IGF 2020 - Day 5 - OF40 Multitude of initiatives, single objective: stability

The following are the outputs of the real-time captioning taken during the virtual Fifteenth Annual Meeting of the Internet Governance Forum (IGF), from 2 to 17 November 2020. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 




>> WIKTOR:  Thank you very much and for all of those of you that are invisible and make the panel possible.  Warm welcome to all the participants that are ‑‑ will be probably joining us along the session and the panel.  And it's my great pleasure to welcome all the panelists today.  That's great to join us in this open EU Open Forum on market of initiatives, but single objectives, ability of cyberspace.  This is a second event of this type that we are doing.  We have had similar discussions on the IGF in 2019 under quite different circumstances where we could physically meet in Berlin, but I think that doing that virtually this year it makes it even more linked directly linked with topics of discussions with IGF and of this form.

So I have today with me a number of fantastic panelists.  So with no known unnecessary order of importance, I will start as well with introducing them to you.  First let me introduce Ambassador (inaudible) who serving for cyber and foreign ministry of affairs.  He has held a number of different positions including Asia‑Pacific department, director of export policy department and director of ministry.  As well as holding ‑‑ he held several positions both in Republic of Korea but as well China and Mongolia.  Entirely in the spirit of multi‑stakeholder, his government experience, he also has been working as academic teacher and research and visiting professor.  So let me move then to Mr. Alatalu.  The European union.  Prior to that, he has had head of international relations corporate cyber defense central.  Excellent and has been in cyber defense in the study of ministry of defense and he served as the diplomat in the Ustonian delegation.  She has been involved in worker team very actively during the EU presidency of Estonia in 2017 as a vice chair of the council working party on cyber issues.

Then I have Martin who is a board member and the former chairman of the form of incident response and security teams first, which is a non‑profit organization association of 530 security teams in 96 countries.  Covering quite a bit chunk of the globe.  He is also a chief information security officer and (inaudible).  He has a long career in managing security organizations which includes building the cybersecurity intelligence team and work on the security teams at Google and Microsoft.  Now let me move.

She graduated from the school of international studies but as well technological university.  As a part of that, she was involved in a crafting various dialogues, but also vitalization.  She has been writing to a number of journals and newspapers both internationally and regionally such as new straight times, the nation, China, daily, south China morning post to name a few.

And then last but not least, we have (inaudible) and Nicoli.  The team has won the first prize in the apps for digital piece competition which the first addition has been held to organize this year by the cybersecurity technical and United Nations of disarmament first.  Microsoft EU's office in Brussels.  So warm welcome to all the panelists.  Let me start maybe with just setting the frame for the discussion today and I'll invite you to give a little bit of a pitch of where you come from and what are the ‑‑ what are the ‑‑ in your view, a role of various stakeholders that in advancing security and submitting cyberspace.  Of course, considering the respective capacities.  So as many participants would be fully aware of, you know, currently there are several ongoing discussions on the multi‑lateral and international level that's linked with the disability and security in cyberspace.  To name a few, we have the open ended working group on the issues as well as governmental experts.  But cyber stability is a (inaudible) and in many other form.  From the perspective of European union, we have been a promoter and will continue to be a (inaudible) promoter of what do we call a strategic framework for prevention, stability and cooperation in cyberspace.  But we also recognize and have been supporting for a long time this multi‑stakeholder approach, which is a key in the domain that we are talking about today.  Different actors have different responsibilities and capables in cyberspace as I said.  We need engagement of Civil Society.  We need an engagement of business and we need an engagement as well of academia in this discussions moving forward.  So with that introduction, I will move and invite ambassador (inaudible) to maybe start and break the ice with a few minutes.

>> Good morning, good afternoon and good evening, everyone.  Times are challenging, but the spirit is strong when it comes to the cyberspace, cyberspace showed us our ugly face even more during the COVID pandemic, but it also got all of us to work together using the cyberspace even if we cannot travel.  So thank you for inviting me to this panel.  I will try to serve few observations from the perspective of the government representatives of a member state of the union.  As Viktor mentioned, there is whole rage of the processes going on different levels which involved the government to push forward the questions or challenges of cyber stability and cybersecurity.  Victor has already named those most important in the United Nations framework.  I'll be back to that.  But just to give you the little bit of background ongoing to processes in cyberspace on the level of governments are taking place also in the ECE which is focusing on countries building measures.  There is a number of those confidence knowledge about measures agreed upon within the OAC framework and with a number of countries participating in specifics to enhance our corporation in cyberspace aimed at building confidence.  As we speak now in fact, I am on another computer participating an exercise which has been called yesterday by room an ‑‑ Romania and it provided answers of what would we do if we well a cyber attack on the energy system and us in particular on the wind farms.  So this is just an example of how many projects are going on in different frameworks of international forum.  Then we have also our internal processes which add the security in the cyberspace.  Internal within the organizations of which we are the members.  Poland in particular, it would be European union or NATO.  It was on the EU I think we have made a big progress on the governmental level in introducing the cyber diplomacy tools, the restrictive tools for the first time this year to speak normal language to introduce cyber sanctions for the first time in the history of the European union on July of this year.  And the second package just days ago.  The cyber sanctions is the response of the government to the attacks against the EU member states or (inaudible) of the European union as such or international organizations which are considered important as it was the case in the first package where the attacks OPCW were taken into account.  So this is again the government organizations government organization activities to provide cybersecurity some cyberspace.  I will come back for a moment to the u N and it was in the UN, you again have a number of processes going on.  You have activities in Geneva.  You have cyber crime fighting activities based in Vienna or future cyber crime activities which is to be decided whether they will be based in Vienna or New York.  This is a new initial taking place and we have two most important for cyber stability processes which are taking place in the first comedy of the United Nations namely the governmental ‑‑ the group of governmental experts and open ended working group.  Most of the groups mandate should be concluded early next year and we are working on concluding this work, but what is important and I shortly want to touch upon when we come back in discussions to that, there is certain level of disappointment with the results of that work.  Namely we ‑‑ many countries including all EU countries would like to see more tangible results of what we're doing within the United Nations.  There's a lot of discussions on the question of applicability of the existing international law and existing international norms as agreed earlier to the cyberspace.  And the questions raised by some countries whether it is applicable direct, new instruments, universal instruments that we worked out or not.  These are fundamental questions for the government.  If the group of countries to which we represent in the European union or the family, we all not neglect the importance of the questions of the applicability of the law to international cyber international cyberspace.  We would like to move forward with specific tangible results which would help the whole range of the countries to increase the capabilities in the cybersecurity and providing safety of cyberspace and increase the confidence building measures.  The last initiative that was announced during the last session in September officially was announced in September during the last informal session of open ended working group is so called program of action.  It has been delivered by EG and France.  All EU members endorse it as a (inaudible) and the problem of ‑‑ program of action is maybe the new way out of this deliberations within the United Nations contacts because we not neglect the importance of continues process, but we would like to create a framework for more practical results oriented activities.  Results that will increase specifically capabilities of the member of the United Nations and will build the confidence among them.

We must remember that all EU countries have relatively well developed cyberspace systems in place.  But this is not necessarily the case for the majority of the (inaudible) in the United Nations.  So from that perspective, we would like to share our best practices.  We would like to share mechanisms that we have developed in our countries with the other members of the family and the UN family and we think that we should agree on ending the dual truck, which we have now between the group of governmental experts and open ended working group and come up with a single truck which will be maybe hopefully based on the program of action and focus on more tangible results.  To some of that, I would like to say this is what we do on the level of the governments.  It's needless to say that implementation of whatever we do as the government may not take place without not only understanding, but full fledged cooperation from the other shareholders of the cyberspace.  And the other shareholders is everyone and everybody.  It's the research communities.  These are NGOs which have a different set of values.  These are developers of new programs, new applications as we have today.  These are the companies which are actually providing the tools for every user and there are individual users at the end.  Because I say even with the best systems technical systems of cybersecurity, the education of individual people is very important because eventually a lot of people put themselves in problems with mal issues software for example.  The crime activities.  I'm not talking about state to state activities, but crime activities result in single persons fly because they clicked something, which they should not click.  So the education on what to click, not to click, education on what are the sources of this information and why this information is dangerous for society is not just for the government is also important part and stakeholders in the cyber education are also important.  So to sum up, the job of government is to create the frameworks.  And this frameworks are being created on the various international levels, the global level at united nags or expanded regional level like OECE or the European level, et cetera, et cetera.  They report being created on the internal national level set up by the government and our internal legislations which provide a framework.  But the actors within this framework must work together.  So we can't do anything because the government other than set up the framework.  The substance of the activities must come from the minds, (inaudible), and sometimes heart and the resource of the other stakeholders representing enterprises, businesses, research community, NGOs, education community and so on.  I probably spoke longer than I was supposed to.  That sometimes is happening with diplomat, but I will stop here and I'm looking forward to (inaudible) during government discussions.

>> WIKTOR:  I picked up a lot of very interesting (inaudible) that I would like to come back in our discussion parts about tangible results and individual users.  I think that's very important as well element about at the end of the day cyber.  It touched us as human beings as much as anything else.  Capacity building and as well how to translate the forms of the frameworks that we established in a more concrete way and also through technical standards and technical work.

Before we go there, I would love to hear from you a little bit about your perspective.  From our experience of action, we have very close engagement with think tank and academic community which adds very important voice into what us as practitioners very often do because first help us to think outside of the box.  And also delve deep into some of the issues.  But also if you can, you know, at certain point, maybe Q&As reflect a little bit on the regional aspect that you come from the Asian region, which is very active and very advancing quickly on cyber issues.  So Farlena, over to you.

>> FARLENA:  I do have a long answer I think with this question.  So I'm a little unsure whether I should get into it now or should I should get into it later.  Maybe I should just deliver my talking points first and we can converse on it in Q&A.  Distinguished guests, ladies and gentlemen, I wish to convey my gratitude to EES and Internet Governance forum.  I am most thankful for the opportunity to share some of our experiences particularly Isis and for the opportunity to learn from participants and panelists.

My presentation aims to fulfill from a perspective of an organization stranding somewhere between academia and policy making.  So I will now doubt be in the company of this and that is the contribution for later discussions after.  If I miss anything, please feel free to prod me during Q&A.

But first leased discuss some of the contests.  Some of the efforts can be characterized by how cyber disabilities is viewed.  If we sigh it as a goal to be upheld by few factors namely political, technical, it incubates and contextualizes the ideas also as conversations and even when it can be relevant.  The first is stability related to draw political tensions played out in cyber where impacts and infrastructure for cyber operations would be considered‑‑ would be required states to be good and responsible behavior.  There are few mechanisms for deterrents in this case which is to uphold for good state behavior.  Would that be ‑‑ is that my ‑‑ sorry.  There is a comment.  There was a note that my speaker of the not working.  I thought oh, dear, I was worried that I was babbling to myself.

Second is in regards to the definition for technical factors when it comes to cyber stability.  We're looking at open secured table accessible and peaceful cyberspace that would require technical assurance and cooperation.  These can meet certain ends for corporation to handle cyber crime.  To this end, the academy can play a valuable role as a space to haven't the multi‑stakeholder structure and dialogue that needs to occur.  The perspectives of cybers structure challenges typical arrangements on jurisdiction and responsibility, when we hold discussions on Private Sector engagement and ICP usage, this was held (inaudible) some of the reflection impact how private organizations actually viewed their own mechanisms for them to handle some of the threats for some of the rising threats in this region, in this realm.  Meanwhile, other perspectives that we have actually observed when it comes to some of the platforms that we have held is in regards to the (inaudible) perception that is impacted ‑‑ during the time, the concept of cyber war fare was quite (inaudible) and what the debate moved forward to date, during the days ‑‑ it is still being articulated for appropriate policy and responses.  Academia is serve this incubator of ideas and platform for dialogue.  The exchanges occurred to forum such as council for security corporation and Asia‑Pacific.  But particularly the study group on international law and cyberspace conducted with C scat provide insights to point of congregation and governments in the region, which is most helpful and tries to move the conversations forward.  NGG report.  So this type of training programs sought to engage the stakeholders.  The governmental stakeholders and also the academia research community to converse on some of the concepts underpinning cyber stability issues.  Programs run on cyber direction as well have actually had bridged the gap and encourage (inaudible) to share knowledge for discussions on cyber stability to be inclusive.  Academia can reflect and grow in silos.  The learning from information already (inaudible) are beneficial and would insure and realization of enough supporting cyber stability faster.  However, the challenges that academia may be the same as those reflected on other platforms.  It is established between the academic community and between other academic communities and are even communities that Civil Society.  These can affect the clarity and transparency that would impact pragmatic and appropriate policy solutions to be introduced.  Sometimes solutions and other parts of world will not work here and this is where academia plays a strong role that tries to contextualize some of the conversations held in other parts of the wonder.  Access can be also impacted by resources where the student to attend certain meetings can be limited by the availability of resources.  Platforms held in the space is also acceptable and (inaudible) in more track 1 held organized platforms.  Which means in dialogue, sometimes finding the right angle, but it would take a certain type of trial and error and would mean holding the same type of conversations every other ‑‑ every few years so that different agencies can take part in what you would open would bring a different outcome.  In seeking punishment, different platforms offer different lessons building greater cyber stability.  I would have provided some type of insight of how academia actually contributes to cyber stability processes in the space.  If anything, address it in the Q&A I would look forward to speaking more of it after.

>> WIKTOR:  I will definitely come back to that.  SIIM, I can have you next coming?  I think that you also will offer us a very interesting perspective probably drawing a little bit more on the capacity building elements as well.

>> SIIM:  Yes, indeed.  Thank you very much, Wiktor.  It's a pleasure to be here.  I have to say I have been very busy taking notes from fellow speakers.

I would like to share some slides to highlight what I will be speaking about in the coming minutes.  So let's try to get those to work.  Perfect.  So very quickly.  I will go to the first slight right away.  Previous speakers have highlighted different initiatives and the different topics which are very helpful on our area.  Focusing on this panel.  I would start off by recapping how I as a former academic or form are researcher see that.  There are trends on a national level and international.  There are a lot of national efforts in the area developing straight gees, implementing new structures, coming up with new standards, attribute already highlighted which basically all comes down to cross corporations.  Nation and stakeholders working closely and ever more closely together to solve issues related to cybersecurity at large.  And at the same time, there's a lot more national effort.  Just to mention the UN.  And there is a lot more shared approaches to the issue of cyber capacity.  But see it has been announced a priority of course in the EU level.  And EU strategy and most recently ‑‑ it's a priority expressed all the time for the EU.  But it is also a priority on the other side of the Atlantic, for instance, in the U.S.  They say working with (inaudible) is a priority building capacity elsewhere.  It's a priority.  And these are just two examples, but there are a lot more.  So if you think what is cyber capacity building and how it relates?  Here is the mapping.  You see that at least the different levels that a stakeholder is emerging.  So it can be anyone from an individual way to let's say the government parliament (inaudible) energy.  So everybody has a (inaudible) and everybody can be a stakeholder.  Why it matters is that everybody can also be say targeted.  And the severity of a cyber incident can range from mapping and services.  So anybody looking after your activity or anybody trying to sneak into your (inaudible) all the way to service option.  So again, anyone can be a stakeholder and anyone can also be a target.  Representing my agency in the information systems authority.  We call it rya.  It is an acronym.  I guess it is the easiest way.  It is multi ‑‑ it has many years experience in part of the countries that contribute on funded projects.  What we have taken away from these projects and lessons from the international partners as I have labeled here, they're truthful.  First you need to have a sort wide approach and the second you need towards a target what you train and where you provide your education.  So coming to the first, the society approach, if you want to build cyber society, there is one size that doesn't fit all, but if you want to be a successful cyber capacity builder, if you want to achieve results and say provide sustainable development in cybersecurity, you need to speak to a critical structure.  But you need to speak to a private sector in general and you need to speak to Civil Society organization because they're off in the drivers when it comes to responsible approach by the citizens to a given issue.  And then the other area, you need to target your training and education.  So there is again one size doesn't fit all.  You need to speak to (inaudible).  One hand, they are the future, but you need to speak to them about cyber hygiene.  I say in my personal life, quite often the school student who bring in the new apps and then you need to basically educate ourselves as to what are the risks associated and then you need to teach your kids.  But you also need to be on top of the development and quite often children are the way to do that.

Then the young adults, you need to enhance their understanding of cybersecurity and such.  They are often the next generation decision makers what they deal with.  They build the economy as we say.  So they are the ones responsible for making the country work to make the society work.  And cybersecurity is just part of what is going on.  So you need to educate your people off especially young adults.  In Estonia, we have a campaign (inaudible) inner cities.  You cannot leave anyone behind on that as well.  You need to speak to management because this is when the resource decisions are made.  I would include cyber projects and how to communicate cybersecurity and so on.  So these are the lessons learned.

You might ask what is the purpose of cyber net in this?  It is an EU funded project which is to bring together first the action that the EU is going outside the EU in their capacity building.  So to strengthen the coordination coherence of all the good work that EU is funding and experts are engaged in other countries and building cyber capacity.  We also Rhode Island enforce.  That is to provide this technical system.  It means bring together the capacity that EU has.

Very quickly.  We have ‑‑ the project is run by the Rio, the information system of Estonia.  And security ‑‑ cybersecurity agency.  And, ah, our ambition is quite high.  We don't have any geographical limitations.  This is a map of the EU Delegations.  In the comes year ago, we should be reaching out and helping to build cyber capacity world wide.  Of course, we need to adhere to the standing principles of the EU when it comes to cyber capacity building as such, but also the more broad principles.  So they all relate to what the EU is promoting when it comes to stability of cyberspace.  They assist in international law, protection of fundal rights and freedoms, who can access Internet forum and so forth.  Colleagues highlighted some of them in good question tail.  If I may conclude with a recommendation, if you Google operation guidance, that should bring you to a report that was started two years ago by the European union institute of security studies.  And that is a very useful (inaudible).  I just copied one graph from the menu which highlights the VIP checklist.  And from (inaudible) to interest to principles, so these I think are a good BASIS to carry on discussion.  Thank you for your attention and look forward to any questions you might have.  Thank you very much.  It is really a pleasure to be here.

>> WIKTOR:  Thank you very much.  Let's move on to Martin.  What I would love to hear and what we can bring to the attention as well is you come from the world where very often you are told what are the notes in the frameworks.  You have to concretely operate within that which is a struggle.  I think what we need more as well is to have a better dialogue between those who are on a daily BASIS have to implement that and those who imagine things.  So over to you, Martin.

>> Maarten:  Thank you very much, Victor.  So my name is Maarten van Horenbeak.  We're an ocean about 500 security teams that is really ranked from government, Private Sector and academia.  And what makes our members special is that they are oft know referring to as the fire brigade of the Internet because they're the first ones to step in.  We have three different ways of doing that.  The very first one is focus on global coordination.  One of our goals is make sure there's a well and competent teams ready to respond to incidence.  We want to build a community where they can easily find each other and find other incident responder that have very specific skills.  Or they might be much closer to a network that is conducting (inaudible).  And we name to do that by expanding membership days and we do that by drawing members per se or immediately, but we also have fellowship program, which is focused on members in potentially states that may not have the funding to join an organization first.  Second, we focus on creating global language.  What we mean with that is that every (inaudible) has a common set of tools such as technological and used to be effective.  And finally, we educate third party stakeholders such as policymakers on the work of or member teams and how they can help us address our ongoing needs and challenges.  And really practically what we do is bring all of these into the response teams from around the world for training, information exchanges, conferences or in working groups where they can work together to build standards.  And we do this across organizational boundaries.  So we have members and then our very levels of funding and capability.  And one of the interesting things about first is that we bring people together when sometimes they might not have the mechanisms in place to come together.  So what we often see at our conference is that we see the national (inaudible) of a country participate and it would be one of the places where they meet a lot of constituents because some of the large corporations are universities.  They also be participating in that same meeting.  And as this network, this we painted in a number of different mechanisms to contribute our experience from dealing with actual security.  I wanted to highlight three different challenges we often run into when we bring together the groups.  And quite often, there's perceivability that they can deal with an incident by themselves.  And the (inaudible) really works as a network because we need skills both from the government, but also from the network operator and from the failure that builds the software that's been affected.  We see that we're most effective when incident response team and especially the national ones invest in multi‑stakeholder corporations of a really vibrancy served community.

The second challenge that we have seen and this is especially in receipt years has been about the inclusiveness of the defensive cybersecurity community really is effective when relationships between states worsen.  And that can have relatively minor backs, but it can have relatively major ones when a particular country is under some type of sanctions.  And the challenge with the restrictions is they make it difficult for incident responders.  Not just because they might prohibit conversation but because of the concept of derisking quite often they avoid risk because it is kind of part of their job.  As a result, they try to stay away from things that might not be willing or completely what is their government endorses.  And third, we see developing trust as a very core prerequisite for stability.  It isn't something that gets (inaudible) or legal document, but by work together, achieve something old things and building larger corporation on top of that.  And one initiative that I would like to highlight specifically from our community is some people call ethic first which launched on local ethics day this year just two or three weeks ago.  It helps guide the ethical public of members.  So the didn't beauty that a team member has, coordinated exposure, respect of human rights, responsible collection, those types of things that we think if incident response team and responder live up to these specific ethical guidelines, they're going to be a lot more successful building trust, both with their peers and constituents.

To summarize, to us they're just concept of the big network of stakeholders that is needed to insure stability and cyberspace.  We think that multi‑stakeholderism and development of trust are some of the key elements that are really important to get us there and make that happen.  As a forum, we have painted in a number of different initiatives including the open ended working group.  We provided input to the stability of cyberspace.  One thing we have particularly focused on in the last few years is training.  So where we provide a training to technical incident responders, today we expanded and also provided training to all over the government and all the diplomats working that space.  Thank you very much for the opportunity to speak.

>> WIKTOR:  Thank you very much.  It was very interesting and many notions.  But I think one that particular strikes me is also that there is a need for multi‑stakeholderism not only at macro level, but micro level anyway.  And, you know, what I would like to explore a lit bit more later on is how also your actions can be compared to the our confidence building measures you are practically implementing.

Now onward to you.  I think you have a very interesting story to tell as well from the perspective and I hope you will bring us as well very close to the human individuals and human beings with your opening remarks.

>> Jerome:  WIKTOR, thank you.  Very excited and they have considered to invite young people to these matters and I think it's a very good statement for the future of service security as well.  It's the first time that they take part in such a panel.  It is enlightened by the wealth of the panel, but I have been taking good notes of everything that you said and I think not agree more on many, many points including the fact we have to focus on users.  So I'm Jerome and I present a team of five people that are actually all based in the U.S.  We took them from Europe.  In India and the U.S.  One recently flagship new competition that the UN and the (inaudible) court has organized for the first time.  We wanted very recently and so we all train right now to build on the pitch we made to the UN.  It was to propose that we tried to build the service that would bring free cyber threat into the (inaudible) to users that don't have a lot of cyber knowledge.  So this is this kind of vision that we pitched and tried to sell to the competition.  We won a prize for it and with the resources and connections we made as part of the competition, we are trying to build it.  To the participants that are here today of any age and of any background, I would recommend that if you want to kick start your thinking about cybersecurity, you think about this competition.  We feel that it was very well done that we were really fortunate to receive advice along the way and that at the end of the day, it is through this kind of competition organized by businesses, but also big organizations like the UN that we can try to bring in some fresh ideas.  So I highly recommend this as well.  We believe that opportunity is high to try to target the user.  The user that don't understand very well cyber threats and to bring in websites and services that are going to help them.  We already are taking this problem of cybersecurity from this micro point and it's fantastic today.  But we can see with the Ambassador the macro point and then trickling down towards me more and more micro.  I think for us, multi‑stakeholder means this.  It means that we have been fueled in our thinking by this competition.  Without this competition, we would maybe have been sitting together and speaking about these things, but we already put our hands on the deck.  This is embodiment of what we would consider this model to be.  So also today now, we are trying to build on the momentum of the prize.  It's like ‑‑ we have one engineer on the team, but the rest of us including me are policy people.  So we've also very humble to try to understand better the technical issues, but our engineer is good.  And we welcome to the any partnership we are in contact with NGOs, with cybersecurity specialist and any kind much inputs or connects that we can make through the evens will be extremely useful.  We have a (inaudible) that we share with WIKTOR.  We can share as well.  So yes.  Even this background, I will speak this point of view today.  Thank you very much for inviting us and I'm very, very glad for your stay points.

>> WIKTOR:  I am thankfully aware of the time.  So let's also make sure that we can engage with participants of this panel.  I asked my questions.  In any case, I will leaf it.  But I wanted to check with all attendees in there is a brave person who wants to break the ice and start with a question.  And as I said to you, there can be also questions going to be put in a chat.  So I think as long as you are preparing your questions, then I'll be the first to launch.  I think all describe many interesting elements of this big puzzle that we are sort of focusing on.  I wanted to check with you.  What opportunities or frameworks should be explored win the multi‑stakeholder community to move discussions on sponge informative behavior and cyberspace ahead.  Any volunteer who wants to start first with that?  Do you see anything on the horizon either existing or do we need something new to advance that discussion?

>> Right, Woktor.  When it comes to responsible norms of behavior, it has to be worked out at all levels.  I already mentioned the discussions we have on how the existing international law and existing norms apply to cyberspace and in various opinions.  I'm sorry, but for us, it does apply.  Cyberspace is the same as any other space.  That behavior must not be happening in (inaudible) space including cyberspace.  But to carry on that message, it needs to go to all stakeholders.  For example, it's not only state to state behavior, but there is huge multi‑national companies.  So they need to be also involved in discussion.  They are.  Especially by the union they are to create the sponge behavior in the cyberspace.

Then the developers, and I don't mean just software developers.  If you develop a tool and you have technology tour or new technology or new software, I think it's important to keep in mind what could be the rules of using that tool in cyberspace?  So even on the designing level, it's not just the joy of being the best professional and doing something creative, but I think we should think about what were the results on that.  You have seen it.  This is what happened, right?  And just for example, so eventually again it's going back to the long‑term process, which is not bringing quick results.  This is the education of people.  And through the education of the citizens starting from schools, you have to put a lot more effort on teaching kids and young people.  But even the rulers, the political clocks.  Wharf you do, it has much more strength than it used to be in the past.  So watching TV, everything single we do now from social media or programming or whatever has a result for whole societies in countries and the developers.  We can't avoid it.  It is underestimate the element.  And also if I can (inaudible) a little bit more.  It is important to have instant reaction.  We talked about it today like cyber sanctions or critical incidents response teams in place and also here we need to come up with that.  Even what we heard from our panelists today is clear picture.  Nobody can provide cyber stability and cyberspace individually.  It must be a joint effort, and there are different ways.  There is one element which came and is not bring results today.  We need results today.  That's what we're doing in different ways, but we need the rules in the future.  We need to increase capabilities of state, societies, et cetera.  Here what comes to my mind is the new visual of the European union is the UPN cybersecurity technology on damage.  As we speak, this is in the process of creation.  Today is the deadline, if applying for the hosting of this institution.  One of those that want to endorse it in Poland, we hope we can win that.  But the important element of that on the level of the European union, we tried to create a center where we provide instrument to support the industrial technology and the research work providing for cybersecurity.  So this is a giant at the EU level.  This is ‑‑ I hope it will be changed and oriented towards multi‑stakeholders.  The idea of this center is provide through resource, but also ‑‑ this (inaudible) stakeholders in cyber first to help work them together.  When we were at rotating polish contents, we also bring talk to what is important with individual countries.  That is the partnership between difference stakeholders.  We have in Poland ‑‑ that's the part of the multi‑EU side initiative.  So we play them.  On the national level, we have at least two major partnership programs.  One is the government and industry, which involves a number of companies.  They're coming up with new solutions and just think what will be eyeful to help stability.  This is the program of corporation in cybersecurity.  They have another partnership program with 68 partners from different scopes from city, but also from research, academia, et cetera, working to increase this stack in space ‑‑ stability in stays.  But we'll have a number of government started programs which provide resources to small companies.  So, in GOs which are also strong here and also to the research community to work together to the same goal of increase cybersecurity.  We're 6 to eat programs.  In laland. 

On the national level, I see the center cyberspace.  And new machine it would ‑‑ and then we have to go back again to the government early.  But in the UN and this is my final remark here, on the UN as we discussed the program of action which I introduced at the very beginning in my intervention, the important one is we're going ‑‑ and in this discussion, we also will put a (inaudible) on how to include none on ‑‑ we want them to paid in this present bring their expert ease and bring perspective.  Be the global international level of the united fashions.  Be the original UPN union level.  This must ‑‑ keeping must take place.

>> we are running it and pick our time.  Therefore, you know, it's reflecting bad on me that I was not able to ‑‑ I want to give you a shot of 15 or 30 seconds last pitch that you would like to make to all of us as the multi‑stakeholder community before we close.  Maarten, can I start with you?

>> MAARTEN:  Sure.  Thank you, Woktor.  I think what Jerome mentioned about tutting the user first is really, really important.  A lot of what I said was all related to trust.  We bring in everyone and give everyone a voice.  So I think I'd like to close on that.  Let's focus on building trust and corporation and then I think we can get the stack.

>> Thank you.

>> FARLENA:  He spoke about security by design, but there's Moe things to be shared on the region.  These types of platform because region meaning that if we're looking at south east Asia and developing worlds, these are places where they're developing some of the platforms and regulations and endorsement when it comes to areas in security and design.  If the effort she does get to be developed and she has seven times of inabilities, was they can be a concern.  Second might be when it comes to asthma and how wee do we engage it best on the platforms been set up.  We do have to be at the table as well and these are also some of the moving parts when it diagrams to cyber stack.  The third part is to build and Maarten's point.  Sudden things are on when we are talking about say how do we regards cyber attacks or cyber attacks at level of (inaudible).  That's one ended in a discussion.  You are looking at this information or you're looking at something that is how data is bug eased.  Those can actually concern users and usefs.  I think this concerns how cyber stability is actually defined and contextualized.  As mentioned, there is a concern about geo political issues when it comes to cyberspace.  Those can have a lot of content that can be tapped into government agencies.  If you are looking at something like this information, that ‑‑ (inaudible) immediate landscape and that impacts how that comes in.  And also because this actually ‑‑ the types of sponge that governments have to approach some of these issues, I should divide it in ministries.  You can have ministry A and ministry B.  This can create a difference and how open some of the agencies can be.

>> WIKTOR:  Thanks, Farlena.

>> Yes.  Thank you very much.  I wanted to reassist that is very important.  That was one question, but we won't to cover it.  Food for thought for later.  I am wondering how we can make better the link between the gig government to provide frameworks and the grass would level and highway we can stream line this better in the future.  I think this is one key to the public.

>> I think ‑‑ I think that feeling of the being remote certain discussions do not touch me or they're so remote and accessible can create the such engine and engagement from the forms we are trying to add everybody to allow.  But last but not least, over to you.

>> Just to reflect on good thoughts.  Going back to the education, I think I could agree with what you said cyberspace ability starts with underneath to educate the people and educate them wise.  But also bring in the education on the signer lists.  So I'm doing it the way realize on ‑‑ so thank you very much for this opportunity.

>> WIKTOR:  I would like to thank all of and you also in the audience for this fan of the discussion.  I must admit.  I could go on.  There are so many strands and discussions.  IB looked hungry, but this is probably a good sign that we need to continue this process.  Personally as well like to carry over this message about thinking user first and thinking about the human centric approach.  Not forgetting human centric element in all the approaches we have discussed.  So thank you and thank you as well for the organizers IGF for this fantastic and for allowing us to stretch the time allowed for that.  Have a lovely rest of the IGF and I hope to see you in the near future.  Bye.