The following are the outputs of the real-time captioning taken during the Eleventh Annual Meeting of the Internet Governance Forum (IGF) in Jalisco, Mexico, from 5 to 9 December 2016. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record.
>> All right. Shall we start, then? My name is Pablo Hinojosa. I work for APNIC the Internet registry for AP. We have been working in the context of capacity building for our membership and wider technical community. These are the people who are actually building and maintaining ISPs and other network infrastructure services.
Thanks mostly to Duncan and Madelyn, we spotted an opportunity and together we submitted our workshop proposal that successfully made it here to the IGF. It is a little bit out of our comfort zone in the technical arena, but we look forward to learning from you. And I hope that we can have a useful dialogue and discussion. So welcome all to the cyber moms meeting Internet Governance. I don't know if you saw the transcript. They transcribed cyber norms into cybernance. Welcome all the cyber moms here. What we're trying to do here is to facilitate an introduction between two fields that have not met quite yet formally.
And can I risk to say they have not been properly introduced? They have met in the corridors here and there. They have coincided with same room. But the idea here is to give a warm welcome to a few friends to the IGF.
Our friends come from the international law and international relations fields. They work in think tanks, academia, governments, and have been working for many years on subjects around information security and cybersecurity. The approach to these subjects has been around protecting national security from attacks that could drop critical infrastructures. They think about national security having in mind mostly attackers being foreign state actors.
I will run the risk of oversimplification, but I hope that during this session, a more complete picture and understanding can occur.
The first simplification is that we call this field, the cyber norms field, and to the best of my understanding the cyber norms trusts or aspires to a number of groups that can be written and agreed and made effective. I'm talking about international treaties, UN and other multilateral agreements.
On the other side of the fence, actually on this side of the fence because we are in the IGF, right? Is the international, the Internet Governance community with its multiple stakeholders. This community believes in a decisionmaking model which is inclusive and where different stakeholders can participate.
Another way to see this opportunity is to refer to the United Nations system. The cyber norms community has operated in the context of the first committee of the United Nations. The first committee deals with disarmament and cause global challenges and threats.
Such is the case of the work being made by the government group of experts that is currently working hard in the next phase of recommendations.
In contrast, the Internet governance community has lived mostly in the area of the second UN and financial institutes. That is where the UN Department of Social affairs is from, very much related to where the WSIS and the IGF derived from.
Again, in a very simplistic and reductionist way, this workshop is like opening a window. Perhaps just drilling a small hole between the first and the second committees, a hole big enough in order to extend a hand to the other side and promote a handshake between these two sides. A handshake between different approaches and similar agendas that when decisions are made may affect one another.
I would like to ask Marilia if she could be the one offering the first welcoming thoughts from the Internet governance side to our dear guests from the cyber norms community. Marilia is the senior researcher for DiploFoundation. We really need someone that can make the Internet Governance overview in machine gun fashion but with laser‑guided precision. So off to you, Marilia.
>> MARILIA MACIEL: You should have warned me that I sat on the wrong side of the fence here. But I just started to cross‑pollenise maybe the discussion.
>> Pablo: There is no wrong and right sides of the fence.
>> MARILIA: Point well taken. But I thought about to start the discussion from an Internet Governance standpoint, meaning some of the characteristics of the Internet Governance discussions that may facilitate or may pose some obstacles for the bridging of this gap to take place.
Although security was a concern that was pretty much there when the Internet was created, after all the Internet was a military project, this project broke free from the military realm and developed quite a set of specific characteristics. So the Internet was further developed by the technical and academic communities, which has a very specific ethos and principles and beliefs that guide the way that they operate. And these beliefs got somehow enmeshed into the architecture of the Internet. We are talking about for instance openness, the principle of permissionless innovation, the end‑to‑end design, the design of some of the Internet protocols that we have today that in the future would pose a problem to attribution. But when the Internet was created, security was not necessarily on the mindset of those that were developing the architecture of the Internet. And this is something that we need to take into account when you try to bridge this gap.
A second characteristic is that in Internet Governance, states were very much latecomers into the process. So when they started to understand the importance of discussing Internet and Internet Governance and organised the first world summit on the Internet, on the Information Society, many commercial actors were already operating on the Internet. So we already had Amazon. We already had Google. And it's very hard to put the Genie back into the bottle. The fact that states were not there does not mean that the Internet was not being regulated. There were rules of the game that were pretty much already in place when states arrived.
Most of the rules of the game are still defined by private actors. So if we look at the infrastructure layer, we see that contractual agreements, of transit, of peering pretty much define how this infrastructure operates. If we look at ICANN, for instance, or ‑‑ we see that the contracts between ICANN and registrars that define the way that this layer is governed.
And if we look at the layer in which we feel and experience the Internet, the layer of applications, we all accept Terms of Service that we usually do not read but we go and accept. And these Terms of Service are pretty much the norm that govern our presence online.
This is a very different approach when we think about international relations, when we think about security, in which international agreements play a much more prominent role.
What the WSIS did when it took place was to recognize these actors that inhabited before the Internet Governance landscape. And the WSIS text provide a base for multistakeholder and Internet Governance and if we look at the security field, we are very much far away from having a full multistakeholder adoption or even understanding.
But multistakeholderism has evolved throughout the years. And I think that from the start, we had a very strict concept of multistakeholder participation. We thought that all the actors were exactly the same and they should be on equal footing in every discussion and every step of the discussion. And I think that this understanding has been somewhat refined throughout the years. And we see that documents, important recent ones, like the outcome document of NETmundial, asks for clarification of the different roles and responsibilities that different actors have in Internet Governance. And one of the examples that is usually given is security. It's not that discussions about security should not be held in a multistakeholder fashion, they should. But actors have different responsibilities. And this needs to be recognized.
And I think that this creates a good opportunity for us to discuss with actors that deal with security and on the other side I feel more and more that actors dealing with security are open to acknowledge and to understand the importance of nongovernmental actors. They cannot operate national security policies and defense policies if they do not show up to the private sector. If they do not talk to Chris CERTs if they do not reach out to civil society because sometimes the weakest link to security issues is on the end user, is on the person that has malware on his or her computer that deploys botnet, DDOS attacks without knowing his part of the botnet.
So lastly, I think that one difference between the two fields is that the WSIS documents put individuals at the centre of every Internet Governance discussion. Discussions should be people‑centred and development oriented. And this view has been not only endorsed but even strengthened when Information Society and sustainable development goals have been discussed together recently. So the individual's at the centre.
When we see security discussions, the state is at the centre.
In national security, policies protect many times the existence of the state not necessarily its people. So maybe it's time I think for the security side also to rethink where they place the individual in security discussions. And that will certainly create more place for bridging the gap. Thanks.
>> Marilia, thanks to you. On behalf of the cyber norm side, I would like to introduce Duncan Hollis, who is the co‑organizer of this session. He's actually the brain power behind the proposal we sent to the MAG in June and the force of inspiration for this to happen. Duncan, can you please provide us with an overview of the cyber norm space? What is it? Where does it come from? Where is it going? For the record, sorry. Duncan is a professor of law at Temple University. And I think we should be very thankful to you for joining us here in the IGF.
>> DUNCAN HOLLIS: Thank you, Pablo, for bringing me to my first IGF. And if you'll be patient with me, I want to start off by asking a very different question, which is: What are you wearing today? Like think about what you're wearing. And as I look around, as it befits a multistakeholder event, we're all seeing lots of different fashion choices. So the question is why are you wearing what you're wearing?
I, for example, am wearing a jacket with no tie because I was told that is appropriate attire for the IGF.
And obviously looking around the room, there's a fairly broad band of what's appropriate. But I don't see any bathing suits. I don't see any tuxedos. And I guess the reason is although we say we dress for the occasion, right? We have norms that are cueing us as to what the appropriate behavior is. Norms are collective expectations of proper behavior by members of a group.
And we have all sorts of communities that form groups, whether it's the IGF as a community, whether it's engineers as a community, lawyers or institutions like CERTs or say members of the MRO.
I think the community that Pablo invited me to talk about today is the community of sovereign states and their norms for cybersecurity.
And I should say, kind of having Marilia's historical perspective, that when we look at how states, as a community, have addressed cybersecurity issues, they didn't start with a GGE or the United Nations, they started domestically. They started with regulating Cybercrime and Intellectual Property at a domestic level, and it wasn't until 1998 when Russia came to the United Nations with this idea that information could be weaponised, suggesting that in some ways what needed to happen was some sort of arms control approach and indeed a treaty on information weapons.
The idea, I should say, got a very cool reception. Only a few states supported it. But what came out of that was an agreement at the United Nations to set up what we call the GGE, the group of government experts.
Fast forward to today, 2016. And we're in the midst of our, I believe some GGE members are here. They can correct me. This is the fifth and it's scheduled to finish in 2017 and it will hopefully build on the work of the two prior GGE reports issued in 2013 and 2015.
The 2015 GGE was notable for the 20‑Member States agreeing on a suite of voluntary, nonbinding information security norms for responsible state behavior in peace time. And the substance of those proposals, and we may get a chance to discuss them, are pretty interesting. States should not target critical infrastructure. States should avoid using proxies. States should not use targets or tools for cyber operations or an idea near and dear to my own heart, duty to assist victims of cyber operations.
Equally of interest is what's the new GGE going to do? Will it have some norms on encryption? Will it propose that states agree to protect what's called the public core of the Internet according to the Dutch?
But for me I think there are actually at least three aspects of the GGE process that are as important as the content of the norms that they are promoting. And that's the scope, their voluntary nature and their emergence from a multilateral process.
So, quickly, in terms of scope, I think it's important to understand as already noted is the GGE is coming out of the first committee of the United Nations which deals with arms control and international peace and security. That means that whatever the GGE does, it's going to be cabined by those subjects. So the GGE is not going to address cyber threats in the form of cybercrime even if attribution problems sometimes make it difficult for victims to know are they being a victim of an individual attack or state sponsored one. But even within the security context, the question of what the GGE is supposed to focus on is still up for grabs. We might simplify this as a debate between the information security people and the cybersecurity people. Do you focus on just norms for protecting confidentiality losses, availability losses, or do you extend beyond that cybersecurity to information security and want to have controls on speech, subversive or otherwise?
Beyond the scope it's also important to emphasize that what the GGE has been advancing is nonbinding norms. Not to say that they have not focused on international law. In fact the GGE is to be commended for actually agreeing in 2013 and 2015 that international law applies in cyberspace.
But the question for the GGE, then became: Well how does it apply? And at least in what I'm hearing is they're having great difficulty in articulating specific rules on things like cyber war or state operations that don't rise to a cyber war level. And it's those difficulties, I think, that led the GGE to this idea of norms. And maybe we can talk a bit later about how one operationalizes them. But that's kind of where they're moving is this idea of maybe we can have a socially constructed set of behavior that guide behavior of like how we decide what to wear and we avoid wearing bathing suits in this room.
My final point and probably the one that probably strikes a chord or maybe a hostile one with the IGF is the structure of the GGE. It is undeniably state‑centric. Today it is 25 states negotiating over norms for states.
Now, there are occasional nods to multistakeholderism. And I would say if we have time to talk about how the GGE has become more inclusive. But be clear that whatever they decide will be done behind closed doors, Old Style diplomacy. Let me end on a more formal note. Just because the formation of what the GGE norms are does not mean that multistakeholderism will be excluded entirely. We might envision a more multistakeholderism to the norms, monitoring whether states follow through what they say they're going to do and figure out ways to build capacity, technical and the like. I look forward, have a lot more to say about the conversation but I'll stop now for now.
>> Pablo: Duncan, can I take my jacket off now? We're also very blessed to have with us the NATO corporate Center of Excellence, Henry, welcome to the IGF, welcome to Mexico. You work very closely on research about state to state defensive cyber operations. And you may want to add a bit to what Duncan just said. Please go ahead.
>> Thank you, Pablo and Duncan, for putting together this workshop. I think you have really identified an area where in their own silos. Let's see whether we can break those barriers.
And with that in mind and since this is a session that open to discussion, I will also initially outline some of the main characteristics and dynamics of the ongoing cyber norms processes.
And I hope this provides a basis for further discussions on how states and other stakeholders can collaborate.
As pointed out by Duncan, the debate on cyber norms has so far been mostly ‑‑ UN first committee but also in the OCE and also on bilateral basis. And I think it would be useful to first explain what is meant in these forums by the term cyber norms.
Because the term norm essentially as Duncan also presented covered a very wide area of activities and the influence very wide area of actors. And if we apply the definition which is very well accepted in academic community, norm is standard of appropriate behavior for actors with a given identity, then this implies that the norm can be ‑‑ norms can substantially differ in terms of legal bindingness or have political characters, technical characters or ethical characteristics.
And in my view a lack of clarity on the term is one of the ‑‑ is often causes confusion and limits progress in this more multilateral discussions. And if we look at the current cyber norms in the context of international security, the focus has mainly been on international norms that aim to regulate state behavior with regard to cyber operations and these have been influenced most by the interests of major powers that have high level cyber capabilities.
In other words, the discussion is between actors that actually might conduct those significant offensive operations against each other. And I think it's an important point.
And we can observe progress with two types of norms. First politically binding and legally binding norms. In the context of legally binding norms as Duncan mentioned, UNGG and the international community has accepted or acknowledged the very basic but significant notion that international law applies to state activities in cyberspace.
However, states have not really clarified how does international law apply? And I think here one way that nonstate actors can actually provide valuable input. For example, in the CCDCE, we have hosted the Tallinn Manual process that gathers legal scholars to address this exact issue. We published the first online manual in 2013. It focused on how the law of armed conflict applies to cyber activities. And now in the beginning of next year, we'll publish the manual 2.0 that focus on the peace time activities. I think academia's input here is valuable also for the states because these discussions can be more flexible and actually provide valuable input to the two states and states have been actually more engaged in the approaches.
And, in addition to those legal norms, you have politically binding norms that Duncan mentioned. And perhaps the most prominent here are the norms of responsible behavior, which is promoted by the UNGG. In the last 2015 report which identified certain targets which should not be attacked, for example, CERTs or critical infrastructure.
And these norms are made to apply during peace time, which is an important aspect, I think. And confidence building measures, two set of those that aim to mainly establish very basic information exchange channels.
It is important to keep in mind that with those politically binding norms, these are not certainly new legal instruments. They are rather, as I said, confidence‑building measures, additional layers to this normative framework. And these instruments are aimed usually or very often to prevent miscalculation and interstate conflict escalation by establishing those communication mechanisms and identifying areas or targets which should not be attacked.
But here we also can see a similar degrees as with the legally binding norms ‑‑ progress.
We see that they all oh have a stake in this. Most prominently the private sector has been providing their input, for example, Microsoft has proposed a set of those politically binding norms.
But nevertheless, although we can see nonstate actors being more involved, I like the point which is important for our workshop, I think, as you said, most of these discussions are still dominated by governments since they are held in a so‑called geopolitical or international security context. And thus the discussions tend to be dominated by different and often opposing state interests. As these forums address very highly sensitive clandestine activities that are of national security or military relevance.
And before I stop, I'd like to introduce you a book which actually focuses on this topic that we launched this year. Which provide good introduction for actually this community as well about the main processes in this area. And this can be accessed on our website for free at CCBC‑‑.org. I stop here.
>> Pablo: Thank you, Henry. We're setting the scene. I would like to invite Alejandro Pisanty to wrap up this initial part of the session with your views on Internet Governance. I know your weapon of choice, Alex, has been the strength of the Internet principles. When you see Alex speak about the principles, they seem more impossible to hack or break.
>> ALEJANDRO PISANTY: They are resilient. I work at the National University of Mexico and I am the Chair of the international society chapter in Mexico. Thank you for the signal.
So, number 1, the first batch of identification of the Internet Governance side of this gap. I may be wrong. I am permanent beta. Every statement has to be tested and may be corrected.
I have had the unique opportunity of engaging in dialogue with the cyber norms community thanks to a man who should be here next year, we must bring him, who is called Ron Deibert who runs the Citizen Lab in the University of Toronto that really bridges this gap like few others.
And thanks a lot. I have had the chance to meet Henry, Duncan and many others, very distinguished scholars in that field.
I'm going to add on the description that Marilia has made of the Internet Governance side. I'm afraid to say that with some strong divergence from the description.
First, it's an urban legend that security was not considered in the design of the Internet. That statement is a lie.
The security available to the computer scientists, physicists, coders, engineers that first designed the Internet protocols was the best available in their time. It was computer security. It was security for the mainframes in which they ran simulation, not they but in which the simulations of nuclear bombs were run. It was the security of computers where the whole payroll of the United States Government or of IBM or of several other large corporations was run, where their Intellectual Property was held. These were the best protected computers in the planet, or at least they were at the same level and the other ones would have been in Russia, probably. So it was the highest level of security ever available until that age.
What they did decide was not to put security in the hands of the network. They decided to keep the security in the edge. They decided to keep the security at the highest level that computers could evolve in the edge whereas if they decided to put encryption or passwords or anything else in the gear inside the network, they would have to be replacing the equipment and the software inside the network every time a small amount of computer power increase was available. So they would need to replace the whole network.
So they said the critical assets will be protected at the edge, and we will work with the best security that we can buy as time goes by for the network.
This is a very, very, very important statement because it shows you how this philosophy has evolved. It has become necessary to protect the Network. It has become necessary to make the net a bit smarter in order to protect the network assets themselves. That's taking a great expense. And also keeping it open and operable while it is not easy. Sorry to fit your urban legend about the principles. That's the way they work how you bring them to bear.
Second, indeed ICANN, for example, has been built on a set of private agreements that are purely based on private law. But the Internet was not built on contracts and formal agreements. It has been said again and again most likely by Andrew Sullivan, the Internet runs on a handshake. The Internet runs on a basis of very informal but very trustworthy informal agreements between the different parties and these don't have a contract. To me I may be I'm passing your packets to someone else who I'm not interested or even who is against me. Tomorrow it may be I'm stopping those packets because those packets are hurting someone. Again without seeing if I am interested or not. And from passing the packets on, filtering the packets, making charging agreements, or making peering agreements that charging is not going to be, that it will be smaller than the cost of accounting. Then ISPs all these huge structures we're talking about now, all of these were built on trust. And the Internet has been so well designed that even after being based on trust in its design, it has been able to survive in an environment where trust is not anymore an assumption.
The Internet ‑‑ the access to Internet Governance again is a very important. I will address the multistakeholder already made in a way that I think goes a bit deeper. We people working on or for or with the Internet in Developing Countries were able to work together with the other people that were making the Internet, creating and expanding the Internet. Because we agreed to work with them, we went to Internet Societies workshops to be trained or sent people to be trained without asking the government for a network that was under the government's radars in developing or in authoritarian countries. So we work across stakeholders. Some of us were working or some of my predecessors, I'm not ascribing myself as heroic. This is a generation before me. My predecessors some of them were in government units, some of them were in national science councils, some of them were in companies, some of them were in NGOs. And they all came together just because they had to pass packets to each other and they have to learn how to pass those packets. So that cooperation across different stakeholder groups is organic to the growth of the Internet. That's what it means above the purely technical level.
When ICANN was built, it was built on an identification of who were the possible stakeholders for the Domain Name System, the IP addresses and the Internet Protocols. And a few years later you can say this anecdotally ‑‑ IGF, these other specific Internet parts of the World Summit on the Information Society. The multistakeholder arose in that context because the governments asked for a seat on that table. They have their seats. They could have just taken them. There was nobody bidding. Their access was they hadn't decided to sit there. They had decided to sit behind closed doors, smoke filled rooms negotiating text which is 7 words of difference for two weeks. And like in the recent ‑‑
So that's the origin of this multi stakeholder. Here is another urban legend I would like to deflate. And I'm close to closing. There's an urban legend that says that the Internet community claims that there has to be absolutely equal representation between all four stakeholder groups in every possible mechanism and that there's like a one‑size‑fits‑all kind of approach. And this is another urban legend that has to be dispelled.
Multistakeholder is done on the Internet the same way the Internet is done. Form follows function. What do you need? Do you need to stop spam from one ISP to another? The ISP technicians talk to the other, what are the names or the ISPs or the filters, you block it. Engineer to engineer.
Up problems with intellectual problems, you bring the IP lawyers that have problems with lawyers, regulatory lawyers, you bring who you need. You solve the problem. You don't create a structure and look for problems. You make sure every party involved is adequately involved.
So for law enforcement purposes, of course they're going to be bringing attacks that have law enforcement implications, of course we are going to bring in the police and you're going to bring in the best and the most police that you need to solve this problem. So that's another myth that goes away.
And that is probably my statement here. And about the view of cyber norms from the net government side, I'll be very brief.
It is very important to recognize for what we see every day, what people see. Again I'm speaking on behalf of people who have not ‑‑ I hope I have not run totally ‑‑ non‑‑ actors are 99 percent and sometimes 100 percent that you see looks like an attack or scan before an attack. Like people are looking for open ports to see what they can attack. All of these come from nonstate actors. They may be by state actors or states you don't know. You see the packets. You see the IP address. Maybe you see something more. But you don't see the state even if the state is paying these provocateurs. It's very important to solve the attribution problem.
That in the technical community is seen as a very long shot. And on the other hand, cyber norms will be welcomed. They are very high away. Very far up in the upper layers of the Internet but they could be very useful if they gave the CERT people, for example, the designers or the operators clear guidelines. What is a malicious attack? Do you consider it by order of sovereignty attacking by scanning ports? Then I have to report that to the national authorities. If it is only a public violation then I will report it to the police. If it is trivial that only has to be reported in the aftermath of an attack, then we'll keep it in a file and use it or send us a requirement that we need to make a report once a month. Give us the money for the disk and we'll do that. Thank you.
>> Pablo: Thank you, Marilia, Duncan, Alex, for setting the scene. I was thinking that you have successfully explained two pillars but I think there are four pillars. I was trying to build an arc here but then we have mostly four different conceptions of these issues and we need to lay a roof on top of that.
We have norms as private contracts.
We have norms for state responsible behavior.
We have fashion norms.
We have norms of participation in different Forums.
We have norms of configuration of mainframes and network computers.
So we have norms everywhere.
And Henry insisted, well let's define these very well. And what is it that we are talking about?
So I would like to suggest to sort of peel the onion and put the roof on this solid basis. I would like to open the discussion at this stage in terms of sort of the views of the floor and perhaps some remote participants if they would like to contribute to the discussion.
Please. It has been a great surprise to learn that one of the members of the UN government group of experts is here with us. If I only could have known, we should have included in the preparatory process. Welcome. State your name.
>> Sure. Thank you and good afternoon. My name is Michael. I'm the cyber foreign policy coordinator for the foreign affairs department of the Canadian government. I am the Canadian expert to the UN Group of Governmental Experts. And as well I was the Canadian expert in the 2012‑2013 edition of the GGE.
But I feel like I sit on both sides of the fence because I was also the Canadian chief negotiator of the WSIS + 10. Where Canada was among those pushing very strongly for an open, free and secure Internet based on a multistakeholder approach to Internet Governance certainly with a great deal of opposition with some places around the table.
So I do feel a little bit like I can actually perhaps bridge that gap a little bit as I do believe that I sit on both sides of the fence.
If I may, I can speak for Canada, but I can't speak for others. So with that caveat, let me just speak a little bit how we see this GGE process. And let me start off by saying that I agree with a lot of what I heard here today though I would offer a couple of precisions with respect to a few things.
First off, the UNGGE it is a bit of a polite fiction. But the experts, according to the resolution, serve in an individual capacity. They're not meant to or formally meant to represent governments. But that is a polite fiction. Frankly, it is a state to state negotiation.
I would also add that what the GGE produces, when it produces it, is a report. And the report can contain recommendations. But they are only recommendations. And they're not binding on anybody, including the governments that were represented in the group.
That report is then submitted to the Secretary‑General of the United Nations, which then passes it on to the first committee of the General Assembly.
So just with that slight sort of clarification.
So, as I said, I can speak for Canada but I can't speak for other countries. And of course given the nature of the negotiation that's taking place, there would be limitations on what I would be able to say about the actual ongoing negotiations because that is the conditions we agreed to when we undertake the negotiations.
So Canada's overall goal with the experts is to contribute to ‑‑ in cyberspace. We seek to avoid interstate conflict in cyberspace as Duncan has said. I think most would agree, given recent events, that is a real issue, an important issue, and one that needs addressing.
But I think the key point there and this is one that Duncan made is the whole question of cabining, if you will.
So this is a creature of the first committee of the General Assembly. And as Duncan said, it deals with states and it deals with questions of international security.
So Canada's insisting within the GGE negotiations that we limit the discussion there to focus explicitly on those, on State behavior and on international security. And when I say international security, I mean international security is understood in the traditional diplomatic sense; that is, interstate conflict, the avoidance of interstate conflict. And I think it's really important to recognize that certainly on the part of Canada and others, we are being absolutely adamant that this is the limitation to the discussion that we are having in this space.
There have been proposals by some to move into other related questions or unrelated, in our view, questions. Things related to, for example, cybercrime, terrorist use of the Internet. Even Internet Governance. And we have adamantly opposed efforts to broaden that discussion because that is not the appropriate forum for those discussions. We do have other places, multistakeholder places, where these issues are being discussed. And as I say, from our perspective, what we want to focus on is something that I think is essential to the interests of sovereign states, and that is the questions related to state behavior with the goal of avoiding state conflict in this space.
So that, in very general terms, is where we're coming from this. And perhaps a bit of an explanation of where we come across on the approach with respect to states.
I would say, as well that there are exercises underway to be more transparent and more open about this process. We're here. We're talking about it here. There have been reports published. The reports themselves are available on the UN website. There have been a number of academic and other conferences devoted to the question. Many of these have participation from UNGGE states so as to allow for that dialogue between states and nonstate actors whether they be NGOs, academic or the private sector. So I would say that there is an effort certainly to make sure that there is a degree of transparency and openness about this. But I would add to what will happen in that space.
Sorry. I'm trying to look beyond the table at the same time.
We are bound, as governments, by the Westphalian model of sovereign states, with an international legal order which is based on the sovereign equality of states and that relationship. The UN is founded on those principles. The activities of the UN are based on those principles, and we are constrained to respect those principles in these negotiations.
There are states that absolutely insist on that. And if we are to have these discussions, then we are going to have to, in a sense, allow ourselves to be constrained by those. If not, these discussions wouldn't take place. I think that's a very bad outcome.
I'll stop there but I'm happy to answer any questions that anyone might have. Thanks.
>> Pablo: I will take them a little bit. I am looking at them. But this is from remote participation. How do we take this?
Perhaps, Irene, I would ask you to come with remarks, you have been on both sides, I would like to know how to bridge these with Internet Governance discussions, as well, if there's a chance at all in your opinion. Irene is researcher and communications officer with the citizen lab at the University of Toronto.
>> Irene: Thank you, Pablo and to Duncan for convening this really interesting panel. And to all of you for joining us this afternoon.
So as Pablo said, Irene, I work at the Citizen Lab at the University of Toronto. The Citizen Lab conducts research on cyber security and human rights such as the impact of censorship, filtering and surveillance, targeted digital attacks against civil society groups, and accountability, among other things. So I'm not sure if I can bridge the gap, but I will raise a few brief points and I look forward to continuing the discussions.
As you said, Pablo, earlier, that there are norms everywhere. But I would like to point out that there has been a lot of attention paid on good norms, and by that I mean norms that we would like to see as opposed to norms that exist or bad or threatening norms, at least from the point of view of the liberal democratic tradition. And these norms are spreading.
Therefore, I would like to highlight that it is important to study norms that are undemocratic, such as norms of unaccountability and practices such as Internet censorships and shutdowns and how they spread from one country to another.
And I think we also need to look at the different venues in which norms are being discussed and propagated. Not just global ones that the UN convene or the ITU but also regional ones like the Shanghai Cooperation Organisation, the SCO, and ASEAN, the Association of Southeast Asian Nations.
And the second point I'd like to make is that in our research on targeted threats against civil society groups, we find that civil society groups, especially those in the Global South, they face the same kind of cyber attacks that Fortune 500 companies and governments face, but they have less resources available to counter them. And we published this finding recently in a report called Communities at Risk: Targeted Digital Threats Against Civil Society, which is available online at targetedthreats.net. And therefore I think it's important that civil society are included in the discussions. So I end there for now. Thank you.
>> Pablo: I think two questions that were based in the chat of the remote participation platform: while focused on states, actors work through privately owned infrastructure. And any state actions spill over, for example, the YouTube case in Pakistan. Another question from Vladimir. He says well how about norms that apply to the private sector and the Internet industry which goes a bit into what you're saying. And what's the role of the IGF in all of these I think is an important question, as well, to be referred to.
The floor is open. But I would like sort of also this side of the room to contribute. Izumi, would you like to go ahead? Okay.
Izumi Okutani, she is policy officer of JPNIC, the Japan Network Information Center.
>> IZUMI: Hello, everyone. Very interesting to see the other side perspective because I'm more involved in what we call the technical community. And number resources in particular where many operators and stakeholders participate.
So I'd like to share an example of how we solve problems in a technical community just to highlight the difference on how things are done. I'm not necessarily saying that you should exactly do it in the same way for cybersecurity norms for like states, but I just want to highlight the difference. And I'd like to also list an example of the norms that existed in the operational communities.
And really agree with Alejandro's statement that a lot of the things that's being done in the technical community is very much based on grassroots, open collaboration. So when we actually face cybersecurity problems, like DDoS attacks, I'd like to share one example which highlights how we actually do it.
So a couple of years ago, there was an attack, DDoS attack based on NTP reflection attacks. It might sound a bit technical, but in any case, it was quite huge and getting a bit of attention in different parts of the world.
And then there was presentation made in the conference in the APNIC region. And it highlighted which countries have a lot of equipment that has vulnerabilities to those attacks. And then Japan was in like the top of the list. And a Japanese operator told this. They were so embarrassed that Japan was at the top of the list. They came back and we have this Japan network operators group. They updated this. And then operators started discussing how can we do, what can we actually go do together to help this problem?
And so what they have done is what are those things that operators can do together? And they actually put it up in a document as a guidance for the operators on what they can do. And as a result of that, the rate of the vulnerability in the NTP server from Japan drastically decreased. We couldn't make it totally to zero because there were areas where consumers had to address and there was limitation on what ISPs can do. So this is actually good example where multistakeholder collaboration could actually help. So this was actually what happened, an example of how we actually work in the operational communities.
I also want to state that we do have norms among the operators, as well. So we develop documents called best current practices documents in different fields. And there's actually one on the area of security called Mutually Agreed Norms for Routing Security. And this is developed in bottom‑up way and anyone is able to give input. The document is publicly available. It's very much conducted in open way.
What's common with the norms described earlier, it's voluntary, it's not compulsory. And it's written in a way that would encourage certain measures or behavior. So I think there's a commonality in there. But what might be different is like participation in developing it is open to anyone.
And I think it was interesting a point that Duncan made that maybe after cyber norms are developed between the states, the ways on how to operationalize it and maybe there's room for other people to participate in terms of operationalizing it.
And we actually collaborate with other stakeholders in the RIRs community as well, for example, in the area of increasing WHOIS accuracy. We're actually working together with the law enforcement agencies on how they can actually have more accurate information and identifying the holder of IP address, which to understand the source of attack or the victim so how we can work this together to increase public safety.
So this open discussion is going to happen in spring next year. So this will be actually a collaboration of law enforcement agencies with the operational communities and open and bottom‑up manner. So just highlighting some of the examples.
>> Pablo: I have Paul Wilson and Felix. Paul is Director General of APNIC and recent addition to the advisory board. And then you, is that okay?
>> Paul Wilson: Thank you, Pablo. I'm involved as a member of the advisory board because the GFC started as a pretty straight public private partnership. But I guess it was realized a little later that at least some part of the multistakeholder community was missing, civil society as they called that. But that happens to include the technical. I'm fine with that, actually.
But the thing is I do actually spend more of my time on the Internet Governance side of this table. I know Izumi Okutani very well. My interest is to be that in these discussions to be sure that the norms that are being talked about are being operational in consideration of the effects and the side effects that they may have. And that's something that can require multistakeholder approach. The thing is in the middle of these discussions about Internet governance and cyber norms, since the subject of those discussions and the target of those discussions is something of more concrete. It's the technical of the Internet we rely on. That's a baby we need to look out for and not throw out with the bath water, not only not throw out with the bath water but make sure it is maintained and grown and protected in order that it can do what we actually all expect it to do for us as its life goes on. Because many policy decisions can have consequences at this practical and operational level, so those decisions do need to be well considered particularly again in terms of the technical community in terms of these people being those who live with the day‑to‑day operation of the network. There's a lot of work that goes into making sure that Internet services are maintained and built and secured in a way that we all expect. But we actually take for granted.
So the whole situation of a need for expert input isn't unique to the Internet as an infrastructure. It's the same thing that exists in all sorts of other sectors. But I mention it here because this is what the IGF is all about. And even here I sort of see an assumption, as I said, that the Internet can be taken for granted that services kind of happen for free almost automatically off the shelf if you like.
So for me being here and having spent time and spending time both sides of the table, it's about capacity building to make sure that the people who are charged with the responsibility to maintain the structure to build it, to develop the standards, the technical community in general actually do have a say and have the ability to influence and to bring some experience to bear. As well at the same time to understand an information flow in the other direction so that we are also aware of expectations as they are emerging.
But the simple message is that the difference between a secure Internet and an insecure Internet has actually got more to do with the skills and capacities of the people who are running that and building that and maintaining it than almost anything else and that's human capacity. So that's why I'm actually very happy to be with the GFC because it is about capacity building actually. That's explicitly what its mission is, cooperatives with public, private and hopefully the other stakeholders, the civil society and technical community will be in the room eventually if not just yet. Thanks.
>> Pablo: Juan Fernandez from the government of Cuba.
>> I'm from the ministry of communication of Cuba. Cuba is one of the 25 countries currently on the GGE. And I'm not the expert but the expert is from my ministry and we're working, we created a work there. I'm working closely with him. And I am not at liberty to tell everything of the negotiation, but I am at liberty to tell you that Cuba is one of the countries that defends the linkage between the Internet Governance community and the process of the GGE. Mr.‑‑ just said that that view is not widely shared in the GGE, so it's premature to see how this will unfold. But and so I think it's a bit ambitious to begin this linkage by the norm because it's not even clear in the GGE the forms will be accepted or even the more how can I say? Benign confidence building measures that are being abled from the GGE that well have to wait to see how these unfold. But definitely what I could defend here is that definitely there's some linkage because the cyber Internet is the same space in a way. So I think that we should investigate, try to find the common ground where this relationship could be done. And I don't know the opinion of Mr. Walnut, but I think that would start to work is terminology. I think that the terminology that is one of the processes that is going on even within the GGE, I think that's a thing that could be done in a shared way with the IGF community because I think that to understand the terms, to have the same conceptions of terms, because there are many terms that we take for granted and are interpreted very differently by different countries. And I don't know if you're aware of this work by the EastWest Institute of Russia and United States. Interesting agreements in terminology. I think this should be shared.
Also to the Internet Governance community and help to try to create a common terminology it could be a contribution. Again, I would like to hear Mr.‑‑'s opinion on this. There are many other things as was mentioned by Irene that there are some other contributions on table by ‑‑ by the OCDE that are being advanced at different places. And it makes no harm for the IGF community to know about those processes and to begin not only to understand but to have an opinion surrounding that. Because in my personal opinion and now as personal opinion, I'm not one to anticipate anything on the GGE, I think that whatever comes out of the GGE in terms of confidence building measures and norms will not be very widely from those proposals already tabled by OCDE and Russia and the SCO.
So, I think that it's good that that could be the beginning and then see how things unfold.
>> Pablo: Thank you, Juan. We will need to press the accelerator. I have a few speakers on board. Matthew, Ania, Henry, Marilia, Duncan. We only have 20 minutes. So let's do it.
>> Matthew: Matthew, office of technology. This is really interesting because I think it exemplifies the problem that we face in this space on the one hand and I'm not meaning to insult anybody here but on the one hand we have part of the panel talking about Internet principles and on the other hand we have part talking about conflict and state on State conflict. And yet there doesn't seem to be very much that bridges between the two right now in this discussion.
So my question is: I would very much like to know from the GGE and also from the technical community: To what does the GGE and government representatives that are in the GGE actually look to the technical community for input, for advice?
And similarly I'd like to know from the technical community how much they reach out to those representatives who might be attending or participating in the GGE? And that's where the bridging should occur.
And the other point ‑‑ I'll be very quick. If you go back to 2002 and 2003 and read the UNGA resolution on the global culture for cybersecurity, you'll note that we haven't progressed very far when you compare those original texts to the GGE report from 2015. Thanks.
>> PABLO HINOJOSA: Anya from the ‑‑ project in India.
>> Anya: Thank you, Pablo. Though research based we are a civil society organisation and it is from that perspective that I wanted to make a few comments. I guess to provide a counter point and to broaden the discussion even further, I think.
I disagree with the premise. Contrary to most people around this table, I think. I don't think that cybersecurity and Internet Governance have been all that far apart. In fact earlier this year we commissioned a research study and I have a few copies here, looking at the intersection of cybersecurity and Internet Governance particularly in India's foreign policy. What we saw was that cybersecurity, and this is what we had expected also, had been the main driver of much of what the stances that India had taken in the Internet Governance arena. There are many historical reasons for that which are documented in the report. So for reasons of time, I won't go into them.
But what I did point to was that this debate is indeed part of a larger geopolitical context as Henry was pointing out.
What that means is that you cannot just isolate about cyber norms in the first committee. There are many related debates or at least several related debates playing out in several different venues in a core way and spilling over in many, many more venues. So while diplomatically it may seem as though they are being kept apart, from the perspective of people who are not in every single one of those rooms, they do not seem to be apart.
So let me give you examples. One of the big processes that we saw this debate re‑appear again and again was the process that was mentioned earlier, where in several venues, text was parked, issues were not allowed to be debated because of hangups around cybersecurity, so to say.
For people who are not in the rooms where those core debates took place, if you do not know the background, the first time you see in these meetings you say what the hell is going on here? But the influence of that debate was massive. So much so that the negotiations at some point looked as if the entire negotiated text might be held hostage to cybersecurity concerns. But luckily that was resolved.
Another example I guess from a different angle was the whole jurisdiction debate where I see law enforcement officers, people from intelligence agencies or mostly law enforcement discuss solutions on the ground mostly from western countries, not taking into account at all those broader geopolitical debates that are going on. And they do not sufficiently take into account often the cybersecurity concerns of Developing Countries.
The jurisdiction debate is not going to be resolved at the ground, either, if those concerns are brought into this debate. As civil society, we meet these again and again. But, for example, the WSIS review is now completed. The number of venues where I actually get to peep into how these debates are unfolding have been reduced massively. The number of opportunities I have to speak with diplomats have reduced massively. And so as a consequence, we have far less access to how these debates are going on. So to the point are we discussing this in the IGF? I'm grateful to Pablo and Duncan for this workshop. But I saw the agenda for IGF, I was worried how little concern there was about cybersecurity. For us I think it means even less information is available. Thanks.
>> PABLO HINOJOSA: We have Marilia, Henry and Duncan and one small comment by Camino Cabana who is the current rapporteur of the UNGGE. She is basically asking the question of whether the Internet Governance community can engage with governments in any productive way to specifically support implementation of the cybersecurity norms agreed in the different GGE reports?
And if not, why? And how does this community at the IGF think that these kind of engagements could be facilitated?
I think this is a very relevant question. And if we in the rounding up of this discussion can address that.
So Marilia, Henry, Duncan and Alex if time permits.
>> MARILIA: Thank you, Pablo. Just to quickly react to Anya's observation I think it's very right and maybe what we have been calling is bad sheets. We are touching each other, we are pulling each other but we are not speaking to each other. That is maybe where we identify the gaps. But there is no concrete wall separating us. So we are influencing each other all the time. And that is very true.
Just a quick question to UNGGE. I think we touched upon this a little bit but we did not dig deeper into that. If you can update on the state of discussions, it seems that there has been some outside the box proposals to create clearinghouse that evidence will be taken to. That will be interesting.
Just to quickly react to the first part of the debate and to what Alejandro mentioned, I think that it's unfair to say that engineers did not take security into consideration and disregarded it as a topic. My idea was that they did not have a security mindset, which is something different when they were confronted with different principles in order to preserve principles that were important, they chose, for example, to put security in the edges, which has intelligence on the edges which has security implications. So that was my point. And I think that in the edges we see how lack of hygiene in the edges creates a lot of problems for security in the everyday. And with regards to your question on where these issues will be discussed, I think that one of the fora that has been increasingly more and more open although not totally open to nongovernmental actors is the global conference on cyberspace. Last time we did have an opportunity to provide some inputs. Maybe we have criticism with regards to how the inputs were taken into account. But I think that we see some bridges there. So that could be a first starting point for us to really have the commitment to mobilize respective communities to have a session like this during the Forum, let's organise ourselves and get together and discuss.
>> PABLO HINOJOSA: Henry?
>> Henry: Just responding to comments involving private sector and technical community and how can we bridge this in general? I highlight this point because the current norm discussions focus on State because states actually have these capabilities to cause these significant cyber operations that would lead to escalation. So far, nonstate actors actually don't have these capabilities. So these decisions are by nature made by politicians, basically, or military high level officers. So that's why it hasn't been so inclusive. But as we are reaching the end of our discussion, I'd just like to present perhaps a positive observation.
If we look at the existing international law treaties, for example, UN charter, prohibition on use of force, I think it's fair to say that we see that states are actually showing restraint with regard to those very high‑level operations that would target, for example, critical infrastructure or cause somehow destruction or harm to people.
Also, on a very technical level, we haven't seen attacks that would actually harm people so far.
So the very, very basic international norms codified in those treaties are actually being followed.
And as far as ‑‑ as long as states have these capabilities, I would even say we're pretty okay. We will be stable. But if we will see nonstate actors getting those capabilities, then we will definitely have a different discussion in this context.
>> So I guess in terms of why the conversation needs to happen I think is stepping and looking at it from a research perspective it does seem there is obviously not a complete overlap but there is a overlap between the focus although there is debate about what the GGE should be doing and some the Internet Governance Forum should proceed after WSIS that these two processes may run parallel and cooperate. They may at some point reinforce each other and preserving open and secure and stable cyberspace. But there's also some risks that they might inadvertently or purposely conflict.
And so I think one of the points of these sorts of conversations is situational awareness, that just as I think the GGE should be aware of the knock‑on effects of some of the things that I think they are rightly concerned about, interstate conflict; but as we've heard, the question is what are the effects of the norms, not just the interstate conflict, but the rules we're trying to get states to follow on the technical community, on civil society, on others? And how will that iterate over time but I also think there is a strong possibility that what happens here at the IGF offers both some maybe some problems for how the GGE could work if there's some hostility perceived between the two communities. But as I heard the rapporteur Camino remotely suggest, there's also some potential. That there can be a cooperation where some of the IGF stakeholders might be able to help states operationalize the sorts of norms that they're looking to develop like not targeting critical infrastructure. Members of the IGF do a lot of monitoring. They do a lot of technical assistance. So not using CERTs for malicious activities not having CERTs be the target of malicious activities, these are the I think so this could participate and might be mutually constitutive way forward.
So although I think they come at it from very different perspectives and I think Henry's point a welcome one, that the GGE's effort right now is a difficult one. We usually regulate among states after bad things happen, right? The UN system is a product of World War II. The Geneva conventions are a product of World War II.
What the GGE is trying to do is we've had some problems but not at the global scale, the global shutdown, regional shutdowns of the Internet for sustained periods, hours not days and weeks and corruption of the protocols and the like. They are trying to do something significant. I do think it's a bit of publicity for what they're doing because it can be hard to make norms. Norms can come about by habit. You don't realise why you wear the clothes you wear, but as you step back and think about it you realise it. One of the situational awareness both for the IGF community and the GGE community to be more conscious of why they are trying to move forward and what's motivating them. So I'll stop there.
>> PABLO HINOJOSA: We are running out of time and I would like two things. One is to close this session by telling Juan and Mike, one key input from here they can take to the UNGGE. So I will leave 10 seconds to each to give that.
I have Alex and Mike word as well. So Alex I would ask that you finish your comment with that input to them. And then we do very quickly around the table with that question.
>> ALEJANDRO PISANTY: Thank you, Pablo. Very briefly. I believe before we sat here and now I believe of more strongly that we need to get to study these things together, work together. The GGE will do well in being informed about the perspectives from the Internet Governance side, what uncertainties it brings to state level decisions. That's a message for the GGE.
And I think that maybe Duncan, you and I and whoever else is at the table that's willing, we should start writing a skeleton paper on what the gaps are on how to bridge them or how to structure a collaboration that's more like layer than fine grain then with gears. But should definitely not go privately each to the other side. Next meeting we should have this gap much more narrow.
>> PABLO HINOJOSA: Mike?
>> MIKE: Thank you. I will respond to some of the questions that were directed to me.
On the question of terminology from my Cuban colleague ‑‑
>> PABLO HINOJOSA: Closer to the mic.
>> MIKE: Sorry. With respect to the question of terminology, that's obviously very different question. You look at the title of the group of governmental experts, it reflects a difference of opinion on what we're actually talking about. As some refer to information, security in the use of information, which raises the whole question of content. So that's a very hairy topic all by itself.
But that said, terminology is perhaps, at least not from our perspective, the highest we need to tackle.
Matthew was asking about technical expertise and consideration. We did that internally in your own systems. We developed our processes. But I would also point out that CSIS and unity held a series of conferences in advance of the most recent launch of the GGE, which included representation for private sector and the technical community and others, academia and others in order to get at some of those issues specifically.
The point about cyber security, I think the issue might be ‑‑ I don't know. But I think it might be a question of definitional.
As I say from our perspective, we're using a very traditional international understanding of international security, which is interstate conflict. And we're trying to be very careful, at least from our perspective, to stay in those domains so as to preserve space in other places to talk about those broader issues.
And also a little bit about attribution. Attribution is obviously a very important and difficult issue. Again, I'm kind of limited on what I can say in terms of the actual discussion at the table. But I can go so far as to say that it is certainly under active discussion. And I would point the fact to the previous report of the GGE which spoke a little about attribution and the problems associated with it.
I'll stop there.
>> PABLO HINOJOSA: Thank you, Mike. So 10 seconds each and we close with you, Juan. Anya?
>> ANYA: I think this is a great suggestion to have a session at the IGF on the GGE report next year. It reminds me of the WSIS session we had last year with formal input into official government process where everybody can contribute. It was still the governments who decided.
>> PABLO HINOJOSA: Izumi?
>> IZUMI: I totally agree. Start with more proactive information sharing and give room for others to make observations. And at the end the state makes the decision, but have room for others to comment.
>> PABLO HINOJOSA: Marilia?
>> MARILIA: I completely agree with the session in the IGF. However I know that it's very hard to bring the right security communities, the military people to the IGF for different reasons. So maybe we should also go to them. And I think that the meeting point is a global conference on cyber space and we have the global experts we should reach out and try to organise something. Thank you, Pablo, for the organisation of the session. It has been very good and important.
>> JUAN: To me the suggestion to look at operationalization of the norms was important, I think. But this shouldn't be done within the UNGGE, but the UNGGE should think on how to involve the technical community.
>> You may detect a theme. I think my take‑away for the GGE would be to think about what role the IGF and the IGF community do play in operationalizing the norms.
States will have norms that will guide their behavior, but they don't have to be state‑centric in operationalizing them entirely.
>> I like what Anya and Izumi said. I like having a session at IGF. And need to include civil society and ‑‑ thanks.
>> She has question also in terms of input to the GGE. That's simply that in the process of operationalizing norms and in analyzing developing possibly critiquing norms at different layers, the different multi stakeholders are absolutely willing and showing in a lot of different ways which we don't have time to go into that they are willing and are actually acting towards that, a very cooperative multistakeholder approach.
>> PABLO HINOJOSA: Juan, some seconds.
>> JUAN: Before my final message, I want to address the technical participation. I can tell you that I agree, that we agree. And by the way, the expert that we selected for the GGE actually is one of the heads of one of the Cuban CERTs, so he's a technical person that knows the issues. And we defend that linkage.
My final message is as I told before, Cuba defends the idea that there is some linkage between the Internet Governance community and issues and the cybersecurity there. The extent of those linkages and the way it could be operationalized it would have to be discussed and agreed along the time. Even as you know I'm also part of the Working Group on enhanced cooperation. And there also because I defended this in both sides, I am also telling to the Working Group on cooperation that there's a linkage towards cybersecurity. So I believe that that linkage exists. I don't know where to begin. I made the suggestion of terminology because I thought that was less controversial. I also said the confidence building measure because less controversial and those are definitely less controversial than norms. But it's in the hands of what can be done. But I firmly believe that that linkage exists.
>> PABLO HINOJOSA: With that I think we need to close the session and thank you very much to all that came here and happy to continue the dialogue in the next opportunity.
(end of session)