunchtime. We are both sure it is going to be an interesting, informative and valuable discussion on enhancing Cybersecurity and building digital trust.
Before we get into the conversation, let me say a few words about how we plan to manage the agenda this morning.
So we have divided the conversation into five sections. First, we would like to try to identify the issues. Second, we will talk about the kinds of capacities that we need. Then we will talk about capacity‑building. Then we will go to multistakeholder collaboration, and finally we will like to look at the next steps.
We are very fortunate to have a really great range of speakers here from many different backgrounds, bringing many different perspectives to the conversation. And just looking around the table, I feel very privileged to see so much expertise and experience in the room. I think it's going to be a really good and rich conversation. Some of our panelists may have to leave a little early, and there may be one or two who are not able to join us until later.
So the approach we will be taking is that for each of the five agenda items, we will be asking four or five panelists to make contributions of around two to three minutes.
After each of the agenda items, we will invite comments from the floor, and any comments or questions from the remote participants.
But to start with then, let's move on to the first question, which is around identifying the issues. There are two questions which have been posed. First of all, what are the critical challenges in establishing resiliency and trust from the different stakeholders' perspectives? What are the key issues and challenges for a secure and sustainable, free and open cyberspace, and how can international cooperation be enhanced?
I'd like first of all to invite David van Duren from the Global Forum on Cyber Expertise to speak for a couple minutes on those questions. Thank you, David. The floor is yours.
>> DAVID VAN DUREN: Thank you. So the question is, what are the key issues? And speaking from the perspective of the Netherlands, I'm also from the Netherlands, the key issue is we are vulnerable. In the Netherlands, for example, 80 percent of the people are doing online banking, 60 percent Internet shopping, 95 percent use social media. 94 percent use more than one PC. So we are very dependent on ICT in our daily lives these days.
What are challenges, what challenges do we face? I think if you look at the past years, the scope of cyber has been broadening from Cybercrime to Cybersecurity to cyberspace. Also, actors involved are increasing. This means we need a comprehensive approach. This comprehensive approach should include resilience, response, recovery, and all kinds of elements like knowledge, awareness‑raising, detection, prosecution, crisis management, etcetera, etcetera.
This is very important, this broad approach should not only have a national dimension but a strong international dimension as well.
Also, because what we do on a national level gets more and more integrated with what is happening on the international level or to say differently, national is international per se.
I think the main challenge is building trust between the relevant multistakeholder parties. And yes, it's hard building trust. Like one person once said, trust takes years to develop and can be destroyed in seconds.
Conditions of public/private cooperation, public/private partnerships, are having a shared interest, trust, a base of equality and getting results.
Within the Netherlands, the partnerships were pretty good I think, and what helps is that, for example, critical infrastructure is very important, it's an end to private organization, but also there is a culture of dialogue. There is not a top/down management approach, and that helps in the multistakeholder setting.
For the Netherlands, it's a challenge to make the next step to secure free, open and secure cyberspace. This means we need a movement, movement from public/private partnership to public/private participations. And challenges for public‑private participation are finding this mutual and individual interests, finding the right balance between regulation and self‑regulation, cooperation and also information sharing. This means having a common understanding of how and under what circumstances to share information.
The second movement is moving from structures to networks and Coalitions. Like five years ago, in the Netherlands we started with building up all kinds of structures. Now they are in place and now it's about working together. And the step is not only working together but building a Coalition of certain topics or certain problems.
It's also the movement from being aware to becoming skillful, and from having a national focus to being internationally focused; national is international.
And last, having a risk‑based approach. Then last, if we talk about international cooperation, like I said, actually we should also, we should talk about international participation. Public/private participation works if people really work together. So this is what we do for example at the GCE. The Global Forum of Cyber Expertise is about capacity‑building on a worldwide scale. It is about working together. It is an informal Forum that was launched at GCCS in April 2015. The core concept is initiatives for parties within the multistakeholder setting to work together on specific topics, to share best practices. Examples of topics are awareness‑raising, responsible disclosure, Cybercrime, etcetera.
On these topics, practical results, best practices are achieved and shared with the global community. So again, to conclude, the key of international cooperation is participation. Again, key elements are identifying shared interests, bring transparency, trust, work together on the base of equality and most important get results. Thank you.
>> PAUL BLAKER: Thank you very much. I invite Willian Check, Vice‑President of NCTA to speak. Thank you.
>> WILLIAN CHECK: Thank you. Good morning. I'm speaking from the perspective of ISPs and private industry, and a key challenge is the fact that Cybercrime doesn't have any borders. This makes it difficult for law enforcement to be able to address cyber crimes. A second issue is something I call economic asymmetry of Cybercrime.
The cost to defend against Cybercrime is disproportionately larger than the cost of performing the Cybercrime or attack. For example, for little money, you can get into the Cybercrime business, but to defend against it is much more costly.
Often, economic incentives for implementing the necessary security are misaligned. For example, some technical approaches to reduce cyber attacks will benefit traffic flowing out of a network, but not on your own network.
Because of that, the financials of Cybersecurity are often difficult to justify within an organization. That is a challenge. Another issue is education. It's critical that people, companies, countries, have the tools and understanding needed to address Cybersecurity issues. Education is one of the most significant challenges.
In the U.S., with a partnership between private sector and the Government, something called a Cybersecurity framework was developed. Notably, it's a voluntary framework for private industry, based on existing cyber standards, guidelines and practices for reducing cyber risk to critical infrastructure.
It's applicable to telecommunications networks, but also other critical infrastructure systems, and it's not one size fits all, but the ability to tailor it to fit the need.
We also recognize that Cybersecurity is everyone's problem and there is no silver bullet. Cybersecurity is no different than any other security problem, other than it happens in the cyber world.
The entry point for cyber threats is still at the intersection between the cyber world and the physical world. So we need to do a few things to address that. One, raise everyone's awareness that they need to take preventative measures when interacting with the cyber world. That is no different than making sure that, for example, someone doesn't sneak in behind you into a secured building.
Second, we need the designers and developers of cyber products and services to think about security from the beginning. Thirdly, we need everyone to understand that the Internet and the cyber world are potentially dangerous places and that no one is policing all of the traffic all the time; therefore, not to connect a critical system to the Internet in an insecure way.
This is where I think organizations that promote developing cyber best practices and collaboration are critical. We will be talking about multistakeholder organizations later. But I did want to raise one multistakeholder organization, M3AAWG, which stands for Messaging, Malware and Mobile Anti‑Abuse Working Group. It's a group of ISPs, E‑mail service providers, mobile network operators, telecommunications companies and infrastructure vendors, and anti‑spam vendors, basically a group of security experts that get together on a global basis to talk about best practices, Whitepapers, and really an opportunity for professionals to share abuse information and their experience with peers.
There are a lot of challenges with Cybersecurity. But talking in this Forum is a great first step for global cooperation. Thank you.
>> PAUL BLAKER: Thank you very much. The next panelist is Mr. Bob Hindon of ISOC. The floor is yours.
>> BOB HINDON: Thank you very much. I think so far I'm pretty much agreeing with what has been said. But I think I have a slightly different cut at it. I've been involved in the Internet since the very early days, and even did some early security work.
This is a topic that many people have opinions on, but there are a few comprehensive solutions. There are no simple solutions. There is not one solution that will do everything. Of course, the Internet is not static. It's not like the phone network that hasn't changed a lot.
It evolves every day. So, the security challenges, Cybersecurity challenges are going to, it's a moving target, both the good guys trying to protect individuals and the bad guys. It's not, you know, it requires I think a new kind of thinking. We don't have, we don't, I don't know that we have much a really good model for this based on our previous experiences.
I'll go through some specific topics, because all of the parts have pluses and minuses. We have encryption. It's a very good technology to keep your data private. Other people can't read it. If you are worried about pervasive monitoring, then encrypt your data. But there is also, there is legitimate reasons why, like the work that he mentioned about doing spam filtering. How would you look at the inside of the E‑mail, if it's encrypted?
We all know the risks of trying to share keys or having back doors, that's not the way to have real security.
We have identity and trust. How do you know who you are talking to? Can you trust the other side? I think this is not, I don't think we need to go as far as knowing who the person is, but I think it's more important to know that you are talking to the same entity or person that you talked to before, so you have some assurance that it's consistent.
We want to be private, we want to be anonymous, but we have seen recently with some of the Gamergate stuff, how attacks on women largely, you know, if you can do this in an anonymous way, it's very hard to stop it.
And I don't know what the, where the trade‑off is there, but it's like many of these, it's a difficult solution. We have a variety of bad actors. We have some states sponsored. We have individuals, we are seeing large scale denial of service attacks for political reasons, for commercial reasons, for I guess just being disruptive. They don't like the policy of the person or organization they are attacking.
We heard about spam. I think about this in two different categories. One is, it started with getting advertisements for stuff you don't care about. But now it's turned into a way of spreading malware doing phishing attacks.
I actually, getting an ad I didn't request is annoying, but carrying a phishing attack and clicking on some link that you thought was from your friend and having it get your computer infected, that is a more serious problem.
I think, and there is not a single entity or Government or company who is going to solve this problem. I think there are roles for governments, for network operators, for companies, but also for individuals. I think we all need to be more responsible about this. We need to be careful, when we use our systems, that they are the latest ones, have the latest patches and running, having security built in them, not keeping old unsupported things around that easily get infected.
One thing that I think is the best sort of structure is for more collaboration between people to really talk about attacks, talk about solutions, talk about what works today, and continuing to evolve that. ISOC has a program called collaborative security which is that sort of thinking, and I think we will need to do a lot more of that before this is done.
>> PAUL BLAKER: Thank you very much. Now I'd like to move to our next panelist, Ambassador David Gross.
>> DAVID GROSS: Thank you for the honor and privilege of being here. I'm impressed we have such a large audience. There is obviously a lot of excellent programs going on here at IGF this morning, but obviously large numbers of people understood this is the place to be because this is the most interesting of all of the sessions this morning. I appreciate that very much.
I'm also privileged and honored to be following Bob. It's great to be on the same panel with someone who has given so much and participated so widely in the Internet, and certainly the organization that he now chairs, ISOC has been an extraordinarily important part of the Internet ecosystem and working on the many of the problems we are talking about this morning.
There are some things that are easy when it comes to the issues we are talking about this morning. There are some things that are hard. Some things are so hard that I don't think they are going to be solved until we have a new technology that replaces the Internet. But that should not keep us from focusing on those things that we can and should be doing.
One of the things that I think is often overlooked and may arguably be easy, but I recognize that there are barriers, are things that individuals can do. It is extraordinary to me, and I have to say that often I'm involved in this as well, we are all human, there are so many things that we can do in enabling the technology we use both individually and in the organizations we are, to enhance our own security. There are security functions in the software. There are security things that you can do in your own home, in your own organizations that are often not done.
In so doing that, you can live a much more secure cyber life. Those are things individuals can do. They are empowered, and they are not particularly difficult. The area of cloud computing is extraordinarily important in this area.
It used to be just a few years ago, when everyone just lived on their desktop, or your PC, and you interconnected with the Internet, that you had to have all your own security. The cloud allows people to have security of the world class type, regardless of where you live, regardless of your economic circumstances. I think those proposals that would inhibit the growth of the cloud through data localization and otherwise are greatly going to have an impact on what could be a much safer cyber world.
Similarly, those who seek to have uniform technology I think often undercut Cybersecurity. The diversity of operating systems, the diversity of technologies, often are a way in which we live a safer cyber life.
The importance of this is obvious, but I would also point out that for those who are committed to Connecting the Next Billion, the next billion are not necessarily just the poor people. Rather, in all the world, including the developing, developed world, there are millions and millions of people who choose not to get online, and part of the reason they choose not to get online is their fear because of Cybersecurity. Taking these steps, making the availability, new technologies in new ways, will enhance the ability of people to get online, even those who can afford it, even those who have technically access, but who are too afraid because of what they read in the paper every day. Thank you very much.
>> PAUL BLAKER: Thank you. Before we open up questions to the floor, I'd like to invite one final speaker on this agenda item, that is Mr. Rahul Gosain, Director of Data from the Government of India.
>> RAHUL GOSAIN: Good morning, Excellencies and my dear friends here. Taking off from what Bob said, he made an important point that Cybersecurity is a key area where multistakeholder cooperation is required. It is not like one agency or one set of people can solve the problem.
Given that practically all of the important online services that most of us access, and the services which most of us use are provided by identities, no one stakeholder holds all the answers to all the problems. That is an important point I think.
Given that governments are ultimately held responsible by the public and are indeed accountable to the public for all security related issues, so one cannot but help underscore the central role of governments in this area. That is the constituency from which I come from, I come from the Government of India. That is why I speak from that perspective.
But given the segregated nature of the Internet, trust is central to the operation and continued growth of the Internet. Each of us must have faith that the data stored in the cloud will remain secure, and that common status transacted on line is based on enforceable contracts.
That is a very vital point. Trust is the currency of today. Digital trust is the currency of the digital world. Evidence based critical assessment of systems, institution and threats is essential to devising effective Cybersecurity strategies, and nation states could think of conducting stress tests that assess the performance of systems and processes, under various scenarios. This would be an effective way of assessing strengths and weaknesses and help determine where efforts would need to be made to move forward.
This is not saying that this is not already being done, but this could be possibly planned to be done more effectively. This is particularly crucial in assessing the resiliency of critical network infrastructure and the continued growth of Internet, if I may say so.
Such stress should be conducted at many levels beginning from the local to the national and even international levels. The interdependencies of computer networks mean that the effects of a Cybersecurity related event can easily percolate both upstream and downstream, meaning that broad‑based tests are essential.
Effective tools to share learning from such tests has already been brought up in the discussions today. Cooperative action to implement corrective actions would go along with building trust in the digital economy.
Apart from that, I would also like to emphasize that Cybersecurity is a very important focus area for India, given our flagship based India program which depends heavily on Cybersecurity, and there is a lot of emphasis on training in Cybersecurity professionals to meet not only the current but future needs for India.
Apart from this, possibly some of the key challenges which we are facing is the rapid advancement in technology has made the world smaller, but not necessarily, the physical and political boundaries between states have sort of been blurred.
It has thrown up key legal challenges, such as determining jurisdiction, ambiguity in whether the sovereigns have power to exercise their will beyond the territorial jurisdiction, and each nation having their own set of rules; crossborder issues dealing with regard to Cybercrime has gained paramount importance.
We need to go a long way in this direction. We need to create capacity and build capacity so that there is greater awareness, number one, and then there is data preparedness to tackle these issues. Thank you.
>> PAUL BLAKER: Thank you very much. I'd now like to open up the discussion to questions and comments from the floor. If you would like to make a contribution, please line up at the microphone in the traditional way, not the microwave unless you are hungry (chuckles).
I think while people are thinking of questions, I'd like to thank our panelists for setting a broad agenda of key issues. We heard about the importance of building trust between stakeholders, about moving from public/private partnership toward public/private participation. I find that idea very interesting.
We heard about the economic asymmetry that there is in Cybercrime, about the importance of education, a range of issues around encryption that we can talk about.
We heard about, a number of panelists speaking about individual responsibilities in this area, and also about the role of governments, importance of stress testing, the importance of crossborder cooperation. There is already a very rich and full agenda for us to think about this morning and other issues as well which I haven't mentioned.
If there are any comments from the floor, either questions to our panelists, or additional issues that you would like to put on the agenda, now is the time. Please, could you keep your interventions to one minute and please, could you make sure that you say who you are and where you come from. Thank you. Our first question. Maybe technical help with the microphone, please.
>> AUDIENCE: Can you hear me? Yeah, okay. I'm Mohit Saraswat, Internet Society Ambassador. I think first of all, I want to commend all the speakers who have raised these important points. It's important that we get into this dialogue, and ensure that those are raised. But if I interpreted correctly, there is one key issue which has been missing, is the data transfer between the consumer and the organization who are building a lot of platforms and apps.
There is too much of data transfer which is happening. While there might be a good reason for economy, for example, to position the ads better, position the product better, but at the end what happens is, I mean these data which is not required can also be used for wrong reasons.
So it is also important that we have a control on the data transfer between the consumer and the app provider, particularly when the mobile is on, and I'm not in for regulations because informed consent becomes a challenge in itself, but it's important that the multistakeholder comes together and ensure to come with standards which have security by design in them.
That has to be enforced on the new generations of app developers. Thank you.
>> PAUL BLAKER: Thank you. Any further questions from the floor? Yes, sir.
>> AUDIENCE: Can I speak in Portuguese? Okay.
My name is Luccas Augusto da Cunna Silva. I study engineering at the Federal University of Alagoas, part of IGF's youth program. In keeping on with what's been said, I think the panel has brought some very important issues.
But now, we are dealing with software vulnerability. And in the databases where we see the level of vulnerability of some systems, some systems have shown a very high vulnerability system. So hackers can just access these systems' Administrator, thereby they can have access to the microphone, to the camera, to all the data and everything that you have inside a computer, notebook, for example.
So in this environment, we have to think that we need to develop a system, you are developing something like a car. When you design a car, you need to resort to technical standards, safety standards, so people can drive safely and survive.
We know that information and the virtual environment that we live in, in the Internet, leads to real damages. How far can the companies go or how far do they have a responsibility regarding information responsibility?
>> PAUL BLAKER: I will ask if there is any remote participation, contributions. You have the floor.
>> AUDIENCE: Hi, Mubashir Sargana from Pakistan. And my question, but I think it's a comment, I think Google, Yahoo!, Bing, they also make people vulnerable, like indexing and archiving their public data as well as private data, without even their consent. For example, if someone's data gets leaked, is posted on a Web site, someone else can easily search it out to any search engine. Thank you.
>> PAUL BLAKER: Thank you very much. Could I ask, are there any questions or points from remote participants? (pause).
Okay. I think that is a no for now. But there will be later stages during the conversation where remote participants are welcome to make contributions.
There are three questions there, thank you, one around data transfer, one around the vulnerability of systems, and another about consent and the use of data.
Before we move on to our next topic, I wonder if any of our panelists would like to respond to any of those questions. Bob.
>> BOB HINDON: Yeah, two of the questions, comments. So, regarding data location, so my view on this, it's not very important where the data is. But it's really what happens to it, who has access to it, the controls to it, because the Internet is supposed to allow things to be in different locations. There is some delay reasons why it's good to keep it close to you, but it's not, just keeping it close to you will not make it more secure. The security problems are location independent. The bad guys know how to access stuff in any location.
The other thing about Google, Yahoo!, basically, I guess I'd say sometimes free is too expensive. When you use a free service, you are definitely, you are paying for it by your own, by sharing your own information. And if you don't, if you are not willing to do that, then don't use free services. Use a private E‑mail server, where you pay money, or whatever it is, and so it's the business model of these companies who provide these free services to look at your information.
I think you can't expect them to do much more than that.
>> PAUL BLAKER: Thanks.
>> WILLIAN CHECK: I think a couple interesting points here were made from some of the speakers.
Again when you look at cyber systems, it's the entry point of how attacks take place.
And the attacks take place between the cyber world and physical world. There are specific areas within the cyber environment that you will see specific areas of ingress.
And because of that, I think the point that the one question came up on security by design is terribly important. I think security by design cannot be overemphasized. It is critical for future design in software systems.
>> PAUL BLAKER: Please.
>> RAHUL GOSAIN: To reinforce the point Bob made regarding free services, I saw a line outside which said succinctly, it says if you are getting it for free, then you are the product.
So, that I think says it. Apart from that, the point made regarding how a car is developed and safety standards need to be developed, and technical standards need to be developed, I would like to inform that as our colleague David had pointed out in the initiative of the Dutch in which they have a global security, Cybersecurity related conference, or like the M3AAWG, I think a lot of work has already been done in that direction.
I'm sure much more needs to be done. But the point is very well‑taken, and we need to arrive at some kind of globally accepted standards of Cybersecurity, which can sort of deter any cyber attacks or any problem from the bad guys, you know, so that the products which we make to produce a more cyber secure world should be consistent and should conform to certain set of standards which are mutually agreed upon.
>> PAUL BLAKER: Thank you. Intel.
>> AUDREY PLONK: To follow up on the standards point my colleague made, I agree on the global standards front. I would take it further to say that as has been pointed out already in the panel, Cybersecurity is a broad chapeau of issues. So having one single standard or a small set of standards that's going to cover all these issues is both impossible and unreasonable. And so you have to look across the global standards organizations that are working on technologies, horizontally, and how they are incorporating security into the standardization process.
I think it's evident that is happening with the encryption work within the IETF, it's happening within various industry‑led cloud security efforts in standardization, same in the mobile space.
Because all of those platforms are different and the way that security gets built in both technically, from a feature perspective, also from a design perspective is just different across platforms, I agree they need to be globally accepted and they need to be industry‑led and recognized by the broadest community possible. But we also need to recognize that there is no one‑stop shopping for standards.
>> PAUL BLAKER: Thank you. Very short intervention, please. Thank you.
>> CAROLYN NGUYEN: To the point of security by design, I want to add that it's not just at the part of the deployment stage, but it has to be security throughout the entire life cycle. In addition to security by design, there is also operational security and maintenance. It is important to keep that mind‑set throughout the entire life cycle.
>> PAUL BLAKER: Thank you. One final intervention from Chris Painter, U.S. State Department.
>> CHRIS PAINTER: I wanted to comment on some of the larger issues too. This is not, governments do have an important role here, but governments certainly don't have the exclusive role.
I think as we, not just in standards but as we think about policies, and one transition I've seen over the last 20 years, in the last five years especially, is this issue has migrated from the technical community alone to one that is now a major policy issue for governments around the world. And what that really means is there needs to be, and there is, much more collaboration not just between governments but other stakeholders.
We very much endorse, as we did with the NIST framework which was referenced, a collaborative approach between Government, private sector and other stakeholders; in fact, a collaborative approach within governments because not all governments within their own governments talk to each other that well sometimes. It's good to have all the discussions taking place, and I've seen a real improvement in that.
That strengthens this area in a large way, because if it's just a technical community who have the expertise leading it, they don't make as much headway unless they get the political impetus, and it's happening now.
>> PAUL BLAKER: Thank you very much. At this point we will move on to our next agenda item, and I will hand over to my co‑moderator.
>> WOUT DE NATRIS: Thank you, Paul. My name is Wout de Natris. I'm co‑moderating this session, as you heard.
We are going to move to the assessment of the capacities, and as we all know, there are many, many initiatives, measures, best practices, standards being introduced, but do they actually do what they do, do people adopt them, and is it ever checked and ever made known?
The good example of that is that one of the participants in one of the sessions I moderated before here said we are going to boot up a wall of shame: Everybody who does not do what by now they are supposed to do, we as Government are going to publish it.
That may be a good thing or not a good thing. But notice that some people are starting to think differently about when measures should be taken or not.
We are going to do that, this discussion on the basis of a few questions just like before. The main thing is that we are going to assess the capacity, so what capabilities are essential to addressing Cybersecurity challenges and how can they be measured. That is the main theme.
We are going to do that around three questions. The first one is how do we strike the right balance between Cybersecurity and human rights including free speech. How can we create a cyberspace for start‑ups, governments, without thwarting innovation, and how do we engage diversity and regional, national, linguistic and forensic challenges. The first speaker is the Minister of Information of the Government of Bangladesh.
>> H.E. JUNAID AHMED PALAK: Thank you, the host, Mr. Paulo Sergio Carvalho and the two moderators, ladies and gentlemen. I beg your pardon that I go off on my deliberations. I cannot answer all the questions because I'm leaving, sorry. Well, as you know, I'm in politics. And I'm the President of the Government of Bangladesh, but I'm not looking from the Government perspective only.
I'm looking at this only from the general point of view.
Well, to us all the Internet is like air, we breathe in and breathe out. Without that, you are not going to survive. So it probably means you need to have clean air every time.
So in terms of technology, and that technology is already part of our daily life, and when you build the technology, trust is very important.
The agenda is well set. And here what are the problems we are facing at this moment, at this juncture of this history, there is a tendency, number one, tendency to use the cyberspace neutrally; two, encroachment beyond borders by states and individuals, also by persons.
And within the national borders, there is cyber attacks on individuals, associations, state institutions, hijacking syndrome, attacks and piracy problem. These are the other problems. Many can add more problems also.
So problems are there. So every problem has a solution, if there is a political will to.
Here if you look at the problems, then we need to have a dual approach, the approach from the international level and at the national level. So the important thing is, there is a, what somebody said, that the transfer of data to the consumers, that it's very important how you assure protection of the data. Transition from IPv4 to IPv6, this transition period, intermediary period, you have to ensure the security of the data transferred from one to another. The reliability of the hardware and software is very important.
Having said that, let me come up with certain proposals. One is that we have a technological problem, how technologically we can assure that the hardware, software, these two are safe to handle. That is a technological problem.
Another is a political and legal problem, how to develop a legal social network or framework which will assure the safety of the Internet. Here, so number one, I said that to, politically we need at the global level Cybersecurity treaty to ensure safe cyberspace. Number two, we will have to agree on setting up technological standards that ensure reliability. Third, data protection technologies, solutions, it has two aspects, one is technological solutions and another, legal solutions.
Four, I want to bring on board the mass media. Mass media can come here as a watchdog, so that the cyber attacks or terrorists do not cross the fine line of human rights. So when we are looking for technological solutions and legal solutions, we have to keep in mind that we have to agree on the basics of human rights and freedom of speech, and etcetera, etcetera.
Agreeing on that, we can move forward. But if we agree on these legal and political solutions, or technological solutions, what we need is to develop a cyber literacy. Without cyber literacy, you cannot just execute the whole things. Cyber lawyers and cyber courts have to be set up and training on cyber problems should be there.
So let me conclude by saying that, well, so I stand for safe Internet. Safe Internet will be assured by legal, social solutions, technological solutions, ensuring human rights, and let us find out the cyber criminals collectively. It is not an individual fight. It is a global fight. I stand by safe Internet. Stand jointly against cyber criminals and terrorists. Let us unite to develop a global approach to ensure trust, secure cyberspace. Thank you very much.
>> WOUT DE NATRIS: Thank you very much, Minister. Next we move to Marco Hogewonig, External Relations Officer at RIPE NCC in the Netherlands.
>> MARCO HOGEWONIG: Thank you. One of the key challenges we see with enhancing Cybersecurity is keeping up with technology. The Internet and users that use it are continuously changing from a security perspective. The biggest risk is to fall behind. We need everybody to involve to stay firm and have an understanding of what is going on, and this works both ways.
We need policy frameworks that take into account the technical capabilities of the network, but we also need innovations and technical designs to take public policy objectives into account.
Cooperation between stakeholders and between public and private sector is key here. Not only do we have to be able to make huge reach out as expertise but more importantly to learn from each other.
The advances in the Internet of Things mean that we see nontraditional access to the Internet space. This is no longer the domain of telecoms and Internet service providers alone, but we are also working with other industries closely. Getting these people up to speed with the work that we have been doing in the past decades to improve security and trust is crucial.
Likewise, we need to be aware of their needs and challenges, and be ready to adopt our policies and methods to accommodate those needs.
Finally, we have to be aware that not all solutions lie in technical designs or technical capability of the system. One of the key capacities we think to be developed is to be able to judge where to apply specific technology and make an informed choice about which protocols and designs to use.
All stakeholders need to do risk assessment, and understanding of the underlying mechanisms and fundamental design choices I think are key to improve security and enhance the overall trust in the Internet and those that use it.
>> WOUT DE NATRIS: Thank you. Congratulations, you are the first one that is within the time. (chuckles).
Very well‑done. Next I'd like to call on Mr. Jeremy Malcolm from the Electronic Frontier Foundation.
>> JEREMY MALCOLM: I didn't have any prepared remarks, but I'm responding to what I've heard. A quote that comes back to me is one from Dwight Eisenhower, who said that if you want total security, go to prison. That is true on the Internet. If we want the Internet to be totally secure, we have to lock it down and turn it into something that is no longer the Internet.
That is why the application of human rights to Cybersecurity is of vital importance, because it is the only check that we have on a runaway Cybersecurity response.
This has been recognized globally. I think that, although there is no treaty on Cybersecurity and human rights, there are enough other instruments that we can say that there is an international consensus on this point, both intergovernmental documents as well as multistakeholder or Civil Society documents. So the cyber, in terms of intergovernmental documents, you can look at the Cybersecurity strategy of the EU. You can look at the UN resolution on the right to privacy in the digital age. These are both documents about balancing the need for Cybersecurity with the need for privacy and freedom of expression.
Whereas, in terms of multistakeholder documents, I guess the NETMundial statement jumps out, as do the necessary and proportionate principles on the application of human rights to communication surveillance.
I am interested in interjecting more as this session proceeds. But I think I want to make sure that the starting point is that Cybersecurity is never an end in itself. It is a means to securing the peaceful existence of our human rights. And if we forget that, then we are in danger of the Internet turning into a giant prison. Thank you.
>> WOUT DE NATRIS: Thank you. Next I'd like to call on External Relations Center in Oxford.
>> LARA PACE: Hi, I thought I was talking in the next one, but I'm happy to speak now; whatever you prefer.
I move to the next one? Yeah.
>> WOUT DE NATRIS: Then nobody talking, but it doesn't matter (chuckles).
So, I'm up to speed also. You will be called on again at a later point. Next I go to Mr. Ang Peng Hwa, Director in Singapore of the Institute of Research Center.
>> ANG PENG HWA: Hi, good morning. I have PowerPoint slides. I'm going to ask you guys to imagine the PowerPoint slide at some point.
The talk is supposed to be about enhancing Cybersecurity and building digital trust. I find it there is a lot of emphasis on Cybersecurity, but actually it could undermine digital trust.
There is a paper, this is where the slide comes in, trust the Internet and digital divide. If you Google IBM trust, Duke, you locate a paper, it shows correlation of Internet penetration is highest with trust, not even with income.
If you want to get people online for various reasons, you should build trust, not, believe it or not, not Cybersecurity. The question is, what is the secret to gaining trust? Of course I have the answer and you would know that, right?
There is one secret to getting trust, simple, all philosophers tell you that, act against your own self‑interest. Demonstrate an act against your own self‑interest.
How easy is that, to act against your own self‑interest? From what I've heard, and a lot from Government agencies and Government, governments want sovereignty. They want the power to act. They want to be able to have sovereignty over subjects, Internet, and data. Right?
This is to build Cybersecurity. Next slide.
Second last slide. There is a problem with sovereignty. There is, for us to be here in this global environment, we need three things, I want to call a trilemma. I have a paper on this, again citations and all that. It is a Portuguese translation of the paper actually.
Sovereignty, globalization and democracy. My next click, there is a red line going over crossing on democracy, because in a trilemma you can only have two out of three. Take your pick. Sovereignty, for Cybersecurity, obviously a good thing, globalization, and democracy. Pick only two out of the three. You want sovereignty? We need globalization. That leaves democracy out. How much trust will you have in a system that doesn't have democracy?
Final slide, what do I suggest as a solution to giving up sovereignty? Three points. Data protection laws, we have heard this. Mohit talked about data transfers apps. Data protection laws strengthen the rights of the individual versus governments, collecting of data as well as surveillance. Second, point about checks and balances on surveillance, we discussed that a long time in Bali. The third one is governance. It is not about checks on Government, not about checks on governing. The goal of governance is create trust in the system. When you have a better governance system, you are going to have better trust in a system. When you have better trust in a system, go back to my first slide, you are going to have better penetration of Internet, greater use of the Internet.
>> WOUT DE NATRIS: Thank you. Finally, I turn to Professor Milton Mueller, School of Public Policy, Institute of Technology.
>> MILTON MUELLER: All right. I'll go now. I think that we are kind of avoiding some of the really important issues, and I know it's probably making some people uncomfortable to talk about them, but that is my job here. So I will do that.
Number one, encryption. We all know that that's one of the key ways of making your online communications more secure.
However, we also know that law enforcement and intelligence agencies are interested in limiting the use of encryptions so that they will have access to the data.
If we are not talking about how to reconcile that problem, we are not talking about one of the most serious issues. I would suggest that the use of encryption, like many technologies, is an irreversible aspect of the growth of information technology, and that we need to accept the fact that citizens have a right to encrypt their communications, and governments have to find a way to work around their limited access to encrypted communications, and find a new means of dealing with lawbreakers and bad actors on the Internet, rather than trying to insert themselves into the key management process.
Jurisdiction. We have Carolyn from Microsoft over there, and Microsoft is engaged in a very important legal battle with the U.S. Government over access to data, to the Ireland case in which the U.S. Government is essentially asserting a global jurisdiction. They are saying even though the data is in Ireland, it's controlled by Microsoft, and so we can issue not even a warrant. It is something I guess between a warrant and a subpoena.
We can get access to that data, which means that they could, regardless of where they put that data, they could get access to it. This is an issue, this is a Cybersecurity issue. It contributes to the data localization efforts, because if the U.S. Government is successful, that means that globalized services will be possibly more difficult. People will be more willing or less willing to use a global provider, and we may be sacrificing the massive economies of scale that can come with cloud services.
The issue of the treaty, the Bangladeshi Minister mentioned that we need a treaty. I think someone else did. That is a controversial issue. Can we achieve what we want for Cybersecurity through governmental treaties or rely more on network cooperation among the providers. If you do the latter, which generally I tend to favor as being more effective, but then again you have issues about procedures and due process which can sometimes get sacrificed in these more private sector oriented mechanisms.
So, one other point related to something Mr. Hindon said, you mentioned Gamergate in the context of Cybersecurity. I want to make it clear that Gamergate is about content. There was a hostile content, and I would like to assert a clear distinction between Cybersecurity issues which have to do with the technical integrity, availability and resilience of the actual Internet, and content regulation issues.
I don't want those two things to ever be confused, because then if you say that certain kind of content is subversive or destabilizing, then you are paving the way for giving the Cybersecurity rationale for censorship or content regulation.
There may be legitimate reasons for certain countries to want to regulate content, but let's not call it a Cybersecurity issue.
>> WOUT DE NATRIS: Thank you, Milton.
We heard more dissenting points of view in this session than in the first one, I think, which makes it a lot more interesting to listen to different points of view.
I'm opening up to the room for any questions, and we have remote participation. As nobody is standing yet, I'll call upon a remote participant to ask a question first.
>> Remote participant:
(there was no English interpretation).
>> REMOTE MODERATOR: We have two questions from Nigeria. The first question is who is responsible for deciding the value of trust online, and demographic trends. For regions with less zero threat, why should global providers not consider openness and access to developing countries?
Can the standard be set at the same speed with advanced organization or governments? That was the first question.
The second one is, we believe the IGF should develop measures that encourage profiling of the various cyber attackers that exist in the cyber world in order to understand motives, psychological drives, and compelling urges to create fear in cyberspace for cyber crimes.
>> WOUT DE NATRIS: Who would like to take the first question? I have to admit that I did not really get them from the English, but if somebody got the first question, please take the floor. No?
Somebody on the second question? Jeremy.
>> JEREMY MALCOLM: So, the suggestion that the IGF should develop measures to profile attackers is probably not the best use of the IGF's resources.
I am all in favor of the IGF expanding what it does, but maybe not in that direction.
But I think there are a number of other institutions that would be well suited to that task, and that there are links to those institutions here at the IGF.
>> WOUT DE NATRIS: Thank you. We have a question in the room. Then I'll go to Marco.
>> AUDIENCE: Thank you. Matthew Shears with the Center for Democracy and Technology. We seem to be having the same conversation. Let me put something to you. In the Chair's statement at the global conference on Cybersecurity in the Hague, the following statements were made, and I'd like to understand what the panelists are going to suggest in terms of how we actually implement those, realize those statements.
The first statement was, governments were urged, are urged to ensure that cyber policy at national, regional and international level is developed through multistakeholder approaches including Civil Society, technical community, businesses and governments across the globe. That is the first thing I'd like the panelists to comment on. How do we make that actually happen?
The second point, the conference urged all stakeholders to work together proactively to ensure that Cybersecurity policies are, from their inception, rights respecting and consistent with international law and international human rights instruments.
From their inception means that human rights are not appended onto a document in a paragraph or something like that. I'd appreciate the panelists' thoughts on that. If you are interested in the issue of Cybersecurity and human rights, we have a panel at 11 tomorrow morning. Thank you.
>> WOUT DE NATRIS: Thank you. That comes together with my introduction of the session. If anybody would like to respond on that, how actually we are going to go from policy to practice, if I remember correctly that that was the motto of the GFCC in the Hague this spring. Mr. Hwa.
>> ANG PENG HWA: To Matthew's question on cyber policy through multistakeholder model, what it would mean is that governments shouldn't decide policy by itself. Often governments feel that they have expertise, especially developing countries, they have the best knowledge, best information, best people. Therefore, they are the best people to decide policy. What the statement is saying is that you shouldn't do that. You should look at other issues, and this way you get human rights by design into the policy.
This needs to be done at the local and national level and high up in the scale, when you can scale it to the national level. You need to bring in all the stakeholders into deciding the policy.
>> WOUT DE NATRIS: Michael.
>> MICHAEL KAISER: I'd like to address the multistakeholder question for a second. From our experience, and I'll talk about this later, too, multistakeholder starts best when you are trying to solve a specific problem. When you see things like M3AAWG, working in that space, or the anti‑phishing working group working in that space, or you see the NCFTA in Pittsburgh working on Cybercrime issues and financial crimes and other things, where people can come together to focus on a problem that is solvable, if we work together as opposed to solving everything at once through a multistakeholder process, that is where you are going to see progress in multistakeholder. How you connect all those multistakeholder processes together is a challenge.
A lot of people sit in all of them. Some sit only in others. That is part of the issue. Focus in multistakeholder is a key and gets lost in the discussion when we start talking about it, because that is where you come together to solve a specific problem first.
>> WOUT DE NATRIS: Thank you. Due to time constraints we are going to go to two final reactions and responses to what we have. Chris, you go first.
>> CHRIS PAINTER: This is a combination of response to the questions and the comment I was going to make before. First it's important to know that, we have said this, Cybersecurity and human rights are not contradictory concepts. They should be complementary.
I think to the question of, one of the concerns I've heard expressed by some folks is that as governments are paying more attention to Cybersecurity, sometimes that is being used as a proxy to infringe human rights.
And that shouldn't happen. We should work across the board to make sure that those are taken into account as we go forward.
Indeed a lot of the work we have done in terms of capacity‑building, which we will talk about in the next session, is trying to model that multistakeholder approach of consultations with Civil Society, industry and others and doing these provisions.
I also wanted to call attention to the working group that the Freedom Online Coalition has that was just referenced that is going to be presenting its results tomorrow. They have a working group on, that focuses on multistakeholder and rights respecting approaches to Cybersecurity.
This is a very important presentation tomorrow at 11. I recommend everyone to see it.
Finally, I want to comment on the comment made by our Bangladesh Minister calling for a global treaty for Cybersecurity, which I think is just a very bad idea. In fact, I think it's an unworkable idea. I don't even know what a global convention for Cybersecurity is. I don't know what that means.
I don't know what concepts that holds. Indeed, that in itself is probably not going to be a multistakeholder approach to the problem. There are lots of activities, there are many things around the world, there are many, both statements in the UN about culture of Cybersecurity and action plans. There is the Budapest convention, there are many things out there that are good models for countries to look at or to participate in.
I think trying to do one, bring the rule from all, is not going to help us solve the problem.
>> WOUT DE NATRIS: Thank you. Marco.
>> MARCO HOGEWONIG: Thank you. I'll be brief. In response to some of the questions raised in multistakeholder, yes, as I mentioned in my intervention, we have to raise awareness and be aware of each other's objectives and needs and take this into account, and also be able to trust each other's expertise when it comes to finding solutions, and the multistakeholder model would definitely be the key to solving part of the puzzle.
The reason I asked for the floor was to respond to something the Minister said regarding IPv6 which is the topic we take close to our heart.
I think especially at this level and security in digital awareness, we have to be aware that there isn't that much difference between IPv6 and IPv4, and everything you do in this space should be agnostic to that level. Security measures should take into account these two protocols, access to these protocols exist simultaneously, and that is something to be aware of. Police all policy regulation, but also the work we are doing together should be IPv agnostic as much as possible.
>> WOUT DE NATRIS: Thank you. Milton.
>> MILTON MUELLER: I'd like to address what I think Matt Shears of CDT was asking. The conversations about Cybersecurity do get a little bit repetitive, and the question is, what can we make happen?
I think the thing we have to understand is that Cybersecurity takes place at various levels, and a very large part of the responsibility is with the private actor, whose systems need to be secured, and that distributed responsibility is a key feature. So the idea that when you talk about the multistakeholder model, too many people have in mind the idea that you are getting a bunch of people in a single room and they are negotiating about something, or making trade‑offs.
In fact, all kinds of so‑called multistakeholder cooperation takes place at various levels, you know, industry associations, national levels, and more importantly, across industry sectors. And that's, you know, I think Audrey was making the point earlier, the standards environment is incredibly diverse. There is no single spot where you can go to.
We have to understand networks governance, distributed governance, as our basic mechanism for dealing with Cybersecurity. What can the IGF do to advance that agenda. How can we bring people together in ways that constructively get them working on problems that they are not able to work on in any other environment.
It's not clear to me that there is a role for the IGF per se, other than perhaps an educational one, but we might be able if we try to be a little more aggressive or ambitious, I should say, rather than aggressive, ambitious in what we achieve here, and we don't avoid the controversial issues but actually embrace them, I think we could maybe make some progress here.
>> RAHUL GOSAIN: Thank you, honestly spoken by Milton. Just to tie in that point what the moderator made regarding dissenting opinions, being raised in this session, it's beautiful to see how the comments made by Peter and by Ang tie up beautifully in terms of the real challenge that confronts governments. The real challenge is not per se providing Cybersecurity solutions, but how to provide Cybersecurity to the citizens in a way, in a discrete way, that does not restrict freedom of expression and the growth of the Internet, so that the Internet does not become sort of unrecognizable from the way we know it.
That is the real challenge, I think. That is the beauty of it all in how the comments tie up beautifully. Thanks a lot.
>> WOUT DE NATRIS: Thank you. I've heard yesterday in discussion also, is about finding the right incentives for private industry to act on all the things we discuss about. Are there some views on that from the room? Or in the panel? What could be initiative, incentives?
>> AUDREY PLONK: I'm not sure I remember exactly where the incentives question came up. But I think there is various incentives for various actors in the ecosystem. The private sector is mostly incentivized by what the customers want and what the user wants, to deliver a product that is trustworthy and stable for the user. I can't speak for the whole private sector. But as a general matter, the standards that are followed and processes that are followed to achieve that are open and transparent and collaborative in terms of how they are built, and they are fairly standardized across the industry.
There is obviously business incentives in terms of how the private sector builds product and there is consumer goals. I don't know if that is really the question. But there are other discussions in the ecosystem around different kinds of incentive structures, more from the operator side or end user side of how we get people to deploy product, more security related products or features, or how do we get people to update their systems more. That is a different set of incentives.
I think it's, just saying how do we incentivize the private sector to go solve this problem is a little bit superficial in terms of the depth of the actors that are required to actually be involved in making a more trustworthy environment.
I also think it's useful for us to step away from this notion that there is some end game state of secure, and it keeps getting repeated. It gets repeated in every set of documents that comes out on security. We want a secure, stable, trustworthy, of course we want that. I think it's fine to say that we want it.
I think it's more difficult to set that standard and then expect, to Matthew's point, for Governments not to then come in and say it's not secure, so we are going to do something about that. We have to change how we think about that. We have to think of it as a continuum of risk and of productivity and of trustworthiness, and not a black or white secure or insecure, because it's never that way.
>> WILLIAN CHECK: One of the interesting things that came up in terms in the U.S. with the new Cybersecurity framework that was developed is one of the very important things that was established was that you had to have a top‑down approach within organizations.
This would apply certainly within nationalities and regions too. You can't expect Cybersecurity to happen just at the engineer level. It has to be at the CEO level, and be at the board level, to be stressing the importance of cyber within an organization.
>> I think there are a lot of private companies ‑‑ at my day job, I work for one ‑‑ who know a lot about what is going on regarding attacks and malware and whatever, denial of service attacks. It would be very good if that information could be shared by ‑‑ there needs to be cooperation between the private and public sector. But the other part of this is, customers of those companies who build these products that we want to be secure need to actually insist that they are secure, and not buy products that aren't.
That is for individuals and for companies and governments. It has to be high on the priority list that security is taken seriously, that you get frequent updates.
One anecdote, this recent thing, about a car manufacturer, being hacked, you can take over the car, and their solution to fixing this was you have to bring the car back and get a service appointment. They would put new firmware on it. But by comparison, the electric carmaker Tesla just downloaded new software when they had a vulnerability. We need more thinking like that.
We are not going to make products that are perfect. But we need to be able to fix the problems, as soon as we find out, and they need to be updateable quickly.
>> One of the things I think that is perhaps being overlooked is the issue of incentives. This is not an intellectual exercise, not an academic exercise. This is a real part of our world. One of the things I think that bewilders many of us, maybe all of us, is that obviously vulnerabilities have economic and personal cost, and yet we still seem to fall into the same traps over and over again.
One of the areas, and picking up on one of the excellent things Milton talked about, in terms of what individuals and organizations can be doing and how those incentives can work, that is starting to emerge after many years, is the issue of insurance.
I don't mean insurance as a way of just covering up for problems that have been created, but one of the benefits that insurance often provides is a way of disseminating helpful useful consumer‑friendly information of what can be done to create a lower risk environment, as a way of giving people incentives to save money, something that most organizations and individuals would like to do.
With the starting to see an emergence of insurance in this area, I'm becoming more optimistic that at least some of the low‑hanging fruit that's often been there will start to be addressed as a way of being dealt with that will help to inform people in ways that are accessible, easy to digest, and perhaps give individuals economic incentives to do the right thing.
>> WOUT DE NATRIS: Thank you. I'm going to go to the room first? Ask them if they step up. I'll give you the floor. If there is another question from the room, please queue up to the microphone. I'll give Mr. Hwa the chance to speak first and I go to you. Mr. Hwa.
>> ANG PENG HWA: Just in case I've not been well‑understood, with my accent or whatever, it's the issue of black and white, in this space, and nothing is black and white. What I'm saying is that you do need to be aware that over decision of Cybersecurity can lead to degradation of trust. Take an example of Microsoft being compelled to get information to the U.S. Government. What is the problem of cloud computing there? It is not security. It is the issue of trust in the information that I've stored in Microsoft. Who will access it? Now there is a policy that says that U.S. Government can access it. My trust is reduced. I'll be less likely to use the product or service.
Is it a problem of security again? No. Wherever I go, I will go to small outfits, probably less secure outfits, that I believe, I believe Microsoft would have better security. So you can see how this undermines the trust, and undermines the penetration of use of even cloud computing. I organized a panel a couple years back on cloud computing. To my surprise, the number one concern of cloud computing was not security. It was trust. It was privacy, having data protection laws.
>> WOUT DE NATRIS: Question from the room.
>> AUDIENCE: Hi. It's a common comment and a question at the same time. When we talk about incentives, for example, we all know that overall incentive is financial. It's going to be the users that are going to say what the companies need to do.
Unfortunately, the users don't, they are not aware enough of Cybersecurity, so they can demand that. This is one of the problems that we have.
I see here that we talk about education, collaboration and cooperation, right? And what I see is that when we have discussions about Cybersecurity, we tend to deal, talk a lot about technological issues or governmental issues, but there are some other human issues that I think that are not well addressed.
For example, when we talk about education, collaboration and cooperation, those are not technical issues. We need to bring people from other areas to come here and discuss that with us. We need people from education background, for example, to talk to us about education and how we can get Cybersecurity into the education aspect. Internet is not a thing for geeks anymore. It affects everybody's lives in all areas. We have to have people from all areas to discuss that together with us.
About the stakeholders involved again, I'll try and be fast. We cannot wait for them to come here and discuss that with us, because we are the ones that are worried about it, not them. We need to go for them, go where they are, go to their events and try and bring them to us.
The other option that we have is wait for the big thing to come. We only started talking about tsunami alerts and evacuation routes when we had a big tsunami event. We can wait for the big Cybersecurity event to happen, so that it increases awareness. Then we see how we act or prepare in advance and see how we act later.
>> WOUT DE NATRIS: Thank you. I was going to point to you, Michael.
>> MICHAEL KAISER: I would answer that question in a couple different ways. First of all, overarching on this, we have to create a culture of Cybersecurity everywhere we are. We live in a car culture, we have traffic, we have a culture of traffic safety everywhere. Right? Those issues and traffic safety are taught by everybody to everyone. That is what we have to achieve in Cybersecurity at the end of the day as well. You go out here into the conference center, you will see little bins for different kinds of refuse, trash that you have. Right? Because we are starting to build cultures of recycling across the world.
It doesn't happen quickly. This is a long‑term process. You can see already that we are becoming in many countries cultures that are nonsmoking cultures. We have to become a culture of Cybersecurity. It has to be infused across everything we do. If everyone is touching the technology, everyone has to know how to use it safely and securely. And that requires all hands on deck. You are right. The educational system is important.
Parents, really important. Industry, really important. Government, really important. All play really, NGOs, all play really critical roles in creating the culture of Cybersecurity. That's the end game in many ways.
>> WOUT DE NATRIS: Thank you very much, Michael. We are going to take a final ‑‑ you want to respond to that?
>> CHRIS PAINTER: This is a long‑term effort, been under way for some time. One thing that is happening now is that more countries are having programs, including in Brazil, to get more the citizenry understanding the cyber threats, and indeed, we had national Cybersecurity awareness month in the U.S. in October. Many other countries are doing similar things, either for a week or month or a few days, to profile this issue. That is only part of it, to be sure, giving tools to citizens to be able to actually handle some of the threats.
One of the things that came out of the global conference in the Hague and global initiative for cyber expertise, one of the projects that the U.S. and Canada have partnered on is to do exactly this, to bring more awareness of threats to not just businesses and governments, but also to citizens around the world. It's something that if folks are interested, they should consider joining.
>> WOUT DE NATRIS: Thank you, Chris. One final question.
>> AUDIENCE: Thank you. Hirohota from JPRS, an agency for Japan. I hope my question is in line with the topic of the session.
If important information, for instance, personal data of customers is leaked from an organization, people tend to blame ‑‑
>> WOUT DE NATRIS: Sir, could you please speak into the mic? We have trouble hearing you.
>> AUDIENCE: Sorry. If important information, for instance, personal data of customers, is leaked from an organization, people tend to blame the organization as a criminal, not as a victim. However, getting attacked and hacked is a usual event these days. There is not a complete security even if the organization tries very hard.
So we, the cyber residents, should perceive that being attacked and being hacked is not a shame, not even a crime. On the basis of such perception, the victims should share how they are attacked to raise their security collectively, of course with a device caution. I wonder how the perception change can be achieved including cyber security. That is my question.
>> WOUT DE NATRIS: Thank you very much. It's a good question. It's something that we run into daily, that crimes are not reported, because of shame factors or other reputational factors. Jerry wants to respond, and perhaps somebody else. How do we solve this, Jerry?
>> JEREMY MALCOLM: I want to push back against that question a little bit. I think sometimes the shame that comes from personal information being disclosed by hackers comes from the fact that that information shouldn't have been there in the first place in some cases. There haven't been proper data minimization practices followed.
For example, in the case of the Ashley Madison hack, there was information that users of that, we don't have sympathy for the users, but the users had paid Madison to permanently delete their data, and when the hack was published, the data was still there.
I think there is enough shame to go around, between the hackers and the companies who have not followed proper data minimization practices. And of course, there is also the fact that in some cases, lax Cybersecurity practices have been practiced by the companies. I'm not saying we should blame them for not being impenetrable, but we can still expect companies to follow basic precautions.
I'm not entirely disagreeing with you, but just presenting a contrary perspective there.
>> WOUT DE NATRIS: Thank you, Jeremy. We had a lively conversation on this topic; so successful topic, I think. But we have to close it at some point and move on to the third one. I'm going to hand back to Paul. Thank you for all your comments.
>> PAUL BLAKER: Thank you very much. Actually, some of those recent points lead us well into the next topic. We would like to move on to the focus on capacity‑building, and what are the best practices that we need to address some of the challenges that we have been discussing so far this morning, both today's challenges and challenges in the future.
And what kind of platforms do we need to facilitate this? There are two questions which have been posed for this topic. First of all, how do we promote the use of the Internet for international peace and security, and what recommendations are there for high level principles for cyber cooperation?
Secondly, how do we discover new approaches for institutionalizing and disseminating best practices for capacity‑building? To start to look at the questions, I'd like to ask Mr. Wafa, head of the Cybersecurity department of the Ministry of Communications in IT in Afghanistan, to contribute. You have the floor. Thank you.
>> ZMARIALAI WAFA: Thank you very much. Capacity‑building is one of the most important components while establishing information infrastructure. In order to establish capacity‑building program for a nation, it is important to manage this through Cybersecurity, through national Cybersecurity strategy.
Having national Cybersecurity strategy will make this job easier. Security trainings are costly. We need strong support from the senior management. We need buy‑in.
The first step towards the resiliency of the Cybersecurity is then Government should establish a multistakeholder environment, bring the stakeholders together from private sector, academia and operators to address the challenges they face.
Critical infrastructure partners must collectively identify priorities, clear goals with clear goals towards their assets. All these threats are shared responsibility. Regular awareness program and training programs are essential in both Government and private sector. In this regard, we need to plan, establish a Centralized Computer Security Incident Management capabilities which is called national SIRT.
To managing CSIRT or SIRTs with a national responsibility, we can provide awareness, manage cyber incidents, support the national Cybersecurity strategy, public/private partnership in Cybersecurity, building a culture of Cybersecurity, national policy framework for Cybersecurity, managing and participating in Cybersecurity exercises, Cybersecurity assessment and evaluation.
One of the initiatives back in 2012 was from the Government of UK establishing as the center for global Cybersecurity capacity‑building. Such initiatives itself can provide a good platform accelerating the awareness program.
We do need more of such initiatives. Last but not least, the cyber drill program, one of the most effective practices. Now it is that show collaboration between two various SIRTs, businesses, businesses also need to exercise this practice, in order to exchange information with each other, and see how vulnerable they are to today's attacks. Thank you.
>> PAUL BLAKER: Thank you very much. I'd like to invite Tomas Lamanauskas to contribute, Head of Corporate Strategy at the International Telecommunications Union.
>> TOMAS LAMANAUSKAS: Thank you very much, Paul. First, ITU has experience in this area, especially starting from a society where heads of state and Government facilitate the so‑called action line 5, C5 about building trust and security in the field of ICTs.
In our, so now it has been in this year, we are reviewing the ten‑year progress. It is a review of what has been achieved. It is timely here. However, also starting from the way your questions were posed, how would you ensure that we are all safe internationally through the capacity‑building, it's an important point for us also, realizing that we only are safe as the weakest link, and the weakest link can be anywhere. It can be in, cyber threat can come from any country. Any country can suffer from it. It is important to adopt the approach, we understand it is not about zero sum game, not about us versus them. It is about protection of everyone. We only can increase our collective protection when every country and every citizen have a protection against cyber threat. It is our collective interest as a global community to ensure Cybersecurity everywhere. It is not because, when we talk about capacity‑building, development assistance, we should understand this area is not about altruism. It is about ensuring citizens of every country can benefit from trust in the cyberspace and users in a trusted secure way.
The new aspects, what other new aspects that we should take into account now, especially with the new technology. So again this is no longer becoming, no longer just about data and money, while it is very important. It is also now about Internet of Things, with industrial Internet, with variables. It is also about now lives. It is becoming very important.
Also increasing complexity of stakeholders. It is not just about SIRTs or national regulators or Telecom operators. Everyone is dependent on that and everyone has a stake in it. When we talk about capacity‑building and building the level of Cybersecurity, it is important to involve them all.
How do we, what are the some of the learning from our perspective, how do we address that, how do we build capacity? First of all, it is important to look at that in comprehensive manner. ITU has come up with 7 high level expert groups with a global Cybersecurity agenda which has five pillars, the way we see this comprehensiveness through technical procedural measures, legal measures, organizational measures, capacity‑building, international cooperation.
We need to look at that in a comprehensive way. We need, there is no question, understand a lot of threats can be tackled by simple awareness and people doing simple steps, cyber hygiene. It sounds boring. It is interesting to talk about cyber espionage or big data losses or big incidents. But although there is, a lot of incidents can be resolved by taking simple steps. Your own Government study says 80 percent of the cyber threats could be eliminated by doing steps such as updating antivirus. A similar U.S. study, we can achieve 94 percent reduction in risk if we measure the top 20 controls and apply them that are standardized. It is important that everyone takes steps and we help people to know what steps to take.
We need to ensure that, how we protect all the other vulnerable groups. Cybersecurity for everyone means sometimes we need to take specific steps. In IGF, we have had discussion about Child Online Protection, and other issues that undermine trust and how we take actions against that.
In terms of the measures that we have been doing recently, review measures in trying to build global Cybersecurity, trying to help in building global Cybersecurity culture, is what we believe is that to achieve something you need to know where you are going and need to measure that.
Global community last year in our Plenipotentiary conference agreed on target 3.1, which talks about increasing Cybersecurity awareness by 2020. We as a global community agree to that. Now the question is how we get there.
In terms to ensure that we measure that, we have a global Cybersecurity index measuring readiness of countries in this regard. We collect country profiles ensuring that there is peer learning and see the best practices there, and issued an updated national Cybersecurity guide which helps countries build Cybersecurity policies.
Important theory here, in this fora as well, SIRTs is an important element of the Cybersecurity environment, and building so they are sufficiently mature is important. With our 65 country assessments, we have 13 SIRTs implemented, four in progress, one being updated, and trying to ensure that the basic infrastructure, especially in the countries what we call wide spot countries, countries where they don't have this capabilities there. Already a colleague from Afghanistan mentioned important cyber drills. We see it as an important measure, most of building technical capabilities, but also by building trust among people, both national, international among different stakeholders. We conducted 13 cyber drills in a hundred countries.
Organization and helping build all stakeholders standardization is important. So in our important element, when we have standards in Cybersecurity, an important part is bridging the gap, making sure developing standards from stakeholders, from other parts of the world, so we build it together. That is one element of our approach to capacity‑building. It is not just from us to you capacity‑building. It is everyone coming together to solve those challenges.
The last point, to make the importance and understanding that none of organizations or entity can do and resolve the challenge by themselves. It is complex and there are various stakeholders. These are different kind of stakeholders, but we need to look inside those stakeholders. We have another layer. We talk about Government. We no longer talk about Minister of Education, Finance, Ministers of Economy, responsible for critical infrastructure, if we talk about private sector, Telecom industry, other industries, banking industries. It is becoming very complex environment in which we need everyone to chip in.
We do it in a few layers. One is the UN layer, where within United Nations we have now the strategy and action plan, how to coordinate action, so various agencies helping member states in the area, but also other stakeholders. And there was a presentation of Global Forum of Cyber Expertise, to which we are a proud partner of, and also partnering with a number of private sector partners, and Civil Society partners in that regard. That is the way forward.
I think this is also, this discussion here is a good way to also bring those stakeholders together. Thanks so much.
>> PAUL BLAKER: Thank you very much. It is interesting. Already there is a strong theme around capacity‑building being a shared responsibility, which is in all of our collective interest.
Now I'd like to turn to Chris Painter from the U.S. State Department.
>> CHRIS PAINTER: Thank you. I wanted to address both of the questions, and I think they are different but related. The first is how do we promote international peace and stability in cyberspace. The second is a more general issue of capacity‑building.
I want to talk about both of those. In the realm of promoting international stability in cyberspace, this is very important, because having a more stable cyber environment overall, where states don't have an incentive to break that stability and cause disruptions makes the entire ecosystem more secure, and leads to better security generally and better stability throughout the world.
To achieve this, we are seeking a broad consensus on where to draw the line between responsible and irresponsible behavior particularly for states. We really approach that in two different ways, and made significant progress in different forums, including the UN group of governmental experts on this issue.
First, we have been promoting, and we have wide acceptance of the idea, the basic rules of international law apply to cyberspace. Acts of aggression are not permissible, and countries that are hurt by attack have a right to respond in ways that are appropriate, proportional and minimize harm to innocent parties.
But we support an additional set of principles that we can bring forward. They are principles that we are promoting, both that gained acceptance in this group of governmental experts, which comprised of 20 countries, but they are getting wider acceptance around the world, and we are hoping to have many more countries realize the value of these principles, these norms that get wider acceptance and therefore, I think it leads to a more stable environment.
We view these as universal concepts, that would be attractive to all states, and something that we can make great progress on, and I'll list them. One is that no country should conduct or knowingly support online activity that intentionally damages critical infrastructure or impairs the use of it to provide services to the public.
Obviously, not attacking critical infrastructure in peacetime does lead to a more stable environment, if countries sign up to that.
No country should conduct or knowingly support activity intended to prevent national Computer Security Incident Response Teams from responding to cyber incidents, or use its own teams to enable online activity that is intended to do harm.
Basically, use SIRTs for good and don't attack SIRTs. If you think about the SIRTs as the way to handle incidents, attacking them would lead to great instability, and it's important for governments to recognize this.
The third is that no country should conduct or knowingly support cyber enabled theft of intellectual property, trade secrets or other confidential business information, with the intent of providing competitive advantage to its companies or commercial sectors. We think this is something that no Government should do, and indeed this was a subject of a recent agreement reached between President Obama and the President of China and also Prime Minister Cameron and Presidency of China.
Finally, every country should cooperate consistent with its domestic law and international obligations with requests for assistance from other states in mitigating malicious cyber activity emanating from its territory.
This goes to the cooperative environment and the collective cooperative environment we talked about earlier. Those things together as a package would lead to a more stable environment, and we are promoting this around the world, with many of our partners too. Getting wider acceptance, in a way, it's capacity‑building in itself because bringing principles, norms forward, getting acceptance helps dramatically.
On the other side of capacity‑building generally, there's been a huge amount of work that has been done in a number of different forums. This is a great example of you don't need just one Forum or again one controlling, one ring to rule them all, as I said before, but you have lots of things out there, which are complementary or important. There have been regional work within the OAS, regional work in other organizations. We have heard about other activities here today. There has been work in building national strategies. There has been work in building SIRTs. Those are all really important.
Most importantly, I know this is going to be discussed by my colleague from the GFCE, the launch of the Global Forum for Cyber Expertise was an important initiative that ties together a lot of these different activities, and we are proud to be one of the founding members, and more countries and more entities, it's not just countries, it's countries and private sector, Civil Society. It is open to anyone. But it is really to partner on activities to do capacity‑building around the world.
This is really, this idea of capacity‑building is incredibly important in our policy, because we recognize that, as one of our previous speakers said, that the weakest link issue is a problem. Every country, as they are getting more connectivity, as they are relying on the Internet and technology for their economies and societies, they need to be able to build policies and other things and need to do it right. They need to incorporate human rights, but also make sure they are doing it in a way that is interoperable and can work with other countries.
We have done a lot of work in sub‑Saharan Africa in the U.S., where we have done things in the SADC community and east Africa, East African economic group, and ECOWAS, and we are continuing to do that because that is an area that is very important. External action service of the EU has done work. There is lots of work going on in the area. The GFCE, and I will not steal the thunder of the next speaker, is a critical and good example of how to tie a lot of this together.
We ourselves are cosponsoring three, four different initiatives with different partners; some targeted Africa, some more generally. We look forward to continuing to work on that.
>> PAUL BLAKER: Thank you very much; lots of really important substance there. But before I open up to comments to the floor, we have one more panelist to contribute, Lara Pace from the Global Cybersecurity Capacity Center.
>> LARA PACE: Thank you. Good morning, everybody.
I am going to talk about the capacity center. We are housed at Oxford, and I'm responsible for taking all this knowledge as we are building at the center in collaboration with a number of experts and taking it to the world.
We are a research project, and we are focused on trying to understand what effective Cybersecurity capacity‑building looks like. We do that by, we have developed a model to understand Cybersecurity capacity, or the maturity of Cybersecurity capacity. And for the benefit of this conversation, when we talk about capacity, we look at national policy and strategy. We look at building this Cybersecurity culture. We look at education and training that a country offers to its people. We look at the regulatory environment and the technical environment.
What we are doing is, through this model, deploying it across the world through international organizations, from the international community and also directive with governments, is gather this learning and experience of how people have built their capacity, and understand really what works and what doesn't.
So maybe when we talk about international cooperation, we can be a little bit more strategic in trying to make that happen. Personally, I'm really interested in the international cooperation element, just because so I represent an academic institution, but I'm not an academic. My background is capacity‑building.
When I worked with an international organization, the challenge in making that actually happen, develop holistic comprehensive sustainable programs of capacity‑building, working with a number of stakeholders, both internationally, but also in region, and at the national level. So I think in trying to develop this global understanding, possibly we might be able to be more strategic in our international capacity‑building. We need to be more strategic both at the donor level, also at the international level, and also nationally across ministerially.
Going back to the GFCE, we are one of the gaps of the UK Government to the GFCE, and together with the governments of Norway and also the organization of American states, who is one of our key strategic partners. We think that GFCE is good because it actually does bring an element of awareness to what actually is available for people to take up in terms of making the capacity‑building more efficient.
One of the outputs of the GFCE is to develop this inventory of Cybersecurity activity, and we have been asked to deliver that, and what we have is we have got a dedicated person working, researching, trying to understand who is doing what where. That is housed on our portal.
As a Cybersecurity planner, in the emerging world or developed world, you are able to go there and see whether the capacity you are trying to build has recently happened in one of your neighboring countries, who the experts are, and how you can foster building that capacity through that inventory. We believe having this sort of mapping of what is happening may begin to address this duplication of effort, because hopefully you will be able to fast track your capacity.
That is my two minutes.
>> CHRIS PAINTER: My colleague from the UK has an important project there. We have projects there. There are a total of 42 founding members and now 50 members have joined, and they include governments and businesses and other stakeholder organizations. If you don't know about this initiative, and it's important work being done around the world, but this initiative is trying to sponsor that work. The Dutch are not here to talk about it, but I think they would be very pleased that it's getting so much traction around the world, and really trying to harness and do a lot of this work, and get existing bodies like the one in the UK to do work that is really important to the whole ecosystem.
>> PAUL BLAKER: Thank you. There is a broad agenda there. If people have questions again, please come to the microphone, in the traditional way. We have heard everything from cyber hygiene, at the individual level, to the principles being discussed by the UN GGE, and I think Lara described sustainable and holistic capacity‑building programs in the area.
I'll open the agenda. If there are any questions, please come to the microphone. First I turn to our organizer who would like to ask a question, and is kindly walking to the microphone. The floor is yours.
>> SUBI CHATURVEDI: Thank you. My name is Subi Chaturvedi, and I'm a member of the MAG. One of the key reasons why we did put the panel together was also to look for answers to many questions, questions because these are emerging issues, and not all of us even have been able to problematize the key challenges.
My question is to Chris. Chris, this is about how one man's hero can be another person's traitor. We as citizens look for answers from governments. We have learned that many times we are in the room, and at other times we are outside where we don't know how our inputs will be treated, especially when it comes to issues like Cybersecurity, like building trust.
When we are looking at issues about surveillance, how do you resolve questions of, do you necessarily proportionate and how do you ensure protection, because it's not easy after you have told the story. Many times recourse is difficult, because this is at the heart of the conversation; national security and free speech and expression and human rights online should not be at cross‑purposes.
That is the first question. The second short question is, when we are looking at collaboration between SIRTs and trans‑national agencies, law enforcement or online agencies, if you follow due process, it is a very long time to get a response.
How can we develop mutual trust without looking at just Government interventions? When you are looking at crime that happens online, it is in realtime. And there are many actors who are collaborating together. What are the alternatives, not just the formal processes? Two questions going your way, please. Thank you.
>> CHRIS PAINTER: On the first question, look, it's important for there to be basic principles in the way that every Government gathers intelligence. There has been a lot of work in the U.S. over the last two years. And President Obama has spoken about this in looking at those practices, and making sure that there is adequate oversight, proper purpose, and all the things that you need to have a system that is not targeting, which it never has, people for dissenting points of view, political dissent, for religious purposes, but that is not true from a lot of other governments.
One of the things that is a concern, and I mentioned this before, is when governments use the excuse of Cybersecurity, which is important and they should be doing it, in a way that they are trying to draw absolute sovereignty around their borders and not respecting internationally accepted human rights and the free flow of that kind of information. We see this more and more.
One of the big parts, and this does tie into the capacity‑building effort, when we do capacity‑building around the world, we bring our colleagues from our democracy and human rights group at the State Department with us. We are not just talking about Cybersecurity and Cybercrime, but talking about human rights aspects too. We are also bringing other stakeholders, private sector and other stakeholders to model the multistakeholder approach to working on policy. As governments are grappling with the issue, it is important that they understand those competing concerns, and often not competing, often complementary concerns and take that into account.
On the second question ‑‑ remind me the second question again. How do you collaborate among different agencies and with other stakeholders.
One of the things we have found when we talked to other governments about these issues is that you can't just talk to one agency. You have to make sure that there is a whole of Government approach where they talk to each other, which is a harder trick than you might think. There is a lot of stovepipes out there. I used to say even in the U.S. Government, which has it as well, that we have stovepipes of excellence. People were doing great work in different areas but not collaborating.
That's changed dramatically. And when we go around the world and when we talk to other governments, we bring all the different stakeholders with us, but we also go outside the Government and say, when you are developing your Cybersecurity strategy, national strategies, the best practice is you don't just do it in the Government. You consult with the industry community, consult with Civil Society community. That is how we build our international strategy and other documents. It is an important thing for every Government to do. It gives those strategies more legitimacy.
It makes them more powerful in the long term.
>> PAUL BLAKER: Thank you. I see there is one more question at the microphone. Sir, the floor is yours.
>> AUDIENCE: I'm from Pakistan. I have a question, what if the Government doesn't care for Cybersecurity issues in the country? I see comments on the floor about there are Cybersecurity seriousness, there are steps, there is efforts. But in fact, when they go back to their country, the reality is far away. It is different.
I was just wondering about a strategy that can impose, that can actually force countries to have Cybersecurity laws, Cybercrime law. I think this will be immensely helpful to build better digital trust if all the countries in the region have Cybersecurity laws and Cybercrime laws.
>> PAUL BLAKER: Thank you. I'll ask the panelists if they would like to respond to the question. But first the next question from the microphone.
>> AUDIENCE: Hi, Taylor Roberts, research fellow at the Global Cybersecurity Capacity Center. My question is, when we implemented, when you implement a maturity model like the ones we have, we get a review of what existing capacity is. Can you provide recommendations on how to move forward? But a country that is just starting to take Cybersecurity into consideration has an array of options before them. I can invest in a SIRT, in a strategy, awareness campaign. How do you provide guidance on which step to take first? Is it dependent on domestic context? Do we have enough knowledge about capacity‑building as a discipline to be able to make this informed decision? Thank you.
>> PAUL BLAKER: Thank you. Are there any questions from remote participants? No? Okay.
In that case, thank you. There are two questions. Sorry, Milton.
>> MILTON MUELLER: This is a question for Ambassador Painter. Do you consider the GGE to be a multistakeholder entity, and how does it, as a governmental negotiating body that is similar to some of the old arms control negotiations, how does it fit into the multistakeholder environment?
>> CHRIS PAINTER: On the last one or all three questions? How would you like?
>> Do it all.
>> CHRIS PAINTER: When you are talking about things like international stability, and what states should do or refrain from doing, that is naturally more of a Government conversation, but doesn't mean there is not a multistakeholder aspect to it.
One of the things we are launching this year, the U.S., is a series of conferences sponsored by UNIDIR in Geneva, trying to bring other countries outside of the smaller group of the GGE and other stakeholders to have these conversations which would help inform those discussions.
Certainly, from my own perspective is, we have had many talks with our industry, Civil Society, as we go through the year, to inform some of the things we talked about. If you look at the GGE report, there is a lot of references to the importance of human rights, which we fought to get in there, thought it was important.
There is certainly reference to sovereignty, and it does exist in cyberspace, but is not absolute. We are trying to make sure we have inputs to better inform us.
On the question about mandating countries to have particular laws, the better approach, a few years ago this was not an issue. This was not a policy issue. More and more countries are now seeing the importance of it. It is maybe true that not all countries are paying enough attention to it yet. But that's changing and changing dramatically and rapidly.
That is the opportunity to make sure that they look at some of the best practices out there. Budapest is a best practice for Cybercrime law, but look at the collaborative and voluntary approaches like the NIST framework we have done in the United States for critical infrastructure. There is a lot of good things that are out there that countries can use. That ties into the last point which is the prioritization point.
I think particularly with the developing country, when they get a new cable drop and they have connectivity, and it may be cell phone and other broadband connectivity, and they are looking at how they can build this, they have an advantage in a way. They can build policies in the beginning rather than trying to layer them on later on like all of us did.
If I were to prioritize them, the number one thing is to have that strategy, that national strategy, because that captures what your game plan is, where you are going, what the responsibilities of the different stakeholders and agencies are in your Government, and it raises awareness as a major issue within the Government.
I think that is foundational.
Having the kind of institutions like SIRTs in place which are critical to doing this, and good law enforcement, those are critical too. There are foundational building blocks, and you can add on from there. Awareness comes next. But that national strategy helps with awareness as well.
>> PAUL BLAKER: Thank you. We have two questions from the floor, one about countries that don't have Cybersecurity measures, one about which steps to take first. Tomas Lamanauskas would like to intervene, and Lara would like to add something.
>> TOMAS LAMANAUSKAS: Maybe agreeing with Chris, I wouldn't be that pessimistic that governments don't care. Governments do care, because they don't want issues and can raise more media attention, and their politicians don't want to be explaining why these issues are happening, why they don't have proper strategies in place.
However, there are also ways to do, peer pressure as well. At least from our perspective, what we are doing, I mentioned the targets, and having a committed target and knowing that will be measured, how the Governments are achieving that is usually not a bad way, because no one wants to be seeing them low in a list of the achieving countries. That grabs the attention of ministers and high level policymakers.
Having commitments and measuring them, what we do with the global Cybersecurity index, is important. But at the same time it is important to support, that is where capacity‑building comes. We cannot just say have it. We talked a lot about today, how we do the capacity‑building and support the governments, how you give them the right tools.
The last point about prioritization, one of the projects that we like is, I would call right questions but not necessarily right answers approach, which means we need to help governments and stakeholders to ask the right questions, but the answers may be different from different countries. What is a priority could depend on a level of maturity of the existing Cybersecurity system, but also ‑‑ I agree with Chris, sometimes it's better to have a strategy and implement it, but also a practice sometimes says it's easier to start with a SIRT and while you build a SIRT, you start building awareness what is needed. Other stakeholders get interested. You can build other elements of that.
You have to be opportunistic about that. It is not only about what is right to become first, but where you can actually make it end as well.
>> PAUL BLAKER: Thank you. The line is now closed. We will take a comment from Lara Pace. Two more questions and then we will have to move on.
>> LARA PACE: I completely agree with what Chris said in terms of having a strategy. Multistakeholder consultation is really important for that, the broadest consultation as possible. But what we are thinking about at the moment, the priority on developing the strategy is essential. But we also need to make sure that we have an allocation of thought in terms of implementation.
We don't want all these various stakeholders working with other stakeholders from across the world developing national strategies, and they are just beautiful documents but it's difficult to implement them. In the development of the strategies, we need to make sure that there is an allocation of thought and resource to make sure that there is a sustainable implementation plan on that.
>> PAUL BLAKER: I go to the questions from the floor, please. Could you keep your questions to one minute, if possible. Please introduce yourself.
>> AUDIENCE: Steve Zeltzer with labortech.net and LaborNet. I have a real concern, and we do, about the effect of the trade agreements like the Trans‑Pacific Partnership, TPP for example, as far as democratic rights of communication, because under the TPP which has been just released, it would criminalize whistle‑blowing by extending trade secret laws without mandatory exemptions for whistle‑blowers or journalists. It would compel ISPs to take down Web sites without a court order and associate a domain name with a real name and address. This is part of the TPP agreement. Rules are being established already that threaten democratic rights of communication for journalists and others. This has to be addressed by the effect on communication and freedom of information. Thank you.
>> PAUL BLAKER: Thank you, sir. You have the floor.
>> AUDIENCE: Thomas Richmond, director for cyber Forum policy at the German foreign office. I will skip the observation I wanted to make on political importance of capacity‑building like bringing all governments at the same level, but mention another element in the GGE report, confidence‑building measure as a way of developing capacity of states to address security problems.
We are trying to push for, to develop confidence‑building measures, setting up mechanisms that would allow the collectivity of states and governments to check and to assess incidents that might happen, so one state where incident happens can address his group, and take it to the group, and see whether anything malicious was behind this.
My question is, really to the non‑governmental members of this panel, how do you see these interstate confidence building measures, is that a way forward? Or is it preposterous to try to copy what we have learned in the 1970s and '80s in classical arms reduction, for example.
>> PAUL BLAKER: Thank you. We can't take any more questions from the floor now. There will be another chance for questions later. We have two questions, one around trans‑Atlantic trade agreement, one around confidence building. Is there a member of the panel who would like to respond?
>> JEREMY MALCOLM: Trans‑Atlantic partnerships is one of my main interests. I agree it is out of place for rules that affect Cybersecurity or more broadly Internet Governance to be placed in trade agreements. It is the wrong venue. It is not multistakeholder at all. If we can think of the worst place to negotiate such agreements, it would be in the TPP.
You are right that some of these aspects that you mention do have a relation to Cybersecurity. For example, the trade secrets provision is not a conventional trade secrets provision. It is more of a mashup between trade secrets and cyber espionage.
I'm not saying these are not important issues, but they are not issues that should be negotiated in exchange for market concessions on rice or automobile parts. They are discrete issues that need to be discussed in a multistakeholder setting. The domain name issue that you mentioned where you have to submit to certain domain name rules in the TPP, there is no reason why that should be discussed in that Forum, given that ICANN is a fully multistakeholder process for developing policies on domain names.
I'd be interested to hear if Mr. Painter has anything to say about the apparent disparity between the multistakeholder model that the U.S. administration promotes, and the fact that rules on Internet Governance are being dealt with in the closed trade agreements such as the TPP.
>> PAUL BLAKER: Thank you. Milton Mueller. Comment?
>> MILTON MUELLER: Right. I want to make it clear I'm very much in favor of free trade. I agree with Jeremy that there is an unfortunate pattern in the U.S. of intellectual property interests throwing things into trade agreements that are not about trade, but are trying to leverage U.S. market access to get certain kind of enforcement mechanisms that they want.
I think this is, we badly need to open trade and improve trade, and they are, the U.S. is often risking that value in creating opposition to trade agreements by making these concessions to nontrade issues.
I'd like to address, however, the other question that was asked about the confidence‑building measures. In fact, that was why I asked the question to Mr. Painter about the multistakeholder nature. I certainly understand when we are dealing with cyber weapons and cyber arms control, that in some sense we are dealing with a traditional state‑based laws of war kind of negotiation. I don't see that there is anything inherently wrong with the fact that states are going off in a room by themselves.
However, I think that the larger Cybersecurity problem as I said earlier has to be handled in a distributed, decentralized and multistakeholder way, and equally important, we have to resist the tendency of states to try to jurisdictionalize or border cyberspace along national territorial grounds.
This is, in the name of Cybersecurity, we have to really, that is something that fundamentally threatens the nature of the Internet.
>> PAUL BLAKER: Thank you. We are already starting to move to our next topic which is around multistakeholderism. I will ask Chris to respond to some of the points when he speaks in the next section.
But for now I'll hand it back to my co‑moderator. Thank you.
>> WOUT DE NATRIS: Thank you, Paul. Yes, it's on. Multistakeholderism is the next topic, we are moving on.
The main question that we are putting down here are what are examples of successful proactive and reactive collaborations to address Cybersecurity challenges, even nationally, regionally, or globally within a sector or across sectors.
We are going to do that on the basis of three questions. How can we amplify multistakeholder participation in promoting national stability of the Internet and enhancing cooperation in global Internet Governance toward a secure cyberspace. The second question, how do we enhance digital trust and protect privacy through bilateral and multistakeholder initiatives and collaborative spaces. The third question, what case studies are available?
I'm going to open the floor with Microsoft and ask Carolyn, Carolyn Nguyen to make an intervention.
>> CAROLYN NGUYEN: Thank you very much. Thank you very much for enabling me to participate in this panel.
A couple of things, because our name has been mentioned a couple times now this morning. I want to start by first addressing that which is the notion of trust and notion of trustworthiness. Several speakers this morning mentioned that the focus of the conversation needs to be about establishing a trusted relationship within the ecosystem, and it's not just about technology.
That for us is very much important. We are the one, we were the ones who launched a concept of trustworthiness, initially at the computing system, but now increasingly that has to be trustworthiness of the ecosystem. It is within that context and that process that we have been working to enable trust with our partners, our users, but also governments of the countries in which we work.
That was part of the conversation that Milton brought up with respect to the issue that we have with the Irish Government and our actions against the U.S. Government. It is entirely to try to establish trust and address surveillance issues that have come up around the world. Without that trust within the ecosystem, it is not possible to address many of the vision and realize that.
From that I want to move to the question of the panel which is very much about multistakeholder. We strongly believe that there is no one stakeholder that can solve and address this issue. Let me take a couple examples. Within Microsoft, we have tried to establish software that are safe and trustworthy for all users around the world. With respect to that, we collect information and data to understand the impact of malware infection rates around the world.
In 2013, Microsoft established the digital crimes unit, which is a, where we work to take down botnets. The organization includes former prosecutors, police officers, technical analysts, bankers, engineers and physicists. We work very closely with law enforcement agencies around the world as well as governments around the world.
We have operations in Washington, Brussels, Singapore, Beijing, Berlin and Tokyo. This is where we address the question of transparency.
Within the center, let me talk about some of the multistakeholder examples. I'll highlight two. One is the capture of botnet which targeted banks and customers in Europe. We worked on this with the UK Government. What came out of this, and this is more in the reactive category, we partnered and announced a partnership with the financial services information sharing and analysis center. Those of you who are not familiar with it, it is the global financial industry's go‑to resource for cyber and physical threat intelligence analysis and sharing. In September of last year we announced a part that where we will make our own cyber threat intelligence program available to ISOC members, so they can receive realtime information on known malware infections that are affecting more than 67 million unique IP addresses around the world.
There is also information, such as DDoS attacks as well as botnets. The second one, there was another speaker this morning who mentioned that Cybersecurity is about establishing safety for users of Cybersecurity, and within that, what we have done is to address online sexual information against children to help identify and recover missing children.
This is where we work jointly to create tools to address these issues, to identify photos, and contribute that to the Center for Missing and Exploited Children. It has been adopted by Interpol as recovery efforts internationally.
On the reactive side, as part of our operations we strongly believe in creating a safer Cybersecurity model for all, and it is that, within that, that we start to explore predictive Cybersecurity models that can advance the understanding of key technical and nontechnical factors that contribute to Cybersecurity.
In this we started exploring working together with the Martin school, a multistakeholder model, to address how, what are the quantitative as well as qualitative factors that can help to address and assess the cyber capacity of countries around the world. Those are examples of multistakeholder processes, both reactive as well as proactive, that are ongoing and being implemented today.
>> WOUT DE NATRIS: Thank you. I'll move to your neighbor, Audrey Plonk with Intel. You have the floor.
>> AUDREY PLONK: Thank you. I think we have already had quite a robust discussion about multistakeholder on this topic already. Not to duplicate anything that's already been said, the first question about how do we amplify multistakeholder participation in promoting international stability, this gets to the points that Milton has brought up and responses from Mr. Painter.
I think that a little bit more openness around this topic, I agree with others that have said it's important that governments get behind closed doors and talk about this, these issues, Government to Government. But I also think it's important that what comes out of those processes and those discussions be shared in a broader context, and that Civil Society and the private sector are invited to understand what the issues are, and provide a perspective, because I think the piece of the Internet community that differs from maybe other more traditional topics on disarmament and arms issues, is the global distribution of the network and the degree to which these resources that are being used in conflict are built privately by the private sector and often operated there.
There is opportunity. It sounds like the U.S. has interesting proposals for conferences to bring that discussion to a broader audience. I welcome learning more about that.
But that type of discussion could benefit greatly from that sort of input from the, more from the multistakeholder community.
I think Carolyn has already touched on examples, and some other colleagues have mentioned the anti‑phishing working group, the M3AAWG, the messaging and anti‑abuse working group. I'll go back to my earlier comment about the umbrella of a chapeau nature of Cybersecurity. If you broke it down into specific components like incident response, or national strategies, or public/private partnerships, you would see that within those there is a variety of examples on how multistakeholder communities come together. There is a lot of opportunity for improvement. To the question that Matthew brought up, how do we implement that in a policy, and a policy format, I think that is the challenge that's worth discussing in this session and others going forward. How does the community, multistakeholder community encourage open processes around Cybersecurity policymaking in different countries is the goals that came out of the Dutch conference.
One example I will give that I don't know has been given, since our Dutch colleagues have unfortunately gone, but I would defer to Mr. Painter on this as well, but the process of the global cyberspace conference has started in a much more closed fashion and have evolved over the years to be more open and multistakeholder.
The evolution of that, and I'm not trying to say it's perfect, I'm just saying it has certainly advanced from a Government, intended to be a Government discussion to having a more participation. I think that is very welcome by the community and something we can point to, to show the benefit of opening up discussions around Cybersecurity specifically, but also broader Internet Governance issues to the multistakeholder community. Thank you.
>> WOUT DE NATRIS: Thank you. Next, Michael Kaiser. I have to read it, which is the National Cyber Safety Alliance and please, the floor is yours.
>> MICHAEL KAISER: Thank you. It's an honor and privilege to be here. Thank you for having us in, and our moderators for doing such a fine job this morning. You are doing great. I'm going to talk about a specific multistakeholder approach. We are the National Cybersecurity Alliance, a public‑private organization, funded by industry and Government. We are created as a multistakeholder partnership to do work in education awareness.
It is not just that we participate in multistakeholder processes, but we are a multistakeholder process. We very much believe in this.
I'm going to talk quickly. One of the questions we haven't talked about is why we even have a multistakeholder process in Cybersecurity. Why is it important? The scale is gigantic. There is no one who can do this on their own. We have to do this together. No one owns this all together. Everybody owns this. Cybersecurity is something we all own, governments own it, NGOs, industry, individual users own it. We all own this together. Therefore, we have to work together on this.
The other part is that Cybersecurity is not cheap. There is no one who is going to pay for all this. We are only going to get this done if we leverage the investments that we are all making together. We have to find a way to take the investments that we do have and put those together to create something that's bigger than what we can do on our own. That is an important element that underlies this. We have to reduce duplication of effort. If we have everybody trying to solve the problem on their own, everybody is coming up with different solutions. We are going to have duplication all over the place. People are only going to invest so much in different efforts.
We have to look at the stakeholder efforts as addressing two different levels. One is ecosystem level security, which is what we talked about here, but the other is the other part of this, is that we have to have every individual network protected as well. Sometimes we need to split those out a little in order to figure out the best way to do that.
Some of the elements that I see in these public‑private multistakeholder processes are, you have to have broad involvement, and you have to be open to letting people at the table and you have to let them in at any part in the process. You can start down a path and be way down the path and there is new people you find. Guess what? You have to open the door and let them in. You don't have a choice. That is what a true multistakeholder process is.
It starts with a narrow focus as being very important. It has to be grounded in a shared problem. Our best experience has been around messaging. We discovered there was a shared problem. There was no consistent messaging about Cybersecurity in the United States and we came up with a stop, think, connect campaign, by 25 companies, 7 federal agencies working collectively over a year, conducting research, talking to consumers, hashing out issues that could create something we can all use together. That has to be at the end of the day. If we can't all use it, it is not a multistakeholder process. Self‑interest is important and it is fine.
Multistakeholder processes must allow people to come to the table and must be able to express their self‑interest and that self‑interest must be incorporated into the end result, because we do have self‑interest, and to say we are putting those aside, we will never end up in a result that will be good.
Finally, I think that we have to look at this as an effort that is owned by the partnership and not created on behalf of, by somebody else. Nobody else can create a multistakeholder process for somebody else. You have to be part of it. It has to be owned. Ours always operate by consensus. Literally by consensus. If one person says I don't like it, we change it. We fix it. We work to make it right.
You build these little agreements all along the way in order to make this happen. You have to have a way forward but you have to be flexible.
You have to give people meaningful participation. There has to be assignments to get it done. In our process to creating stop think connect, people reviewed the survey instrument. People raised their hand and figured out what kinds of collateral need to be created. People raise their hands and figured out the agendas for the next meetings. That is really important. I'll end with one other little important part of a multistakeholder in Cybersecurity, and that is at the end of the day, everything we all do to be safer online makes the Internet more secure for everybody else.
How we implement that through multistakeholder is everybody doing their part, makes it better for everybody else. That is really an important element. Thank you.
>> WOUT DE NATRIS: Thank you. We have a remote participant and then I'm going to ask the panel to reflect on what we have heard. The remote participant, please.
>> Remote participant: Thanks, chair. We have a question: Where should the role and responsibility of national Government begin and end in cyberspace in respect to Cybersecurity?
>> WOUT DE NATRIS: That is a good question indeed. Thank you very much. Who would like to start with that question before we go to reflection on presentations? Chris, as Government?
>> CHRIS PAINTER: Government has an important role. But Government doesn't have the only role. I agree with Milton. This has to be, there is different stakeholders who have a major role and the general concept of Cybersecurity which is quite broad, so there are certain aspects Government has unique abilities, and capabilities and there is many others where the private sector and Civil Society may have better capabilities than the Government, surprisingly.
You need to have, not really surprisingly, I'm using that facetiously. It is important to have this distributed approach. That is what we have been pursuing.
To answer some of the other questions, Audrey was saying the GCC, yes, that has been an evolution of that conference where more stakeholders have been brought into the planning stages, and that is something that was seen as an important process point.
On the question on the TPP, I'd say that is a very important agreement, and I think one of the things that it helps preserve, frankly, is freedom of expression by defending against the threat of balkanization of the Internet through the creation of firewalls in borders. In the U.S. and every country that is a member there will be a consultation and debate. The text is online in the U.S. among stakeholders about that agreement.
Finally on the issue of CBMs, that is an important part of our greater work on stability. There has been work done in the OSCE, the Organization for Security and Co-operation in Europe. We did a capacity‑building seminar on CBMs with Singapore, partnering with Singapore for the ASEAN regional Forum.
These and other things are transparency measures. Part are cooperative measures. They are not just Government oriented but can include other stakeholders. All those things will be important going forward.
>> WOUT DE NATRIS: Marco.
>> MARCO HOGEWONIG: Thank you. Not a direct comment to the question but picking up on things that were said. At a technical level we say security by obscurity is bad. That also applies to this level. We need to start by trusting each other that we all share the same objectives, public and private sector. We all want to maintain the security and stability of the Internet.
I don't believe that one stakeholder can do this. We need to cooperate and use each other's expertise and capacities to mitigate interests. I think it's important to enhance a multistakeholder system and participate in each other's processes, to share information and discuss what each stakeholder can do within their mandate to help mitigate a current and emerging threat.
>> RAHUL GOSAIN: Taking off from what Mr. Chris Painter said and from where he agreed with Milton, and also from the specific question, the last question which was asked, what constitutes, what is the domain in which the Government should be getting involved, and what are the domains which should be left to the others, which are best handled by their own respective set of competencies. So possibly I would be sort of interested to know if there is any larger discussion on this specific subject, and maybe what is the appropriate formula. This could be sort of beaten out properly and sort of constructed in the form of a particular model, so that it's more easily understandable, and we have a common understanding on this issue, number one.
Number two, on the point of multistakeholderism, I support a point well‑made by Michael which I think is basically, although multistakeholderism and the point he made was that there is far too many technical bodies to have a one‑stop shop kind of approach, which defines all the standards and covers all the inclusive things which are very well‑made out points. So how to get multistakeholderism in such kind of a scenario is the real challenge, and maybe if somebody could sort of drill that further, and sort of offer us greater insight into that. Thank you.
>> WOUT DE NATRIS: We will turn to the room. Are there any questions? Please come up to the microphone. I understand you can only do that in a traditional way. I've learned something today also. But perhaps before somebody does so, I'd like to make one comment.
IGF has best practice fora. One of them is about mitigation and regulation of communications and what it did ‑‑ not so much look for best practices, but for best practices in case studies, where things actually went very well, and not only from the public side but especially also from the private side.
I think that would be very interesting to look at these examples that were provided there, as they really are telling about ways that within countries things can go forward in successful ways.
So that is just a tip. Michael, you would like to make an intervention?
>> MICHAEL KAISER: A point on the question about Government. If you are looking at a multistakeholder approach, Government is a stakeholder. Government has interests to sit at the table on these issues. It is just being honest about those. That is all it takes. That is how it starts. Yeah, Government has interest. Different governments have different interests. It depends who you are talking to at any given time.
There are interested parties at the table. Maybe they have other things they bring like resources or expertise or abilities to manage different kinds of processes in different ways, but that is what a multistakeholder process is. It brings the people who have a say and a stake in the outcome, and Government is always going to be one in Cybersecurity, pretty much in everything. But sometimes they are not always the lead stakeholder. Right? They can be a secondary stakeholder. It could be a tertiary stakeholder.
But you have to look at it that way. That equals the process across the table.
>> WOUT DE NATRIS: Jeremy.
>> JEREMY MALCOLM: I agree with that. We have moved on in our understanding of what multistakeholder processes can and should be since WSIS, when originally there was that fixed rigid definition of the roles and responsibilities of stakeholders, in which governments had sovereign authority over public policy issues involving the Internet and everyone else was advising on the sidelines.
NETMundial statement was a progression from that in recognizing that the roles and responsibilities of stakeholders can vary issue by issue. I don't think anyone would deny that Cybersecurity is an issue in which governments will always have a role, as Michael said. And there is also evidence I think as Audrey pointed out that governments hold themselves recognizing now that they don't have the only role though, so in future, as we continue on our path of continuous improvement of multistakeholder processes, I think we are going to see that the roles of the other stakeholders in Cybersecurity will be better recognized.
>> WOUT DE NATRIS: Thank you. I don't see anyone queuing up. But there is still comments from around the table. Marco, please.
>> MARCO HOGEWONIG: Yeah. I want to second what Michael said. Governments are a stakeholder in the process. All the technical community venues are open to everybody for participation. I would like to highlight specific efforts that are taken on; for instance, the organizing Government round tables to specifically inform Government and get them to participate in our process, but also the work that, as you mentioned, in the technical standards work that the Internet Society is doing, and trying to get Government people and Governments themselves more comfortable in participating in standardization projects.
We are happy to take on board more comments on how you think we can enhance that process. But we are doing a lot of effort in getting other stakeholders involved in what from the outside seems like a closed environment. The technical community is open to participation.
>> WOUT DE NATRIS: Clear invitation I think to others. Do you think that it's difficult to reach out as a technical community towards the Government, to actually understand the conversations? Or do they just not show up? What happens?
>> MARCO HOGEWONIG: I think it's a multifaceted business. Of course, venues like the Internet Governance Forum and regional and national initiatives were great in bridging the gap, and making the contact, inviting people over.
Participation in the different processes, it depends. Again to speak to my earlier intervention, you don't need to solve it yourself. It's also important that you just go to the microphone and explicitly state your needs and explicitly clarify what your objectives are, and have the technical people with their expertise help you in achieving those goals.
It's not fully about totally understanding the technical processes, but at least please participate and please state your needs at the right time within the processes to make sure that the technical community can accommodate those needs.
>> WOUT DE NATRIS: Thank you. We have a question. Please introduce yourself.
>> AUDIENCE: I'm from India. I would like to make a comment. In a multistakeholder model, the developing and developed countries and IT industry may play a vital role in helping those who are lacking in terms of technical knowledge for Sustainable Development of Internet. We need to discuss this here and also agree to something which will help to, help in raising funds for the underdeveloped countries. I would like to add, this will help in setting up Cybersecurity excellence centres in these countries.
>> RAHUL GOSAIN: Building aspect, probably I'm sure a lot needs to be done in that direction, and the governments are certainly committed to doing much more in that direction. Certainly international cooperation in that area will also go a long way. So we will be consulting help from all other colleague countries, so that we can also make improvements in that in the end applies leverage our capacities to the best of our capabilities. Thank you.
>> WOUT DE NATRIS: Probably also unfortunately, the GFCE people have left but that sort of initiative in which these sorts of questions are actually being addressed, and hopefully solved.
>> RAHUL GOSAIN: Yes, yes.
>> WOUT DE NATRIS: Thank you. I see another question at the back. First that gentleman, and then you. Please introduce yourself.
>> AUDIENCE: First Lieutenant Arthur from Brazilian army. I'd like to know what is the contribution of open source initiatives in this multistakeholder task force. (pause).
>> MARCO HOGEWONIG: You want to take another question first?
>> WOUT DE NATRIS: No, that is fine; answer the question if you can.
>> MARCO HOGEWONIG: In a sense I think open source and open source community itself is a multistakeholder process. I think that is one of the benefits of open source, is you can contribute, and everything happens out in the open, which from a security paradigm is a good thing, we believe.
I'm not exactly sure whether I captured your question correctly. What is the role of open source in multistakeholder, we should see open source, and especially the larger developments that go on as one of the multistakeholder processes, where I believe everybody should have their role and their say in what their needs are, and work on this together to enhance the security.
>> AUDIENCE: Thank you for the opportunity. My name is Zak Paretti, I'm from Institute of Education. My question is about the Governments who are bad actors, such as Iran, Russia and China. And actually they do not play a positive role. Of course, they are stakeholders. I want to know what is their role in this process. As I'm talking here, many, probably hundreds as the Government mentioned 50 people are arrested because being on social media, for expressing their idea on Facebook or Twitter or whatever. Thank you.
>> WOUT DE NATRIS: We will take one final question. Thank you for that comment.
>> AUDIENCE: Thanks a lot. Dominica, Professor of Constitutional Law, University of Naples. I was wondering if there is a contradiction between the European and also American policy in Cybersecurity, and on the other hand, the policy that aims to force over the top to create the back doors, because the back doors, if they allow Government to enter the platform, at the same time make this platform less secure. That's all. Thanks.
>> WOUT DE NATRIS: Thank you. Anyone would like to respond to that more comment than question? Then any last thoughts of the panel on this topic? Otherwise I'll hand over to Paul to do the last section of this stimulating debate.
>> PAUL BLAKER: Thank you. We are now moving into the last section of our conversation this morning. We would like to start to think about what the next steps should be, what practical and concrete steps can be taken, what initiatives can be implemented, what evidence‑based research is needed, and we set two questions for this concluding part of the discussion.
First question, how can Cybersecurity be more open, accountable and transparent? Secondly, what are the next steps and what processes can and should be part of those next steps? I'm going to ask Jeremy to kick off with a few thoughts on that, before opening it up again to the rest of the panel and to the floor.
Jeremy, would you like to say a few words to start us off? Thanks.
>> JEREMY MALCOLM: I could unless someone else would like to go first because I wasn't expecting that. Does anyone else wish to go first while I ponder? If not, let me express some thoughts.
I think in terms of openness of the Cybersecurity initiatives, there is obviously a definite need for reform of national surveillance practices that were exposed by Edward Snowden. This is not just something we can lay at the foot of the United States, either. We have to look at what GCHQ was doing, what the 7 eyes are doing. And in terms of both Congressional and legal challenges in court, and in terms of the open Government partnership and various other avenues for expanding openness and transparency of these practices, we have still got a long, long way to go.
That is something that we haven't really spoken too much about in this panel. But I thought I'd throw that in.
>> PAUL BLAKER: Thank you. I'll pass the microphone to Chris to say a few words. This will also be then a final chance for questions, comments from the floor. I'll ask other panelists if they want to contribute. I'm also warning panelists now that I'm going to ask you to talk about one new thing that you have learned from this conversation. So you have time to prepare. But before we get to that, I'll ask Chris to make a contribution.
>> CHRIS PAINTER: In terms of next steps, as the discussion has shown today, it is critically important for us to continue to have these conversations in formats like this; not just in the format here, but also in the regional and national IGFs. This is a very important component of all of those. I'd urge this to be included to the extent it isn't already in those various fora.
Then of course, some of the next steps revolve around the importance of capacity‑building and the Global Forum for Cyber Expertise and work that is being done which carries out and through almost every topic we talk to. The final thing, we need to have these conversations here too. That is why it's critically important the IGF actually continue its existence for a substantial period of time to bring predictability. We have called for an extension as you know of the IGF at the UN General Assembly. We call for it again today. We know that many stakeholders have also joined in that call. We think this illustrates how valuable this Forum is.
>> PAUL BLAKER: Thank you very much. Tomas Lamanauskas, you have the floor, and after you, Carolyn.
>> TOMAS LAMANAUSKAS: Thanks a lot. First of all, in terms of next steps, and when we discuss the Cybersecurity and how to progress on that, it is important to include universality so we have stakeholders from all nations at the table. And other panelists mentioned that Cybersecurity is different from other areas, in regard that it's Democratic. The issues can come from anywhere. And also anyone needs to be protected in the same way. We need to avoid the discussions about people without them being at the table. How do we bring them together?
In that sense there are challenges as well. There is the number of forums and foras and discussion platforms that we have, cyber Alps, I remember one conference, there are so many. Now we have cyber Alps. So the question is how do we get that alignment, because again, we can't expect every stakeholder from everywhere participate in every fora.
How do we maybe try to break down into issues, maybe have a more issue related discussion and start understanding that we can no longer talk about this broad thing. Now there are various different issues that maybe we can bring different people to discuss them, and ensure the right people are around the table and also the right people could participate, so they know how to participate in the processes in the past and can come. Thanks a lot.
>> PAUL BLAKER: The Rocky Mountains maybe more than the Alps, but Carolyn.
>> CAROLYN NGUYEN: Thank you. I'd like to second Chris's call with respect to expanding the conversations into the regional and national IGF as well, because one of the points that's come out from this conversation is the need to create additional awareness on the issue. I want to bring up another point, IGF as a platform was created to bridge the digital divide, and within the WSIS review there is a call for addressing closer relationships between the WSIS action lines and the SDG. As we know, Cybersecurity has a critical importance in advancing the 2030 agenda, so within that, similar to what was done in the past year with respect to policy options, Connecting the Next Billion, the next step is policy options for enabling Cybersecurity. And specifically within the context of bridging the digital divide, it's very much about cyber capacity‑building, I think which is something that all the stakeholders around the table and in the broader IGF globally around the world can agree on.
That is one very concrete step that I'd like to put forth. It would also create awareness and visibility of all the different multistakeholder initiatives that are already ongoing around the world.
Then to Jeremy's comment with respect to the open Government partnership, that is reaching out to our stakeholders. There are other organizations, very similar to the open Government partnership, which are addressing exactly the same issues in a multistakeholder Forum. It would be nice to identify some of those organizations and also bring them into the table.
>> PAUL BLAKER: Thank you. Now I'd like to open it up to the floor, if there are any thoughts on the next steps or any concluding thoughts as we start to draw the threads together. Now is your opportunity to come to the microphone, ask a question, or contribute. Or if there are any questions or comments from remote participation. Sir, you have the floor.
>> AUDIENCE: Hi, it's Fabricio again. My question is, we definitely know that we need to engage more people from other stakeholders, we know that we have to try, and I gave the suggestion of going there, and bringing them to events. But my question to you would be, who should be in charge of doing that? Who should be the ones going to the event and trying to bring other stakeholder groups? How do we deal with that? Is that something that we would deal in the IGF, would it be some organization like ISOC? Do we have someone that is doing that? Or maybe we should create another kind of organization to start doing this collaboration and efforts with other stakeholders groups.
>> PAUL BLAKER: Thank you. Who would like to comment on the question?
>> CHRIS PAINTER: I do think there is a challenge in making sure that people are involved in all these conversations. But I don't think creating a centralized way to do this is the way to go about it. What we have heard from panelists is there is so many, there is a richness of the various opportunities out there for people to participate. We just need to make sure those are as inclusive as possible. I think reflecting on my colleague from Oxford, doing things, and even with my colleague from the ITU, doing things that list what is available out there, and that people can understand what they can participate in, really is a more effective way than trying to create some sort of bureaucratic structure that would do this, because I don't think any one organization can do it alone.
ISOC has a role. Many institutions around the world have a role. Some of them are regional and some are international and some of them are national.
>> SUBI CHATURVEDI: Briefly responding to the question, this year the MAG opened up to a new stakeholder community and that has about three EU representatives, it has opened for the first time. We also believe that each of us carries with us this responsibility of bringing new people with us, whether it's workshops, the way the rating systems evolved from the last two years, how we have been able to privilege and also prioritize and through a formative action bring in new voices, in terms of giving them the benefit of first time proposals. It's also ISOC, many new ISOC ambassadors, ICANN fellowships, but whether it's introducing people through remote participation, also taking us with us the learning that we take from here, and that truly is the value of the IGF process as a platform, which is inclusive in bottom‑up and allows open participation.
I think the onus lies with governments to create more fellowships with communication and ICT departments, but also intergovernmental bodies to make these meetings more open and accessible, and also with each of us to take these learnings to each of our respective stakeholder groups, write about it, blog about it, and the Internet is all yours.
>> PAUL BLAKER: Thank you. I'll ask Michael and we have one more question.
>> MICHAEL KAISER: Yeah. My answer to that question is a couple fold. One is, you can look to the processes that are out there, and try and gauge, or you can create your own.
I think that is part of the multistakeholder process has to happen at every level. It doesn't just happen way up here. It can happen far down into the community.
We didn't talk about this because we have multistakeholder, but also critical are partnerships. It is who you decide to work with in your own community, to start addressing these issues. Who is right around you in your neighborhood, who is also concerned about this issue, who you should be talking to about this issue and figuring out, how can we do this in our town, our city, our country, our state, whatever your structure is, and start your own multistakeholder process to address the issue locally. We need more of that. We need more at that level, that happening, because that is a next level of engagement in a lot of places.
>> PAUL BLAKER: Thank you. Question from the floor. Please say who you are and where you are from.
>> AUDIENCE: Sally Long from the Open Group. I'm the director of the Open Group's Trusted Technology Forum. All of the discussion that I'm hearing now about bringing together existing initiatives that are out there, I really support that, because our Forum has created a standard and an accreditation program for ICT providers for product integrity and supply chain security.
It's a standard that was created by Microsoft, IBM, HP, CISCO, Juniper, EMZ and a little bit of the DOD. The point is, and it's a best practices standard, so when I heard you all talking about best practices for ICT providers, I thought wouldn't that be great, if we could work together and you could be more aware of that.
I know it's not ‑‑ it's hard to take in every initiative out there. But I think it's important that you don't reinvent what's already there.
I would also like to say this is my first time at the IGF. I'm very amazed at the experience, the passion and the enthusiasm for solving these tough problems. So thank you.
>> PAUL BLAKER: Thank you very much for that. Anyone like to respond on the panel to that point? All right. Thank you.
We are drawing towards our conclusions now. We have covered a really wide range of issues. I'm really impressed at the breadth of the agenda that we have managed to cover. But also the fact that we have looked in some depth at some of the key issues, I really think it has been a valuable session. I certainly learned a lot, and I will take away a lot. And as I warned panelists earlier, we have got a couple of minutes, I'd just like panelists to have a think about one new thing that they have learned from this conversation, the one new take‑away, and share with us what it is that you take away from the discussions so far.
>> ZMARIALAI WAFA: Thank you. Throughout the session, we talked about various topics. This is my first IGF, and I am so delighted to be a part of the panel and the Cybersecurity issues as well.
What we learned was the same theme, the collaborative work of the stakeholders. We each and every panelist is representing an entity, and the way that this whole topic, topics were brought up, we were in a position to answer them. So I would say the IGF itself is a good example of bringing different stakeholders to one table, addressing the challenges. Thank you very much.
>> MARCO HOGEWONIG: I think the composition of the panel and the open discussion should be a template for the discussions happening in the other fora, and at the other levels and their inclusiveness. So that is the one thing I should take away, but I'd like to observe that as much as you wish, you should not force people, forcibly exclude people from anything, we cannot also not force them to participate. The invites are there, fora are open, but you have to take the step and participate and be willing to sit at the table. That is also a great take away from this.
>> TOMAS LAMANAUSKAS: More confirmation. Expansion of the multi‑faceted plenary should come with issue of Cybersecurity, when hearing the questions from Government actions to open source, you can see how different issues come into the play now, how we need to bring people who are accessing that, in those different topics, if we want to make good progress on that.
>> LARA PACE: I wanted to reiterate the importance on the capacity‑building element which we focused on, we spoke about earlier. And I think that when we are looking about, when we are thinking about next steps and Cybersecurity, we really need to try and raise the awareness across the stakeholders, as we spoke about earlier, and try and build a skilled workforce, but also a skilled Civil Society as much as possible.
We really need to get the message out there. And I don't think it's incredibly challenging or expensive. If we work together we can come up with meaningful, practical collaborative approaches to addressing those very big challenges. I look forward to hearing what everybody.
>> JEREMY MALCOLM: One of the take‑aways from me, which I heard from Michael but which I've been thinking about, is different governments have different interests in Cybersecurity, and we at the IGF tend to divide the stakeholder groups up into these blocks of governments as a whole and private sector as a whole and Civil Society as a whole. That is inflexible, particularly in this area, where we know that there are divisions that need to be recognized and worked through.
One of the ways in which the multistakeholder model can evolve is in recognizing that stakeholder groups aren't unitary, and it may sometimes be beneficial to split them up into groups of common interests. And maybe that is something that we could see in the future evolution of Cybersecurity discussions.
>> PAUL BLAKER: Thank you.
>> WOUT DE NATRIS: Maybe completely as a moderator but also of course I take something home with me, we have talked a lot about openness, about trust, about capacity‑building, about awareness‑raising, about security, about surveillance of course, but also what struck me is the where is the weakest link, and we point to some countries in this case, but it's also about Cybersecurity. If we had to fill this room with the number of parties that are involved in Cybersecurity, it would probably not be big enough.
It's impossible to ever reach out to all those that should be participating. You can't force them to participate, as Marco says. But there are sort of parties that probably we never even heard of but determine how safe our devices are, or our lives are nowadays.
So what I would like to share with you, and perhaps that you can take home with you, next year, most likely, who are the main people in a community that is, or business community, that is not present now, that we would like to have here next year, and how do we make them come and make it attractive enough for them to come?
I can give a personal example of work that I've been doing, I've been trying to get input for best practices, etcetera, and people say what is the IGF, why would I put effort into doing this? Now some people actually are here because they saw the potential for their own work. How can we make it attractive for people that do not know about the IGF, but we want to have here next year? That is something we can all do and all think about and all reach out on.
That is what I'd take away from the session. Perhaps we can have a completely different conversation next year.
>> PAUL BLAKER: Thank you. Carolyn.
>> CAROLYN NGUYEN: Thank you. I want to reiterate the other comments already that there are, I was struck by the amount of passion but also the agreements at the high level in terms of some of the concepts that need to create trust, multistakeholder, etcetera.
But I think a clear take‑away for me is that we need to figure out how to harvest that passion by focusing on what is a specific issue within Cybersecurity that we want to bring people together to solve. I think Michael, you made that comment earlier on, because the approach has to be issue‑specific, and that is another way to bring people to the table.
It is about interest. That way, you can have a productive conversation, and a very specific conversation.
>> PAUL BLAKER: Thank you. Chris.
>> CHRIS PAINTER: I've been to several IGFs, and I see this conversation, particularly this conversation has evolved and become better every year. That is an important trend line. I do think that the workshops provide a good place to talk about best practices, and then bring that together in a panel or a plenary session or main session or whatever they call it next year, like this.
I think that's very helpful. I do think one thing that it will be up to Mexico to, who will be hosting this, to really promote, is that I think you don't always get all the expertise you need in discussions like this, because people don't really know what the Internet Governance Forum is, or may say that is about Internet Governance, and they think about it as a narrow term and it is for many people, but we have to get the people that do the issues, Cybersecurity issues, from Government, who might not be coming to the Internet Governance Forum. They think of it as not in their area. Got promotion, advertising campaign and outreach to make sure that those folks know how broad the agenda is, not just in this area but across the board in issues we face in cyberspace, would help to make the conversation richer in the future.
>> PAUL BLAKER: Thank you. Michael.
>> MICHAEL KAISER: A take‑away from me, a couple things, one is there are more people that I have to be working with. (chuckles).
You sit in this room, around this table, go to this conference, and you realize there are so many people doing such good work and that we have to figure out a way to work together even more. That's both a challenge and an opportunity. To the point, this also goes to multistakeholder process too, we talked about, I mentioned that you have to allow everybody to come to the table, but the truth is sometimes you have to pick up the phone and get people to come to the table. Right? Then you have to actually reach out to people to say, it's not just like, do you want to come? Maybe one thing we learned, we need to help get more people to the table at forums like this.
So let us know if we can help.
>> PAUL BLAKER: Thank you. Any final comments?
>> AUDREY PLONK: The problem with going towards the end, everybody has taken the good observations. I agree with Chris. Coming to the IGF for a long time and dealing with Cybersecurity issues in the IGF, I learned about several initiatives I'm not involved in and I'd like to be. But I also think the maturity of the conversation is significantly different than it was even a couple of years ago. I think the level of interest and understanding on the part of the broad community groups is very encouraging, and I think the solution space, the ideas and the solutions that are being discussed here and offered are very practical and for the most part very reasonable and actionable.
I think that speaks to the maturity of the IGF as a venue to discuss these issues, and so I'm very ‑‑ I have learned in all of the Cybersecurity sessions I've been in, definitely something specific that's happening that I didn't know was happening before.
>> PAUL BLAKER: Thank you. That's great.
>> RAHUL GOSAIN: Well, the take‑aways have been far too many for me to ‑‑ this is also my first IGF, like Mr. Wafa who is my colleague on the panel. I echo the same sentiments regarding the richness of the panel as well as the passion with which the comments have come in.
And whether it is about making disparate groups other than a one‑stop shop solution, searching for that elusive one‑stop solution, whether it is that or whether it is ‑‑ I mean the take‑aways have been too many. But it's really been an interesting session, and I have, I'm much the gainer for it. So I take away a lot of things for this and hope to continue to be able to contribute meaningfully and further many such matters. Thanks a lot. Thank you, everyone.
>> PAUL BLAKER: Thank you. Take‑aways have been too many also, I think. That is a sign of a good session. Before I hand back to our Chair on behalf of my co‑moderator and myself, we would like to thank the panelists for their contributions. We made you work very hard. We really appreciate all your engagement. I'd like to thank questioners from the floor, and from remote participation and for your engagement. Perhaps most of all, thanks to Subi and Dominique who organized this session extremely well.
We owe them a big debt of gratitude. Thank you. (applause) With that, I'd like to hand back to our chair for closing remarks.
>> PAULO SERGIO CARVALHO: It's now time to end this session. And we would like to thank our organizers, moderators, panel members. We would like to thank you for this very rich discussion in this theme, authorities, ladies and gentlemen, we would really like to thank you for being here with us during this whole morning, contributing to all our discussions.
I would like now to officially close this session. Thank you.
>> SUBI CHATURVEDI: Also a huge thank you for the translators and the transcription, and our host country. And thank you, chair. Thank you, moderators. You have done an excellent job, three‑hour session, very, very grateful.
(end of session at 12:25 p.m.)