Welcome to the United Nations | Department of Economic and Social Affairs

 

FINAL TRANSCRIPT

EIGHTH INTERNET GOVERNANCE FORUM
BALI
BUILDING BRIDGES ‑ ENHANCING MULTI‑STAKEHOLDER COOPERATION FOR GROWTH AND SUSTAINABLE DEVELOPMENT
THURSDAY, OCTOBER 24, 2013,
2:30 P.M. ‑ 4:00 P.M.
WORKSHOP 175
INTERNET SECURITY THROUGH MULTI‑STAKEHOLDER COOPERATION

 


The following is the output of the real-time captioning taken during the Eigth Meeting of the IGF, in Bali, Indonesia. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.


     So we have a great panel today. We have four people here physically present and we have one participating remotely. And we want it to be an interactive session, so feel free to stand up, and maybe not throw things, but throw questions at us.

So I'm going to say who we have on the panel and then Marco is going to give an introduction.

     That wasn't just me, right?

     So I'm just going to mention the names of who we have on the panel and Marco is going to give introduction and set the scene a little bit, then I'm going to throw a few introductory and tell us about all the various hats you have. Say a few words about those questions.

     Okay. So we have Pete Resnick. We have Merike Kaeo, Constantine, and Robert Guerra, and participating remotely, Tatiana Tropina.

     So, Marco.

     Of course, technical community the operators there to implement those technical standards, that's where it all starts. And not only they're the ones implementing the standards, but from basically the early start of the Internet they were also involved in making secure and responding to incidents. For instance, in spam and everything that sort of grew into the operational community, then as that world got bigger and more important, we saw within the industry specific organizations incorporating on this area and exchanging information to deal with incidents to deal with certain forms of abuse exchanging experience and together coming up with solutions.

     From that you've seen things like team comery and ‑‑ dedicated industry bodies that talk about security. But, of course, also groups like RIPE or NANO, I've got security threats, I've got anti‑abuse working group, and things like that. So there's a huge participation from the technical community. And, of course, I'm inclined to say the other side, that's we're looking incorporation here. But from public sector, of course, the traditional sense, law enforcement always involved in security. Of course, when things illegal happen, ultimately, you need law enforcement there to take action. But also more recently, more dedicated units more dedicated teams to focus on cybersecurity, cyberdefense, et cetera. There you see cooperation in national levels, cooperation in international levels.

     Now, unfortunately, we were expecting a participant from Interpol, but he can't join us for now.

     And then somewhere in between, I think are the surge where you see a good example of public/private cooperation where surge incidents, response teams that again are primarily focused on exchanging data and protection. The moment you seeing something happening on the Internet, what's vital is you take action immediately. You want to get ‑‑ if you see your host spreading viruses, you want to take it offline. If you see mal ware being distributed, you want to act upon it, you want to update your virus scanner et cetera.

     So just to introduce you to the field, the players ‑‑ I can keep going. More recently what we also see is, yeah, what I would describe as data or information clearing houses. You may have heard of the ACDC project that's being funded by the ‑‑ starting off in Germany and exchanging information about it. More local initiatives like the Dutch ‑‑ all sort of try to bring together different groups and exchanging information and together trying to make the Internet a secure place. That's sort of the take we want to have for this workshop is to let's see how we can further enhance that cooperation.

     So I will leave now to I think Nurani to coordinate the panel introductions.

     As we know, the Internet is growing a lot from this very small research network to a network of two and a half billion users. There will be another billion users in 2017. That's mind boggling. That's a few years away, four years away, and there will be one more billion users. 8.2 billion global mobile connections. Alone in China, India and Indonesia there will be 3 billion connections, and Africa will be the fastest growing region. So clearly, the Internet has faced challenges in terms of growth, certainly in terms of security in the past. So it's a system that's going to have to continue to evolve.

     So, what I'd like to ask the panelists as I ask you to introduce yourself is, first of all, what do we mean with security? You know, so let's ‑‑ if we're going to talk about security, let's try to go into specifics. It's often in a very broadly used term it can be entertaining to talk about, but it's not until you go into the specifics that it's helpful. You know, are we talking about someone losing their password? Are we talking about spam? Are we talking about data protect? Architectural vulnerabilities? So for you, what do you see as the most important security questions that you'd like to raise now? Are they work that's ongoing that you think is good and you'd like to share, or challenges that we need to address? What is your role in this? In what way are you involved in this? And also, what can other stakeholders in this ecosystem do? What do you see a need to talk to each other where they might not be doing so at the moment?

     So those are three questions.

     So Nurani asked what I view security as and what are the most important security questions. Jari Arkko in his introductory remarks in the opening ceremony said something I thought was very poignant; when it comes to protocols on the Internet, the IETF builds things with security off by default.  That is specific action to turn the security features of our protocols on when we decide that's important. We go to a website and we say we want to use HTTPS, secure HTTP, that is encrypted only when we're going to our bank or something that deserves security.

     When we use e‑mail, it is almost always in the clear. It is plain text and we only use encryption in the most extreme of circumstances. And I would venture a guess that most people in this room, including myself, don't use encrypted e‑mail most of the time, let alone signed e‑mail, cryptographically signed. I think when I think about those important security questions, I'm thing about do we want to change those assumptions? Do we want to start moving in a way that makes us use security, use those secure protocols as a default way of dealing with the world? And some of the reason we don't do that is I think for basic principle; that we in the IETF and a lot of the technical folks have sort of made the perfect the enemy of the good. We tend to build protocols where we want to be absolutely sure they're secure, instead of ‑‑ and we can talk about this as the discussion goes on, building protocols where you get a good amount of security and if you need perfection, we give you the ability to do that. But if you don't, you still get some good amount of security out of it. And so I think those are the topics that I've been thinking about lately and that folks in the IETF have been thinking about quite a bit.

     I could go on forever, so I'll leave more to the discussion.

     Personally, I've been involved in many various aspects. So I used to build networks. I used to work for a vendor and actually wrote a book on how to create secure networks. It's a Cisco Press book. And I've also helped educate a lot of global constituents about what does security mean in their environments.

I'm also currently on the Security Advisor Council for ICANN. So when I look at security and what does it actually mean, it's a hard thing to define in a very clear manner because there's so many aspects to it. So if you look at it from businesses of critical infrastructure, it's really about risk management. And the thing with security is that it encompasses absolutely everything that deals with electronic data. So it comes down to the physical aspects; right? Who has access to the physical equipment rooms or the devices themselves. And then also it speaks to a large number of areas in terms of access control, how do you authenticate somebody? Do you want integrity? Which means if I'm sending data to somebody, that nobody can take the data and change it on route. Do I want privacy and what do you do with auditing? So the process of actually looking at all of that is everything that encompasses, quote/unquote, security, which I really look at risk management.

     And then if I look at it from a technical perspective, it's really ‑‑ when you're creating protocols, what you're trying to do is you're mitigating, you're trying to mitigate abusive behavior from a technology protocol level or technology level with trade offs for performance and usability. The reason why you don't always ship everything with encryption on and all the security functionality is because there are tradeoffs with performance and usability. So you have to take all of that into account.

     So, considering the definition of security, I will not even attempt to provide a technical definition. I think that what we can identify is that security as a concept is in constant transition. It changes all the time. Thus understands about security change all the time because they get carried away, if you want, from technology and the challenges that we see. What we also know is the fact that the landscape covered by the term cybersecurity includes many types of problems and it certainly includes a great number of solutions. And some of them, of these solutions can be found in the technical sphere, and I'm sure that Pete and ‑‑ I'm sure our techies will speak about it. And also can be involved through education, through policy or through regulation. However, at the same time it is very important to understand that regulation is not always the answer. And I ‑‑ it is very tempting and I understand the need of the nation state if you want to proceed to regulatory frameworks in relation to security. However, because of the fast evolving and the fast paced, actually, changes that we see, we really need at the same time to be very cautious.

     I really think that cooperation and shared responsibility is crucial in the context of security issues. We are all part of the network. I mean, for me security, for example, a couple of year ago only included password and somebody stealing my password. I'm sure that this is not even now a basic. I mean, it's a stupid way of thinking of things. But a lot of people do not know what are the security risks. They don't realize what they're engaging in when they're using the Internet. And I'm not talking about first‑time users. I'm even referring to users like myself who have been using the Internet for many, many years. So it is very important that there is a consistent and dialogue that takes place in the context of security because of the technical difficulties in the complexity, we need to start bringing together closer the communities that are dealing with security issues. We mentioned the IETF, the Internet Society provides institutional home for the IETF and there's a lot of work being done here that it doesn't get the exposure that it should be getting, not only at the level of users, but also at the level of policy makers.

     So I will stop here and just want to say that, you know, as a first step, let's start, folks, the cooperation and we'll, of course, continue this discussion. Thank you.

     In terms of ‑‑ in terms of the definition based on the type of stakeholders or subtypes of stakeholders which are groups really working with time sensitive data for a variety of reasons, they can be for legal cases, corruption cases, a lot of times it's data that if in the wrong hands could lead to serious consequences on people's lives. Then if one uses the definition from that perspective, it could be security for them is making sure when they use technology and the Internet that they can be safe from harm, safe from danger, and they can be protected in either with protocols or with procedures in place to make sure that stays safe and confidential.

     In terms of the role of the citizen lab, as I mentioned earlier, it does work on a couple different things. But in this context is we've been working for many years on advanced research, don cybersecurity, particularly mal ware. We had a study several years ago that discovered that the office of His Holiness, the Dalai Lama, was affected by male ware but so were a variety of different governments, companies around the world, and other involved in this made headlines in the New York Times and many other press. So we've been really following how this resource factor gets attacked and we study and work with a variety of organizations, do forensic analysis ourselves.

     And the importance to that I think is how we can contribute, a lot of times there are a lot of assumptions in terms of what the challenges different organizations are. There's a lot of training that takes place for NGOs. U.S. alone spent well over $150 million supporting initiatives. But where's the data? Where's the research to try and drive that? So we in our humble way try to do that. We'll be coming out with a report later this year. So I think the importance there is what I would say is working on research‑based policy and getting into the question in terms of how, so how I contribute, well, the organization works with a variety of different sectors. Because we're at university, we do something that governments and many others can do is we help convene and we help try to bring different stakeholders together.

     The major issue right now, I think it varies. Had you asked me six months ago, I would say targeted threats and the huge growth of the zero day industry. I think after the revelations of the summer, I think it's the erosion of trust and the changing in terms of the issue of SERTs came up earlier. What we heard earlier in the sessions, I think yesterday at the IGF, is because of national security, the trust is not as realtime, the conversation is realtime, there's a lot of national security agencies that are now being involved in SERTs more and a lot more vulnerabilities I think are in the system.

     And I think another thing in terms of how we contribute, we've been discussing over the last couple months, recently in terms of that it's really important to bridge and create bridges between the technical community and the NGO or research community as well. So we've been saying that and you put me on a panel that bridges the technical community and the research community and the IGF is about bridging. So I'll leave it with that and look forward to the conversation.

     Tatiana, if can you still hear me, you can briefly introduce yourself.

     We can see you, but I can't hear you yet.

     Apart from we are on right track building the next rage in music, may I suggest our remote panelist use the chat and hopefully Chris can relay it without echoing.

     Who do we have online? We've got the channel line from the Max‑Planck Institute and the other one who joined and who already admitted he had audio problems is Kimmo who works in the outreach Department of Interpol. Maybe you both can give a brief opening statement on chat and we'll have ‑‑ we'll come back as soon as Chris has them in, if that's okay.

     Shall we just kick off? Your question?

     Do we really need that? Isn't it better if we leave to it one party to fix these things for us?

>> PETE RESNICK: I'm happy to jump into the fray, because as Konstantinos was talking about this, I was scribbling some notes. One of the things I think is really important about the multi‑stakeholder model is that you're bringing together not just people with different stakes which is, of course, definitionally true, but different expertise. So really has scant little expertise in what it is to make a proper regulation and how to enforce those laws.

     The government has scant little expertise in the technology, and maybe even at different levels what the business community needs out of security.

     One of the things that ‑‑ and we've seen in both directions, one of the things that we run into trouble with is that we either jump into each other’s pools, or we expect the other group, the other stakeholder to take care of everything. And I think neither is useful. So, for instance, government needs to understand when they're making a regulation what technologies are available, and needs to know what they can address and what they can't. And going to the IETF, for instance, and saying why haven't you solved the spam problem? Why haven't you solved the Botnet problem? Is a little silly to us. The answer is because we can't. You're missing ‑‑ we can provide you tools and those tools can help a lot, but someone else has to provide the economic incentives, the regulations, the rest of the things that go with that.

     So I think, yes, there is a problem with trying to make a decision collectively as a multi‑stakeholder group. But understanding each of the groups individual ‑‑ each of the stakeholders individual expertise and using those strengths is the way to accomplish that.

     Yeah, I will ‑‑ actually, want to make two comments here. I absolutely agree with my colleague Pete here about the multi‑stakeholder model just absolutely needs to happen. What is quite interesting, that lawyers spent many, many years understanding the legal frameworks and their policies. Technical people spent many, many, many years understanding the fundamentals of the technologies and creating them. You know, politician, same thing. So we all have our fields of expertise and I think sometimes the challenge is having the patience to understand each other's viewpoints. You can always say, oh, they don't get it, they don't get me. It's okay.

     What I have found, personally, is that I have learned a lot about human rights issues. You know, some of the legislative issues that varying geographic areas have to deal with. That's another point that is extremely challenging from a security perspective when you start talking about different geographic areas because different countries have different laws, you know, sometimes tied to cultural issues. So even, you know, trying to figure out what is actually cybercrime across different countries may be challenging as a definition.

     So I think bringing together multi‑stakeholder model we're educating each other on all of these issues and then collectively in some forms we have to come to some kind of agreement in terms of what is best for all of us. We're not going to have the best solution, but step by step hopefully we'll get there. That's ‑‑ I think the model so far is really working and this is my very first Internet governance forum meeting and I can say I've learned a lot already.

     The second thing, multi ‑‑ so, by default, we are thinking of multistakeholder, government structures that are anxious to discuss those issues. We also need to understand that just because we mention multistakeholderism it doesn't mean automatically we get solutions. Multistakeholderism is not an all‑inclusive concept and it doesn't come with a magic wand that we just wave and suddenly everything is fixed. But one of the great things that it does is that it brings people together that share a common value. And through this common value they share also responsibility. And in the context of the Internet and multistakeholder, this nexus, is the fact this common value is preserving the Internet. It's preserving the open, and interoperable and the generic nature of the Internet. This is a good starting point to bring parties together, us, we've just heard and actually make them sit down and work with one another because there is a lot ‑‑ and governments do not necessarily get it. And I hear it all the time.

     But my response, my automatic response is because I am a policy person, why should they to begin with? The same way that the technical community doesn't really understand the way regulation and policy making is working, governments ‑‑ we cannot expect governments to automatically understand the challenges, the technical especially challenges, surrounding security. That's why we need the technical community to come and explain what these challenges are.

     We saw this happening. Unless we start working together, we will see this happening all the time. Just, you know, a little bit of security, a very clear example has been in the digital context in IPR. Suddenly we saw loss coming about but were endangering things and it's simply the nature of the architect of the Internet simply because policy makers do not understand what those challenges were. So we really need multi‑stakeholder participation. I know it's slow. I know it's occasionally tedious and I know it can be very frustrating. But the alternative positions, I personally believe, are ‑‑ may lead us to paths that might be more challenging and tricky than what we're facing now.

     We've been talking together for six or seven years, and in some cases that then comes back in a national and regional level and it cause ‑‑ it creates a window of opportunity for dialogue and conversation. So I think that's a good thing. But let's not forget there are other factors and other tendencies also that are pushing back not against the multi‑stakeholder model, but national security is the big elephant in the room as was discussed in the high‑level meeting and throughout as well, too. I think where we need to see that is that there are a lot of great challenges to make the multi‑stakeholder model work. We just can't invoke it.

     So I think what organizations here, and I would say a recommendation going forward, is we have to practice what we preach. If we're saying we're going to be working together with different stakeholders, then the technical sector, the government and the one stakeholder group that has not been mentioned by my previous colleagues is the Civil Society. Other than Konstantinos, but everyone else all needs to work together. They're all different skill levels and practical things, whether it's skill share, it's not inviting just folks here. So, for example, from a research perspective what we do is we realize there's been a gap that some of the research that we do around mal ware or attacks, realize that there's a great wealth of knowledge, but also analytical tools and an approach that would help us understand what we're doing.

     I would say the flip side for the technical community is how are tools going to be deployed? Or if you see certain traffic taking place, if you had a better sense of the context, you would realize. I'm just remembering something from a conversation or a discussion on the S‑AK list about a week ago is there's a whole issue with Katari Top Level Domain kind of went down. For a long time everyone was talking about, oh, it's down and just kind of a reaction around it. I think other communities, other parts of the technical community were talking the same thing. Had you been looking at this in a multi‑stakeholder lens, we would have realized there was a set of geo‑political events taking place at the same time and there was a context that was feeling that.

     So that would have better understood that it had to do with something far more nuance and complex.

     So I'll finish and the thing is that the challenge is that we have to put it into practice. And it's hard. And it has to make ‑‑ and there has to be a way to audit. And I would say that so the role of government might be to enforce the multi‑stakeholder model. I'll challenge that because in a lot of panelists who are having places that's not taking place and maybe a regulation says, yes, all the stakeholders have to get together. If you don't, don't call it multistakeholder, just call it a meeting of private sector and the government.

     I believe we have some comments from our online panelist then, Chris.

     And then Tatiana Tropina has her opening statement. "I wanted to say, so about multi‑stakeholder models in cybersecurity, I think we need to understand that there are several fields or pillars of cybersecurity, and depending on the pillars, the players' interactions between them would be very different. For me those pillars are cybercrime, prevention, detection and investigation, critical information infrastructure protection, and national security.

     "We will have different models in each area because they do overlap. I doubt we can extend what we've already achieved in multi‑stakeholder cooperation in fighting cybercrime. We cannot achieve the same cooperation in national security issues where fewer stakeholders are participating and governments are not willing to collaborate but rather to regulate. And because of the blurred borders between these areas and the absence of clear legal frameworks, we have some gray areas and problems with trust between government industry and Civil Society.

     "So basically I wanted to say that the cooperation and participation of different stakeholders will depend on the area we are operating in. And if in some areas governments would be willing to collaborate, in others we will have strict requirements, security clearances, regulation, lack of transparency and trust, and possible abuse."

     But what can we do or what should be done? Or where can we do ‑‑ where can we go in restoring the trust? Is there a need to restore the trust in this field?

     There are loads of interesting ways, technically, that we can address things like people snooping at our traffic, including governments. But those things ‑‑ those technical solutions have very interesting consequences, not just for governments and not ‑‑ but also for businesses and for the Civil Society. So, for instance, it would be very straightforward for us to re‑jigger the protocols so that all electronic mail was end‑to‑end encrypted by default. And, yes, there could be man‑in‑the‑middle attacks where people can sniff at that stuff. But we can start out with the bar being quite high. There's a problem. First of all, there's some governments who are happy to have that security on by default, so as long as it's not their ability to sniff their own citizens e‑mail. So, yes, the governments probably have some of their own stake that they're worried about there.

     But, for instance, think about Google's business model. Everybody with a G‑mail account, that e‑mail becomes part of Google's very important data to figure out what they can give you advertising for. Well, if we start saying to Google, all of the e‑mail is going to be end‑to‑end encrypted from the user to their destination and you at Google don't get to see the contents of that e‑mail, that changes an entire business model.

     Think about the companies that track their employees' e‑mail. And if things started getting encrypted end to end, the companies would not be able to, by default, see their employees e‑mail.

     And does Civil Society really want to go all the way down that path? Many people like the idea that they are having some of this information from other people, generally, not from themselves, reviewed by government agencies to see if there is terrorism going on that is being ‑‑ for which e‑mail is being used.

     There are civil liberty issues that are clearly at stake here. So I think we want to be careful, A, about pointing to one particular stakeholder, but also be concerned that these things are doing the kinds of things technically that we could do, might start to wash over into all of the stakeholders in very interesting ways.

   And, you know, something that might be possible is are there mentors from one stakeholder group to the other that could be useful? Some of the outreach efforts. Again, there's probably a lot of stuff that's been done. And I would say for the e‑mail, you know, it ‑‑ I can't agree with you more in terms of that being a simplistic view, but sometimes the simplistic message wins the day. And it creates a false sense of security in that we've seen, particularly, you know, in the developments not over ‑‑ not only over the last six months, but since all of the kind of uprising in the Middle East over the last couple years is that false sense of security has led people to communicate on a variety of different platforms, then they've been shocked and they realize when they're picked up, taken to court and their complete transcripts of all their chats have been presented to them as evidence and they've had to spend 50‑plus years. So they thought that it was safe and it wasn't.

     I think where we can work is just on the perceptions and helping people understand risk and threats, more so than this tool is the panacea.

     Yes, I was about to say we're about to open to the floor. But I'll leave the next comment to Merike.

     You know, just understanding exactly how things work, either from a protocol level, why certain choices have been made, there's always in the IETF a security section, security considerations that actually discusses where some protocols may not be as secure as they could be, but the tradeoffs from an engineering level were made looking at what's best for the overall community with everybody involved in these IETF working groups. So it is a very complex problem. But I think we do have to really work on the transparency as well.

   >> KONSTANTINOS KOMAITIS: Yeah, it's all about using different words. It's all about contextualizing this thing. It's all about trying to make everybody understand what it is. I would like to go back to what Merike say, if we are to judge a little bit the past few months, what has been happening, the issue of transparency has been manifested as a key driver behind all this. People need, to the extent that it is feasible, understand and know what is happening. And because you have this medium right in front of me right now where we are all used to getting information, having access to information, when suddenly that stops due to a curtain or whatever, a wall, then this creates more issues.

     So it is very important that we try to ‑‑ we save face. As far as I'm concerned, we see this as opportunity to restore trust. Also go beyond the trust as we had before and also do the same with transparency.

     What I would like to do is collect a few questions from the floor and then after we'll give the panel a chance to respond. Raj, I see your hand up. Please state your name and the affiliation, if you have comments.

     One is that the way of discussion when Jari Arkko presented as Chairman of the IETF last week in Athens at the RIPE meeting, at center stage asked him, who is your enemy? Because there were all these things going on. In the room we have Google, et cetera, all the sudden that became an enemy because of all the data mining they do. Then we had the governments that were definitely not a white elephant, but they were definitely discussed there. And the third one was the ‑‑ now I'm forgetting what the third one is. Can you help me, Marco, remember?

   >> MARCO HOGEWONING: Sorry, I'm not wrapping it up here.

   >> RAJ: I'll come back to it later and go back to the other question.

     The other one is that we have so many different layers responsible for products on ICT and the Internet and et cetera, so many layers in the communication that when I start to contemplate the session I was going to have, I imagined a row of a table that would belong to the end of the conference hall and we still would not have them all, and half of them we could not reach because nobody knows who they are. There's just app makers somewhere in the world that shoots something into nobody knows each other. You have a new app that may be vulnerable enough. And that goes just from play things to very serious things. Is it possible to look at the chain of the Internet and see who is the dominant key player here that could actually be somehow made responsible for the security of that part of the chain?

     And, of course, that is going to be the hardest thing possible, but could that be some sort of product driver we were talking about in the previous panel that actually said, well, if the government says this is the product it wants to have, a lot of people will follow that and then you have a higher standard because of it. But then you have to know who the key drivers are.

     If I think of what number three is, I'll come back. But it's about who is your enemy and who are you actually going to deal with first? The criminals ‑‑ yes, I got it. The third one are the criminals. So we have the Googles, the criminals, and the government. Who is your enemy? And who would you want to tackle first?

     And perhaps by tackling the first one, you'll discipline the rest in the direction you actually wanted to go. So your thoughts on that, please.

     Okay. So let's get a few more questions and we can throw them at the panel. Anyone else?

     I see this gentleman here.

     With national cybersecurity strategies and the European commission's efforts, potentially bringing in Internet technical operations that are globally distributed, having these regional types of regulations raise challenges, so it would be good for the panel to talk about the impact of national strategies on global technical operations and globally distributed resource.

     And the lady behind you also had a question, then we'll fall back to the panel to gather some responses.

     I think two questions. This morning I was in multistakeholder panel. We're talking a lot about security and that area. But I think one stakeholder always missing in all these areas are the software developers. We don't see them here and they are the real cause we are all here trying to correct something. And every time we think about software vulnerabilities and problems in software, we always ‑‑ the technical community, IETF developers, and people from networking, all have created a standard trying to cope with that. But then a standard is, again, developed by a software developer and more vulnerabilities are inserted. It's just to think about the whole community, whole software engineering community, they don't want to talk about security and they are just creating now. What we were talking about the right incentives and one of the incentives is right; the first software out is the one that is going to be adopted. The first standard out is the one to be adopted. People in universities are being taught or not taught about software security and you have just a mobile getting worse and worse and worse.

     So I think this is one area that, from my perspective as a sir‑perspective, we try to reach but is one of the hardest. We have been talking to people from legal area, from policy makers, and I think it's easier to reach to them than even to reach to developers.

     Then just as a point maybe to have a take from people from the panel, something that worries me a lot is that we are seeing more and more security as a scapegoat for different agendas and as a scapegoat for control measures and not for something that would actually improve security, but just not really to implement different and weird things. As you said in the opening, it's very complex. Security is not an easy area. It's very complex for people to understand, then it's very complex and easy for people to manipulate. So I think we're in a very worrying time now that we really need to work as a community how not to let ‑‑ actually not have security, but have a worse Internet in name of security. I think this is something that could come up a lot in the next few months and years.

Yes, I hope they are quick.

     The first one is that total security doesn't exist. It always comes at the ‑‑ the higher security comes at the expense of a reduction in freedom and liberty. So if you want more security, you will trade off certain things that you may not always want to trade off. That's a blanket statement. One can moderate it, but at least it is ‑‑ it does give an indication of the thinking.

     The second one is that multistakeholderism is about dialogue. It's not about co‑decision making. It's about ‑‑ not even about common values. There may be certain common areas of agreement, but at the end of the day multistakeholderism is about good governance, which is about listening to the others. It's about taking into account what the others have to say in order to be better informed when making a decision. Whoever is the relevant body or person or community that will take the decision at the end of the day. So it is a good governance issue.

     And the final one is related to the question of security and so on. Going into an example, to show a bit what I mean.

Crime, cybercrime, for example, it is a security issue. Now, normally, traditionally, the repression of crime is the monopoly of the state. We are talking multistakeholderism; how to incorporate the multi‑stakeholder dialogue and identifying the roles and responsibilities of different parts of the community, of the Internet community or different communities within the broader world of the Internet in respect of combatting cybercrime.

     What I would say is, if I can give an example of a tricky area where more debate needs to be had ‑‑ sorry, before I go into that, criminal law will never resolve crime. We know that. Criminal law puts a few people in prison. It dissuades others from doing and it educates others ‑‑ it dissuades some that would be minded to engage in crime not to do it. And then it educates others that might have wanted to engage in criminality that it's perhaps better not to do it. So that is a bit the background. We know that in any community the vast majority of criminal activity is not tackled by the criminal law system and it will be the same in the cyberspace area.

     One concrete example in the criminal activity area on the Internet. We have the question of peaceful protest. In the physical world, peaceful protest has been addressed and has been regulated and teased out by the courts and interpreted and so on. It has evolved over time. Peaceful protest can be disruptive and can be very annoying for some, and it can even carry a price tag for those who protest and for those who are at the targets of the protest. Now, that is an area which for the time being in the cyberspace is considered automatically to be a criminal activity. So any intervention, interference with someone else's transit or website or whatever, even if it is simply to make a political statement, it is immediately considered cybercrime. Now that ‑‑ I'm not trying to suggest an answer to that. It's simply to indicate that the answer is not yet there and that more dialogue is needed. And we need to listen to each other more in order to come up with the right answer. Thank you.

     So the idea about multistakeholderism not being a question of common values, but I love the part he said about despite good governance, but listening to each other. But also the part about the ‑‑ I guess the relationship between governments and those, for example, in the operational community and how you get that ‑‑ how you get governments and decisions they make into an ever‑changing operational world.

     The part about trust, I think we've touched upon that, but I think you might have some interesting things to say about that. But then I'd also like to put the thing about so we often talk about security versus privacy. And, you know, we have to find a balance. But I think some of the things that Robert touched upon was also about security and anonymity in terms of privacy and that it can it protect civil rights. So security in what sense? For who? To what end?

     Yeah, I think you're ready to pounce, so I'll let you go.

     Another thing is someone mentioned earlier something about enemies and which is the enemy of the week, but then earlier we talked about an ecosystem, so we're all in the same bounded space together. So I think if we can talk about the environment and even though there are actors, I think there might be a need sometimes to have regulation to just regulate how the ‑‑ if there's something deemed an activity but it's also the community working together.

     And then I'm maybe going to add an explosive comment or a question. Just going back in terms of offline and online, so you're talking about protests and all those consequences, it reminds me of something I don't prescribe to, but someone in Civil Society if you're thinking of digital equivalence of online space, then the offline space when those that want to have some sort of action and get the attention of others, they'll strike, they'll protest, and they'll barricade. So something that's come up in the past that the technical community quivers about is D‑DOS a protest measure? If you're going to say that or not. I think that's something else that if you're going to bring that up brings up a whole bunch of other things. Something you mentioned, I think you quoted in the multi‑stakeholder model, you defined it well, but I think, too, it's how do we bring traditional offline expressions and rights that we have and not just have it by default being secured, going to prison if it's in digital?

     So I'll maybe put that and hopefully it will be an interesting set of answers.

     So it's an expanding problem because everything is going to be on the Internet. I mean, there's just more and more things on it. And so, you know, I don't think that there's one entity that can be responsible. I think collectively; right, as technologists, as policy makers, as law enforcement, we have to try and figure out how to mitigate the risk as much as possible.

     I will also echo the point about software development.

So I have an engineering degree and I have to take some software classes. I got a very good grade when the program gave the result that it needed, not that I did error checking. All right. I believe that this is still true today. This is the problem. Okay. It starts with the education where I wish you would get a lot of extra points the more error checking you did.

     So anyway, that's it.

     My mother‑in‑law is 80 something. She's got an iPad. She doesn't know what she's doing. How ‑‑ you know, governance are not techies, you can expect some dialogue, but, really, how much responsibility can you expect them to take? And how much can you expect the technical community to take?

I think that's really needed.

     "This is the issue about criminal law. It does not solve a problem, but we need clear frameworks to separate crime from other activities and to implement safeguards protecting rights of the citizens during crime investigation and, which is even more important now, during crime detection and crime prevention. It's about the prime ‑‑ entity primarily responsible for security. We know that the value chain transferred to value networks and there are so many players on the ICT markets from the software developers to vendors, operators, app developers, et cetera, et cetera, et cetera. This is not the value chain anymore, this is a value network and that is why we're talking about multistakeholder actually.

     Pete and Konstantinos, then we will go back to get our responses.

     The two comments I think that tie together, who is your enemy issue and the thing that Meredith brought up about the self‑correction built into the process. In the engineering end of the world, in the standards making and tech community, one of the things we've been pushing for with recent revelations, with all of these issues is we have to separate out some of the panic and some of the screaming from what needs to be done. One of the things I think that's important is actually ignoring who the enemy is and focusing on what's the threat we're trying to avoid.

And because noting who the enemy is sort of focuses everybody on that darned U.S. government which is doing all that evil stuff. That's not a way to move forward the technology. What is is, okay, do we want to avoid active, passive sniffing of our data? Do we want to avoid folks who are willing to infiltrate our computers as opposed to just look at the network? Those are the kinds of questions that we need to ask and hopefully those protocols are built in such a way where we can say, oh, new threats. Okay. We adjust the protocol in this particular way and make that correction. So I think those kinds of abilities are what the technical community is good at to avoid some of the hysteria.

     The other comment I wanted to get at, the poor chap in the corner who everybody is going to disagree with. There was a comment that I found very odd. He said, "Total security doesn't exist." I agree with that. That's certain. I think trying to build that perfect security protocol is a horrible failure every time. Then he said, "You always have to trade off ‑‑ and I was expecting the next word to be performance or something else, which I have some disagreements with, but he said "You have to trade off freedom." And I thought, my, depends on what you mean by "freedom". Because, of course, increasing security preserves many freedoms. And so I think a lot of that has to do with the framing of what the problem is.

     Okay. So we may be in violent agreement as he shakes his head up and down. Violent agreement is something in the IETF we do quite often. And I think one of the things that the technical community needs to keep in mind is that, again, these are tools that we are providing to folks for different uses. The lack of encryption helps certain folks for certain ‑‑ sometimes very important things. We, you know, businesses for whom they want to do mass searches over data in order to prove that they are the owner of this, you know, particular piece of information, or that they are the ‑‑ you know, they can prove that they said this sometime ago in court. Having that all encrypted makes it all that much more difficult. So it's important for people to quickly find things and not rely on do I still have the keys? But, we need to provide the tools such that when I do want to lock this stuff down so no one else can view it but me, when I do want perfect thwart secrecy so no one can prove I said it, these are the tools and things we have to provide for people when they want to use them.

     So I would like to, I said it before and I would like to repeat myself, that this is a great opportunity. It provides us, if you want a gateway to greater means of cooperation, to strengthen the cooperation, because I don't believe that there's no cooperation. I just believe that it provides the gateway to strengthening the cooperation and actually building those bridges. As we say at IGF, it's meant to be talking about.

     I'm going to do a quick round of responses from the floor. Please do keep in mind we're under a time constraint.

     It's almost like you sitting singing kumbaya together. I'm going to be the voice of dissent. So everyone agrees that security is a great thing. But is it really? I mean, security ‑‑ do we really need security? Isn't there a risk that by, you know, trying to secure parts of the Internet more and more we give the illusion that it's secure. We talked about this thing that there's no perfect ‑‑ there's no total security, if you can use that term. But securities, it's not all great. It's difficult. It's hard to use. It costs a lot of money. Isn't it better that we just all agree that what's on the Internet is public? People happily share all sorts of things on Facebook. If we just all agree that if it's on the Internet it's public, so it's not secure. And as long as people are educated on that, you know, we're all fine.

So you don't have a free for all, no matter what you do. Even your TV vendors; right? It's not like I can go and reprogram some of the parameters. The vendor will do that for me, very happily; right? So you don't have a free, no secure Internet just at the get go.

     Again, going back to some of the earlier definition which was they ‑‑ people sometimes expect to be safe from danger and threats. And so if you want your on ‑‑ your offline protections that we all have because they're universal, of privacy, freedom of expression, association, you do realize that just, you know, when you want to have a conversation with a, you know, about a business deal. So, for example, it would be very different. And, for example, bringing an ICANN, in an interesting way, there's a lot about the GOT process, there's a lot of companies bidding. Imagine if every single part of that process was completely public, including the negotiations. You'd be in a different position right now. So there's an expectation that certain things need to be private. So I think the same thing is just that if you want certain rights then you deserve a certain level of security and they can go hand in hand and not one against the other.

     A few more questions.

     Yeah, go ahead.

     Filiz, please. Please state your name and affiliation for the your comments.

     I might be given under ‑‑ after all this, I might be given some piece of protection mechanism on my laptop which will assure me by some techie that I will be protected, but how do I know it is not serving to peace officer surveillance act? Fair enough, there is some talk that needs to be put on the government level, but I think technical community, and I'm part of that, I see myself as part of that, we have a long way to think through about this issue, too. How do we have that trust being put back towards our side, as well? Thank you.

     Walt.

     Yes.

     We are ‑‑ we have one last comment I think. We are running out of time. I hate to cut this discussion, because I think this is just starting to get interesting. We'll take the comment and then we'll let the panelists do a final quick ‑‑

     "I think no one is giving up in securing the Internet. More and more our daily life will be the on the Internet; shopping schools have tests and grades; cars are connected on the Internet. People are more and more dependent on the Internet and we should try and make it safer for all the people. Governments and private sector are motivated to work together for safer cyberspace."

     Last round of comments from the panel. Shall we just start with Robert and work towards you, Nurani?

   >> ROBERT GUERRA: Maybe a tweet. Great conversation. Good dialogue. I think a lot of things have been said, so I'll just finish in saying ways ‑‑ the other thing for the multi‑stakeholder model that's key around these issues is that the conversation needs to take place on a continuing basis, not just once a year.

     "I disagree. It's a stand of criminal law, many countries, almost every country has legislation on cybercrime and it is more or less harmonized. The problem is procedural frameworks and that's where we have to put our efforts."

     She notes, "This is a comment coming from someone who did a study from UIC and analyzed legislation in more than 130 countries. We do have legislation on what crime is. We do even have it harmonized. We need to protect rights and implement safeguards during the crime investigations and implement the frameworks that we use for investigation. Because it was surprising for me, for example, that Europol Interpol conference that even the police don't know what instruments they have, according to the cybercrime convention."

     I think we're going to wrap it up here. So, and I would like to add in one final closing comment indeed, let's continue this dialogue during coffee, and tonight during dinner, and everywhere else we can.

     Thank you all for being here. Special thanks to our panelists for joining, sometimes at last minute. Thank you for Tatiana and Kimmo for your online participation. For you, it's quite an early hour. So thank you all and hope to meet you around. Thanks.

(Applause.)


********
This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.