IGF 2018 WS #171 Multi-stakeholding cybersecurity in Africa

Information

Session

Thematic Track:

Topic(s):

Organizer 1: Civil Society, African Group
Organizer 2: Civil Society, African Group

Speaker 1: Towela Nyirenda, Intergovernmental Organization, African Group
Speaker 2: Arthur Gwagwa, Technical Community, African Group
Speaker 3: Anriette Esterhuysen, Civil Society, African Group
Speaker 4: Michael Nelson, Private Sector, Western European and Others Group (WEOG)

Additional Speakers:

Speaker 1: Koliwe Majama, APC, Civil Society Organisation, African Group, female

Speaker 2: William Dutton, Oxford Martin School, Academia, Western European and Others Group (WEOG), Male

Speaker 3: Matthew Shears, Global Partners Digital, Civil Society, Western European and Others Group (WEOG), male

Format:

Panel - 60 Min

Interventions:

The speakers to the panel belong to different stakeholders groups – civil society, government, academia, and private sector. In this way, different perspectives on what forms multistakeholder collaboration in cybersecurity should take and on how it should be implemented are discussed by the perspective of different stakeholders groups. The discussants, based on their experience and expertise, will be challenged to untangle issues on difficulties on implementing multistakeholders collaboration in cybersecurity, and how their expertise and experience can contribute towards the effective implementation of such partnerships.

Diversity:

Diversity is taken into account in the selection of discussants, moderators, and organisers. Gender balance is respected and preference is given to women in the panel and in the organising group. Discussants work and/or have extensive experience in developing countries and belong to different stakeholders groups.

While the notion of multistakeholder collaboration on cybersecurity has often been acknowledged as central and integral to cybersecurity policy-making, what exactly such collaboration entails remains rather vague in both the available literature and in practice. During the panel, the notion of collaboration in cybersecurity strategies will be untangled. To distinguish between traditional public-private partnerships (PPPs) in network infrastructure industries and a wider array of collaborative relationships that are relevant to cybersecurity, the panellists will be invited to discuss collaboration in cybersecurity in more detail, by delving into different types of collaboration and how they differ from more traditional PPPs, before focusing on how such relationships can be designed to promote cybersecurity. The debate has the following intended agenda: - Introduction on the topic of multistakeholder collaboration on cybersecurity policy-making, and a brief introduction of the discussants; - Presentation of a discussion paper on multistakeholder partnerships on cybersecurity in Mauritius and South Africa, based on a research conducted by Research ICT Africa (RIA) in 2018 in these selected Africa countries; - Debate on research findings moderated by the RIA Principal Investigator on cybersecurity; - Open microphone for online and offline interventions and questions from the public; - Answers from the discussion; - Wrap up and takeaways.

Although different forms of multistakeholder partnerships for digital policymaking continue to gain popularity in Africa and beyond, such collaborations are still limited and mostly confined to spur broadband infrastructure investment, particularly fibre optic networks, on the continent. Where cybersecurity is concerned, an inevitable reliance on specialised ICT skills and high levels of mutual dependence should encourage collaborative efforts. Because multistakeholder collaborations often involve complex institutional arrangements involving players from diverse fields, successfully completing such a collaboration for cybersecurity is not a simple endeavour. Other challenges include a lack of resources and a shortage of specialised skills in the public sector, the pace of technological change (with accompanying risks and threats), dissonant rationales for and expectations of the collaboration, and a natural reluctance to share critical and sensitive information, for example. While the literature on multistakeholder partnerships has attempted to highlight factors critical to positive outcomes of collaborations, no agreement exists between different stakeholders on what this collaboration is all about, how it should be implemented, and how this should be encouraged. Without a better understanding of multistakeholder participation in cybersecurity policymaking, it is difficult to guide diverse actors in cybersecurity to enter in such agreements for more effective service delivery. On the other hand, missing opportunities for collaboration in cybersecurity may increase costs for both public and private partners. For a better understanding of multistakeholder collaboration in cybersecurity, a thorough investigation of instances of collaboration - including their nature and forms - is needed. This panel discussion, therefore, invites different stakeholders on debating on instances of collaboration in cybersecurity in Africa, by posing the following policy questions: 1) What is the rationale for multistakeholder collaboration in cybersecurity policymaking? 2) How can multistakeholder collaborations in cybersecurity be improved in Africa? What are the challenges of implementing them? 3) What forms should multistakeholder collaborations for cybersecurity take? 4) What are the key success factors experienced by the different stakeholders involved in the partnership?

Discussion Facilitation:

The moderators (offline and online) supported by the workshop organisers, will involve discussants and the public in the debate, and will facilitate the discussion on the topic of the panel discussion. Specifically, in order to optimise the time and to assure fair participation of both online and offline participants, the debate will unfold in the following way: 1) The moderator will introduce the discussants to the offline and online public and will briefly introduce the topic of the debate: 2 minutes 2) The moderator will then invite a researcher from Research ICT Africa to present findings from a Discussion Paper on multistakeholder collaboration on cybersecurity in Mauritius and South Africa: 5 minutes. 3) Afterwards, the moderator will invite discussants to comment on the research results and to share their own experience on different forms of multistakeholder collaboration in cybersecurity in Africa and beyond, and on challenges in implementing them: 4 discussants, 5 minutes each = 20 minutes. 4) After all discussants have expressed their opinions, the moderator will invite the offline public and the online public to make interventions or to ask specific questions. A maximum of 3 offline interventions/questions and 3 online interventions/questions will be placed in a queue and will have the microphone: 5 minutes. 5) Questions will be answered, and additional comments will be made by the discussants: 15 minutes. 6) The moderators will open up the microphone to a final round of online and offline interventions/questions (Max 2 onsite questions, 2 offsite questions): 4 minutes. 7) The debate will end with a final round of answers and additional comments by the discussants: 8 minutes. 8) The moderator will wrap up and close the debate: 1 minute. TOTAL: 60 minutes.

Online Participation:

In order to ensure equal offline and online participation, online attendees will have their own interventions and questions queue and microphone, which will rotate equally with the microphone in the room. The moderator of the debate in the room will work closely with the online moderator in order to balance online and offline participation during the debate. The remote moderator, who has been selected based on her expertise and experience on online moderation for IGF workshops, will be briefed on how to engage the online community to participate to the debate and on how to feed the offline debate with online contributions. On the other hand, the moderator in the room, who has already moderated debates at the IGF, will be briefed on how to alternate offline contributions and online contributions from the remote public. The moderator of the debate in the room and the online moderator will meet before the debate to organise modalities of interventions of the offline and online public. Last but not least, in order to engage more and new participants in the session, remote hubs for participation in the session will be organised in different African countries. The organisers will identify iHubs, Incubators or other ICT centres who will set up remote hubs and invite local participants to remotely participate in the discussion.

Report:

- Session Type (Workshop, Open Forum, etc.): Panel – 60 minutes

- Title: Multi-stakeholding cybersecurity in Africa

- Date & Time: Tuesday, 13 November, 2018 - 17:20 to 18:20

- Organizer(s):

Anri van der Spuy, Research ICT Africa, Civil Society, African Group, female

Enrico Calandro, Research ICT Africa, Civil Society, African Group, male

- Chair/Moderator: Enrico Calandro

- Rapporteur/Notetaker: Anri van der Spuy

- List of speakers and their institutional affiliations (Indicate male/female/ transgender male/ transgender female/gender variant/prefer not to answer):

Speaker 1: Koliwe Majama, APC, Civil Society Organisation, African Group, female

Speaker 2: Michael Nelson, Cloudfare, Private Sector, Western European and Others Group (WEOG), male

Speaker 3: William Dutton, Oxford Martin School, Academia, Western European and Others Group (WEOG), Male

Speaker 4: Matthew Shears, Global Partners Digital, Civil Society, Western European and Others Group (WEOG), male

- Theme: Cybersecurity, Trust and Privacy

- Subtheme: CYBERSECURITY BEST PRACTICES

- Please state no more than three (3) key messages of the discussion.

The successful implementation of a collaborative model for cybersecurity strategy development and implementation resides in agile adaptability, transparency, and trusted information sharing among and between all participations;
Cybersecurity collaborations should display both vertical and horizontal collaboration between stakeholders, be descriptive rather than prescriptive, and be sufficiently flexible in order to adapt alongside evolving cyber risks and technologies.
Participation should extend not only to public and private sector entities who tend to own and control critical information infrastructure, but also stakeholders from other sectors (e.g. the banking and finance sectors, business process outsourcing (BPO), health, tourism, energy sectors) and non-for profit stakeholder groups (e.g. the technical community, academia, and civil society)

- Please elaborate on the discussion held, specifically on areas of agreement and divergence.

The session was moderated by Dr Enrico Calandro, Senior Researcher, Research ICT Africa (RIA).

Ms Anri van der Spuy, Associate, Research ICT Africa, talked about the why cybersecurity is a particular concern at RIA and in Africa, highlighting that there is an increasing interest in cybersecurity in Africa. This could be attributed to governments increasingly realising how central the Internet is to economic development. She noted that challenges in Internet governance also apply to cybersecurity, hence the need for fast response rates, expertise, flexibility and resources. Generally, few countries have cybersecurity strategies and many citizens lack education and digital literacy skills. She mentioned that the nature of the cyber environment means that it is difficult to deal with cyber risks as governments are involved to protect public interest and private sector owns a lot of technological infrastructure.

Ms Spuy shared research conducted by RIA on collaborating models for cybersecurity in Mauritius. According to the International Telecommunication Union (ITU) Global Cybersecurity Index 2017, Mauritius is ranked as the top country in Africa and has become a regional hub for cybersecurity. Findings from the research show an improvement in public-private partnerships though still facing shortcomings, some parties being more dominant than others, the need for broader participation and no mention of digital rights.

Provisional policy recommendations include flexibility, transparency, information sharing, descriptive rather than prescriptive arrangements and involving stakeholders who find it difficult to participate and are vulnerable to cyber harm.

Responding to Dr Calandro's question on the need for multistakholder collaboration in the cybersecurity domain, Prof William Dutton, Oxford Martin Fellow, The Global Cyber Security Capacity Centre, said that the Mauritius example shared was a great example for collaboration. He however noted that there are a lot of criticisms to the multistakholder model and one of the complaints is about limited communication, yet cybersecurity capacity building involves communication. He highlighted that the Global Cybersecurity Center is setting up hubs in different parts of the world in order to scale up. Prof Durron added that the security discussion is often removed from reality and as such, the people discussing do not know anything about users or the developing world.

When asked if the multistakholder is emerging in practice, Mr Arthur Gwagwa, Senior Research Fellow, Centre for the Intellectual Property and Information Technology Law (CIPIT), mentioned that policy formulation in Africa is half-hazard. He added that Internet governance (IG) in most cases is running parallel to cybersecurity such that IG issues are discussed in public while cybersecurity discussions often do not involve everyone. He emphasised the need for different approaches to different threat models because different threats lead to different ideas of harm.

Ms Koliwe Majama, Consultant, Association for Progressive Communications (APC), mentioned that there are no frameworks for encouraging civil society engagement in cybersecurity in Africa, and the law-making process is not always clear. She referred to the African Union Article 27 that would generally be categorised as multistakeholder, but Computer Emergency Response Teams (CERTs), are not inclusive. She gave an example of the Zimbabwe CERT which had mostly government/defence and state security but no technical, women's/children's rights representatives. She concluded that civil society needs to ensure that the end-user is being represented and that the discussion is inclusive.

When asked if capacity building is an effective tool for multistakholder participation, Mr Matthew Sheers, Director, Cyber, Global Partners Digital (GPD), mentioned that GPD undertakes programs to build cybersecurity capacity in Latin America, Africa and other developing regions. He referred to GPD's recent report on mulltistakholder approaches to national cybersecurity strategy development, which had been done in 4 countries: Mexico, Chile, Kenya and Ghana. He acknowledged that the key recommendations raised by RIA match with GPD. He noted that in many countries, multistakeholder only includes government and the private sector, but there is need to work across stakeholders and team with particular groups like the technical community.

Mr Michael Nelson, Tech Strategy, Cloudflare, mentioned that Cloudflare protects websites by filtering content coming to them, for example botnets, and distributing content from websites across 150 centres, 9 of which are in Africa. He encouraged the need to build the Information Technology (IT) consultant industry in the content and allow foreign companies to invest.

- Please describe any policy recommendations or suggestions regarding the way forward/potential next steps.

The following policy recommendations were made:

The successful implementation of a collaborative model for national cybersecurity strategies resides in agile adaptability, transparency, and trusted information-sharing among all participants;
Cybersecurity collaborations should display both vertical (e.g., between overseeing organisations and other stakeholders) and horizontal (e.g., between peer stakeholders) collaboration between stakeholders, be descriptive rather than prescriptive, and be sufficiently flexible in order to adapt alongside evolving cyber risks and technologies;
Participation should extend not only to public and private sector entities who tend to own and control critical information infrastructure, but also stakeholders from other sectors (e.g. the technical community, the banking and finance sectors, business process outsourcing (BPO), health, tourism, energy sectors) and not-for-profit stakeholder groups (e.g. academia and civil society);
Special steps must be taken to involve stakeholders who could find it difficult to participate or who are more vulnerable to cyber harm, including civil society organisations and marginalised communities who may be more at risk of cyber threat;
Not only commercial interests should drive private sector stakeholders to participate in collaborative cybersecurity effort. Also, the private sector should innovate and mitigate threats, building security into applications and systems along with the need for raising awareness.

- Please estimate the total number of participants.

Approximately 60 participants

- Please estimate the total number of women and gender-variant individuals present.

Approximately 2/3 women.

- Session outputs and other relevant links (URLs):

https://researchictafrica.net/2018/11/08/igf-panel-discussion-on-collabo...

https://dig.watch/sessions/multistakeholding-cybersecurity-africa

Session Time:

Tuesday, 13 November, 2018 - 17:20 to 18:20 CET

Room:

Salle VI