IGF 2020 - Day 3 - NRI Cybersecurity local policies and standards

The following are the outputs of the real-time captioning taken during the virtual Fifteenth Annual Meeting of the Internet Governance Forum (IGF), from 2 to 17 November 2020. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 




   >> JENNIFER CHUNG:  Are we ready to stream and start the session?  Good morning.  Good afternoon, and good evening, everyone.  Welcome to the NRI Collaboration Session.  This is the NRI Collaboration Session on Security Locals, Policies, and Standards.  We do have with us a whole host of NRI colleagues who will be giving their interventions.  We will have interventions from Brazil IGF, from North Macedonia IGF, from Chad IGF, France IGF, and Albania IGF, and also have other IGF colleagues who will be making other interventions throughout the entire program with us.  There will be several policy questions answered at this time.  These are what are the contemporary challenges for our societies regarding cybersecurity; the second is what are concrete examples of defense in Cyberspace; and the third one is what are good practices of successful, regional cooperation on cybersecurity matters?

I guess I'm really happy to really kick off the whole conversation with looking at the national cyber defense mechanisms and why we need them and what the good practices are.  In this particular segment, I would love to invite examples from Brazil IGF, and North Macedonia IGF.  If I may right now, just a question really to our speaker from Brazil IGF, Ms. Cristine Hoepers, if you could tell us possibly what the situation is right now in Brazil.

   >> CRISTINE HOEPERS:  Good morning.  Good morning, everyone.  Thank you very much for inviting me in for the question for the session.  So, in Brazil the work on security actually started more than 20 years ago when the Brazilian Internet Steering Committee here in Brazil called for specialists to provide an overview on what would be a good model for security in Internet, and especially for coordination across the country.  And that report set the scene that really we needed several organizations, not only one, especially in recognition that security is something that is actually not achieved by one agency or one organization but really you need to have all actors as part of a security mindset, so at that time CERT.br was created and other CERTs or Computer Response Teams or Computer Emergency Response Teams as also known were created and that was a process that was slow because you need to have maturity in the country and mindset and during this whole process we had ‑‑ there is lots of teams and all of the teams work in network governance and so no really hierarchy, nobody is really mandated to report to any other team.  So CERT.br is a national team of last resort and provide services to any network and we are in contact with everyone that needs to reach Brazil regarding cyber issues or security or defense.  So in that sense, we have another team with more responsibility that's more focused on the government and that team is really more focused on government networks and helping states and cities, but really states and cities are not hierarchically obliged to report to that team.  It's a network of cooperation.  This has been formed for over 20 years and most people know that we have a cyber strategy coming on but we already have a cyber defense strategy that's much older around 10 years and they all focus on cooperation between private and public sector and involving academia to bring up new ideas and bringing in solutions, and they all recognize that all networks need to have their own capabilities for defense and own capabilities really to secure the network because I think this is the most important so there are a lot of efforts in training and capacity building and really in having a lot of people in the country trained and continue cooperation inside and outside so this is really a brief history and what I could share in like this short time for the session.  Thank you very much.

   >> JENNIFER CHUNG:  Thank you for information about the Brazil situation.  It seems quite clear and it's been in place well over 20 years.  It's interesting to hear that.  I forgot to introduce myself.  I am the moderator for this session.  I'm Jennifer Chung, a MAG Member for this year and also part of the Secretariat of the Asia‑Pacific Regional IGF.  And with me also, our Co‑Moderator and discussant, Mr. Laurin Weissinger.

   >> LAURIN WEISSINGER:   And we'll actually be facilitating the conversation and asking questions to the panelists and listening to our attendees as well.

With that, I would like to give the mic to North Macedonia IGF.  Apologies if I mispronounce your name, but could you give us some background on what is happening there?

   >> PREDRAG TASEVSKI:  Yes, of course.  In Macedonia it's quite interesting that before 2016, we haven't had any information regarding the cybersecurity capacities and it was just passed under legislation law but nothing more concrete.  Where later ‑‑ later that year in Macedonia in 2016 first and foremost established in Macedonia, Critical Emergency Response Team.  Later coming to the capacity and to the scope of that agency, the World Bank and the global cybersecurity capacity center raised a cybersecurity capacity review conducted in July 2019 where the main consulting took place using the central cybersecurity capacity maturity model, and within five dimensions such as cybersecurity policies and strategies, cyber culture and society, cybersecurity education, training and skills, legal relation frameworks, standards, organizations, and technologies.  Within such report, we Macedonian ministries and Macedonian CERTs, drafted a national cybersecurity strategy 2018‑2022, actually published the same month and same year, quite interesting.  (Laughing).

The main goal of the National Cybersecurity Strategy is cyber resilience, cyber capacities, and cybersecurity culture, combating cybercrime, cybercrime cooperation, and exchange of information.  And all of this the National Cybersecurity Strategy has been kind of developed from the recommendations of the previous report review that I have mentioned.

Also, on the other hand with the multistakeholder approach, we have established the Internet Governance Forum in North Macedonia and within that each year we coin a group multistakeholder approach of discussing very important topics about cybersecurity and, for instance, last year we were conducting ‑‑ we were conducting and discussing topics for the governance level, how they're implemented, what are the metrics in the national level, how do we increase and do we need to increase for the cybersecurity professionals and education effort toward the development of even more security professionals.

And within all, I can sum in that in a very spirit the North Macedonian cybersecurity has been increased and the capacity of dealing with a cyber-attack or incident and so on.  It has the capacities and knowledge and the agencies and established steps and procedures and guidelines.

   >> JENNIFER CHUNG:  Thank you for that.  I know you're really in the middle of the National Cybersecurity Strategy that you mentioned, 2018 to 2022, I think you mentioned, but probably we'll come back to you on that if you have a little more information and possibly compare what's going on in the region as well.  But before that, I would like to give the mic over to Chad IGF.  I believe we have a speaker from Chad IGF, Dr. Bakhit Amine, apologies if I mispronounced your name, but if you could give us a bit of an overview of what is happening in Chad?  Dr. Amine, are we able to hear you?

   >> BAKHIT AMINE:  Yes.  I can hear you.  Good morning, everyone.  Thank you for inviting me to participate in this panel, which I think is very important.  My name is Bakhit Amine, and I'm from Chad.  Chad is a landlocked country at the center of Africa, bordered by Libya to the north, Sudan to the east, Nigeria and Cameroon to the southwest.  It's a strategic and economic interests and it's open to attack from all directions by cyber criminals and cyber tourists, Boko Haram, Al Qaeda, was set in 2009 several of the regional on the border between Nigeria, Chad, Cameroon and Niger, and it's one of the deadliest tourist groups in the region, so really it relates to our security and Boko Haram are taking information technology and training members and recruiting new members and communicate and so on.  So Chadian authorities are aware of this situation, and also are aware of the country's internal and external isolations and quick work to provide the country with telecommunication infrastructure, regulatory and legal framework and institutional framework.  The Chad has established a National Information Security and electronic certification agency in 2015.  The cybercrime capacity in Chad is at the early stage.  We do not have a cyber defense strategy and no policy framework at the national level.  Chad doesn't have also ‑‑ doesn't have a computer security incident response team, and as you know, without a computer security incident response team, there would be no effective way to share information and resolve an incident at the national level.

So our citizens, like the others are subject to cyberattack, and Chad is in real need to is establish, you know, an appropriate strategy, which is why we are here to learn from experience of other countries and apply in Chad.  That is a nutshell of what we can say about the situation of Chad related to cybersecurity.  Thank you.

   >> JENNIFER CHUNG:  Thank you so much, Dr. Amine.  I can see other colleagues from West Africa IGF and other regions as well, so I think this is a really good session for us to share best practices, especially listening from national IGFs and also some states who already have quite mature CSIRT ecosystems and also CERTs, so it's actually good to have this conversation right now.

I'd really like to turn it over to looking at more of a national and regional international cooperation.  I think to this we can probably turn it over to France IGF.  Mr. Lucien Castex, could you give us a bit of information on what's going on in France?  I know there is quite a mature network over there and several other things including the Paris Call from the President back in to 18.  Could you give us a bit of information and context? 

   >> LUCIEN CASTEX:  Thank you.  We have framework in France, and basically, France has cybersecurity as cornerstone of digital agenda for the past couple of years, so idea is to develop a national expertise as it concerns cybersecurity and also to raise citizen awareness of threats and try developing collaboration with the stakeholders in France prospectors, Civil Society and so on and strengthen educational programs in this regard.

As it concerns policy, basically as you know, France is a member of the European Union so we have a number of legal instruments that are in in place France transposed the NEISS that pertains to cybersecurity, and GDPR which includes principle of privacy by design and privacy by default concepts and implement security into design of interfaces and products.  And France is quite engaged in ENISA its European Cybersecurity Agency and dedicated agency and related to cybersecurity questions, and also to answer your question. 

France is quite engaged with Europe, for example, as cybercrime convention, of the convention and has a number of initiatives at the international level.  The first one you mention is indeed the call for trust and security in Cyberspace which is aiming at bringing basically the international community together to ensure cybersecurity in Cyberspace.  France is also championing which is violence.  And in this regard, there is an advisory network bringing Civil Society and a number of experts to the table to discuss these issues.  And again, getting back to it next round, but basically there is also a number of initiatives from French organizations, a number of regulatory bodies with regard to data protection, cybersecurity, or media regulation, for example.

   >> JENNIFER CHUNG:  Thank you for your information in France right now and of course all of our colleagues are standing in solidarity with you with what is happening in France right now and it's actually very good to already have such a mature network and such mature policy strategies that aim to address these types of attacks and have a regional cooperation there.

Turning now to our next speaker from Albania IGF and this is Vilma Tomco the General Director of National Authority on Electronic Certification and Cybersecurity.  So, Ms. Tomco?  Could you give us a little bit?  Yes.  Thank you.

   >> VILMA TOMCO:  Thank you for inviting me in this really very professional panel.  I am here to say something about the Albanian framework regarding cybersecurity situation and certain cooperation that we have in the region and internationally.  I have to go shortly because they say that lastly, we have done a lot of things in the cybersecurity field.

Cybersecurity as in the Macedonia case has begun lately in our country something with very few limited schemes in 2009 and after with policy document in place during the 2014, to 2016 and after we saw that we need to work hard on it.  So, in 2017, we have cybersecurity law in place and we have worked also to fulfill the framework, the frameworks and regulatory things.  So I think that we have all of this legal framework in place but we still have the need to improve it because we have not fully transposed the NEISS Directive and it is now objective this year within this year and next year that we need to be fully transposed the NEISS directive into law and at the same time the policy directive is finish and we made the conclusion of how we have fulfilled the action plan that we have together with it.  We are drafting the new strategy of cybersecurity, national strategy cybersecurity in the country where a lot of stakeholders have worked and made contributions to it, review it, et cetera, so we're in the process to approve it.  Together with that we have also drafted an action plan and we have also approved the indicators in order to see how we have to fulfill it.

What is important to our side is that we have identified the critical and important infrastructures, so we have fully transport this part of this directive and we have through a very clear methodology, we have defined which will be the critical and important infrastructure in the country based on the methodology and this year we have a large number of these stakeholders and institutions that has to belong to the critical infrastructure.  And what is more important based on the on the tools or let's say procedures that we put to them, we have seen an increase in the interest to invest in cybersecurity to all of these critical and important infrastructures and also interest to increase the staff capacity‑building of their staff.

And this has put us to application to organize time after time, workshops, seminars, cyber drills, and other events in order to bring together all cybersecurity experts to train them, put them all together, talk with each other, and let's say to break this barrier that exists between the information.  So, we have tried to make them to share information, to share cases, and to help each other of what to do in case of cyberattack.

So, in this moment, we have had the support of a lot of international partners like ITU, like DCAF, a lot of others in the region like national CERTs in Macedonia or Serbia or Cyprus, so we have a lot of memorandum of understanding between national CERTs in the region and more in Europe also.

And this is for our, let's say for support to help us in different cases.  I cannot say that we have big numbers of cases, of incidents, or let's say other things that they are still not confident to share this with us, but what we are doing is a very strong efforts to raise the capacities of the teams.  So, we have also with our policies, we have impact in creating sectoral CERTs in each critical infrastructure, and in the others to open several cybersecurity programs in the academia in order to produce good experts in the field.  So, we are in this process to match the request with the offers in the cybersecurity market.

This is an endless work and we are to continue, but this kind of event that you are organizing is also a support to enlarge our networking, collaboration, et cetera.  Thanks to you and thanks to also the organizers of IGF.  Thank you.

   >> JENNIFER CHUNG:  Thank you very much, Ms. Vilma Tomco.  I see there are several questions in the Q&A pod.  I attendees and colleagues please do use the question and answer pod to pose questions.  We already have a first one, a question to all the panelists, and I guess I can expand also to NRI colleagues on the call.

International cybersecurity cooperation runs into issues from time to time.  How do you think that international cooperation can be improved?

I think this has already started nicely from a segue from Albania IGF who gave the intervention about some memorandums of understandings with other national CERTs, but I would like to open this question and also ask my co‑moderator, Laurin to see if he has anything to add to this question before we add it up?  Laurin, please?

   >> LAURIN WEISSINGER:  Thank you, Jennifer.  So, yes, I think I'm seeing two interesting dimensions to cooperation here.  And both, essentially, have been picked up by the panelists.  Right.  So, one would be more about kind of regional or in‑country cooperation, so the first intervention by Dr. Hoepers, right, about how-to Brazil in CERTs in different places deal with each other.  And then there is the kind of international dimension that Ms. Stevens mentioned, which is how do you go outside of the country.

And so, I guess either is fine for all panelists to answer in terms of what they're doing, in terms of regional or in‑country cooperation what they're doing internationally and where they think they have done well or where they might have to improve or find new solutions.

   >> JENNIFER CHUNG:  All right.  Perhaps I'll direct this question first to Brazil IGF, Cristine Hoepers?  Or any other panelists or other NRI coordinators or speakers would like to address this?

   >> PREDRAG TASEVSKI:  This is Predrag from North Macedonia.  I can address this.  I think both international and regional cooperation is extremely important for sustainable cybersecurity capacities.  So for instance, why Macedonia has been progressing in the spirit of light in the four years we kind of reached a very good level of cybersecurity since ability is due to the very extremely big support of the international organizations, such as NATO, OECD, DCAF and so on when it comes to training, to capacity building, to education, to workshops and so on.  Where on the other hand, on the regional level, there is already we recalling from Albania mentioning that we have memorandums with Albanian Critical Emergency Response Team, Kosovo, as well as Serbia, Bosnia, Bulgaria, and Greece.  And we're working to get and we're having each year; unfortunately, this year due to the pandemic circumstances, there weren't any collaboration or regional trainings.  However, for past year, 2019, there were several, around three to four workshops that were conducted.  Of course, with the support of international organizations.

   >> JENNIFER CHUNG:  Okay, Mr. Tasevski, it's important to hear about the international cooperation there.  You did mention a bit more about the memorandums of understanding with other national CERTs, and it is quite interesting to see that regional cooperation there.  I guess staying in that region and going back to France and also Western Europe, perhaps, Lucien, if you could expand a little bit more on that on the regional cooperation?

   >> LUCIEN CASTEX:  Sure.  Sure.  It's quite interesting, indeed, and the question is quite important because, basically, one of the key points is information sharing.  Not everyone is on the page, and then you need to improve capacity, which needs to basically at a local level in country cooperation, CERTs, local stakeholders, but also at the global level so that we can try aiming to global cybersecurity.  So, recalling as we mention earlier, we're trying to do so by bringing multistakeholder approach and there is a number of other initiatives.  And indeed, in France, we have quite a few.  For example, we have French commandment of cyber defense which was created in 2017 to increase cyber capacities and we have a number of legal initiatives as it concerns fake news, hate speech, and content regulation, basically. 

So, for example, quickly, on fake news we passed a law in 2018 against manipulation of information which is aiming to better protect democracy against fake news, which are deliberately spread.

There is particular attention on election campaigns.  It's quite important in the U.S. presently, and basically the aim is to improve transparency to digital platforms and the law is also creating legal injunction so that fake news can be taken down if they manifest and disseminated deliberately.  And also, it's creating a duty of cooperation, which is quite an important stake in sharing information.

So, the other point I was mentioning was cooperation at in‑country level.  And for example, in France, we have a number of different regulators.  We have CEP which is telecom regulator and concierge which is regulator of digital sectors.  And well, basically, you need both of them to cooperate, and this is done by a number of ‑‑ well of workshops and extending good practices between authorities so that regulation can be, you know, effective and that expertise can be shared with authorities.

At the local level, I can give you a quick example.  For example, from AFNIC the state appointed registry.  So, during the COVID‑19 crisis, well basically, in cooperation with DGCCRF which is basically the general directorate for competition in consumer affairs regarding fraud online.  And such cooperation, in my opinion, quite the first step obviously but also the cornerstone of cybersecurity because it's cooperative and multistakeholder by nature.

   >> JENNIFER CHUNG:  I think we have several questions in the question and answer pod that has built up during this time and I would like to still give an opportunity for NRI colleagues either from European region or I can move to different regions to answer this cooperation question.  But before that, I see there has been quite a few questions for Dr. Amine.  The first one is more of a statement, I think, and it's a statement I think to reaffirm what you mentioned in your intervention about needing to develop the computer security incident response teams and also there is another question from Madeline, and this question is directed to Dr. Amine as well.  Do you have cybersecurity capacity building initiatives from private sectors in Chad and how does the private sector landscape provide digital tech and services look like in your country?

   >> BAKHIT AMINE:  Thanks for the questions.  First, I would like to intervene about the regional cooperation.  The regional cooperation is important for us, in particular, in the regions of the area, so the United Nations Office organize a training workshop, a workshop also was attended by the officers from Chad, Niger, Nigeria, and so on, so we think the regional cooperation is important and it will help us to increase the capacity of our officers, and increase also the sharing of information.

In Chad we do have the initiative to ‑‑ to build the capacity because Chad has already established a national higher school for information and communication technology and this will show a clear political will of the highest authority to provide Chad with advanced education in ICT and in particular with degrees in cybersecurity.  And also, we have also the incentive to implement national cybersecurity strategy which is why we requested from the ITU in order to help us implement our national strategy.  Thanks.

   >> JENNIFER CHUNG:  Thank you, Dr. Amine, for that.  I would like to open up this question really to any colleagues from NRI colleagues from the Africa regions to actually understand a little bit more about the regional cooperation.  I do see a few of them on the call, so please do let me know if you would like to intervene to add a bit more of a dimension on the African region right now and on cooperation regionally as well as internationally, so do let me know in the chat or if you're able to raise hands, please also use that functionality.

I guess I'll pass the mic back over to my co‑facilitator and also co‑moderator, Laurin, for another round of questions.  Laurin, I believe you do have another question you want to ask the panelists and also the other colleagues?

   >> LAURIN WEISSINGER:  Yes.  Absolutely.  Thank you, Jennifer.  So the second thing I picked up during the initial statements, and this was particularly pronounced when Mr. Tasevski was speaking and that is the question of kind of culture, how to leverage a strategy, how to build a culture that is about security to get people involved to support education, to support in‑country cooperation that we already talked about.  So, if we could maybe start with Mr. Tasevski because he brought it up the most, kind of what is happening on that front and where do you feel this might be going in the next few years?

   >> PREDRAG TASEVSKI:  Thanks very much for such a great question, and I have to say one of the biggest challenges when it comes to national cybersecurity awareness is to create the cybersecurity culture and that is a question of a million dollars.  Unfortunately, I don't have the answer to that question.  But on the other hand, I can say how in Macedonia what kind of approach we have taken in Macedonia.

One very great example that it just came back this year in the middle of August, which was a part of the national cybersecurity action plan is how to make the people actually, the most vulnerable and the human firewall on the national level is to create a quite interesting and also very interactive educational commercials that are going on the national TV, and one example was between, so in Macedonia CERT, they took example of how the grandma is educating what the secure password to the grandson, and what is the malware, what is secure banking, what is phishing?  And so on.  So, these are the best practices that have to be taken.  And I have seen this on my parents, relatives, older ones as well, I see that everyone is perceiving that information very well and they're taking it.  They are digesting it and they're taking care of it, their digital identity, their digital information.  They're starting to understand that the data itself on the Internet, it's vulnerable and they have to take measures to be able to protect themselves and to be, of course, aware about it.

So this is one of the ways how the action plan of the national cybersecurity strategy in Macedonia started, but then also when you build the cybersecurity culture, which was really mentioned by my colleague from Albania, it's extremely important to identify, do you have enough professionals, or do you have enough education that can bring more curriculums and syllabuses, not only on for doctoral studies in post studies, but rather on the Bachelor level have you already covered such topics?  Are you discussing these topics with different groups of age, from the younger ones to the oldest ones, the ones that are the more vulnerable at the teenagers, that the people or the generation that is 24/7 on the Internet and I have to be honest, even now days I am a native and Internet savage person, but sometimes with new applications, new technology and everything, you can't keep all up to the speed.  Where on the other hand, those generations they do.  And, hence, we need to make sure that we take everyone into consideration, all different groups from the youngest ones to the oldest ones, and to be able to, very importantly, to be able to deliver to the nation or to the people, to the humans, to everyone in the fact that they will be able to digest that information like a cultural exchange like in Macedonia, the example was through grandma educating a young person.

   >> LAURIN WEISSINGER:  Thank you.  I think that was a really detailed and really interesting answer as well.  Could we go back to Dr. Cristine Hoepers who would like to speak about the aspect of cooperation and maybe she could also kind of quickly mention how the aspect of culture impacts on that as well because obviously these things can be tied considerably.

   >> CRISTINE HOEPERS:  Thank you.  The topic of cooperation is very dear to CSIRTs and Computer Response Teams, and actually in 2014 and 2015, we had two runs of the best practices forum on CERTs and cooperation on CERTs so 2014 was when we had activity for IGF, and in those years the main discussion, when we were looking for best practices for CERTs, the things that came over and over were really we need cooperation, but for cooperation we need to establish trust, and really to need to establish trusts, that is an interpersonal relationship thing.

So, those discussions, they really came over and over, and in 2014, the report, and I would encourage everyone to go to those reports because in the reports we actually registered on the first year what was already working and what is a CSIRT and what it can do and what it can't do because it's not really an answer for everything.  In 2014 it was more focused on cooperation, and I think 2020 was one of the challenges for cooperation among CSIRTs because to establish trust you need to know the person and so there is no contract that can establish trust or no MOU or no other organization.

So, CERTs, we have several organizations that we work for cooperation.  So, the main organization is first, and of course that's the forum of instance response and security teams and they're very involved in IGF at the ‑‑ now they're helping to coordinate the best practice forum of cybersecurity since it was established, but we have regional organizations as well and then the regional CERT cooperation organizations are the ones that are formed mostly because of culture.  So, your question about culture, so really, we have AP CERT, that's one of the oldest ones that is Asia‑Pacific, and so they have one goal and they really work well and they work together and they have different goals.  And here in Latin America, we are helping to create Lexi CERTs more for cooperation in Latin America and Caribbean.  We have language.  So, culture is very different and so some countries really having the obligation to report to someone will never work because the culture is not for that.  For reporting to other countries, you have to have formal organizations because people are more formal and want to have contracts and so.

But really for cooperation, I think trust is the main point, and this is one of the points for example here in Brazil that one of our major challenges is how to create this trust, and we usually create through conferences.  We do a lot of breaks and long extended times for networking, and this is usually where the cooperation and trust comes.  And later on, you have long relationships, so and I think that there is no really secret for cooperation, but it happens.

And another thing is also trust on technical expertise because at the end of the day when you have a very serious security incident, you need someone that knows how to deal with that, how to contain the incident, what they can share and they cannot share, how to protect data and privacy.  So, I think this is really important, and this is just to give an idea that we have some reports and previous work on cooperation in 2014 and 2015 intersessional so I think it's a very interesting read on challenges and why some cooperation works and do not work.  Thank you.

   >> JENNIFER CHUNG:  Thank you, Cristine, for that more detailed explanation about the regional cooperation.  I note we did have an attendee with his hand up and his hand is now down again.  I think it is ‑‑ I'm sorry if I mispronounce your name, if you're able to unmute, if host, if you can unmute his mic to ask his question?

>> EVGENY TONKIKH:  I had a message for previous topic about how we could enhance cooperation that was raised in the Q&A boxes.  So, I'm not sure, maybe it's already touched during the previous panelist speaker.  I would like to bring to our colleague some examples of interregional or inter‑country cooperation like Project Cyber Breaks, it's the first one is a map of existing regulations and the best practice and develop policy certifications in area of cybersecurity governance, and including personal data regulations.

The second one is Internet access policy and strategy for digitalization for public administration in countries so my understanding such kind, maybe mostly academic project, but it contains many interesting practical information and also provides some very useful workshops and such approach from bottom to top could be helpful, I guess, not only Brix countries because I will say Brix countries present different areas like America, Africa, Asia, and I guess based on these findings, we could take something and enhance and take into account national aspects and bring to the top level, to the international level like IT U, like United Nations agencies about cybersecurity aspects.

I guess it's could be a possible way to enhance and make more actual ‑‑ actual initiative.

   >> JENNIFER CHUNG:  Thank you.

   >> LAURIN WEISSINGER:  Thank you very much.

   >> JENNIFER CHUNG:  Go ahead, Laurin.

   >> LAURIN WEISSINGER:  A little bit of interference, apologies.  We have one more audience question that Peter Koch would like to answer, according to the question pod, and that is a question from Angela which is what role if any do you see forensics post cyber-attack, this is perceived as an extension of the CERT role?  Go ahead.

>> PETER KOCH:  Thank you for that question.  That raises at least one interesting meta issue which is that what is the mandate of a CERT and then who is going to define that, so there will not be a one definite answer to this CERTs or CSIRTs usually have a constituency that they serve and mandate related to that which is mostly governed by the constituency or if you want it, or if national CERT or intergovernmental CERT, then the mandate is described by the responsible government entity.

Now, in my part of the world, as in Europe it is not uncommon like specialized services like forensics are delivered by private entities and they would be called in.  So at least a CERT will have a coordinating role when it comes to these forensics questions and forensics is a wide field so it can either go to research in hardware and so on and so forth, but if we expand this a bit are wider, we are touching upon the question of attribution of attacks and of course there is a long way from a CERT and specialized service providers through law enforcement and maybe even to intelligence services when it comes to cross‑border attribution and so on and so forth.

A wide variety, and I would recommend if anybody is interested, that first the coordination center for CSIRTs, first.org has a couple of descriptions of what CERTs may or could do.  But there is no single blueprint for this, so I hope that answers the question but I'm happy to follow up.

   >> VILMA TOMCO:  Can I interfere a bit here?  Since I belong to the ‑‑ okay?  Okay.  So, it is a very interesting question, but I think that regarding the forensic and the CSIRTs, we need to make the differences.  CERTs or CSIRTs has to treat like an incident, so they have to find what is the cause, what can happen, et cetera, et cetera.  When it comes to it, it is an issue of criminality, so it comes to some ‑‑ it is to enter in force the institution of the law, the law, of course, and they have to follow all the processes by the police, others and judges, et cetera, so there is a separation in this.  CERTs can support, can help with information, et cetera.  But they cannot do the work of other responsible actors in this field.  So maybe I'm wrong, but they see this separately.  CERTs need to treat as an incident and they have to share the information and to prevent that this incident happens to other constituencies and other CERTs and responsibility of protection, but in such moment they had to delegate the responsibility to the law enforcement institution, like state police, et cetera, to treat in the other direction as an act of thief or criminal or abuse, et cetera, and they have to be punished based on the damage they have caused, so they are very separated with each other.  To communicate and with the institution that is a separate responsibility, I think.

   >> JENNIFER CHUNG:  Thank you, Ms. Tomco, that's very enlightening as well.  I do want to direct our attention to Dr. Hoepers response in chat about more information on CSIRTs and CERTs and I know we're running out of time and there are a lot of questions from our audience as well as our NRI colleagues, but I do want to bring this conversation back over to the African Region, Mary, you've patiently waiting, please intervene and keep it short so we have a time to wrap up with all the panelists.

>> MARY UDUMA:  Thank you.  Thank you, Jennifer.  I hope you can hear me.  Okay.  I just wanted to raise the issue of what is happening in our region.  At the Africa level, we have the Africa Malabo Convention on Cybersecurity, but not many countries have signed.  And at West Africa level, we have directives and not many countries have signed to that.  So, in terms of cooperation, but at the national level, I think countries are developing their cybersecurity strategies and some have gotten to a point of view and act, but the truth is still that it is very, very low so we need to do a lot of awareness.  Even when you come up with the strategy, we have to still do with a lot of awareness and cyber hygiene needs to be on our communication channels, even reviews and television, and even on WhatsApp, people talk to one another on WhatsApp, so you can communicate that way.  So that is where we have.  We have CERTs, Africa CERT, West Africa CERT, we have national CERT, and not all the countries have in our region. 

But one thing that is particularly interesting of mind is that the cybersecurity issues bridges, they have financial and economic information and have not heard talk about that but since we don't have time, I would love the panel to discuss that too.  Issues and implications of cybersecurity or cybercrime.  My colleague from Chad talked about criminality, so if anybody can raise anything that would be fine.  And if there is anything to mitigate that, that would be fine.  Thank you.

   >> JENNIFER CHUNG:  Thank you very much, Mary, for giving us a more comprehensive picture of what is happening in West Africa and also the Africa Region.  We are running very quickly out of time but I do want to give a little time to our panelists for a very quick kind of wrap up and just a find question really to all of you about, you know, if there is any action‑oriented commitments from you?  And I would maybe like let's do a 30‑second wrap up from everybody.  Let's first hear from, I guess, Ms. Vilma Tomco from Albania IGF.  Any final thoughts and words?

   >> VILMA TOMCO:  Thank you.  The only thing that I can say is that to work in cybersecurity is an endless work, endless action, endless awareness, and endless capacity building, so the young that want to enter into the field has to admit that this is really the future because there is no digitalization, there is no advancement in the technology for evolution, for fifth evolution without cybersecurity in place.

   >> JENNIFER CHUNG:  Thank you, Ms. Tomco.  Lucien from France, last words?

   >> LUCIEN CASTEX:  Thank you, Jennifer.  Quite, indeed, endless action indeed.  I'll just maybe shed some light on digital trust.  It's, in my opinion, quite important, wildly important point to raise.  Basically, it's of importance and to be able to restore a form of digital trust, well basically we need to increase cooperation and we need to raise awareness to cybersecurity question.

   >> JENNIFER CHUNG:  Thank you, Lucien.  Dr. Amine, some last thoughts from you on this panel?

   >> BAKHIT AMINE:  Cybercrime is no state, no institutions, no individual, and so we need to raise awareness and implement an appropriate strategy.  Thanks.

   >> JENNIFER CHUNG:  Thank you, Dr. Amine.  And Mr. Tasevski, any final thoughts on actions?

   >> PREDRAG TASEVSKI:  Yes, of course.  I was on mute.  Of course.  As technology moves and we're becoming more and more technology savvy, especially due to the pandemic in situations, and we can say that the privacy and security are the cornerstone of the cybersecurity.  We have to be aware; we have to be educated, we have to know what we are sharing, how we're sharing, and we have to be concerned about our data in this place and our surroundings as well as we need to make sure that we handle the data properly.

   >> JENNIFER CHUNG:  Thank you for that.  Final words go to Cristine Hoepers from Brazil.  Any final words or action commitments?

   >> CRISTINE HOEPERS:  Yeah.  I think we should all commit to awareness in education.  And I think at least, I am very engaged in this and I hope to be engaged in the future as well, but I think everyone also needs to engage into having and making their own part on cybersecurity and cyber hygiene because I think one of the major points for awareness that we need to do for policymakers to young people is that you have to do your part.  No one else can do your part on cyber hygiene, and you need to be engaged and really it's a process of cooperation in all parts and cooperation of ourselves and doing our part for really having a better cyber ecosystem, and I think we need to engage everyone from vendors to everyone for responsibility because we're only going to have a safer Cyberspace if we have everyone making good projects, people making good policies, and consumers making good choices, and us as citizens also engaging into having a better cyber hygiene and thank you everyone for this great panel.

   >> JENNIFER CHUNG:  Thank you, Cristine, and all panelists and also interventions from NRI colleagues for your words on cybersecurity.  Please continue to engage with us and have a very happy rest of the IGF.  Thank you all.