IGF 2017 - Day 3 - Room XXI - OF64 OAS/OEA and the Promotion of National Cybersecurity Strategies in the Americas

 

The following are the outputs of the real-time captioning taken during the Twelfth Annual Meeting of the Internet Governance Forum (IGF) in Geneva, Switzerland, from 17 to 21 December 2017. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

 

>> MODERATOR: Good afternoon, everyone.  Thank you very much.  We are about to start the forum.  So we ask for the previous presentation, if they want to continue in another room.  So on behalf of the OAS, we would like to thank our panelists today.  The assistant secretary of state for cybersecurity at the U.S. Department of State.  Mr. Victor Lagunes, CIO of the Republic of Mexico.  Laurent Bernat, cybersecurity and privacy risk analyst at the Organisation for Economic Co-operation and Development, OECD.  And Ms. Barbara Marchiori, Organization of American States.  The purpose of this forum is to share with you the member states on the development of national cybersecurity strategies.  We have been working on three main areas, policy development, capacity building, research and outreach on the policy development, basically working on national policy authorities, a new working group that has been established on cyberspace, on capacity building, working on several exercises, development of CERTs, a platform (?) and more focused on documents (?) and awareness.

This year there have been different beneficiary countries through the participation of training, through the strategies in the Americas platform or different reports.  They have received direct assistance.  (?) Have adopted or national authorities.  We have eight countries that have adopted national security strategy.  The last one has been the government of Mexico.  That's why we invited Mr. Victor Lagunes to share how this process of development of the Mexican strategy. 

There are three others, the Dominican Republic and also other governments (?) Honduras and other member states that we are going to engage in in 2018.  (?) Working group that was established by OAS in 2017.  And the main purpose of this working group which we hope to reach a consensus will take place in February 2018.

These are some achievements on the CERTs side.  Basically, since 2004, there are now 21 CERTs.  There are certain numbers we have given direct assistance.  We are looking forward to next year, having the Dominican Republic and Guatemala on board.  And having more exercise carried out and actually ‑‑ well, continue with certain elevations on certain countries.  This is a platform for communication and information sharing on government CERTs.  Including academic CERTs that we are working and trying to reinforce.  In the Americas.  There is one case that has been famous, the impact for which to (?) today we received the news of the incident.  On training, there are more than 10,000 officials that have been trained over five years.  More than 5,000 over the past two.  There are results of this training.  Focus not just on government but actually on private sector academia and any project that is funded by the city foundation that is focused on (?) and is looking to create digital security.  Colombia, Trinidad and Tobago and now we are expanding to the Dominican Republic and Costa Rica.  This is some of the research, looking to release one in March, another about the banking and financial sector in 2018.

We wanted to give you an overview of what we were doing.  And again, I believe Victor will give you an overview of how the government of Mexico somehow could be similar in other countries.  We'll invite to give an international perspective of the U.S. government, which is cohesive with other member states and, of course, we'll invite our colleagues at the OECD to share their perspectives on why they're looking it towards national cybersecurity, OECD and member states and share their experience in this process and what they look forward to. 

So Victor, do you want to continue? 

>> VICTOR LAGUNES: Thank you so much.  And thank you so much to my colleagues on the panel.  We set out in Mexico early in the year to find a process to hopefully engage the community, and we are publishing later in the year what could be an encompassing and overarching national strategy on cybersecurity.  The main reason why we tried a different approach was over the last years, there have been national and state level and different organizational approach that was created mainly from ‑‑ basically from the government to the citizen (?) or strategy.  It was created by different groups in society, not only society but also academia and so on.  It was rapidly (?).  And we learned that it was not the right approach today to create a policy that was supposed to create certainty and trust in our ecosystem without the feedback and really answering the questions that Civil Society had specifically. 

So we started by diagnosing the country's status.  We didn't have a lot to go on at the very beginning.  There were a lot of global numbers, statistics and so on.  And of course, we tried to extrapolate those into a national impact.  Then we were able to create some numbers nationwide.  Anywhere between ‑‑ different how you measure it ‑‑ but anywhere between 3 billion to 5 billion U.S. dollars are lost due to cybersecurity that is exploited (?).  And that creates a big issue, and also it's grown exponentially not only in Mexico but in the whole region. 

Mexico has around 70% of people connected.  So, you know, we came from the last five years of having half the country not connected to 70% growth.  So still having the first generation teenagers holding a hand‑held for the first time and that creates a specific scenario for Mexico which is very advanced on many levels and many sectors, but also some people are connecting for the first time into the digital world. 

As I mentioned this year, we've created with the support of the OAS a collaboration platform that was done through many foras and debate events.  We created three workshops in which we invited and not only the OAS but actually an active participant and also a vehicle to invite other international experts that could provide feedback and their own contributions into the process. 

We published an open document that was co‑created with Civil Society as a whole.  So we are glad to say that when the document was published, it was actually crowdsourced or co‑created with Civil Society.  Next, please. 

I mentioned here the five different things that we have.  And it's important to highlight that we wanted to mature the conversation within the country.  And by saying so, we didn't leave any topic behind.  And it's usually said and stated that cybersecurity, once implemented, it goes against some other criteria such as privacy or data protection or, you know, censorship and so on.  The reality that this strategy as a private document and private initiative so that we can ensure the conversation within those groups.  And we can actually debate those topics and reach common points beforehand.  And then once we have the policy ‑‑ public ‑‑ published, it was actually signed off by all the different groups.  And we created a different dynamic and a different synergy because of that.  Next, please. 

So on October 11th, we created a commission within the government of the ministry of public affairs in Mexico.  And that is a vehicle in which to publish the document.  And also from there, we published the strategy.  Next, please. 

It encompasses five objectives.  Society and rights, economic innovation, policy institutions, public security and national security.  Next, please. 

And the overarching initiatives here are really the task forces or the groups with different initiatives that are going to be drilling down different projects that we'll be working on over the next months.  Cybersecurity awareness.  This is mainly around education.  A lot of awareness campaigns within the ministry of education, also police and cybersecurity units.  To be able to educate our children in different sectors into what it is to be connected.  Capacity development, challenge and, of course, technology.  Coordination or collaboration nationwide and international.  (?) Directly with academia.  (?) Same area.  Critical infrastructure I think pertains to, of course, energy, oil and gas but also banking sector in the country.  Legal framework.  We need to find better or more agile ways to follow suit in terms of new crimes or new cyber crimes and how that pertains to legislation.  And measuring (?) feedback and agile enough to (?).  So we had it published in both Spanish and English on this URL.  You are welcome to go in and highlight and provide comments and questions to us from there. 

And overall, this is the first ‑‑ one of the steps towards strengthening and establishing more trust and more certainty in the country.  Hopefully we are able to create the second and third steps rapidly to be able to implement our strategy for the next six months.  Thank you again. 

>> MODERATOR: Thank you, Victor.  Thank you very much.  Thanks, Belisario and thanks to OAS for organizing this session.  Given the global and interconnectedness in cyber space, the United States recognizes the importance of working with our allies and partners to realize our vision of an open, interoperable and reliable and secure Internet and realize this is particularly important in the Western Hemisphere. 

As an international community, we are dependent on our collective cybersecurity capacity, and we are each only as strong as our weakest link.  The United States has identified the full range of cyber issues including international security, cybersecurity due diligence, Internet governance and Internet freedom as a national and international policy imperative. 

A key priority objective of this administration, the United States Department of State promotes the U.S. vision for cyberspace by actively working with our close partners and allies, by working with emerging cyberspace, and even working with states that we don't always see eye to eye with.  As part of our approach to cyber engagement, cyber diplomats and Washington and around the world work closely with our technical experts, law enforcement officers and other key stakeholders to articulate U.S. cyber policy and respond to cyber threats, stressing that security and freedom in cyberspace must be achieved together.  Cyber capacity building programs provided by the State Department are one way the United States offers policy, legal and technical support to nations aiming to increase their access to and achieve the full benefits of the Internet and ICTs.

The United States works with global partners to shape the global agenda for cyber capacity building to meet recognized cybersecurity best practices.  These efforts allow us to coordinate with like‑minded partners to better leverage limited resources both human and capital.  Our programming stresses the following key elements: First, the State Department leverages foreign assistance tools and resources to assist our partners in developing sustainable security incident response teams.  That are capable of engaging stakeholders and assessing the needs of offering technical assistance when appropriate to improve our collective ability to combat cyber threats.

Second, we focus on national strategy and policy development.  Where new Digital Economies, new national cyber agencies and new national policies are emerging, United States assists countries to develop a well‑crafted national cyber strategies, policies and agencies that are uphold and interoperable and secure cyberspace.  The U.S. department leads U.S. government efforts to assist countries in creating national cyber strategy policies and agencies aimed at improving their cybersecurity capacities while also supporting fundamental freedoms, privacy and the free flow of information. 

The third element is cybersecurity awareness raising.  Public awareness campaigns raise awareness of cyber‑related threats and best practices worldwide.  And they empower citizens with the knowledge and a sense of shared responsibility to practice safe behaviors on the Internet.  We've partnered with NGOs, multinational organizations, like OAS, the private sector and educational institutions to increase awareness of cyber vulnerabilities. 

We also find that when partners come to the table ready to improve their cyber capacity, they are eager to make progress in all of these areas.  However, where possible, we advise them first by articulating their national aspirations and then focusing on the development of policy framework that can support those goals.  The U.S. State Department has partnered with a federally funded research and development corporation called the MITRE Corporation.  With them we've created a national cyber strategy engagement plan for diplomats to use when assisting partner governments, international cyber strategy development and implementation efforts.

This is highly flexible and based on a comprehensive study of existing cyber tools including methodology.  Our engagement plan focuses on eight elements that cover a range of foundational governance, operational, and enabling capabilities that we believe provide the foundation of an effective national cyber strategy.  I think it's worth noting here that because to some extent, these are common elements found in our approach dictate work in the region and even the preferred methods of our partners represented here today.  Those elements include strategic foundation, policy and governments, in other words, where we look at relevant standards and regulation, thinking about the resources, the allocation, distribution of resources that are deployed to cybersecurity, risk management, risk management approach that is essential to national strategy development and implementation because it allows a country to measure the vulnerabilities against realistic threats and available resources. 

We also look at cyber crime.  This is referring to a country's capacity to prevent, identify, respond to and prosecute cyber and cyber‑related crimes.  Next is key partnerships.  We think about both internal and external partnerships that can support a nation's cyber strategy.  The last element is cybersecurity culture and workforce.  Relating to the education continuum encompasses public messaging, cyber‑related skills and job training and expert‑level training for particular cybersecurity functions.  It's important to recognize that every government including the U.S. government will prioritize these differently.  The goal of our engagement is identify the areas for additional work to help strengthen and implement our partners' cybersecurity strategies and to provide actionable, quick wins as well as long‑term steps that they can take to address those priority areas. 

We've been fortunate to see firsthand the successful engagement on national strategy development and implementation in the western hemisphere.  Among the first and most dedicated in carving out (?) for this process.  We have gladly contributed to this effort most recently for our participation in a week‑long roundtable discussion in Mexico City in April as well as in July.  On that note, I would like to recognize the government of Mexico for its achievement of accomplishing national security strategy that Victor just explained. 

From our perspective our efforts have strengthened our collective security and we look forward to continuing to cooperate with them.

Thank you. 

>> MODERATOR: Thank you.  Thank you very much for your input and participation.  Thank you very much for being here today. 

>> PANELIST: Thank you very much for inviting me.  The OECD has been working for many years in the area of digital security, and I was lucky to participate in the efforts carried out with Colombia and Mexico to help the country develop a national cybersecurity strategy.  I could go through the OECD recommendations and instruments and documents, but I'm not going to do that.  I'm just going to focus on a few messages that are probably the most important, that is from my perspective, taking into account OAS in these countries.  And these messages are the following.  The first thing that government faces when it tries to develop a national cybersecurity strategy is that it thinks it's developing ‑‑ it's addressing one area, and it is to some extent addressing one area, but in reality, it is addressing a multifaceted area.  It could be seen as several areas brought together.  So it needs to develop a holistic policy framework for something that is multifaceted that has different facets. 

We could discuss forever how many facets and which ones there are.  We can simplify to solve.  And there is no order.  The first one from an OECD perspective is economic and social prosperity.  You want security because you want to realize the full benefits of ICTs for innovation, for growth, for prosperity.  You want to fight against criminals.  That's another object of cyber crime.  And also cybersecurity issues related to defense, conflict prevention, other aspects related to national security and international security.  That's another facet.  And I should add (?) this one, there are technical aspects to cybersecurity.  And that's also a huge area that has to be addressed and likes to stand out, et cetera.

We need to work together with ‑‑ sometimes they complement each other, but they also compete with each other.  And the governments have to find the right mechanisms to balance dimensions in order for them to really implement, help each other.  That's the first aspect.  And it relates to the governance ‑‑ governments have to face and the appropriate government mechanism, the appropriate mechanism that will do this balancing exercise appropriately, varies across countries. 

The other important message is that some economic and social prosperity it's not always well understood.  This is a risk management issue.  This is not that the policy should create a safe and secure digital environment because this is just not possible.  The policy has to educate, promote an approach to digital security which is based on the management of risk to economic and social activities.  That means that everyone has a responsibility in using ICTs or in developing ICTs to enable ‑‑ to manage the risk or to enable users of ICTs to manage the risk.  Risk management is extremely important because when you actually secure something, you're also, to some extent, limiting something else.  So if you think you are going to have a safe and secure environment, you will definitely close it, and you will reduce the potential to use it for economic and social prosperity.  By managing the risk, taking into account the context, you will help achieve all the benefits from the digital technologies.

The third message is because everyone shares some responsibility according to their role, cooperation is essential.  Which means that all stakeholders have a role to play, and all stakeholders should be part of the development of the policy.  How you do that will, again, vary across countries.  But cooperation is essential.  And that takes me to my last point. 

We always say security aims to create trust, to enable trust, again, from the Digital Economy to flourish or growth and prosperity to take place.  Well, if you want to reach this trust objective, you need to create the conditions for trust to be there ‑‑ to develop.  The relationship between the stakeholders in order to ‑‑ between all the stakeholders including the government in order to develop the policy and to complement it is not a one‑off.  It's not something that oh, I'm going to have a multistakeholder process in order to develop the strategy.  It's a long‑standing trust relationship that you want to establish that can be important in creating a strategy.  It's a long‑standing relationship, trust relationship, because all the stakeholders will have to implement the strategy, in every action they will take every day on using ICTs.  So it's a fundamental element.  Trust is an outcome.  But you need to have it (?) so you need to have all the stakeholders at the table and to create this trust relationship with them.  That would be my four ideas and to finish with a statement, I would say that one interesting aspect of the initiative by OAS is that by bringing international experts in countries, they could create the conditions, create the conditions for trust to be established.  I must admit, I ended up with some critics from other parts of government and business in a big room with many other officials from other countries.  And we didn't know anyone.  And we were put into a situation at the end of this journey after a week of work, we ended up having a fair discussion, a very neutral and balanced discussion with the host country in a very independent way.  And that was, I think, (?) and very useful for the country.  Thank you.

>> MODERATOR: Thank you very much. 

>> PANELIST: Hi.  Can you hear me?  I'd just like to say how trust as an input and as an outcome.  In the cybersecurity program in the OAS, we work as facilitators.  And this is actually our second open forum.  The first was last year.  And it was based on our work.  And (?) it was the main focus.  Much focus and 2017 was a very interesting year because we have four countries in the region, Chile, Costa Rica, Paraguay and Mexico.  So talk about national strategy because it is a learning process for us.  And (?) that's what we try to do, how do we foster this multistakeholder approach.  And the Mexico experience was very pleased, Victor also pointed out the importance of building trust and having all the nations engagement.  And then we have to discuss implementation.  That's the next step.  And also how important it is, trust, again, for this process because that needs to be the outcome of it. 

And trust and so many things that we have to do.  Also with different ways of saying putting one nation, area that focus areas dimensions and how you're going to put this together and so many challenges we have.  Social conflicts, shared responsibility.  So it's a lot of challenges.  We still need to keep now the next step, to make sure that (?) so I think it will be interesting to listen to the panelists and also the audience a little bit, how do you think we build this trust?  With corporations and making sure that all stakeholders are engaged. 

>> MODERATOR: Any questions.  Who will sponsor that.  Any question from the floor? 

>> AUDIENCE: Yeah, hi.  Thank you for your comments.  I'm from Brazil.  I had some thoughts.  We've been working on a national strategy in Brazil on information security.  And I'm from the ministry of foreign affairs.  And this was a debate that basically involved (?) but also civilians and administration.  I felt that by dealing with this issue, we had to face some sort of silent dilemma concerning who was in charge of what and to what extent dealing with security of information and data security, we were not at the same time dealing with the aspects that had to do with privacy and privacy of personal data.  Because basically from a perspective from someone dealing with law enforcement, the tendency is try to protect information, even if by isolating it, by denying access to it, and then it goes to what you all were saying.  You can protect the information by isolating it, but denying access to it, and that's it.  But then you have this problem with the economic value of data of information.  This is one aspect.  So when this topic is dealt by people from security branch of the government and et cetera, they tend to consider it as a national security problem, et cetera, et cetera.  And then the tendencies to try to protect despite what Laurent said about the economic value. 

But there is also another issue that has to do with the privacy value of things.  Personal data is something that should not be dealt with in the same way as, for example, public information or certain government information.  So we also had to face this dilemma.  To what extent government agency should be allowed to have surveillance over private data in order to protect people from cyber breaches or whatever.  There's some thoughts that came up from my experience. 

We tend to work with the concept of building trust.  It's more generic, of course, not denying (?) there is such a thing as cyber crime, et cetera.  When we have to try to balance overall, you know, the economic benefits, the privacy concerns and those aspects that you were mentioning about, you know, governments, cyber crimes.  So it's basically ‑‑ I would like to have you talk about that.  Thanks. 

>> PANELIST: Offer a thought on, you know, it's you know, one thing that we have to decide, you don't have to make a choice between the sort of economic prosperity from having economic growth that we achieve from having the free flows of data and to choose between that and security of personal data.  You know, with the right types of policies and procedures and encryption in place, you can put that data anywhere in the cloud.  When it flows across borders, that's for more pattern than those that offer localization.  That alone can be kept oftentimes in a less secure environment.  That's just one, I think, if you will, smaller concept that we emphasize and we talk about it.  That's a very good point, too, about the national security side.  It's very important that we have very strong rule of law protections in place about how access by our national security agencies, you know, the citizens of our countries demand that, you know, access to data in responsive ways when protected by the rule of law. 

>> PANELIST: From the OAS perspective, we want to clarify.  First of all, our program is (?) because that doesn't work.  It doesn't work like that, period.  So it's cybersecurity or digital security or information security has failed many times.  It should be built according to the reality of each country.  In the case of Brazil, (?) it's a really big country.  And of course, the security or the national security, it would play an important role.  That's something that ‑‑ I don't know, Victor, if you want to mention later ‑‑ happened in Mexico.  He witnessed the process in Mexico.  Actually the process in Colombia where those countries have national security issues.  But that doesn't mean that there should not be economic or socioeconomic focus on this.  Because in the end, we are talking on protecting the Internet and the citizens of the country that rely on the Internet.  So the most important is to see what is there of the strategy, make sure that we are able to (?) and start from that. 

Of course, and then actually Brazil, Mexico and Argentina, maybe they have income from their federal government.  But the reality of these three countries is totally different on the economic side, on the language.  So you cannot just copy and paste from one country to another.  So it's very important maybe to (?) what to do in this reality and tailor to the needs of the country and taking the different perspectives of the region.  I don't know if you want to comment on something. 

>> PANELIST: No, I agree with your points, Belisario.  Five years ago we set out to do our implement of a national vehicle strategy.  We were basically focusing on global transformation and the implementation of services.  Also, focusing on economic growth, using technology and ITCs channel as a vehicle.  (?) Participation, et cetera.  And we led the cybersecurity to our national security agencies.  So the operation was started.  We later realized that it has to be in concert.  It was not an option of policy that could be led or driven by our national security agency in an operational manner.  It had to be, you know, open.  It has to be discussed openly.  The gap between what I mentioned around (?) having their agenda, very strong points, again, for privacy.  That they don't prevent cybersecurity policy to be implemented.  They don't ‑‑ the value of highly open debate, we figured out that we couldn't implement it fully.  Basically we reached that common goal in the last basically value policy we established was the mechanism in which one, they could implement it.  Of course, investigate and prosecute cyber crime.  As well as, you know, protecting human rights online.  So that's the way that we found that we could have a mature conversation and have a more rich ecosystem in the country, a much more open and much more vocal academia and so on.  But in a way that we could implement it.  With censors.  Basically with an agreement of all sorts with different areas of the country. 

>> PANELIST: Thank you.  I think one ‑‑ one thing I do want to discover on the national cybersecurity strategy that I didn't know, one thing I look for is the vision.  And it may look like something (?) and it's sometimes just a couple of sentences.  But what is the vision?  Very often there are strategies with many initiatives which are good but no vision.  And so they are not really strategies.  They are compilations but not really strategy documents.  The problem that countries face is that everything in that area is very difficult to think in silos.  If their talking point to think in terms of who is going to do it, it's likely to fall into one facet of the government at the expense of the other. 

With Colombia and Mexico and as you just said, it was really interesting because you had this huge effort, great effort to bring ICTs to bring access to the Internet to the population for, you know, in Colombia, one of the goals of digital was reduce privacy.  A very clear objective with the cybersecurity process in the government more related to national security or cyber crime.  And my reaction was, like, okay, you use the ICTs, but somehow those who will use it and those who promote it should not have any leadership (?) should not do this process when it comes to the risks.  There's something wrong here.  It should be more holistic.  And of course to make it holistic you need to have different people from different ministries and national security and the other to come to the same table and discuss.  And the problem here is that there are knowledge gaps, national security people see the world from national security and that's probably a good thing, right?  And the same on the other side.  Access is good.  And national security is a priority of ministries of technology.  So there's a gap that needs to be bridged.  And the development of the vision is probably magnifies that yes, you may end up with a single one, but it's a fundamental part of.  If everybody in the government agrees on that aspect, then you can start to fill the holes.  But with the leadership in the area where the need, incorporating to ensure that it's balanced and work together.  And that's one way to balance ‑‑ we have that (?) I said I would not talk about it.  For economic and social posterity which includes recommendations for developing national cybersecurity.  From that angle.  And one is to get the leadership for the whole process, for this holistic process from the highest level of government.  Because that's where the level where things can be balanced.  That's the level where the objectives of the various sides can be balanced.  So that's one. 

And privacy is essential, as you've rightly noted.  And again, it probably helps to have a privacy framework that's there before.  If there is no clear privacy framework, privacy protection, then yes, it's going to be more complicated to develop both at the same time or to realize the issues on one.  So the idea (?) digital security also deals with privacy protection.  These two are very much interrelated. 

>> AUDIENCE: Hi.  My name is John Lopez.  I'm from Colombia.  We agree that cybersecurity is a long‑standing relationship in a multistakeholder perspective.  The thing is in the Colombian government, they are creating two policies that can create risk for the citizens' rights.

And they speak about transparency, and they need something like ten days, 300 pages.  And they think that this is transparency.  And this is a multistakeholder perspective.  And also, when we try to participate in cybersecurity, they tend to think that we are trying to hurt the government.  And we are creating those comments based on international standards created by the OECD.  So I think it's important to speak about the big issue of transparency and multistakeholder in cybersecurity when a government doesn't give us enough space to participate. 

>> AUDIENCE: My name is Gabrielle Soto.  I'm from Brazil.  I have a question about the European Union, we have the DPPR that has been developed.  And I have a question about in the perspective of America, the consent.  And in another perspective about cooperation and the private sector is there is a direction that or recommendation under the cyber ‑‑ the cyber crimes and cybersecurity that they can adopt on this respect.  Thank you. 

>> MODERATOR: Any other comments or questions?  So maybe Laurent can provide more input because I know that Colombia is trying to get into the OECD process and follow the recommendations.  You mentioned I think they need to fulfill something, and I will leave that to Laurent.  And we try to promote the multiple dual parties.  Regarding Soto, the DPPR, I don't know if unfortunately or fortunately the government works based on mandates.  We are responsible for the cybersecurity mandates.  Sometimes or many times privacy are very linked to privacy issues.  Right now we have a mandate to work on this issue.  We do give recommendations to governments to look at this.  We actually work very closely with the Commission of human rights.  For example, in the case of publicly, we were working with a woman in Guatemala.  They were drafting a law on cyber crime.  And we suggested to ask inputs from the inspection commission ‑‑ sorry, special rapporteurship, provide us input on these issues.  These are some cases where (?) really behind, critical decision.  It doesn't mean it's not critical.  So it's always case by case.  We do work very closely with the private sector.  We have a close relationship with Microsoft, with Amazon.  We are, of course, about to file a couple of white papers with these organizations.  And I want to say that most of them recognize the importance of working together with law enforcement and the final users.  With Microsoft, for example, we are actually training two people.  We have differing initiatives actually available for them. 

>> PANELIST: About your question specifically, it's very different from (?) issue a regulation and then make member states adopt.  I know we don't have a specific mandate to understand the privacy, it's important for nations' privacy.  So that's something that's important to include when members say during the process of development of national cybersecurity strategies, one of the questions, of course, when you're assessing the regulation, what do you have, what policies are implemented.  You have a (?) it's always a topic that is considered (?) about the importance of privacy.  That's why we have international experts.  It's an important practice.  We invite someone that is an analyst to come with us to discuss these topics.  So that's how we approach the matter. 

>> MODERATOR: Really when we went to Mexico or going to any country, it's not just OAS officials.  There is a group of experts, academia, Civil Society, private sector, government, even other international organizations from around the world.  We try to provide (?) some of them are considered.  Some of them are not.  We are not a mandatory organization.  We can just provide recommendations based on the requests of the member states.  We're trying always to assist.  And if you want to add something else. 

>> PANELIST: I can try to respond to the point on the transparency by actually responding to the question at the beginning.  Once there is agreement and consensus on the need for transparency, still there is a need to understand what (?).  And it's true that recommendations like the one of the OECD, the building blocks are fundamental but they don't go into detail. 

What we do is dive into each of these building blocks and see the meaning and what kind of good practice could we promote through a consensus process at the OECD for countries to have a better understanding of what they should do to be effective.  Again, it's not so much a (?) it's more like what works and what doesn't work.  Transparency the problem is not so much ‑‑ it is, of course, a problem not to do it well.  But it's just not going to establish the trust that you need in order for people to act responsibly, which means to actually do what they should do when they use an ICT. 

The other is it may have an immediate political benefit in not being too transparent, but it has not solved your problem.  I could name three things off the top of my head to get the trust ‑‑ there needs to be this cooperation and institutionalized.  And to some extent, this is what we've done with OECD.  We have institutionalized the representation of the business and industry, Civil Society, the Technical Community, and the trade unions.  So institutionalization is important because it shows that this is not a one‑off.  It's a long‑term thing, a long‑term relationship.  It's a mindset.  It's the culture.  Not just only political benefits.  Another aspect is we need clear processes.  (?) Cooperation.  It's not going to be yeah, we have a workshop.  It's going to be a whole cycle, a whole life cycle that never ends because best practices will be reviewed.  You will have to get the feedback on the implementation.  Of course, top‑down is the last point.  It's not just the process, it's all the documents, transparency of who participates.  So many countries establish groups which are long‑standing with representatives of many different sectors as a way to institutionalize. 

Getting out of the one‑offs, let's get out of cybersecurity strategy.  But let's create the conditions for the culture of digital security risk management or whatever cybersecurity risk management.  Whatever you call it in the long run because it's about fundamental change to the economic society that ICTs are bringing.  It's not just one issue that will be solved.  It's going to be with us for decades and decades. 

>> PANELIST: Specifically about the Colombian strategy, I think it's important to offer (?) a difference from 2011 to 2016.  If you're talking about the cybersecurity strategy, now it's the national initiative security policy.  They did introduce the topic of participation in the party.  Actually, it was important not only for Colombia but for the region as well.  It's a very good message.  It's a long‑term process.  There is a long way.  But (?) trying this process to make it more multistakeholder.  So in the beginning the report recognizes the work because we have that in the strategy.  It was a very important improvement, of course, to a lot of work.  And it's going to be reviewed in the future again. 

>> MODERATOR: So yes. 

>> AUDIENCE: Just quickly on the sector, in Mexico, we have basically (?) and also some task consideration that already happened.  And a lot of them with the private sector, in the U.S., of course, big social media outlets, in which, for example, there is an investigation happening and, you know, potential persons of interest when they are investigated, we do have those channels open with (?) so to be able to investigate fully.  And I mentioned that because it's a very transparent process in which governments get help and corporations actually support the (?) I have to say the process is faster.  It's all of these companies in the country.  And finally, we do have signed agreements with Microsoft about best practices but to monitor and (?) where they monitor and viruses (?) able to gain more information and be able to share it to our citizens in a more (?) way. 

>> AUDIENCE: Thank you very much.  My name is Julia.  I'm also from Brazil.  (?) I would like to hear ‑‑ I'd like to hear from the panel, how do you see the militarization of cybersecurity especially in Brazil.  Because the Army has social media, for instance, but the efforts for cyber crimes such as, like, fraud and money laundering are not ‑‑ they don't have so much focus.  So how do you see this, especially in America? 

>> PANELIST: It would be very difficult in any other country because it's not ‑‑ because, you know ‑‑ but, again, as we mentioned, we promote (?) a pretty open and secure Internet.  It plays a role.  Actually the diplomats, private sector Civil Society, everyone has a role to play.  We're not really in a position to provide (?) international. 

>> PANELIST: I would emphasize those points that we really need the stability, also speak freely and emphasize that freely use on the Internet, democracy, the public debate, and, you know, fortunately almost all the western hemisphere, that's very possible.  You know, and that freedom needs to be very strong in our hemisphere, which is a very positive thing, and we want to see around the world more progress made for citizens to speak. 

And just on cyber crime, one thing that at the Budapest convention from 2002, that provides very important mechanisms for sharing information to go after cyber crime. 

>> MODERATOR: I believe, you know, it has to be in a way that is transparent.  Also, we need to allow governments to have the tools to be able to prosecute and to investigate cyber crimes.  And to allow ourselves to be protected in such a way that we are in a country where certain things are happening.  Crimes have been committed.  So with those two mechanisms need to be, of course, implemented in such a way that are implemented in a first‑world environment and can be shared, the mechanisms.  You know, many countries are in a situation ‑‑ and I can only speak as to Mexico ‑‑ where more and more advances in the technology and more and more technologies have been invented.  And there needs to be a response.  And technology and solutions.  And while implementing those solutions, you know, could be the implementation of this reaction.  There has to be collaboration with society, collaboration with legislation around it.  But that's a conversation that needs to happen.  This is not a misuse of these technologies and so on.  But the use of these technologies to be able to protect ourselves from the crimes being committed.  Which is in member states, within Mexico at least, basically the cyber crimes fell, this actually happened (?)

>> MODERATOR: With that, we'd like to thank Barbara for your participation and all of you for your time and interest for being here.  Thank you very much, and we'll adjourn the session. 

[ Applause ]

(The session concluded at 16:13.)