IGF 2019 – Day 0 – Raum III – High Level Internet Governance Exchange Panels on Security, Safety, Stability and Resilience

The following are the outputs of the real-time captioning taken during the Fourteenth Annual Meeting of the Internet Governance Forum (IGF) in Berlin, Germany, from 25 to 29 November 2019. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 



>> WOLFGANG KOPF: Okay. Let's get started. Good morning, everybody. I'm very pleased that with a slight delay, we are starting this distinguished panel. I think we only have half an hour, 40 minutes left. So the entire program will be squeezed.

My name is Wolfgang Kopf. I'm heading public and regulatory (?) Telecom. I'm really pleased to have such a distinguished panel. In order to speed up things, everybody who speaks introduces himself. Otherwise, we're losing too much time. The questions we are discussing here are twofold. The first question is: How should we deal with constantly upcoming new threats for the technical core of the Internet? That's all about IGF. And the second one is: What legal regulations and capacity‑building approaches do we need?

So it's about technology, and it's about international law and maybe also national law.

I know we have a variety of experts here who cover both. We will start with the Professor Waidner next to me. Sorry. We have no seating order.

And before he starts, let me give you just a few facts about cyber threats. We at Deutsche Telekom operate one of the biggest cybersecurity centers in Europe. They had us over there, employing almost 2,000 people. What we are doing there is constantly monitoring the attacks which are seen in the Internet. We use so‑called honeypots. That's a small device simulating to be a vulnerable device in our network. Of course, they're not; but we detect the attacks.

What is your estimate about a daily ‑‑ average day in terms of attacks? I'm not asking somebody. The average is currently about 50 million per day attacks on these devices. At peak. At peak, it's 100 million per day.

If you look at recent figures, the German Association of Digitized Companies just published some figures. Only in Germany, the damage from cybercrime is 100 billion euros per year. Three out of four companies in Germany have already experienced data theft, espionage, or other threats coming from cyber.

If you then look at the recent World Economic Forum report, their estimate is 6 trillion ‑‑ trillion dollars in 2021 of damage worldwide coming from cyber. So that gives us an idea how economically important this subject is.

But I leave it with that.

Professor Waidner, the floor is yours.

>> MICHAEL WAIDNER: Thank you very much. So what I would like to do ‑‑ what I'm going to do in the next few minutes is actually setting the stage for what are the threats for the infrastructure. To introduce myself quickly, I'm a professor for cybersecurity. At the same time, I'm heading the main cybersecurity for Germany's largest organization for applied research with, like, 28,000 employees. And I'm also heading the newly founded National Research Center for Applied Cybersecurity with some 500 researchers. So a lot of capacity for doing security research. And, actually, what I'm going to talk about is one of the main topics in this new center.

So what are the key challenges for security and safety and for stability and resilience? It's kind of a mini Mickey Mouse stick. If cybercrime (?) Espionage information which is targeting this information, of course, underneath are the Internet applications, and at the very bottom is the core Internet infrastructure, which is what I'm going to talk about.

Typically, attacks, hacks, are coming from all sides, but typically it exploits weaknesses, problems, they're at the bottom. What are these weaknesses? That's what you see on the left. These three, I'm going to talk about each three for a few minutes.

So the first one is establishing ownership over resources. This is actually something that everybody here is experiencing. If you want to do anything over the Internet, you want to know who is the other side, who is the other party. How can you identify them? On the Internet, most people would say, of course, that's the (?) Problem with all of this. It's a challenge.

There are methods to identify the other sides very reliably. If I want to get a certificate and do it very securely, there's extended validation, a lot of paperwork, very expensive, very slow. So nobody is using it. Everybody is using domain registration. I am saying, Hey. I'm Michael. You send me an email. If it receives me, then it was me. And the problem is this doesn't work. So there are attacks, and we can actually show that essentially all of the main PKIs in the Web in the Internet can be attacked and can be tricked into issuing bogus certificates.

The same is for PKI, for ownership and registries, and many other problems. So one problem is really establishing ownership over resources. There are solutions for this, I would have to say, but they have to be deployed, of course, and deployment is always a problem.

The second challenge is something like the eternal challenge in the Internet, secure routing and secure naming. One is mostly BGP. The other one is DNS. BGP prefix hijacking, so I send a message not for the correct route, but I reroute it somehow so that I, as an attacker, can intercept it. This is a well‑known problem. There are solutions to it. A PKI would play a big role in it, but, actually, we also checked this. We've done a lot of statistics and measurements in the Internet. It happens thousands of times. Prefix hijacking, rerouting, It's still an open problem.

Same for DNS. That's the naming system on the Internet. If you want to reach me, Michael.com, so to speak, someone has to tell you who that is. This is the domain system. We checked. Like 75% of all company networks are vulnerable against something called cache poisoning.

Again, together with forging certificates and with DNS, I can essentially redirect you to anywhere I want. So this is, again, an open problem. Again, there are solutions to it like DNS (?), like 10, 20 years old. We checked this as well, of course, with DNS (?) The problem is deploying cryptography. Configuring cryptography is still a big challenge. Many administrators get it wrong, and we found out two‑thirds of all DNS sec installations are still not providing any security.

The third challenge is availability performance and stability. You will see one example. Sorry for the German here, but we did a very simple experiment where we tried to measure a few things in the Internet. We did this by using some ‑‑ usually not used flex and TCP. The problem is routers didn't behave well. Instead of doing what they should do, many of them simply crashed, and people figured out that actually by just using standard protocols and doing something that's not so common, you can prevent an attack. So no need to have a bot tech; you just send messages, and that's it.

What it shows you is the Internet, this basic core infrastructure, is very fragile. We need to find ways to figure out what other devices are there, what is the software, what is the hardware that is used. And we have to find ways to deploy better solutions. Again, this is the third challenge.

So this was setting the stage, I told you. Research is providing many, many solutions. If you're interested in what we are doing ‑‑ so there is a mission (?) National research center in analytics (?) Cybersecurity headed by Dr. Schulman (phonetic) You can check it on the Internet, what we're doing there, but I think these three are the fundamental challenges, and the solutions are there. Deploying them is really difficult, time consuming. There's a lot of work to be done to be done.

With this, I hand it back to the moderator.

>> WOLFGANG KOPF: Thank you, very much, Professor Waidner. I think our next guest who will speak is the secretary general of the ITU. His theme will be around the framework, as I understand.

>> HOULIN ZHAO: Thank you, very much, Wolfgang.

Let me appreciate Deutsche Telekom, first. You know, People know that I was director of (?) Bureau (?) By ITU in 1998, and 1999 February, I started my office. And at that moment, I received Deutsche Telekom higher delegations led by your board members with technical guys to (?) In Geneva, we spent one day to talk about it. At that moment, of course, there are many operators in the world. I am very pleased to know that 20 years after that meeting, Deutsche Telekom is still very strong. Deutsche Telekom, they become even stronger. It's one of a few still remaining very active international carrier, not only a German carrier.

I would like to talk international framework. Of course, international telecommunication was created in 1865 by 20 European states. Among the 20 European states, there's a new Germany because Germany did not exist. We had seven German states. So if you talk about German membership, we have founding members from Germany. We worked from the very beginning to talk about the security. Telekom takes security very seriously. From telegraph network and telecommunications network, and telecommunications satellite, we are working very hard.

However, in 1998 we, realized that the telecom security cannot be discussed limited to the telecom (?) And we have to engage in a multistakeholder approach to engage many people. So ITU invited the United Nations to organize the World Summit on the Information Society. In 2003, first in Geneva (?) Then the IGF is one of the output of this process.

ITU was chosen to take care of facilitator rules on the cybersecurity. ITU has been working on this for years. Recently, we advanced work on the cybersecurity, particularly in the artificial intelligence areas and the cloud computings. We established some focus groups to look at this issue. Now, this is a technical issue, but, also, IT is working with our members to try to increase the knowledge about the cybersecurity and the capacity building of cybersecurity, and we have a lot of partnerships with many people. So I don't want to go into too much detail.

Over the last 10 years, we established a global cybersecurity agenda and led by a very famous expert from Norway, a lawyer. Then we developed this agenda. I was very pleased to know that at PP18, this global agenda was the first confirmed (?) That we could continue to use that output, these guidelines, to help us to strengthen our cooperation with our members.

I think that Ambassador Robert Strayer was there, the head of the American delegation. We appreciate very much his personal roles to support us with this kind of work.

And last but not least, when we talk about this new technology of 5G, I am very pleased to share with you the last four weeks we had our meeting in (?) And we talked about communication business. I was very honored to receive a letter from President Trump to facilitate our meeting and encourage ITU to continue to place (?) Rules for the spectrum.

Spectrum is absolutely important when we have the next technology of 5G. (?) We were very encouraged by President Trump's message at our conference. I was very pleased that we finished this conference Friday of last week. It was very successful. We have enough support to deploy 5G everywhere. We have also established some groups to talk about the security issues.

Also, in my message, I replied to President Trump that, you know, we encourage the United States to play its leading roles to this new technologies and also invite our U.S. experts to come to join ITU's activities to develop global standards for the security. So that serves the purpose to satisfy everybody, including our American friends and to meet the expectation of the end users for the security concerns because it's them who really help us to use cyberspace. We have to provide sufficient measures to increase their confidence to use cyberspace.

>> Wolfgang Kopf: Thank you very much.

Rob, there was a lot of themes already. Maybe you want to take over. Rob Strayer is the Deputy Assistant Secretary for cyber matters in the U.S., so well known to us Europeans. You're spending more time over here than in the U.S., I think.

>> ROB STRAYER: Almost. Thank you. Thank you, Wolfgang. Thanks for including me on your panel.

Secretary General Zhao, I want to congratulate you on completing that World (?) Communications Conference which has identified now more than 15 gigahertz for 5G spectrum, which is going to be so important to economic growth around the world and to see a harmonized use of that spectrum.

You know, this is a propitious time as we're just now passing the 50th anniversary of the creation of the Internet. In that time, the Internet has faced many challenges, and those challenges have been addressed by multistakeholder institutions that have grown up over that time. The organizations like the Internet Engineering Task Force; the IEEE; most recently ‑‑ or in the last 15 years, the IGF; also ICANN for the domain system. So we've seen these institutions develop to address challenges.

Now we're going to see, hopefully very soon, the next 3 billion people connected to the Internet, probably a trillion new devices connected through the Internet of Things in the next couple of decades, as well as every important sector of our economy becoming more digitized and, therefore, reliant on the Internet and secure connections.

That means we need to continue to strengthen and revitalize these important stakeholder institutions to address those very significant challenges of the future.

As we do so, we need to keep in mind what has made it successful so far, and that is having a very successful innovation base in a set of policies that have allowed innovation to bring us so much positive development, improve people's standards of living, and connect people around the world. That innovation has been allowed to happen because we've taken light touch set of regulation using flexible and efficient regulatory postures so that we're not stifling future innovation.

In the United States, our vision is to have an open, interoperable, reliable, and secure Internet for future generations. In part, to do so it's important to make sure we have the trust of the public and businesses and avoiding some of these issues related to cyber intrusions and cyber vulnerabilities of the systems. I think it's important that we advance a framework of responsible State behavior for the action of Nation States so that Nation States do not undertake malicious behavior in cyberspace. We, along with a number of other nations through the U.N., and actually endorsed by the U.N. general assembly, have supported a framework of responsible State behavior that includes recognizing that international law applies in cyberspace just as it does in the real world, and there are certain norms of responsible State behavior in cyberspace, and those include that a nation should not attack another nation's critical infrastructure that is providing services to the public.

We saw, on the sidelines this last September of the U.N. high‑level week, 28 countries come together to say that we support this framework of responsible State behavior and that states that act inconsistent with it and contrary to it should be held accountable and to further that accountability to, at times, impose consequences for states that act in malicious ways.

You know, I think it's also important ‑‑ one last point to really bring home here ‑‑ we need to address all these technical vulnerabilities between border gateway protocol compromises to DNS poisoning. But, fundamentally, because we're in a software‑based system, any software can be updated instantaneously to push forward new vulnerabilities and new compromises to systems. Therefore, we really need to have a trust relationship with the vendors for our most critical technologies.

In the case of something like 5G, the fifth generation wireless technology that will support artificial intelligence and all types of critical infrastructure, including the distribution of electricity, we must have the highest standard of trust with those vendors. So the United States is encouraging countries around the world to adopt trust frameworks that include looking at whether the company is headquartered in a country where it has to comply with the rule of law and has an independent judiciary in place to make sure it adheres to our most fundamental human rights, including protection of free speech and freedom of association.

A vendor that is not in a system where it complies with the rule of law and there's an independent judiciary to vindicate those rights is one that we cannot trust with our most precious data that will be generated on 5G systems.

So with that, thank you.

>> WOLFGANG KOPF: Thank you, Robert.

Well, what is the view of the smaller state? I think Minister Salazar is well placed to give us some insights. You have a background in engineering, so you're talking not only politics, you're also able to comment on the details. Please go ahead.

>> LUIS SALAZAR: Thank you, very much. My name is Luis. I am the Minister of Science, Technology, and Telecommunications of Costa Rica.

It's very important when we talk about cybersecurity because we are talking about people. We're talking about children. We're talking about all the people that live in vulnerable areas. So my message is that we want to improve all that we are doing under two concepts: The federal, gender equality, and protect the child.

So we're trying to do it from multiculture to cybersecurity for computer science, coordinate at a national level and international level, that this is very important to work together. That's to improve the cyber and computer security and support administrative and judicial authorities in the (?) Case for the prosecution of perpetrator of cybersecurity and computer crimes.

We're talking that we live in a global world, and everybody each day have more connected devices. We have to manage public policies. We are talking about innovation. We are talking about how can we make more (?) Access to the Internet. However, the most important thing is not to talk about the technical skills. I know that all the technical skills. I am an engineer. But the most important thing is to talk about the benefits of the (?) Of the people. The center of all the discussion must be the people.

If we don't work having the people in the center, we will have big and strange solution for technical risk. However, we won't take the benefit for all. And this is the reason that I am here. When we work together. We need to be capable to cooperate between the countries.

Sometimes we're trying to define our national strategies, but this national strategy depends of our ideology. However that we think to do is try to endorse to strengths all the breach along the different country in order to work together. So I think that if we fight in order to increase the capacities of the vulnerable people, we are going to move on, and we're going to get more benefit of all of these challenge that we are facing.

Thank you.

>> WOLFGANG KOPF: Thank you very much.

I am now pleased to introduce Michael Bolle. He's the member of the management part of Bosch, the company which is increasing the software company, and he's the CIO and CTO of Bosch.

>> MICHAEL BOLLE: Yeah. Thank you very much. My name is Michael Bolle. I'm the chief digital officer and chief technology officer of Bosch. There's a big reason behind that. We're a strong player in the Internet of Things, and, actually, the Internet of Things is a combination of the things world and the virtual world, the digital world. Therefore, we have both worlds in one person.

I would like to level it a little bit on the role and the importance of trust in the Internet of Things. At our initiative representatives of leading international associations like the IEEE, like Digital Europe, XE, Eclipse Foundation, Trustable Technology, Platform Industry (?), the Industrial Internet Consortium, and the Trusted IoT Alliance met for the first Digital Trust Forum in Berlin in May this year. The main focus of this gathering was to answer the question: How to build safe trust in digital systems.

In order to understand this, we all know that the global IoT market is significantly growing. So we see 250 billion U.S. dollars revenues already in next year. This is a growth of 35% year over year.

We cannot accept a situation in this world, in this development status, that the overwhelming reaction in the public space is mistrust and fear. In order to fight this common notion, we have to find, also, technology and governance solutions for that.

Therefore, we established the Digital Trust Forum as a global initiative with a focus in enabling trusted digital solutions for connected intelligent physical products utilizing AI and the Internet of Things, and, therefore, we talk about the AIoT. And the Digital Trust Forum is also inspired by the European initiatives on AI and trust.

And we firmly believe this is the ideal time to establish such a format because the need for well‑defined responsibilities and governance as a foundation for trust in the AIoT is obvious. And a key question addressed by the Digital Trust Forum is: How to enable trust in the AIoT by defining quality parameters, monitoring compliance, and, therefore, formalized AIoT, trust policies will be at the heart of operationalizing this managed by a trust policy management system.

The idea is that by formalizing trust policies for AIoT systems, trustworthiness can be established because all policies are made transparent. The system can exist the current valid policy definitions remotely in realtime and use the data to control performance. The system behavior from a trustworthiness perspective can be locked and published, and trust can be efficiently enforced by managing system exceptions and escalations. Together, with our strong partners, our company has set out to strengthen the confidence and the possibilities in the future.

However, we know that we not only need policy makers as partners, we also want to support them with concrete proposals from an industry perspective. The Digital Trust Forum will aim to define holistic policy framework to address all key aspects of digital trust in AIoT‑based solutions. This framework will include a set of AIoT trust policies, a data screen to manage instances of policy trust definitions, and a catalog of reference, definitions for IoT trust policies based on set schema.

We look forward to discussing these and other questions during the upcoming next Bosch connected world in Berlin in February 2020 where we'll continue our discussions in the Digital Trust Forum. I would like to cordially invite you to this event as well.

Thank you.

>> WOLFGANG KOPF: Thank you very much.

Let me turn to my left now. You were with a think tank. I think you did a lot of research in earlier times on rights and copyright, but you're now deep into these subjects. You're from ‑‑

>> POLINA MALAJA: Thank you. Yes. I'm Polina. I'm a policy advisor with CENTR, which is the association by and for European countries (?) Domain registries, such as .de for Germany, for example, or EU for European Union. Yes, thank you for this opportunity to be on this panel.

So I represent technical community. When we speak about cybersecurity, we need to make an important distinction. So, first, there's crime committed online, facilitated by the Internet; and, second, there's criminal activity that is aimed at disrupting infrastructure, including domain name system.

(?) And domain registries, and CCLDs for short, are technical operators over cornerstone of the Internet infrastructure that is the domain name system. And, as technical operators, they cannot assess whether any crime has or has not been conducted online. The investigation and prosecution of any illegal activity on the Internet should be left for competent public authorities. However within their technical capacity and expertise, CCLDs are actively taking measure to tackle mere technical security threats.

So, for example, Botnets, phishing, farming, or malware distribution. These security threats are targeted at abusing technical Internet infrastructure. This is where CCLDs have the necessary expertise and capacity to respond while still actively cooperating with public authorities and within the limits of the local legal frameworks.

Furthermore, CCLDs are continuously working on making sure that the zones are reliable, stable, and secure. For example, in the last three years, investments into security amongst European CCLDs have increased an additional 30%. So this is by adopting relevant standards, performing regular audits, and increasing their in‑house security expertise.

So when it comes to a global resource like the Internet and the cybersecurity threats within all stakeholders within the Internet ecosystem have shared responsibility. So it's governments, technical actors, private sector, and, to some extent, even users. That doesn't mean that, oh, these responsibilities are shared equally or identically. Each of those actors can act within their own, whether it's technical, legal, or societal.

Consequently, when it comes to the technical core and the cybersecurity threats within, these need to be addressed by increased collaboration and information sharing between partners. So, for example, responsible disclosure policies of shared vulnerabilities, sharing best practices and the information on security threats and working together on global standards within the technical forum.

Last but not least, I think the importance of education, should not be underestimated. There's often some extent as a part of social engineering involved behind at what at first glance seems to be a technical cyber threat. So it continues training of staff, raising public awareness, and educating local Internet communities is a necessary building block to make sure that there's greater security online.

Thank you.

>> WOLFGANG KOPF: Thank you very much. That was a very good overview of the entire program.

Let's go to standards. We heard more about standards in different remarks. Mina Hanna is the IEEE representative, and he knows best about standards in this circle, I think.

>> MINA HANNA: Thank you very much for the kind invitation. Very honored to be here on this panel with my very esteemed speakers. I really appreciate the kind mention of the IEEE by Bolle and Secretary Strayer.

I will probably say, first, the introduction. My name is Mina Hanna. I am the chair of policy of the IEEE global initiative on ethics of AI systems committee. I'm also the chair of the IEEE USA artificial intelligence and autonomous systems policy committee. The IEEE, of course, had, you know, as you may have heard, whether IGF and other organizations like ICANN, had a very important role in defining or creating the infrastructure that enabled the Internet. The Internet is built on technology that a lot of it was the result of investments of ‑‑ you know, large investments of government ‑‑ like the U.S. government, for example. The Internet ‑‑ the prior version of it was ARPANET that was a creation of the Department of Defense. On top of it, there were a lot of protocols that were invented to create the commerce and sharing of data, and so on and so forth, like the TCP‑IP, Wi‑Fi standards that IEEE had created, the 802.11 and all of its varieties from A to ‑‑ I don't know how many letters we have now.

But those standards, on top of that, too, you know, the entire infrastructure is not just technology. It's conventions. It's diplomacy. It's agreements. It's a lot of multistakeholder efforts to govern what is exchanged on the Internet, and so on and so forth.

Now, in the global initiative, we have noted and that was driven by the fast progress and development of artificial intelligence. And autonomous, which without too much guessing, you can conclude that the pervasiveness of many of these technologies and how they are, so the ubiquitous in our lives, and the AIoT, enabled a lot of ‑‑ or will enable now and more in the future, we'll see the increasing growth of more vulnerabilities, for example. Cybersecurity vulnerabilities will create a larger sphere for, you know, cyber vulnerabilities that would be quite a bit of threat to what we have built over the past 20‑plus years, you know, and resilient and safe and secure global supply chains, for example, which makes that a very ‑‑ you know, kind of a big threat to global economies and the free flow of data, free flow of commerce, and the free flow of Internet.

So with that in mind, the global initiative is working on developing standards and certification processes to certify the due diligence processes, for example, how companies work with each other. The aim with that is to increase the transparency, accountability, and trustworthiness of AI and essentially IoT in general.

And, you know, the global initiative has been ‑‑ you know, we have invested heavily in the global initiative to build that very large community. The community now is engaging with a lot of governments. We are, of course, here today at the IGF. IEEE USA, for example, advises policy makers in the U.S. on AI policy, Internet policy, cybersecurity policy, and so on. The global initiative, through it, we have engaged a lot with the OCD, the high‑level expert group in Europe, and we were one of the first organizations that published principles for trustworthy AI and so on.

Now, I would say that this is my personal worry. What I'm most concerned about is what we might see in terms of balkanization of technology in the future. It seems that we have ‑‑ you know, I don't know if you really want to call it. It's kind of a catch word, but like the AI race and so on. We're seeing there are some different schools of thoughts on what are the values that should govern the Internet and govern what we do with AI tools and autonomous decision‑making systems that have implications. We're going to talk about much about that during the next four days on human rights and civil rights and so on.

Now, if I were to pick on something that Mr. Kaiser (phonetic) had said in his ‑‑ the CEO and chairman of Siemens ‑‑ that he has said in his opening keynote. He said, Now is the time we define the rules ‑‑ and I know he meant standards and other things, of course. The multistakeholder dialogue that raises the awareness of all the communities that have to be involved in order to weigh in on the values that they understand are critical and important. That, of course, is the role of the speakers here, everybody who is in IGF essentially. The critical role for diplomacy, signing conventions, and having more and more engagements and dialogues.

We look forward to staying involved in that. Reach out to us. Work with us. We have a lot of collaborators, and we continue that collaboration hopefully to solve that problem and challenge.

Thank you very much.

>> WOLFGANG KOPF: Well, thank you very much.

Finally, we have Eran Brown. He's a data center architect. So he knows best how to really protect our data. And we're coming back to the technical level, I suppose.

>> ERAN BROWN: I'm going to stay on the policy level and steer away from technology. My name is Eran Brown. I'm the CTO for a company named Infinidat.

Two points you mentioned throughout the panel that I want to tie into. Number one, you mentioned $6 trillion in investment and damages expected from cybersecurity. So we're spending a lot of money, and we'll still be accumulating a lot of damage. Under GDPR and NYDFS, and various standards and regulations, we call on enterprises, corporations, to protect the PII, personal identifiable information, of the data subjects. That's important.

However, I feel we're lacking in encouraging companies to protect their own data. If a lot of that cyber damage comes from intellectual property theft and a lot of that theft is through social engineering, through the human element, we have to devise our systems to design for failure. That means we have to encourage corporations to not only encrypt data that will get them a fine of up to 4% of their turnover, but also to encourage them to encrypt the data that may cause them to go bankrupt because somebody else, a company in another country, stole their intellectual property and can now compete with them without the cost of R&D to get there.

Point number one is we have to start looking at what data needs encryption beyond just personally identifiable information. What critical infrastructures or critical technologies will be potentially stolen from companies. We see data breaches at the orders of hundreds per year. And that number keeps going up and up. It's a human element.

So, number one, let's encrypt more data to protect our intellectual property.

Number two is the human element of that. And here I could not have a higher agreement with Polina who said we have to have education. In Israel, they ran a study. 94% of all images and videos shared by pedophiles comes from jeopardized mobile devices. That's a terrible number because we don't have digital hygiene, because we don't teach kids how to protect themselves online.

A couple of years ago, as part of a volunteering project I do, I started working with about 20‑year‑olds to make them more aware of what is being done with their data online. It takes quite a few minutes at the beginning of this training to get them to understand that, for example, for a company like Facebook, they are the product. Their data is getting sold. They're using these tools for years. They were kind of born into the digital revolution, and they have no idea what's happening behind it. They have no idea how to protect their accounts from password theft, for example.

We are missing one element that is completely not technology. It's education. How do we build educational programs that will make the end user and the enterprise more resilient to phishing and that will make the next generation, our kids, our grandkids, more resilient to social engineering.

We're seeing cases of bank money theft, social accounts being locked out by hackers. A lot of our lives are not digital. We have to start thinking about educating younger generations on how to protect them. That will also have a great side effect of having better educated employees in the enterprise and commercial sector. In this context, I treat it as a great side effect. 94% of pedophilia online comes from jeopardized devices. That alone should trigger action from our side.

Thank you.

>> WOLFGANG KOPF: Thank you very much. I think that was another extremely important aspect, the human factor. We are always overlooking it when it comes to these technologies.

Given the time pressure, I'm not asking questions, but I open the floor for one or two questions to the audience. So who likes to pose a question to our distinguished panel?

Please. Do we have a mic there? Yes, we do. Just wait. Maybe you could introduce yourself briefly.

>> AUDIENCE MEMBER: My name is Walter (?) I run a pilot project on the Internet standards and the deployment of Internet standards and the lack of deployment. I've got one question. If we all agree something needs to happen, how do we get these standards or education that gets it rolling? How do we deal with the bad actors that will never comply with what we agree with? Two questions: How do we go forward from here as an action plan? How do we deal with the bad actors? Thank you.

>> WOLFGANG KOPF: Who likes? Please?

>> HOULIN ZHAO: I think the first question is very clear. I think we need global standards. We, ITU, work together with IEEE and others for Internet standards, and we support a global accountability. In ITU, we also take care of the intellectual property protections. (?) I think definitely we have already some observations that when we see some market failure, that they don't respect the global standards or something like that. Then we know that this kind of commercial could be sometimes picked up by our sister organization like WTU and (?) We would like to encourage to have global standards for global services. We work with industries, for example, in IEEE, IETF, Qualcomm, they all come to ITU to address the concerns of global standards.

We try to make additional or stronger force to encourage them to continue to work on the global standards for the benefit of users.

Thank you.

>> WOLFGANG KOPF: Thank you. I think Bolle ‑‑

>> MICHAEL BOLLE: So I have one comment to your question. I think if we look at the various standardization efforts which are done in the various groups which are sitting here on the panel or which have been present also in our Digital Trust Forum, it's clear that there needs to be a stronger correlation between the activities in order to make them really tangible and more successful at the end.

For example, if you think about the various activities which my colleague already mentioned and the impacts of artificial intelligence, also to cybersecurity and the other aspects, I think we need a global view and an aligned policy making behind those things. So what is done, for example, in the IEEE about ethics of AI, what is done in Europe has to be coordinated to a certain extent so we have a common view on the basic principles. This holds for the other aspects as well.

Therefore, we think from an industry perspective, we think we need to create some kind of forums and exchange formats in order to bring those various standardization experts together and drive forward more holistic approaches to that. And the other aspect I would like to mention is that clearly industry has to take a more active role in this standardization activity as well.

>> WOLFGANG KOPF: Well, thank you very much. I'm already reminded that we're eating up too much time. So I have to close that panel. I'm sorry.

Let's give a hand to these distinguished panelists.

( Applause )

>> WOLFGANG KOPF: I think we covered very comprehensive set of themes, so I'm not summarizing this. I wish you a very successful IGF.

Thank you.


Second Panel


>> STEFANIE KEMP: Thank you very much. A warm welcome to the next breakout session. We're talking about transaction and trust. I know we are the last stop before having lunch. Thank you very much for having, also, a very interesting fellows on the panelist.

My name is Stefanie Kemp. I am a non‑exec on the advisory board for the (?) Association Internet Economy in Germany. I have the pleasure to moderate a very interesting session, and we would like to have a little bit more on‑the‑fly exchange because one of my colleagues here on stage, Mr. Engel is not joining us. That's the reason we don't have someone really gives us input. I would like to do a brief framing on our session. So we are talking about that cybercrime is increasing. And our problem here today is do we really find rules or would we like to have policies ‑‑ standard policies in place and what does it mean from the various angles.

So I'm very pleased that I have Elijus Civilis here today, a deputy minister digitization from Lithuania. Thank you. Unexpected, Mark is again here. Mark is representing the insurance company, Ergo. That's my understanding. The next one is Maximilian Tayenthal. Maximilian, thank you. Then I have Gertrude Levine on stage. Gertrude will give us a bit more overview of best practices here today. Then I have Thomas Rosteck on stage. And I have Christian Mere (phonetic) here. And, finally, today on the fly, I had the change of Mr. Xiaoxia from China.

From the panel, we decided everyone will have a short introduction of himself or herself. Just give me a small frame of what is your touchpoint to this topic.

I would like to start here on my left side.

>> Surprising to come here. It's my first time to be at IGF. I come from the university service kind of research on the cybersecurity things. My background is information (?) International relations. I would like to talk about the background and the framework international series.

(?) We're talking about mechanisms a lot. These kinds of (?) Malfunctions, it's to regulate the different actors' behaviors to make their behaviors more predictable and more stable and finally lead to a consistent, stable cooperations among different actors.

The second, I think such kind of (?) Of course, is very important to the cyberspace, especially in today's world.

In today's world, just like Professor mentioned, these ICT revolutions happen in an environment which we don't have enough trust. (?) Actors, which mean the State actors. Simultaneously, it's very interesting to find out the development of ICT in the cyberspace depend heavily on whether these actors can have enough trust and cooperation with each other. So it's very interesting thing. On one side, these actors compete. They compete to have more influence, to enjoy more advantages.

On the other side, the actors' behaviors must limit certain margins, which means during these competitions, you should not completely destroy all the cyberspace. If you unilaterally enjoy these advantages too much, you destroy the basic trust. No global cyberspace and (?) There's no Internet. It's very interesting games. During these procedures, (?) Are very important (?) Such important characteristics.

First, (?) Second, systematic (?) Balanced. It should be important to notice, last but not least, these kind of (?) Should only serve this minority on unilateral actors' profits. It must meet the benefits for the actors as much as possible.

Thank you very much.

>> Stefanie Kemp: Thank you.

Christian, from Reporters Without Borders, may I can just ask a question on what are the relevant cyber breaches you see today?


>> STEFANIE KEMP: What are the relevant cyber breaches you see today?

>> CHRISTIAN: I mean, relevant type of breaches, I see, first of all, the quite overarching thing that we ‑‑ from Reporters Without Borders, we're a human rights organization, defending the human right to freedom of information, but the whole environment has been changing in the last year. We have a discussion on trust and distrust into media. So this is actually the fundamental layer for press freedom.

And for us, this is really a breach that we have all over the world, discussions of trust into media. The aim which we, as reporters without borders, currently are facing is that we're thinking about how to create trust signals in the information and communication global space. That's why we developed ‑‑ we initiated, actually, a bit of IGF‑style multistakeholder approach, so‑called journalism trust initiative, which is actually a European standard, which the idea is ‑‑ in the end, it should be a trusted third‑party mechanism to incentivize media outlets that respected journalistic methods can be prioritized by an algorithmic authorization.

In the last year, we had a discussion with several stakeholders. Facebook, Google participated in the project, and they registered for it. Multistakeholder approach with media, with associations, Facebook, Google, which is important. We aim that this prioritization in the algorithmic organization in the end will lead to some more trust if people can identify better some ethics and principles. But what is important, we don't have the aim to judge any content. It's just about ethics and principles because we, as a human rights organization, we are not defending any content. So the question of trust is, for us, a ‑‑ the growing distrust, actually, is a major breach.

>> Stefanie Kemp: Thank you, very much.

I would like to go to Elijus.

Elijus, when we had a very easy chat before ‑‑ I really like your question. Do you feel secure in the Internet?

>> ELIJUS CIVILIS: Well, I think this is a relevant question for all of us. Me, personally, I feel secure; but if I think of my main stakeholders, like my grandmother or my mother or my kids, I don't think they feel very much secure. This is because of this mystification about this cybersecurity, cybercrime, and everybody is talking about the digital skills.

So the problem is that, on one hand, we're in the government. We're focused very much on the digital‑enabled services. So in Lithuania, we have 86% of all the citizens and 90‑something percent of all the enterprises that engage the government through digital channels only. So in other words, everybody is talking to us digitally, but not everybody is having enough understanding of what is happening in the digital space. In the government, in the past, we were so much focused on the digital skills. What it means is basically training my grandma to do programming. But it's not about programming, right? It's about how do we understand the identities in the digital space, how we understand the ethics, how we understand, you know, the rights on the digital space. So I think the digital intelligence is what we are really aiming at. If we increase that with society, then, I think, we need to get a lot of those crimes as well.

>> Stefanie Kemp: Thank you.

So, Maximilian, just to my right, the founder and CFO of N26, what are you doing?

>> MAXIMILIAN TAYENTHAL: N26 is a (?) Start‑up based in Berlin. We found the company in 2013. Today, I think we employ about 1,500 people. The idea behind N26 has always been to build (?) European bank. We're the only ones today based on a (?) Platform and one banking license onboard customers all over Europe. We want to build the first global retail bank. We just launched in the U.S. from New York with other markets to follow.

So the product is providing a digital first bank account. So we're providing a product for millennials that like to do things on the smartphone. There's a massive shift in user behavior from offline to online to mobile.

In our world, people used to go to the bank branch and then they did banking on the browser. Now they do banking on the smartphone. We realized that no bank throughout the world is really providing a great product, a great user experience for people that like to do things online and on the smartphones. That's kind of the niche we're tapping into. I think we have 4.5 million customers today, and we're the fastest‑growing bank in Europe.

>> Stefanie Kemp: My understanding here is that if you're working in an online banking, it doesn't mean there's specific challenges, how to prevent cyber or internal breaches, from your point of view, to establish and provide a secure business?

>> MAXIMILIAN TAYENTHAL: Absolutely. Like, we obviously, in a business ‑‑ and today we are no different to other banks where we're dealing with the most private data of the customer, and we're dealing with the customer's money. So security, keeping this data private and keeping the money safe is an interesting part of the business. If you lose data, if you lose money, you can just go home and do something else.

I think also in terms of ‑‑ there was a lot of thought about that at N26. We're not advertising with security because I think, one, it's not a place where you can differentiate yourselves from other banks. Traditionally, with banks, there's no way to claim that money at a traditional bank is more safe than at N26. Obviously, like, for customer, trust is a very important part of the metric, and how do you generate trust. This is around service. It's about predictability, but it's also about safety and security. What we're doing at N26, we're basically maintaining the standards of modern technology companies.

(End of scheduled captioning)