IGF 2021 – Day 3 – WS #142 One click to attack critical infrastructure. What can we do?

The following are the outputs of the captioning taken during an IGF virtual intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.



>> ANASTASIYA KAZAKOVA:  Hello to everyone and welcome to the UN Internet Governance Forum.  This is one click to attack critical infrastructure.  What can we do?  We discuss infrastructure protection on the focus of international cooperation component.  My name is Anastasiya Kazakova working with Kaspersky.  I am happy to be your moderator and my colleague public and first Manager Pierre Kaspersky will be the moderator along with me.  Please do not hesitate to share your views and use the chat for that.  We will be hearing first the views of the experts and after that, we will also try to take the most interesting questions to address them additionally to the all experts.  I am really excited to launch the part number 1 and start first with national approaches to the critical infrastructure protection and discuss what can be ways to consensualize a CI protection network.  We have the first speakers for the first part and just to introduce all of them, we'll have Ambassador Regine Grienberger from the Federal Foreign Office in Germany.  And Danielle Klingeley the Senior Advisor for the foreign affairs Switzerland.  Mr. Dan Yock Hau.  And Ms. Johanna Weaver and ahead of the Australian Delegations UN and a group of governmental experts.

So as you can see, we try to invite the experts providing different regions and different countries' approaches to have endeavors views and understand what is actually now the key elements in regulating critical infrastructure protection.  I would like to address the first one to first to learn about the national perspectives.  What are the key elements in national regulatory approaches to protect critical infrastructure and what is really interesting how countries see what is critical and how it is critical especially after the first wave of the pandemic.  I'm really happy to pass the floor to Ambassador Grienberger and Mr. Klingeley and Mr. Vaughn.

>> REGINE GRIENBERGER:  Thank you, Anastasiya.  The task here is analyzing how infrastructure protection and policy could be good work.  I start to show how we do it in Germany, so our national approach and then how it is embedded in EU in the EU framework because this is, of course, a regulatory framework for us.  And then I mentioned something about our international cooperation, but I leave the UN framework so that global framework to the speakers from Singapore, Switzerland and also to Johanna where all three are championing the UN network.  I align with them, I think, but I will not mention it in my (?).

So Germany is a big country, a transit country, a big market economy that also means critical infrastructure is in private hands, but the specialty in Germany, they have a federal system which means some of the critical infrastructure the owners of the regional level, regional entities and municipality.  We have eight neighboring countries.  Eight EU countries plus Switzerland.  So these are the circumstances which lead us to something that we call a whole of government and a whole of society approach to critical infrastructure protection.  Essential elements of these are that we observe close public‑private cooperation with intense information sharing also our best practices and lessons learned.  We try to continuously improve the cybersecurity level.  So this is ‑‑ this means that our architecture is not static, but dynamic.  We monitor very closely the development of the threat situation especially with regard to cyber threats.  We have a national cyber defense center for that.  And the priority support is given to critical infrastructure operators by our authorities.  For example, we have a mobile incident response to.

The national framework is basically consisting of 4 important things.  The first one is law on the security of networks.  It created cybersecurity agency the BSI.  And there is also a directive on critical infrastructure as the legal framework for the cybersecurity of critical infrastructure.  This has been in place for several years, but it's updated from time to time.  It has been updated or so this year.  Also in the action tool, they're increasing threats that we have seen experienced during the pandemic that everybody relied heavily on a digital environment and we saw also ‑‑ we saw on the other hand incidents that were increasing and numbers rising.

According to the specifications, critical infrastructure operators must implement and technical organizations and measures for IT security.  Both at federal and state levels there are coordination offices for critical infrastructure which are tasked with coordinating and networking measures.  And the second element is a critical infrastructure strategy which summarizes the objectives which threat situations in the areas of (?) and responsibility for both government and business stakeholders.  Here in this directive or this strategy also our neighbors, the EU, the G7 and NATO are mentioned as most important partners for our national critical infrastructure protection.

Let me have a cybersecurity strategy has been renewed this year and was agreed on in August 2021.  This is a public document because it mirrors this whole society approach and it gives tasks to all stakeholders that are responsible or that contribute to private security.  To Civil Society, the academia and also to the government on both national and federal level.  Then you heard back about IT security law which is the law that was under discussion when we discussed also how to ‑‑ how to speed up the deployment of the 5G networks in Germany.  It is the law that strengthens also our cybersecurity agency and gives it authority, for example, in detection and defense against cyber attacks.  The security of mobile networks, Consumer Protection security for companies and cybersecurity certification.

So when we look now at the European level, we have just our last Friday, I had an agreement among the member states on a new network on information security directive.  It is also an update from a former directive, but we have also seen the need to, for example, intensify our efforts to protect critical infrastructure.  So this network and security information security directive in this too now.  The council has agreed on it.  Now it's going into the negotiations with parliament.  And we implement this European regulation by our national regulation.  Perhaps some elements also of our international cooperation.  So beyond the European level, I would like to mention the counter (?) initiative.  This is an American initiative where Germany joined and personally needing the diplomatic track within this initiative.  This is really ground breaking step in harnessing expertise and political results to defeat ransom threats.  In the diplomatic track, we finalize at the moment a mapping of ongoing modular level formats and discussions and negotiation processes and we want to define also areas where enhance collaboration among the participating states can be useful.  We want to encourage all states to actively (?) groups.  It is a cross border phenomena.  So those nations can do it alone.  I believe at this point, I'm happy to join the discussion later.  Thank you.

>> ANASTASIYA KAZAKOVA:  Thank you so much.  I think part of the answer was also covering different question about the expectations from the Private Sector looking at autopsy domestic perspectives.  Thank you so much for the response to this.  Now the floor to Mr. Klingeley would be very grateful to keep remarks shorter to make sure we're hearing all experts.  Thank you.

>> DANIEL KLINGELEY:  Nadine felt ill this morning and so she asked me to replace her.  As you also mentioned, unfortunately the protection of critical infrastructures become increasingly urgent in recent years.  As a title of this workshop it can detect and damage from afar with a click of a button.  We have seen a short increase in such incidents including some spectacular attacks like Colonial Pipeline.  I think that again make everybody aware of how important it is to protect critical infrastructure and take measures in that regard.

In Switzerland, we have strategy on the protection of infrastructure.  If the one was adapted in 2012 and the second one in 2018.  In 2018 to 2022.  And it defines critical infrastructure as processes, systems and facilities essentially for the function of the economy for the well being of the population.  And that can include energy supply passenger and freight transport and medical care.  As we have seen during the pandemic, medical care has really come up high on the agenda because of many very, very attacks on the health sector.  This has been even before the pandemic already a part of the critical infrastructure as our government has decided it.

Per the key approaches would be dictated by different elements.  Generally speaking, in Switzerland we follow the approach for critical sectors.  This means a regulatory approach would ‑‑ there should be always a balance between regulation and incentives.  In Switzerland, we see the protection of critical infrastructure as a cross cutting task which interfaces with various policy areas and tasks like energy policy, security policy, protection against natural hazards and so on.  According to critical infrastructure protection takes place within the framework of decentralized structures and the responsibilities as Switzerland is a federal state like Regine just mentioned before.  As for the definition of critical infrastructure providers, Switzerland has an certainty which focus us on critical functions than such an organizational level.  Stakeholders operating a critical infrastructure can contact the national center for cybersecurity and ask to be included in the inventory.  To give you an example, some time ago, a company that produces security paper for bank notes approached our national center for cybersecurity and after some discussion and after the show to this NCSC, what they do and why they think, they were accepted and included into environment.  This inventory is wholistic in nature not only focusing on the information assurance part of critical infrastructure providers, but with increased processes and also becomes clear with such things like managed service providers for critical infrastructure growing importance.  So we also have companies that provide services.  And I think there was a wake-up call in that regard and made rethink what is critical infrastructure and what should be in inventory.  I think the inventory itself while it's not enough to have decided what is regarded as critically infrastructure or not, you need to also process then what to do and what does it mean for this providers.  A friend of mine just gave me one example.  
I think it's a very good one.  In one country he spoke to one of the heads of the cybersecurity.  He told him he could decide if he wanted that his pen is a critical infrastructure.  He has the authority to do that, but that is not enough.  You have to decide what does that mean for this pen, who can use the pen and what you do if you don't use the pen.  You put it in a safe and so on.  So just deciding is not enough.  We need processes and measures and the whole structure, what to do and that is also a part of our strategy.  I can maybe talk a little bit more on that one and talk about a second to that question.  Thank you.

>> ANASTASIYA KAZAKOVA:  Thank you so much.  I think it's really interesting looking not only on the critical functions, but auto use case and whether critical services can be used and how it could impact the regulatory approach on this regard.  I will pass the floor to hear the perspective about the Singapore's approach on this regard.

>> YOCK HAU:  Thank you for sharing this perspective on this subject.  Let me first begin by sharing our perspective on CII protection in Singapore.

So in Singapore, protecting the critical information infrastructure of what we call the CII for short is a national priority and remain use.  We have a law that mandates CI operators to protect the systems and for CSE to manage the protection of the systems.  And our focus is really ensuring there is no loss or compromise of the computer or computer systems to ensure financial services.

So in Singapore, we have identified 11 critical infrastructure sectors.  They have the usual familiar sectors, things like energy, water, banking and finance, healthcare, transport which includes the LN and C sectors and info comedia, emergency services and the government sector.  These sectors provide services that are essential to the national security defense, foreign relations, economy and public safety and public order to the citizens of Singapore.

So given the unique historical and social political circumstances of each country, we think that states should have the prerogative to designate them at the national level.

So in our case in Singapore, what we do is CSA, we work closely with the various sector regulators.  So for each sector that I mentioned earlier, there's a sector regulator to determine what an impact criteria would disrupt a cost, a grave debilitating effect to essential services.  First of all, we determine criteria and then we will jointly perform an impact assessment to identify the systems that impacts the criteria.  Through this, those systems that are considered essential providing essential services will be designated as CII by the Commissioner.  Anyway the commissioner of cybersecurity, okay, which in this case is also the chief executive of the agency of Singapore.  To manage this CII, we have established a key piece of our legislation for the oversight and maintenance of Singapore.  And the key emphasis is to ensure protection of CII against cyber attacks.  It has three key objectives.  First lead is strengthen the protection of CII against cyber attacks.  Secondly is to authorize CSA as the national agency to prevent and respond to threats and incidents.  Third establish a framework for service providers.

One of the key focus as part of my job is ensure our CII remains resilient in the face of cyber attack.  Whenever there's a breach of cyber incident, reporting of cyber incident, our military for CII owners, the cybersecurity act set up a framework for CSA to be informed and you need to request for information on CII during investigations.  CSA will also work with the CII regulators with CII owners to the best course of action and our focus is on balancing operational efficiency and impact of this and operational investigations.  As cybersecurity threat increased in severity and sophistication, organizations will need to recognize it is a matter of when we breach.  Our cybersecurity framework takes into account the full sweep of what is commonly known as the IPDRR, framework, identify, protect, detect the framework and ensure resiliency of CII in providing essential services.  We also believe that adopting a risk-based approach on cybersecurity is a sustainable and relevant approach towards cyber managing risks.  I will be ‑‑ I think I will stop here and I will be happy to discuss these issues in greater detail later further on this issue.  Thank you.

>> ANASTASIYA KAZAKOVA:  Uh‑huh.  Thank you so much.  Again for providing the domestic and also structured ‑‑ in a structured way.  I will now pass the floor to Johanna Weaver.

>> JOHANNA WEAVER:  Thank you.  Rather than give a full overview of the Australian framework, I thought I would touch on parliament just in November.  This is legislation specifically designed around security of critical infrastructure.  So it passed less than a month ago.  That legislation has four key provisions that will be of interest here.  The first is that it extended the definition of critical infrastructure in Australia from 4 to 11 sectors.  And so these sectors include all things you would expect it to include power, water, transport, fuel, et cetera.  Interestingly for many involved in these discussions, it also designates the Domain Name System as critical infrastructure in Australia.  We have quite considerably expanded the definition.  Then to go to David's point about who gets to decide if the pain is critical infrastructure, what are the obligations that then arise from that, the new legislation that we have passed has implemented three specific requirements.  One is reporting requirements and the establishment of a register of critical infrastructure assets.  And this including reporting requirements around things like foreign ownership.  So it really has increased and extend the those existing reporting requirements.  It mandates cybersecurity incident reporting for our critical infrastructure providers.  So if you have significant cyber instance happening on critical infrastructure in Australia and its designated in the sectors it is now mandatory to report that to the Australian cybersecurity center.  And then the fourth length of it, which is I think quite unique is that we have legislative government assistance measures.  
So this means that if there is a cybersecurity incident happening on critical infrastructure and the language here is important that seriously prejudice Australia's prosperity, national security or defense and the government has the power to mandatorily take that infrastructure to be responding and mitigating to that cyber incident.  So as far as I'm aware, the only other country that has powers at quite that level of basically ministerial directions for the government to take control of the infrastructure is France.  So the French cybersecurity agency has a similar power, but it is a considerable step up in Australia.  It's not without controversy in particular the fact there isn't necessarily the provision around judicial review around that directions.  So it is something that I'm sure there will be a lot more discussion on.  It really goes to the point on question 3 about what do you do when there is a major cybersecurity incident as well.  So happy to talk about that more as we go on.

>> ANASTASIYA KAZAKOVA:  Thank you so much.  Really interesting.  I think about the extension of the definition of what is now considered a critical infrastructure structure.  We have seen the union with the update of the UN directive and inclusion of the managed service providers and the Cloud providers for instance is also a part of the critical infrastructure.  Could be also the trend that we will see.  Thank you so much for that.  I would like to merge the second and third question and also narrow down them and probably again to pass the floor to Ms. Grienberger and ask how is it possible to share how those particular infrastructure protections from the stability framework coexist with the domestic effort and in the event of the cyber attack, beyond the Private Sector who might own the IT infrastructure and critical infrastructure, what are the expectations and he, of course, I would also like to refer to the security research to incident responders private certs and many others that also could be private and could also be part of the global response at the national level.

>> REGINE GRIENBERGER:  Okay.  Could you repeat your first question please?  I had a misunderstanding.

>> ANASTASIYA KAZAKOVA:  Sure.  Sure.  I apologize for that.  How those norms from the disability network and they coexist with (?) how will those implement at the national level.  Thank you.

>> REGINE GRIENBERGER:  Okay.  The UN norms are a very generic framework.  So what we do on the national level is we try to have something in place that solves our day to day problems and is in line with this global framework.  So for example, certs in the framework have to be political and this is something that we can provide for it on the national legislation.  So, um, we have 42 CERTS in Germany.  So it's rather complex system, but all of them are available in solution.  With regard to what is ‑‑ what is ‑‑ how is the responsibility of Private Sector and Government Sector balanced?  I would like to raise also a question for discussion.  I would like to hear also your comments because, um, we have, of course, to define what is critical infrastructure and John had mentioned already the issue of sectors and also Dan did this which sectors are critical infrastructure.  But we have also another criteria that could be size of infrastructure and therefore, it becomes critical infrastructure and size can be financial turnover and could be number of users.  And that is ‑‑ that is something that also the European level we are taking up this idea of size as a criteria for being critical as soon as many, many people rely on us at an infrastructure for the daily lives that becomes critical in a way.  So, um, of course, there is also the aspect and this is something that the government focuses on.  It's responsible for, you know, water, energy waste and so on.  So this is absolutely critical infrastructure.  But yeah.

With regard to information infrastructure, a lot more becomes critical because people rely on it in their daily lives.  For example, mobile Telecom networks, I don't know, 10 years ago.  It was a luxury and now it is an essential.  This is also something that we have to discuss and we have to discuss it with a Private Sector because as soon as they are defined critical infrastructure, there are heavy burdens for them with regard to their relation to the government.  Thank you.

>> ANASTASIYA KAZAKOVA:  Thank you.  Thank you very much.  Daniel, would you like also to share the perspective of (?) here?

>> DANIEL KLINGELEY:  Yes.  One group and particularly the GGE they give quite valuable guidance and how to implement the norms in particular with protection of critical infrastructure.  The GG report has resolution 58‑199 and the creation of a global culture and cybersecurity and the protection of critical information infrastructure and the annex highlights actions they can take.  I think that's quite a good start for many states to look at that and see what actions they can take if they haven't done so.  As I mentioned before, a good step and our views to implement is to development of the national strategy and ideally, the strategy is developed with all stakeholders that run critical infrastructures.  As I said, we have this national strategy on protection of critical infrastructure, which is also linked to the national cybersecurity strategy in place.  And this strategy defines 17 measures at which the government tends to maintain the security of supply and improve it in key areas.

Among other things, it has given supervisory and whether there are significant risks of supply interruptions.  Measuring are to be taken and do such risks and under certain circumstances, it may be necessary to adapt legal foundations, energy law, traffic laws.

We are on one hand active and establishing in developing more in depth collaboration between critical infrastructure and government entities such as was mentioned.  And there's a small and independent nation that acting against threats and malicious networks originated from its territory is absolutely key.  Not only regard to provider, but contribute to such activities early on in order to avoid damages to other nations critical infrastructure providers and to achieve, Switzerland has entered several groups from pure technical ones like cybersecurity and respond team focus groups for such platforms as the GFC and cyber capacity building domain because we think it is important to have other countries to build up their capacities.

As mentioned also, having a broad exchange between critical infrastructure providers and the government is key.  The network of relevant stakeholders must be established early on and continuously strengthen in order to funk case of an outtake or attack.  So the focus must land on building such private partnerships to allow for efficient support.  From this point of view, it is important to understand that at the end of the day, the providers must understand the responsibilities and duties as even the best network and partnership cannot replace a sound and robust of managing risks with respective organizations or enterprise.  So it is really a shared responsibility that we are trying to implement.  This was a means that corresponding capacities must be made available.  It is also verified for critical infrastructure to prepare for the worst possible incident and to have networks maintained and tested regularly.  If public networks are established and functioning, then every actor knows what to do in an emergency.  A text can be mitigated and forwarded more easily and negative effects can be avoided.  That's the approach you are trying to implement.

>> ANASTASIYA KAZAKOVA:  Thank you.  Interesting the use of the phrase deferred responsibility and how it is balanced and quite interesting to look at this approach especially given that it is the confederation with different approaches and more federation level here.  Mr. Dan would also like to provide the view of the Singapore.

>> DAN:  First questions of the UN norms and let me just say Singapore has the UN and inclusive platform that all those countries both big and small come together to discuss about the developments of rules and norms for international pieces.  It is also a platform to enhance the cyber cooperation.  So the successful conclusion of the inaugural BG and UNGG last year is assuming achievements.  There are building measures that we would like to share a three key areas that are important to enhance global cooperation and cyberspace.  And the three areas can be at least summarized to the three Cs in our views.  So consensus, collaborations and capabilities.  So the first C on consensus so much progress has been achieved in this landmark report by OAWGG this year.  We think that more can be done to broaden the consensus on the existing areas of divergence.  So we need to discuss to ensure that there's consensus to develop so‑called rules of the road.  It is important for countries to put aside the differences and work on common areas and to ensure there's a consensus on what the norms are.

Secondly, we think there's a need to collaborate between domain safe and secure.  As we all know, the cyber safe has physical boundaries and many systems span across different countries and countries to collaborate closely to ensure that we can respond to the system and cyber threats.  So, um, lastly, the countries must invest in developing capabilities both within the country and ensure we help other countries develop capabilities so that there is a systemic response to cybersecurity.

So moving on to the second question of critical infrastructure.  I think our key word here on protection of critical infrastructure, I think our key word is a team effort.  Governments do not necessarily have monopoly on the solutions to cyber challenges.  No single country or no single stakeholder will be able to take on the full responsibility of ensuring cybersecurity of its CII.  It is a collective responsibility of all stakeholders including the government, the critical infrastructure operator as well as a Private Sector.  However, government should take the lead in strengthening across the cooperation given the weakest link can provide entry point not just to specific system, but can cause on effects that affect other sectors and the whole country too.

So in Singapore, what we do is we regularly conduct cyber management exercises to improve the crisis response capabilities and readiness to response probably and effectively to cyber attacks.  We bring together all the 11 critical information infrastructure sectors in the national concerted effort to cast and validate the plans in response to complex scenarios with simulations of cyber threats.  In addition, cyber threats are not confined one the boundaries and bilateral and multi‑lateral cooperation are key to share timely information and respond to incidents swiftly.  Singapore will build on these efforts and work more closely with partners to combat cross cyber threats.  We recognize that the urgency of highlighting the threats is important to protect CII.  Disrupting and undermining operations of CII will likely impair the services for population and cause detrimental effects to the domestic region at the national level.  In this regard, we are glad we are consensus report of the 6 GGE and recognize the fundamental importance and protect and developing an additional layer for F and G.  And I think that's all I have for this.  Thank you very much.

>> ANASTASIYA KAZAKOVA:  Thank you, Mr. Dan.  I agree with you especially the last report that required an additional layer of how they collaborated and it was really ‑‑ to us as a Private Sector as well to understand how states view them with a particular measures recommended to other states and other recommended to the Private Sector and owners of the infrastructure to do to protect the critical infrastructure.  I pass the floor to Johanna to get the view from Australia, but before, I also would really like to highlight that we would be happy to hear your questions.  Do not hesitate to ask them in the chat.  I see many people in the room and listen to us.  So we'll be welcoming your questions as well.

>> JOHANNA WEAVER:  Thank you.  I just wanted to emphasize with the recent UN agreements that passed through the General Assembly just a couple of months ago with our agreed earlier in the year, the key takeouts for those that aren't intimately involved in the discussions, we have now unanimously agreed.  Every country has agreed to two norms.  They have agreed to 11, but relating to two in particular.  One we're not going to intentionally damage the critical infrastructure of other states using ICTs and the other is saying that you should protect your critical infrastructure from ICTs.  So the significance of the agreements earlier at the year in the UN is saying that every country in the world is saying we need to do this.  That's quite a significant milestone.  In the GGE report in addition to the OAWG report, every country is saying yes.  This is a good idea.  We have now the additional layer and additional guidance.  What does it mean when you say let's not damage the infrastructure of another state?  It provides much more.  We have high level statements, the new GGE provides a lot more detail.  It provides some suggestions to countries if you're looking at how do you protect your critical infrastructure.  Go ahead and have a look at that report because it is a great starting point.  In terms of what countries are doing and how you can implement this with respect to the first one and I would love to see more of this.  There are not enough countries in the world making public commitments that they are not going to intentionally damage the critical infrastructure of other states.  We know there are many countries out there who have and are developing cyber defense capabilities, including Australia.  Australia, however, is one of the few countries that publicly commits that we're not going to use these to damage the infrastructure of other states.  We need more transparency around this.  We cannot allow these capabilities to be developed in the shadows.  
Obviously parts of these will remain classified but in the same way, we disclose, we have warships.  We can disclose the fact we use those warships in accordance with the rules that we have all agreed.  We can disclose the fact we have these defensive tools and agree to use them in accordance with the rules.

With respect to how you implement the protection of the critical infrastructure one, the example we gave earlier with the Australian critical infrastructure legislation that's just passed is an example of that and many of the other things that colleagues have spoken of touch on those points as well.

The other point I would say is yes the norms are voluntary, but countries have committed to act in accordance.  That's the significance that came out earlier this year.  They're binding international law.  It is not voluntary norms.  They're many concepts reinforced by binding international law.  And we need more countries not just to talk the talk at the UN.  We need more countries to walk the walk and actually act in accordance with the commitments they're making.  Thank you.

>> ANASTASIYA KAZAKOVA:  Thank you so much.  Really interesting especially to my personal perspective.  Binding international law and binding norms is also the question how they co‑exist and looking at more practically how they do and helps to have a better understanding on this and trouble within the ‑‑ yeah.

>> JOHANNA WEAVER:  They make it really clear that international law and norms complement each other, that the norms do not change any of the existing binding obligations you have as a state.  They help us to understand what those ‑‑ some of those obligations may be.  So norms and international law operate concurrently and I encourage people to look at the GGE and OEWG and how they coexist.

>> ANASTASIYA KAZAKOVA:  Thank you so much for this.  If anyone would like to reflect to the remarks?  Yes, please.

>> REGINE GRIENBERGER:  I want to add something to what Johanna said.  The first one is that the states are obliged to protect the critical infrastructure is also a big challenge on the human resources.  Something that is often not really considered as a serious challenge is a serious challenge, which means do we have enough experts and cybersecurity experts and human resource literate to protect critical infrastructure in our societies and this starts from primary schools to university.  We have to make sure we have enough people who are able to do this.

Then something that Danny said is capacity building.  And then we have in the OEWG report a very important sentence which is that cyber capacity building is not a one‑way street, but a two‑way street which means that especially in this field when it comes to implementing norms of critical infrastructure, you need to operate closely let's say all partners who share a certain, for example, information network, communication network take part in the cyber capacity building early so all sides are able to do their responsibility, to fulfil their responsibility in following their infrastructure.

>> ANASTASIYA KAZAKOVA:  Thank you so much.  What is even more, I would add that with the stability framework, I understood (?) helping some states to the less developed space, but I think it can be how the private sector can help other states and are other sectors especially small and medium businesses.  This is one way to look at what is going on in terms of cyber efforts in this regard.

>> REGINE GRIENBERGER:  For example, Ukraine, everybody is speaking about (?) too, but there are other pipelines running through Ukraine and central Europe.  We are working with Ukraine in terms of cyber capacity building too, to set up a network to protect this.

>> ANASTASIYA KAZAKOVA:  Thank you for sharing.  Daniel, would you like to respond?

>> Daniel:  I support everything Johanna said on norms and international law and the reports with language on that.  Everybody can go and read that.  And I just wanted to add the obligation owe say that the norm you should protect your critical infrastructure, of course, is very important, but I would also like to highlight the other one that you should if there is a request for assistance by another state that you should try and help this state.  Of course with the means that are available to you.  So in our approach in Switzerland is that on the technical I read the certs.  They help everybody.  If we get a request from states that we don't regard as our closest friends, if there is really an attack on the critical infrastructure in that country, if we get enough information from that state, technical information we need to be able to help them, then we do that.  I think that is also really important there is a good cooperation on the technical level between states, between certs, which is not politicized, but really trying to help and mitigate effects and malicious activities in the cyberspace.

>> ANASTASIYA KAZAKOVA:  Thank you.  About this aspect also, thank you for building a bridge to the second part about the international component.  Each of the requests and assistance would be the core to look at.  But also the hope participants I would like to pay attention to the one of the sessions previously taken on the IGF about the law of neutrality and if some of the Private Sectors in the states can have neutral status to mitigate a cyber incident despite the political conducts.  I will share the link here that's been organized and it is really interesting in discussion taking place at IGF.

Concluding part number 1, I want to narrow down the question and I assume it will be difficult to give the answer ABC for the 1 or 2 minute.  Keeping the same order.  In the event of the cyber incident and keeping in mind this is for the government to provide institutional framework, but the Private Sector, my own infrastructure, what would be the course of action for the critical infrastructure and Private Sector broadly and here, of course, refer to security searches, the company represents or the private incident responders and many more.  So maybe to start first with Mr. Dan and Ambassador Grienberger and to Daniel and Johanna.

>> Mr. Dan:  Any incidents, the key word is what I said earlier.  The key thing is about team work and working together, collaboration to respond to any cybersecurity incidents and in Singapore, we stress that a lot of expectation is not because you are a CII operator and therefore, you are alone to face the threat when you face ‑‑ when you keep an incident.  In the first place, they would lay down an institutional framework.  In our case, we will have certain ‑‑ we have the power to have certain matches and, of course, when an incident happened, we will ‑‑ they will report an incident to the agency in Singapore and we will draw any resources from other parts of the government when necessary to support any of the critical infrastructure operators if they need the help.  Of course, we mind private operators they would have into operating critical infrastructure to put in place some organic capabilities to defend the system.  But sometimes when they made pretty advanced, very advanced threats, the government would have more hesitation to provide support and it is all about team work working together and make sure we have an understanding even before an incident happens and work out processes before an incident happens.  When something happens, the team effort effect will come into play.  And that's our key focus.  Thanks.

>> ANASTASIYA KAZAKOVA:  Thank you so much.  Ambassador Grienberger?

>> REGINE GRIENBERGER:  The responsibility of the governments is basically provide for the framework.  So to set up national rules and also international cooperation with regard to malicious state actors especially.  That's also a diplomatic responsibility, but with regard to cyber criminals, it's also the responsibility to cooperate law enforcement and other governments in the jurisdictions.  Otherwise it's the private owners of critical infrastructure who are responsible.  Of course, as in the case of Singapore or in our case of cybersecurity agency is helping, but it is the private owners' responsibility.  When European directive, we will have fines if they are private owners of infrastructure do not of cybersecurity protection.  Thank you.

>> ANASTASIYA KAZAKOVA:  Thank you.  Thank you.  Daniel?

>> Daniel:  Really short I could echo what was just said.  The same situation in Switzerland.  I mentioned it before.  It is now really a shared responsibility.  Everybody has to know its responsibilities and duties and incidents occur on critical infrastructure.  This network really plays out and works and, of course, the government sees and supports the industry and Private Sectors.  But the first responsibility lies with them.  If their infrastructure is attacked and maybe a state‑owned infrastructure and the responsibilities with the (?).  I can support that with what was said.

>> ANASTASIYA KAZAKOVA:  Thank you.  Johanna?

>> JOHANNA WEAVER:  So I think there's two things.  One when it comes to a cyber incident responsibility against critical infrastructure, we're assuming this will have widespread impact on the public because it is critical and if we're good at designations of critical infrastructure, this is serious.  It has impact on people's lives.  So the first thing is we must have pre‑existing plans.  You must have pre‑existing relationships both with governments.  So those aspects of the government agencies that will help during a particular cyber incident response of a significant scale, but also an incident management plan.  That will be the Private Sector.  The Private Sector may be the ones that get called in to respond to those incidents.  So have a plan and a pre‑existing relationship with the key stakeholders.  The second thing I would say is exercise critical infrastructure incidents as part of that emergency response plans.  So most countries have national emergency response plans for what happens if there is some critical classes that shut down your country.  Make sure that also includes cyber attacks on your critical infrastructure.  In my experience, it very rarely does.  An incident against critical infrastructure needs to have this whole different complicated structure to go from the critical infrastructure provider up to the Prime Minister of your country.  It will be something that the Prime Minister needs to be aware of.  Use structures.  Exercise those structures in advance.  And to Iona's point.  If Australia's government will step in, it's absolutely not the case they will always step in.  This is a power of last resort.  So that goes back to the first point which is have those pre‑existing relationships and a plan including with a Private Sector provider to provide that incident response.  Thank you.

>> ANASTASIYA KAZAKOVA:  Thank you so much.  Really grateful for covering the question in the chat and we need to conclude part number 1.  I invite everyone to thank experts and really interesting perspectives, but we'll work on the report and provide the links the experts have announced.  So for the wider public, thank you so much.

I will move to the second part to discuss the international cooperation component and that's to explore opportunities for the UN cyber emergency phonebook, which I would like to stress doesn't exist.  We would like to reflect the idea.  If this is a possibility for formal and informal mechanisms to cooperate within states and also actors of effective critical infrastructure in different jurisdictions.  So we are honored to have with us the following experts.  Mr. Serge Droz from board of directors at FIRST representing I think the unique global students.  And Ms. Carmen Corbin.  The global program on cybercrime of UNODC.  And Mr. Pierre Delcher.  The private security researchers today.  We also have the free call questions and I would like to announce the first one.  It is an affected state by the cyber incident and critical infrastructure in the state is affected by the cyber incident.  That state doesn't have the capacities to respond.  Who should it approach for help and what does the UN service stack framework do in this regard?  I would like to start with Mr. Serge Droz and then pass to Carmen and then to Pierre.  Thank you.

>> SERGE DROZ:  Thank you.  My name is Serge Droz.  On the board of the Forum of Incident Response and Security Teams.  We are really the umbrella organization that brings together all these incident responders not only from governments, but from the Private Sector and academia.  I think there's ‑‑ you mentioned in your question what if a state is affected that doesn't have the capability or a capacity to react to this?  I would argue that probably most CSIRTs today sooner or later run into limits about they can't handle an incident anymore.  They don't have access to the infrastructure that's affected.  To remember most of the infrastructures operated by Private Sector organizations.  It is very rare they're operated by the state itself.  So that team will have to reach out to our teams.

Now at FIRST, what we promote is not only that every state has a CSIRT or national CSIRT, but it has a national CSIRT community.  And those communities probably should be ‑‑ if you are affected in a smaller country, there's a good chance that your neighboring country would suffer from the attack too.  So to answer your question what I think should happen is if a national CSIRT runs into trouble, it needs to reach out in its CSIRT community to our teams that may be able to help.  That is absolutely crucial.  If you believe you have a national team that did solve all of it, you probably lost.

>> ANASTASIYA KAZAKOVA:  Noted.  And I think in this regarded list too, the norm by the question assistance and the norm about the cooperation between certs and providing the floor to cooperation between them.  Thank you so much.  Carmen, would you like to also share perspective?

>> CARMEN CORBIN:  Yes.  Thank you so much for inviting me to participate on this panel.  I am happy to join today with the other experts and to listen to the first panel of experts that gave so many really wonderful perspectives.

As you mentioned, I am with the UNODC in western Africa.  I am posted in Dakar.  Before I came to Singapore and the UN, my first job was a cyber prosecutor in the US.  I have over 11 years working as a cyber prosecutor specifically on all types of cybercrimes and dealing with digital evidence.  I raise this because I'm really seeing a lot of what had discussion is today about relationship building and how to react to an emergency incident and how that is actually applicable and a reality in what we're facing in Africa and the work we're doing in west and central Africa, but really across the globe.  As Serge said, really all certs in any country at some point are going to face a situation they may not be prepared for and they will need to reach to other experts or other private, public partner relationships to help get through the experience or solve the issue.  So I think the two major things that we highlight in the work that we're doing and west and central Africa, but as a program and a whole across the globe, really focusing on capacity building, training, training for understanding on digital evidence and cyber investigations and prosecutions, but relationship building.  Relationship building is critical and as Serge, I want to underline what he said.  This is internal to countries doing public and private entities, but also regional.  Especially critical we see it here in west and central Africa.  Regional relationships and knowing who points of contact are and other countries whether neighboring country or someone in the region that would be reachable for assistance or collaboration if an emergency incident occurs is really, really critical.  So these are two of the aspects that we really focus on a lot in our work here.

>> ANASTASIYA KAZAKOVA:  Thank you so much for the comprehensive overview and a brief one of what the UNODC does.  Pierre, the floor is yours.

>> PIERRE DELCHER:  Thank you for your opportunity to discuss this point.  I would say depends on a lot of factors well, starting by what is the respond meaning.  The affected states or activity sectors requesting states memberships, existing memberships and requesting organizations.  Various frameworks already exist to request help such as regional cert communities or cooperation mechanisms like the EDC and the directive mechanisms for the grand union.  Maybe regional crisis and incident response mechanisms, maybe cyber focused or not like the IPCR arrangements, the August eye level crisis coordination process or the EEAS, crisis response system.  There is also multi‑level cooperation bodies at CSIRT, state or evolves like the TFC.  The IWWM only two even.  And, of course, additional bilateral agreements and cooperation frameworks may exist.  But to my knowledge, nothing which is fully international by nature and which is cyber specific in us already exist for such a case.  So this is just to illustrate possibilities because the state may also decide to approach various organizations including private ones, international body or states; however, it deems fit out of any existing framework depending on the circumstance of the attack or the crisis, of course.  And questions now are:  Can any state in the world benefit from at least one of such existing cooperation frameworks, are existing frameworks sufficiently fit, tried and tested and trusted to be involved in such case.  And could enabling which of the existing frameworks be read as an offense or threat by any other state?  I don't believe there are existing frameworks today which can cover all of these three questions.  Let's say (?) and I also sincerely don't know what the UN cyber stability network is suggesting in such a case.

>> ANASTASIYA KAZAKOVA:  Still, it is really great to hear actually the part of the answers at the same fold because I think positively in the case they are still the same structures that we are all aware of and currently the leverage and use.  But going for the aspects of the limitations, why some of the theoretically positive and the efficient mechanism might not be existing.  The question is:  What can be done in this regard and specifically to achieve that stronger cooperation between the sources or community.  And how the neutrality of these can be in this regard and in the meantime, hearing the questions and answers of the speaker cells would like to send the link as I mentioned to the session of the neutrality and the research with the (?) about the law of neutrality in cyberspace which talks about the neutrality of the private actors and maybe also it can be helpful for the audience.  So Serge, the floor is yours.

>> SERGE DROZ:  Can you rephrase the question?

>> ANASTASIYA KAZAKOVA:  Absolutely.  What can be done for stronger cooperation and how to ensure the neutrality?

>> SERGE DROZ:  Okay.  So sorry.  I was kind of a busy day today.  What's really important is that states take to face value that CSIRT responders should just focus on their very own role.  On the one role they're designed to do and that's responding to incidents.  They should not be part to any other activity such as attribution for example, or offensive abilities.  If you start to deal with someone that does attribution, then other states may not collaborate.  You do not know if this pays back.  I think it is very important to have an understanding of the roles and responsibilities of all involved actors.  And sadly, we often see situations where either a CSIRT team is more important than the other one because I'm a national CSIRT or from a big corporation.  So that just doesn't really work out.  We need to get away from this and really continue improving trust and that may mean that certain states kind of take a step back and start working with people they don't really like and that, of course, is a challenge.  That can be overcome by really kind of focusing on the role.  We do this in other areas.  In disaster relief, for example, some area has kind of a big (?).  There's no questions of rescue teams from countries not really on speaking terms working side by side.  But in cyber, we don't have that concept yet and I think it's very, very important to move this way.  And that's also, I think, one of the reasons why I think FIRST is really a great organization because we do have members from pretty much any kind of political block.  So we have the national CSIRTs of China, Russia, pretty much every European country and U.S. and they talk to each other and that is the thing we need to foster and continue to promote.

>> ANASTASIYA KAZAKOVA:  Thank you.  Thank you.  The question to you as well about the stronger cooperation between CSIRTs and the possibility for more neutrality to ensure more neutrality for them.

>> CARMEN CORBIN:  I can speak from our own experience we're doing in Africa and west Africa.  One of the ways we work to build the relationships and to build with relationships you have more of an opportunity, more of probably a realistic reality of cooperation is we have regional events where we bring cybersecurity experts or members of certs from different countries and regions we cover to come together to work on these issues for capacity building work, for conference work and also just recently last month we held a conference that was a regional conference that included table top exercises.  And again, it was a fake incident where there's an attack on a national bank, but it's a process by which it allows different cyber experts from these different countries to have to react in an active way to an incident that is, you know, allegedly happening in their country and it allows to then in a very safe space talk about how they would react to these things, how they could work together, how they would share information within their region between these countries to combat the problem that they're facing.  So it's from this on the ground sort of work that we're doing regionally in the areas that we are working around the world that we're trying to build this collaboration and its relationships in a very I would say a simple way and the way of basically just having the people be across the table from one another or, you know, under the pandemic, it is also sometimes across the computer screen unfortunately like we are right now.  But it still is allowing people to see each other and talk to each other and recognize that, you know, many of these countries they do have a cert or even if they do not have a cert, there are cybersecurity experts in place in different whether they're in law enforcement or other agencies within the governments that can be the point of contact for this type of collaboration and international cooperation.
This type of relationship will always be key I think for an emergency situation for deescalating the situation and then for moving forward with an actual investigation and prosecution.  These relationships between countries, private, public relationships are really going to be key.  And our partners too at Interpol, they have also a large program that is in Africa where they're trying to also work in the same ways of building networks and capacity building and cybercrime and I won't speak any further about that in particular, but you can go and research that online.  So there's a lot of us working in the same field to building up these connections around the world.

>> ANASTASIYA KAZAKOVA:  Thank you so much and also for highlighting.  I see we also have the (?) with us and maybe he would also like to share the perspective of that.  Of course keeping in mind the cybercrime and issues insuring the international security (?) but still a separate process within the first committee, but it could be interesting to know.  If the same mechanisms might be used in the run of the incident especially when we don't know yet what the sub incidents is about and what we're dealing with.  I think definitely could be overlapping mechanisms in this regard.  But Pierre, over to you for sharing the perspective of the Private Sector as well.

>> PIERRE DELCHER:  Yes.  So what can be done from achieving the cooperation and the neutrality to be ensured.  One of the lessons learned I kept from my past experiences as a major incidents responder and as an international (?) is that a cooperation does not strengthen or happen as a result of any single specific action whoever the initiator of the action may be broad an effective cooperation as well as its develops are result of multiple factors which apart the wheel to cooperate.  This includes common grounds, goals or issues, commitment, mutual understanding or compatible capabilities and clear outcomes and successes, time and I believe before anything else, trust.  Trust between parties but also trust between individual.  As a result to me, building or strengthening cooperation is first continuously building trust and there are no magic recipes to do so.  This is achieved by trying to face experience various common situations and issues over time.  This is involved and ease value means including openly stating the will to cooperate and the will to do so.  This is always starting from there and knowing each other by sitting in meetings and schedules in the size events to discuss with more and more freedom and sensitivity, understanding and committing to each other.  We have staff exchange.  So that one can truly learn and discover from the day to day walk of the other and try to bring something to it with capacity building also, is thing common definition that is good for redefining what is global, critical infrastructure.  Setting a reasonable amount of most practical common goals and bold goals as a program so that everyone can start trying to reach common success.  Openly sharing personal information to each other as a token of good will and daring to ask for help in the event of a difficult situation as a will to build a practical common ground and as an opportunity to face issues more easily.
To enable participation and lessons learned before any real operational need or rise can all be experienced through proof of concept, take any part of global issue.  Let's agree to try tackling it for real as much as possible during a given timeframe.  Rather forces and go with any options I listed.  As with regard, CSIRTs neutrality then again it depends on what neutrality means.  CSIRTs have a common term to understand and remediate cybersecurity incidents, but they all do so for their constituency first be the states or private corporation or customers.  And as so, they will never be neutral in the sense and they will always work with their organization as a priority by mindset and by design.  That's not necessarily an issue because when cooperating only the common goals remain as a common priority and as Gregory (?) or any system will emphasize.  It is not limited to it.

>> ANASTASIYA KAZAKOVA:  Quite interesting.  Thank you so much.  So we actually hear the mostly common answer and elements of the answer.  Serge highlighted the role and it should be that important role to ensure the stronger cooperation between CSIRT and trending neutrality.  A lot of the cooperation collaboration in this regard and Pierre trust in the trust building and experience all the way together some cyber exercises and this could be necessary while the experience helping us together what did work, what didn't work and how we could improve our cooperation in the future.  But I think also trust is also relying on the personal relationships between the different people.  So the question would be how to formalize the cooperation between the institutions beyond the particular conducts and particular experts.  If the cyber attack affects critical infrastructure again, if (?) could be possible, if yes, how?  What are the formal mechanisms first of all that we need to keep in mind in this regard.  So I would like to pass the floor again to Serge, to Carmen and Pierre.

>> SERGE DROZ:  So, I ‑‑ I've been thinking a lot about how to create trust and first trust.  I always come to the conclusion.  Trust is an inherently human thing and it is very, very difficult to kind of distort this from human and institutionalize this.  At the end of the day, it is always about people kind of working together that have had a past history.  In my experience, you build ‑‑ people always say it is difficult to build trust and I kind of agree but not 100%.  I think you can start quite easily by starting on a simple problem.  You collaborate.  You send the simple request for help.  You don't send an RFT that loads confidential data and is tricky.  You really start working together and this is how you build our trust.  If feels continue working if on a regular basis, then actually the trust can be extended to a feel.  So just being associated with a certain team, that means that whoever you collaborate with is going to trust you a little bit more.  So I think the goal will be to start this individual trust and then spend this to entire feels.  That means for people to overcome their egos because it means bringing in junior people into the conversation and not just keep everything themselves and it is also a challenge because a lot of security people or technical people are kind of shy.  So you need to be a little bit outgoing and be able to talk to others.  All human factors play in.  We know how to build and we all have friends hopefully and I think it's really the same mechanisms here.  Start building friends.

>> ANASTASIYA KAZAKOVA:  Thank you.  Thank you quite an optimistic way.  Carmen?

>> CARMEN CORBIN:  Yeah.  I keep saying because I think generally the same sort of concept, but it really comes down is to cyber diplomacy like what Serge is saying.  It comes down to you need people in certs and positions that deal with cyber attacks to technically know what they're doing and how to solve the problem.  There needs to be a willingness to share information special to share skills if that's possible.  So again, with our program at UNODC, we're trying to create possibilities for these trusting relationships or the beginnings of these relationships to start by capacity building work where we're bringing different people from different countries together where they're learning together, they're training together.  Sometimes they're even assisting each other.  Different countries assisting each other on cybercrime investigations and trainings.  So with these ideas and these events, we're working to try to build these relationships, these trusting contacts and that diplomacy, that ability to communicate with one another and willingness to do so.  Ultimately, that is going to be key to solving this really huge issue that we have globally.

>> ANASTASIYA KAZAKOVA:  Thank you.  Thank you so much, Carmen.  Pierre?

>> PIERRE DELCHER:  Getting back to your question of is cross border possible and the initial topic of this discussion about the cyber images.  I believe, of course, that the cross border and even cross anything cooperation is possible.  It is in any way absolutely necessary as obvious it is all right, I believe it is still useful to state it again.  Cyberspace is by design and fact across border.  It exists from interdependences only in any state or organization can decide to manage from its own small and complete (?).  But any action on cyberspace as a war is a global by nature and only possible from cross border cooperation.  Then because of this, and as far as I know from my experience as well, there are almost none of such cyber attacks or incidents that are strictly bound to a single system and by same organizations.  So attackers are several targets sometimes on several countries rely on infrastructure cyberspace and liberate that belong to several organizations.  So cyber attacks are also global by nature as well.

Lastly, victims of cyber attack and organizations that are affected by cybersecurity incident often provide services or goods which are at least dependency on other organizations and services.  So incidents parameters are most likely to be borders and foreseen by initial responders.  Cyber attack incident would be global by nature, but response is almost never.  The results of the current rate to cyber attacks and cybersecurity incidents speak for themselves.  They can barely manage to contain or remediate on limited parameters.  Others simply can't.  Some then go straight to attribution and political scale and overall cyber readiness is for regulation and past incidents.  It's still not good to make cyber attacks difficult.  Why cyber attacking are not more limited or more frequent than before.  I believe cross border cooperation must be possible and should bring better results that we already have.  But for this to be possible, I believe we must be ready by building trust and preparing cooperation frameworks just as discussed previously in this framework and discussion.

UN emergency phone book is a good start and can surely be done easily by leveraging existing mechanism.  But this will surely need to go further right away.

>> ANASTASIYA KAZAKOVA:  Yeah and I agree with you, Pierre.  It would be really definitely at a good case and especially such UN's have emergency phone book at global context can be officially somehow centralized in the existing right now.  So I think it will be quite helpful especially to countries who do not have those capacities.  I understood that the ability of the country to respond to the request coming from another country has been relying on how much this country is successful with the domestic approaches and having domestic structure approaches to ensure critical structure and build the teams and looking at resources and also if speaking of the fact that the critical infrastructure protection is sectoral and need the national level sector cooperation is possible.  Then beyond one nation, the more cross border cooperation I think also would be more possible in this regard.

Before we close the session, I would like to provide the floor to see you and hear the perspective from law enforcement and global law enforcement.  So floor is yours.

>> CRAIG JONES:  Thank you very much.  Really interesting conversation.  Let's come through clearly is the trust element and how do we trust them as a global community in this space.  We're trying to engineer that trust model that we can share critical data sets and information.  But what we're looking at here across the piece is vulnerabilities within our networks and systems that criminals and others take advantage of.  Sharing first on that vulnerability and identification mitigation of those.  Looking at how FIRST operates as well.  So very much we're trying to work with FIRST to draw together that community, learn from each other and share on about cooperation.  We look at those criminal acts effectively and trying to coordinate that between countries.  We look at geopolitical angles and very much we're still working on that geopolitical context in law enforcement.  I ask to look at the CERT communities about what do you do with that information, that cutting room floor information which you gave where it is not a state attack, but you get information that is related to criminal acts?  How do you share that internationally, but how do we share that internationally as well.  There is another important element we look at here as well within this conversation.  I have said enough because of the type.  Thank you very much for giving me the opportunities to come in.  Really interesting field discussion here.  Thank you.

>> ANASTASIYA KAZAKOVA:  Thank you so much and I like the perspective on the data sharing which I think is the hot topic within each government to define the access to data and possibility for data sharing between private and public partners between the law enforcement and so on.  Thank you so much to all the experts.  We need to conclude the session.  I really hope you find the discussions useful.  I hope it could be one more step forward to having a better understanding globally how the critical infrastructure taking place, what the regulatory approaches are in this regard and how we may have better insights coming from the UN level especially between the new open ended groups next week.  Thank you so much.  Again, please join me thanking all our experts, Serge, Carmen, Pierre, I hope you would have a really productive day further in the UN Internet Governance Forum.  Thank you so much and it was really great to see you all.