This is now a legacy site and could be not up to date. Please move to the new IGF Website at

You are here

IGF 2018 - Day 3 - Salle II - WS281 Public-Private-Civil Partnerships in Cyber Capacity Building

The following are the outputs of the real-time captioning taken during the Thirteenth Annual Meeting of the Internet Governance Forum (IGF) in Paris, France, from 12 to 14 November 2018. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 



>> So, hello, again. I'm Patrick Pavlak. I work for the institution of studies here in Paris but I'm a co-chair of the global expertise. I'm very happy to have with me several members of the advisory board but also people who are members of the GHC themselves.

      And the focus of this session on public-private-civic partnerships so it's something that we decided to bring this conversation for a simple reason. One that we have something to offer. Something that's built up in the private actors still. But secondly to recognize the fact that civil society organizations themselves are involved in the implementation of the capacity building project. Something that doesn't get enough recognition in my view. To discuss this, I have six panelists. For the sake of time, we only have one now. We're going to keep it short and sweet and hopefully engage in a conversation with you afterwards.

      Feel free to add to the discussion if you're involved in these activities. Hopefully we'll have a good conversation afterwards.

      To kick us off, we'll start with a few general questions where I hope the panelists will be able to contribute and open for the conversation. I will start with a question to Catherine who has been involved on the side of the secretariat and the institutions and civil society organizations. With a question on this broad triangular relationship. And how does it work in practice in your view? And I have started with a very simple assumption that it's not working really well still that we see only on one side of the relationship. What role do they play? What drives them? How do we build better incentives to build the partnerships. Do we need them at all? We talk about public-private partnership or the broader corporation, that's something that's enough. Why don't we start with you, Manon with a very good overview on the side of the secretariat with the initiatives going on, the working groups, and you have over 60 members, I think. So please go ahead.

     >> MANON VAN TIENHOVEN: So it's a platform which encourages international cooperation or cybercapacity building. It's built on the multi-stake holder model. It's members and partners, members being countries, international organizations, private companies. As well as partners. Civil society.

      I think already there was a call for more importance of the civil society which led to the installation of the advisory board. I believe it's on the content to the stakeholders to join the table. At the beginning, the structure of the GOP was focused on the initiatives which was focused on the members with the slight involvement of some partners.

      I think with the creation of the Delhi communique, endorsed by the insider GAC community, members, partners, as well as the advisory board, which created a common know Cus on cyber capacity building that it created the working groups which provides more room for the inclusion of all stakeholders.

      So the movement that the GAC made from awareness to implementation to have more stakeholders was at the table.

     >> If I can ask a quick follow-up question. Last year, the GAC has moved in the direction of having partner organizations involving the process. And I think that might be of interest for many people in the room who actually would think of becoming a partner. What is their role. How can they get involved and contact the secretariat? What would be the steps to do that?

     >> MANON VAN TIEHOVEN: We need the partners because that's where the expertise is. Implementing partners, the encyclopedia and in the process of cyber capacity building. So we're trying to do this by creating a cyber capacity building knowledge portal, which is we have a smaller advisory group, positions that are trying to set up this portal. But to have the content that we need for the implementation on the portal. We need to have partners. So if you're interested to become connected with the GAC community, please send an e-mail to the secretariat or talk to one of the advisory board members or talk to me after this session.

     >> How many of you have heard of the GAC before, so I know what is the level of the awareness in the room. Okay? Not that many. So I think we may also want to incorporate some elements and what the GAC actually does and how you are involved in the whole process.

      Catherine, would you like to continue?

     >> CATHERINE GARCIA van HEOGSTRATEN: After MANON talked about it, it's important to go back to three pillars. It will clear in the governance structure, that is clear and transparent to the members.

      So in my current research to counter cyber crime, I mentioned this in a prior workshop, such a governance structure is sometimes not clear or transparent. So I think if we tackle this specific aspect that create more trust, I think we can attract and also create incentives, as you mentioned, Patrick, on -- on basically going for partnerships.

      Cyber crimes makes a very sensitive case for PPPs, and if you look at the framework for PPPs that is within the convention -- the developer's convention, very much relies on regulatory -- regulatory approach. And so there are specific articles, for instance, in the conventions, 16 to 21 specifically that speaks about this need for a -- for a legal basis for a -- for a partnership.

      So, I will start with that. Note of seeking clarity of the goals in order to create incentives for the partnership s to come up.

      The private sector is specifically has been very in a way, there are initiatives. I'm looking at my research to look at the cases and good practices to add to that, I will say the economic forum has come across with some specific principles or guidelines for private-public partnerships in the field of cyber crimes or to counter cyber crimes. And obviously, it's also worth to mention that you talked to me about convention, that is being discussed still and undergoing discussions. So, that's for -- for just for preliminary thoughts on your questions.

     >> Quick follow-up. So from your research, what is the extent -- you mentioned it from public transparency and private-public partnerships which fields a gap that they're going to provide. Is this happening? We all know that the enforcement corporations are probably one of the most secretive areas.

     >> Exactly. Exactly. Most of the cases in the course of my research are, of course, drawing attention to corporations and the different work between law enforcement and obviously the states, the governments.

      However, for instance, I can show -- I can talk sharply about one case that which is -- if you have heard -- 0 is an application, it's a chat box that was created or NGO so representing civil society together in your X or Y company, I cannot recall the name. It's been deployer ready and it has been already been -- yeah, causing some of the same time of -- of bringing some attention on the effectiveness of this -- this chat box that was deployed to help in this case, the NGO, to tackle and trace, it was on-line sexual exploitation of children and sexual terrorism.

      One of the outcomes of these deployments, of this technology based on the PPPs has been that -- there's been an enactment of and a specific law where mostly the -- most of the cases were traced.

      Once again, we go back to the framework. There is so far the only case I know at the moment based on PPPs to counter cyber crime where civil society in this case has deployed based on the framework of PPPs technology to prevent in this case but also to find evidence against cyber criminals.

      So, I could mention there is a -- there is a lengthy report of University of light and, of course, the blowbacks and also the -- the important impact of the -- of this partnership. But I think it's from the general point of view, I think it's a step forward and I see these in a sense that can give some light on future interventions or by anticipation of civil society in the framework PPPs.

     >> Thank you very much. We'll change a bit in direction and by those in terms of the ordinance being done. You always have the conversation and exchangs. How do we bring more in the south of this conversation. And we started some research work in the direction. I was wondering if you could give us a bit more exactly on how the ecosystem looks. What are the main challenges? How -- where or how badly is the whole system worth and how it's part of the conversation.

     >> Thank you, Patryk for the difficult question. We started to collect evidence on the models, on the public-private partnerships, public-private interplays and the collaboration. You need to implement policy making on cybersecurity.

      And we -- so we have observed that the -- the structure on this issue comes from the sector regulation where historically the private sector was in order to somehow support governments where there is budget deficit or shortage of skews, therefore public-private partnerships are more conscriptive were somehow established, especially for broadband rollout.

      But at the same time, the internet and the infrastructure has evolved, there has been observed the need for making this kind of partnerships less prescriptive but rather cryptive.

      And therefore to increase -- descriptive, therefore, to release the relationship between public and private sector, it's going towards interplay. So not anymore formalized in the structured partnership, but more an interplay between public and private sector.

      Then, of course, with the internet, the need of cross border or international cooperation, the inclusion of the actors and partners within this collaboration has emerged very strong. And then the devolution of this sort of interplay into the multi-stakeholder collaboration that can take these forms.

      We have analyzed, for instance, the case of Marisius. Because it's ranked as the top African country in the global cybersecurity index in 2017. The island wants to become regional hub for ICP in the region. After the internet industry for Africa is based also in Marisius and the country has well developed national cybersecurity strategy in 2019.

      And they've got a specific goal, number three, which is they want to develop an efficient collaborative model between the authorities and the business communities. For cyber security. So the implementation of the strategy, we have observed the evolution of the models. The first one -- first phase as we called it, had basically a number of predefined roads and you have the dependency between the different actors involved. SOF it was very prescriptive. A lot of flexibility. And they put some sort of structure -- so similar to PPP model. In the model involved towards more interaction rather than the reporting lines between these different actors. The model was more descriptive and there was a robust information sharing between the -- the different actors. It was actually one of the main successes of that collaboration. And the model was more open.

      Then the model did not really include organizations in the scope that they should be basically involved because the more vulnerable with the actors together with the users in the national security space and they should play some role. Beyond the former democratic participation in public hearing and these kinds of activities.

      So why you can still see an important part of the private sector, we still understand why it's there, or owns it critical information infrastructure, special interests and they must have had permission available. Still couldn't we see a very strong participation of the same level of the civil society in the country.

     >> Thank you for this. We'll actually have two government representatives, but also regional organizations, I think. Who are involved on the government side, now working for the government and the other for a regional organization.

      How do you -- how do you go and see the involvement of civil society in those efforts? Yes, as implementing projects in Latin America for years now in success. I wonder to what extent your cooperation with civil society actors was successful or not. What part of it was -- but it's been active in the private wealth countries. What's the approach of SCO when you talk about cyber capacity building? Okay? Started with you and -- governmental strategy, in the regional organization perspective.

     >> I think I'll start at the organization-wide level. I'm with the cyber security part of the OAS. But it's generally as a regional model always ensured that society can come to the table and be part of our decision-making process. In interregional political body, the society has the option to go into the OAS website and register as a civil society and once that is done, it's not recognized that it can participate in any -- or sit in and listen to any one of our political meetings that are happening. And I think that stance alone shows that a body made up of government recognizes that civil society can calculate in the decision making.

      From the status security program perspective, we have partnered with civil society in I think so many memberships and have our membership to partner as well with security, the for example, for Mexico park by Guatemala. They ensured the process was transparent enough that civil society could come in because during the review process, ISOC had led the actual discussion, took notes, submitted a note, and pardoned the government to go through what was created.

      One of the things that I wanted to point out as well is that the civil societies that we work with, we're -- we're at the point where I think we're thinking how can we engage them more? Because the competencies can increase persons. And I think many times they think of the awareness. And I think the established program, we're trying to see how we can go beyond that. There's a need for competencies. Because some of the societies are so active and engaged in freedom of speech, digital rights. It's not just advocating, but developing tools and developing mechanisms that the societies can get them involved in the discussion.

      Another element I wanted to look at is civil society corporation actually leads to trust. If it is that they're involved in the political process and the discussion when the document does go out, there's a level from society to believe that, A, someone else looked at it. It wasn't just a government decision, it was actually a part of the process and dialogue that involved it. In the last thing I wanted to raise is we also have a model where we're trying to merge civil society and private sector with our convenient power. A good example of that is we have an ongoing project called cyber woman challenge for example we had to implement in Colombia, it was actually civil society that girls that code, pretty much, was our partner on the ground. And they were able to get women at the table learning technical skills and it was the private sector partnering through that.

      So just the discussion is that you have TPC, which I like, because it's really a private-public partnership that can have civil society, not just as the target of the training, but also the equal playing partner in getting the process done and completed properly. I think.

     >> Great, disappointed about a convenient power. Because I think this link between private sector and civil society is not always what we have. The initiatives that have been out there taking work quite well and staying with the civil society is kind of becoming a target of the initiatives rather than a partner. And I think that's the interesting point. Robert, you presented the government as I think one of the few that realized the power of civil society in research. Because you invested but also a lot of your own energy. In the capacity building center.

      And I think it's one of the few initiatives where we see this kind of engagement between the government and the research institute bringing very concrete results. But if you can extend a bit on this conversation and share some of your experiencing a been engaged but also many other venues, that would be great, thanks.

>> Thank you. It's always nice to be the government so my name is Robert Collett. I work within the foreign office within the UK government and I run projects helping other countries improve the cyber security capacity. I'm trying to approve the UK aside from the capacity. And we do that because we live in an interconnected world. And the UK cannot be safe or keep the citizens safe in one of the obvious things you know about.

      We've been doing that since 2012. And in response to the international call of their action and coming out of the UN-supported bodies and their countries to help each other. And when we think about helping countries, we don't just mean working with the government and helping the government, but we mean working with the government, the citizen, the civil society organizations, universities, and companies. And since we started, we've invested about 10 million in to projects, working with over 100 countries.

      And I think that if I can give any message to take away from what it looks like from a government side in doing this is that I'm -- we're surprisingly dependent upon civil society. Most of the people we need to protect outside of government next to the critical assets we need to protect are not run by governments.

      Most of the people doing the research in this sector are outside of governments. When we want to go and send experts to another country, there aren't many experts inside of governments. We employ that many cyber security people and most of them are really busy defending the UK day-to-day. So when we need to send experts to another country, we lookout side of government and largely to civil society.

      That's why from inside government looking out, we're really dependent on the civil society and that's a good and healthy thing. That's really great. We develop the partnerships when universities are think tanks and local civil society organizations, groups of experts giving the spare time like first the community of incident responders. That they do really good work. One because they know about the subjects. They do it because they care about it. They have the passion for these things.

      So all of our projects, even when it's government working with government, it's often civil society in that relationship coming up with the research, coming up with how when he do our jobs. Literally Patrick wrote the playbook and guide to how people in government should do their jobs in capacity building. And then it will often be at civil society university nongovernment people who are having those conversations on the ground paid for funded by the UK government but talking to, say, the government of Colombia who was on the last panel. That was a team from Oxford and also from UK civil servants, but largely Oxford people going out and having those conversations. From inside government, it looks like a strong and healthy relationship that I know that we should be doing more. And that's why I come to places like the IGF, because I like to meet more of the civil society people out there who have the best ideas and the best solutions that we should be working with.

     >> This idea of dependency. The important point to make here is that people like yourself and Kerry Ann do not have an easy job within your organization because I know when you have anyone in the government waving the flag of civil society or putting it out for the civil society guys, even within your own governments which sometimes makes things difficult.

      I would like to explore the idea of dependency. We have Daniela on the panel. Both involved in doing capacity work in cyber.

      So, if you could both give us a bit of an idea of the projects that you have been doing but I would like to target this around the idea of dependence because I think very often what's happening is we have this lip service being paged to the civil society participation and I would like to get your -- your perception of that to what extent it's still there and how can we actually shape it up a bit and make sure that we have this engagement.

      So let's start with you.

     >> Great, thank you, Patryk. I want to keep it brief so we can have time to discuss. I want to focus on two aspects that are key to understand the partnerships as partnerships of equals. First, I think the fact that civil society is so broad and so diverse and we need to get beyond the stakeholder silos that we continue to talk about sometimes and understand that civil society actors can be academics, researchers, technologists, and there's such a broad range of expertise. We do things civil society to one label, we make us think civil society has one row. That's not necessarily the case. And it can conclude artificial barriers but also it's a missed opportunity to really delve and talk on that expertise.

      And the second aspect that I wanted to raise is take away from the organizations' work and engage stakeholders and capacity building. And it's bad we can't do stakeholder engagement in a piecemeal way. It needs to be done in a wholistic way. And civil society needs to be brought onboard from the get go. We need to provide critical input that will help you tailor your projects. They're more tailored and suited to the needs. But also, it will help to increase trust and create buy-in that we see as critical for then the successful implementation of the projects.

      This is quite linked I think to capacity building in general and do not think of it in a vertical way. Not as substituting capacity, but rather doing it in a more collaborative way, in a more fluid way. And b like enRico was saying, moving from a hierarchy model to something that's more collaborative approach.

      In terms of some examples that have come to mind, we've been collaborating with the OES for a couple of years now, and in particular, thatter symposium. So it's an annual cybersecurity symposium and they gather stakeholders and I think the second year in a row the society partners have been delivering a cybersecurity and human right s there you can there. It's interesting that the capacity building is -- they build the capacity by being there to prepare for that. But also building the capacity of the other actors and stakehold er that are there. So I think the roles and the lines are quite blurred and fluid sometimes.

     >> Thanks a lot. We talked about OAS and NCO, but I think we also have our Swiss colleagues in the room. And I would like to credit them for organizing something that I think really shows the involvement of public and private and civil society. The dialogue that you try to discuss how different groups of actors are playing a role in shaping the nominative aspect. That's one of the meetings where most of the participants were from civil society rather from the governments from the private sector. Thank you for organizing that. Lets's see. Your turn.

>> Thank you. Oh, a scary echo with the mic here. I'm  Lucie, I work with access Now. I'm one of the few organizations that do cybersecurity capacity building on the ground. And I enjoyed that intro because mainly I never thought of us that way. But I had the branding.

      I think we kind of stumbled into that role by coincidence. We have always been a very grassroots-run organization. Our key focus has been on something called the Access Now help line, a digital security desk that's open 24 hours, seven days a week and available for anyone who needs help with their cybersecurity. And we build our work on top of that. Any policy, any communications and advocacy we do, stems from the lessons that we learn in that environment.

      I think the important thing I struggle with in this world of cybersecurity, multi- stake holder discussions, is that there are differing definitions of SHOOIB security. And I think the other day there was a joke made on one of the panels that there are two types of states in the world -- those who use cybersecurity as something to be protected, and something about the user. Which is very much where we are, for us, it's very much with the individual. It starts with the individual and that's where the conversations should begin, not about international norms and then working our way down.

      And then there are states who view cybersecurity as a space to control and manipulate the population and have a secure environment. And so that's where a lot of our struggles in these international conversations also come from, because they're initially balancing basically two sets of expectations and narratives in these spaces.

      So, as a part of the help line, one of the things we also offer is a digital security clinic that's also available in the beautiful booths here at IGF. We also offer training to other NGO ohs. How to respond when people come to you with big issues.

      A part of it is technical. A big part of it is helping people to understand the technologies and how you can make it work for them. A big part of that is also legal in providing that support. I think that's a little bit where the role of civil society, and I'm -- you're right, Patryk, there's a lot of lip service but I don't see the interaction to the degree it could exist. There's a need for some of the governmental program s that do exist to doing a civil society that's doing the work on the ground like us and other organizations are doing. There are funds, for instance, emergency funds for human rights defenders who run into trouble and not getting distributed effectively. The human rights defenders that we're not really aware of in Europe, if you're aware of someone working in Pakistan. Those people are already reached superstar level. They're going to get the support we want.

      How do we make the programs, how do we make the money trickle down? That's a real issue. That's a challenge in public-private partnerships in general. I hate using the term PPP because I studied economics. So when I see PPP on the screen, I'm like what are we talking about.

      It's so high level that it talks about the government and the companies. The companies only answer to shareholders, they only answer to the political parties for the parties that cover them. The narrative for the civil tote gets lost in this organizations. The things that are outsourced from government to companies and the worst it is for civil society. They're protectled by a lot of anti-transparency, laws and legislations. I can FOIA a government program, I can't FOIA a program they have with a private company. A lot of the relationships get lost for us.

      We're brought in a certain time. I smile when I hear that we can submit comments. I love it. It's half my job to submit comments. There need to be interaction and we need to start thinking about -- we need the individual unique people, at least these are meant to serve. Because if you get too stuck thinking about the processes, the organizations, I think the cybersecurity on the ground and the people who really need the support suffer.

      Thanks, Lucie. I think we have about 15 minutes for conversations, questions, answers. I would like to get a show of hands in the room, who of you have a question, comment, observation you'd like to share?

      So two people. The lady in the back.

     >> I love this discussion about multi- stake holder approach. Because my organization is also doing a lot of public-private partnership. Public-private dialogue type of work and we engage a lot of the civil society.

      So my question today is about civil society. How do we engage civil society in other countries. Some in the palace that civil society is basically a label, right? It can mean academics, think tanks, and different things. So all of the institutions would stay sponsored or stay funded. So how do you have a meaningful dialogue or engagement with a country -- in countries that civil societies or genuine civil society is nonexistent.

     >> Thank you for your question.

     >> I'm actually writing a report or catching the notes for the digital watch. So I'm jumping in my own notes. I'll be quick. I want to share two more examples of our role of civil society in PPP or public-private partnership. One is the personal experience where for years we'd been to one. We had an NGO. And Daniela said we have shouldn't see it as one thing, there's a diversity of civil society organizations. We've been the ones to help the governments understand the policy and the environment. That's a particular interesting role of civil society helping the governments. And a particular example of that is from Serbia, where I come from, a where we as an NGO manage to be the one to get all of the governmental representatives around the table plus Telekoms and others, because they trust us, we are an NGO. And because we don't have bureaucratic limitations. For them to get together, it was not easy. For us, it was quite easy. Got them together and five years created a fantastic, informal multitask holder group which drafted the policy and all these things.

      It's an interesting example. Trying to see where I can fit somewhere else as well. The other one comes from the research we did. How different states develop their own cyber competence. That's something that Robert mentioned. The examples of the countries that we run through, Finland, Estonia, Israel, UK, Netherlands, Germany, Korea, shows that in developing national competencies, it's a huge set of examples of the public-private partnership with governments, mainly give the incentives a bit of funding but the incentives would help with the legislation and stuff. The policy to set up the initiatives. Private sector jumps in with a lot of funding and cutting edge skills. And then academia is actually the one that expends with the knowledge that together with the private sector, innovation, perhaps joint ventures, develop business, so on. Israel is a good example. UK has some. That's an interesting example as well.

     >> Thank you. We worked with the GAC on global good practices that extends to the whole reflection process. A question up front.

     >> If you don't mind, not really a question, slight comments. Remarks. I would like to share our own experience. I would like to support the idea mentioned by the distinguished colleague from the UK saying that the private-public partnership is an essential part on cushing and fighting cybercrime in principle.

      There's many interesting remarkable remarks here as I can say. And a new generation of researchers trying to find a solution in fighting cybercrime. You have to understand despite the interconnections between civil society of the government organizations and the business society, by the way, the business society is more -- is more probably well prepared for some malicious activity. It's impossible to do only one platform in which we can fight.

      There's an example, there's no unique approach in the pending issues. So, in this case, I would like to invite you, please, to conduct your work to be done under the U.N. umbrella, only the United Nations could combine all of the efforts together.

      In this case, I would like for your information, yesterday night on the committee of the 73rd general assembly was adopted the draft resolution proposed by the Russian federation and the 32 co-sponsors. The name of the draft, the resolution, is countering the use of information and communications technologies for criminal purposes.

      It means since last year, we'll start the world political dialogue within the U.N. scope. And we would like to invite you, other organizations, to participate, to discuss all of the pending and -- well, typical issues that could be raised during this year or the next one. But, please, don't -- only one legal instrument like Budapest convention. There are seven in the world, seven different regional instruments. Each region deserves a legal foundation to be discussed.

      But the only U.N. umbrella can join us. Thank you.

     >> Can I ask you a quick follow-up question on that following your invitation for the civil society to join the conversation. What will be the mechanisms through which the civil society would be able to participate in this discussion given the primary government organization.

>> The mechanism is quite simple. There's a number of -- there's nongovernment organization that should just be associated with the -- with the U.N. secretary to be registered there and be invited. There's a normal procedure surely not wrong just multiple business in civil society are in different topics, for example, the human rights protection or something like that.

      Probably if you just investigated this issue more thoroughly and showing not difficult for any organization to participate, thank you.

     >> I have two more. Do I have two here. These are the last two and we'll go back to the panel.

>> I work in semantics in India. So in India, we're experiencing the capacity building has been like this. So, about three years back, we partnered with the association, round up, looking at the requirements. Several other companies and other vendors also. Then, got approved by the skill -- for certification. In addition to that, the political society on our end, we STUTDed scholarships for 1,000 women. I'm happy to share that in our first batch, out of 62, 27 were women, and hopefully this will in a few months' time or years' time, it will be almost equal, thank you.

>> Thank you very much. And here?

     >> Hi. I would just like to make a quick comment to reposition a little bit the discussion on the global south and the experiences in the global south. And I and I thank Enrico for bringing up the experiences. And also I think it's about bringing something that Lucy was mentioning which is where do we meet? You know, this bottom-up process and top-down process, if we can go through the generalization. But over at Europea, we've been doing research on cyber security in Brazil and map the actors and do capacity trust building. Because at the end of the day, it's a very slow process sometimes. And I do think we have to -- I've seen throughout the interventions and I think there's two considerations, the first one would be to be very careful in understanding multi-stakeholders processes, understanding public-private partnerships and understanding expertise. Which I think sometimes can be very confused, especially when you're talking about processes and building initiatives and new channels and new cybersecurity processes.

      But what we -- and the second point I was going to mention is with regards to the experience in Brazil. So what we did, we organize a series of convening sessions, can put every one on the table. And what we get at is that there is a huge challenge of building language, common language between stake holder groups. And this time more on the stake holder one. But I think it would be interesting to bring a little bit more of another experience from another country.

      And what we found out was actually there was a huge confusion over what are the responsibilities and competencies, versus the sectors. So we get people together. But they're talking about the same cybersecurity but with absolutely different conceptions of it. So how do you build policy on that? How do you actually get them to map out together what are the priority areas? So this is where you know of the challenges. And I think it's in the very early stages since policy in Brazil is very concentrated on the public administration.

      But I wanted to bring this experience and also bring the nuances of using interchangeably the terms of multi-stakeholder, public-private partnerships and the expertise that hasn't come up and obviously in the processes, you see a lot of that. So thank you.

     >> Thank you for sharing that. Back to the panel. Two, three minutes each to make reactions. I'll let you pick what you need to answer. But a few questions I think we should not miss from the conversation, one, how we work with the countries where civil society is government affiliated, kind of. How do you do that there? There's a comment on the Budapest convention and one of the seven original bodies and supposedly this being one of the original ones, we may have a different comment on that. Take it in that direction.

     >> Okay. Lots of interventions there. So I'll try not to cover all of them. I would have loved to have had a conversation with my Russian colleague, but he's left. So -- he's a sort of directed to him, but it should be a discussion here.

      I say, yes, there are different regional conventions out there, century to the beauty pest convention. We find it really useful to do practical cooperation between law enforcement agencies. So it works for what we need to do as a country and the other country to the signature is tell us it works for them as well. And there's no reason if you're say an African country, why you can't sign up to the African convention and the Budapest convention. These two things are not NUCH yulely existent and some had signed up to vote.

      That would be my response to that. In terms of the question rooted to the role of the UN and how much this is a multilateral, a multi- stake holder conversation, obviously, we are really strong proponents of multi- stake holderism inside of the security having a multi-stakeholder conversation. Governments need to be in the room to have that conversation. It's definitely one we're up for and we welcome civil society to be a part of that. And we also think that there's a law governing cyber space. There's laws which govern offline equally apply on-line. We forget about practical solutions in cooperation with civil society right now than have a long multilateral discussion and the outcome of which might not be very helpful for anybody. So I would say look to practical solutions which work today and look to them in cooperation with civil society and I absolutely take at this point on language. Even just within -- not quite your point, but even just within the cybersecurity technical community, we have long discussions about what is a breach and what is not a breach. Different departments measuring them in different ways.

      If you bring in others outside of government in that conversation, it gets more complicated. But that doesn't mean we don't need the conversation. And ideally when doing capacity building, which is what we do, that should be a multi- stake holder conversation within each country. It should be technical experts, civil society groups of various kinds and government talking about how they see the issues of terminology and interpretation. And finally, yes, it's really hard if there aren't authentic civil society groups to work with in a country, I think that should give pause as to what kind of projects you run in that country. And it also shows that capacity building, and I keep coming up to that because that's what I work on can't be done in isolation. It needs to be seen within the context of wider digital programs and governance programs and human rights projects. And it is within a whole ecosystem of our activity that needs to be mutually supportive.

      The brief comment on the engagement of civil society in foreign countries. Actually, very controversial, complicated issue. Based in my experience, for instance, in Africa what we've seen is starting to shut down the internet in the elections or applying the direct access for such media use.

      A good way of interacting is to provide them evidence and research. This actually shows that maybe sometimes they are actually counterproductive for the population. For example, you've seen in Uganda, now some research has been done on the negative effect on the tax on social media use. And tax is removed, the GDP of the council will increase.

      So if actually the civil society is able to establish this kind of interaction based on evidence, it might be an easier way for the civil society to interact in countries that might be considered authoritarian and taken into account the civil society.

     >> I agree. It's a tricky question. One of the prerequisites for the multi-stakeholder to purchase to succeed is a genuine commitment so sometimes if that's not there, it's not sufficient having that, but it is crucial and that buy-in and commitment is key. I think on top of Enrico's comment. Restoring engagement with other groups, civil sector s will have commonalities in their interest. So I think exploring that might also be an option.

     >> Thanks, the gentleman who asked the question is no longer in the room, but for the sake of the conversation, Catherine, do you want to pick up --

>> I will just -- hope he returns to hear Robert's points, which I absolutely endorse. I think Robert made a very good case for the Budapest convention. And indeed from the academia and the legal research point of view, I absolutely think this is a clear and transparent and therefore to some extent able to create trust for public-private partnerships.   To countersign crimes.

      So, just as a point of clarification, on how big is the impact of the Budapest convention, it's a framework for a law. So it has provided such a framework to understand what are the interactions between in this case one of the stakeholders, government stake holder, which is the law enforcement. And obviously the prosecutor, the judges, and the jurisdictional parties.

      So, and also, obviously based on the provided that this implementation of the -- of the powers in these powers or that are given through this public-private partnership framework is a well implemented in the national level. So that's also independent of the implementation. Of such a pursuit of power. So it's not given, it's not as straightforward as it can be seen by some stake holders. However, it is a framework that exists, that is there, and is being used so far. There is plenty of reports on the eastern region. How this framework has been used by the council of Europe with concrete conclusions. So definitely, I repeat, it's a starting point for any academic research on -- on PPPs to counter cyber crimes.

     >> Okay, there's too many question to answer, I think, wholistically in the time we have. So if you want to come up to me after and have some of the conversations, I'd be happy to. What I want to highlight other than I like the term "authentic civil society," it makes me feel like a fancy Italian meal. What I want to highlight is that there's a real disconnect between understanding of personal security in cyber security and societal security in cyber security.

      It's a real shame for me as a researcher who did risk-based theories to she the real focus on minimizing the societal risks. Because everywhere else, when we legislate, we accept a certain level of risk. Somehow we've reached the point in Europe and globally where the RILSings of anything in digital needs to -- risk in anything in digital needs to be 0. You're not going to solve that by controlling technologies. You're not going to solve that by micromanaging how the technologies are implemented. So societal issues need to be solved outside Hoff the digital realm. The way this focus has been going, it continuously, it consistently undermines the efforts of organizations like ours who work with users on the ground, to improve the security and improve their personal risk models. That's what I want to leave you with. Try to focus on the users.

     >> Well, thank you, everyone for all of your comments. I think the GAC, it's a bottom-up platform which really encourages private-public-civil partnerships in cyber capacity building.

      I think what we're making right now towards implementation creates more room for more stakeholders at the table. And I'm looking forward to the discussion with you and with the advisory board to see which stakeholders can join the GACE to build a better  multi-stakeholder atmosphere.

     >> It's important to recognize what we started the conversation on, that it's bringing everybody in the room. It's not civil society outside being consulted but recognizing that as multi-stakeholders, we need to ensure that everyone is coming because we have something to contribute. The civil society entities, the NGOs pointed out, the structure is not what we think it as, it's not just Greenpeace. It's more recognizing that the competencies are everywhere and we have to capitalize on that. The reason I raised that, even the question about the Budapest convention, some persons may not realize what the issue was that was being raised here. It's important to bring knowledge to the users because the issue that's being raised is bigger than this discussion can touch. Those of us know and that's the bridge that needs to be built is to get that information out there.

     >> So, thank you to my panelists, thank you to all of you for my comments, questions, and staying in the room for slightly longer.

      I would like to finish this panel for a roll call of all of you who are interested in capacity building and who would like to contribute to this conversation a bit more active way to reach out to us as well as members of the board and the advisory board of global cyber expertise. We have the representatives in each of the working groups that were established in the GAC standards cybercrime. And we're very much hoping to get more of your inputs in the coming months and years on most of our communications will be published on the website of the GAC. So, easy to follow.

     >> I'll stop there. Thank you, thank you once again. I hope we will not have to meet next year to discuss the potential contribution or noncontribution of the civil society to the U.N. process in New York. But that would be an interesting panel for sure. So thank you all of you for participating and enjoy your lunch and the rest of the conference, thank you.

Contact Information

United Nations
Secretariat of the Internet Governance Forum (IGF)

Villa Le Bocage
Palais des Nations,
CH-1211 Geneva 10

igf [at] un [dot] org
+41 (0) 229 173 411