BPF Cybersecurity (2017)

About

The 2017 Best Practice Forum on Cybersecurity (BPF Cybersecurity) examined how a well-developed cybersecurity helps to create an enabling environment for ICTs and Internet technologies to contribute to development and to achieving the UN SDGs.

Cybersecurity assessment of the CENB(s) recommendations

The BPF performed a cybersecurity assessment of the CENB output documents and identified ten potential risks and security challenges emerging from the CENB policy recommendations.

1. Securing the reliability of and access to Internet services;
2. Securing the mobile Internet;
3. Protecting against potential abuse by authorities;
4. Confidentiality and availability of sensitive information;
5. Fighting online abuse and gender-based violence;
6. Securing shared critical services and infrastructure supporting access;
7. Vulnerabilities in Industrial Control Systems (ICS) technologies;
8. Preventing collected information from being repurposed;
9. Deploy secure development processes;

Via a public call for input the BPF invited the community to come up with ways to face these challenges and mitigate the risks. This exercise resulted in a consolidated list of policy suggestions intended to inspire decision makers and other stakeholders around the world.

Areas to develop further stakeholder conversation

The BPF’s consultation on where a multistakeholder approach could help addressing security challenges resulted in a non-exhaustive list of 17 areas that would benefit from further stakeholder conversation.

Some issues are already being discussed, and duplication by creating new forums should be avoided. Hence, there are opportunities to establish dialogue and cooperation between existing initiatives, and interested stakeholders could consider joining existing forums.

Output document

IGF 2017 BPF Cybersecurity Final Output 

Background

Part of the IGF’s thematic intersessional work program, BPFs offer the IGF community a space for stakeholder conversation on Internet governance related policy issues, and substantive ways to exchange best practices and produce concrete outcomes.

The BPF Cybersecurity was conceived in 2016 as a multi-year project building on the work of the 2014-2015 BPFs on SPAM mitigation and on CERTs. The proposal for the 2017 BPF Cybersecurity, approved during the MAG’s virtual meeting on 11 April 2017, built on approaches used by the 2016 BPF Cybersecurity and emphasized local and regional-level best practice exchange.

The 2017 BPF Cybersecurity worked in an open, bottom-up and collaborative way, leading into the BPF Cybersecurity workshop at the 12^th IGF Meeting, and followed by the publication the BPF output document. Throughout the year the BPF convened in virtual meetings, held online discussions and invited community input via a public call for contributions. The BPF’s virtual meetings and mailing list were open to all stakeholders interested in or with expertise on cybersecurity.

Mailing List Sign-up

https://www.intgovforum.org/mailman/listinfo/bp_cybersec_2016_intgovforum.org

Documents

Proposal to MAG for 2017 Work

CENB Phase I - Security-focused Policy Analysis

CENB Phase II - Security-focused Policy Analysis

Meeting Summaries

Informal Virtual Meeting I - 17 January 2017

Informal Virtual Meeting II - 24 March 2017

Virtual Meeting I - 20 May 2017

Virtual Meeting II - 21 June 2017

Virtual Meeting III - 7 August 2017

Virtual Meeting IV - 18 September 2017

Virtual Meeting V - 11 October 2017

***Call for Contributions***

[SEE CONTRIBUTIONS LIST]

All stakeholders are invited to submit written contributions addressing the below questions and issues to the 2017 IGF BPF on Cybersecurity mailing list (subscribe: https://www.intgovforum.org/mailman/listinfo/bp_cybersec_2016_intgovforum.org). While it is envisioned that initial drafting of the output document will begin on 15 September, this should be considered a soft deadline as contributions will be welcome on a rolling basis, particularly from IGF National and Regional Initiatives (NRIs) and from other relevant entities or organisations who may be holding meetings relating to cybersecurity prior to the IGF annual meeting in December. Contributions received past 30 September may not be guaranteed for inclusion in the BPF's output document. 

Contributions will then be compiled and synthesized by the Secretariat, and further circulated to the community for comment and further work towards an output document for the BPF to be presented at the 12th IGF in Geneva, Switzerland from 18-21 December.

All individuals and organizations are asked to kindly try to keep their contributions to no more than 2-3 pages, and are encouraged to include URLs/Links to relevant information/examples/best practices as applicable. When including specific examples or detailed proposals, those may be included as an Appendix to the document. Please attach contributions as Word Documents (or other applicable non-PDF text).

Overview:

During 2015 and 2016, the Policy Options for Connecting and Enabling the Next Billion(s) (CENB) activity within the Internet Governance Forum identified two major elements:

• Which policy options are effective at creating an enabling environment, including deploying infrastructure, increasing usability, enabling users and ensuring affordability;
• How Connecting and Enabling the Next Billion(s) contributes to reaching the new Sustainable Development Goals (SDGs).

The Best Practice Forum on Cybersecurity realizes that making Internet access more universal, and thus it supporting the SDGs, has significant cybersecurity implications. Well-developed cybersecurity helps contribute to meeting the SDGs. Poor cybersecurity can reduce the effectiveness of these technologies, and thus limit our opportunities to helping achieve the SDGs.

BPF participants have conducted an initial study of how the policy proposals compiled as part of CENB Phase I and II may affect, or be affected by, cybersecurity implications.

As part of this ongoing effort, the IGF is now calling for public input to collect additional risks and cybersecurity policy recommendations that can help mitigate security impacts, and help ensure ICTs and the Internet continue to help contribute to achieving the SDGs.

Relevant reading:

-Summary Records of the BPF

https://www.intgovforum.org/multilingual/content/bpf-cybersecurity-1

-UN Sustainable Development Goals

http://www.un.org/sustainabledevelopment/sustainable-development-goals/-

-Policy Options for Connecting & Enabling the Next Billion(s) - Phase II
https://www.intgovforum.org/multilingual/index.php?q=filedepot_download/3416/549

-Security focused reading of CENB Phase I -

https://www.intgovforum.org/multilingual/index.php?q=filedepot_download/4904/687

-Security focused analysis of CENB Phase II -

https://www.intgovforum.org/multilingual/index.php?q=filedepot_download/4904/688

Questions [*Please see HERE for NRIs-specific questionnaire]:

• How does good cybersecurity contribute to the growth of and trust in ICTs and Internet Technologies, and their ability to support the Sustainable Development Goals (SDGs)?
• How does poor cybersecurity hinder the growth of and trust in ICTs and Internet Technologies, and their ability to support the Sustainable Development Goals (SDGs)?
• Assessment of the CENB Phase II policy recommendations identified a few clear threats. Do you see particular policy options to help address, with particular attention to the multi-stakeholder environment, the following cybersecurity challenges:
  
  • Denial of Service attacks and other cybersecurity issues that impact the reliability and access to Internet services
  • Security of mobile devices, which are the vehicle of Internet growth in many countries, and fulfill critical goals such as payments
  • Potential abuse by authorities, including surveillance of Internet usage, or the use of user-provided data for different purposes than intended
  • Confidentiality and availability of sensitive information, in particular in medical and health services
  • Online abuse and gender-based violence
  • Security risks of shared critical services that support Internet access, such as the Domain Name System (DNS), and Internet Exchange Point (IXP) communities
  • Vulnerabilities in the technologies supporting industrial control systems
  • Use of information collected for a particular purpose, being repurposed for other, inappropriate purposes. For instance, theft of information from smart meters, smart grids and Internet of Things devices for competitive reasons, or the de-anonymization of improperly anonymized citizen data
  • The lack of Secure Development Processes combined with an immense growth in the technologies being created and used on a daily basis
  • Unauthorized access to devices that take an increasing role in people’s daily lives
  • Other: describe a cybersecurity issue critical to developing the SDGs in ways not listed above relevant to your stakeholder community (100 words or less)
• Many Internet developments do not happen in a highly coordinated way - a technology may be developed in the technical community or private sector, and used by other communities and interact in unexpected ways. Stakeholders are managing complexity.
  This both shows the strength and opportunities of ICTs and Internet Technologies, but also the potential risks. New technologies may be insufficiently secure, resulting in harms when they are deployed: conversely we may adopt security requirements or measures that prevent the development, deployment, or widespread use of technologies that would generate unforeseen benefits. Where do you think lies the responsibility of each stakeholder community in helping ensure cybersecurity does not hinder future Internet development?
• Where do you think lies the responsibility of each stakeholder community in helping ensure cybersecurity does not hinder future Internet development?
• What is for you the most critical cybersecurity issue that needs solving and would benefit most from a multi-stakeholder approach within this BPF? Should any stakeholders be specifically invited in order for this issue to be addressed?