IGF 2022 Day 1 Open Forum #44 Enhancing cybersecurity of the National Administration – RAW

The following are the outputs of the captioning taken during an IGF virtual intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***

 

>> ROBERTO ZAMBRANA: We are already starting the session, I'm giving you the floor now.

 

>> OLGA CAVALLI: Good morning, it is the morning here of quite summer day.  Quite hot.  My name is Olga Cavalli, I'm the national director of cybersecurity of Argentina.  Many thanks to all of you for being with us in person or virtually today in this open forum focused on enhancing cybersecurity of the national administration, but we have a group of experienced and distinguished panelists, and friends who will share with us some comments about how to enhance cybersecurity and tack I will cybercrime.  With me there, our distinguished panelists, I will briefly present them and then give the floor to them, thanks to all of you, I know you are very busy, some of you are art in person, some virtually.

 

Professor emeritus of the university from Germany, Regine Grienberger, Ambassador for Cyber Foreign Policy, Germany, welcome, Regine, Liina Areng, in Estonia, the regional program lead at EU CyberNet.  Cesar Moline, Director of Ciberseguridad.  He is the regional program lead at cyber net in Latin America.  Very important role.  Kerry‑Anne Barret, my dear friend from cybersecurity Program Manager or Organization of American states.  Were he our dear from Roberto Zambrana as our own site moderator.  A MAG member.  And our dear Rapporteur from Columbia, Monica Trochez.  Thank you very much, Monica for being with us,

 

Over to you, Roberto, for to give us initial comments.

 

>> ROBERTO ZAMBRANA: Thank you very much, Olga.  Indeed it is very important session, and I'm also welcoming our great panelists, and all the people that are attending for online and of course attending here onsite.

 

Working to see, a very nice session about cybersecurity, and the efforts that are different governments are doing regarding this important issue.  In the different aspects that are part of the strategies to actually fight and try to prevent different kind of debts and other means of affecting actions that can be damaging for our institutions, particularly in the public sector, but in different other aspects.

 

So maybe we can start with you, Olga, and our first guest.

 

>> OLGA CAVALLI: Thank you very much, Roberto, for your initial comments.  Before giving the floor to our colleagues, let me tell you very briefly what has been done in Argentina to enhance the cybersecurity especially at the national administration, but being the government and the national administration, one of the most important users of the IT infrastructure and data, that it is interesting information for you to have in mind, we have a national cybersecurity strategy, it's being revised right now, we have a national cybersecurity committee which involves several ministries, the directory that I lead in the security of public innovation, we issue a policy called minimal information security requirements for organizations of the national public sector because ‑‑ this policy establishes status of minimum information security requirements which are mandatory for this ministries or parts of national administration.  And the main receivers and producers of information of the country.  This is kind of the basis for establishing security at the national level.

 

So we have seen that it's important, we are working on the different organizations to make that happen, and it's revised by the national directorate, but there is a big challenge, especially for developing countries in different aspects related with cybersecurity.  How to be up‑to‑date with technology.  Technology is usually acquired from other countries, it depends on the budget, availability and sometimes when everything is well done with security, nothing happens.

 

So it's difficult to show progress when all the things are in place and are working well.

 

At the same time, it's difficult to ‑‑ there are not many universities and ‑‑ train staff, there are not very many universities and training courses training people, especially you at the national administration how we can create new careers in cybersecurity with universities and how can we deal with the human resources ‑‑ lack of human resources.

 

What is happening in Latin America is many of our very good human resources are going to work to developed countries.  So that's also something that we have to face as a big challenge.

 

So having said this, general questions and comments and things to think about, I'll ask one question to my dear friend, Wolfgan, and he will know that Wolfgan is very well recognized for all the work that he does, but especially he every year, we wait for his comments about predictions for the next year, about cybersecurity and all that will happen in internet, especially in this international interaction.  So Wolfgan, my question to you is, considering cybersecurity as an important part of internet governance, and I know you are focusing more now on your work in cybersecurity, can you share with us your comments about what we can expect from ‑‑ and about cybersecurity and cyber threats in the next year that's coming, 2023 and welcome and thank you very much for being with us this morning, afternoon for you.

 

>> WOLFGAN KLEINWAECHTER: Thank you, Olga.  Thank you very much for making this arrangement.  I just came from a session which I title the role of government in internet governance, and we referred to the definition of internet governance from the agenda, which introduced multi stakeholder model where the civil society, the private sector and governments are singled out as the main stakeholders and each stakeholder should contribute, and this was the key words, in their respective roles, and the conclusion from this addition, in their respective roles, is today's no single model for the governance of the cyberspace because it depends from the issue.  If it comes to cybersecurity, the governance model will be certainly different when it comes to the management of the domain name system.  The domain name system, governments are in an advisory capacity because all the work is done by technical experts and by the registries, reg stars and ICANN, and many various capacities on the nonstate side and the governmental Advisory Committee, very aware of it.  Cybersecurity, it's very clear, the government has the priority.  National security and also fight against cybercrime, this is primarily a task for the government.

 

But however, it would make absolutely sense, and it's not ‑‑ would not only make sense, but it is needed that governments consult with nonstate actors.  If they really want to enhance the cybersecurity, like in the domain name system, the voice of government is needed, that's why, you know, you have governmental Advisory Committee.

 

For cybersecurity, it makes absolutely sense to a nonstate actor Advisory Committee, which would go for advice on the technical perspective on the private sector from the civil society, you know, what governments should do.

 

You mentioned national cyberstrategy, I think this is really important and will help also, you know, in the ‑‑ it's a confidence building measures.  If each country has a national cybersecurity, then you understand much better.  You know what are the special national priorities and, you know, what the situation in this country.  That's why also in the program under discussion in the working group in the United Nations, there is the recommendation to elevate national strategies.  But it would be absolutely needed, in fact national strategies are coming out from a multistakeholder discussion in the country.  If only governmental people are sitting together and craft such a document.  They can produce a document, but miss some points.

 

The decision‑making capacity remains in the hand of governments, but all the wisdom and knowledge which could come from the technical sector, from the private companies, from civil society, are needed.

 

And so far, the ‑‑ looking forward, what will happen in the next years, I think we are moving towards a crossroads where the multistakeholder model, which was adopted 15, 20 years ago, will see a stress test.  Because, you know, if you look around, there are some governments that say why I should consult with private sector, I have power and I'm not ready to share this with others, sharing is the key word, and Christian agenda if it comes to the governance system.

 

So far, it's difficult to make any predictions.  The discussion on the global digital compact, which was kick started today by the tech envoy, I think it's a good opportunity, though my concrete proposal would be that the process could be stimulated by the creation of multistakeholder drafting teams which work on certain texts to find a decision‑making capacity will remain in the hands of the government.  It's intergovernmental body.

 

Before you come to the final stage, there is a lot of things to do, I think that's why the awareness in particular in the face of cybersecurity was in governments is important, it's ‑‑ they make use of the potential, which is available in each country and where countries can learn from each other.  Back to you, thank you very much, Olga.

 

>> OLGA CAVALLI: Thank you very much, Wolfgan, this awareness issue, I think, I've been reading and learning new things in my role in cybersecurity, and I think that the awareness is one of the key issues that especially the government can have in hand.

 

And I take note of what you said, nonstate actors Advisory Committee, I think that's a very interesting concept.  Maybe we can think about some countries that have that in their structure.

 

And I don't see the government not interacting with the private sector with the technical community, with companies providing the technology, technology especially in the developing countries that we are mainly buyers and users of technology developed in other countries.

 

So thank you very much for your comments, and maybe I come back with other questions in a while.

 

Over to you.

 

>> ROBERTO ZAMBRANA: Thank you, Olga, it's important to mention, indeed, most of our countries usually work separated in the different agendas.  The private sector themselves, the government by themselves, and it's important, as you mention to check with this issue in every integrated way,

 

I would like to know, we are going to Regine with this question now, I would like to know, Regine, how is the security in the public administration, and how this organizational structure interact with other ministries, inside, of course, the national level and also outside with the other countries and the European Union contest.

 

>> REGINE GRIENBERGER: Thank you for that question, it sounds easy but it's difficult to answer, the German arc tech sure, the pictures in children's book.  They are multi colored, and you have the little mouse.  So I will start with the three layers that I see, and they basically ‑‑ to explain from the global perspective.  So first, we have the whole of government approach, which means there is a court of three ministries carrying the children of cybersecurity in Germany, Ministry of Interior, that was responsible both for all the resilience work that has to be done, but also for cybercrime.

 

Then there is the Ministry of Defense, responsible for military defense 37 in our case this means not only defense of national territory, but also within our military alliance, which is NATO.

 

Then there is the diplomacy part, which is my part and the foreign ministry, going to being on the international norms and on our bilateral relations in order to counter the threats that we are facing.

 

So that's the whole of government approach.  We have our national cybersecurity strategy, which describes the task and responsibilities for each and every part of the public administration.

 

But the strategy describes also the second level, which is a whole of society approach.  So we include not only the regions, Germany is a federal system, so we have a state level responsibility and a regional level responsibility, but also the tech sector, telecom providers, critical infrastructure providers, academia, civil society actors and so on.

 

By this, it mirrors somehow the multistakeholder approach we have on the level.

 

Third layer is embedded in an EU framework, for every one of the three points of this triangle, we have for resilience, we have a network and information security directive, on the EU level which gives us directions of what to do on the national level.  For the defense we have EU cyberdefense posture which is under discussions to reach the next level.  For diplomacy an EU cybersecurity strategy which describes some tasks we do jointly, like capacity building.  I'm happy to see Liina on the call.

 

Let me tell you also something about our challenges that we are facing.  It was mentioned already briefly this multi‑level and multi perspective to cybersecurity means for government this feeling of a loss of control.  Because there are so many actors and the government is somehow not even in the position to steer the process.

 

That's also in our case.

 

The second one, this is part of it, that the developing technologies developing at such a speed, it's difficult for state actors, national actors to be really able to grasp what this means, also in terms of national security and there's often the feeling whatever the government does, it comes too late and too little, compared to the threat level we are facing.  In Europe, this is often discussed under the headline of digital sovereignty.  So cybersecurity questions and ownership of digital technologies come together to one discussion.

 

The third challenge I would say is securitization of the whole question, which means that with this very delicate balance between privacy and individual rights and the digital rights approach to digitization and freedom in the discussion on the other hand, security in the discussion, events like for example the moment at the ransomware pandemic we are facing in Germany and other countries, all over the world, lead our security actors to the ‑‑ to the sentiment that they have to get more competencies in order to combat this pandemic.

 

But then what happens to the other side of the balance that is really something that is very challenging and also here I think that only within a multistakeholder discussion we will be able to reach a consensus that is sustainable also in the future.

 

And then this leads to the 4th challenge, this is of course disinformation, and I must clearly say that in our system, we separate clearly our measures, our campaigns against disinformation from the cybersecurity discussion.

 

So disinformation is a problem, it's regarded as a problem, but the mechanisms that deal with this are completely separate from the cybersecurity.

 

So, for example, internet shutdowns is something we do not use we want to maintain the integrity of the digital ecosystem and they rely on reliable access to internet.

 

So our hybrid threats working group we have within the ministries is more relying on elements like resilience of the society, fact checking, providing good consult information from the side of the government, so in the pandemic people are able to access good quality information on reliable and so on.

 

>> ROBERTO ZAMBRANA: Very interesting, particularly to know that it's totally feasible to have an approach of multistakeholderrism.  It's very important and prove experience to ‑‑ I would like to go to Olga now because I think we have.

 

>> OLGA CAVALLI: Thank you very much.  Maybe if we have time after the first round of questions, I would like you to ‑‑ if you can give us more detail about this second level group that you explained, the regions relating with the technical sector, how you related with the government, but I will leave this question for the second round if we have time.

 

Now I would like to welcome and make a question to Liina, the chief in Estonia and commend all the work your cyber net are doing, one of my team members was in a meeting one or two weeks ago, and she said it was a fantastic meeting you organized there.  Thank you very much for that, for inviting her.

 

Cybernet has a very important role in creating a network of expertise to support practical learning and now I'm happy to see you're working intensively in Latin America.  What are the main challenges for creating this network, especially considering the comment about the multistakeholder, the challenge of governments interacting with the technical community and companies.

 

To be able to deliver this practical learning, that it's useful for the attendees, can you share with us some examples of concrete outcomes and impacts and welcome and thank you for being with us this morning.

 

>> LIINA ARENG: Thank you very much, it's a pleasure to join this discussion, very warm greetings from Estonia.  Quite a long trip to Argentina, it's no ‑‑ the project was created three years ago with the aim of improving the quality of delivering the ‑‑ to improve access to the experts, and skill and capacities to deliver that cybersecurity ‑‑ security of cybercrimes related and impacts.  And I want to focus on the awareness and growing the number of experts who would be interested to be ‑‑ to share the experiences with EU partner countries across the globe and to share experiences through different ‑‑ different consultations, trainings, and we make this network available to the EU institutions, to projects, to EU Member States who engage in activity.

 

And the European Union is the largest develop ‑‑ provider in the world, accounting for more than half of all development aid in the world, and it's also very active player in ‑‑ commenter in this organization and connectivity project.  And it is trying to support these efforts and trying to raise cybersecurity awareness ‑‑ and when ‑‑ they are delivering or the issues are receiving aid.  The digital transformation space as well.

 

Latin American region.  The EU, the EU is family of 27 nations, very diverse countries, but we have all joined by the same vision of ‑‑ for global inclusive free and open cyberspace, and this is what we want to convey through the project.  The experts in our network, we currently have several experts that ‑‑ trying to until.  They have very diverse backgrounds.  Interesting ‑‑ deliver the trainings, combine the expertise for larger countries and smaller countries, from different maturity levels, limitations, public sector, private sector.  Civil society, and ‑‑ so combining these different ‑‑ different ‑‑

 

My audio is not.

 

>> OLGA CAVALLI: It's a little ‑‑ I think if you speak closer to the mic., I can hear you better that clear.  That would be great, thank you.

 

>> LIINA ARENG: Try to hold my mic here.  Let me know if it's still cutting.  So basically the ‑‑ we were ‑‑ the experiences from the 27 Member States of the European Union and also experts from the region.  We also engaging with experts in the Latin American region.  We have been working together for years, and we know ‑‑ we share the same values and professionals.  Because we know that copy and paste or one size fits all does not work.  This is the practical learning, practices and exercise and case studies.

 

I'm from Estonia.  It is implemented by public sector agency.  Estonia information system authority, and national cybersecurity.  It has a reason to encourage government to government knowledge shift.  Our network, we have public sector, we still have public sector experts.  Public sector involvement specifically because we might have great consultants who master the theory and the methodology and present extremely well, but the ‑‑ we may not have worked in a place to implement the security policy, and the struggles or the frustration of operating under those resources.  Therefore it is good to combine the different sides of the story and analysis.  How you enhance recognition, practical knowledge.

 

It does not happen through PowerPoints obviously, all about that.  Practical collaboration and information, and in Europe, by creating longer term mentoring schemes, some professional internships, these are the most effective methods to learn.  So concentrate.

 

And regarding the challenges, I guess when designing the trainings, or suggesting experts, we have to take into account always have in mind adoption capacities, because the outcome should be something that they should be happy about and where they have resources.  Their time, their efforts and they should feel they are part of that connection.  Because if this is not the case, then the work will be forgotten quickly and the policies that have been drafted and even adopted will be never implemented.

 

So the needs change happens and sometimes that effort is ‑‑ is frustration as well.

 

This is how we try to ‑‑ sharing experiences, practical experiences through the network we have created.

 

>> OLGA CAVALLI: Thank you very much.  Liina.  27 nations, same vision, that's a very strong ‑‑ that's a very strong idea to have in mind and to work with.  So I commend you for that.  This adoption capacity, I think that's important.

 

Sometimes we see that technologies are not used but sometimes not necessarily adopted in the right way, so I think this is a very interesting comment, and I will come back with some questions after the first round that I have in mind.

 

Now, back to Roberto again.

 

>> ROBERTO ZAMBRANA: Thank you, Olga.  Now we will go to a region, and we have with us Cesar, and I would like to ask him regarding the cybernet effort established in Santa Domingo, Dominican Republic, and in this matter, how do you see the region on its way to digital transformation and which are the main challenges you think a region has to face in the near future.

 

>> CESAR MOLINE: Well, thank you very much.

 

>> ROBERTO ZAMBRANA: You have the floor.

 

>> CESAR MOLINE: Thank you very much for that, thank you Olga, as well, good morning and good afternoon to all.  I guess the Latin American region is called to face great challenge, to achieve this necessary digital transformation, or to develop this digital ecosystem.  You know, we need ‑‑ we've made advancement when it comes to the coverage of telecommunications networks and services.  We have advanced in legal frameworks with ‑‑ had lots of projects and initiatives when it comes to social inclusion programs.  And even in the electronic government.

 

But the unquestionable fact is we as a region, we are still lagging behind quite a lot, and I guess, you know, to answer your question, Roberto, I will try to narrow it down to five big areas.  I guess number one, obviously comes down to infrastructure.  You know, in this context, you know the promotion, I guess, of proactive public policies is required, that for example, will allow, you know, I guess the deployment of, you know, broadband services, both on a national level and on a regional level.  This is something we still as a region, when you look at the statistics from, you know, organizations such as ITU, you see even through the pandemic, there was a consistent ‑‑ considerable growth, I'm sorry, in the use of telecom services.  The region as a whole is still lagging behind when compared to other regions as well.

 

Second challenge is the digital economy, and obviously this is something that even though there has been a lot of access to small, medium enterprises, to the internet, it has increased even before the pandemic, after the pandemic, way more, this, however, has not been translated into our reduction of the productivity gap between companies, you see small, medium enterprises do have access to technology, do have access to the internet, but, however, this is has not translated into more economic welfare for some of these companies as well.

 

Thirdly, there is the issue of electronic governments, electronic government has to become, you know, a core entity for digital transformation, which is why we, I guess, as a society must advocate to promote more action in this arena.  However, it is worth knowing after more than a decade, I think, or even more than that, there have been constant meetings, constant commitments, you know, saying we need to improve the government, but the reality, when you look at e‑government success and such, such, you realize that probably only about four or five countries in the Latin American Caribbean are among the top 50 places in the world.

 

So, again, lots of area for opportunity.

 

The fourth I guess challenge that I would have to find is basically the challenges that stem from social inclusion and sustainable development.  Obviously encouraging the incorporation of ICT in social fields is essential to create an inclusive society, we must ‑‑ to include ‑‑ we must focus on vulnerable social groups, so this must be a priority when thinking about ICT policies.  At the regional level, the goals of ICT policies should be to influence education, developing better students, student and teacher competencies, for example when it comes to health services, obviously improving the efficiency of these services.

 

Last but not least, always take care of the environment and the use of ICTs for our protection of the environment, must also be one that we must not leave behind.  Last but not least, only, my favorite topic of all, capacity ‑‑ cybercapacity building.  And it's true that national efforts in cybersecurity must be reinforced by our competent authorities, all of us giving the perspective for Argentina, which I think is a really good example.  We have Kerry‑Anne on the panel that will probably tell us the efforts of OAS in promoting the development of the national cybersecurity traffic, the creation of ‑‑ this is a step in the right direction.

 

But we have to understand that, you know, we need ‑‑ if we are ever more dependent on, you know, this technologies, and these technologies do carry a certain type of risk.  So if the only way that we can actually, you know, fend off some of these risks is obviously with cybercapacity building, having, for example, basically having enough preparedness, enough resilience when these attacks happen, we know what to do, we have the corrective measures in place and this can only be done through cybercapacity.

 

>> OLGA CAVALLI: Thank you very much, Cesar.

 

>> ROBERTO ZAMBRANA: Thank you very much.  Go ahead, Olga.

 

>> OLGA CAVALLI: Maybe you want to comment something?  I just had a followup question, maybe for later.

 

>> ROBERTO ZAMBRANA: Don't worry, we will continue following up later in our second round.

 

Due to the time, please, go ahead.

 

>> OLGA CAVALLI: Thank you, Cesar, and I know that you're in the another meeting, I value very much that you take the time for being in this panel.

 

Now I would like to give the floor to my dear friend Kerry‑Anne Barret from the Organization of American states.  We all know, especially in the Americas the great work done by the Organization of American states through the cybersecurity program that has a major role in helping all countries of the Americas in defining national cybersecurity strategies, capacity building and perhaps having this European Union has in Latin America have and we have the Organization of American states, so they have this place for all of us to interact.

 

What is needs to be done at the national and regional level to build upon this strategy and enhance the cybersecurity of its national administration so national cybersecurity doesn't end being a paper that everyone likes, but nothing happens?  How can Member States again to prioritize the necessary governance structures?  We have heard some ideas from redefine in Germany and the European Union from Liina.  How can these structures be enhanced for sustainable national capacities and thank you very much for being with us and welcome.

 

>> KERRY-ANNE BARRET: Thank you so much, Olga.  I think all the comments have been ‑‑ I think it builds on each other.  I think I wanted to take three different perspective, and identify some of these ‑‑ from those situations.  The first one would follow up on Wolfgan's example of the multistakeholder group that could be established at the national level for the development of strategies.  So like I said, best practice within the OAS, we ensure our Member States have a ministerial group or at a minimum, multistakeholder that actually involves private sector and academia when consulting the developing the strategy.

 

One of the reasons we think that is necessary, because even within government itself, there are siloes and siloes are because one person may be working on a digital strategy, another one on public administration, another one on improving e services for transportation.  Those siloes ends up causing there to be a disconnect between digital projects at the national level, therefore you end up with multiple contractors, multiple service level agreements, multiple standards for security.  So one of the first things that interministerial group does, it allows all the ministries to actually hear from each other while what digital projects they're working on.

 

At as a further step in that process, they use their capacity to pull together all the stakeholders at the national level.  Even if they're not part of the interministerial group, all sectors have a round table discussion both during the rain storming side of developing a national strategy and then at implementation in terms of building.  What are some of the downsides to that?  I'll go to the opposite send of what Wolfgan said, he stuck with me.  That's just me paraphrasing Wolfgan.  One of the cool things is private sector is actually very interested in working with government during the working group sessions.  It always fascinates us that they always wonder why haven't they heard from the government after the strategy has been approved because there's a continued interest to support the government and implement the strategy.  This brings me to my second example, which is initiative we have been doing for the past few years, it's called the cybersecurity innovation consoles, we have executed this in Chile, Mexico, Colombia and we are hoping to add other countries to this like Costa Rica.

 

The whole idea of this is bringing together private sector, a academia and the government in the room and private sector, what are the challenges and solutions.  One of the amazing things through that process, the OAS recognized the need to have all these groups to have ‑‑ establishing the governance for administration.  Hearing the needs of the government can then continue to support them.

 

So one of the main things that came out of those CIC's for the past three years, this goes to Cesar's point in terms of capacity building, work force development has come out as a very key need nationally, and we as OAS with some of our partners, how can we then provide that framework for work force development, not just looking at the nice framework, which many of us know, how can we revitalize this.  As another example to this, we had our second virtual session this year and tried to just talk about work force development holistically.  We believe that conversations like that will support governments, national administration because they'll begin to see the gaps and needs they have and digital skills and start to develop frameworks to fill those gaps.

 

I think my last major example I'd want to share with everyone is the need for more research in our region.  It's something that always gets me that as a region, national administration or government to start thinking about cybersecurity holistically, research is needed, we need to bring academia into the room.  We need to mia Curtis summer we are taking their research and using it.  We have produced white papers, publications, but I want to use this word, but down to the point where you can actually absorb the information is also critical.  Ensuring we are pushing research that's good, but also it's absorbable by governments, recognizing that we have to have executive level points coming out of that.

 

An example of that we have done recently was with a civil society global partner digital, we published a good practice on national security strategy development, and we saw it easy complementary to the ITU guide because that guide speaks to strategy development takes it step by step.  We even shared our documents with that as part of the multistakeholder collaboration, saying this is our publication to complement yours.  What we try to do in that document in Americas, we have 17 national cybersecurity strategies.

 

We believe we have a to share.  We gave case studies, we asked each of our Member States, in Colombia worked with civil society to do their strategy, what were the best practices.  We spoke to civil society to get feedback, how was that experience working with the development to developing the strategy.  We recommended anyone hasn't read it, read because it gives practical examples.

 

So I think to summarize, Olga, national administration can only be improved through that multistakeholder model because at the end of the day cybersecurity affects us all differently.  The government's perspective in terms of creating the ecosystem, the private sector in terms of creating the technology and then the end user is the citizens in terms of us being the absorbers of technology, needs to have different levels of knowledge and different levels of information available to us.  I believe our national administration can only be improved through that.  Back over to you and Roberto, thank you.

 

>> OLGA CAVALLI: Thank you very much.  Kerry Ann.  I commend you for all the work your Organization of American states.  You said something very interesting, people that have not worked within government think that governments are monolithic, that's far from reality.  We have siloes, different views and different ministries and different agencies within government, but have different perspective, especially in relation to cybersecurity.

 

I also think the work the Organization of American states helps governments to be closer and interact and lose this to work with private sector because there is also this geopolitical dimension of technology, with the private sector, it's sometimes for government, it means something.

 

We have some time for a second round of questions, perhaps shorter.  I have ‑‑ I don't know Roberto, if you have some also ideas.  I have a question for Wolfgan, if he's still with us.  Sometimes you may have to go to another meeting.

 

You said that ‑‑ a good idea could have ‑‑ could be having a nonstate actors Advisory Committee.  Do we know ‑‑ I can't think of CGI that have very interesting multistakeholder model.  Do we know about other countries having this kind of nonstate actors advisory committee interacting with governments?

 

>> WOLFGAN KLEINWAECHTER: I think this is certainly different from country to country.  Regine has mentioned, the conference never would have taken place because they have to advance multistakeholder model at home.  What I would add as a reaction to the discussion here, I think there is no need to reinvent the wheel.  Each country is confronted with the same situation, and you can compare to climate change.  Climate change is a very global issue, all countries are confronted, but, you know, the protection of climate starts at home.

 

You have to look at what your country, what you can do, but you can learn from each other.  You know, you have ‑‑ the global experiences to your national situation, to your national priorities, but this goes hand in hand in the academic world, we have years ago introduced this terminology, globalization, the global issues, you know, need a local answer.

 

For cybersecurity, this is exactly the case, though, because the ‑‑ the weakest part of the global internet ecosystem is a risk for the security of everybody.

 

In so far to learn from each other, you know, exchange of best practice, a cheap investment and capacity building is important, that's why in the United Nations, the program of action is the real way forward, not to introduce new norms and treaties in this field.  Probably in cybercrime, it's a special case and ransomware a new challenge.

 

I would think, you know, think global but act local.  Thank you.

 

>> OLGA CAVALLI: Thank you very much.  Wolfgan.  Localization.  But at the same time, we are all connected.  It's really very challenging.

 

Regine, you have mentioned you have tech sector interacting with regions, is that a formal committee, how is the formality of this group with interaction of the further government or the regions.

 

>> REGINE GRIENBERGER: The format is national cybersecurity council, which consists of the Federal Government institutions that I mentioned, so ministers of interior, foreign affairs, defense, justice and so on, but also representatives of the regional level and private sector and civil society.

 

And they actually have an agenda that contains all the issues where we have joint, but that's not the same interests, we have the same issues on the agenda, but different views on that.

 

For example, the question of innovation and research, who is actually responsible to that, we have a state‑financed university system in Germany, but we have a lot of researchers are financed by the private sector.  This has to combine somehow to make sense.

 

Then the question of skilled work force, we need a lot more of IT experts, who is actually responsible for educating these experts, is it schools and public sector training institutions, or is it the private sector because we have a duel education system in Germany.

 

Critical infrastructure is the other thing, we have critical infrastructure providers that are private, we have those that are public, many of those are not even on the federal level, but on the regional level or district level, so, again, a challenge of how to bring them all to the point where they take this burden of the responsibility of providing minimum standards for the security of their service.  Certification is another use case of the cybersecurity council.  It helps the consumers.  Because they know that the product they buy is secure we have our cybersecurity agency testing the products and working also with private testing entities to kind of label products, but we have on the other hand the private sector interested in getting those labels in order to have a better, you know, argument in marketing their products.

 

>> OLGA CAVALLI: This national cybersecurity is a multistakeholder body interacting with the government, as far as I can understand.

 

>> REGINE GRIENBERGER: Yes, that's the case.

 

>> OLGA CAVALLI: You mentioned disinformation.  Is that something considered as an issue of cybersecurity in part of the activities you mentioned.  This is part of the cybersecurity issue or more on.

 

>> REGINE GRIENBERGER: No, it's not.  We don't regard it as a cybersecurity issue.  We have other fora to discuss this and rely more on the resilience of the society and regulation of companies than on state activities in this sector.

 

>> OLGA CAVALLI: Thank you very much, Regine.  Roberto, do you have some other questions in mind, I have some others, maybe you want to chime in.

 

>> ROBERTO ZAMBRANA: Maybe to the elaborate a little bit more about the approach the states have when they have to provide inputs, use the same kind of framework over the regions or they just manage their own approach and they provide inputs for the national level.

 

>> REGINE GRIENBERGER: For the private sector, the minimum requirements issued but the governments create or should create a level playing field for everybody.  That's why ‑‑ because we have an internal market in the European Union, we have also tasked the European Union with setting up some minimum requirements for cybersecurity, both in terms of products or internet of things products devices that can go online that's a work in progress at the moment, for example, critical infrastructures, we have these minimum requirements for quite a while, and are updating them at the moment in order to match them to the actual threat situation we face.

 

So the level playing field argument is very important.

 

>> ROBERTO ZAMBRANA: Thank you.  I have another question, following question, Olga for Cesar.  Maybe we can go with him for a while.  Cesar, if you are still with us, I wanted ‑‑ the regulator office for Dominican Republic has an important, a major role regarding universal access, and that's one of the things that you mentioned in your intervention before, which, of course, is very important to aim this digital transformation in your country.  How do you see the strategist that may be effective in the near future in order to overcome this kind of situation because as you said before, we do have several debates in our region, not only between the region and the rest of the world, particularly the global north, but inside the region.  For sure, it happens in our different countries, you do have this kind of divides inside the Dominican Republic, how do you face that as the regulator.

 

>> CESAR MOLINE: Well, that is really the million dollar question.  Had I known you were going to go there, Roberto, I would have really prepared a completely different participation.  But I will answer it to the best of my ability.

 

Number one, I think obviously this has come ‑‑ this has come, I guess, over Wolfgan mentioned it, Kerry‑Anne mentioned it, Regine has mentioned it.  When it comes to this multistakeholder system of approaching some of the challenges that I guess digital transformation and the internet as a whole brings for us.

 

For example, I can give you some very examples of projects we have done in the Dominican Republic of trying to basically close some of the device that you mention.

 

For example, we have done quite a lot of alliances with the private sector in order to get, you know, telecom services, broadband and internet services to those communities where we honestly know that no provider in their right mind will ever go there.

 

We have managed to make quite a lot of advancement in the past few years, especially during the pandemic and obviously now after the pandemic we have made quite a lot of advancement in having lots of liaisons with the private sector.

 

Additionally to that, there's obviously civil society.  One of the biggest ‑‑ I guess one of the main projects I'm really ‑‑ that I do have to highlight there has been certain approaches to the regulator, to NGOs that deal in this type of issue that are trying to get communities connected online in order to close some of those gaps and try to get connectivity to the people that need it the most.  Obviously this is, I guess, it is not only, you know, roses and perfume, there is a lot of negotiation that has to go on.  There's a lot of interest on the table from governments, from private sector, even from civil society, the communities this touches upon.  I guess my advice in this regard would be, yes, do try to get everyone on board, never forget that the ultimate goal for this, getting people online, not necessarily getting them online for the sake of getting them online, but getting them online to have, I guess, the internet be this enabler for their transformation and inclusion and obviously for the mic benefits they can reap out of this.

 

>> OLGA CAVALLI: Thank you, Cesar, one minute for Liina and one minute for Kerry‑Anne.  Liina, I see that the basis of your work is the European Union, I see that you are doing activities in Latin America, which is very good.  Which regions are you working with, apart from Latin America and European Union.

 

>> LIINA ARENG: One minute.  Latin America and that is the first European Union funded competence center, which is also a compliment implement for the region, lots of potential to Harmonize the security level, collaboration, I guess this is why ‑‑ specifically, of course EU has the priority regions, geographically filtered activity.  It is concise approach to ‑‑ but we ‑‑ this is also in Asia, but actually has a lot of different type of capacity projects, in addition to the internet ‑‑

 

Quite a lot of work all across the global ‑‑ segments where no other project is delivering.

 

Projects and activities that ‑‑ whatever they need to ‑‑ delivering something that we have.

 

>> OLGA CAVALLI: Thank you very much, Liina.  I think that Kerry‑Anne has no audio.

 

>> KERRY-ANNE BARRET: I got audio back.

 

>> OLGA CAVALLI: You're back.  Thank you, final comment for ‑‑ thank you.  One question about what you mentioned about research, how can you think that we could enhance the research idea within universities, how can ‑‑ the Organization of American states doing something in that regard, I think that's a very ‑‑ we have lack of research in Latin America about cybersecurity, I agree with you.

 

>> KERRY-ANNE BARRET: One of the things we are looking into for 2023 is to increase our research in certain topics, for example, the agenda on cybersecurity, we will be doing more specific research by region to ‑‑ reaching out to universities, we have learned of a network of researchers launched out of Brazil, so we are thinking of ways in which we can start to reach out to them and collaborate with them to do topical issues and use our platform to publish and bring more visible to those works.

 

One example, we learned recently of a researcher that did some work on work force development with ITU, we reached out to see if we could do a joint development with them on that research, we recognized there's a need to be able to use our platform to cause the work that researchers are doing, I think it's to bring them into the room more often as well when we have the consultation for the strategy.  That would be probably some next steps we could probably highlight.

 

>> OLGA CAVALLI: Fantastic, thank you very much, Kerry‑Anne, we are totally out of time.  I want ‑‑ I keep two or three big ideas, enhance multistakeholder activities, capacity building, and work together, private sector, governments and academia, and technical community.

 

Thank you all very much for being with us today, thank you, Roberto, Regine, Liina, Cesar, Kerry‑Anne, and Wolf began, Monica, thank you the audience for being with us, and with that, I thank you my best regards from Buenos Aires.  Thank you very much.  Have a great day and IGF if you're there.

 

Bye, everyone.