You are here

IGF 2017 - Day 2 - Room XVII Plenary - Empowering Global Cooperation on Cybersecurity for Sustainable Development and Peace

 

The following are the outputs of the real-time captioning taken during the Twelfth Annual Meeting of the Internet Governance Forum (IGF) in Geneva, Switzerland, from 17 to 21 December 2017. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

 

 

I am to introduce the chair of the session here, Mr. Frank Grutter who is the ambassador and head of the division for security policy, director of political affairs and director of foreign affairs for Switzerland. 

I will turn the meeting over to him in just a moment to chair, but I'd also like to take a moment to introduce the two mag members to organize this session on behalf of the mag, and that's Juan Alfonso Fernandez Gonzalez and Olusegun Olugbile, and they will be driving the input from all of the panelists. 

Thank you very much.  You have the floor. 

Usually, these discussions have a strong participation of govermentary presentives.  And with this comes a certain risk of group thing.  In some settings, it is sometimes hard to think out of the box and move the page really forward and it's difficult to find practical and innovative solutions to the complex challenges we're facing in the arena of cybersecurity at the global level. 

So what can be useful and what is useful is to get a different perspective and of course fresh ideas and in this regard, this session is very challenging.  Next to my colleagues we have representatives from the private sector, civil society, the technical community, and academia present here today.  And this is in my view of the advantages of the IGF.  Bringing together all stakeholders to discuss on an equal footing.  And Geneva is a good place to facilitate such an exchange.  It is a city where an astonishing number of effects are working on many different aspects of digitalization present. 

‑‑ breaking the silos and engaging in ‑‑ and I am confident that this very diverse panel will allow for inspirational ideas and new impetus to our efforts in the global corporation cybersecurity.  I am looking forward to all your interventions and questions and wish us all fruitful discussions.  Thank you.

On the other side, if we fail to make the right decisions, we can create a perception of insecurity that leads our ability to achieve their sustainable development goals.  As part of our work, we developed a concrete set of ten areas where development of appropriate policy insures we end up in a place where security is actively supporting development.  This ranged from security liability of an access to internet services over ensuring that systems are in place to avoid potential abuse by authorities to the development and promotion of secure development processes.  There's just one small example. 

A small business is key to driving access to decent work and improve economic work.  The best practices for identify the need to help promote technologies for small and medium enterprises to secure themselves from a duck in which promotes confidence and trust in their services.  A brief risk assessment that we did flagged how available these organizations are and how access to security technologies can be limited based on the country they're base pud in and access to security expertise.  They also tend to be highly reliant and ‑‑

A big challenge we see ahead is finding and identifying stakeholder insecurities.  We notice security issues have become increasingly complex and systemic.  Only multi‑stakeholder approaches will be able to confront our future challenges.  There is a concern by silent action by a single stakeholder group will lead to the effective and counterproductive solutions.  No single stakeholder can go it alone.  Developing a culture of cybersecurity that ‑‑ and a really good understanding of each other's responsibilities will be critical to further developing cybersecurity in a way that will actually allow us to promote wealth and ‑‑ and their support for development.  Thank you. 

Security incorporates all tracks which individuals come across during their daily lives and integrates the principles of freedom from ‑‑ and freedom from want such as poverty ‑‑ from the mid90 to now, thinking about hearing ‑‑ and security has moved one more step.  (Static for audio.)

Climate change and technologies unstoppable ‑‑ it seems that human ‑‑ technologies seem to have a lot of interest in relationship to ‑‑ they are the ‑‑ knowledge, the para diagnostical ‑‑ new fears.  Fear of crime, violence and ‑‑ and new threats to the planet, drawing upon the resources and contributing an imagination base.  The difference inside the pace creates not only a new challenge in terms of the lack of data Capitol and ‑‑ the use of technologies by seven countries as a new instrument to ‑‑ to use divertment eight as an instrument to ‑‑ national security interests.  Today, from the same ‑‑ the software and expertise to manage elections and interview securitization of ‑‑ 

The human being ‑‑ is extinct is also beholden to do in the access for data ‑‑ to big corporations who need welcoming to societies for sustenance and survival‑‑ global as self‑evident.  The irony here is that the sustenance of the cyber is itself being framed by the risk for power.  Political and economic in the name of national security market come true. 

Can there be a framework of cyber sustainability inspired by the ‑‑ calls?  Universal please in larger freedom.  The shift is ‑‑ sustainability as the people on the planet matter, complies as the ‑‑ security ‑‑ so from ensuring that cyber space is free from linking ‑‑ and tackling threats to information integrity, a new framework of cyber sustainability enters a wide gamut of action points.  And here I'd like to close by saying that as technologies that increasingly being used to surveil ‑‑ a global civic space imaging has emerged.  An urgent global impact aside the sustainability is an order and people in civil society organizations must claim the contours of such an agreement.  Hopefully, ‑‑ as follows. 

This is a plan of action for people, planet and prosperity.  It also seeks to show them universal peace in larger freedom.  Be a result to freedom human race from the tyranny of poverty and want ‑‑ it sounds a bit familiar, you are right ‑‑ and rising from the 2030 documents.  Our motivations, cyber sustainability cannot but pee the same as those that power our vision for sustainability.  Thank you.

So examples of these include massive and indiscriminate surveillance.  It also includes the deepening of surveillance, capitalism, censorship, and filtering, intimidation, and silencing of voices, internet shoot downs, destruction of access to dissemination of information and lying, personal that the harvests and classified.  So apart from asking ourselves security for who, we should also question for what and by what means. 

What happens with the state itself becomes the source of insecurity?  The solution is not to increase the power of a state to control, monitor, censor, and to intercept communications and activities on the internet or even worse to transfer those powers to private corporations.  The solution is not also to measures to criminalize the online activity of civil society groups, activists, bloggers, human rights defenders, journalists, and others for exercising rights online. 

Women, girls, LGBT, minorities are the least security.  Expose people to greater insecurity.  There is a need to overcome the perception that cybersecurity is about the technology and there is a need to challenge those approaches to cybersecurity that will enforce the school and benefit particular political or corporate interests to the detriment of peoples' rights and security.  The core purposes of cybersecurity, we need internet public places with clear purposes with human rights embedded in them.  We also need a strong accountability, scrutiny, public debate, and transparency mechanisms for political corporate powers. 

Finally, if we want security of the cybersecurity for peace and sustainable development, it is important not to forget that the internet is a resource that should be covered in the public interest and it cannot happen effectively without the entire corporation and collaboration. 

The perspectives, expertise, and experience of civil society in the community are essential to the trust, confidence of securing the cybersecurity and cannot be excluded.  No one is the holder alone can cyber securities effectively and there's a need for all stakeholders to work together at all levels to ensure that cybersecurity policies and strategies are human rights expecting by design.  So thank you very much.

Developing countries will be taking the issues of cybersecurity seriously and a global corporation when one they have cybersecurity, policy.  I'm proud to say that Nigeria has the framework in place. 

Number two, they are to defy the African cybersecurity and data protection.  And last African idea, we got feedback from the only two countries ‑‑ four countries in Africa.  I would like to use the opportunity to encourage all countries in Africa to ratify this. 

Number three, they need to create awareness among the citizens of the ramifications of the cyber security instrument.  And No. 4, we got what we need to do, include subregional and regional corporation.  African commission is doing a lot in this report that's coming to play and the subregional organization, the development corporation need to come together like the one that program.  It is help a business a lot and frustrating corporation.  They need to assure like this, one by physical presence or two, communication facility.  As you can see.  I would like to say that.

However, Africa is burdened with fragmented and insufficiently secure infrastructure.  Investment is very low in the area of cybersecurity, especially in capacity development.  However, there is an outsource in telepenetration is going very high.  This has potential of making Africa as soft target for cyber criminals.  There is also the issue of general perception of cybersecurity across all TS of stakeholders.  On our way of the potential dangers across the board. 

However, recession development is at the ‑‑ most I had to come to reality that cyber are requiring such input from all discipline.  And I require Africa needs research that is driven by government industry and currently is walking together to shut the cause in Africa. 

Having said that, recession Africa is currently undermined by poor funding, especially occasioned by poor perception of the potential dangers.  Thank you. 

From the floor, somebody has a question from the floor, here in the room?  No questions? Do we have some other from there?  Okay.  So this is the only question we have right now, so who from the speakers will want to take it?  You said you want to take it? 

We also have a cybersecurity policy which documents government position and approach and provide guiding principles to us assisting, securing and partition of the nation's presence in the cyber space.  It also enlightens the city's fascinated national dialogue and clarify government programs. 

In Nigeria, cybersecurity strategy arguments government response.  In addition to all this, Nigerian government has institutions to implement and actualize these policies and strategies.  Some of these issues include the Nigerian computer and response team.  We also have within the various sectors in Nigeria a response to give and determine partens of cybercrime. 

Nigeria also have the cybercrime unit for investigating cybercrimes.  So having said this, what should government do to ensure corporations in developing countries?  I think we need to coordinate developing countries have issues with capacity building so we need to build capacity.  Of course, a nation investigation of cybercrimes.  And we are part of the Nigeria ‑‑ we funding in cooperation with the ‑‑ we fund the Nigerian internet governance forum. 

The recommendations from these governance forums are being recommended by the government.  All this is a language our core values and principles.  So at the international level, of course, we need to coordinate and collaborate.  These are the international principles of cooperation and the UN core values.  Thank you so much. 

It is stating the obvious that only a small part of the worldwide internet infrastructure is government owned.  The private sector owns by far the largest part of it.  But that lesson is important.  Government, private sector parties, and technical and academic experts all have their respective roles and responsibilities, and as such can and should be included as legitimate participants in the international peace and security discussion. 

This is why in 2017 the Netherlands government launched ‑‑ helped to launch the global commission on the stability of cyber space.  The only international forum where government, industry, technologies, and civil society are joining forces to reach a common goal a digital future in which the fruits of an open, free and secure cyber space are there for all to enjoy. 

The power of this independent forum is that the members represent all stakeholder groups, and they are ‑‑ that being said, also from all regions of the world. 

They represent all stakeholder groups, varying from government parties, academia, civil society organizations, focusing on an open free cyber space, the technical community, and the private sector.  The formidable chair of the global commission on the stability of cyber space, marina is among us today and will speak on this panel later on. 

Even more than in purely governmental forum and technical corporate get‑togethers, these commissioners are dependent on one another to reach consensus.  In order to do that, they need to be able to truly understand one another's sometimes diverging interests and ideas.  The result is that what they come up with has and hopefully can definitely count on that I'm very confident that it will, solid backing through our respective stakeholder communities. 

An example of the work of the global commission was presented to us recently in Delhi where in the mountains, the commission launched a well received call to protect the call of the internet.  Vivid proof of the fact that this commission is providing valuable ‑‑ invaluable contribution to the worldwide depate on international peace and security in cyber space.  And this is only one example of how one could find new venues of introducing the voice of all those who have a real stake in cyber space into this important discussion.  Thank you.

So and then we also understand of course that some interesting point were made in the 2017 process, and I hope that this discussion will continue.  So I think it is advisable that countries, including those who have been acknowledging the GD recommendation, would now start implement them, the ones we have.  One effective way would be to include them in sufficient extend to national cyber security, legislation, and strategies.  For instance, having a national cyber security strategy include is already a norm waiting to the directive and that practice, having them should be a global norm. 

At the same time, we are encouraged to see that corporate partners are assuming societal and global responsibility, mitigating the risks, including those that run in the products and systems.  And the norms proposed by the ones like Microsoft are interesting and understand that governments are looking already at them.  Now, in what way can we civil society contribute?  I think one way is to serve as a test bed and a sounding board to government and industry propositions and research in them and test them.  I think that is one area where we could do more and of course more NGOs could be involved. 

Capacity building is something close to our heart and we have been working with regional organizations like the African union organization, states and in particular countries.  And by bringing workshops into the regions, we also learn very much what they think about these norms, countries which are not members of the GGE.  Then of course we can inference our national governments to adopt these norms and CBMs within our own constituencies.  Of course, we need more NGOs to do that.  I think it's still a small number that really are interested and have ‑‑ but that should not prevent us to reach out to others and bring more people into debate to support these efforts by governments.  So thank you very much.

At the foundation, businesses designing, developing, manufacturing, distributing, and implementing technology.  In and of itself, this ecosystem is very diverse.  As builders and operators, we have a responsibility for designing for security, testing our products, and validating them and working with our customers to understand their needs so that we can build better products and address new and emerging issues. 

In mitigating and responding ‑‑ mitigating and responding, numerous stakeholders with responsibility for responding to attacks or threats.  For equipment venders and software vendors, this may mean updating and finding tech solutions and working with broader business community that relies on interconnected systems and networks.  And finally we have an role of the government.  And we have an important role to play to both build cybersecurity capacity around the world and to SXOERT engage in discussions on billing a more stable and peaceful cyber space. 

We believe the stability is essential for investment, growth and prosperity, for business and to develop and deliver global and interoperative products and services.  Thank you.

I'm going to be different and I'm going to answer in line with the statement that has been provided rather than reading the statement because I think this is an interactive panel so we need to interact and I have listened to the answers and you're asking me what is the role of the UN and corporation.  And almost all speakers say that is an international global corporation.  This is a discussion that is going for ten years, UN, maybe 20 years, civil society, ten years.  But still we are discussing here.  What are the mechanisms, what should be done, what are the measure to be taken.  And I see that the questions are always the same and more or less the answers are always the same. 

So maybe we should ask ourself why this is not happening rather than try to identify the measure to be taken.  There was a mention of multi‑stakeholder and now you're asking me the role of the UN.  Well, UN is multi‑stakeholder but the presentation of the whoop is member states. 

And here there is a contradiction in terms because if we want to have the multi‑stakeholder dialogue that is beneficial and complete in terms of actions, we need to redefine how this multi‑stakeholder ballot is happening.  IGF is an example of great platform but not a decisionmaking platform.  It's great for discussion, but at the end of the day, the decision taken here or the outcomes are not something that some members state that they came to consideration as a a binding measure. 

So one of the fundamental question here is that while there are so many initiatives and so many ‑‑ and I'll keep the time ‑‑ and so many let's say already measures like confident building measure, like norms and principles, if the is no ‑‑ and consensus at the global level that this should be binding or should kind of oblige the members to respect them or apply them, then and the nature means that some countries will adopt them and some countries may not adopt them. 

So coming back to the role of the UN, UN can facilitate this process, this dialogue, and more over can actually try to get members agreeing on the fact that all of this addressed to be bold to the attention of the member state NOEFRD for the UN which is at the end of the day is member states to agree on something that is meaningful.  And by now, this is not unfortunately happening.  Thank you. 

Nevertheless, the world is moving ever closer to what's major cyber confrontation, the number and gravity of the incidents in that atmosphere is growing and becoming damage to the economies is close to $3 billion.  It's as though we have a notice that the 130 states have ‑‑ are trying to ‑‑ have diverted ‑‑ they give a training on conducting cyber war.  So in that circumstances, we should ‑‑ there's not so much a matter of putting a reliable seal against cyber, but we have more about issues about the applicability of international law. 

In my opinion, this is a rhetorical issue more and the response to it it has long been gone.  Of course it is applicable.  Sadly, the reply is only that the international community is not yet decided by who, when and how to apply that international law. 

Now, for example yesterday, the head of Microsoft came up with the idea of the Geneva cyber convention.  And there was many people who would do this and people who seemed to oppose that proposal.  But the fact is we need to be well aware that it is from international conventions.  These international conventions are what make up international.  Such a draft document was put together by Russia as a concept and was distributed among the international community for consideration back in 2011. 

Nevertheless, that document doesn't contain anything revolutionary.  Nothing radical.  The document merely contains a pragmatic list of what can and shouldn't be done in cyber space.  Then you can ‑‑ this could be taken as a basis, far from being a Bible, but in your ‑‑ but we need something to see what's allowed and what isn't allowed.  So we don't want the world to be split into poising blocks.  And so the UNGGE, information security, in the years of its work, as virtually developed standards for responsibility conduct of stakes in information space and defined the sources of such threats. 

What's more, a consensus was almost reached on making those norms and standards universal.  Sadly, on a number of issues, the document ‑‑ pause in the position of a small number of western states was not adopted under end.  Now, in Russia, we believe that the UN track for discussion of issues of codes of conduct in cyber space is key. 

Since it's only there in the UN that we have responsibility of states for their conduct and therefore we don't intend to step up the efforts of the international community in order to resume the work of the GGE with a clear mandate which would take as the main goal of its work the formulation of principles, norms and rules of responsible conduct of states in the information space.  Without that international community, the international community simply must do this.  Thank you.

One of those is the biannual global conference on the cyber space that began in London in 2011.  That's why it's been called the London process.  And we're happy to have here Sarah Taylor, the director of cyber national security director of the foreign and commonwealth office of the united kingdom and also the representative of that country in the G g E.  So Sarah, in your opinion, what role should the London process pay toward empowering international cooperation on the security of cyber space? 

First, I want to say on the London process, back in 2011, when we kicked it off, the observation that our then foreign secretary made was that governments weren't properly engaging in cyber as a strategic issue.  And so there were three really important elements of what the London process was designed to do.  And the first was to get cyber security on the agenda for governments beyond the communications ministries and the regulators who are very properly looking at cyber security. 

Now, I'm a diplomatic and I know the danger of being allowed to wander into technical issues.  I'm very grateful for my communications issue and regulations for helping me.  I will say that increasingly, cyber is a matter of strategic importance with international peace and security implications and that was what the offer and administrator at the time wanted to stress and get governments involved at that level, recognizing that. 

And also he wanted to emphasize, and I sort of say this like he had ‑‑ and I'm going to disagree with him slightly, emphasize a subspace is not an unregulated environment.  One of the key messages of the first London conference was that international law applies online as it applies off line, including the UN charter in its entirety.  We have a set of international law that applies in cyber space and starting that conversation about how the application is that law and cyber space contemplates to peace and security, something the London places was designed to do. 

The second thing that we wanted to do to the London process was challenge governments tendency only to look at cyber space as a threat.  We wanted to emphasize that cyber security has no value if you're not clear about what you're securing.  And what we wanted to emphasize that we should secure as the benefits that cyber space brings, the benefits of an open, free, peaceful and secure cyber space brings.  The benefits for expression, human rights, all of the economical and social benefits needed to be part of the conversation. 

And the third thing was ensuring we were recognizing the paradigm that has existed around traditional international security debates, governments talking to governments, isn't going to solve the problem here.  We need to have a much broader conversation with civil society, with industry, about how we're going to tackle that problem.  And so the London process was designed to bring foreign ministers and academia and civil society and industry together to think about how we're going to solve those problems. 

I think we've come a very long way.  We're sitting in the IGF now talking about international security and cyber security together in a multi‑stakeholder environment.  I think that's a contribution to the success and contributions of everybody in this room who have made taking that London process idea and running it forward.  Thank you.

What makes the commission unique besides its multi‑stakeholder approach?  Its global nature.  All major cyber powers are parts of the commission and all parts of the world are represented in the commission, literally, from Berkeley to Beijing.  And I would like to recognize two commissioners who are in the room just now, from Nigeria and Malaysia. 

The commission is co chaired by former secretary of homeland security of United States and former national security advisor of India which also shows political depths. 

The mission of the commission is to help with national security, peace, and stability by proposing norms and recommendations to guide responsible state and non‑state behavior in cyber space.  What does it mean?  In the words that all people understand, not only those dealing with cyber security on a daily basis. 

Cyber stability is an ideal state where all stakeholders are free to enjoy the benefits of cyber space without fear.  That's an idea of state.  That will not be easy to reach.  Our commission has contributed to that.  We contributed to that with our first law, called the protect the public law or the internet.  You held a text on the table and it will be distributed also later.  I'll read out the text of the norm. 

Without prejudice to the rights and obligations, states and non‑state actors should not conduct activity that intentionally and substantially damages the general and inability of integrity or integrity of the public or the internet and therefore the stability of cyber space. 

Why did we choose that norm?  We choose the public for several reasons.  Because of the global reliance on cyber space of our economies, because of the increasing dependence of other infractures on its reliability, because of potential and dramatic consequences of its disruption. 

This norm is voluntary.  It's legal and unbiding.  But we all know that norms can lay ground work for binding commitments and can one day crystallize into international law.  That's our first norm. 

We will continue our work.  Our website is on the paper that you receive.  Please read that and please be back to us whether with your proposes, your comments, your ideas.  Thank you.

For example, how can we facilitate a process that will allow strategically most important topics or urgent issues for each stakeholder and then combine them with other stakeholders?  How can the IGF facilitate focus, inclusion and commitment from stakeholders within whatever process it decides to funnel?  How can the IGF facilitate cooperation and best practices between other platforms and organizations to ensure a connection of dots where the connection is currently missing to add value to the dates and work? 

We got the example from the global forum that invited the IGF best practices and intercession to come to their conference and present our best practices and the other way around, invite them to come to us and present their work to us to learn from each other and build together from there. 

These sort of sessions are for a working group, could the IGF actually ‑‑ and what allows them for the very best topics to go through the process and ensure success and I would like to end with our national region IGF.  How can the IGF tap into and facilitate the current best practices that are existing in countries already and make sure that they come up to our international forum and that our best practices go back down for others to learn from? 

And that way I think the world may actually get a little better when we're talking about cybersecurity and fighting cybercrime.  So a lot of questions that were represented later this year in official reports following these sessions.  Thank you very much for the opportunity

Having said that, you have a question from the lady there. 

As we see it, there are two channels or two places, two forum where the theme is debated.  There's the inter governance forum and regional initiatives.  But what catches our eye is what was said by the IETU and what was said as to possible standards originally voluntary but at one point become binding norms or standards. 

So I'd like to ask, in the UN framework or within the framework of the UN specialized agencies, how could we pinpoint possible norms to protect cybersecurity and that those norms should cover aspects that promote development ‑‑ sustainable development for all countries?  Thank you. 

Part of education policies and technology coming from this caller past conflict society.  And I would like to put some points to be on the table.  The first one, I feel about security and the human rights.  And they are assessing faster to technology than clean water, for example.  We say that.  I think of personality development, culture identity rights, education, and ‑‑ the focus will be like how are you addressing governances that are in this moment in this first year? 

How are you considering the advancement in technology and peace building in relation to childhood?  The city related to the impact of these policies prior or actions, particularly with the little children, for sure, the children affected by conflict in developing countries. 

And the third point I want to make is related to ‑‑ what are we going to do in term of cybersecurity, in term of rights in relation to the precedence and government members using fake names and sustainable development and see the distance developing countries in relation to development and peace. 

But let me answer to the question from the representative from Cuba in terms of how norms and principle can become bindings.  Now, I don't think that we should jump into directly coming out with the international framework that I remember subscribed.  I think that experience shows we are not already there.  But I think that in the back of our mind, that could be might be an option to go because everyone is seeing that and even the ‑‑ let's say the global commission is realizing that you can come out with the nonbinding principle but at the end of the day, this has to be a foundation for something that has to become binding.

  Okay?  This is my own personal view and if you want, I can say a disclaim that it might not reflect the view of your organization because of course I represent you.  But here, I think it's an open forum and we need to express views. 

From the perspective, all the resolutions are voluntary.  So members, they can apply them or not apply them. 

But I think that in this specific context, maybe there is a need to go for an additional step and identify what could be the mechanism from one side to engage all the stakeholders and also here.  The setup of the UN, doesn't facilitate that unfortunately.  Now, I don't know if how many you know that IT is one or the few. 

It's not your organization that actually have the private sector as institutional membership, you know.  So we are kind of familiar with what means involving private sector or other institution but not specific member states.  But I mean in the UN discussion, you have members that are discussing and we need to find a way to engage the other stakeholder into the discussion to have that use reflected. 

And there are so many initiatives doing that, but again the initiative is to converge in something that it can be under the UN and your position of the member state or alliance, but something has to being aggregated.  Because otherwise, connecting the dots to the IGF, otherwise instant try to aggregate the discussion and the dots will be an issue that they come out and maybe next year, we at 200 or 300, 400, and then we will carry on discussing without coming to a conclusion.  This is my point of view.  Thank you

And I would include our work on norms within that.  So if I look at an international stability framework at the UK and then the others put out, it's based as a foundation, the existence, an application of current international law, norms that sit above that, which are different from the norm.  They're not another way of writing.  They're norms of way of describing behavior in terms of positive acts of cooperation, responsible state behavior looks like but also in terms of constraint.  And beneath that, confidence building measures. 

So we look at the work that's happening all around the world in building competence measures that support those norms, the application of transparency and capacity building and the recognition increasing the capacity building supports a state's ability to participate in that international framework, to demonstrate its adherence to norms, understand within its own international systems how international law applies and what processes and judicial requirements that it will need in its own circumstances to protect itself. 

So I would like to put norms in that context, norms that have been, I would stress, again, recognized, with the application of international or by the UN general assembly.  And within a wider framework, which isn't just about saying everything has to be a step towards law or a step towards a treaty.  There's a huge range of different co‑operative, the activities that will collectively contribute to international peace and security in cyber space.

And when we speak about each of these, the security of the network, the security of data, and the security of information, you actually need the same treatments, the same protocols, different kinds of action plans, et cetera so we can't be talking about fake news in the same breath as we were probably talk about data security.  The two are the few things, and you will probably need media governance frameworks to address the former, which is about news and information that as you will probably need a data related framework to deal with insecurity or security of data. 

And here I think the considerations for developing countries come from the complexity that we have had with let's say the lack of infrastructure development.  So one of the things is it's not just about cyber recognition and a fear of cybercrime, et cetera. But now and every day things, for instance, the individual consent form works, in access, to day work for developing cavernitis?  If someone says write us your privacy through individual concern frameworks.  In the larger architectures of data, how important is the idea of group privacy?  These are very important questions when we talk about data. 

Similarly, any framework on data security should be able to think about data ownership and data privacy on two sides of the coin when we think about cyber sustainability.  So I think we should actually not be mixing up things when we talk about developing norms and we should address data information and network and software as three distinct layers, each of which requires separate treatment and protocols.  Thank you.

And further more, to compliment this set of existing norms that already govern the physical world for the sake of enhancing stability in cyber space, we have indeed in the framework of the new NGGE designed a set of additional voluntary nonbinding norms that definitely help to enhance stability and responsible state behavior even more, if we all apply them, which I would hike to invite all states to do.  And the UN general assembly has embraced these norms and also invited the UN members to apply them.  So indeed it is already ‑‑ it's not ‑‑ cyber space is not a very calm and table ‑‑ it doesn't seem like a very calm and stable space at the moment. 

There are many threats and threats are increasing and that's a big concern.  We have to mitigate them.  Otherwise, people around the world will not be able to benefit and rid the fruits of anopen and fully secure cyber space.  It's not ‑‑ what I want to underscore is there is already a stable and solid framework of binding norms in place and that's for existing international law.  Thank you.

We now have to contend with multiple spheres, including the virtual or cyber space of power and influence, a growing multiplicity of interests, conflicts, and asymmetries, almost unlimited access to data, and the disarmed machinery some of which are hobbled pie rules and practices and as was said in the beginning, suffers under a silent approach to tackle these issues effectively. 

Although no clear understanding existing on what cyber war, a term with some regard as contentious would entail, it could likely sharply deviate from ‑‑ what is less disturbing is cyber enabled critical infrastructure ranging from the financial sector to power grids to nuclear facilities are verbal to attack, based upon the fact that they rely upon computer networks to function. 

The cyberattacks on nuclear facilities is a specific and increasing concern.  The nature of a nuclear facility makes it susceptible to compromise to cyber means multiple ways such as theft or inventory and the sabotaging of safety operations, satellite systems and communications systems and the compromising of data integrity. 

Another traditional arms control issue, we also remain worried about the growing trend of weaponizing information.  This is not new trend in war fair, it makes attempts scalable in ways ‑‑

Data protection and digital safety measures was mentioned earlier, and I just want to stress the importance of these topics, and I know these will be addressed in other sessions.  Although the issues do not constitute conflict traditionally, the undermining of public trust and current state relations has their own destabilizing effects.  Allow me to make a short leap to another important technology that's related and I'm pleased to see this reflected also in the program of the IGF this year, which is a a based technologies. 

This is not a discrete or fixed technology.  As most of you know, it's a feature set that can be applied to any exist or new system platform, including weapons systems.  There are emerging military oppositions of AI from military command and command and control to offensive cyber operations. 

Meanwhile, governance in cyber space is stuck and without a recall to reactive band‑aid mode.  There's deep uncertainty about how the future of cyber space may play out, not the least because it advanced like AI and also quantum computing, threatened on the mine existing approaches and as mentioned by Anita on my left, on the mind trust and social contract defining our communities physically and virtually. 

More than ever, on the way forward, there needs to be agreement on what responsible state or entity should and should not do in cyber space.  As stated, one important step is to raise awareness and universalize implementation of the norms she mentioned in her statement.  Further more, leadership is critical.  Leaders at all levels across all disciplines need to understand the shared business case for investing in and becoming cyber aware and building much needed cyber and digital literacy across generations. 

The multi‑stakeholder approach mentioned by Ms. Taylor to my left, some of the experts we consulted with from relevant industries said there are actors in cyber with resources to undertake offensive cyber operations so sophisticated that they cannot be defended by the technology alone.  This raises very serious controls from an arms controls perspective. 

Lastly, it's critical to look ahead and strengthen practical impact of our collaborative efforts and invest needed norm and entrepreneurship.  I'm excited that young is from Microsoft will speak on this on how to make much needed partnerships.  Thank you so much. 

IGF is an important opportunity to connect all the people from government, international organizations, NGAs, and the civil society more broadly.  On cyber security, which in recent years has become one of the important issues of our time.  Cyber security is at the heart of everything we do at Microsoft.  We spend over a billion dollars a year on cyber security, and we have over 3,500 full‑time professionals working on cyber security.  The one thing is clear. 

In a world where which is rapidly embracing digitization, people, regardless of their origin, will not use information in communication technologies which they do not trust.  And societies will not be able to benefit from digital transformation unless the cyber ecosystem is both free and open, as well as stable and secure. 

And the challenge is that the stability of cyber space really has been impacted by a number of developments.  On the one hand, cyber criminals are becoming more professional and aggressive in their tactics, exploiting unsuspecting users with many tactics.  As an ICT industry and truly as society as a whole, we're not just up against criminal groups operating in line. 

We're also increasingly concerned about another form of cyber attack.  And to us it is clear that conflicts between nations are no longer confined to the land, air and sea.  Indeed a new cyber arms raise is under way with nations developing and unleashing a new generation of weapons aimed at government and civilians alike, putting at risk their critical data and digitally powered infrastructure that we all depend on for our daily lives. 

And indeed this year, 2017, truly marked another concerning inflection point in that regard.  We saw attacks like want to cry, which affected over 200,000 users in over 150 countries.  And which initially targeted the systems of one particular company and then spread internationally, by some estimates causing over a billion U.S. dollars in damages.  1 billion, 1 attack. 

And while we as technologies companies have the first responsibility to help address these issues, it would be a mistake to think that the private sector by itself can prevent or stop the risk of cyberattacks any more than it can prevent other types of military attacks.  Nations in cyber weapons have advanced beyond the point where that is possible.  That's one of the reasons why this also underscores the need for international norms and agreements to protect civilians from attacks. 

When we called for a digital Geneva convention earlier this year, we in fact did so by proposing three interrelated elements.  One, we called on governments to acomment legally binding commitments focusing on reducing and ideally eliminating nation state cyberattacks on civilian infrastructure.  And I'd like to add two important points on this. 

First of all, there are clearly important building blocks upon which such norms and agreements can and should build.  For one thing, there's the important body of existing international law which we think does and should apply to cyber space.  And as has been said by many speakers on this panel, more work needs to be done to identify how it applies to cyber space.  But then in addition to that, we think more work also needs to be done to identify what gaps might exist and how that gaps can be addressed.  So we think merits a lot of focus on this notion of peacetime. 

Now creating such a new agreement could take many different forms and requires more than a single step.  It also will not happen overnight, which is why we collectively must start to build a broader consensus on these issues today. 

Second, we've called an industry to do more and to work collectively to ensure the stability of cyber space, and that includes commitments such as industry having to be 100 percent focused on defense, not enabling offense it, means we should issue patches and help our customers secure in an equity manner and not pick sides in such conflicts. 

And then third, we believe more needs to be done to hold those actors accountable that violate internationally established norms.  And one way to do that is further define and better connect those stakeholders and particularly in the private sector but also importantly in academia, you can produce technical data that can serve to identify norms violators. 

The future of cybersecurity will require many steps by many people.  At Microsoft, we're keen to do our part.  And while we don't believe we have all the answers, certainly we don't, we very much look forward to future collaboration with many of you in this room.  Thank you. 

And to start with, I would like to congratulate the organizers on the discussion of cybersecurity at IGF.  I strongly believe a multi‑stakeholder approach, cooperation between government, industry, private sector, academia, technical community and civil society. 

Why?  Cybersecurity is part of national and international security.  So far, states have been the only ones dealing with security or the main ones dealing with security.  Cybersecurity is different.  And states can't be successful in contributing to cybersecurity without cooperation. 

With industry, private sector, because industry and private sector owns critical infrastructure.  The other ones for providing homeland services. 

Academia helps us to answer the question how international law applies to cyber.  Technical community, they have been in cyber since the beginning of the cyber revolution and they know things that governments don't. 

Civil society.  Free, open accessible reliable internet is not only about technical solutions.  It's also about principles and values.  Human rights online equal to human rights off line.  I think that some governments need to be reminded of that from time to time. 

Yes, GGE failed to reach consensus report because out of five areas, we were not able to agree on one.  On applicability of international law.  And that is very regrettable.  But that's not the end of the world.  Having said that, we should not forget about the fields where we made progress, including capacity building.  It's important to engage all states in discussion in one form or another.  Yesterday, I listen to the opening panel and what president and CEO said.  He said that the first wave of internet users came mainly from developed countries, they were better educated and spoke English. 

The next billions were most probably come from less developed countries and most probably they will not speak, and that is okay.  It is our duty and our obligation to reach out to them and talk to them in the language that they understand. 

The same can be said about cybersecurity.  The countries that are vocal and active today are the mainly large countries, independent countries, but there are about 100 countries that have not spoken yet, and we have to reach out to them.  GGE make progress on conference building measures, also explaining previously agreed. 

And I didn't understand why we, the members of the GGE, were ready to talk within the group and are not ready to talk more widely about our positions.  I think it's our obligation to international community to say what was disgust within that group and to share the draft report or at least some chapters of the report. 

And finally, to compute, I'd like to make five points.  Discussion has to be continued, even in the situation where states have taken time out to look at the present situation and think about future.  Second, discussion has to be multi‑stakeholder discussion.  Third, today's session proved that we have to have ‑‑ we have to undertake efforts to introduce and universal lies.  What has been agreed so far in the GGE, especially the norms of 20132015 and applicability of international law. 

It's not an agreement of 20 or 25 states.  It's global.  It was approved by UN general assembly.  All UN member states have their ownership. 

And we have to start finally answering the question how international law applies to cyber.  If we can't do it globally, let's start it with a group of those who want to make progress and who want to have not only liberating discussions but also answers. 

And finally to my colleagues, I know that GGE and UN has its rules.  But let's belay the secrets and talk openly what we talk among ourselves in the framework of the GGE.  Thank you.

First of all, the GGE was unable to reach consensus in the last round that concluded.  That means that the previous report, inprevious round of 2015 that gives their report added importance. 

Secondly, the issues analyzed in that GGE did prove controversial since there were points of view that differed among the 25 states represented there.  Thirdly, the GGE does represent an important space, an important forum for analyzing issues and having the cyber security within the framework of the UN since it allows us to exchange in a relatively balanced manner, issues of interest, the international community. 

However, it's not possible for states that weren't part of the GGE to adopt and endorse each and every one of the recommendations made in the outcome report.  Since we didn't have the opportunity to participate or express the opinions during the working sessions, therefore there are elements that are highly important in discussions on cyber security that need to be subjected to analysis for each and every one of the UN member states. 

These issues are those such as sovereignty, the applicability of international law, the UN charter, and particularly with each ‑‑ so many characteristics involved. 

Finally, it's important to establish a mechanism under which all states can participate openly in a co‑operative fashion to analyze issues of cybersecurity.  And if we're able to achieve a forum of truly inclusive consensus, that would be in line with the spirit of the United Nations.  Thank you.

Without peace, we cannot have sustainable developments and security in cyber space.  And the peace is not only the end but also the lease. 

Some people may argue that cyber war is the reality and we should accept that reality.  But I think it is fair to ask such a question.  Are we doing everything we can to prevent cyber war, cyber arms race?  As was suggested by Microsoft in Geneva, digital confirmation, saying that industry should 100 percent focus on defense rather than offense.  And number two, the principal of corporation.  In my view, in cyber space, all countries are interconnected.  And our interests are into one.  We're in the same boat, heavy shared interest in cyber space, a peaceful co‑operative and elderly place.  We belong to the community of shared future.  Therefore, cooperation, coordination is the only way to address the challenges pretending to peace and the stability in cyber space. 

New thinking and a new concept, we need to build a few type of international relations in cyber space.  Cold war mentality, zero sum thinking, coalition, deterrence. 

Do not bring peace and instability in cyber space. 

And lastly, governance.  There have been plenty of discussions on cyber space governance during this session.  I think it is time to take raw actions for governance and structured governance as readily put it by general into yesterday's high level segment of the presentation. 

The GGE has done quite a lot in developing norms.  Now the UN should continue to play a leading role.  Although this year's GGE was concluded without any consense census report, it cannot be used as an excuse to deviate.  Instead, he would rather highlight the urgency for UN to start a new run of process. 

And in the long run, we should establish an open and inconclusive process with the UN and advocate brought upon participation for cyber space.  As stated by Chinese president recently and to the national Congress of the Communist party of China. 

China is to foster a new type of international relations and appeal to a community with a shared feature for mankind, and I think it is also applies in cyber space.  And China is ready to work with all parties to build a multilateral, dec and transparent cyber order and foster a peaceful, secure, open and co‑operative cyber space.  Thank you. 

How can we assure that the rules of law governs the cyber peace.  Thank you.  

A lot has been said about the threats and buildup of capabilities in cyber space that might threaten or the stability and peace.  What I would like to stress is that the acknowledgement of the application of existing international law into cyber space does not lead to the militarization of cyber space. 

To the contrary, rules provide clarity and stability.  And above all, they provide for ability.  Without the application of international law, cyber space becomes ‑‑ happens to become the risk of ‑‑ become the digital wild west.  The good news is that we have not to develop anything new.  The rules are already in place.  We believe as do many other countries that have spoken to date as to the international law which is longer relations between states applies in cyber space. 

And of course the key question is how does this law apply to the new dimension?  And I'm ‑‑ we welcome very much that the discussion about this key question is gathering pace. 

Various processes have already been launched over the years, over the past years, to undertake this endeavor.  The United Nations group of government experts made important contributions in that 2013 and 2015 reports.  And these reports, and most notably, the 2015 reports were endorsed by the UN general assembly and thus contained the innovation to all states around the world to implement these important recommendations.  Apart from the developed work of the UN governmental experts, a group that's indeed unfortunately could not reach consensus last year, but hopefully in the future, we need discussion in the UN will take up the work again. 

Apart from these UN efforts, there are a valuable efforts in place that take this challenge of clarifying how international law applies to cyber space head on.  Hike the title 2.0 in the frame of the head process.  These process provide guidance found based on the valuable insight of countless accomplished academics in this area.  And in a discussion with member states of the UN and other bodies which will need clarification and exchange of expertise, because it deed indeed, exchange of expertise is also of paramount importance. 

What I would like to underscore is that not only principles like sovereignty and intervention but also principles like due indigenous and state responsibility apply in cyber space and notably, most notably, also international humanitarian law. 

Let's please not forget that we have all these important bodies of law in place. 

International law also governors the space below the international law of tech.  The law of state's responsibility is very much applicable there, and that will help us to enhance stability and avoid escalation.  So to conclude, we must continue our endeavors to clarify how international law applies and then at the same time parallel to that work on this very important additional voluntary norms of responsible state behavior that will enhance peace even more.

And also in that respect, I think I would like to commend the work of the previous GGEs and would also like to underscore the importance of input in this discussion by other forums around the world, also forums of multi‑stakeholder character like the global commission on the security of cyber space.  Thank you.

And secondly, and this was mentioned partially at the forum yesterday and today, boils down to the fact that all of world civilization, development, the new scientific and technological evolution, will not be able to develop unless we address a single political question how to ensure cyber security and judge for yourselves how could cloud technologies set themselves up?  Robotics, artificial intelligence, transport, cashless finance, cyber medicine, the internet of things and a great many other things that determine the progress of humanity if all of this is at the mercy of hackers, cybercrime, cyber terrorism, and in the worst case, cyber war? 

The idea of moving to negotiations on ensuring information security for all stakeholders including several society and business with of course the decisive role of states is nothing due.  As far as I can see, this is first expressed by the French president on the subject of the address to the Summit in Dublin and reflected in the outcome document of that forum. 

And it was described as a multi‑stakeholder model.  Naturally, Russia's supports these many multi‑faceted efforts and thinks that all initiatives and proposals to develop including in the framework of this forum solutions could be considered constructively in the framework of the renewed group of governmental experts of the United Nations, which will be convened, I hope, next year, and in the context of developing universal rules for the responsible disorderly conduct of states is in the cyber space.  Thank you.

Second, we need to clearly define it's not possible to resolve conflicts in cyber space using anything other than cooperation between states.  It's the only way. 

Thirdly, addressing cyber space as a ‑‑ that contributes to peaceful development of countries and not a space in which lawyers legitimize and by association the application of counter measures or reinterpretation of international law and the UN charter as pretexts or justifications for hostile acts perpetrated through ITCs. 

4thly, we need to define issues related to the attribution when cyberattacks occur so as to avoid deliberately targeting states and escalating conflicts in cyber space.  Finally, we should defy what I must call a shared terminology that would facilitate issues relating to cyber security at a global multilateral level.  Thank you. 

One of the components of the Microsoft proposal is that it's the creation of an international cyber attack attribution organization and we want to ask the representative for Microsoft if he can give us some details of how this organization will be and function and how we the international community could help implement such organization. 

I think you've identified an important element, and that is the role that attribution plays in both helping to advance stability in cyber space and also helping to let's say reduce the level of to somebody that reduce the level of noise in the system, by making it harder for those willing to commit these attacks to the main unidentified. 

And so what we have seen, and this is based on vast amounts of cyber intelligence that Microsoft and many other companies have is that there has been a steady rise in sophisticated actors willing to use cyber offensive means.  And I can tell you, our cyber team has as I mentioned seen a clear increase in the groups that are in fact perpetrating these attacks. 

What we haven't seen is a degree of collaboration or coordination, both between private sector companies but maybe also between private sector companies to broader technical community, academia, civil society, to some degree.  To help bring together in a more meaningful way the technical data to maybe help evolve a more common methodology and then coordinate in a more systemic and advanced manner the analysis on the basis of that technical data that does currently exist today. 

And so what we have proposed and again this is certainly something that has evolved over time, is to think about ‑‑ start thinking about some mechanism, some international group.  It could very well be an international NGO, frankly, not led by governments but potentially by nongovernmental elector such as the private sector and academia.  And that could pull together from different sources and make a statement about the origin of such attacks and sufficient degree of ‑‑ or sufficient level of confidence.

And we think having such a third party organization, potentially an international NGO, they're able to advance these elements would actually be a significant and meaningful contribution, as I said, in terms of raising the stakes for those who are willing to go and violate potentially norms that they might have agreed to before. 

Again, this is a lot of work in progress.  I think there's a lot of ‑‑ we think there's a lot of room for this to grow organically over time, but we are seeing interest among other companies and certainly among other actors in civil society that want to contribute to potentially building such a process.  And so this is why we put this idea on the table, and we certainly welcome feedback and other ideas.

There was another agreement that it's actually difficult.  And one of the reasons is that while there are many definitions of cybersecurity, there is actually no universally accepted one.  And these differences are less rooted in language, which would probably be easier to solve, than they are in the priorities that a state has in engaging. 

Some see cybersecurity as a method of protecting and developing the economic protection of a nation while others see it as a national security priority. 

Rather than throw your hands up in the air and shine away from this complexity, we can also see an opportunity to engage on these topics of difference to our varied areas of expertise and advantage point, make meaningful progress.  But there are a few prerequisites.

Wearing my other hat, I'd like to share two THAVBL helped us as incident responders find agreement rapidly during the major security incident. 

First of all, we all have to show up to the table.  Today, not all stakeholder groups join in the discussions that can actually move some of these complex topics forward.  When everyone shares their views, even at the starting point of agreement, there is actually an opportunity to start from even that basic level of agreement that may exist and be difficult to discern. 

During an incident, we don't always have the choice to show up or not.  We simply have to do it.  When we prepare for one, we have that choice, and it's important that we make the right decision there. 

Second, it requires a change in mindset.  Instead of thinking how can I fix this problem, we need to acknowledge that none of us can provide security ourselves.  We need to take a step back and see how to see the problem and how it will be impacted and find small points of agreement where we can get started. 

In the PPF, we talked about a number of ways to make practical progress forward and we feel that has a community, we need to build a culture of cyber security and identify a core set of shared values, and that is something that can only go hand in hand with ensuring widespread of all stakeholder communities. 

This culture then needs to be developed through tools, and many of the speakers today raised the value of norms.  Norms are a strong way of expressing what is responsible behavior in cyber space, to help increase levels of effectively.  But it's important that spaces exist for civil sty and the technical community to help contribute to those norms. 

The tool that a norm also needs to be replicated in stakeholder groups are in narrower frameworks than just the state or interstate behavior.  An interesting idea that was raised involved the development of duties with care which describes the responsibilities of individual stakeholders in cyber space, clearly to local legislation, policy and best practices. 

Both of those are really interesting ideas that can help us move forward.  The BBF identified 18 high level areas that would benefit from wider stakeholder cooperation.  As a forum, we're limited in our ability to tackle all of them, it's our hope that the outcome document we'll publish after the IGF will inspire work that can be continued both in and outside this forum.  Thank you. 

So she's good for civil society.  To follow this discussion, implementation, not monitoring, but contribute to that complimentary processes.  I just wanted to say also that I'm very pleased to hear of course that the work of certs is mentioned here and in our capacity of building projects, workshops, we have both policy, diplomatic and south together in the same room so that they understand each other. 

Of course we would welcome and take up on merino's offer to see this principal ‑‑ or the tech ‑‑ the content of where you seem to have had already high level of agreement.  That is also very interesting.  We have to see how we can get a hand on that.  Maybe just leave it somewhere and before the cleaners come.  I don't know.  We can't see.  But I think that would be very helpful for everybody. 

Other rules that we have still one minute.  It is of course that you know it was mentioned by I think Anita is to really work also with consumers, users.  I think there on the hygiene side of being a participant in the global cyber space, I think their civil society can do a lot of working with users population at large and so forth. 

I think we can continue the dialogue and with companies.  I mean, Microsoft takes the lead, but there are many other companies.  We could maybe encourage to join in the thinking of what are the concerns of the private sector.  What norms they would like to see.  I think also something we have started now is to bring the discussion to the parliamentary groups too, parliaments.  Because at the end of the day, the parliaments will have to approve cybersecurity strategies and legislation. 

But we see that there's a big gap, that they have not been concerned credit for many.  So I think we're working with IPU to reach out those parliaments.  I think one could do more of pic consultations.  ID U does that, but could be done otherwise.  I think the ambassador mentioned emerging issues of applicability of international law, lethal autonomous weapons, the connection with cybersecurity and so forth, ethics and technology.  All these things are sort of common frontier issues, but some say it's a front door issue already.  So civil society ‑‑ and academia especially can help think and make the connection. 

Finally, you know, for instance, the new issue or ongoing issue on preventing use of ICTs for terrorist purposes, which is a great concern to the security counsel council, as we all know, there the civil society organization was invited but to start a dialogue with a private sector. 

So these are some of the functions that we could see coming up in the next 2, 3 years.  Thank you. 

For instance, a internet user simply requires cybersecurity awareness and education, but internet provider requires a different set of awareness and education.  Software developers requires different set of education, especially to be able to develop software that is secure and stable.  Manager requires a different set of cybersecurity awareness and education to be able to recruit good personnel.  The supply chain also requires a different set of cybersecurity awareness and education to be able to buy a it could meant that that is actually secure and stable. 

However, in the cyber space require some foundational like mathematical and science and not all requires that.  What is the implication?  The implication is that all that form of education.  It requires that we need to think in our nation to include cybersecurity education at all as to as learning and this is very very vital, especially in Africa.  We need to integrate cybersecurity culture from all aspects of education and the global community must be able to encourage this.  Thank you. 

Obviously ground drills for cybersecurity on human rights are needed, but the process to agree on them is equally important.  The way in which policy decisionmaking happens has to significantly change. 

Another challenge we see ahead is around transparency and accountability, not only in relation to the purposes, this cope and implementation of cyber security of strategies, but also in relation to cyber the things and cyber offense capacity of estates.  If governments are adopting approaches that instead of creating conditions for strengthening the security of users create greater insecurity, justified by the so‑called national security, then they must be subject to greater accountability and transparency. 

In particular, there is the need to hold governments accountable in investing technology that violate right of users that contradicts human rights law and that's not contribute to stability, peace and development.  Thank you. 

We are witnessing greater cyber ‑‑ we mentioned this morning about 20 countries that confirmed themselves they have a fancy cyber another 9 or 10 with great implications.  Probably many more.  It's a big problem that we heard also and could be misleading so what are the solutions?  And questions are, is it realistic to expect that countries that have already cyber armored are going to step back?  Is it realistic to expect?  Can we work on cyber disarmament? 

Second, even a tradition which is quite reliable, there's a question of heel and political attribution.  What happens with that?  Can we make sure a technical attribution will be enough? 

And thirdly, an answer when it comes to misunderstanding and escalation.  Thank you.

We're talking about cyber warfare, sorbs insecurity, et cetera, about states having to solve things.  What makes us most insecure is devices that come on the market, inherently insecure.  And if we can for example take one pilot next year which is going to say in two years from now, there's no device coming on the markets that has no unique password. 

It has a horns, focus, involves all stakeholders, and everybody wherever they live in the world will profit from the outcome.  So in other words if the IGF is able to sustain such a process, then the content will follow that will be worthwhile participating in.  So how would you look at a process like that?  And as it tried out for the IGF to do something different than it hadn't done before.  So thank you.

I just want to respond.  Can we working in this field?  Yes, I will listen and director of here in Geneva and it was a great presentation.  We can work?  Yes.  Experts said it is difficult to guarantee how to apply on a possible creation of an international group that from the technical point of view could identify the attribution.  But of course I have a recommendation that despite there is an international group or institutional mechanism to deal with the attribution in many case United Nations that is a universal membership of member states will need to have a connection with this new mechanism that will be dealing with the attribution. 

Because for example security console, there is violation of charter.  There is a threat to international security.  We need to have proof.  We need to have proof that there is a violation to proceed with the application of the measures.  So I think we can work in sovereign operations.  We can work in measures.  We can work with CBMs.  We can establish an institutional mechanism as it's been proposed by Microsoft, but we also need the states, the state governments.  Receiving that technical information, a violation of setting standards for international community to take the decision.  Isn't that going to the criminal court, the international criminal court.  We need to have the proof to take a decision. 

So I think more or less this discussion is very very good because we ever all the operation.  We have the enterprises, their industry, the civil society, academia, the experts.  But at the same time we need to engage with the states for them to take care of our any situation that provoke an unstable space.  So be need to have subtle, voluntary, maybe they could become binding.  But we need to have an institutional mechanism that will help us get the technical information, who's going ‑‑ who's violating or creating damage to our infrastructure.  Sorry to speak too much, but it's very interesting comments from Microsoft, from the civil society, from the industries.  Thank you so much.

Two, I've heard about norms rules being talked about since we started this program since yesterday from the high level up to now.  The global commission, I've heard that person talking about norms.  How will it be enforced?  How do we hold people accountable?  And even if you said binding, how can it be enforced so that we would achieve what we are looking at in having peace in the cyber space?  Thank you.

I think it's going to be a challenge, but I think in the space, we expect and look for states de‑arming themselves in certain categories.  And I wouldn't say necessarily that it's impossible that that couldn't happen also in cyber space.  These discussions will be important.  We already look at how certain conventions on arms control, certain conventions on export should apply to cyber tools and I think we absolutely need to have a discussion about the disruptive nature of cyber tools and where it's appropriate for states to talk about disarming. 

The first step to that of course is transparency on arming.  And so I would say, and I call upon all states to do as the UK has done, to talk about its cyber capabilities, to be transparent about where it is developing cyber capabilities, to talk about the rules, decisionmaking processes, political, judicial, parliamentary authorities that govern the use of those capabilities so that we can increase transparency and confidence and allow us to move forward into an honest discussion about the likelihood of disarmament. 

The second question I think very rightly pointed out that attribution is not only technical.  It's also legal and political.  Today is a very interesting day for example because the UK and the U.S. have today attributed the north Korean actors for the ransom wear cyber attack.  Let me very clear, that attribution on the UK's part is technical, it's legal, and it's political.  All of those decisionmaking processes were going through in our system to ensure that we have technical confidence in the attribution we've made in our national cybersecurity center has assured that. 

We have legal confidence in that attribution and indeed that will allow us to pursue enforcement activity in that group that we consider to be responsible.  And we have a political decision that we will be really clear that it was Korean actors Lazarus group who were responsible and we understand the political consequences of that decision. 

So to say that it's not possible, too difficult to do attribution is disingenuous.  It is hard but it is possible and we should be doing it and using it to call out irresponsible state behavior when we see it. 

And the final part of that question I think related to confidence building measures and how do we support confidence building measures.  I think one of the things we should be doing, and in fact are doing in our regional, is looking at how we can use confidence building measures to support transparency, cooperation, and so on transparency, talking about our capabilities is a confidence building measure.  This discussion here today between states, between industry, between civil society, is a confidence building measure. 

We're opening ourselves up to challenge.  We're talking about these issues, and there's much more than we can do in our state greetings and other actives.  So I look at the efforts within the OSCE to establish points of contact to allow us to know who to call, based on an operational level and political level because these attacks are sometimes political that we'll suffer and the response that we want to calibrate is a political decision. 

And I see quite a lot of hype around the confidence building measures and how we can use them to build a more constructive environment which will allow us when we return to international multilateral conversations which I'm sure we will do, to have a more conducive environment to a positive conversation because we've used confidence building measurements within regional groups bilaterally to have a greater understanding of how we worked together. 

And I wanted to ‑‑ up on the question of supporting ‑‑ in united kingdom, we're working with industry and other governments to look at what a code of practice could look like for security to ensure that we are developing with industry, a set of standards that will help ensure that devices are rolling out in the future.  Don't suffer the security problems that the devices are in the past.  We're not struggling as weir now to reverse engineer security into the internet.  I think that is a really important conversation for this group, for a multi‑stakeholder group because they must pull together through industry, governments, the device of academia society.  I've got a lot more to say, but I'd better stop. 

The purpose to defend the peace, cooperation, openness of the cyber space, I believe the community will eventually come up with a solution.  This solution may be political declarations or certain legally binding treaties.  We believe had these possibilities do exist.  However, the key thing is we not have a consensus to fess up to this arms race and the authorization of the cyber space and we need to workout what we should do and conduct a discussion on this issue.  Thank you.

And sometimes we assume the country have the expertise and the capability and the knowledge to do attribution or operation of the stuff that is needed to actually get into a point.  But you know experience from my team, which is a little more, you know, comfortable of talking about capacity building, this is something that we actually need to do and it's development at work.  And sometimes we go encounters that don't even have incident with capability in place. 

So how we can expect to have that kind of a country reacting and even endorse organize understanding what a confident measure is if they don't have at all the understanding of the overall definition. 

So in the discussion, I think it's important to understand that out of the one remember, 130 are considered developing countries and part of this, they don't have the ability to understand, but not because they don't understand that they're don't have the intelligence to understand, simply they don't have the knowledge and expertise and this is something that us as a international community we need to push for. 

And then we can designate all the processes in helping the countries to endorse all the elements that we have been discussing, including even kind of getting into the adopting confident level and measure whether they are voluntary, binding, or whatever.  I think that's the an important element we need to take into consideration.

But having said that, and we do a lot of work how to enable in a peace‑keeping, peace building rights detection.  The discussion here, our experience was that is it was for think tanks related to governments, very few NGOs have engaged and wanted to be in dialogue or thinking about hard security questions.  So this is just the way it is, and we have to open it.  But it is also ‑‑ these things are so complex sometimes that it will be take sometime to acquire the capability with each cyber in a peace related NGOs to be part of a discussion. 

So the government has come up with a unified payment which I think is an important public good so you look at security from a positive rights.  And second headline ‑‑ I don't have time.

But on top of that, we should invest collectively to build capacity in the legal square and also in the diplomatic square, and I think that will help readily to increase the number of countries and actors that are able to engage in capacity building.  Also, ideas like the attribution council are interesting contributions to the discussion. 

That being said of course, indeed we have to underscore that I want to underscore that attribution is not only a matter indeed of technical forensics, it is also a matter and it has already been stated before, of a legal and political process.  And when a country ‑‑ that being said, capacity building will definitely enhance collective abilities to do so.  And when we do that, we will have better opportunities to call out to hold days who do have the responsibility in cyber space to account, we can do it by peer pressure and by increasing the number of countries that do want to adhere to rules and make and bring to the surface those who don't and that will hopefully help to increase stability and peace in cyber space.

I think it is important to allow that it applies not only to civil society voices but also the voices of ‑‑ it has been said voices of stakeholders of developing countries as a whole.  And I think it would be good to address that problem is to ‑‑ national and general IGFs.  I think they offer ‑‑ they have very potential and nice opportunity to be able to at the local and national levels and even regional levels to be able to address these issues in a much more meaningful way. 

And then to make sure that they are making to being those perspectives to the global, and not only under the IGF but also internet governance.  So that's the first number.  Also about the unconnected.  I think creating and enabling environment for the fleshing of community networks, then it could be able to not only to create much more secure ecosystems but also to be able to bend and connect it to the online world and be able to represent their views and controvert not only to views but also to session. 

And I think we need a lot of a lot more translators in this space that can create a bridge and we're not appreciating the need for that capacity.  So I would like to suggest that we develop a new course of diplotechs.  But I really think that bridging communities is one important step to go forward and also rise or increase, you know, the number of impact initiatives that actually yields the change we want to see.

I'd like to thank all of the panel, participants, and organizers for what was clearly a well thought out, well organized set of presentations. 

Cybersecurity discussions have been on the IGF census since the very very earliest days.  Clearly, issues evolve and escalate.  But the discussion is also evolving as well.  One of the things we hear quite often at the IGF is that it's not a decisionmaking forum.  But I think this forum also proves how important the discussion is.  These issues are complex.  They evolve.  They're very nuanced.  They clearly involve many different viewpoints, whether that's through the different stakeholders or equally regional differences, national differences.  It takes time to unpack those.  It takes time to listen and learn.  At the same time, we've seen real concrete actions come out here. 

Well, the IGF is not a place for those binding decisions, they do very clearly inform actions that are taken back to the local and national level.  Whether that's taken back through private sector activity or taken back through government activities, through some of the IGF intercessional activities, such as the best practice forums or national regional IGF initiatives, there is clear action being driven from the discussions here. 

We are not robust enough as a forum to take binding decisions.  We were not constituted that way.  We are not mandated that way.  That does not give any lesser value to the work we do here and the discussions we have.  So while respecting very very much the call for more specificity, more outcome, I think that we'll evolve.  We've had a number of discussions today that we said it's a process.  We start with discussions.  We look for commonality, some agreement, perhaps strike some norms.  And ultimately if appropriate, it may become policy.  That to me is a clear action oriented process and I'm glad for one that we actually give time to these complex policy and regulatory discussions.  I don't believe that fast policy necessarily equates to good policy. 

I think I'd like to just close very quickly by thanking Switzerland as the host country for doing everything they've done to not only facilitate this session of course but all the other aspects of this conference.  It does take an awful lot, and it's come together over the last year very, very well.  With that, I will turn to close the session with my sincere thanks for everything you've done to support this particular one.

This session has made it very clear that we have many challenges with regards to cybersecurity, but also I believe we all know that if we come close to a normative framework in cyber space, if we can agree on a normative framework, the rewards will be very high.  We should not lose out from our site that what's ignite us all, the cyber space, it's free, it's open, secure, and used for peaceful purposes. 

And even though we might have divergent use on what are the priorities, where we should participate and what exactly should be done, I think we also have some building blocks on which we can agree.  I guess we agree that the multi‑stakeholder approach is the right one.  We agree that we need some voluntary norms of state behavior in cyber space.  We agree that more confidence building measures will help to establish trust between states, and we agree that more capacity building is needed especially for those states who do not have enough expertise to take part in these debates.  

And for my country, for my government of course all these building blocks have to be firmly anchored in existing international law.  And even though the UN GGE has not been able to agree on a report, I believe we were all agreed that existing international law applies to cyber space.  And as was said after being more vocal, ask governments how we think international law applies to cyber space.  What exactly do we mean when we say international law is applicable

And for my government, it's the UN chart in its entirety and we will put the focus on peace on resolution of conflict.  Of course, we would put the focus on the prohibition of the use or threat of force. 

But for the sake of being comprehensive, we would also say there's article 51 and the charge under which very specific circumstances can be applicable. 

And then we have the international customary law on the principles of state responsibility and due indigenous which has been mentioned several times here in this forum.  And it is an important one because it obliges states to make sure that if they become aware of ‑‑ or that they have to do everything to stop internationally wrongful acts emanating from their territory, and I see the lady here of the human rights council just a few meters away and of the founding city of the ICRC I also have to mention the applicability of international humanitarian law and human rights. 

That's for us, a given, of course.  While we should make our best efforts to find agreement and consensus on how international law applies, I'm aware these are difficult discussions and might need more time. 

But we should then base our work in the future, I believe, on what we have agreed upon, and we have two very good reports in 2013 and 2015 of the UN GGE and we should look into how we can make these reports and these recommendations much more operational and that more states and more stakeholders are aware of these reports.  RFRN I believe many politicians in Switzerland have never heard of the UN GGE.  They have no idea the COD has developed 16 confidence building measures fall I think there we have still a huge task ahead of us to make these building blocks of enormative framework so to say more known. 

And as I said, capacity building, much more can be done here.  It's been mentioned also, parliaments, I think that would be a good access to work on, and confidence building measures, being transparative in your capacity is what you have, having points of contacts, exchanging information on your doctrines.  I think these are important things.  And in the regional forum and others, important work is to be done and we should continue to pursue that work.

 

Contact Information

United Nations
Secretariat of the Internet Governance Forum (IGF)

Villa Le Bocage
Palais des Nations,
CH-1211 Geneva 10
Switzerland

igf [at] un [dot] org
+41 (0) 229 173 411