IGF 2016 - Day 1 - Room 3 - WS26 - Cyber security Initiatives in and by the Global South

The following are the outputs of the real-time captioning taken during the Eleventh Annual Meeting of the Internet Governance Forum (IGF) in Jalisco, Mexico, from 5 to 9 December 2016. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

RAW FILE

INTERNET GOVERNANCE FORUM 2016

ENABLING INCLUSIVE AND SUSTAINABLE GROWTH

JALISCO, MEXICO

6 DECEMBER 2016

WORKSHOP 26

CYBERSECURITY ‑‑ INITIATIVES IN AND BY THE GLOBAL SOUTH

09:00

   >> MODERATOR:  Good morning, everybody.  This is the morning workshop session Cybersecurity‑Initiatives in and by the Global South.  Welcome to this session.  My name is Carlos Martinez, the Chief Technical Officer for LACNIC Latin American and Caribbean Network Information.  It's a pleasure for me to be here.  It's my first IGF, I'm very proud of this because we have today, and I'm very confident, we'll have a wonderful session.

Let me tell you about the format of this session, that has some peculiarities that you should be aware of.  We're going to start with a opening panel.  My panelist, I will introduce them in a minute.

Then we'll introduce you to three projects from the Global South that have been funded by a initiative called seed alliance which is an initiative for developing and financing projects in the Global South.

It has been able to finance different projects and during the life cycle several projects were selected that had to do with cybersecurity and they're really relevant to this session.

So after, then we have our panel, then we have the presentations from the projects.  And then there is a breakout session.  We are supposed to break out in groups, and we are supposed to debate in the groups along three different topics, which I will introduce them to you right now.

One is surveillance versus security.  The second is cybersecurity in relation to trade and innovation.  And the third one is cybersecurity for Internet infrastructure.  Don't worry if you don't, if they slip out of your mind.  We'll have time to actually go over them again.

What do we believe this is important?  Cybersecurity is in everybody's mind, right.  It's difficult to see any presentation or any paper or anything about the Internet without the mention of cybersecurity.  Cybersecurity has been one of the hottest topics in the Internet for a long time.

The threats are violent, the threats are many, and there is wild consensus among us, who work on the Internet, that having a safe and secure Internet is a prerequisite for the Internet to become the development tool we want it to be.

So, I hope this workshop will help us discuss all of these things.  So without further ado, I'm going to introduce you to our first panelist, sitting right next to me is Mr. Olaf Kolkman from the Internet society.  The chief Internet technology officer, am I right?  Okay.  From the Internet Society, and he's been working in the Internet for a long, long time and has done, in my opinion, very interesting work in cybersecurity, which I'm pretty sure he will talk about.

Right beside Olaf, we have Cristine Hoepers from Brazil, I've known Cristine for years and years, and I credit her for introducing me to cybersecurity.

And then next sitting next to Cristine, we have Jean‑Robert Hountomey, did I say that more or less, right?  Okay.  Comes from Africa serve, which is a wonderful initiative which I think we have a lot to learn from.

So Olaf, the floor is yours.

   >> OLAF KOLKMAN:  Thank you.  So cybersecurity, as Carlos just said, it's a very wide topic.  And there is always the risk of boiling the ocean with these very wide topics in trying to address everything and anything that relates to these things.

Since the topic is about cybersecurity in the Global South, I want to talk a little bit about an experience that I had last week.  But first, I want to put a little bit of it in context.

The context that I want to put my approach and my views in, and the description that I'm going to give, is that of collaborative security.

Collaborative security is a concept or an approach that we launched in the Internet society about a year ago, describing some of the properties of cybersecurity approach toward Internet security that takes into account what the Internet actually is.

I'm not talking about the Internet as a package switch network, but the Internet as the platform for bringing opportunities.  That platform has a number of properties.  We call those properties, the invariant in our own lingo, but the basically says that the Internet is global reach, that you can innovate on the Internet, and that you don't have to ask anybody for permission to innovate.

It says that there is an expectation of coherency and integrity.  It talks about fundamental properties of the Internet and values and preserving those, and taking a risk‑based approach when you do cybersecurity.  Now, that's all big and vague words.  But in the implementation, one of the things that is incredibly important into taking account those values and properties, is that security can only be done in collaboration at the scales where action can be taken.

So, there is an aspect of subsidiarity in taking a cybersecurity approach.  You find goals and take action at the smallest possible level with the stakeholders that are involved in these processes.

The reason for that is that there is no security on the Internet.  The Internet is not a definition of centralized.  It's a network of networks to which people attach and bring platforms and services, and users connect and get.  So, there is no central place in which you can manage all of this.  It's collaboration and subsidiarity that is important.

So last week, I was in Nairobi where we were having a workshop around Internet security that was done in the context of translating made by the African union which is called the Malabo convention done in 2016, the African convention on cybersecurity and personal data protection.

This is a high‑level effort to set the parameters for a regional cybersecurity approach., but it's important that these approach, these high‑level approaches get translated into actions on the ground.

And what we try to do in Nairobi with a number of expert, talk about what are the several recommendations at that we can make in order to get to the next level of implementation of these.

One of the important aspects of that is that we chatted a little bit about what are the specific challenges for the ‑‑ for African cybersecurity?  First, it's the realization that we're talking about the global Internet, a global network.  And cyber threats are, essentially, similar everywhere around the globe.  They're not very different in Africa.  But Africa has its specific set of problems.  Around the continent, Africa is a big place with many countries.  But bandwidth is an issue.  The cost of bandwidth is an issue.  Power is an issue.  Regular blackouts and so on and so forth.

Training and man power, capacity is an issue.  And then there are, you know, man‑made issues like fraud and sabotage, theft of fiber or fuel shortage or things like that.

In general, you see somewhat older infrastructure.  That is an issue, too.  Older infrastructure at the consumer or user sides or in the networks, means that perhaps the latest security patches are not available.

With older Android phone, older mobile platforms, it might be that the newest Android versions cannot be installed, so that gives a whole other dynamic then to dynamic in the western world.

Somewhat of a lack of information sharing.  There are some regional platforms that work, APNIC, the operators forums and appearing forum, but the institutional building still needs to be enhanced.

Then there is a lack of enforcement and regimes across boarder collaboration.  That is also not something that is very specific to Africa, but the level of development there is difficult.

I'm looking at the clock a little bit.  I'm okay.  Good.

So what we try to do, following that subsidiarity principle and looking specifically at what we need to do at the Internet infrastructure level, we looked at what kind of recommendations we can give at the regional level, the national level, at the organizational level.

And specifically, also at the ISPN operator level.  And these are, perhaps, not the most actionable recommendation, but it's preparing for action, I would say because that's something you have to take, in the back of your head, when you do these type of things, they have to lead to action.  Without action, there is no security whosoever.

So at the regional level, we came to a ‑‑ and this paper will be published in the next half year, within half a year, I would say.  An African‑wide cybersecurity and collaboration and coordination committee, really trying to get people together and exchange information.  Information exchange is incredibly important when it comes to cybersecurity.  Being aware of the threats that are out there, and being aware at the controls and so on and so forth that you have to implement to, at least, notice the threats and counter them, is incredibly important.

Capacity‑building and knowledge‑sharing on the pan African level is another recommendation.  Make sure that there are universities that have programs that are online tools that help people build the capacity that is needed to deal with these issues.

On the national level, it's important that the country ‑‑ that within the countries the critical infrastructure is identified and protected, that information exchange, again, is facilitated at the national level.  Bring the law enforcement and the local operator community together so that, at least, they have knowledge of what is going on in their community.

Promote and ‑‑ promote the ISPs, Internet exchange points because they bring a certain aren't of resiliency but also facilitate collaboration because people come together at these exchange point, and collaboration, again, helps facilitate information exchange.  And for information exchange, you need to trust, and collaboration is the key to that, knowing each other.

Finally, public institutions.  Public institutions can lead by example.  For instance, by implementing a set of security practices.  If a TLD is a public institution, for instance, are deploying the NX ‑‑ would be an example there.

At the ISP we recommend the implementation of baseline security.  Here I'm going to make a shameless plug for an initiative that we're deeply involved in, which is the Manners initiative.  The mutual agree norms for routeing security.  A set of very simple baseline practices and actions to be taken by ISPs and basically, signing up that they are willing to do that.  This is a form of self‑regulation.  MANRS.org is the place where you can look at that information.

And again, collaboration between the ISPs and so on and so forth.

At an institutional level, and this is not typically an African recommendation, I would say, at any institutional level, at an organization, make sure that cybersecurity becomes part of your genome, that it becomes part of your thinking, as well as, the operational level and the executive level.

Awareness about cybersecurity is something that is feeded at that level.  It needs to be discussed at the boardroom because an without an awareness you might be caught blindsided and that would impact your business.

So those are, at several layers, several layers ofsubsidiarity which is important, what is important in this context is that the African security is being done by the Africans.  The Kenyon security is done by the Kenyons.  And with that, I'm going to hand it over.  Thank you.

   >> CRISTINE HOEPERS:  Thank you.  One of the things while Olaf was talking, most of the best practice in security are out there for a long time.  And from our experience in Brazil, the major challenge to implement all of those best practices is people.

And, training people is a challenge.  Having people with the understanding and with the technical skills and with the political will and with the resources to do that.  So one of the things that we see for these many years that we are working in Brazil and in Latin America, especially with the whole community, that is very strong, is when you reach to someone telling them that they have a problem, you know, you need to implement the Manrs best practice routeing, or you need to implement or reach to them to say you have 1,000 mans affected by a botnet, most of them don't know what to do and how to do it.  They don't understand the problem.

So it's not only a shared problem, and it is a collaborative problem because only the owner of the network, only the ISP itself, the government organization, itself, is capability of implementing the security.  There is no one that can come from outside and just magically secure everything.

But there is still a mindset in some of these people that, you know, oh, someone will do the security for me.  So if I would say, one of the challenges is really to make people realize that it is a collaborative effort that is everyone's role to participate in security.  But then we also need to teach them.  And even if we go for end‑user awareness, and you were talking about the whole Android phones with old versions and updates and everything.  So, it's not only a challenge that people don't have money to be buying the latest gadget all the time and there are constraints being put by the vendors that don't allow the updates, so there is a whole ecosystem that is complex.

But in Latin America, and I think Africa is the same, we have a lot of people that didn't have the time to learn the technology and then face the security problems.  They are getting the first technology already loaded with problems, with security problem, with fraud, with malware, with everything, so it is even harder to teach and to raise awareness because usually we're talking about the technology and people, they are they are oblivious, these are several of the challenges and when we talk with other security teams in the region, is really how to get the message through.  It's not only to the end user.  Sometimes we get to a network that is severely compromised, and they didn't have a clue, but not because they didn't want to do it but because they didn't have the knowledge.

So I think one of the things we're doing a lot in Brazil and Latin America is to provide training.  In Brazil, Nic, the TOD, we are doing a lot of free trainings in best practices for ISPs and systems.  There is a lot of push to using Nsac, to try to create a infrastructure that is more secure.  Latnet is doing a lot of that in all of their conferences and do special training areas in security, but sometimes we are teaching security and we see that there is a lot of networking that is missing, there is a lot of basic concepts.

And even yesterday, OECD was giving a statistic that half of Latin America is not connected, but then we are moving to have the other half connected.  We are going to have more vulnerable networks.  We need more workforce to put those networks forth, and these are all challenges that we need to take care.

And then, sometimes when people think about security, and I think one of the topics here that is cybersecurity versus surveillance, that some people they get desperate because the problems are big, and they start to implement control mechanisms and they think that controlling somewhat the Internet would make things more secure.  But they are not.  Most of the time, they make the network even less secure, and it's a bigger challenge, but it's really to understand, I think, what all I have said that the network is distributedded, that there is no central control, no central security, and this is, I think, a challenge that we need to address.

But a lot of good initiatives are out there.  There are a lot of people, from our experience, that the first time they are faced with a security issue, is when they wake up, is when they go after the information.  So one of the key points is to have people ready and willing to help them, and then collaboration is key.

And in the region, we focus a lot into bottom‑up collaboration to have the people come together, and then decide what's the best way to collaboration.  Information‑sharing requires trust.  There is no way you can sign a MOU or do a large just say share information.  People will be suspicious.  But when you gain trust, knowing the people, it's amazing how many information‑sharing happens and how many knowledge‑sharing happens too.  I think that is very important.  These were my opening remarks.  Thank you.

   >> MODERATOR:  Thank you, Cristine.  Your turn Jean‑Robert.

   >> JEAN-ROBERT HOUNTOMEY:  Yes.  So I would like to add a little bit on what Cristine and Olaf just said.  By how about how we were able in the African continent to deal with the issue of collaboration and trust.

So originally, all the different stakeholders were speaking a different language, and we had to reposition the debate in terms of economic incentive, in terms of economic loss for the initial state.

And as the technical community was suffering in putting together resources to build a network and the reverse, facing those challenge, and also with their African leaders pushing forward the ICD agenda.

We were able to find a common ground, talking about economic terms to work together.  So what that has bring us, the impact for that is that we move from a state before that kind of dialogue, where they were, for example, only three security incident response teams on the continent, to no national security strategy.  Very few crisis management practices, and also very few initiatives of collaborating together to a, kind of, interesting result that we are seeing.

It's still going.  It's progressed.  It's still going.  So now we have about eight published national cybersecurity strategy.  About 20 teams with 10 members on the response community.  11 teams at an early stage of their capacity‑building.  1SSS per year between all the different stakeholders, and 2 SSS per years between the African stakeholders and their counterparts at the international level.

It has also helped the technical community to get more organized and to create a different organization, and to empower those organizations to look at their own issue, for example, a mission about ethnog which is the operator growth.

Task force with an issue of network operation like routeing, vendor issue, treatment, and application user related issues, and to bring on the table those issues.

Afrin which was the original Internet registry, IP addresses, ISN numbers.  Registry registrar, also being asked to look at a different issue.

The research and education network, together to look at the issue they research on education that will face in cyberspace and that issue, and bring all those issues on the table.

And then those organization founded, and from the organization that I will present, which is Africa Cert to operationalize what has been found and to bring a set of solutions so that together we can look at how which can prioritize the most urgent risk‑based approach and find the different kind of solutions that we can do.

So what we have done at the Africa level is that we have reminded to reach out to the otion institutions, like law enforcement community, ITU, the African policy makers to see how together we can sit down at the same table and discuss the challenge we face, and find a solution.

Also, one of the interesting aspects of that, kind of, collaborative and trust element that we have been building is that we meet several times at the regional level and also one time at the continental level to discuss on the solution and on the progress that every organization and together we are making, and also to plan for the next phase.

So that being said, the future looks promising.  We've all raising activities and the African leaders getting involved with the support of ISOG, engaging the policymakers and encouraging together with the technical community and also the society and government and encouraging them to come out with the right policy that the operational level to fund those different initiatives.

So, the outcome we have started even if all of those work is still in progress.  We have started seeing some interesting steps.  The National Cybersecurity Agenda has now been moved at a operational level with specific measurable and attainable goals and also an implementation plan with resources required.

It has been advocating for the formation of effective incident response team, and promoting also the foundation of sound policy and strategy, effective legal and regulatory framework, and also stressing the need to build more cyberskills and also a global cybersecurity culture within the African continent.

And it has done something very interesting.  It has made me advocate for African government, which is rare.  Thank you.

   >> MODERATOR:  Thank you, very much.  Thank you for the panel.  For my plug, I think we have time for one or two questions.  Do we have some remote participation?  Okay.

>> (Speaking off mic).

>> Thank you.  We have a question from Fernando from Coasta Rica.  In many organizations only when something happens to threat information security, they take actions in that area.  What could be done to change this kind of management?

>> I'm pondering on this question because it's sort of human nature.  In Dutch, we have a saying that you will, you will fill the hole after the cow has drowned.  Idioms don't translate well, I recognize.  There are lots of cows idioms in Dutch.

Anyway, I think that's sort of human nature.  That people first have to realize that there is a dependency that they didn't really realize.  Most companies, now days, started off as traditional ‑‑ traditional organization, traditional companies that were not connected to the net.  They were selling bread or coffee or they were selling digging machines or cars.  And suddenly, you find that as a retailor you're online.  Suddenly you find that being online comes with dependencies that you've never thought about before.

A recent example, I think the target personal data breach where a target was hacked, made people realize that, you know, you have a vendor.  You are a dependent on a service company, and if somebody in that service company does something bad, it has an impact on you as a company.  I think we should share these type of stories.  Information‑sharing is one of the most important pieces in making sure that people understand that they too can be impacted.

And then making sure that it is being discussed at, as I said before, within organizations at the board level.  That there is a realization that these ‑‑ that as a company you rely on for your continuity on security of your ICT infrastructure.

That's a long‑winded way of saying, sharing of things that happened to you may help others to take decisions, and may make overall infrastructure and space around you more secure.

I think that's sort of the summary.

   >> MODERATOR:  We have a microphone for the audience.  We have one person.  And I have to close the mic line there.  Yeah.

>> Thank you sphroach a really, really informative talk.  Yeah.  So I've got two questions, one for Cristine and one for ‑‑

   >> MODERATOR:  I'm sorry, could you introduce yourself.

>> Lucy, I wanted to know if could comment on the frameworks you're using in your reejers and how cybersecurity strategies are creating with cyberlaws or not.  And you mentioned the surveillance is a tendency to try and control behavior.  I wonder if you could say a little more about that.

And Jean robtd you talked about the African convention on cyber crime and I wonder if you could comment on why only one African member has ratified it and what you see going forward with that convention.  Thank you.

>> May I ask a question back.  Because you're asking this, perhaps, with a perspective and experience.  Could you share that for a poament?

>> Not particularly.  It's just something I'm exploring at the moment, and it's just some of your comments just really kind of peaked my interest.  It's just something I'm looking into, so I don't have anything really in particular to answer that comment.

   >> CRISTINE HOEPERS:  I would talk a little bit just, like you talked about legal frameworks and security.  So the security issues they want ‑‑ they don't wait for you to have legal frameworks or for you to have national strategies.

One of the things that we see is that, usually when people are discussing the strategies or legal framework, they're usually looking at one specific problem and one specific point, or some specific problem they want to solve.

It usually misses a lot into understanding the intended or unintended consequences of what you were proposing, so there is a lot of discussions ‑‑ a lot of people that want more data retention, a lot of people that want less data retention, some people that think no data retention at all is possible.

And then I think it goes for all stakeholders to first understand how the network works.  And this is a challenge I can speak more into what we are going through in Brazil that sometimes people are discussing, and they have ‑‑ they don't have an understanding of what actually is needed, what actually you can have from a specific technology or from a specific requirement.

And what I said about security and control, is that specifically we see a lot of control mechanisms, like I have to collect all the data.  I need to see everything that's happening in a point.  That doesn't make any system more secure.  It doesn't make you have more data about what's going on in there, but that actually does not increase the security of the system at all.

So but, of course, every time that someone needs to push a policy, they say oh, this is for cybersecurity or this is for the security of the world.

But one of the things, especially people in this Forum need to do is really try to speak up and say okay, what exactly are we talking about?  Are we talking about cybersecurity?  Are we talking about having more data for investigations?  Are we talking about having something else?

So, there are some mechanisms that are needed that they could be used for control, so also we can't have a point where you won't have any data because otherwise you won't be able to secure that also.  It's very complex.  But I think that people really need to go out, ask for people for opinions, and discuss more of that.

So in Brazil, there is a lot of bills in the Congress.  We have more than 100 of them talking about Internet, and they come from all sides.  So, there is a huge debate.  We need to be paying attention.  Not necessarily because people say something is good it will be, but I think it's just a way of sharing information and sharing knowledge and sharing case studies.

So for the first question, for me that would be the suggestion, to really learn from other people's mistakes.  And now days, we have a lot of mistakes public out there, and we should be looking for what went wrong and what went well because sometimes people recover very well from that.

   >> MODERATOR:  One more question.

>> So I would like to add a little bit of what Cristine just said.  So one of the challenges coming from the technical community, one of the challenges that we face is with different countries being at a different level in the maturity curve.

It was difficult to understand each other, so at some point, we need that to have a common understanding for certain things in order to be able to talk to each other.

In relation with the previous question, for example gives you an example, a few of the different incidents that happened recently against different network in Africa, we have seen that through different information that we have.  But, we don't, for example, have a common understanding of what responsibility disclosure means.

And sometimes you end up reporting issues to someone and have, as a response back, a lawyer contacting you and threatening you to put you into court.  Those are those kind of issues that the convention, and again, it needs to have more work around it, are but those are the issues that we need policymakers to come up with a, kind of, common understanding on how we discuss those issues that we are facing and how we work together on those type of challenge.  Thank you.

   >> MODERATOR:  Again.  Excuse me for not realizing that it was your turn.  So we have one more question.  Could you keep it as short as possible.

>> Louise Bennet the chart erd institute for IT, one area that I was surprised not to hear you speak about was Internet enabled mobile financial transactions, which seem to have taken off, particularly, in Africa much more ‑‑ much earlier than the UK.  And I haven't heard much about their being security problems on those, for instance, in Kenya.  However, in the UK where we've only just started doing a lot of Internet‑enabled mobile transaction, there are already really serious cybersecurity problems.

So I wondered if there were things that we could learn about how you've approached that?  Thank you.

   >> JEAN-ROBERT HOUNTOMEY:  So first of all, you are right.  If I was a hacker and if I have to target infrastructure in Kenya, for example, I won't look at network provider.  I will target the mobile operator because that's where, for me, I'm not the hacker, but ‑‑

(Laughing).

That's where a real value is.  But Olaf mentioned about some action done with the different operators and some recommendation that are coming up, and it's in provision of that.

Most of the ‑‑ most, yes.  So the future of ICT in Africa is through the mobile network.  So there are a lot of application, a lot of services that are being pushed through the mobile means.

And we have been looking at that, at the operator and developer and also the application provider and the vendor level to come up with some recommendations that can help take some steps further in order to prevent those kind of issues.  Thank you.

   >> OLAF KOLKMAN:  Yeah.  And just, good to see you here Louise.  The thing that I think we touch ‑‑ we touched upon it in the hallway conversation a little bit around mobile payments.  The thing is, if it comes to cybersecurity, and if it comes to talking about it, where do you put the parameter of what your focus of the day is?  And in the discussions we had last week, that was just not a focus.

That said, obviously, if you do the risk‑based analysis, that is where the most value, at this moment, in the cyber economy of Africa is.

In the other places of the cyber economy, there is not much value yet.  So I think that one of the ‑‑ obviously, that there needs to be a lot of attention on the value and the vulnerabilities of mobile pay, but there is also the opportunities to start with a building value in the other parts of the Internet now together with building the capacity.  So work more from in building capacity and security at the same time, which is always better than patching after the fact.

So I think the two things need to go together.

   >> MODERATOR:  Thank you very much.  This was a very, very, very interesting segment.  Now is the time, as I described when we opened the session, we are going to move to the second segment.

This is where we have the presentation from the Seed approximate alliance, these were three projects financed by the Seed alliance, they decided to come together and form an alliance and from the alliance they formed funding for the technology projects.

The three projects that we have here are related to cybersecurity, and the first one at that we are going to present is from Tonga by Andrew Toimoana who is working on developing for Tonga.

The second is Marcelo Palma Salas on security.

And finally Erika vagua fromming to about VGB security.

So Andrew?

   >> ANDREW TOIMOANA:  Thank you, and good morning.  It has been introduced, my name is Andrew Toimoana and I'm from the ‑‑ I would like to thank you this alliance for the opportunity given to me to present today.

Basically, after listening to the previous presentation, you might be thinking, what is important?  Why is it so unique for Tonga for setting up this as a project.  And I would like to introduce this to you, and probably you can see why is it important for us.

I'm not sure if everybody know where Tonga is, I get that a lot when I travel and I introduce myself from Tonga, and everybody says, oh, where is Tonga?

So I'm going to introduce Tonga to you as well.  Tonga, it's a very small Pacific island, and initially for setting up the cert, as we went through the process, we didn't know that what we were trying to do will be the first in the South Pacific.  And we had some challenge, and with the assistance of APNIC, we had come out with some solutions.

As you can see, Tonga, make double for 177 islands and about 52 islands inhabited.  The total population is about a little over 100,000 people in there.  And the total land area is 750 square kilometers.

Tonga wanted to move forward with technology, so they introduce the fiber optics was launched in August 2013.  This is one of the tools that support economic and social developments of Tonga, as it's been defined by the government.

Also, it brings enormous benefits and opportunities for the people.  This can be very dangerous if you cannot monitor and use it for the right purpose, as you know, from the previous presentations.

What the government did in December 2013, they approved a task force.  The task force will only report to the cabinet, and one of the mandates for the cyber challenge task force is under terms of reference, was technical system with entitled to sets up a Tonga computer emergency response which is to cert.

Basically, starting to prepare for launching the Tonga cert.  We became affiliated with some organizations.  We affiliated with the Council of F, this is by engaging in a class of project, which is training our legal offices and our prosecutors to understand more about the issues of cybersecurity.

And also, we had some visit to Srilangacert and Malisa cert they contributed a lot to the Tonga cert.

And also, we have appointed APNIC to be the Tonga cert technical adviser, which is providing some technical training and technical advice for the Tonga cert.

And with the assistance of the APNIC, Tonga cert was officially launched in July 2015, which is last July, and the cert is organized under the ministry of matec the ministry of communication is under.

And we have come up with different phases where we can set up the Tonga cert.  The first one is setting up the Tonga cert, we have Phase 1 and Phase 2 going on in parallel, and also developing the procedures and policies also going to know at the same time.

So we have four different phases for launching the ‑‑ for developing the Tonga cert.

As we proceed with our process of setting up the cert and as APNIC introduce us to ISIF, we were lucky to be the recipient of the small client fund.

The fund is used to develop the Phase 1 and Phase 2, as I was showing you earlier, and also government and other partners are contributing with providing manpower resources, office facility, and other.

This is the organization for the Tonga cert, as you can see we have a board that mappings the cert, and we have the operation specialists depending on APNIC.  And in the agency liaison offices, this is very important for us because we engage our ISP, and we assign, we have assigned the MOU with three ISPs in Tonga and they assign two liaison officers from each to be a part of our team.

And so, it's important that when a incident happen, we have to liase with them and also go through the process to move the process faster.

And I believe, that's the end of my presentation and you're welcome to make any comment or questions.

   >> MODERATOR:  Thank you, very much, Andrew.  I would like to invite Marcelo Palma to the stage who is going to present to us on security.

   >> MARCELO PALMA SALAS:  Okay.  Okay.  Good morning.  Thank you for this.  In the case, I presented Turbot, this is protection to the where manages traffic.

This project, we have to support to free Internet with the thank you to them and the pronl that supported the pronl.  The security laboratory, in Brazil.

Okay.  Please, do you know the ‑‑ no.  Okay.  Let's go.  It's a relay network that enables anonymous application between different application and users.  It works over the TCP and protect your identity on the Internet.

The principle problem is it try to protects your information against corporate and government targets, not surveillance.

Despite being used mainly by actively your and other peoples, there are more time compliance with other network, this is a big problem.

But how it does work, how does it work.  In order to introduce the concept of the layers.  For example, many works with operating server, using three relays.  The first, middle, and exit.  This is applied the security through it.  Each router knows only the acceptedder and the receiver that works.

For example, we have here we're trying to connect to other server and we use three relay to connect that support to the communication.

The problem is, for example, that behind any service there are a lot of malicious traffic.  I took botnet, malware, traffic, et cetera.  There are a lot of different kind.  For example, 84% of the surveyed are up or less down five.  And the other problem is 100 new relay service come online every day.

For example, we have that the 50% of this service are drugs, market, route, and other kinds.

In our project, we prosed in three phases.  First, collect the malicious traffic, analyze and classify, and following and blocking.

This includes setting up a network and rerouteing the big ‑‑ of the big traffic, obviously.  And they will assist and formalize that tracking and blocking against malicious traffic.  This is very difficult because the information of the traffic is all encrypted.  And applied to recognize to block the malicious traffic.

We use different tools like Traffic Analyze, ID, antivirus traffic system, other products for traffic.  Other products like (?), it's a new area in the intelligence, and using meta analyzing.

Our architecture work in the final relay name in exit.  It analyze the traffic used in the tools stated, much like this, and collect this information.  For example, in our case that we can collect the malware, we try to analyze with bot and other kinds of tools.

Okay.  And obviously, the traffic is entered to the router of the relay.  Okay.  This is the project and this is, for example, the traffic of it in South America.  Thank you.

   >> MODERATOR:  Thank you, very much, Marcelo.  Yeah.  This is great.

(Applause).

And I would like to invite our third grantee, Erika, to the stage.

A comment, Erika will present in Spanish and I trust that we have quite a Spanish speaking audience here, but I would provide a summary of the project in English after she finishes.

   >> ERIKA VEGA:  Morning.  I offer my apologies because I don't speak English.  I will make my presentation in Spanish.

(speaking Spanish).

(Applause).

   >> MODERATOR:  Just a brief summary of the project.  In English.  The network in Columbia, it's a huge network, actually.  It spans the whole country.  They have a problem that they want to update the routes that are present in the network.  Following some of the discussions on the ETF and actually some of us were here and somewhat guilty of that, if you will, there is a technology called the RPKI of the resource public infrastructure that can be used and applied to validate routes.

And that is willing to actually commit a lot of effort, with the support of the Seed Alliance in order to probably one of the largest deployment of the RPKI that the world has seen so far.  That is an amazing project in itself.  So thank you very much, Erika.

   >> ERIKA VEGA:  Thank you.

   >> MODERATOR:  So, we should move now to the third segment of this session.  We were supposed to break out in groups and have a debates, closed debates, but the thing is we only have around 20 minutes left, and we sort of believe that it's too short for that kind of dynamic.

So we are doing something else instead, which I believe you will actually prefer.  We are actually opening the floor for your questions.  I see some hands up already.  Remember, that the questions can be for either of the panelists or also for the others as well.  You can make questions in general or make directed questions.

So the audience, the floor is yours.  You want to say something?

>> In the meantime, I just want to give a thumb's up to the work that Erika just presented.  I alluded to it before, that at the ISP level, there are specific actions that people can take in order to make the routeing system more resilient.

The routeing system is the system that connects the network of networks to make sure that the global connectivity is there.

Now, the security of that system is notoriously bad.  And what Erika just demonstrated is that there is an ISP in Columbia that, the Academic Network ISP that has taken an action to validate what is going on on the routeing infrastructure.  And that is exactly one of these things that we call for in the MANRS manifesto that I was talking about earlier, is exactly that type of action that will make the Internet more secure, which is taking it at the level of the ISP and enhances the overall Internet infrastructure, so I wanted to add that short of applause.  Over to the questions.

   >> MODERATOR:  So we have a mic on the floor, so who wants to go first?  You have a second?  Second row.

   >> AUDIENCE MEMBER:  Hi.  Good morning.  Fernando from American University, I would like to ask a question to the panel regarding this idea of the Global South.

If we think in terms of the Global South and cybersecurity and infrastructure vulnerability, is there something specific that we should discuss here regarding the dependence between the cyber south on the infrastructure of the north.  I'm thinking specifically on ISPs, and Africa and Europe, Latin America and the U.S., is there something specific that we should discuss here in regard to risks of surveillance that is not necessarily on your territory, but you are dependent on jurisdiction and other issues regarding this other space.  Thank you.

   >> OLAF KOLKMAN:  Yeah.  I think I touched upon that during the presentation that I gave.  There are a few things that are, indeed, specific to the Global South.  And I would say dependency on traffic going, even off‑continent, is not only going off, but a security issue in the context of a pervasive monitoring and surveillance.

So yes, ISPs play a major role in keeping your traffic local.  And keeping your traffic local has the benefit of A, you don't have to pay for your transit, so you keep the dollars in your pocket.  And B, making sure that traffic that doesn't necessarily have to leave your parameter, doesn't leave your parameters, and therefore cannot be looked a the by third parties.

I think that it is important that ISPs are at the beginning of a process that will keep your traffic in your country.  Because if you have an ISP, that doesn't necessarily mean that the services that you're connecting to are connected to that ISP.

The Cloud is everywhere, and if you connect to specific server, Amazon or Netflix or what have you, you might not find your traffic being confined to your locality.  It might actually go out far away.

So I think ISPs are the first step in getting content more locally, but local content is an important piece of that.  It's an important piece of keeping data global.

And there is a pervasive monitoring angle to that, so yes, there is a sense ‑‑ a trust issue, I would say.  Maybe not what we would traditionally call cybersecurity, but a trust issue.  I hope that answers your question.

   >> MODERATOR:  Questions?

   >> AUDIENCE MEMBER:  So, for Tonga, c ert I would be interested to know how you stand your capacity in terms of tooling.  For example, what we have been doing in African continent is to focus on Open Source tools in order to put the final resources on building the human skills.  So that was one thing.

The second thing is that we have been doing, also, an initiative of helping each other.  Like a team being and knowing tools and being at a certain maturity level with those tools and being able to have teams around them to assist with capacity.

So I would be interested to know your experience in terms of toolings and what you have been using.  Thank you.

>> Thank you for the questions.  I think this is a very important question.  Especially for us in the Pacific, where funding is very limited.  As you know, we go with the standard applications requires license and stuff.  So what we have found out in the government, and it is true probably in all the Pacific island, there is a lot of Open Source engagement in the Pacific.

And as we visit the other countries, like Shrilanka, they're also engaged heavily on using Open Source.  So in Tonga, we also are using Open Source, but we also have a open standard approach for the government where also the other software, like Microsoft and stuff like that, that we also engage on.  But we want to make sure that they, that they get the licensing and everything sorted before they put it on.

In response to the capacity, we are engaging on some, and we have put up a training once a month with all of our ministries, technicians where we come in and share knowledge.  And also, they share any new things that they have come across, even some challenges that they are facing.

It's one important thing is that we engage the IS Ps technician, as we have stressed here today how important they are in making sure that the routeing is all secured.

We have learned a lot from them because they ‑‑ most of our traffic are going through their infrastructure, and but they have been there in sharing with us, it's really important for us.

Also, one thing that we also worked together with is the police, the Tonga Police or law enforcement.  Their capacity requires forensics side, it's not yet up there, so we are trying our best to learn ourself how to do it right, and also assist them in different ways.  And that's how we create a platform where we can share knowledge.  We also hold forums weekly ‑‑ I mean, monthly, and it's becoming an important forum for us.

   >> MODERATOR:  Any questions from the room?  I do have a question.  Oh, sure.  Of course.

   >> OLAF KOLKMAN:  I have a question to the room.  I find this a little awkward, we're sitting on the stabling and treat the as Oracles while we just share a perspective.

I actually wonder, if there are people in the room who say, yeah, the perspectives that you bring subsidiarity, collaboration, and so on and so forth, it's all good and nice, but I've tried this and I stumbled.

I actually wonder if there are people in the room who have experiences that are, you know, that can be shared from which we can learn, from which we, as an audience together can learn.  Does anybody want to volunteer something?  In the back I see a hand.

   >> AUDIENCE MEMBER:  Hi.  Thank you.  My name is ver ona, the second director in In Hope.  It's an international association of Internet hotlines where citizens can report child sexual abuse material found on the Internet.

So, as you can imagine we are confronted as we are a network, currently present in 46 countries in all couldn't continents and we're confronted with the issue when a content is assessed or one of the hotlines gets the content, what is considered as illegal?  What is considered as child pornography?  We prefer to use child abuse sexual material, because it's not a child being willingly and posing for pictures or for videos, of course.

But notice of the legislation around the world these days talk about child pornography these days.  So we have been discussing this issue for 16 years already, and what we do is we ‑‑ when one of our members hotlines finds content that they assess as illegal, according to their jurisdiction, then they trace that content.

They trace the content, find out where the content is hosted, and then they pass on their report to the other hotline where that content is hosted, so that that hotline in that country can deal both with law enforcement, with the police for a investigation, and with the ISP, so that the content can be taken down very quickly to avoid victimization, but making sure that there is the right protocol in place between the industry and the police so that taking down that content doesn't affect potential on‑going investigations, which would actually make the matter worse and would not help the victim or a child being rescued on time.

I think we haven't found a better solution for this problem.  We still have the issue of what is the definition of child pornography in the different jurisdictions we work with.  But we've managed to work with partners around the world, with industry, with big ‑‑ with companies such as Facebook, Google, with Microsoft, we are working with Europe in Europe, with Intorpol on a global level, and contributing also with technology and with the hashes that we actually, that our platform creates with Intorpol, so we've contributed global efforts to fighting this.

So I think this is a very concrete example of one way in which we can cooperate, like social, justice, ministries of justice, I thsm C ministry, ISP, I wouldn't say we're successful but managed a way to deal with a issue that I think could get better.  But these models could be available for other issues of cyber crime.  And I also would like to mained a point that when it comes to cyber crime, people usually either think about identity theft or fraud or financial fraud, but let's not forget, victims are also children, they're also people, and these are issues.  There are way, new kinds of ways that new kinds of crime are facilitated through new technology, and we should also put them in the front of discussion.  Thank you.

   >> OLAF KOLKMAN:  I think, I think this is a very clear and urgent example, actually, of an issue that is notoriously hard to fight and very important to fight.

And I hear a few aspects around that subsidiarity that I was talking about.  First, it is subsidiary in it's topic, child abuse is a serious topic, and organizing around the topic makes you effective and create a network of trust between the partner organizations, and but also at the local level, you know how to speak to the persons and the institutions that are involved and make it more effective.

Another thing that I heard, and I with we hardly ever really speak about, is that security, obviously, is not something that you fix once.  It is something that constantly ongoing.  You feed to be sharp.  And specifically, with a nasty subject like child abuse, there is a constant arm's race.  So vigilant ‑‑ being vigilant about security or that specific security topic, but also more in general, is something that is very important.  Security is not a matter of putting a bunch of controls in place but is a mindset of following developments and making sure you continue to be on top.

I think I've heard that all in your excellent example.  Thank you.  I think you want to respond back.  I see you ‑‑

   >> MODERATOR:  We have a remote question?

   >> MODERATOR:  Heather, can you hear me?  So we have a question from Trever fips.  This question is, how should a small island state with limited resources start the process of developing a cert?  Our population is about 40,000.  That's his question.

   >> MODERATOR:  For Andrew, I guess.  The mic?

   >> ANDREW TOIMOANA:  I think this question is related to us, especially we are one of those small island states.

It is true that trying to organize for a cert is not an easy task, as you know it requires resources and the capacity to build a cert.

And as I presented earlier, what we have done, we do a lot of collaboration and partnership.  And first, we have to identify a technical champion to start with.  And that's when we engage APNIC and also we identify those who have a lot of engagement with technology, that's where we identify the ISPs, and we also identify people within the organization where they can be pulled out and start up the cert.

One thing that is unique that we have done in Tonga especially is that we share resources.  One of the things ‑‑ one of the ISP is providing office space for the cert, and also they provide some of the equipment to start up the cert.  It's part of our initial relationship with them, and we have signed a MOU with them also about engaging this stuff, especially the engagement officers in some of the cases that come across the cert.

And to me, if we are to interest this in a smaller nation like Tonga and it might be true to all the small island states, cooperation and networking and also partnership with organizations that can assist and help you establish, it's a key factor for establishing a cert.

Obviously, we can't do it on our own without the assistance from these organizations.  Thank you.

   >> MODERATOR:  Thank you very much, Andrew.  Thank you very much for the audience.  This was a very enlightening session.  Thank you for the panelists, and we ask for a round of applause for all of us, actually.

(Applause).

Thank you very much.