The following are the outputs of the real-time captioning taken during the Fourteenth Annual Meeting of the Internet Governance Forum (IGF) in Berlin, Germany, from 25 to 29 November 2019. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record.
***
>> MODERATOR: Good afternoon. I'm Markus Kummer. I'm the co‑facilitator of this session Best Practice Forum, cybersecurity. With Ben Wallis, sitting next to me, who will be the rapporteur for this session.
Let me start by reminding you where we come from. The sharing of best practices. This is an idea of the IGF. They're here not to negotiate, but to exchange information and share best practices.
It was only in 2014 we made a step forward by having more instructed Best Practice Forums and the forums produce an output. There is a paper at the end of the session. It is a process. It is more than just this session. This session here is the culmination of the process. The Best Practice Forum on cybersecurity has followed two Best Practice Forums, one on unsolicited communication, spam, and the other one on C serts, after two years, we thought they had done their job. There is still a lot of work to be done in the area. It is a merger of the Best Practice Forums that we have now been going for a number of years. And this year, in the sense, is quite special. I think it falls very timely in our work. You will recall, we were in Paris last year, there was the Paris Call. Then the Best Practice Forum session in Paris. It was felt we have to look at it, but it was clear we don't develop new principles. We took the approach of looking at implementation of principles. With that, I hand over to the guy who has actually led the work.
The lead expert and done most of the heavy lifting. He will Chair the session. However to you Maarten, please.
>> MODERATOR: Thank you, Ben Wallis for the co‑convener of the Best Practices Forum. To kick this off, I will do something unusual for the IGF. I will start off with a few slides. If you can get those on the screen. Thank you. What I want to do is give you a bit of context behind the best practices forum over the last few years. The best practice s forum started with two groups. One on response teams and the other in unsolicited communications.
In 2016, both of the groups merged into what is today Best Practices Forum on Cybersecurity. And over time, we have addressed a number of different concepts over the years. The first one is that we looked at roles and responsibilities within cybersecurity.
So what do particular stakeholder groups do and how do they work together? We investigated cooperation problems. What are the challenges for security teams to cooperate with other stakeholder groups. We look at how to support sustainability goals and looked at a document that contained policy best practices for implementing cybersecurity best policies.
We took a look that year in 2017, at what it would mean in bringing the next billion users online in a secure manner. Finally, last year, in 2018, we laid the foundation for what the work of this year looked like. That was to investigate what the concepts of culture, norms and values meant for cybersecurity. We took a really very wide multistakeholder look at spaces for norms development. We looked at individual organizations that were proposing, identifying, cascading norms and how they worked. This year, we took a slightly deeper look at that. We started identifying what best practices exist regarding operationalization of cyber norms.
The idea was we took agreements assigned in stakeholder groups and analyzed what we could learn from that, that would be valuable to learn in the wider community of Internet governance. We took the approach that in March we started scoping agreements signed within stakeholder groups and between stakeholder groups and started to identify commonalities and collecting best practices from the agreements.
One thing I want to flag, as with any best practice s forum, this group is driven by the contributions of many of the people in room. And many of those that contributed to the mailing list over the last year. We really value that input.
June and July we did background research, we took selection of 19 agreements and worked what were horizontal components, definitions, foundational principles that were shared. Finally, key elements that the agreements covered. By July, we published a research paper that talked in a little bit more detail on each of the agreements and what we learned from them. And just as a bit of background, the 19 agreements we reviewed, we roughly put them into agreements that exist within a stakeholder group and also agreements that are actually signed by multiple different stakeholder groups. That was challenging.
Even an agreement developed and signed by one stakeholder group might be compiled with multistakeholder. With the agreement being single or multistakeholder doesn't always work. What was interesting is that we did see a larger number of agreements within a particular stakeholder group than there are agreements that are actually purely multistakeholder. Those there does seem to be a trend towards more and more of the latter arising.
Each of the 19 agreements we reviewed for a couple of key elements. We evaluated what are those agreements further to multistakeholderism as a concept? What do they have a reference to the equal process. If they included reflection on responsible coordinated disclosure. How they related to international law. Whether they were actually international legal components or if they much instead documentation that may have acknowledged the value of international law or in a way implemented it. We looked up the definitions that they entailed. Did they describe what a cyber threat was or cyber attack? We looked at capacity building or if that was a value in the agreement. Whether they specified specific confidence building measures or human rights or restrictions.
Based on that lens on the agreement, we tried to deepen the understanding of each of the agreements and publish that in the research paper published in July. We in August and November did call for contributions, to ask for input on the work done which and get more best practice s that more individuals had signed up for the agreement implemented. We received quite a few responses from organizations that driven the agreement or contributed. This is work that we're now taking into the final paper as we work towards publishing it in December 2019. A few weeks.
We have specific occupies planned from the session as well. The goal for today is have a solid discussion with the expert panel and all of you about cyber norms and how to move from identifying a norm to operationalizing one. That information will make its way back into a paper and there is a few places we plan to share the learnings, one is the open‑ended Working Group in the intersessional meeting next week.
For today, there a couple of key topics, I will introduce them before we head into the panel. First is norms operationalizing. We'll look at what is the role of norms? What do our panelists think is the balance between the fact that a norm can often just be observed? Because many people agree. Versus whether a norm actually needs to be implemented. Does there need to be work that happens to cascade that norm further into the international system or between stakeholders. We'll have a look at what are effective efforts to actually operationalize a norm. I will ask all panelists to share examples on what they have seen work. We will look at the road ahead. What are the things that don't exist today that we need to build. What are some of the challenges we see as some of the norms are being worked on in the international system.
Finally, we'll briefly talk about assessment. How do we actually know that the norms are working? When we don't know when they're working? Is there anything we need to do to improve that status?
Now I'd like to briefly introduce our panelists. First of all, we have one remote panelist, that is Carina Birarda from the CSIRT Buenos Aires cybersecurity center. She represents the technical community and will participate digitally. We should she that can you more, from global partners, Civil Society aand John Hering from private sec, Microsoft, Olaf Kolkman from Internet Society, and Dr. Alexander Klimburg from the multistakeholder norms initiative.
Before we go to the panel, I invited someone special here. Because I believe two years ago at the IGF in Geneva, we had had a great discussion around actually whether a norm is something you observe, which is very much the original take from council when he developed and shared the concept of the social norm.
Or whether and how implementation and operationalizing actually fits in. I would like to introduce Madeline Carr who is at UCL and director of the research institute in science of cybersecurity from the Academia stakeholder group to share some of her thoughts on that concept.
>> MADELINE CARR: Thank you for the heartfelt work you have been doing over the year on this, because I think the paper is useful to those of us working in the space, the exercise. Maarten asked me to talk about if norms are observed or whether implementation fits into this. It is something I think a lot of us are thinking about and working on at the moment.
I thought it would be helpful to just very quickly go back over how we actually think about norms and where some of the common confusion around norms and rules comes in. Because a norm is really a collective expectation for what we see as proper behavior for an identifiable group. There is some important elements in there.
One is that it is a collective perception within a group. So it is not universal. It is not something that applies. It can't apply to people who don't want it to apply to them or actors that don't agree with it. A norm is something that is internalized and respected by the actors who identify with it.
And it is about what proper behavior is. Maybe active behavior or restraining from behavior that is inappropriate. Now, sometimes when we talk about norms in this space, we're not really talking about norms, we're talking about what we might say are normative aspirations. We aspire to regard something as a norm.
But that's ‑‑ that's ‑‑ you know, getting into some kind of muddy water because the actual power of norms as opposed to rules is that they don't really need to be imposed. In fact, norms can't be imposed. Norms is something that we all internalize and value.
Rules can be imposed and can be enforced but norms don't work like that. We often run into this point of confusion about what a norm is. It is fine to aspire to norms and discuss whether we can agree and regard as normative behavior. But norms don't need to be imposed. The very power of a norm it doesn't need to be imposed. If it needs to be imposed, there isn't a norm. I want to keep that front and center when we talk today.
If we think then about how do we observe norms or how do we know when there is a norm, there are a couple of ways. The first way we can understand that there is a norm in place or a norm in play is when we observe the behavior of actors that don't adhere to what is expected behavior. All right if an actor does something which is understood to be inappropriate, they will try to hide that or deny they have done it or justify their behavior. If they do any of the three things, that can signal to us that there is a norm in place, otherwise they would just openly say no, I have done that, I'm absolutely fine with that. The very fact of trying to hide behavior or deny behavior can sometimes be indicative that there is a norm in play. That is one way that we can identify a norm.
A more positive way to express the participation in a norm, is to sometimes move away from the abstract. The norms can be abstract and vague. How to move from that to a concrete kind of expression of that norm. So now we see actors looking at the norms that have been proposed and trying to map on their own behavior of how they ‑‑ of how they abide by or recognize that norm as, you know, a guiding expectation of behavior.
So I will leave it there, Maarten, the recognition that there is a difference between norms and rules and understanding when there is a norm can come from observing an actor that is not abiding by the norm, trying to disguise their behavior or as we start talking about implementation, how actors try and express. I do respect that norm, this is how I respect it.
>> MODERATOR: That is a wonderful introduction. It sets the tone for the work we ended up doing throughout the year. We looked at documents that went from being norms proposals to legally binding documents. Along that space, we determined there is a lot of spaces for disagreement and discussion that can show whether or not it is actually a norm. So really appreciate that intro.
Now, we'll jump straight into the panel, we want to get a bit of understanding from everyone is what they see as the role of norms in this space. In particular for those that have been involved in a particular agreement or norm and signed up to it and in the process to help further it, it would be great to get their perspective on where it fits on the scale of if that is something that is simply observed to some of the mechanisms that Madeline talked about or something that requires a lot of work to further cascade into the system.
We'll get started with Sheetal.
>> SHEETAL KUMAR: Thank you so much. I thought the introduction by Madeline was really interesting, it reminds us that norms fundamentally they shape behavior and they're incredibly important. They can be invisible. The fact that they take time it is part ‑‑ it is like a double sided coin. They're effective. If you impose them through rules through laws at the beginning, if they don't actually have buy‑in, they won't go anywhere. At the same time, obviously, that makes them difficult to implement. Cyber space is a fascinating context to talk about, because what stakeholder obligations are in cyber space and promoting and protecting cybersecurity is really an evolving discussion. Not all stakeholders agree what the issues are. Not all stakeholders agree who needs to solve them, how. That is something more binding, I think at this stage is simply unfeasible.
What role norms are playing at the moment is in filling policy gaps and shaping understanding and shaping collective understanding of what the issues are. I think that is why we have seen so much norm proliferation, which sometimes leads to holding your head in your hand. Another norm initiative. What is the challenge now is identify commonalities against all the proposals that have been proposed and identify where there is consensus, which is what the BPF has done. I understand there are other initiatives identifying commonalities. I think the global commission and stability of cyber space and GRT is starting to do an exercise in that. That the next stage as well as implementing and observing the norms. We have to realize there are challenges. I just think one of the most interesting aspects of the report the BPF put together is in identifying, actually identifying those who put it into the report, what are the challenges you faced? I thought that was fascinating. I think one of the things that we found at GPD in our engagement on this issue, first of all, there are varied understandings or definitions of the key terminologies referred to in norms. Including in the norms of group of Governmental experts of the U.N., critical infrastructure, what is that? Right there is varied levels of awareness in the norms, along stakeholders there is varied capacity to implement them.
Another challenge is the varied capacity to trace or attribute incidents in sign space. ‑‑ cyber space. There is evolving capacity in that. There is a mix of capacity and lack of trust among states and other stakeholders or neutral body too with legitimacy in that sense. Unfortunately, I think there is a lack of compliance, including among states that traditionally championed norms. That can act as a disincentive for others to comply with.
It links to the final challenge I will mention here. A lack of clear institutional mechanisms or processes to monitor and report compliance. There are a lot of challenges, I think one of the ‑‑ one thing that I really want to highlight is that there is a need for more development and implementation processes to be inclusive. And the nature of the Internet demands a role demands from every stakeholder.
One thing we have come across as human rights defenders in this space. The lack of ending in human rights defenders and organizations between the norms being proposed and human rights. But they're very clear links between human rights and the norms that are being proposed and really it goes to a fundamental point, which is that the security of the Internet, security of digital technology is essential for the exercise of human rights in the digital age. More security, better security measures means a better environment, healthy environment for the exercise of human rights. It is as simp as that. Everyone has a role to play in ensuring that. One thing GPD has done with the progress association, is undertake an exercise, explaining specifically what are the links between human rights and each of the GGE norms and what are the roles that human rights defenders are playing in implementing the norms?
One role that comes out a lot, comes across a lot is in monitoring, in research, in providing an evidence base. In bringing the perspective of vulnerable populations and impact of cyber attacks on vulnerable populations. Holding organizations to account. These are essential roles to play to make sure norms are being complied with.
To conclude, norms have an incredible role to play in the ones we're in, with the different issues, who needs to be involved. They help to shape common understandings. And because of the nature of the Internet and challenge at hand, norm development and implementation process needs to be inclusive. And Civil Society has an essential role to play in that regard. I hope that was a good start. I'm very happy to go into more later, including more concrete examples of how Civil Society groups including ourselves and others we have been working with have been implementing the norms.
>> MODERATOR: Thank you very much for that comprehensive overview. I think the keyword in what you said isx is inclusion. It doesn't always seem to include different parties that are working in that norm or affected by it.
For one specific group what happened some the past, being a member of the community itself, which is a technical community, we will jump over to Carina first and then talk to Olaf and get that perspective. We will jump over to the remote participant, Carina.
>> CARINA BIRARDA: Good afternoon, it is a pleasure working with the cybersecurity report. I would like to thank the organization of the panel. For me, to speak in representation of Latin America technical community.
I consider that this is necessary as a good practices framework to be implemented. In this country, the Internet may have particular interpretation. This is necessary.
Personally, I have to say an international ISO is somewhat auditor related to information security, resilience, security. Because of that, I'm very good friends of the standards. In the daily work, I am involved in methodology, norms, and functions are necessary to know. And apply in the organizations. Research, technology, and human capacity processes. Pending implementation. And by knowing this, then being able to measure the cybersecurity maturity level and implement continued improvement which are the main point I have to say a very good benefit of the community is cultural ethnicity. The information flows quickly just like reverberation. This coordination is based on years of lead of the particular group and particular research. (?)
>> MODERATOR: Olaf your view on norms, the role they play and how specifically those that come from the technical community fit in.
>> OLAF KOLKMAN: Yeah. So does this work?
>> MODERATOR: I think it does.
>> OLAF KOLKMAN: Something I realized when we had the conversation. Thank you, Madeline, that was a nice summary that put into work all the cerebral cells there.
Something I just realized, even at this table, when we talk about norms, we might actually from our hearts or mind‑sets or background think of different things. If you are German, you hear the word din, that is the Dutch industry norm, you think about the good quality built in the German industry. The nan is the Dutch variety of that. Those set technical standards for plugs, for length. For anything. Those are not the type of norms that I think you talked about, and not the type of norms that you just talked about.
In the technical community, like in the ITF, we are developing best current practices, which are shared ideas of how to best operate networks. One of the best current practices is, for instance, the filtering of addresses that come out of your network that should be your own address, so to speak.
Those are practices that prevent spoofing on the Internet and spoofing of addresses, which is a major factor in deniable services text.
Problem with all the current best practices is that they're voluntary norms, voluntary standards that are not always well taken up by the community.
That takes me to a second type of norm, which we at the Internet Society and the community of network operators are working on which is the mutually agreed norms for security. A set of commitments to deploy or take certain actions to secure the routing system as a whole.
I think that is a little bit on the edge between very concrete technical description of how you do the best operational practices and setting a mutual expectation with the network operators, with the added benefit by demonstrating the actions you take, signing up to the norms, you create a little bit of an economic incentive to do the good thing.
So by showing that you adhere to the norm, showing that you are part of the club, you might maybe get a little bit more business or a little bit more good will. Which is a value.
In the cases where a lot of the security norms, like antispoofing are in if fact plagued by reversed economic incentives. You protect the outside world and not yourself.
I leave it at that. But I think there is some there that is a little between the norm you were talking about and you and the very technical norms that you see out of the technical community, ITF, or the Dutch industry norm, or things like nan.
>> MODERATOR: Thank you, Olaf. I like how you flagged the different perspectives of what norms are. We have someone here that spent the last few years brings people with different perspectives to sort out that. Alexander, what are your thoughts on that?
>> ALEXANDER KLIMBURG: Thank you, Maarten, and you and your team for pulling this together. We have been following this process the last four years with great interest. We think it is a great enrichment of the IGF landscape.
The comments fall directly on what all said before, which is convenient since we're a commissioner on the global commission, I would like to expand rather than contradict him. It is easy to do so. We have a number of interpretations of what the tomorrow "norm" means.
A backgrounder, global commission was set up in 2017 to address international security norms. We're a group of 28 high‑level commissioners, high‑level experts from Government, security services also Internet governor, rights community that have basic experience with Internet related security issues. And the issue at stake was we had had a mission to develop norms and policies. But even defining what a norm was, was a little tricky. The norm within the international security landscape, in particular, the one defined by U.N. DGE process is different from the norms that are used as an expression. To give you another example, from some Government point of view, there is a difference between a norm and CBM, confidence building measure, which is in ways a version of a norm. In many shades of gray you can get holed up. It inhibits you, getting traction and identifying norms to get done. One of the norms we identified as part of the eight norms part of the report, which were put out in the Paris peace form includes principles and recommendations I encourage you to look at.
One norm was the norm to protect the core of public Internet. Exactly. Thank you, Olaf. There are many copies here if you would like one. One is to protect the core of the public Internet. I won't go into that later on if there are queries. It is about dealing with the core infrastructure of the norm and protect it from hostile, malicious actions. Attacks on DNS, PGP and attacks on the physical transmission media. The point here is we found the specific need that was not addressed through the 11 GGE norms and wasn't adequately covered in the technical norms propagated.
We took those inspiration also from the commissioners to find how to put forward something commiserate with the international law, which is the focus of the work. Not trying to change Internet governance, trying to influence the U.N. first discussions, international cybersecurity and be understandable to them.
What it meant to the governance community and other communities, it is raised what does it mean for us, in practice and implementation operationization. There are different understanding of what the term norm means. We find we follow more finis Moore's definition and we can say norms can be imposed even though that is not something you want to do.
You think back with experience of slavery. That was imposed on other nations. That did take a while. It wasn't just the soft power element that made other countries adhere to it. We see it through the lens of international security. When we talk about implementation rather than operationalization. We try to looking at the fine gray area of what does it mean to implement a norm.
We saw this as a problem for the UN GGE. One problems was the CERT, the Computer Emergency Response Teams would be units of attack. It took years to realize they were a the target of a norm to protect theirtivity. That was the example of why they weren't motivated or incentivized to monitor the adherence of the norms.
One of the three most important norms agreed upon in 2015. Growing on the experience of not having involved other stakeholders even though absolutely critical. We sent out one of the recommendations, the idea of communities of interest near implementation.
Communities of interest is an expansion of the standard practice of like‑minded groups coming together to further implement an already agreed standard or in diplomatic agreement. There are many examples in the diplomatic world as well. In this case, community of interest applies that the Civil Society and private seconder should be part of this group as well. We're proposing all of the norms out there, in particular the norms that we think are relevant for international security, the 11 GGE norms, eight norms of the Paris Call. Our eight norms, all other norms that could be possibly relevant that they generate their own subgroups towards implementation that effectively helps not only explain to us what implementation means but helps explain what the norms individually are. To give you insight in what is happening in the Asian regional forum in the U.N., this is the big discussion for the next year. What does norm implementation action mean?
If I Government signs up, what does it mean? Consequence, does it have to review the documents put out, all the policies set internally even though that might be highly classified? How do they report norm violations. If the Government does isn't it shouldn't do. How do they develop on their own ability so they don't potentially violate norms. These are complicated questions. I think Government has been trying to answer the questions on their own too long.
This is a reason why we try to engage in the community is because so many norms not only directly reflect on this community but also benefit from their input. This is the reason why I'm here today. I look forward to your comments. Thank you.
>> MODERATOR: Thank you, Alexander. Thank you for showing us that world view that sort of led to the GCSE and the work you're doing that is valuable. Finally in the panel we have John Hering from Microsoft.
One thing I am interested in learning about, you and Microsoft are instrumental in ‑‑ one of the early signatories to the Paris Call which was a bit of surprise at the IGF. And that was a very interesting initiative by Government to drive a lot of this forward in a multistakeholder way. I wonder if it you can share learnings a year later that have come out of the process.
>> JOHN HERING: Thank you. I want to thank you, Markus, Ben, Wim, everyone that did work to pull this together. We're proud to participate and support it.
Someone mentioned about proliferation of activity in this space. There has been. I think particularly from a coordination perspective, given the amount in recent weeks, one year anniversary of the Paris Call. The GCS report comes out, contract of the web, everything we want to capture in the report. That is just November.
So I think we are right to start off this conversation by appreciating the mantle of responsibility we inherited as IGF and Best Practice Forum. When President Macron announced the Paris Call last year outside of this gathering. We are given this mantle back, the activities across multistakeholder groups has come to a head at an exciting time to provide contributions and U.N. dialogues that are starting again.
With that urgency in mind, timing in mind, I would be glad to give an update on the Paris Call for trust and security in cyber space, which Microsoft is excited about, proud to support.
It has been over the past year, since it was largeed the largest ever stakeholder commitment to cybersecurity principles. It has nine principles, as opposed to eight. Forgiven.
What is significant is what happened over the past year. Anyone not aware, about two weeks ago, it celebrated its first anniversary. Like any good infant, there is a lot of growth in the first year. There are now 75 Government supporters, endorsers for the agreement. That represents 40% of all U.N. Member States. 300 supporters from Civil Society and Academia alone, represents 300% from that sector in the first year. 600 supporters from industry, including major representatives from essential sectors, including financial, technical community, critical community infrastructure depending on how you define that. That represents over 200% increase in the number of supporters from last year.
This all seems to reflect a multistakeholder consensus or developing consensus of what constitutes responsible behavior.
It is important to recognize that the principles of the Paris Call are not original. These are things which are derivative, highly so from various international agreements, most prominently, the U.N. group of Governmental experts norms from 2015.
What this is, is a widening of the aperture, recognizing the importance of having a multistakeholder community supporting the principles, to take them forward, having the conversations about implementation to require multiple sectors, multiple stakeholder groups acting in cooperation. That is why it is important to recognize not just the Paris Call has grown over the past year, but also had a pivot towards talking about what it means to live out the principles. Starting to build the communities of interest that was talked about a moment ago. The Paris website and the anniversary two weeks ago, which includes the beginnings of highlighting what different supporters of the agreement are doing in cooperation with one another and individually to support and live out the respective principles.
Microsoft and through our support of the Cybersecurity Tech Accord as well is leading a few of the efforts. Others led by Intergovernmental organizations and other multistakeholder members of the Paris Call community. That is where it stands now. We're excited to see what will happen with more as we move forward.
>> MODERATOR: Thank you for the update, John. Next, one thing I would like all of the panelists to think about for a moment and share is one very concrete and specific example of norms implementation effort that they have seen that has been particularly effective.
I want like them to think about what made it effective. How that can contribute. To make it a bit easier. Olaf mentioned one great norm example, maybe we can start with you Olaf and you can share some of your view.
>> OLAF KOLKMAN: Yeah. I cannot claim that we have been effective yet. Because the routing system clearly is not secure yet. However, since the start of the effort, about two years ago we have seen significant growth but exponential at the start of exponential growth is still low at about 250 participants.
What made this effort that I think successful is that we started with the community. This is not an Internet Society initiative. The role of the Internet Society in this facilitation with the community to self‑organize and come up with exactly the type of things they can and want to do in order to get routing security to the next level. One of the pieces of the success there is that the community agreed to be part of the effort. You have to take three out of four specific actions.
I will not go into technical details. They're defined on a semisort of high level action of thou shall apply filtering. They shall register your routes, so on, so forth.
What we do is allow people to self‑declare they have taken those actions and sign up through the website. After they did that they have ‑‑ well, this extra brand of quality so to speak. I think that is an important driver. On the other hand, that has also made us aware that you have to take good care of the quality. We will be talking a little bit about monitoring. But for us, that monitoring is very important because you can both recognize norm violations but also the take up of the norm itself. And the impact it has on what you are actually trying to solve. So we're looking at the evolution of routing incidents and looking at where do the routing incidents come from and how are they tied to the people that signed up to the mutually agreed norm for routing security manners.
I can go a little bit deeper if people want, let's take it at that. I think that was about the level that you ‑‑
>> MODERATOR: Thank you, Olaf that is great. Manner is a specific example. When I watch Twitter that is positive news, an ISP announcing implementing the pieces, that is nice to see. It confirms if they're bragging they did it, it means something that is generally seen as being really important.
>> And there is already enough bad news on Twitter.
>> MODERATOR: Exactly.
>> Except for the occasional (?)
>> MODERATOR: I would like to move to John. There is work about compiling some of the learnings and share them. Is there one specific solid example that you can share of something that Microsoft has done there?
>> JOHN HERING: The question of implementation is a fairly sort of nebulous thing. As we statad at the outset of what a norm is. It is almost like dark matter is unobserved you have been working in accordance with it whether or not it was explicitly stated. In following the BPF from Microsoft, it is lengthy six or seven pages which is thoroughly not exhaustive of the list of activities that Microsoft is engaged in or currently engaged in, in keeping with the cybersecurity principles and various others we supported.
It makes a good holiday read. As soon as you finish the Chris carol take out the Microsoft contribution to BPF cybersecurity.
When I look at what is signed I would focus on the Paris Call or the accord. What is existing on the Paris Call website, there are three initiatives that we're party to. One is through the defending democracy program which supports election security, social and technological innovations and legal actions we're working alongside the alliance for securing democracy, Civil Society organization. To again, build a community of partners explicitly around election interference to solve this problem at a larger scale. Through the cybersecurity core, Microsoft is supporting information for two principles for the Paris Call. One is fleshing out definitions and best practices, on the Paris Call of hacking back. What it means in context, the difference between that and defense and implications.
It is something that industry needs to speak to and clarify. We're taking a role in concert with the rest of the tech accord. We're working with cyber green, the Internet Society, global cyber alliance to promote greater cyber high hygiene and awareness.
>> MODERATOR: Thank you, John. Sheetal what is interesting following the evolution of norms, more and more Civil Society is taking a large role. We see the principles from human rights principles related to intermediary reliability, so on, where that is driven in Civil Society and makes its way into some of the documents and some of the recommendations. Do you have a good example from Civil Society side on something that is being worked on recently.
>> SHEETAL KUMAR: Yeah. I'm glad that people have said it is hard to say what it means to implement or observe a norm because I'm sort of going to twist it on its head and say that where I think Civil Society has done ‑‑ played a really important role is in monitoring compliance, actually.
That is not always clear, but let's take the first norm of the GGE framework around which says that states should not use ICT or prevent ICT practices that are harmful or propose threats to international peace and security. So the way we understand that is that means not undertaking measures such as arbitrary surveillance or censorships or shutdowns in the name of security. Unfortunately, that does happen. Civil Society organizations over the fast few years as we have seen the trend have been important in my life whether that is happening, where that is happening, documenting the impact. I think there are countless examples. And me highlighting some examples are in no way. I don't want to ‑‑ in any way imply that there aren't many more examples. Just to highlight a few, freedom house, freedom on the net report that documents practices.
There is APCs, many publications, inputs of the network, of the network and society organizations into the Human Rights Council procedures, for example, which document these measures. There is access now, the work it has done and digital security help line. The Oregon observatory of network interference. In the role here of making sure the practices are documented. And for the alternative human rights perspective, ways to address security challenges has been essential. And will need to continue. And the more we work to socialize the norms and make sure Civil Society organizations are aware of them, the more we can continue to do the work of monitoring compliance which we heard is essential if the norms will be effective.
>> MODERATOR: Thank you very much. That is a really interesting perspective. I was more thinking of Civil Society contributes to what the things looks like, but there is a really important role that a lot of Civil Society organizations play in kind of making sure that the things that we have actually talked about that they are left up to, when they're not it is being flagged to the rest of the community. Thank you. Really appreciate it.
We will jump over to Carina. Can you share an example of something you see in the technical community in terms of things you see as a normative effort? Sorry? Can you ...
>> CARINA BIRARDA: Can you hear me? Yes.
>> MODERATOR: We can now.
>> CARINA BIRARDA: In the 1917 Buenos Aires (?) there were those that were viral. And in 27, then we became part of the OIA American research. And my sense of shared duty in the AR2018, it is the big games, where in the Buenos Aires city. The Buenos Aires (?) were responsible for carry out of the cybersecurity of the event among the notable effort, we can mention within our team clear rules were defined. It is is the feeling. It is the possible incidents, sorry. With different type of magnitude and particularly scoped. Whether they find the resolution play book for each of them.
A deep participation of those (?) for nation concerns and the international only community and the national and international are not forces allowed. Westbound work with the smart (?) a specific attainable bound. And allow efficiency of incident in highly sensitive such as the games. And complied with establishing SLA of the ability of the different services. It was an intense and interesting experience for the whole work team.
This is for sure.
>> MODERATOR: It is a great example of how one particular event led to cooperation, documentation data that was reused by others, which is in many ways what we're talking about. Alexander, I think you wanted to contribute something related to an example of an implementation effort?
>> ALEXANDER KLIMBURG: Two comments I thought would be applicable. There is a shameless plug about a report from me, one solution to getting more norms implemented is simply generating more norms. The rationale for this is on the track with the analysis of for instance, manners, which helped to get another norm implements the BCP38. What we identified is that certain norms are voluntary, not binding, allowed to hang on their own, without thinking or supporting mechanisms. While norms that are effectively complementary and have a similar goal or even the same goal, even if they don't have the same name are much more likely to be successful.
This applies toward the work of the public core norm. The Paris Call took up five of the norms, directly and we were closely involved in the Paris Call, but it also directly addressed the public core of the Internet. Even though it didn't use exactly the definition that we did.
Furthermore, the EU adopted the public core of the Internet as part of the cybersecurity act. That term is part of EU regulation. The exciting thing is now is the time of secondary legislation where we need to effectively understand what does the EU definition for instance, mean? That is a group endeavor. This is when we have to implement the laws, regulations, and in this case, the security act stipulates this task will include the protection of the global public core of the Internet. That is something that has to be done in the communities of interest.
The final point is that like Microsoft, the GCSE stakeholder groups or that members that set it up are looking at different types of community interests to take norm implementation forward. You can be sure the public core of the Internet is clearly on our radar. We are talking about a number of Governments and stakeholder groups and how to advance the norm. Which include monitoring and other types of facilitating interest. Thank you.
>> MODERATOR: Alexander we will stay with you for a second for the third topic to dive into, which is what is the way forward? You mentioned a couple of really interesting things. There is something there about packaging, how do you discuss the norms, how do you debate them? There is something around implementation that there needs to be communities of interest. In the document you released this week, there is a discussion of a framework. Do you think there should be a common perspective on how we implement the norms, or is it specific to each norm and implementation may look different? What are your thoughts?
>> ALEXANDER KLIMBURG: I think the problem we saw before, we have no agreement on what exactly the implementation of the norm means. We look at the topics addressed in the norms and facilitate the goals from our respective vantage points, international community different from from technical and Internet governance community. That I think is more important departure than the framework although I have to say the framework of the cybersecurity start, GCSC of cyber space, which you see here, has been used by Dorria, in her presentation recently, in an ICANN meeting two days ago, as an example of perhaps how other types of initiatives can be graded or effectively assessed. We encourage that.
Effectively in the abstract that is a norm, too, to effectively create a norm to be effective as a framework. The operational side, the focus of the question, is I think the more important aspect would be concentrating on mechanisms for understanding how a COI, community of interest works. The difference between the communities of interest and other groups is that this is supposed to be multistakeholder. All of the other groups were single actor. Always Government or private sector or Civil Society so they had their own norms that developed in the case of Government over centuries and don't have to figure out what is the process to come to an agreement. So when we talked about what a community of interest involved ‑‑ this is all detailed in the report ‑‑ we have a couple of principles that we think we should be good for establishing a common framework. The really interesting thing about the community of interest, it can also bring together various norms that are similar. Not exactly the same. And concentrate on what is the most important thing, which is output. Not necessarily our own individual flags and logos, but actually what we try to accomplish. This is what the community of interest model is good at facilitates.
We put forward principles to get the discussion going. This is the beginning of the discussion. We look forward to further input.
>> MODERATOR: Thank you very much. Madeline, there is in this a way, nothing new about norms. They have been around a long time. Precyber discussions about them. Is there anything we can learn from that and apply to the challenges we are dealing with today as a community and perhaps implement?
>> MADELINE CARR: I think in norms you mentioned earlier were the frameworks and looking at how some actors have implemented norms or how I would say they have attempted to demonstrate they abide by a norm or recognize a norm. And some of that is documented in your paper. So the ‑‑ the steps that John outlined that Microsoft is taking Governments have done this, the UK and Australia, for example, have published papers where they basically map on initiatives or steps that they have taken to demonstrate how they meet or abide by the GGE norms, for example.
I think in terms of the way forward, one of the things that we really need to do ‑‑ this is something that has been an ongoing theme through the IGF that a lot of us around this table have been talking about for years, is just this greater discussion and communication with the technical sector. Because ‑‑ I just want to flag that we have this session tomorrow at 10:35 that would follow on nicely from this one. Where we're looking at bringing the policy community and the technical community together to discuss how we can operationalize norms.
Because really, what we have seen is that the technical community largely comes in at the end now, where we start to think right ‑‑ we have agreed the principles or we have proposed these ideas that we think we can all get behind and now when the rubber hits the road, actually, and this falls to someone to actually operationalize what is involved. And I think that has been ann going problem through the norms development process.
I would also say we do see plenty of examples of norms that have been very successfully implemented. Even I was thinking today, when I was looking at the ‑‑ at the GCSC GCSC norms, that they won't use botnets. We can't see any nonstate actor that would openly declare or openly develop a botnet and use it. We could even so that is a very settleded norm then. No one would do that without denying it or trying to hide it. That is good, that is success.
(Laughter)
>> MODERATOR: Thank you very much, Madeline.
I would argue one college we will continue to have though, that is still because of the challenges in attribution, it still becomes difficult to determine that some of the things don't happen. That is probably a topic for a whole other panel. Thank you that was insightful. John I would like your perspective, do you think the work happening today with collecting best practices, getting others to adopt them, is that sufficient or a need for a framework or something more formal?
>> JOHN HERING: I think there is a way to bifurcate thinking about norms and implementation between skill and will. And when there is not implementation, norms don't seem to be adhered to, do you have a skill or will problem? Is someone unable, is the country unable to implement the norm or unwilling to. The question to collecting best practices, sharing best practices, highlighting what it helpful in certain circumstances, that really gets to the skill question.
You are talking about countries and organizations that may just not know how to practice good cyber hygiene, may not have a level of necessary awareness to keep themselves, users, customers, citizens save, or have the critical infrastructure. This is capacity initiatives with groups, particularly the GRE is supportive. Microsoft is a strong support ev of efforts there. Maybe not just more traditionally we think about as cybersecurity capacity building and how do you engage in the conversations? How do you build trust?
Cybersecurity tiger corps has been involved in sharing best practices. We feel in cooperation with the Governments the UK foreign commonwealth office. With the awareness efforts across the commonwealth is helpful in sharing what is taking place and learning across cultures and across dif ides what is help ‑‑ divides, what is helpful. Of the other half of the equation is will. That is where Governments are unwilling to abide by norms and expectations. As professor car pointed out, there is a question as to whether you have a norm. If no one is following, it is not there. To that end, we think about this as two public solutions. One is increased recognition of expectations, to Dr. Klimburg's point, if we increase the proliferation of norms, if we internalize the expectations, when they're violated that can be that knee‑jerk reflection of hey that wasn't appropriate, it targeted a critical infrastructure sector, but it did so in a way that immediately made me think that is out of bounds. And we understand it to be out of bounds.
That being said, voluntary commitments will only ever be so effective. We're open going to need to move to some of this for more binding obligations, particularly in Governments, in what constitutes behavioral actions in Internet governance.
>> Go ahead.
>> I was going a funny, yes, we're ready with the botnet norm. I was thinking if the norm is violated what is the reaction to the norm violation by the community? Will violators be punished in some way or another? I think that is the point in which we actually notice that a norm is being lived up to and internalized by the community.
Not at the moment when everybody says, well, we don't see it happening and nobody will stand up and say, yeah, I proudly organized this botnet. It is at the point where you say we organized this botnet, is this big enough to do an economic sanction or diplomatic incidence created around it.
>> MODERATOR: With that, I want to go to to the final topic, that is assessment, we only have 20 minutes left. How can we see if norms are complied to. Sheetal, you brought it up earlier, I want you to talk about if you see a need for a framework. And apply that same talk to the assessment of norms endurance.
Do you think there is value in building something like that out? What would that look like?
>> SHEETAL KUMAR: Yeah. I think this question of ‑‑ the previous question around implementation, the road ahead, it is a tricky one. A number of the panelists said, you almost always know a norm is being adhered to, when it is being adhered to and you know it, because the behavior is happening and it is normalized. How do you check in on that as it is happening and evolving because it is invisible almost.
It needs a change and a position of behavior that changes over time. I think that saying that, there is a need for more documentation of compliance. It is great to see what Madeline referred to earlier, I think some states leading the way, for example, in the GGE framework and saying this is what we are doing, Australia and the UK, documenting clearly publicly. This is how I understand the norm. This is what we do. I think within the U.N. context, there is a lot of calls for that.
There is already the opportunity to do that, but the small number of states that started doing that shows there needs to be much more engagement with other states and stakeholders in encouraging more stakeholders and states in the uncontext to share their experience, share their challenges.
So a peer review mechanism, which is inclusive of all stakeholders would be welcome. Sharing of practices, sharing of challenges as well. Even in spaces like this is important. Already started to happen, I think. But in order to plug gaps, capacity gaps, we'll need to know what are the challenges that are being faced in implementing a norm? For example, when it comes to supply chain security, the nature of different products being all over the world, globally distributed. Is that a challenge? That is something we need to deal with. There needs to be more clarity on the challenges being faced and more documentation of existing and successful efforts. And different stakeholders be willing to share those. Which is why the BPF report and effort is a great one. I hope we can continue that, whether it is here or in other spaces like the GSC is mentioned.
I would like to say there are lots of ways norms to be implemented and policy tools they can be useful as a reference. How do I improve cybersecurity globally? Here's an example. Establish a CERT that is independence. Establish a vulnerabilities equity process, that can be implemented in national cybersecurity strategy for example or if relevant in legislation.
At the national level, there are a variety of ways or mechanisms by which the norms can be used as policy tools and implemented. I think we will see more of that in the future, I hope so anyway.
>> MODERATOR: That you Sheetal. We will move to the remote panelist, Carina. You spoke about the incident that led to standardization of how different teams work together. Do you have any interesting ideas or suggestions on how we could approach measuring or assessing whether a norm is in place and actually being lived up to?
>> CARINA BIRARDA: Yes, I can tell you that I believe at the national legal level, it is important to sign such as the Budapest Connecticut vention, it ‑‑ convention is whether the standards are met a city, anxious should have a standard to mature the level of cybersecurity, which we call (?) In order to take this starting point and put together an action plan. Say some of the measure that we can implement is the standard definition on monitoring the KPA. Key performance indicators, divided into three dimensions. (?) rationale. It is the meetingings structure constitutionally. And the integration for the orientation and development of corrective or contingency plans.
The good practices that drive in iso 2702 of the information security and all the family and all related is a good example to be implemented. We can share the experience with whatever find it necessary to know.
>> MODERATOR: Thank you, Carina. Those are good examples of ways of actually assessing in the ‑‑ from the technical community.
Then Olaf and Madeline, I would like to get both of your perspectives on assessment.
Is there a good example that you can think of? Maybe start with you Olaf.
>> OLAF KOLKMAN: Again, for manners, that is sort of the perspective of the very tiny area. The assessment of the implementation of the norm is much more technical. We can actually measure the measures that have been taken by the community to validate resources, to register resources, do signatures, so on so forth. That is important. It is an important tool, first, to show the impact of the norm, the agreement that routing security should improve and see that agreeing to that norm actually has an impact. But it is also important to hold violators of the norm accountable. This is a difficult project. This is a difficult thing.
Because in the routing fear an incident might be a typo. Might not be a thing that is malicious. So that type of analysis you need to do careful. That is an ongoing cycle we're going through in our community. What do we measure? Is what we're measuring good quality. Data source good quality? This is an ongoing conversation, also with the stakeholder community, because I have to say, Manga is a stakeholder effort, not multistakeholder effort. Getting to a better quality. It is incredibly important for the success of the project.
I do think that it also applies to other type of normative, you know, tracking. If you look at violations of other norms, it is important that the attribution of the violations is done correctly. Otherwise, your watchdog function becomes tainted and might become irrelevant at which point progress in your norm implementation might hold. I think the quality of the norm observatory, so to speak, is often important.
I think that is a lesson that we are learning currently from Manga that is applicable elsewhere as well.
>> MODERATOR: Thank you, Olaf Madeline you mentioned earlier you see it because people speak up and say they don't agree with what happened. Do you think there is more formalization that might occur in that space? What are your thoughts.
>> MADELINE CARR: I think the assessment of norms is deeply problematic. The easier part, if we think of norms as this collective expectation of what is proper behavior, then the easier part to assess is certainly some positive behavior. If we look at those norms, some of them are about state actors doing something or nonstate actor. S and some are about restraint, not doing something.
The not doing something is much more problematic for the reasons of attribution. The positive acts that state actors or nonstate actors will do X, Y, Z will be easier to assess for compliance. That is probably the place to begin.
But I think just also, I wanted to pick up on some of John's comments, I thought they were very astute. This recognition that norms are very social, this is a social process with we agree what is and is not appropriate. They do need to be socialized. So even by talking about how we can assess the behavior, it is a socialization process. But also what John pointed out, sometimes norms just aren't enough.
Sometimes that social process just isn't adequate. There we need rules. Rules are a different kettle of fish. I think the main challenge for this is attribution. We know that attribution, any policymaker or politician will say that attribution is a deeply political act and it is not ‑‑ it is not simply a matter of technical attribution, it is whether they can act on that information. And if they attribute without providing, you know, clear evidence, that unfortunately can undermine trust in the international community. So yeah. I would begin with the pass actions. For assessment.
>> MODERATOR: Thank you, Madeline. We will keep six minutes for questions. But before we go there, I wanted to leave Natalie Randolph a minute to talk about a session from earlier in the week. Every year in the BPF we try to bring together learnings from sessions related to the topic. I thought there was one you organized relevant to what we are doing here.
>> AUDIENCE: Thank you, Maarten, for giving me the floor and everyone for creating the BPF report. Very useful. We actually use it to start a workshop on Monday where we wanted to look at the implementation because when we talk about this implementation process, it always runs vague and abstract and we wanted to see if it was possible to actually discuss this implementation on a practical level.
I wanted to explain what the workshop is about. I think one of the biggest assets is the workshop itself not specifically the income. We took the U.N. GGE roles because it is the most universal. We focus on human rights norm.
>> Critical infrastructure protection. Protecting the supply chain, and reporting vulnerabilities. And we ask our participants to look at which role they see themselves fulfill and we defined five roles because we need to steer the conversation. Those roles were opinion shaping, rule‑making, problem solving, monitoring of norms and building community. So we asked participants to really look at the role you are actually ‑‑ what actions are you taking. Look at how concreting are you contributing to this. What challenges you face when you want to fill in a different role? What we saw is that most stakeholders are participating in the norms process but hadn't thought about the conclusions they're taking. We saw a lot of challenges are recurring. A lot of challenges are also already solved by different stakeholders. What Sheetal was saying, the fact that Civil Society has become very good at norms observation, it is something that other stakeholders are saying we don't have access to that information. For us it is hard to do the monitoring
The exchange of best practices of the whole norm observation and implementation was actually very valuable. And we're talking earlier with Sheetal, this is a type of workshop, concrete exercise that could be scaled to a bigger level. So it is something that maybe could be done online. Could be an outcome of the BPF. We thought it was useful. We have heard good feedback from participants.
>> MODERATOR: Thank you for sharing that Natalie. We'll jump into questions. We'll see if there are questions from the remote participants. Nothing? Okay. In that case, I see a hand at the back of the room. I will go to the front here. The gentleman at the back with the ‑‑ yes.
>> AUDIENCE: Hello, Alejandro, congratulations for the workshop. I would like to briefly add a point also I made during the online discussion, previous session, many of these norms come from different routines. They're coming from the ones we see coming from the GGE, OEWG and other groupings, they're with the states to admit them, agree upon them and eventually enforce them. Whereas the practical work of people like Carina Birarda and others here, from the brizzal CSIRT, they work on things that come fromally ‑‑ from all regimes, multistakeholder and all practice.
You maybe have to go across borders and protect in the European country to ask someone to violate their regulations to avert an incident. The norms are challenged when you go across regimes. This should be taken into account whether you are taking your norms from Governments.
The final point, which is implementation is if norms are not written with implementation inside, this very often happens, they are useless. You have norms that look perfect.
Define the crime, the conduct, origin so forth, you will never be able to trace it back the problem. It will allow people who didn't have this unapplicable norm and let them do the CSIRT report.
>> MODERATOR: Thank you, Alejandro. I saw two more hands, Juan and Pablo. We will give you 30 seconds for your comment or question. Then take it back to the panel.
>> AUDIENCE: Thank you marten, there is more questions. The Best Practice Forum is one of the most useful features of the IGF. This is high level consultancy for people or stakeholder like us that we cannot afford that level of consultancy. Because your document, like this one, that we're discussing are very useful even for our work that we're doing. So my request is the following. You been analyzing this positions of countries. But now, in the open‑ended working group, the nation and concerns are beginning to submit their positions.
It would be very useful, because many of us, many small state, we don't have big delegations to cyst through all that material. If the respective forum is doing what they are doing, analyzing the contributions and extracting the features.
So that will be a very useful document that I could suggest that it be submitted as an official document to the convener of the open end and Working Group. I think this is the thing that we're always asking to have the synergy between different organizations, even within the U.N.
Best Practice Forum is more than U.N. That is my request, to please take into consideration. Thank you.
>> MODERATOR: Thank you for the input.
>> Pablo: Praising the work and the work of the best practices forum. Secondly, I think there could be a good sequel in the workshop we're organizing tomorrow in Europa. You are welcome to join. Small advertisement.
>> MODERATOR: Thank you. Since none of those are true questions. Is yours a question for the panel? Okay. Is there any question or otherwise we will give the panel the opportunity to provide something. We have one question. We will go to you for that final remark.
>> AUDIENCE: Carbafor German Government. I have a question on what Olaf said. He mentioned routing security. We would like to implement more routing security for our systems. But there is a standard, called GDP sec but it is not implemented. There is no device really supporting it. It is not foreseeable for the next years that it will be widely implemented. So we really would like to strengthen the cybersecurity and perhaps it would be a good norm, because address hi‑jacking will be prevented by this. It is a huge international strategic problem. But there is no infrastructure you can buy on the market to implement what to do about it.
>> MODERATOR: Olaf can you address that in 20 seconds or less.
>> OLAF KOLKMAN: I will try to address this in 20 seconds or less. BDP sec has issue in the deployment because it discloses business relationships. That is a strong economic incentive to deploy security measures.
However, one of the things that the manners call ‑‑ the norms call for is a global validation. Global validation is for instance, origin validation. Using RPTI. We don't call for RPTI specifically as an implementation, but that is certainly one of the paths that the global community currently is taking up. And what we see is that the tools that are being made available in the community over say the last year or so, there is an amazing pick up for instance, in open source implementations of validators, I think that the combination of easy tooling in the context of RPTI which provides origin validation of routes and that is a rather technical description, it will help with improving the security of the routing system. I think we're very far along from having anything that looks like path validation, because that is a technical problem that we haven't collectively solved without disclosing these business secrets.
>> MODERATOR: Thank you, Olaf we have to leave this room shortly. You have 20 seconds for the last comment.
>> AUDIENCE: 20 seconds. We did the pilot project, I won't go into it due to time on deployment of Internet standards around why it is slowly happening. We discussed five topics. I will stick to that.
There needs to be created to positive business case for deployment, the same will go for norms. Perhaps we need rules and regulations, that was another topic discussed. The third one is they need to be building products by design and how to organize that as a world that we can buy safe products. The fourth one is the Internet standards need to be understood and need to be deployed, distributed into all of the networkeds that exist around the world. In a language people can understand. Not as a technical standard because nobody understands that and why it is important for them.
The fifth is if we allow children to leave vocational trainings and universities without having a clear idea about cybersecurity, safe websites, et cetera, will mean they come into their career without the knowledge they need to actually build a safer world. We came up with a whole set of recommendations which will be published, 31 January next year which will give a way forward to the discussions and who do we need to make this happen.
My voice is going. Thank you very much for the 35 seconds.
>> MODERATOR: Thank you very much, Ralph, thank you to all that have come today. Thank you to Alissa the online moderator. And thank you to Ben Wallis the cocoordinator. All of you who came or those that contributed to the call or mailing list. You can still continue to do that. We're working on the final report by by December 9, if you have thoughts mail them as a contribution or to the BPF mailing list. Thank you very much.
(Concluded)