IGF 2021 – Day 2 – OF #44 Digital Cyber Risk Management at the Age of COVID-19

The following are the outputs of the captioning taken during an IGF virtual intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***

 

>> AMIT ASHKENAZI: Hello to the people. We're sorry that we're not there with you in person. If you have questions, we'll be happy for you to join. Can you hear us?

>> We all live in a digital world. We all need it to be open and safe. We all want to trust.

>> And to be trusted.

>> We all despise control.

>> And desire freedom.

>> We are all united.

>> LIMOR SHMERLING: Thank you for this. Very exciting. We're starting this session, IGF 2021 on the topic of Digital Cyber Risk Management at the age of COVID‑19. Hello to all of you around the world joining us, hopefully. My name is Limor Shmerling, Managing Director of the Israel Tech Institute. Also, for the knowledge of Amit Ashkenazi from the Israel National Cybersecurity Directorate. We have an excellent lineup of speakers with very practical experience to share with us.

I want to look back just for a short minute at my personal experience in tech policy which is anchored in the data protection and privacy space where we have had legal tools at a strong level including enforcement power and agencies to enforce them for many years starting with the OECD guidelines on data protection and EU directive and country laws. And since 2018, the GDPR has become a gold standard influencing many nations, continents, and proliferating into practice, into private sector through global collaborations and commerce.

We have years of experience with enforcement efforts and regulatory insights and still many challenges remain in this digital space of data protection and new challenges emerge constantly.

Moving into the cybersecurity space, or the digital security space, we do have the OECD 2015 guidelines. But we have I think less available legal tools and effective enforcement tools. Yet, the need is here. It is urgent. And it is critical. The rapid and extensive transition of organisations, employees, and people around the world around digital means due to the social distancing requirements in the past few years with the COVID pandemic, really required and created an unprecedented huge growth of digital crime, digital terror, digital risk.

Our goal in the next 60 minutes with the help of excellent panelists will be to share best practices and lessons learned for dealing with nation's digital spaces which started before the COVID pandemic and accelerated in a major way by it.

And how do we face the enhanced dangers from cyber risks? And how do we make sure that our macroeconomic and society stability is not compromised?

Cyber stability supports our economic wellbeing when it is borderless and we need this to happen fast. We need this to happen now. Spoiler alert, you're going to be hearing about international collaboration and the need to coordinate between countries. So this is a good thing since we have here national experts in this field. And our hope is that today we ‑‑ the dialogue will provide support to building a multistakeholder partnership that will facilitate cyber‑related knowledge sharing and best practice sharing.

So let's hear from our panel of experts how this can be done. And we will start with Dr. Bushra AlBelooshi, the Head of Research and Innovation of the Dubai Electronics Security Centre. Dr. AlBelooshi, thank you for joining us today. My first question to you is how does Dubai balance this very rapid digital transformation with cyber risks emerging and persisting? You're unmuted. Thank you.

>> BUSHRA ALBELOOSHI: Thank you IGF organizers for inviting me to this interesting panel. It's my great honor to be amongst such esteemed panelists today.

As we all know, cybersecurity is the goal for the flourishment. Dubai, we're hosting the biggest connected event in the world. Digital transformation is the main dynamic. We at the Dubai Security Centre, and the main cybersecurity, has never been less challenging than any other cybersecurity regulators around the world.

We're working very closely with our business departments just to make sure emerging technologies are always surrounded with the right cybersecurity controls around them. The minimum, critical controls should be there whenever we're having a new technology that is being released in the city.

And we always think about how to balance between the digital transformation and the innovation of the strategies toward digital transformation that we have in such a city and between the cybersecurity.

So we are not any more worried about the cybersecurity threats. But we are more concerned about cybersecurity events that might impact or might have direct impact on the safety and the right of the humans.

So having connected vehicles, driverless cars, are a bigger risk than the service we've been thinking about for the previous, let's say, ten years.

Recently, we approved a temporary license for self‑driving vehicles on the country's roads. With that, we'll be the first country in the Middle East and the second globally to test self‑driving cars on its streets. To make sure those vehicles are more secure and reliable by having such tests. Our aim is to have 25% of Dubai's transportation by 2030. It's a matter of how we can balance between the digital transformation and the cybersecurity. And with that, our country also issued ‑‑ allows the new technologies to be tested, to be implemented, without having a legal framework around them. As you all know, usually the legal framework and laws and regulations will take time and leadership always wants the technology to be fast and to be implemented quickly in the city. That's why we have a regular framework that says new technologies will be implemented while the legal aspects of the legal frameworks are being implemented at the same time. Having leadership support to balance between cybersecurity and innovation, we are managing to get all of those innovations and technologies in the city today.

>> LIMOR SHMERLING: Thank you. Trying to sum up the points you made, you said collaboration between different government agencies is key to being able to support both innovation and digital transformation along with cybersecurity. And leadership support is of the essence. And I wanted to ask you in the respect of autonomous vehicles and these new arrangements that you have to support that innovation, do you have some insight into cybersecurity arrangements in that framework?

>> BUSHRA ALBELOOSHI: We've been the first city in the world to (?) an autonomous vehicle. Between 2017 and 2018 where most of the other countries, let's say, were missing having a complete standard that talks about cybersecurity controls for autonomous vehicles. So we've been the first to issue a standard for autonomous vehicles just to make sure at least we have the minimum controls.

As I said, we're working on a (?) The standard, go to the providers, ask them to implement the control. The next step will be testing. Actual testing and certification against those standards. But it's a divisive approach that is the standard or is the minimum controls. Test them. Certify them. And add up to the current standard based on what we are facing on a day‑to‑day basis.

>> LIMOR SHMERLING: That's super interesting. I can share that Israel's government started thinking about autonomous vehicles and trying to think and legislate even and start the regulation to support that. Including cybersecurity and data protection principles in it. I'm sure that our colleagues would love to ‑‑ if you have an English version of that regulation, that would be already a resource that would be worth sharing. I'd be interested to read that. I'd be happy to get that from later on.

You mentioned agility and being agile. Can you maybe share with us a little bit more about how you do that in practice? How do you close the gap between the lag between technology and regulation and policy? What components do you use in Dubai, your work that makes agility possible?

>> BUSHRA ALBELOOSHI: The legal frameworks, laws, policies, in other countries might take five to ten years. Our knowledge and interaction with other countries. But in our case, it's more (?) The development and issuance of the standards usually shouldn't take then one year. Even the strategy development, His Highness recently announced he doesn't want policies that will stay for five years. He wants to focus on agile strategies where we're focusing on outcomes and outputs rather than objectives, goals, and other things.

In cybersecurity while implementing also the same methodology. Whenever there is an announcement, new technology, we're working hand in hand with the government's regulators just to make sure at least the minimum controls are there once the technology is being launched. We usually give them one year to implement the standards controls and after one year, we make sure they're aligned with the standard and they understood the standard the way that we wanted.

And after, let's say, two to three years, we're moving from other perspective to a certification perspective where we bring an international certification budget to implement our standard and just to test the standard against those controls to make sure that what we are doing is matching with the standard with an international, let's say, recognition that says, yes, this autonomous vehicle or this connected vehicle now has been tested. And the controls that we have and the standards are met. And this car is now ready to be tested on the road, on the street.

>> LIMOR SHMERLING: Sounds very effective and very speedy. And bearing that in mind, and remembering what you're doing on the national level, how do you think we might promote the harmonization between national policies since our economy's global and innovation technology are being deployed globally. How do you recommend we harmonize these policies between nations?

>> BUSHRA ALBELOOSHI: Recently we worked closely with a couple of government regulators and private sectors looking for the current certification issues and whether we can harmonize the current certification process across the globe through multilateral or bilateral agreements. The paper is titled International Cybersecurity Certification Framework: Pathways to Collaboration and Situational Awareness if anyone is interested to look through that paper.

Through that paper, we recommended the government regulator to have a sense of collective responsibility that should lead to collective action against industry and standard setters. We strongly believe that an international (?) The cross‑border cybersecurity certification should be the next step. I've been in discussion with a couple of cloud service providers like Microsoft and those big names about how many certifications they should abide to with different countries. Including us in Dubai as well. They have many and they are struggling. And I think the issue is getting worse in today's situation. We're having so many laws and regulations. So as a service provider, cloud service provider, you need to abide to different laws and regulations and certifications that are specific to each country. I know that harmonization is not easy. But at least we can agree on the minimum controls. Right? The minimum controls over time the cloud service provider is operating in different countries.

If we have the base that we can agree on as nations, and countries, then it's a matter of adding, let's say, an additional, let's say, controls that can be implemented at country‑specific level. As long as we have harmonization. The governments and the private sector and the whole nation at the end of the day.

>> LIMOR SHMERLING: Yeah. That sounds very reasonable. And this brings to mind ‑‑ thank you, Dr. AlBelooshi. I want to move over to Stepanik Pavel. In a previous conversation, you mentioned cloud computing. Just to connect this thread and maybe I can invite you to share with us how the Czech Republic is coping with the advanced move to cloud computing. How can this be harmonized internationally?

>> STEPANIK PAVEL: Thank you very much. Thank you very much for having me. And good afternoon to everyone. Cloud computing adaption was expanding rapidly even before the pandemic. The pandemic caused the adaption even in a great rate.

Use of cloud services is growing rapidly in both the private and public sector. Cloud services can contribute to a more economic, safer operation of information systems. The user can get management surveillance and other stuff.

However, cloud services bring along newer risks in the cloud. The place of data processing. And the individual customers often do not know where exactly it is. So the customers don't know the aspects of the legal system of the country. Where the data is stored. They don't know the legal system. They don't know who can access the data also. There's a significant dependency on the customer on the provider of cloud computing services.

So these are the main reasons why we think that it is necessary to regulate the use of cloud computing by public administration.

There are three main principles of our cloud computing regulation. It is trust. We need to check the provider and the service. That they fulfill their requirements. There's transparency. We need to have the information about data processing. Where is the data stored? How long. And so on. And responsibility.

It's important to emphasize that the public administration body is still responsible for information security even if it is using whole services.

On the base of impact criteria that are defined in the decree, the public administration body has to identify one of four security levels of its information system. The security level undermines the extent of the security requirements.

To be specific, for example, the data of an information system of the level high start only in the EU and data of the critical level which are important for the national security only in the Czech Republic.

It is also a legal condition for public procurement for cloud computing services at the security level or cloud computing service must be the same or higher than the security level of the public administration information system.

So that was really a brief and simplified information about the Czech regulation. And now to the harmonization. Some of you probably know that in the EU, we have quite a new regulation. It's Cybersecurity Act. This regulation amongst other stipulates rules for cybersecurity certification of ICT products, services, and processes. It should be certify (?) compliance with certification schemes. First should be the European certification for cloud services. That would be the tool of European harmonization of the mark of cybersecurity quality of cloud computing. It is now in progress.

>> LIMOR SHMERLING: Thank you. I apologize for forgetting to acknowledge you properly. So Pavel, our expert, is the Head of Legislation for the Czech National Security Agency. Thank you for those comments. Perhaps, what would be a practical route toward harmonizing maybe this European scheme with other more, or any types of potential discussions that will be promoting that end?

>> STEPANIK PAVEL: As Dr. AlBelooshi said, we need to stipulate some minimum standard. This minimum standard should be on the international level. I think it's one of the possibilities to stand in the EU to have this standard which would give the minimum level of the cybersecurity of cloud computing.

>> LIMOR SHMERLING: Thank you. And can I invite you to share with us a little more of the Czech experience during the pandemic with the hyper-digitalization process. That influence. I know you were working on a strategy during COVID. During 2020. And announced it. So can you share some insight into that process?

>> STEPANIK PAVEL: There are many, many things happening in the last two years in the COVID years. And the initial cybersecurity strategy, the Czech cybersecurity tasks and the affiliation for the agency in Czech. It provides cybersecurity strategy and related action plan to government for its approval. This strategy must be reviewed every five years or in a shorter period, if needed.

The National Cyber Security Strategy is the baseline that says the main direction, strategy goals and approaches for the nationwide effort to achieve this level of cybersecurity. The strategy was approved at the end of the COVID year 2020. Its action plan half a year later then. And in the year 2020, one of our National Cyber Security Strategies, we had to provide a new one regardless of COVID. It faced rapid digitalization before COVID. COVID makes it even faster.

The maker within a few months managed to (?) that cybersecurity is an important programme that we need to handle. At times, people had to rely on digital means to show up to keep in touch with their loved ones to do their jobs. To ensure the education for their children. And the citizens of the Czech Republic came to realize how much we gain from technology. And what it means when it doesn't work.

I could mention cyber attacks in some of our important hospitals. By the way, some could only be as a result of functioning domestic and international collaboration and information sharing.

In the year 2020, also issued a warning. It's one of specific measures that is possible to issue according to on cybersecurity. It was a warning about the higher intensity of the threat of cyber attacks, particularly in the health care sector. And we'll learn about the specific threat thanks to cooperation with other institutions in the Czech Republic and abroad.

Our National Cybersecurity Strategy sets a number of goals. Among the main three pillars, confidence in cyberspace, strong and reliable alliances, and a resilient society. The first pillar, confidence in cyberspace, covers secure infrastructure, capabilities and so on. It covers the confident reactions. That includes things like developing the national attribution system. The deterrence concept is part of the cybersecurity system. In this respect, attribution is significant. Undermining the source and identity of an attacker is a basic prerequisite for any effective reaction.

Cybersecurity is not only about securing the technology. It's also about in all technical aspects, it's important to hold the perpetrator accountable.

I already mentioned the second pillar. The strong and reliable alliances focused on international cooperation.

And the third pillar is called the resilient society 4.0. That means that we have the state where cyber threats are minimized and benefits of technology.

Mostly about the digitization of public administration, but also about the digitalization ‑‑ let's say digital awareness and education of the wide public. They are the main problems we're facing right now. It's expert basis, and overall education as well.

And we do have a number of initiatives supporting education for young children, students, educators, public servants, other laypeople, and, of course, health care sector personnel. That's to our activities connected to the National Cybersecurity Strategy or the Czech Republic. Thank you.

>> LIMOR SHMERLING: Thank you. That's super interesting. You've had a busy year. That's for sure. And I have to say that I'm going to take some liberties as moderator and comment the national attribution system tickles my interest. If we have time, I'll try to maybe revisit that topic and thank you for now. And move on to our next expert who is Robert Kosla, the Director at the Cyber Security Department of Poland. Robert, I saw that you were writing during these past few minutes quite a few comments. So feel free to just share with us everything that you've collected listening to Bushra and Pavel. That would be great. Let's start with that. Then maybe I'll pose some questions afterwards.

>> ROBERT KOSLA: Thank you very much, Limor. Yes, I took some notes, of course, as Bushra and Pavel inspired me of how we approach the challenges. First of all, develop national level capabilities in cybersecurity. As Bushra addressed, the question of collaboration. The question of setting the baselines at the national level. And, of course, to promote them for multinational cooperation. This is something that we're investing. We invested heavily in the recent initiative. Where there had been 32 countries involved to discuss how to mitigate, how to disrupt ransomware attacks in a critical infrastructure centre. The most devastating attacks as has been addressed by Pavel against hospitals. Especially during pandemia.

Of course, as Czech Republic Poland, we also introduced national cybersecurity strategy in 2019. What's more, in the national cybersecurity strategy, there are two goals. Two strategy goals. The first is about cyber resiliency against attacks to increase cyber resiliency. The second is to increase information protection at the national level.

So, of course, following the strategy, it is quite short document, it is 32 pages. We developed an action plan. The action plan, the major problem, major challenge for action plan was financing. The last column in the ‑‑ so we identified stakeholders. We identify all the actions. Covering cyber hygiene. Covering cyber skills development. Covering qualifications as well. So not only IT‑related qualifications. We formally endorse three types of IT qualifications for the new jobs descriptions. And we also endorsed officially formally three OT qualifications. So this is something that we will be even open to share also with other countries. As we think that could be a good foundation for them ‑‑ to recognize the qualification model worldwide.

Talking about resiliency. Of course, I admire what Czech Republic has done with cloud computing. This is also our ‑‑ that's where we are heavily invested. I may say it's saved us a lot of efforts. It gave us an opportunity to run our Public Administration Services. Because most of them have been implemented in support by the public cloud services.

So we've been able to develop the national level ‑‑ the national cybersecurity standards on cloud computing use. This is documented. Defined four levels of information. Four levels and requirements for four levels of information. Starting with the open data and ending with classified information.

So we introduced this. We work with vendors. With global vendors. On the validation programme. All the services. Right now, we have a marketplace for the Public Administration that also may be used by small and medium enterprises. So they can contract directly to cloud services. We have over 500 services. Infrastructure as a service, platform as a service, ending with software as a service.

This effort on increased resiliency based on cloud computing and very strong partnership with public cloud service providers. And I can tell you that because we're talking about COVID time, and what was the impact of COVID. When we had the discussion with our national security authorities before COVID started, it was quite difficult to discuss the use and how can question use public cloud services.

Of course, there was very conservative approach by national security authorities only looking to the government cloud environment rather than public cloud environment. But, of course, when we introduce our national cybersecurity requirements for cloud computing, we covered both scenarios. Of course, depending on the classification of data.

So as COVID has started, we've been ready, actually, to use ‑‑ to start to use public cloud services in so critical systems like, for instance, the vaccination registration. Like the vaccine distribution system. So all those services actually ran based on the public cloud service.

Of course, I agree with Pavel about transparency and responsibility. That was covered in validation programme. That's what we ran with global players. What's more, Poland is actually looking for big investments right now from Google and Microsoft. Announcing to build the region's first in Poland by Google. Also the full infrastructure, full region by Microsoft. We'll support, of course, the data in Poland, itself.

Areas related to resiliency. And the last point I wanted to address, I think this is one of the best practices. At the national level, we implemented digital wallet. So digital wallet is used by us and all the citizens to store data in one place in an electronic format. This is a personal ID. This is driver's license. This is also related to COVID certificates. So everything is in one application. So it actually helped a lot of citizens. And we've seen the growing number of users.

What's more, of course, having the federated ID supporting this digital wallet. By the way, Poland is the only country in the European Union having this digital wallet implemented on this scale. So we share this best practice with European Commission and also offer to contribute heavily to the process that is ongoing on the revision of the forum ‑‑ consolidated the management of electronic identity.

Those are the major activities. But we implemented in Poland, as I said. I think focus on resilience. Focus on the very good partnership with industry. So that since October 2019, we ran Cybersecurity Cooperation Programme. This is not declarative in partnership. But really partnership with industry. So it's focused on five areas. First, it's about to improve the public administration competencies in cybersecurity. So industry, the education programmes. And we started education for local and regional governments. And up to date, we trained more than 6,000 people for last 12 months.

Then we use also this partnership, Cybersecurity Cooperation Programme, for sharing information of cyber threats. Cyber threat intelligence is openly shared by industry. Of course, to increase our situational awareness and be better prepared for cyber attacks.

The third, security recommendations, security baselines. We currently published a set of baselines developed together with vendors like Microsoft, Dell, IBM, VMware. They've been used also during the pandemia. We recommended how to harden the remote work and the environments to be better protected against attacks.

And the fourth is about preparation to certification and evaluation. So this is something that was addressed by Samsung. Very strong interest in the evaluation certification of the mobile platforms. Mobile devices.

And the final, the fifth one, it's about dissemination of information. We work together with vendors, with companies, and we promote them, the development of the new solutions, software, hardware, and the services. It's actually cyber resiliency, partnership, and also identity and digital services. Thank you very much.

>> LIMOR SHMERLING: Thank you. Thank you so much. I have so many questions. There was so much content in here. I'm going to just touch upon I think several points and maybe ask you some questions.

One thing I heard, and I'm making sure that I understood correctly, that before COVID, there was hesitance to move into the cloud. At least for more high‑risk type of services. COVID really gave a push into the cloud. Both public and not only private, and really triggered this transition.

But still at the same time, heard that you do ‑‑ you're glad that you will have regions from international cloud providers, in Poland. You can use them if places where you feel that the risk calls for the services and the data to remain in Poland. Which is something that I think has also been shared experience in Israel and probably echoed also in other places around the world. So thank you for that. And it's good to hear that basically, we're facing similar challenges and problems and we're arriving at sometimes similar solutions.

Something that was very interesting that you mentioned in passing, which I want you to maybe elaborate on. And that is disrupting ransomware. In Europe and Israel and probably additional places around the world, maybe Bushra can share with us also afterwards. I saw you were nodding. Ransomware attacks especially on health organisations and hospitals. How do you disrupt them as a government? What did you do?

>> ROBERT KOSLA: This is quite interesting. We use any means. So it means, of course, that the legal measures, so first of all, we collaborate with law enforcement. And we discourage victims to pay any ransom. What's more, we provide support, operational support, and support on‑site to recovery. To recover from the attacks.

In most of the attacks that we observed also including hospitals, when there was a direct support from our ransomware expert team deployed on‑site, we've been able to recover all the data within a few days. So even the most devastating attack like one of the regional hospitals targeting or where 1500 devices have been encrypted including, of course, the computer tomography. All the medical devices were also not reachable. The ransomware expert team, rapid response team, this is the team of experts that works and gather huge experience working not only in Poland but also internationally. We supported some countries with advisories. We supported directly Ireland when they faced attacks against the national health care system. We shared with them information about the decryption tools. How to set them.

Ransomware attacks, recover the activity, the data, rather than to capture the artifacts.

So in many cases law enforcement forces are saying we need artifacts and start to develop decryptors.

Start to recover the data. This data is not fully 100% encrypted. So in many cases, the encrypted are only the index files of the database. If you know the structure, if you even have the partial data available, you are able to risk all the environment.

Plus, as we do not recommend and discourage to pay any ransom. We work with industrial partners like with Microsoft, Cisco, VM, companies to use their services, in many cases cloud services or some devices that can be deployed for those big things. To help them to recover from the attack.

So this partnership based on Cybersecurity Cooperation Programme was very, very good. That's what I said. Not the clarity ‑‑ partnership, but the way how we work.

What's more, we also used legal measures to stop information leakage. So when we see some data ‑‑ you know the model of ransomware is not only focused on the ransom to give you the access ‑‑ to return you access to your data. Also not to leak the data that was stolen from the system. So in this case, we worked with the legal counsels actually to develop the model to stop data leakage in using the court orders. So it's a quite effective model. It was developed by us together with some also British legal teams. This is something that we promote. We shared this with other countries.

This is ‑‑ the model, of course, first follow the money. For law enforcement. Then follow the information. So when we see that information is leaked in the dark space, we can actually follow and see the sources. And we can also track the sources where ‑‑ and the media that are publishing this leaked data. So we capture this and we follow this type of information. And we've been quite effective in stopping this. So that's why we showed this best practice during our counter ransomware initiative meeting.

>> LIMOR SHMERLING: Sounds fascinating and very practical. Thank you for sharing this. I see we have questions already starting in the chat. First, we'll finish our round of experts with Amit Ashkenazi, head of Israel National Cybersecurity Directorate. We have a couple questions prepared. Let's start maybe with your comments on the same question. How do you disrupt ransomware? How do you help hospitals get back on their feet and during COVID? During a pandemic, which is the worst place to be hit during a pandemic.

>> AMIT ASHKENAZI: Thank you, Limor, and thanks, panelists, for the illuminating, important comments. One of the things, on the one hand I'm optimistic, on the one hand, I'm pessimistic. A lot of the solutions are simple. Therefore, some of the events that we've seen, simple cybersecurity hygiene can solve some of the answers. This goes both to, if you like, very heavy‑duty‑type events like the Colonial Pipeline attack in the U.S. which at the end of the day, as we understand it on public reports, is because of using single‑factor authentication that enabled the attack. The fact whether the IT system was separated from the system that ran the pipes.

A lot of the measures are based on being prepared. The other thing, again, this goes to preparedness. Everyone talks about backups. We should make sure that our backups are not connected to the same system that may be infected.

So, again, I'm optimistic, if you take your pills and do your exercise, you'll be okay. But, again, things happen.

And here I think the things that we've heard from our Polish colleagues, quite innovative and things that we should consider about what the country can do in these areas. And how we can, indeed, make things come back to function as fast as possible.

I think in this context, cloud technology is, indeed, is one of the enablers that we can see. It is useful because it is native in its forensic abilities. And its IT abilities. So we're not as reliant on the IT administrator in the organisation. We can rely on some of the things supplied by the infrastructure, itself. It also enables better recovery.

I think, though, the high‑end attacks, we need the country to do even more. And use some of its capabilities, law enforcement cooperation, industry cooperation, to see whether we can actually be more proactive in helping the organisations in dealing with the situation. And Robert talked about this very explicitly. Helping the organisation. Use the backups and come back to usual function.

>> LIMOR SHMERLING: Thank you. Thanks, Amit. And now maybe going a bit higher level and I want to ask you what can you recommend as an effective approach to other countries, and from your experience of many years in this space. And, specifically, in light of Israel's recent years' pivot to its approach in how you do cyber protection or cyber defense.

>> AMIT ASHKENAZI: So I guess the comments are basically quite simple. I think that one of the things that we should overcome, and this, the IGF is such a wonderful forum to talk about this message. Is the need to bring together different communities and stakeholders. We need to bring the technological people talking with the legal people, talking with the policy people. Working together so that we share the responsibility to make systems more secure.

And this would seem a very basic message. But I think it's necessary both in dealing with, if you like, the older types of risks and the new development technology type of risks that we've heard from Dr. AlBelooshi. We need all the stakeholders to be aware of their own in this area. And especially we need the non‑technologists not to be afraid to talk with the technologists and deal with their role in accountability and governance of technology.

Now, these are things that every country and every policymaker I think can apply in his or her respective field. And I think that this is the basic infrastructure upon which we can build more and more flows, if you like, for the more developed use cases. For cloud. For autonomous vehicles. For 5G. For quantum, et cetera.

I think once we have this in place, the understanding of a continuous dialogue between different types of professions, and that this is a shared responsibility type of approach, then I think we have a strong groundwork to do this.

And in Israel, we have the advantage of being smaller than other countries. This has allowed us to foster these communities a lot faster between the different stakeholders.

And as I think also was mentioned, there is an important role for industry in this area. This relationship with industry has a lot of fascinating elements. And it is super important. Because most of what we use is created by the industry. But what we're seeing in recent years in Israel and other places is the role of the state in these relationships. So we're not only accepting technology and products as such. But we also are asking for more accountability and responsibility.

Specifically, in Israel, we have done a lot of ‑‑ we have invested a lot of efforts in supply chain management and the supply chain, which is an important area. And the other thing that we are looking at is our role in helping organisations close the vulnerabilities by locating such vulnerabilities through open tools and encouraging vulnerability disclosure programmes in collaboration with law enforcement.

>> LIMOR SHMERLING: Thank you, Amit. We have 12 minutes remaining. So, firstly, I would like to invite Bushra and Pavel if you wish to comment and react to your colleagues' interventions. You're welcome to open your mics and Robert as well. And let's start with a round of brief comments.

>> BUSHRA ALBELOOSHI: I'm glad to see the common ground we're all sharing over here. I agree with Robert that COVID pushed lots of things that we never thought would be pushed. Specifically, from the security authorities.

So we are lucky enough maybe in Dubai that we had our certification with the cloud service providers. That we were clear what should go to the cloud, what shouldn't go to the cloud, before the pandemic. So once it hit us, we were having at least two or three certifications that were issued to couple of public cloud service providers. It was not an issue. But due to the huge demand that came all of a sudden to the cloud service providers, we accepted some exceptions for even non‑certified ones just to make sure that the services would still be up and running. We had the basis, but it was pushed a lot with the pandemic.

And I agree with both Amit and Pavel about the health care part. How the health care would, let's say, target of attacks. We never expected that. We expected the health care centers would one day be target for attack. We were always thinking about the energy sector, we were always thinking about the other critical national infrastructures. But health care maybe was not in the eye for cybersecurity because it was maybe the least interesting aspect for the attackers at that point before pandemic. Health care and research centers as well, both of them.

When it comes to Pavel's points about cloud computing, I agree in order to start harmonization, framework should be based on international standards. The standard we have in Dubai is based on additional requirements about data geoboundaries. So all standards we have and all the controls are coming from the international standards except for the geoboundary things. And this is also specific to specific services that are critical national infrastructure services where we are asking the cloud provider to maintain the geoboundaries.

>> LIMOR SHMERLING: Thank you. Pavel, I'm still thinking about the attribution. So feel free to comment. But please say something about your scheme for attribution.

>> STEPANIK PAVEL: First, I would like to thank all my colleagues, panelists, for the information they shared with us. It was super interesting.

To the attribution, I couldn't be very, very concrete because much of the information is, of course, classified. But as I could say that in the national cybersecurity strategy, there is the task to build the attribution framework, national attribution framework. We have to do it since the beginning of the 2021. And we are working on it very, let's say, progressively. It's something that we built together with very many other bodies. It's not only technical issue. It's even issue of ‑‑ it's an issue that we need the interagency services and so on. So very many parts of the state are helping with the attribution. And I think the attribution framework is very important I think for the deterrence of cyber attackers.

>> LIMOR SHMERLING: Yep. Absolutely. So I think that we can definitely sum up initially that there's lots to be done and that a lot has been done.

And we've touched on how important it is to work together both on the national level, on the international level. How important it is to harmonize standards, harmonize expectations or certification schemes. Again, both on the national level and on the international level. And to be clear and transparent with stakeholders what is expected of them. And this is ‑‑ this came from all of you. And I think it was loud and clear. It's very much important to create the collaborations with both industry and government stakeholders. Because as Amit said, or I think Amit or Robert. The stuff we use is made by industry. So the infrastructure is very much in their knowledge. And it's clear that the effort needs to be collaborative.

I wanted to maybe allow each and every one of you for the last five minutes of the panel before we say good‑bye to maybe share what is your dream goal for your careers in cybersecurity for the coming year. This is almost, like, an end‑of‑year resolution or beginning of '22 dreams. What would you love to see happen in cybersecurity policy? Amit?

>> AMIT ASHKENAZI: So, again, this is the magic genie coming out of the bottle. Always, I would ask for two things basically. In Israel, domestically, we have one thing we still haven't finished. And this is cybersecurity legislation to finish the deployment of our policy. We're doing a lot of stuff. But we have a law and want to legislated.

On the international forum, I'd like to see these types of discussions more formalized to create alliances of defenders. So we have seen these discussions really useful from the technical community. The first organisation. But we need to see the creation of better ties between the national, the government, of the world. There is the European model, but I think this should be extended outside Europe. I hope for this defender community that we have better policy and legal tools to coordinate events across borders.

>> LIMOR SHMERLING: Sounds good. Robert, what is Poland's dream? Sorry, I can't hear you.

>> ROBERT KOSLA: Poland's dream, my dream, actually ‑‑ my dream, I will start with my dream first. My dream for next year is to be more active and develop cybersecurity reference architectures. That's what we initiated to work with the industry. Based on the recent attacks and also combining components that are necessary to increase resiliency of the public sector and also small and medium enterprises.

Architecture first of all for local and regional governments. Also at the same time, cybersecurity architecture for health care system. That's what we're working right now, initiating right now, with a very strong interest from the industry. So we will continue.

And the national level dream is to amend the law on national cybersecurity system. The amendment will include the more power in operational structures. So establishment of sectoral ‑‑ this is the best practice we borrowed from our colleagues from Israel. We also, based on this legislation, we will introduce the regional SOCs, Security Operation standards. This is the concept we shared with European Commission. Last week, I had a chance to present it in front of the European Cybersecurity Competence Centre. This is a concept, from resilience, recovery fund, to European fund. That's where we allocate the major interests.

Of course, in parallel, with ISOC, information sharing, all these centers. We have one already covering ‑‑ and we're thinking of others to be established. That's the dream of the amendment. And implementation of the project that's been already drafted.

>> LIMOR SHMERLING: Thank you. Good luck. Bushra, you want to share yours?

>> BUSHRA ALBELOOSHI: I share the same thoughts at the end of the day. On the international level, I hope we'll have more better public/private partnerships. We developed partnerships with the governments and international, and we're working toward improving our relationship with the private sector. So we already started that this year by having a collaboration with the private sector. It's an actual joint venture with the private sector for digital skills. And we are looking for other partnerships for certification, qualification, and other areas.

When it comes to the international side, so as I said, we have the World Economic Forum paper or report that has been published. I hope that we will take an action toward harmonizing or at least having bilateral agreements when it comes to certification. I hope that's one time, having those efforts duplicated across different countries, we'll have one or a bilateral agreement where we recognize each other's frameworks and certifications.

>> LIMOR SHMERLING: Right. Finally, last but not least, Pavel.

>> STEPANIK PAVEL: Thank you so much. At the beginning, I want to just shortly, shortly, react on one question in the question place. The question is how are you prepared to address challenges posed by disruptive technologies? I just want to invite everybody to look at our website where you can find resource on the product of our conference. We organize a conference. And there are many other materials. For example, national cybersecurity strategy of the Czech Republic. It's all in English. You can find some answers there. My answer to your question is to implement the Czech national cybersecurity strategy in the next year. Thank you so much.

>> LIMOR SHMERLING: Thank you so much. This has been a pleasure and super interesting and very practical. I really appreciate all of your contributions and cooperation. And thank you, Amit, for organizing this panel and inviting me to moderate. Thank you, Pavel, Bushra, and Robert. Hope to see you soon again. Have a wonderful continuation of this conference. Bye‑bye.

>> STEPANIK PAVEL: Thank you very much. Bye‑bye.