IGF 2020 - Day 9 - WS210 Nobody Left Behind -Interregional Cyber Capacity

The following are the outputs of the real-time captioning taken during the virtual Fifteenth Annual Meeting of the Internet Governance Forum (IGF), from 2 to 17 November 2020. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 




       >> Welcome to our webinar.  Please be informed that the session is recorded and hosted under the IGF Code of Conduct and UN rules and regulations.  And the link will be pasted in the chat.  And the chat feature is for social chat only.

     And Q&A feature is used to ask questions.  Please do that, and please enjoy the session.  Thank you.  We can start.

     >> KERSTIN VINGARD: Good morning, colleagues.  It is my great pleasure to welcome you to this IGF discussion Nobody Left Behind:  Interregional Capacity Building. 

     I'm Kerstin Vignard, and I have had the honor to lead through the process since 2009.  Capacity building is a fundamental component to empower all States to reap the benefits of the digital environment while protecting themselves and their citizenry from those who will try to destroy it from malicious purposes.

     We have seen an explosion in the quantity and reach and breadth of cyber capacity building globally focusing on different stakeholder groups and different themes and different objectives.  In the formal and informal meetings at the United Nations, the importance of capacity building has been an area receiving near consensus support by States and non-State actors alike and stressed there is a need for more capacity building while at the same time noting that capacity building needs to be guided by agreed principles such as reciprocity, sustainable and effectiveness and we should use better use of existing structures and organizations to do so.

     And as this pandemic's exposure of our digital dependencies has only underscored the importance that they said we should redouble our efforts while at the same time doing more to ensure that capacity building is effective, respectful and sustainable.  Today we will be considering how greater interregional capacity building could put some of the principles into practice.  How do different regions approach capacity building?  How do different approaches, how can they be shared or better leveraged to embody this two-way street we talk about in capacity building principles? For the next hour we will explore the benefits and challenges and concrete actions that could help different regions get the most out of it.  The four panelists bring a wealth of experience from different regions.

     But one of the exciting things about this is all of them have represented different stakeholder groups throughout their careers in governments and think tanks and regional organizations and the private sector and Civil Society so they really all have sat at different seats at the table, so to speak.  So we're really going to get like double the benefit from the panel today.

     By way of housekeeping, we'll start with a discussion amongst the panelists and then we'll open up to questions and insights from you the participants.  At any time you can submit the questions and comments via the chat function.  When you do so, if you could share your region or your stakeholder group affiliation because that's an important context for us in this conversation. 

     With that, I think I'm going to kick off with Latha Reddy, Co-Chair on the Global Commission on the Stability of Cyberspace.

     Ms. Reddy has had a long and distinguished career in the Indian Foreign Service.  She's the former Deputy National Security Advisor of India and has also served as Commissioner on the Global Commission on Internet Governance. 

     Latha, like many of our panelists, you have been a different stakeholder at different points in your career. 

     Now, based on your experiences, what do you see as the strength that Asia-Pacific governments and multi-stakeholder groups bring to cyber capacity building?

     >> LATHA REDDY: First, let me say how nice it is to be with all of you and talking on this global platform and talking in a multi-stakeholder group. 

     As you said, I had the opportunity to both work inside government and outside government.  Just to set in context, I'm from India but I have a global avatar, if I may use the word.  I have been on the Global Gommission for Internet Governance and the Global Commission for the Stability of the Cyberspace as co-chair.  I think I can take a broader local, national, and regional view.  Asia-Pacific is a very large area, and we are divided into very many groups and I think it is done very well in the Asia-Pacific so far as a region is as young, you know.

     They have really come up well with capacity building initiatives and I would suggest that every subregion, if I may use the term, within the Asia-Pacific could use that as a model, you know, the more advanced countries in terms of cyber capabilities like Singapore and others have really come forward to build centers of excellence, to take the lead and yet at the same time as you say, being very respectful and trying to introduce an element of reciprocity as well.

     This is always the trick with capacity building, you know, I mean it shouldn't just be one person giving and the other person taking whether between regions or between countries.  Both must feel that they are contributing to the conversation.

     And you know, in some way helping to build better capacity in their respective regions and between regions.  And now talking about South Asia as you know because of our geopolitical situation the SOC has not been as effective as it could have been.  Again, talking in a regional sense, India has been able to reach out to many of the smaller partners in South Asia and Nepal and Bhutan and Sri Lanka and Bangladesh and the Maldives and try to help them build capacity.  There is also capacity building within regions apart from between regions.

     I would say some systems are working very well.  SIRTs are constantly in touch and when SIRTs compare their experiences it is very, very useful as a learning process and as a strengthening process for how effective SIRTs can be.  And there are best practices set up between countries and it will have to be a mixture of bilateral, regional, subregional capacity building exercise to be really effective.  I will start with that and if there are any other points, we can come back to that later.

     >> MODERATOR: Thank you very much, Latha.  Your point on respectful partnership amongst neighbors in the same region is really well taken, and I think it helps transition to Folake Olagunju, Program Officer of Internet and Cybersecurity at the Cconomic Community of West African States and serves as co-chair of the global forum on expertise advisory board.  Folake, what do you see as the strengths of African regional or subregional ability in terms of capacity building?

     >> FOLAKE OLAGUNJU: Thank you very much, Kerstin, for the kind words.  And also for what Latha has said is pretty much the same thing.  It is always good to know that you are not doing anything completely different. 

     So from our situation in terms of cyber capacity building in West Africa, our region is very -- we're still trying to find our way.  And which that is sort of a good thing.  A good thing in the sense that we can actually now borrow from other regions and see what they have done instead of reinventing the wheel.

     Being the regional body what we are trying to do is establish relationships with donors to act as a bridge between our member states and the donors because we are looking at economies of scale and economics of learning and it is also a harmonized approach.  Within the region we know it is somewhat different in developing countries as it is in developed countries, issues are somewhat different. What we are trying to do is make sure within our region, like Latha said, we want to do cooperation so we can have a few key players within West Africa, Nigeria, Ghana, Côte d’Lvoire and even Cape Verde, the smallest country in the region.  But they are actively doing other things, so what we are trying to encourage the lesser member states that haven’t gotten to that level, to actually start engaging with individual member states.

     We built relationships with donors such as the EU.  We are learning from them as well.  The EU, they are a big brother or big sister, for lack of a better word. They are a regional block.  And one of the ongoing partnerships is with the EU and looking at African Union to see what they have done.  It is quite important that we don't over reinvent the wheel, for lack of a better word, because capacity building is capacity building.  We want to ensure whatever we actually build, it actually trickles down so we want to make sure and use the word that nobody can really explain, sustainability.  Sustained capacity.

     We want to make sure when we build the capacity, we are building it and people actually sustain it and we keep building on that.  Pretty much almost the same thing as Latha said is what we are doing.  We haven't done anything completely different as yet.

     >> MODERATOR: Thank you, Folake.  I'm glad you brought up the definition of sustainability, that amorphous good sounding word but what does it mean in practice. 

Perhaps we can circle back later in the conversation.  Both of the first two speakers have mentioned the importance of regional or subregional organizations as being that bridge of helping increase effectiveness, whether through matchmaking or asserting us at bridge and that is maybe something that we can circle back to if people are interested.  I sometimes wonder if we are investing enough in building capacity within regional and subregional organizations as a force multiplier to play the role.  Maybe we could circle back to that if people are interested.

     Now, Liga Rozentale, Security Director for the EU Emerging Press and Cybersecurity at Microsoft and former Cyber Diplomat at the EU and NATO.  What do you see as the strengths of the private sector and regional arrangements in Europe in the field of cyber capacity building?

     >> LIGA ROZENTALE: Good morning, Kerstin, good morning all panelists and all the participants.  It's a pleasure to almost be in Katowice at IGF in Poland.  So thank you to the organizers for all their work in turning this event to digital, which is a bit unprecedented at this scale. 

     As Kerstin mentioned, I've had a career in both government and the private sector, and so I think looking back, multi-stakeholder is sort of the theme of my CV.  But I just may speak from the perspective of Europe where I have the best visibility of what the governments and private sector are doing. 

     However, being a representative of Microsoft, I also have a strong visibility of how the global company is looking at these issues on advancing cyber norms, on looking at capacity building, and trying to find how we can work across regions as a global company.

     So looking at Europe itself.  Europe has a slightly different arrangement on cybersecurity and capacity building because in Europe there is the EU that has a very strong legislative framework and cooperative framework that is very positive in some way.  We have legislation that requires certain minimum levels of capacity across the EU which is excellent and also forms a lot of opportunities for cooperation across governments.

     However, moving from government to the private sector, I see that, you know, the work among governments is excellent but how we could turn that into a multi-stakeholder process is slightly different.  A two-track process.  The multi-stakeholder process which is sometimes in competition with the government processes.

     So how do we make that bridge to make the government processes more partnered with the multi-stakeholders of Civil Society and the private sector to take best advantage of all of the resource?  Both regionally and then how can Europe work with the rest of the world in this kind of format?

     Microsoft is very active in capacity building and we are looking at the Paris Call by a tool to supplement processes going on by government.  The Paris Call addresses nine different principles on building cybersecurity through various cyber norms but we want to go beyond that to see how we did actually implement these norms to work on capacity building.

     The UN efforts that are ongoing are excellent and we support that as much as we can.  And there are various initiatives looking at how the multi-stakeholder process can go forward but I think it is important to share the lessons across regions and compare what are the differences so we don't make assumptions about what works and what doesn't work.

     I think the two previous speakers have identified how different areas differ and I think that is excellent.

     I think that in Europe, there is an excellent government perspective on this with the EU cyber dialogues.  I would be interested to see if there is a process that could accompany and build bridges.  I was pleased there was an EU-India dialogue after many years of discussion.  Perhaps we could see how there could be an EU-India not track two but next day process with the multi-stakeholders engaged in the process and see how that could apply to different regions.

     So getting the understanding of how different regions are approaching capacity building is quite important and I wanted to highlight one step we are taking on building this understanding is yesterday at the Paris peace forum Microsoft in the global forum on cyber expertise announced a new joint project on a new Africa program manager looking at implementation of the Paris Call in Africa over the next year.

     So we are looking forward to that cooperation and looking at how that could supplement capacity building in Africa as a first step in the next year.

     >> MODERATOR: Thank you, Liga.  And that was an exciting announcement yesterday for sure.

     And perhaps next year when we are having this conversation we can be doing specific lessons learned from that experience.

     Now, lastly, we have Bart Hogeveen.  Bart, in your role it is inevitable that you would be on the panel because your title even has cyber capacity building in it.  Head at the Australian Strategic Policy Institute International Cyber Policy Center and worked on cyber capacity building in the Asia-Pacific.  What do you see as the strength of think tanks in academia in your region's cyber capacity building efforts?

     >> BART HOGEVEEN: Thanks and good evening to fellow panelists and everyone listening in.  As you mentioned, I'm working with a think tank based in Australia.  And as my previous speakers mentioned a bit of their background, my background is a nexus of international peace and security and development issues.

     Now as the role of as a think tank, I think it is obviously a bit different from the previous speakers who are either working with the regional organization or a bit multi-national or national government and we don't have those resources behind us to do and decide on capacity building issues.

    What we can do and what we are doing is obviously to look at what is happening domestically but definitely also in our region.  So provide a level of analysis.  Provide advice what is currently going on and look at the gaps so the duplication and additional issues that government, industry or regional organizations could tap into.

     One of the other things the think tanks like ours play a role in, and Liga mentioned, is organizing 1.5 dialups and where we, indeed, big government, private sector and Civil Society organizations together in a bilateral, trilateral or whatever lateral dialogue with other organizations.

     Now one thing I just would like to share let's say based on my experience working with cyber capacity building in this part of the world for the last couple of years is that working from Australia which has obviously been active in cyber capacity building.  There was even a dedicated cyber capacity building program with the Department of Foreign Affairs but looking at three very different kind of cyber capacity building conversations or dialogues in the region as obviously kind of internal capacity building and within the country but also with kind of similarly mature nations.

     Then let's say on our eastern side, I mean Australia and New Zealand and to a part Singapore are also engaged in the South Pacific and there you have a completely different dynamic from conversations elsewhere where it is much more about connectivity and how do we make sure that people are actually taking up the benefits of ICTs in a responsible manner as I sometimes tend to say they are not entering the internet of the late 1990's but the internet of the 2020 which is so substantially different.  And in southeast Asia where the focus is less on regional security but more on connectivity and how do we transform economies as industry 4.0.

     So you have different kind of dialogues happening.  And to pick up on one point, I think it is for a -- for less of a cyber capacity building nation where it is also looked at providing, it is hard to provide expertise and sorry I'm using catch words that isn't really sustainable and really make sense in a very different local context.

     And I want to echo I think the point made at the start of the conversation that capacity building is very much kind of a back and forth between multiple partners, I would say.

     But I don't see that really happening in practice.  I see what I see happening in practice is obviously that lots of capacity building is offered and that those with their feet on the ground get lost out of it and get a feel for local context and what is required.  How that should go through and programming let's say at the policy or higher level, I think that is a very big challenge and we see that partly represented in some of challenges that we are facing but also regional capacity building centers that have been stood up here in the region for instance in Thailand and in Singapore.

     I will leave that for now.  And, yeah, I will leave that for now.  Thanks.

     >> MODERATOR: Thank you, Bart.  And I see that you brought up sustainability again.  So I think we are definitely going to come back to that.

     I kind of would like to scratch a little bit deeper on this idea, there seems to be, we have a whole panel about an underlying assumption that more cross regional sharing, that region to region sharing is either necessary or would be beneficial.  So let's unpack that assumption.

     It is something that uniters worked on in 2018-2019 we did a series of meetings in cooperation of CSIS of Washington on exactly this and specifically looking to see if there was appetite for more structured conversation between regional and subregional organizations.

     So maybe we could start with that and look at why do we think that cross-regional sharing is something to be pursued rather than just a simple interest or I mean why interregional?  Latha, do you want to take a first stab at that?

     >> LATHA REDDY: Yes.  I think it comes from the fact that, you know, cyber is essentially a borderless regime, right?

     So we can only be as strong as the weakest link.  So it makes sense that it is not just being strong within your country, within your subregion, or within your region.  To really have a proper open, secure, safe system, we must really cooperate between regions.  So I would say that is the fundamental reason.  The second point is it is a game of catch up really because there are some countries which are very advanced and have great cyber capacity building already in place.  And there are many who don't.

     So unless we really reach out between regions, how are they going to bridge this gulf?  Your problem is that the largest share of future users and even now the largest share of users don't necessarily come from the highly developed countries.  The largest user of cyber space today is China followed by India, whereas it is widely recognized North America, maybe the five I's and EU that you have got the strongest cyber capacity already installed.

     So how are you going to reconcile these two unless there is interregional cooperation?  That will be really my take on it.

     And I think that if you don't give the global south a legitimate voice, you know, when they are going to be providing most of the future users and even today provide a very huge proportion of the users of the internet, you are going to have an inherently unjust system which is really not correct.

     I would welcome any and all efforts at bridging this gap and bridging the digital divide, connecting the unconnected and bringing in more inclusion.  I think it would be wonderful if every region could cooperate, you know, in this.  As I said earlier, even within the regions that -- the ones who have more advantages, who have more skills should really take the lead within the region.

     And more importantly, the more developed regions need to really reach out in a big way, which is why I think it is very exciting on what Liga said about the announcement at the PPF yesterday.

     That is really the sort of thing we should be looking for.  And Liga, incidentally, you were talking about the EU India cyber consultations.  In a sense that was a track 1.5 because, you know, I was part of that.  I actually chaired a panel.  Because you had representatives from the EU, you had the ambassador of the EU to India, this was held in Delhi.  And yet at the same time you had private experts such as I would render to say myself and other colleagues, academics.  You had some private sector as well and you had think tanks whether the German marshal fund or the EU institute of strategic studies or the ORF who were the cohosts.

     That is the way to really build capacity between regions.  In this particular case, it wasn't between two regions, it was between the EU and India but the same model could be extended to interregional cooperation by establishing track 1.5 dialogues between regions and I think that is very, very important.  I saw it for myself when we had the AVEM, the at the Asian Plus 6 and the EU dialogue only many other issues.  I don't see why the same shouldn't be happening on cyber as well.

     >> MODERATOR: Thank you for that concrete example.  Liga, you mentioned in your initial intervention about how we check our assumptions when we are engaging in cooperative partnerships across regions.

     So could you say more about that?  And maybe why even -- the challenge of checking one's assumptions, how do you do that?  And again, why is this so important, this cross-regional sharing?

     >> LIGA ROZENTALE: Yeah, sure.  Latha, thanks for the information about the EU-India dialogue.  And it is quite positive to hear that there were non-governmental actors in that that and I certainly encourage those processes. 

     But back to the question about checking assumptions.  I find that as being a global player and being quite a force sometimes in global issues, a company such as Microsoft really needs to tread carefully when moving into the space that is a bit on global governance issues and we want to have a firm understanding where we can supplement and help other processes ongoing and do that in a constructive manner and not derail some things going on at the UN and in other formats.  Understanding how resources could be shared in a thoughtful and sustainable way is very important.  And how we go about that is -- has to be careful and has to have a lot of feedback from regional actors.

     I think whether I speak from the side of Europeans or from Microsoft, you know, we sit in our own environment and we know it works in our own environment.  And that doesn't necessarily translate across regions.

     So to be able to ask the right questions I think is part of the first steps in approaching cross-regional dialogue to be able to see really how resources could be matched, how we can you mentioned this two-way street, and how we can make that two-way street really work.  And you know, and how we can fit in as a global actor.  We are a U.S.-based company, but I would say a lot of the actions on building sustainable development and working with the UN is a much more global process than just the North American process.  How can we take place across regions as a global actor and connect the input we have on cybersecurity looking at a global scale on a more regional/subregional scale and how we can be useful in this process without making assumptions.

     >> MODERATOR: Thank you, Liga.  Maybe we could pivot to circle back to something that Bart mentioned and then maybe this could be a good place for him to come back in.

     In your experience, to what extent can good practices from one region be applied to others?  You had the experience working both in the Asia-Pacific but also on your international projects that have a more global focus. 

Where in your work have you seen or wish to have seen greater cross-regional sharing or felt there was an opportunity being missed either for lack of capacity, lack of sustainability, lack of resources?  Could you say some words about that, Bart?

     >> BART HOGEVEEN: Sure, by all means, and it is one of the points I would be keen to follow up on.

     Because I might want to take a different approach because I'm not so sure whether kind of capacity building that is from one region to another reason or let's say that relationship is as productive as we sometimes want to think.  And I think it is precisely what Liga just mentioned.

     And I'm coming let's say for the moment let's say from a Pacific perspective where there is no strong regional organization.  There is no body which kind of either coordinates or is really kind of helping nations with articulating what they really need based on the local context and what makes sense in a local context.

     So for instance, an Australian or Microsoft solution in the Pacific in nine out of 10 cases would not make sense.  Even the lessons learned would probably be difficult to apply in a totally different socio-economic setting, and also in a totally different kind of governance setting.  That is really important I think to consider.

     So, for instance, there is definitely value for instance where we compare experiences from the Caribbean with nations in the South Pacific.  Or whether you compare maybe experiences in Latin America with Southeast Asia.  I could see there might be some similarities.  I think in most cases and that is also part of capacity building is how you learn as a single economy and how do you learn as a region.

     Because we all have particular trajectories how the internet came to our nations and how we started adopting new technologies one way or the other.

     And I just want to -- when Vint Cerf was talking at the one and only Internet Governance Forum that was hosted in a Pacific Island in Vanuatu I think two years ago, the regional one. 

     He said, every country needs to kind of write up its own, let's say history of how the internet came to the country and how it grew.  And I think that is very important kind of to take that perspective because it is very much kind of a national learning path. 

     So I'm not so sure whether interregional capacity building is as valuable and as productive as we sometimes want to think.

     That ties to the other point I wanted to bring in.  One thing that is really missing in lots of the cyber capacity building work and people who are working in the space and that is the developmental expertise that ability to talk with kind of potential recipients of support to really articulate, define and reassess assumptions what is really require and what would make sense in their particular context.

     That might mean that you are well, that in the end you take a completely different direction than what you would initially think would be appropriate.  So that would be my other point.

     Developmental expertise I think is really lacking in the space.

     >> MODERATOR: Thanks, Bart.  Folake, can I put you on the spot on that since you would, in regional or subregional organization that has an economic development et cetera focus.  Could you respond to what Bart just said?

     >> FOLAKE OLAGUNJU: Bart and I, sometimes we agree and sometimes we don't agree.  I'm kind of in the middle with what he said.  I kind of think there is room for inter capacity region building on one hand.  On the other hand, I understand where Bart is coming from.

     There has to be international buy-in and ownership and commitment, and if we are not there we are wasting our time.  We need to make sure that those three things are in place.  Wealth builds a nation, if you have money and the funds you can do capacity building.  We don't have that in the region.

     When we get donors or partners coming in, we have to assess the capacities and the resources they have to see if they can actually filter through or make a difference.  I think a lot of donors are dangling the carrot and then they expect you to just take the bait.  As the Global South or developing countries we need to do a little bit more and show that we are not just taking any carrot that is thrown at us.

     So I think in that respect if you look at the traditional donors and the non-traditional donors, you find that quite a number of countries are moving towards the non-traditional donors because the requirements are less and less stringent which sometimes might not be a good thing and sometimes might be a good thing.

     You have to see where each country is coming from.  The economy is different, each country is different.  There are certain nuances in West Africa that we won't find in the Asia region.  We need to talk more even if it is at the regional level because the regional bodies understand what is going on in their member states.  I can say our member States take what we say as fait accompli.  If we say to the member states please join the GFC, there are resources available, most of our member States will do it because they do take what we say as authority to a certain extent.

     >> MODERATOR: Thank you.

     I think that really helped give us a more nuanced picture.  And I appreciate you jumping in like that.  And that resonates with one of the comments we received from one of the participants. 

We have Teresa from the DiploFoundation who noted in cross-regional capacity making sure support is neutral and unbiased.  As you said a lot of times it comes with strings attached and that is something we talked about in the OEWD.  I was wondering if other people on -- OEWG.  I was wondering if people on the panel want to talk about strings, no strings, now it works and making sure that that buy-this is there.  Does somebody else want to jump in on that question?

     >> LATHA REDDY: I would like to jump in on that question.

     >> MODERATOR: Thank you.

     >> LATHA REDDY: I had experiences early in my career when we were successful in promoting tele-education and telemedicine models to many developing countries.

     Building on that experience, I would say a country like India that has been able to build very good platforms for payment platforms, e-commerce platforms and FinTech forms and online banking platforms at not a very great cost, you know, would be happy to share that expertise with the other developing countries provided there is an interest.

     So how this would fit into interregional is a question.  Because obviously the cultural contexts are different in different regions.

     But, in some ways you know, these models that have been developed in developing countries, maybe more so for the global south and I think we have, you know, sort of special fund for Africa.  So even the funding could come from that.  And I think by and large India does not attach conditions like, you know, that only Indian firms should do the work or that we want to bring in our own workers to be installed in that country.

     The interest is very much in training local people to take over and to keep it sustainable.  So I mean I'm just throwing that in as an idea that, you know, there is possibilities of this sort of cooperation as well.

     >> MODERATOR: All right.  Liga, did you want to jump in on this as well?

     >> LIGA ROZENTALE: I was thinking about the strings attached to any sort of capacity building.  When we look at the UN processes, I think it is one approach that any capacity building we want to have also accompanied with respect for international law.

     And so building a foundation that looking at the future once capacity develops in a region that this will not become a region that suddenly does not respect international -- the equitability of international law and responsible behavior in cyberspace, as already identified in different UN GGEs from 2015 and prior. So how can we partner capacity building with norms is quite important from our side.

     I mean we see that from a corporate responsibility perspective.  We address cyber norms quite -- with some fervor and we would like capacity building to two along the same lines.  How can we make that work and how can we emphasize that responsible behavior plus capacity building is good for longer term development?

     >> MODERATOR: Right.  Thank you for bringing in the linkage between capacity building and the responsible behavior framework that we have already in place at the international level.

     Does anybody else want to jump in on this because I think it is a nice segue to talk about trust.  We have a question and also a comment from the Q&A about, you know, cross-border or global capacity building for cyber security and even internet governance.

     There is maybe a lingering what the person says here is a lingering mindset of distrust across some regional or economic blocs.  How do we address the issue of trust and efforts to build trust in capacity building?  We talked about the carrots and the sticks and the only -- not obligations but the linkages or conditions, conditionality.  Trust and legitimacy are key criteria for successful capacity building.  And not just capacity building in and itself but for building the enduring relationships that we believe are the foundations for success here.  If your view, are there existing regionally focused organizations or partnerships that are maybe underutilized or underleveraged that are trusted partners that have kind of inherent legitimacy in particular regions?

     We talked a bit about subregional and regional organizations.  Bart has mentioned the value of think tanks in track 1.5 or track 2 initiatives.

     And so first, within the region, are they under utilized and how could we better leverage those sorts in cross-regional/regional sharing?  I will throw that out to the whole panel.  Maybe Folake, would you like to start?

     >> FOLAKE OLAGUNJU: Thank you, Kirsten.  Leadership is key.  If you have a -- thank you, Kerstin.  Piggybacking on what Liga said, when you're talking about the norms the OEWG in West Africa still talking about SIRTs, talking about SOCs and digital labs.  So we are not quite at that level. 

     So I think it is important that we start educating our leaders so that they know what needs to be done.  And this is the time to actually start doing that.  So we need to leverage the relationships with the GOCs, the EU and Bart's organization and you name it.  I think if we start building those bridges and use the regional bodies a bit more because we have got more power in terms of trying to get our member States to actually come in as a group.  So you can imagine, if you take ECWOS, for example, you are talking about 400 million people, it is easier to drill down than going individually State by State it is not going to work.  And that way you are sort of killing 10 birds with one stone.  I think we need to look at that approach.

     And face to face matters.  Member states, countries, people, they want to talk to people they already know.  You need to build that trust.  I mean if Liga goes to, for example, Senegal, if nobody knows her in Senegal, she is not going to get anywhere.  It is the reality as we know it.

     Even if Microsoft wants to build a relationship on the Paris call agreement you have to have strong partnerships with the regional bodies and then they will take it through.  That way will be a more success.  Approach.  Utilize the platform such as the GFC.  They are tried and tested and run initiatives in several countries, Senegal and Gambia and those have worked.  We need to use the structures in place.

     >> MODERATOR: Interesting that we are talking about both trust in kind of institutions and organizations but also the personal trust and relationships that get built up and that is also part of the sustainability question, isn't it?  And how much is personal.  And maybe some of the challenges that the current pandemic and the lack of, you know, the ability to hop on a plane or do a three-day workshop or do what you need to do on the ground, how that has kind of set new challenges for developing new relationships.  It is much easier to maintain relationships that already exist in a digital environment than it is perhaps to establish new ones.

     Other panelists on this question of trust and?  Yes, Latha and then Liga.

     >> LATHA REDDY: I just wanted to actually talk about another issue, you know, when you are talking about capacity building, you are talking about the need to build infrastructure, you know, to connect the country.

     You are talking about the need to master technologies, particularly advanced technologies that Folake spoke about.  I think the policy issues are also very, very important.  You know, because this idea of educating the political leadership to take the right decisions the idea of building capacity on policy issues is very important.  A lot of people say data is the new oil and they really don't know what they are saying, you know, it is just a catch phrase.

     The real issue whether it is data governance, data protection, data privacy, you know, what are sensitive personal data.  You need to go into these things in a little more depth to be able to talk with any authority.

     And the same is true of internet governance and of norms, the various efforts going on to build norms around the world.

     I would say there is a need to build all of the three capacities, and I think that if partners come forward with very concrete examples of how they can help with each of the areas or some of the area, that in itself will build trust because you realize that you are not just saying give me a contract to build something, right?  You are actually saying I want you to become self-reliant and I want to teach you how to master each of these areas.

     So I think that is a great trust building exercise.

     >> MODERATOR: Thank you, Latha.  Liga?

     >> LIGA ROZENTALE: I wanted to speak from the experience of Europe on the trust-building issue.  We have close government cooperation but trust has -- is something that is always something that has to be constantly readdressed.

     Europe did this through legislation which was quite controversial so have sort of a forced cooperation and trust building through the NIS cooperation group and the C-CERT network adopted a few years ago.  In my experience sitting on the side of government at that point, it was quite controversial to force all countries to send one participant to discuss strategic issues in cybersecurity because it was a mandatory cooperation.

     And that process is still under way.  But over the course of years if you make people meet three times a year and look at each other and discuss their families over coffee then they do build trust eventually it turns out.

     The important thing is to keep the same people in the room over the course of the years and that is difficult.  And the situation of COVID, it is more difficult.  To talk to people over the computer, we are getting used to it.  How can we take the European best practice of making people get in the same room and see if that works in other regions?  I realize what Folake says, if I go to Senegal, nobody is going to listen to me regardless of who I represent.

     So how can we built the trust along the European example and see if that works?  SIRTs from all over the world that goes quite well.  C-SIRTs don't even want to talk to their counterparts on the sort of strategic government side as well.  Within a government you need the strategic side to talk to the technical side openly as well.

     So there is lots of layers that need to be addressed.  But getting people in the same room is quite important.  As soon as we get this COVID problem taken care of maybe we can look at that in a bit more detail.

     >> MODERATOR: Bart, I think you are the only one that hasn't come in on this get.

     >> BART HOGEVEEN: Thanks.  And I'm still expecting Microsoft to come up with a vaccine that will get us all traveling very soon.  Without kidding, maybe I will share an example of the point you raised earlier Kerstin.  Kind of the UN processes. 

I wish it wasn’t brought up in this conversation but one example project helping the southeast nations with the implementation of the UN cyber norms.  Whether you like it or not or it is effective or not, it is seen as kind of an agreement that is kind of being pushed towards these nations and many countries are looking at these nations to subscribe to it and they have done that in public and in the public state and kind of how do you kind of build a deeper level of comfort and awareness of what these actually mean in practice? 

We set out a kind of a program which looked at, first of all, looking at what would be local knowledge partners, local think tanks in the region that could help us and that we could kind of train up and help develop their own knowledge and skills and engaging with their government counter parts.

     When we ran the trainings and workshops, it was really trying to listen what would for instance D-11 UN norms mean for them in practice and what we found and hopefully not too long we will also be able to share information because we have done that in confidence in most countries you see practical examples of the norms.  When Folake is talking about the SIRT development, that is in fact having the capabilities and having policies around these institutions is part of the implementations or the norms and what we also say is that in the absence of a UN blueprint with you I don't think that will happen any time soon or at all, I'm not sure whether we should want to either, that also allows an opportunity for each nation to develop its own interpretation of what an international agreement means that their specific context.

     I think we have been successful in creating a level of trust and being there for the long run and delivering something concrete but also being critical about our own nations that we represent and that we don't have all of the answers to all of the questions.  I think this is an example of where sustainability can work at a very practical and operational level and where you build let's say greater awareness and a deeper sense of comfort with what is happening let's say at the global level.  Because I think despite what we believe, things are happening very quickly especially when you talk about the UN processes unless you are deeply involved in it.  For most countries it is still a very quickly evolving road show which they find difficult to really follow and really grasp.

     >> MODERATOR: You know, thanks, Bart.  I think that helps round us out.  But I wanted to share with everyone a few of the comments and insights that have come from participants here.  A colleague, Silvia at the SAE has -- says she agrees a lot with what the panelists have said but following on Bart's remark that interregional capacity building is maybe not as productive as we would like to hope it would be. 

     And Folake reply, she says she would add that exchange between regional organizations can be fruitful not with the aim to copy from one to another but to exchange best practice, specific practices and see what can be done for a specific sub or a specific region.  And a forum for regular exchange would be valuable.  That is certainly something that I know that Silvia and I have talked about in the past about how do we even in informal ways help regional and subregional organizations connect more amongst themselves to exchange their experiences. 

     Another person commented and said personal relationships and personal trusts is what expands between nations and regions, which echoed some of the things that have been said on the panel. 

     We have a comment that says my personal experience is a minimum of three meetings, and the third meeting something changes.  There you go.  That's an endorsement of the European three meetings.  Even between police, C-SIRTs and regulators it is about learning positions and if and where there are common goals.  And I have seen some enlightening experiences there.  So three is the magic number apparently for breakthroughs.  And this is from a Dutch colleague representing at this IGF in part of the Dynamic Coalition on Internet Standards, Security and Safety.

     We have another comment says she agrees strongly with Folake's point about building capacity through and of regional institutions.  It seems like we have a lot of interest and agreement on both the personal side, the importance of regional actors as being trusted partners that are probably under utilized and they need capacity to be enlarged and that is perhaps is a force multiplier we can do more on. 

     I'm conscious of the time, and I think this is a great discussion.  I wanted to dig down into the question of sustainability.  I think we have been skirting around it by emphasizing both the personal relationships are being important, but people move on, people retire, people move in and out of positions. 

     So how do we balance that personal connection which is important with sustained institutional trust and legitimacy.  How does that work?  Have to start with the personal and then kind of colors institutional relationships?  Is there some sort of transfer that happens?  Or how -- we can't always rely on personal connections.  So I just was wondering if the panelists could quickly if anybody wants to tackle that one.

     >> LATHA REDDY: I would like to come in on that, Kerstin.  When I was in government it was very important to build that personal touch.

     I don't know if the magic number is two or three or four, it could be different.  But yes, because your first meeting is essentially to state your positions.  It is to make the other person aware of where you are coming from.  And in subsequent meetings you take that for granted and then start seeing what are the things you can agree upon.

     And certainly by the time you have three or more meetings, trust is built.  And as far as changing the personal relationship to an institutional relationship, I would talk about, you know, very briefly about my experiences as a diplomat.

     You move on in three years, but certain relationships have been built.  What do you do?  You leave a handing over note for your successor saying these are the usual contacts, these are the institutions it is very good to cooperate with.  And I think a wise successor would actually take note of that and build on that.

     But it is still somewhat personal because it depends on how much each person wants the successor to succeed.  And it is not always the case.  So I would say sustainability is very important.  Keep the same relationships going where possible.

     And where it is not you create a mechanism that says this institution it worth cooperating with no matter who is in that one and who is in your own institution.

     >> MODERATOR: Starting with the personal and --

     >> LATHA REDDY: Starting with the personal.

     >> MODERATOR: And allows creation of the institutional.  We only have three more minutes, colleagues.  And I'm -- I feel like we could continue on this for some time.  And this is such a great topic. 

I think in the remaining three minutes, I would like to ask you all to just in lieu of closing remarks or final words just before we wrap up, I would like to ask each of you imagine we are at IGF 2021, thank you for giving us the background there, Liga for us to look at, we are all imagining and reflecting on interregional capacity building a year on.  And Liga might be joining us from Senegal at that time, I'm not sure.  But regardless, taking into account the challenges of capacity building during the pandemic, which unfortunately seems to be with us into next year, certainly.

     And also that sense of urgency which has been amplified during this time for all of us.  A year from now, what is the one thing you would be looking back and saying in your role where you are now, what would you have been most pleased to see change in the next 12 months on international capacity building?  What would you like to achieve that is realistic under the current circumstances and environment?

     Folake, could you?

     >> FOLAKE OLAGUNJU: For me, I would say I would really hope that the countries in West Africa are moving slightly into talking about CBMs and norms that would actually encourage more responsible behavior because right now the conversations are still all around the technical side of cyber.  So for me, I think we need to start talking more about the diplomacy side of cyber because I think that is important and they go hand in hand.

     >> MODERATOR: A good priority for the next year.  Bart?

     >> BART HOGEVEEN: Two things.  I would be very happy that within a year from now we can look back and talk about a very dynamic GSCE Pacific hub that has just been announced a couple of weeks ago where we are looking at establishing a regional center expertise or operational hub that can support companies with a global headquarters back in Europe and with a local hundred in the south Pacific region.  I'm looking forward to how that is developing.

     And secondly echoing Folake's point and finally we are back on the same page again.  I would be very content when we see more countries and more organizations feeling comfortable with expressing their views and their positions on a whole range of cyber security and cyber development and ICT development issues than we see currently.

     >> MODERATOR: A good metric of success.  Latha, in less than a minute, what is your wish for 2021?

     >> LATHA REDDY: I want to see a universally trusted global agency emerge on cyber capacity building.

     >> MODERATOR: What about you, Liga, final word?

     >> Liga Rozentale: I would like it to be multi-stakeholder so Microsoft can participate.  But also building the trust necessary in the multi-stakeholder environment to look at how to address the cross-regional cooperation a bit better.

     >> MODERATOR: The first meeting out of three next year.  Okay.  And with that I would like to thank the fabulous panelists.  I'm sure you found this as stimulating and thought provoking as I have.  I wish all of you a continued and productive interesting discussion at IGF 2020. 

     Thank you to the organizers and thank you for giving me the opportunity to speak with you this morning/evening/afternoon depending on where you are.  Thanks so much.  Have a great day.