The following are the outputs of the captioning taken during an IGF virtual intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.
>> CHRIS DISPAIN: I was waiting for a cue. Here I am. My name is Chris Dispain. I am moderating this session. Welcome to the session on Trust matters: Exploring ways for building a safe and secure cyberspace.
There have been many sessions at this IGF in the trust theme, on things like online vote, net neutrality, encryption and privacy. Back in November there was a preparatory session for this session and our goal for this particular session is to build on that preparatory session. This is how it is going to run: in order for us to build on it, the thing to do is to take stock of what took place in the preparatory session, and the summary of that will be given to us by Sheetal Kumar, and then we'll go to others to address perspectives on the major trends. That's followed by a couple of case studies, one from Josephine Ballon from Hate Aid and one from Rasha Abdul Rahim from Amnesty International. We'll move to our discussions and we'll talk about views on main trends, different approaches to reaching trust, the roles of the different stakeholders and what role the IGF can play. At some point during that discussion we'll move to questions from the floor and from online and we'll wrap it up in about 90 minutes' time. So thank you for being here. Let's get going! I'll throw it first to Sheetal Kumar to give us the summary of the preparatory session. Sheetal Kumar, over to you.
>> SHEETAL KUMAR: Thank you so much, Chris.
It is great to be here, especially seeing so many people on the last day of the IGF. It is really great.
Yes. My task is to provide you with an overview of the discussion we had at the preparatory session where a few key themes were discussed and some challenges were discussed and some recommendations were provided.
My aim is to go through the key takeaways which focused around the need for collaboration and also discussed cyber norms and cybercrime and share with you some of the challenges that were discussed and some of the recommendations.
First, on collaboration, it was noted ‑‑ it is very important to build on existing efforts amongst different communities and link them up together. It was also noted that the issue of resources first, political will, it doesn't always match up with actual need.
That there are maybe challenges with regards to possible centralization of networks, that impact, the impact of that on cybersecurity going forward.
The example of CERTs and security researchers working together, especially in a voluntary capacity, often was highlighted as an example of cybersecurity cooperation and it was said that this cooperation not only extends to capacity building, it is important to have these issues expanded but to do that with the continued support of other stakeholders as well. That's collaboration.
Then on norms, the core message was really that we needed a deeper understanding of cyber norms and how they're working and how they're not. The point was that to make norms work, this requires continuous discussion and effort for deepening the understanding by the multistakeholder community about how cyber norms work, those adopted by the UN, the 11 cyber norms, what leads to success and failure in cyber norm implementation as well as the need to engage new actors continuously.
It was said that the discussion at the IGF should focus on the implementation of agreed cyber norms and I just wanted to point out that the Best Practice Forum on cybersecurity hosting its session after this, directly after this, has played a key role in this regard over the past few years and this year it has taken a really interesting deep dive into cyber norms and I encourage you to come to that.
Then on cybercrime, it was noted that cybercrime discussions required technical and policy solutions supported across the multistakeholder community, and that governments need to take greater responsibility for criminal activity originating within their border, even if the ultimate victims are elsewhere. However, it was also said, and reinforced by many, that combating cybercrime should not include stifling political speech or dissent or other forms of free expression online and that any new cybercrime treaty, referring to the UN process currently underway in the third Committee, should focus on ensuring effective exchange of information, reforming mutual assistance processes and finding ways to address cyber criminality and not seek to undermine rights or seek to redefine or address what's already been addressed in existing agreements.
So that was some areas of key takeaways, the three themes, collaboration and cybercrime. On to challenges before going to recommendations that came from the session.
On challenges, it was said that from car and developing country perspectives issues need to be addressed, debate treaties and conventions on cybersecurity, many not ratified by the country, there is related challenges with capacity building, lack of willingness to access resources, poor participation, lack of follow‑up post capacity building exercises or lack of opportunities to actually put in place what was taught. And that these need to be addressed at the higher level.
Then other challenges include the affordability of security, lack of security budgets, again, lack of resources and the capability of small businesses in government and increasing threats of nation state actors in dealing with cybersecurity incidents and attribution was highlighted.
The increased cost for combating cybercrime links in with that, increasing need of tools and necessary legal frameworks for enforcement was highlighted.
Then some other challenges related to data governance and challenges in dataflow or international regulation, need to involve different stakeholders in discussions related to data governance issues, and finally on challenges, it was noted that while most narratives related to the encryption discussions are focused around big tech companies, there are medium‑sized tech companies that are deeply affected by the issues as well.
On to recommendations, a need to formulate a better approach to deal with existing cybersecurity challenges was highlighted. It was highlighted that while it is generally accepted that cybersecurity cooperation and capacity building is needed, a review of what's worked and what's not worked in different contexts is necessary.
On capacity building, this should not be limited to training it was suggested but extended to mentoring, sharing information, inviting people to join different communities and collaborating to address issues, identifying and linking existing efforts to one another. For example, linking tabletop exercises ran by corporates or states to work done by cert networks.
Then on the issue of encryption, highlighting the needs of specificities of issues, who was inclemented, how is strong encryption defined and it was said that stakeholders need to own implementation and to identify solutions ranging from mitigation to training to support implementation of norms and standards into their own products.
That's it for me. I hope you agree, it was a really rich discussion, a lot came out of that, looking forward to hearing what everyone has to say today to build on that.
Thank you so much, Chris.
>> CHRIS DISPAIN: Thank you. That was a really interesting summary of the discussion. I have a feeling we may be coming back to you with some reference points when we get into discussions. Don't go away ‑‑ not that you were going to, but don't!
Okay. We'll move on to looking at some of the main trends now. First person I'm going to call on is Ambassador who is going to talk to us about his perspectives with the major trends.
Over to you.
>> HENRI VERDIER: Good morning or good evening, depending where you are! I would like to say hello to my colleagues from Texas! I suppose it is 3:00 a.m. in the morning in Texas. Congratulations. I would also like to thank the interpreters, it is thanks to the interpreters that we can speak French during discussions like this one. I believe this is very important.
It is my great pleasure to be able to speak French today. Thank you so much for inviting me to participate in this session. It is a pleasure indeed.
I would like to start from quite a simple concept, a simple idea, mainly the Internet as it is neutral, free, open, decentralized, the Internet initiated an unprecedented cycle of reforms and unprecedented democratic cycle of ensuring access to culture, access to education, access to economic development.
Today we're grappling with a number of challenges that we will have to confront. I do believe representing France, but also speaking on behalf of many of my colleagues working for IGF, I believe we need to work out solutions that will help us confront the challenges without giving up on that initial concept behind the Internet. The challenges that I can envisage are as follows. The first one, it is the lack of balance, the digital divide, yes. There are a few countries, a few states that are monopolies of artificial intelligence, encryption, but the rest of the world is lagging behind and what that results in, it is a digital divide. Weaponization is another challenge that I can see ahead of us, namely people who apply digital solutions against peace, against global wellbeing and peace and so disinformation, data manipulation, these are examples of weaponization of the Internet. Often these are cyber criminals that we speak of. Often, there are entire states that are to blame, there is a number of external factors, negative external factors, business models, business algorithms, behind many enterprises shall generate such externalization and it is not only the industry that generates problems, still, I do believe that acting jointly we can solve the problems. If countries are to cree act in an authoritarian manner ‑‑ if countries are to act in an authoritarian manner, in a manner that would be far from democratic, then states themselves would turn out to be a threat. So we need to solve, we need to come to terms with the challenges and overcome them without risking an authoritarian, undemocratic action.
France has been involved in that process, the president spoke in 2017 about the challenges. What he said, is that Europe should come up with a digital framework so that Europe does not need to emulate the strongest, the super powers, because the strong European Union is what we need very much. The IGF forum that was held in France, the president also emphasized the need to come up with a new legal framework and to pave a new path forward for the development of the Internet acting in conjunction with the legislators. What he spoke about, is that very specific ‑‑ a very specific legal framework was needed and that the big tech companies should be onboard. Even without the assistance of the big tech companies, we will succeed. We need to act jointly with many different stakeholders and what we strive at is efficient multistakeholder initiatives. Many of you have been involved in such multistakeholder initiatives so we also appealed to focus more on cybersecurity, the European Commission is also very active in that realm, and now we have 350 different associations and 700 companies and jointly we have been working on ensuring cybersecurity.
What I'm interested in, is that the large industrial or technical groups as well as the representatives of the world of academia, they have said that what we have done is crucial, even though it is not yet sufficient and it is well said indeed. What we need to create security by design. Companies need to work out good practices in order to be able to fund a significant change wherever there is the necessary political will.
We have discussed many different steps that could bring us closer to solidarity in the realm of cybersecurity. We have published reports of a taskforce, just recently, and now we can propose that to the United Nations that a joint program of action is launched within the UN structures so that we can have an implementation tool, to be able to implement the new policy of reliability and 54 countries support that instrument. I do hope that at the next General Assembly of the United Nations we can adopt that new mechanism.
We have discussed the attack in New Zealand when a mosque was attacked and later on many of us worked on removing the pro terrorist content from the Internet while respecting the principles of transparency and democracy. What's also important is empowering all the entities coming up with the necessary legal framework with the necessary emergency protocol and so we have been working on the European legal framework for counteracting terrorists and preventing terrorist content on the Internet. Similarly, we have also been supporting different initiatives related to fake news. I'm really not going to dwell on fake news, but what we have been also supporting is the initiative of Journalists Without Borders and the forum for democracy, we believe what is necessary is the removal of fake accounts, the tracking of overt disinformation on the Internet, the journalists' information on the Internet should be reliable. We want journalists to be politically and financially independent and the information published on the Internet should be of high quality so that fake news do not pose a threat.
This is what we strive at. We have ambitious goals ahead of us. I could speak at length but I will now be interested to listen to the remarks of other panelists. Just to wrap up, what I wish to say, if we wish the new legal framework to be implemented in line with the rule of law, we need to base the new legal framework on expert knowledge. We need to ensure that we understand how technical companies operate. Often we lack the knowledge. We have launched a cooperation platform. It is an open project. I have posted a link to that initiative in the chat box.
I think it is really important that all of us companies, association, universities, researchers join forces so as to be able to better understand the different modes of operation behind the confidentiality policies in companies. We need to know how it works, how it has been evolving, so this is our proposal to join forces and to work together, we have also been working with others and have analyzed 700 different contracts already. I think we can now talk about an entire Internet community that has been looking into the issues of cybersecurity, and I am sure that we will be successful if we don't forget about the underlying concept of the Internet.
>> CHRIS DISPAIN: Thank you, Henri.
That's excellent. Thank you for the link, no doubt everybody will be actively pursuing that once we finish this session.
We're going to go now to Craig Jones, the cybercrime director and he will give us a perspective on the major trends.
Craig, over to you.
>> CRAIG JONES: Thank you very much, Chris. Welcome to everybody. From Interpol's perspective ‑‑
>> CHRIS DISPAIN: Craig. Sorry. Up to you, but your video is turned off at the moment. Here we go. Now we can see it. Thank you.
>> CRAIG JONES: Thank you very much.
As Interpol, when we look at the current threat picture through national, regional, global lens and dependent on the sector community that's been impacted, we also, we spoke about at length, but we see now the recent shift, the key infrastructure, even hospitals, the criminal use of innovation, communication technology, poses a formal challenge to, it is the potential of the digital economy, we say much of this has been discussed over the last few days here at the IGF. Recognizing the magnitude of the problem, it plays a key role in addressing cybercrime on a global scale in support of the 195 member countries. Most recent assessment underlined that during the COVID‑19 pandemic and beyond, it opened up new avenues to cyber criminals to carry out online form regardless of the region. We saw the prominent threats, again, the ransomware based extortions, business email compromise, cyber and phone‑based frauds and legal data harvesting operations and also misinformation, and then we saw the reemergence of other types of malware repurposed to take advantage of the global pandemic.
So the cyber threat landscape has had growth in scale and impact of the threat, the criminals have been exploiting fundamental social needs and continuation of anxieties in the cyberspace during the COVID‑19 pandemic.
We receive numerous requests from countries to address the ransomware attacks against hospitals and other health institutions who run the frontline in the fight against coronavirus since March of 2020 and again this was covered in a session very well yesterday.
By attacking the critical infrastructure, criminals have shown their will and power to maximize the damage for the targets, more importantly, for their over financial gain ‑‑ for their own ‑‑ we know ransomware attacks are not new but the fastest growing forms of reported cybercrime. Ransomware is a highly enticing, lucrative business model for cyber criminals with the use of multiple extortions and ransomware-as-a-service models.
These attacks are not always set specific, but they're financially motivated, with the financial gains channeled through virtual currency networks. While the need for until money networks is reduced in part to the pandemic and restrictions in travel, criminals adjusted the business model and changes globally and regionally, indeed they have made the criminal enterprise more efficient and effective by being early adopters of the technology.
In addition, we see complex cyber frauds hitting victims in Europe and proceeds routed as far as West Africa, Southeast Asia within hours. Data breaches also continue to occur causing significant financial loss and impact to businesses. At the same time, cyber criminals are haring in the Dark Net providing anonymous, untraceable access. The convergence between cyber and financial crime is posing a complex challenge. Entails multiple phases ranging from cyberattacks to data exploitation and then to money laundering phases of layering the eventual cashing out.
The use of virtual and encryption process can hinder effective, timely response. Given the complexity a joint operation model is required to combine the capabilities of different specialized units in law enforcement to better combat cyber enabled fraud and money laundering.
Too often the full array of the operational in this regard, we launched the global cyber taskforce and within the program which is going to address the challenges through providing regional threat assessments, recently 2021 we published one in Africa and also for the Ashton region.
We are looking at the regional model for operational coordination and this is setting up a regional desk that's been built, trust though is crucial, we need to go beyond the geopolitical boundaries being followed.
As a neutral organization, Interpol developed platforms of communication amongst all of our 195 countries for law enforcement and private partners as well.
We need to induce that trust in technology.
We have successful legal frameworks for information sharing with private sector partners, and again inducing that trust legally. Our model is reinforcing people, process, technology to deliver the global program in combating cybercrime. So just a few of the lessons we have learned. There's different role of law enforcement, a more international than local and national in combating cybercrime taking a multistakeholder approach and working closely with private partners, international organizations, NGOs, and the CERT communities. We think of how to build out the policing model to protect life and property and prevent crime in the digital technology era. Technology helps but we have to build security by design as well.
Also one of the affected deterrents about arresting or disrupting the criminal business model, it is important to know where and how they operate in cyberspace to achieve this. Law enforcement does not always have the resources nationally or internationally to operate in this space. My final point, it is trust. It has to be built within the law enforcement community. We again follow those geopolitical lines and boundaries. Interpol is finding a better response collectively with the private sector, first responder, other international organizations. We need to continue to build on that trust model within the online community.
Thank you very much, Chris.
I'll hand it back to you.
>> CHRIS DISPAIN: Thank you, Craig.
We can see you sitting up there on your own on that stage. We wish we were there with you. Well done on making it! 10 points to you is what I say! We'll come back to you later on to ask some questions about the points that you have raised.
Right! We'll move on now to a couple of case studies and the first one is coming from Josephine Ballon. If I'm not mistaken, you have slides you wanted to use.
>> JOSEPHINE BALLON: That's correct. Thank you.
I will just share my screen for a little presentation.
I'll approach a topic from a specific Civil Society point of view, the view of the victims of online violence, these are people we're taking care of with our organization. Yes.
We're Hate Aid, I'm the head here at Hate Aid, we represent the interests of the victims of online violence, we offer counseling for those affected, we give them a first aid package to provide emotional support and we also offer cybersecurity counseling since secure passwords, also the question which personal information can and should be found about me online has become very, very relevant in our world, that's taking place a lot on the Internet and social media platforms.
We offer communication counseling in order to help victims deal with the situation and help them to find out the right reaction in their specific situation right now. We also have a strong interest in law enforcement, including criminal complaints and litigation financing we offer against the online platforms and directly to the perpetrators and we, of course, offer help in legally securing documentation of the hate speech incidents as this is a challenge by victims already.
Of course, as every NGO, we also have a strong interest in creating awareness and, yeah, we see ourselves as the attorneys of those affected in the debate.
Why is it that an organization like ours is needed? I have to say, Hate Aid was founded around three years ago, since then we consulted more than 1500 people in Germany and supported more than 150 with litigation financing. We are still the only agency in Germany, we're still unique with what we're doing.
Why are we needed? The question is easy, all of these things are now normal on social media, we see hate speech, we see insights on information, in commentary sections of social media, activists, journalists, politicians especially on a local level are very vulnerable on the Internet these days. We see that young women, we see dickpics all the time when we look at young activists, influencers, this is really common. We see that personal information is misused a lot to harass people and to ‑‑ not even to insult them, to intimidate them and to really scare them. We even had cases where people had to move because their personal address landed on the Internet and it was just not possible to remove it entirely to make sure that they are safe. We also see that the misuse of pictures, even spreading pictures, it is not always nude but all kinds of different kinds of pictures, plays a huge role in the setting up of fake profiles and the spread of lies about people.
These are topics that are important to us. Intersectionality, it plays a huge role here, so the more ‑‑ you know, the more ‑‑ the more ‑‑ the more criteria that comes together, most likely it is that you will be attacked on the Internet, but we see especially that people that speak up for our democratic values on the Internet are in specific dangers which is journalists, activists, politicians and everybody who wants to express their opinion on the Internet.
Online violence is everywhere. This is something that we have to be aware of. We conducted a survey in Europe and found out that in the European Union, 60% of the users overall have witnessed online violence already and with the young adults it was 91% of the users that have become a victim of online violence, and have witnessed online violence and 50% of the young adults that were asked have become a victim already. It is every second young adult that's been a victim of online violence in the past.
Although it looks like now everybody is very, very hateful in the spreading of this hate on the Internet constantly, it is actually not the case because the amount of people who are spreading all of the online violence is actually quite small. This is what many studies have found out and they understood very well how to manipulate the algorithms of the online world and how to also use the electronic means to be very, very effective with what they're doing. There is a study conducted that found out in the hateful commentary sections of Facebook for example, it was 5% of the users that were responsible for 50% of the likes to Facebook content. We did a smaller study with the German elections just held and found out that in some major areas, politicians experienced, we saw that there were more than 4,000 comments that could be broken down to only about 200 accounts that were spreading all this hate.
The problem of all this, not only the victims are intimidated and they will think about it twice if they want to post something on social media, if they want to participate in the public debate that takes place on the Internet mainly these days. We see that it is also the bystanders, the people watching what's happening there that are just ‑‑ just becoming a witness, starting to withdraw from the public debate and do no longer express their political opinions but also other opinions. We see there from study to study, this does no longer make much of a difference. We see people change their behavior on the Internet and no longer participate which creates a very weird bubble where the very few that are very loud, aggressive, they seem to be the majority of people and seem to represent the majority opinion of our society. We are convinced that this is a real threat of freedom of speech and a threat to our democracy that has to be considered in the debate about how online privacy should work and how we want to design our Internet. We have to make sure that the Internet is a safe space for both sides of the Spectrum of Freedom of Expression.
This is where our organization steps in, what we also ‑‑ yeah, aim at with our work.
We want to empower the users so that they can persist in the public debate and that they don't have to withdraw from it. We are the first point of contact. We hope the consultation and the emergency situations, but also in long‑term planning and to long‑term strategy because many of our clients do not only have one incident and then it is done. They come back all the time and also, yeah, online violence spreads very fast and we almost never deal with only one incident at a time. We support with law enforcement education so that people can defend themselves and we want to deter the perpetrators. We also have a cooperation with a specialized cybercrime unit here in the prosecution in Germany that, yeah, is very, very helpful, because Civil Society has to play a very important role in bringing the cases and building trust in the community in these public institutions.
We also communicate our successes to show that it is worth it. Of course, also to deter the perpetrators and to empower the victim was communicated ‑‑ that other people have been successful, that's a very, very powerful tool. We also sensitize law enforcement, judiciary and politics for the needs of the victims, it is also a very important part of our work because due to the inactivity in the last few years there is a lot of trust lost and we see ourselves as the bridge between the victims and the public institutions here. We also influence the legislation to improve the protection of the overall circumstances. I can tell you with regards to the discussion later, platform responsibility and platform liability of big tech companies is a very, very important part of this work.
Thank you very much for your attention. I'm looking forward to the discussion.
>> CHRIS DISPAIN: Thank you very much. We'll move quickly on to Rasha from Amnesty International.
>> RASHA ABDUL RAHIM: Thank you for having me on this panel. A quick intro into Amnesty Tech, the program I'm director of, this is a multidisciplinary team of technologists, Human Rights researchers, lawyers, advocates and working to make sure advances in technologies protect rather than undermine Human Rights.
Today I'll talk about the trend that we have seen and that we want to launch an investigation on in partnership with many journalists in the summer called the Pegasus Project. That's the trend of unlawful targeted surveillance. Before I delve into the Pegasus Project, I want to contextualize the work we have done on this issue.
Over the year, Amnesty International and many other NGOs, researchers, academics noticed there is a pervasive lack of transparency around the use of targeted digital surveillance. Impeding an understanding of and accountability of the veer Human Rights impacts we have seen of this service event and we have long cautioned that a few hard won insights that we have gained regarding, for example, NSO Group, a handful of other service surveillance companies such as Hacking Team, others, were really just the tip of the iceberg and so in July we launched a collaborative investigation which involved 80 journalists from 17 media organizations in ten countries which is coordinated by Forbidden Stories, a Paris‑based media NGO and Amnesty International, our tech security lab, which is based in Berlin, comprising technologists carrying out forensic investigations into targeted attacks, we were the technical partner in this investigation. What this investigation did, it was shed light on just how states use of targeted digital surveillance tools, in this case specifically Pegasus, supplied by one of the industry's most prominent companies, which is Israeli company NSO Group, utterly out of control, threatening individuals Human Rights including the physical safety on the systematic level and it also is destabilizing to national security.
Now, just very quickly on to the Pegasus spyware, by nature, it is designed to go undetected. It is considered one of the world's most intrusive commercially available surveillance tools. When this tool is installed on your device, so on your phone for example, it allows an attacker complete access to the device's messages, e‑mail, camera, media, microphone, calls, contacts, basically into the target's entire life. Now, what this investigation uncovered was that Human Rights defenders, lawyers, activists, journalists, politicians across the globe were potentially targeted with this spyware. To talk a little bit about figures, this is over 200 journalists from at least 20 countries, hundreds of politicians including 14 Heads of State and what that really shows, it is that it doesn't matter whether you're a journalist expressing criticism against your government, it doesn't matter whether you're the head of that government, nobody is safe from the reach of this spyware, anybody could be targeted. I don't go into too much detail on examples. I know we have limited time.
Just to mention a few.
There was a case of a journalist in Mexico who was selected for targeting with spyware weeks before his killing in 2018, more than 40 journalists in India, at least 40 journalists ever targeted with this spyware, the investigation identified journalists working in major news outlets, including Associated Press, CNN, New York Times, others, and even post the launch of our project, in July, many cases are emerging, we're getting reports of people's phones being targeted and successfully compromised with the Pegasus spyware, Human Rights defenders in Palestine, yesterday we published an investigation into the targeting of Human Rights defenders in Kazakhstan and last week we published a paper on 9 U.S. state employees.
To talk quickly about in view of the systematic targeting of Civil Society using that spyware, I want to touch on the real life impacts that it has had on the people who have been targeted whether or not they were successfully compromised.
Obviously, the right to privacy is engaged here, and you describe this as a global assault on the right to privacy. It also is important to remember that it is not just about the right to privacy. What the investigation and the stories that were uncovered illustrate is really a disturbing link between targeted digital surveillance, privacy abuses and then other Human Rights abuses. Now, of course, freedom of speech is a key one which was violated, you know, journalists, Human Rights defenders, others targeted with this spyware, right to life, right to security of person, the huge psychological impact that this has on people, and it is important to remember that the mere threat of surveillance, it doesn't matter whether or not you are actually successfully surveilled, the mere threat that you may be also has a massive chilling and silencing effect and it really contributes to the overall shrinking of the civic space.
Now, just to sort of wrap up and to talk about some of the recommendations that we're making in view of these really important findings. What the investigation showed is that NSO Group spyware is the weapon of choice against Civil Society for governments and it has been used to attack and silence journalists, activists, others around the world and essentially to crush dissent.
What this also shows is that it is an incredibly unaccountable industry as well as an unaccountable sphere of state practice that needs to be regulated meaningfully.
We have a huge gap in international regulation regarding the export of these types of technologies and this shows why it is so important that states do meaningfully regulate this industry in line with Human Rights.
So one of the things that we have been calling for, it is obviously regulation of state practice over the use of these surveillance tools and over the practice of surveillance, but also regulation on an international level to govern the export of these technologies and I would be very happy to expand more on some of the issues that I have raised in the discussion.
Thank you very much.
>> CHRIS DISPAIN: Thank you very much.
Yes, we could have a five‑hour discussion about that I'm sure! Hopefully we will get to some of it, although time permitting.
So we have a group of discussants, Bart Groothuis, Anastasiya Kazakova, Latha Reddy and Katherine Getao and Liesyl Franz. I know you may have points you specifically want to make. That's fine. I will ask you to talk to two specific questions for a reasonably brief period of time to generate a discussion and we'll also take questions from the floor.
I'm going to go to you in a particular order, but the questions are:
How should we move forward with refining and implementing cyber norms? That was a clear take away from the prep session.
The second one, how do we know the mechanisms put in place working against cybercrime are satisfactory? In other words, what does success look like? I have been around for a very long time, pre‑Internet crime, general crime has always been a problem, it is never solved. We seem to think sometimes, I think, we think we're going to be able to solve cybercrime in a different way to the way that we solve crime. I'm very interested in your views on that. Once we have heard from our discussants, I'm happy for others to come in as well. We will take questions from the floor.
I will go first to Latha. Over to you.
>> LATHA REDDY: Thank you, I take your point that you want to concentrate on how to move on norms; that was the first question you raised.
What I want to say, the UN efforts, the efforts that the world has made in the UN, they're very commendable.
Whether it is the UN GGE sessions that have started year after year, whether it is the open‑ended working group, the high‑level panel set up by the Secretary‑General, whether it is the roadmap, the UN has done a great deal to put this issue center stage, you know, we do need norms that we do need some kind of regulation of the Internet.
Why have we not really been able to come up with binding norms which have consequences is the question. All along the discussion has been about voluntary norms, but if we address the question of attribution, accountability, of consequences to be faced by offenders, without these elements I think simply voluntary non‑binding norms are not going to fit the ticket. I think this is the basic handicap that we have been facing on norms.
Now, I personally think that the IGF, the IGF plus, the platform on which we're speaking today, the IGF is perhaps a more promising area because the IGF has made more efforts to bring in government representation, the MAG certainly has been strengthened, and the parliamentary delegations I think are a very important element, the last IGF I attended in person, it was two years ago, we certainly had many members of parliament there from several countries ‑‑ but not enough! I think that ‑‑ if that School of Thought could be followed, that would be a multistakeholder forum which I think is very, very important. If you don't bring them in, it is a problem.
How do we measure success? I would say if we have norms that work we will achieve some measure of success. It is putting the cart before the horse to say let's define parameters of success before we see how we can move forward on norms. I would like to talk about other efforts, I was interested to hear what others had to say about how they help victims, Hate Aid, Amnesty International, many groups are doing different types of work and we though what's happening in social media these days.
Since you asked us to limit our opening remarks to 2 minutes, Chris, I'm in your hands and I will stop now. I hope I can come back to some of these points in the later discussion.
>> CHRIS DISPAIN: Thank you, Latha. I appreciate that. In these sessions, you know, time management is a tough job. I wonder perhaps if we can turn our minds to updating our expression cart before the horse, which is a pre‑Internet expression, maybe coming up with something that may be more relevant to the Internet in the future!
Let's go to Bart.
>> BART GROOTHUIS: Good morning, as the chief negotiator on the new cybersecurity legislation that will come out in the next couple of years, I'm very busy negotiating at the moment.
What we're trying to do, basically create resilience in the entities we want to protect. We're taking on cybersecurity posture and later, next year, the European Commission will come with the entity, the European Commission will come with proposals regarding products, connected devices, smart devices, but also hard and software products. Those are the two main efforts that Europe is doing to keep us safe.
To come back to your question, Chris, it is very important that we do not just look at ‑‑ just look at the ‑‑ at the barrier, making sure we don't get hacked. It is also good to look at who's exploiting the favorable conditions? Who is behind it? Why? What Europe is also doing is creating a cyber toolbox for sanction regimes. We have extended that, also to say something about Josephine's great story, to a hybrid toolbox, which could respond to below the threshold ‑‑ that's what we call them, like cyber sabotage, espionage, others. Europe is more and more normative in the global space and that is to answer your question, how do you make norms, it is also by upholding it.
What I'm appalled by is by many government leaders around the world saying, well, this is a tweet, a government of X, Y, Z condemns this horrible cyberattack, and doing nothing. That's in fact communicating that there should be a norm, but not doing anything means there is no norm for the perpetrator. We're in a phase of actually communicating norms here.
How do you communicate norms? Europe is in the provide of making new instruments, using agriculture, using migration visa, using sanction regime, using access to the internal market, we're more and more a geopolitical player, I encourage that. We should not just hide behind the security posture but do something about the perpetrators behind it in a geopolitical order, it has to be upheld.
Now, that's my 2 minutes for now! Back later! Back to you, Chris!
>> CHRIS DISPAIN: I shall unmute! Yeah. Yeah, yeah! That's the first time I have done it to be fair!
A question that's been regurgitated: how to have an open, honest multistakeholder with cybercrime when some state actors are just not contributing, which is kind of what you just said. I wasn't sure whether it was too controversial to throw in. Now that you're mentioning it, I'll put it out there and see if anyone wants to respond later on.
Thank you very much for that.
Let's go to Anastasiya Kazakova. Over to you.
>> ANASTASIYA KAZAKOVA: Hello to everyone. Thank you so much for providing the forum. We have been participating in the IGF for the second time as a team, unfortunately in the virtual format. We have heard lots of really good experiences from the community building through different days of the IGF.
Also, focusing in on the key questions on the cyber norms, I would say that implementation does happen already in different parts of the world, different sectors, the question is do we have sufficient knowledge about how they have been implemented currently and what challenges particularly arise across different development, Developing Countries, more capable, private sector, less capable, including small, medium businesses and all other non‑state actors in Civil Society, further.
This is a key question of how could we learn more? What should be done to support those who need it with the norm implementation and what good practices could be shared with each other.
A key practical example within the Best Practice Forum which was mentioned, we also looked into how particular security incidents have triggered the development norm implementation because really, truly international research we did, I was personally working on a case and I needed to conduct the interview of the different security researchers based in the U.S., in Europe, in Russia as well. The key question from my side was did you know about the particular cyber norms, specifically the norm on responsible reporting of vulnerabilities, to implement this. Of course, the answer was no. It doesn't actually mean that researchers didn't follow the good practices of the disclosure, of course, no, they did, they just didn't know what actually states are doing within the UN and definitely there is a gap and the IGF I think is one of the key places to close the gap, to make sure that those ‑‑ that the work of the security researchers, incident responders, diplomats of the academia, NGOs, they can be less happening in silos.
About the implementation as well, throughout the last week of the IGF definitely there is lots of really good workshops. We particularly conducted the workshop on the helping to understand how the norms in the infrastructure protection are happening and how the integrity of supply chains also could be ensured, there is also really interesting workshops on learning how the digital security of products is happening, looking at the normative practices and regulatory practices coming from the U.S., U.S. does a lot of great initiatives in this regard today, the European Union also mentioned by Bart, you know, looking closely what's happening with the directives and what will happen next year with the security of products in the European cybersecurity certification.
It was also great to hear the views from the Asia‑Pacific, I think we need more learning on what actually challenges again may happen there.
The last point, probably from my side, also wanted to make some practical exercises, because I believe IGF needs more and more workshops to practically help raise the cybersecurity talent and to help actually do more capacity building exercises. We tried again, unfortunately in a virtual format, we did organize the game for non‑techers to learn the technical attribution DiploFoundation, it was a unique experience, we will improve that experience, we were all virtual in different parts of the world.
Thank you for this opportunity. Again, I would like to highlight the IGF is one of the great spaces to connect with different communities.
>> CHRIS DISPAIN: Thank you, Anastasiya Kazakova, thank you very much.
Let's go now to Katherine. Over to you.
You are on mute.
>> KATHERINE GETAO: Thank you very much, Chris.
I won't say last and not least because it is the position of Africa that we're always questioned last.
>> CHRIS DISPAIN: You're not actually last!
There is Liesyl to follow you, I left the U.S. to the last for a political statement!
>> KATHERINE GETAO: Never mind.
So I agree very much that maybe the reason why the norms have not had impact is the critical questions of accountability and, of course, there is a technical problem of attribution. The issue which is very important to developing countries, which is about redress, reparation, repair. I was very impressed with Josephine's work in Hate Aid because I think there are many places where the impact on the individual is not really addressed in any comprehensive way. You can carry that up even to countries, that even if the perpetrator is caught, if critical infrastructure built at great expense has been destroyed, countries have been reluctant to commit themselves to provide any type of redress unless on a voluntary basis. I would say we have to go deeper. That is we now have a global infrastructure with very complex applications which are political, social, financial and many other types and which involve individuals as well as organizations and governments. I think this has created a cultural misfit. Never before in the history of the world have we had to develop a culture that encompasses such complexity on a global scale. Now, that may sound very theoretical. I think those are some of the questions which in a multistakeholder fashion we need to discuss if we're going to have effective solutions which have impact.
I would say we have two approaches, because I think there isn't much time left. One is that there is a culture that will evolve, but that happens very slowly, but it will be helped by dialogue at IGF and other forums so that we all listen to each other and to our solutions.
There is also the solutions which are coming very well from the region such as Europe or the Asia‑Pacific where if they're able to design and test solutions and there the important approach is the information sharing so that other regions can also learn from that approach which I hope will produce results much faster than the evolutionary approach where we just recognize that there is an issue and we hope that solutions will emerge with time, which, of course, they will, which is why human beings have survived this long.
I'll stop there. I'm listening carefully to the discussion. I'll be very glad to engage as we go.
>> CHRIS DISPAIN: Thank you, Katherine. Appreciate it.
>> LIESYL FRANZ: Thank you, Chris.
This has been a really rich discussion, not just in this panel but certainly over the course of the week. It was great to hear the summary from the preparatory session which I think put a lot of thought for the presentations.
To answer your first question, I would say that, you know, I think as somewhat of a surprise to some, including possibly the United States and Russia, we were able to come to consensus on the norms, on the GGE report, and on the OEWG report this year. It not only affirmed the norms and frankly the broader aspects of the framework for responsible state behavior, like the applicability of the existing international law to cyberspace and confidence building measures, but countries also committed to work with others to implement the norms and express how countries do it themselves and how they can do it with other countries and also with other stakeholders around the world. That commitment, it is also a step ahead, a step forward to I suppose refining and redefining, how to adopt, implement them in your own national context. As we move forward, I think that's a very positive step in that consensus we built, despite all of the trends of challenges that people have mentioned, and they are not ‑‑ they are not to be belittled. A trend, a positive trend, it is the consensus that emerged out of those two reports and going forward I think. Capacity building is a huge component of that and the United States is committed to doing that in many ways and working with other countries and associations like the global forum for global expertise.
To answer your second question, well, I don't know if ‑‑ we used to say security is not a destination but a journey. I think that's probably going to be true for many things. There are indicators, benchmarks to point to. We could point to be able to say if we have more trust than we did or we know it is more satisfactory than it was. One, of course, is if countries could ‑‑ if they haven't, if they take efforts to build up their laws around crime and then the use of cyber‑enabled crime to be included in that. As such, to take efforts to, I think somebody said, investing in the law enforcement community to actually prosecute and to investigate and prosecute the crimes.
So that is one thing. I think from a behavioral standpoint, if we see changes in methods, behavior, in the criminal community online. That's one indication that things are working.
One thing that we ‑‑ I do think that even though ‑‑ you know, I think there were good points made by Latha on how to know if the norms are working and while they are non‑binding, they are also ‑‑ they're not self‑enforcing. So we as a community have to step up and figure out ways to raise the cost to malicious actors, to undertake malicious behavior in cyberspace and impose consequences; that is sort of an enforcement mechanism in itself. The United States and many other countries have called out countries when we see their malicious activity in cyberspace and there are other things that we can do such as sanctions, other things that increase the cost for that kind of behavior, whether it is criminal or state activity.
I know that's ‑‑ there's a lot to cover in this. Complexity, convergence, collaboration, they're all good C word trends. Thank you, Chris.
>> CHRIS DISPAIN: Thank you, Liesyl.
Thank you very much.
We'll go to questions in a second. I see Latha's hand. We'll hear from Latha and questions are on the chat.
Also questions from the room.
>> LATHA REDDY: There was a question that I was responding to from my good friend Wolfgang from the IGF and he asked what the consequences could be that I talked about. You know, when I said the people should face consequences for violating norms.
I would say you have to have a different set of consequences for states and for non‑state actors. Secondly, I would say you have to have a ranking for the severity of the violation. You know, to say is it moderate, catastrophic, et cetera. Then you have to have a list of responses.
As I said, it has to be a separate issue for states and a separate issue for non‑state actors.
For example, a non‑state actor, they could face criminal charges, you could put him on an Interpol notice list, prevent his travel, you could freeze his assets, you know, the things we traditionally do to criminals. Obviously, with the states it is much more complicated; rather than name and shame, I would say name and negotiate before you get to the stage of shame. That was really what I wanted to say about this.
I also wanted to mention other efforts on norms such as the Paris peace call and, you know, our own work at the global commission on Internet Governance and the global commission on the stability of cyberspace, time permitting, I would like to get to that as well because I think these efforts can reinforce what's happening in the UN and in the IGF.
For now, I'll stop this, I thought I would answer the specific question put by Wolfgang. Thank you.
>> CHRIS DISPAIN: Thank you. Thank you very much. That's very much appreciated. That's exactly why we're here to deal with those specific questions. I have a queue of people who want to speak.
I'll throw it quickly over to Lucien in the room.
>> LUCIEN CASTEX: If you have a question, raise your hand, we have someone that will give you the floor.
I have two people asking.
>> CHRIS DISPAIN: Let me ‑‑ I'll come back to you in a second, Lucien, to take the questions. I have a question in the chat. I will go to the discussants first, Craig, then Liesyl and then Anastasiya Kazakova.
>> CHRIS DISPAIN: I was going to come back to that point of Latha on where we take the actions.
A way we're looking at the who hadal now in prosecute range the actors are actually based.
Take the evidence from one country, then identification of the threat actors, the actors in the other country and prosecuting directly in that country rather than going down the extradition line, things like that. That's a useful tool.
Effectively, that gets the law enforcement community in the countries working, cooperating more effectively.
A project that we have currently in Africa is doing exactly that. We have an Africa joint operation cybercrime desk funded by United Kingdom and there is details on the website on details on that. Changing that model of policing effectively so you don't do it one hand tied behind your back.
>> CHRIS DISPAIN: Fantastic. Thank you.
I want to get to questions. I'll ask the discussants, if you could be brief, that's fantastic.
>> LIESYL FRANZ: Thank you, Chris.
Maybe just a two finger, on the ‑‑ on Latha's good point on naming and shaming should be naming and negotiating, I think there should be ‑‑ you know, coming from the State Department, you know, we think that ‑‑ don't think that this is something without diplomacy. Right. There is lots of conversation. We built a framework, the negotiation before the naming. We have a foundation from which to point, to say that this is what the responsible behavior is.
It shouldn't be necessarily a surprise.
Also, there are many aspects of that kind of framework that require and welcome diplomacy as well.
Negotiation, but also discussion.
>> CHRIS DISPAIN: Super. Thank you.
Let's go to a question in the room and then come back following the queue in front of me, so Lucien Castex, the first person in the room, please.
>> LUCIEN CASTEX: Thank you very much.
>> AUDIENCE: Thank you for that excellent presentation.
I heard a lot about the vulnerabilities and security but I kept waiting for extraordinary access, lawful interception as well as the hoarding of zero days by intelligence agencies and the roles that governments play in systematically undermining the security of the services we all rely on. Could some of the panelists comment on that, please?
>> CHRIS DISPAIN: That is a good question. I'm going to ask if anybody wants to comment on it before going back to the queue? Open up your microphone and speak if you do.
I'm not getting ‑‑ I'm not feeling the love that anyone wants to comment at that stage. Let's take that under advisement.
>> BART GROOTHUIS: Chris, it is a good question. So zero day factories we see around the world are somewhat privatized, Amnesty International, others are in government hands, there are a couple of worrying trends.
The first, the Chinese have stopped looking for zero days and international context with coordinated vulnerability disclosure following it. They said no Chinese can compete, we do our own CTFs in China and you give zero days to the Chinese government first before you disclose it to the vendors. That's very problematic.
I think that there should be an international diplomatic effort to address this.
If you combine that capability with the huge effort that China has taken for intellectual property theft and otherwise cyber operations, it is not the best prospect for the world.
Secondly, if you look at Pegasus, it is extremely problematic that the Israeli company would export that to countries like Hungary, Poland, et cetera and others, in Saudi Arabia. Let's address if every country would go after these zero days to hack legitimate targets, that would not be beneficial for the Internet either, would it be? So we have to find a balance there. I think that it is all around export controls like Amnesty also said, about the arrangement that the countries have to sign up to and diplomatic pressure, like the State Department just said, it is key. We can't ignore the fact that we sometimes need zero days to get to end points, to legitimate targets and also the Interpol director would agree, sometimes you have a severe criminal and you want to get into that communication. Sometimes you can't get into that communication without zero days. You can't exclude it, but what you can do is regulate the export, more oversight, better democratic standards is what we have to do together, especially with the diplomats here, I think we could, if we just had the political will, from Europe, we have that will.
Back to you.
>> CHRIS DISPAIN: Thank you.
You want to comment, Anastasiya Kazakova, then to the question.
>> ANASTASIYA KAZAKOVA: Thank you so much. I would like to complement and ‑‑ looking to the Chinese rules, any future rule that a government may follow here as well, tackling the zero day vulnerabilities and answering the question, I think as we have a global community the reliability and responsibility, but it really sounds general and more specificity would be necessary in this regard, particularly if it is possible to somehow harmonize the operation of the government to the vulnerability treatment overall and to increase the transparency on the vulnerability stockpiling, vulnerability another rumblety used by state and non‑state actors, it is really important to implement keeping in mind that still the technology that we use remains global, the technology we consume, distribute remains global and the harmonizations on the rules across the governments, how the vulnerabilities have been treated, it is key to make sure that the industry would not be torn between different rules and leading to the rules of the one country by following the rules of the other countries in reporting the vulnerabilities.
The other aspect I also wanted to mention here, I would agree and align with the comments said before by others about the cybercrime and more capacity and more ‑‑ sorry ‑‑ the focus on the law enforcement capacity and we certainly know that the cybercrime, the international responsible state behavior are two different processes within the area, for industry, for the police, it may be actually very close topics but those are separate processes and of course the content and expertise is important but it is important to make sure that the process is clear that the process is aligned and if it is somehow possible to ensure that the process will be aligned, I think it is also really important key to further success in this regard.
>> CHRIS DISPAIN: Thank you.
We're going to go to the remote hub.
Over to you.
>> Remote hub Dhaka: Thank you for letting us ask the question. Moreover, the Internet Governance Forum is so grateful to be a part of this IGF in 2021 Poland. We have lots of information from this IGF.
Our question is, we know that young generations are more vulnerable part of cybercrime in the cyberspace world. How can Internet Governance work for bringing that data layer on social media or websites, how can Internet Governance Forum work with those companies who provide this type of service? Thank you so much.
>> CHRIS DISPAIN: Thank you so much, Dhaka, we have that question written down here and any of the panelists that want to speak to it will be able to do so when we have taken the other question from the floor and then we're going to go to each of the panelists in turn to make some remarks.
>> AUDIENCE: I'm from Nigeria.
My question is, I need ‑‑ I need an explanation from experts, how can nations mitigate cyber threats sponsored by state actors? I'm aware that some countries are training cyber militants for launching attacks on other nations?
Thank you so much.
>> CHRIS DISPAIN: Thank you. I think we have to some degree addressed that in the comments that we have made. I will pick it up as we go through our speakers.
>> JOSEPHINE BALLON: Thank you.
I can pick up the first question because it is related to what I wanted to say anyway.
I would appreciate such attempt to all come together with the big tech companies on this topic on an international level here because we have to be aware oftentimes accountability, but also all kinds of law enforcement, really end at the international borders, this is something to be aware of, this happens even within Europe. It is even harder to find a global solution here and we have to just be aware that these companies are located abroad and delivering their services to the whole world and that's something that really needs to be addressed because I think we have seen also that the time for self‑regulation is somehow over because it just did not work.
There were many attempts of making the industry itself regulating them, that this is just something ‑‑ yeah, that brought us to the situation where we are in now. Thank you.
>> CHRIS DISPAIN: Thank you very much.
>> KATHERINE GETAO: Thank you very much, Chris.
I can address the question and commenting on some earlier.
Yes. The UN GGE efforts at the UN and the open‑ended working group are very much trying to address the state to state issue in terms of the kind of impacts that states can get, either they weaponize the technology or they engage in other activities.
This is dealt with in four areas at least.
There are the norms which tell us the basic infrastructure institutions and practices that should be in place.
There is international law which hopefully gives a place to go when there is such a state to state conflict and there is an aggrieved party.
There is the issue of confidence building measures, which help us to reduce the tension between states that occurs when such incidents are either threatened, they take place, and also the capacity building measures, which should be done in a globally cooperative way because there is the principle of the weakest link. There are some countries that are not able to appreciate this technology, then they are in a better place to be misused by bad actors.
Last point I want to address, it is just on the question from the colleague from Dhaka. This is I think something that has to be a very important subject of discussion at the IGF and other forums, which is the fact that there's a high pay‑off for crime and bad behavior on the Internet despite our efforts, both at the local and the international level. There are too few of the criminals, whether they are individuals or states behaving badly, that actually suffer for their actions.
When this is combined with the diminishing opportunities for youth in developing countries, you have an explosive mixture. Many of them are going to choose the Internet as a place to perform crime. I think as we think about all of the other ‑‑ (Zoom pause freeze).
>> CHRIS DISPAIN: I think ‑‑ I think we have ‑‑ I think we have lost Katherine. I'm assuming you can hear me. On the assumption that you can, we seem to have lost Katherine.
Thank you, Katherine ‑‑ oh! You are shaking and we can't hear you.
>> KATHERINE GETAO: I'm done.
>> CHRIS DISPAIN: Thank you, Katherine. You're very kind.
We have literally got 4 minutes left. We don't really have time for what I would like to have done, which is to bring everybody around to closing remarks.
I will, however, rather than waste everyone's time by me attempting to sum up, which is probably not particularly useful at this stage, just throwing open to our panelists for any 30‑second last‑minute remarks if anyone wants to make them. Put your hand up if you will, I would happily give you the floor if you would like to say something to close.
I do know that unless I'm very much mistaken, I think that Rasha wanted to address briefly the question on youth. Why don't you take that.
>> RASHA ABDUL RAHIM: Thank you very much.
Just wanted to say that actually Amnesty International will be launching a long‑term Programme of Work on children's digital rights commencing in January of next year. As part of that project, we see several things that could be done in order to protect children and young people online and to enable them to use such an incredible space which can facilitate their rights as well as undermine them. I think one of the core things that we're seeking to do is to really have children and young people be part of the conversation, to be part of the standard setting. You know, the Internet was not designed with children and young people in mind. Certainly, you know, social media platforms like Facebook, Twitter, whatever, the many other platforms, they were not designed with them in mind. We see them as a critical part of regulating the online space so that it works for them.
We also see youth‑led research, campaigning as a major component to also come up with the policy solutions that would protect children online.
In terms of a final remark, I was really interested to hear the answer about the risk of state on state cyberattacks. I just wanted to point out another trend that we're seeing: hacker‑for‑hire attacks. What this means is states contracting with companies that then launch cyberattacks against other states as a sort of conduit. Again, at the risk of sounding like a broken record, I really do think that regulation at the international level of private cyber surveillance companies is desperately needed, as well as international regulation where it is lacking to regulate the state practice of the use of these tools.
>> CHRIS DISPAIN: Thank you.
You have Bart, 30 seconds, 40 in a pinch!
>> BART GROOTHUIS: 30 seconds!
First of all, we have amended on eight different occasions to forbid large scale platforms to follow children, extremely important. In Europe we will legislate. In the current negotiations, that's still in. So Rasha, full on, spot on!
Last remark, on everything going on on the Internet, new norms, we shouldn't make sure that the baseline is clear, free and open Internet, we should not touch the core of the Internet, there is more and more discussion touching at root level DNS servers also in Europe, and I will do everything in my power to make sure that we do not touch and regulate the core of the Internet because otherwise all regulation we do is of no avail. That's the last remark.
Back to you.
>> CHRIS DISPAIN: Thank you very much. We need to close. It is time.
Everyone has been fantastic! I thank you all very much indeed for your time! Thanks everyone for contributing! Very much appreciated. See you all soon!