IGF 2018 WS #75 Approaches to a Wicked Problem: Stakeholders Promote Enhanced Coordination and Collaborative, Risk-Based Frameworks of Regional and National Cybersecurity Initiatives

Organizer 1: Civil Society, Western European and Others Group (WEOG)
Organizer 2: Intergovernmental Organization, Latin American and Caribbean Group (GRULAC)
Organizer 3: Private Sector, Western European and Others Group (WEOG)

Additional Speakers: 
  • Barrett, Kerry-Ann; Organization of American States (government)
  • Craig, Amanda; Microsoft (private)
  • Dutton, Bill; Global Cyber Security Capacity Centre, University of Oxford (civil society)
  • Shannon, Greg; Chief Scientist for the CERT Division at Carnegie Mellon University’s Software Engineering Institute, and Vice Chair of IEEE Internet Initiative (civil society)
  • van Duren, David; GFCE (government)
  • Wilches, Juan Manuel; Commissioner, Comision de Regulacion de Comunicaciones, Government of Colombia (government)

Ensuring a secure, stable, resilient, and accessible cyberspace is critical to realizing economic and social prosperity and ultimately attaining sustainable development throughout the world. This has been the key message of previous IGFs and the basis for convening the Best Practices Forum (BPF) on Cybersecurity. This workshop will build upon the work of the BPF Cybersecurity as well as take forward key messages of the 2017 IGF High-Level Thematic Session, “Empowering Global Cooperation on Cybersecurity for Sustainable Development and Peace.” In particular, we will aim to educate, inform, and help to break down siloes to facilitate cross-stakeholder and cross-sectoral cooperation in implementing cybersecurity capacity building efforts and developing voluntary, risk-based security frameworks that will enable a nimble response to challenges in cyberspace. The overall aim is to provide insights into a more meaningful, globally oriented approach and to become more strategic and collaborative in building national and regional cybersecurity capacity that is risk-based, enabling nimble responses to security challenges.


Debate - 90 Min


David van Duren, GFCE, will describe the Forum’s approach to building a global platform for countries, international organisations and private companies to exchange best practices and expertise on cyber capacity building, and the Cyber Capacity Building Portal, which will be launched as a community one-stop shop for knowledge in cybersecurity capacity building.

Bill Dutton, GCSCC, will describe efforts to create comparable cross-national data on cybersecurity capacity that will support collaborative research and implementation efforts across the globe. In addition, he will present an analysis of the significance of capacity building, which empirically demonstrates the need for capacity.  

Kerry-Ann Barrett, OAS, will detail how several members of the Organization of American States (OAS) have implemented risk-based cyber-risk management plans. She will also present key findings of the OAS regional Cybersecurity Capacity Maturity Assessment and plans to ensure security of the financial sector.

Juan Manuel Wilches, Commissioner, Comision de Regulacion de Comunicaciones, Government of Colombia, will discuss how Colombia is working with the OAS in establishing and developing a national cybersecurity framework as well as the implications of Colombia’s recent acceptance as a global partner at NATO.

Amanda Craig, Microsoft, will provide the business perspective on the value of voluntary, risk-based cybersecurity frameworks developed through public/private interaction, such as business input to the OECD’s 2015 Digital Security Risk Framework and the NIST Framework and their subsequent implementation.

Greg Shannon, Chief Scientist for the CERT Division at Carnegie Mellon University’s Software Engineering Institute, and Vice Chair of IEEE Internet Initiative, will discuss how incorporating automated security assessments and formal assurance methods to improve defensive cyber-deterrence enhances over-arching cybersecurity frameworks. He will also explore how IEEE created a platform to enable information exchange among developers and other stakeholders and how this platform disseminates the latest best practices and tools for securing critical systems.


Both organizers and speakers have been invited to participate to ensure a diverse representation of government, intergovernmental organizations, private sector, and the technical community. We have also sought to ensure diverse regional representation, through the participation of the Government of Colombia, the OAS, and University of Oxford, as well as gender balance. The onsite moderator, two speakers, the substantive rapporteur and the online moderator are all female.

Co-Organizers come from four stakeholder groups -- private sector, intergovernmental organization, academia, and the technical community.

First-time IGF session speakers include: Amanda Craig, Microsoft.

The workshop is designed primarily for stakeholders whose approaches to cybersecurity may be in their infancy or as yet undeveloped, but is also appropriate for a broad-based audience. Stakeholders from business, government, intergovernmental organisations, academia and the technical community will discuss their respective approaches to cybersecurity. These approaches emphasize a risk-based approach, public-private partnerships, global alignment, regional approaches and technology flexibility. One element common to many cybersecurity frameworks -- to be examined by the technical community -- entails “building security in” from the start through secure system development and design principles. In addition, a speaker will consider capacity-building challenges faced by many developing countries and small organizations.

Discussion Facilitation: 

Participants (including those who participate remotely) will be invited prior to and during the workshop to submit questions for the speakers via Twitter, which will be announced by the moderator during her introduction. A hashtag for the session will be announced via the organiser’s account. Additionally, the last 30 minutes of the session are allocated to answering questions from the audience.

Online Participation: 

Inclusive online participation in the proposed workshop will be encouraged before and during the session through the strategic use of Facebook Live and Twitter during the workshop. In advance, the opportunity for online participation will be promoted on all available channels of the participating organizations, including email, telephone, mailing lists, and social media. The three core parts of the communication will be the importance of online participation for the outcomes of the IGF, the invitation to submit questions in advance, which will be discussed and prioritised in the session, and technical information on how online participation via the WebEx platform works. During the session the moderator will explicitly ask online participants to take part in the debate, and the online moderator will ensure that their contributions and questions are prioritised.

  1. Cybersecurity Challenges Create Need for Collaborative Solutions: Importance of Multistakeholder Participation
  2. Why regional approaches are necessary regarding such issues as strategy development, cyber risk frameworks, CSIRT, awareness raising, cybercrime, and research
  3. What are the benefits of global but also regional coordination?
  4. Why a Voluntary, Risk-Based Approach Is Optimal
  5. The Importance of Finding Consensus Among Global Stakeholders: International Standards and Trade and how can they be translated for other communities, such as academia, private sector, civil society, and intergovernmental initiatives
  6. Design Principles to “Build in Security” from the Start
  7. Addressing Capacity-Building Challenges: What Policies/Support Are Needed for Implementation?
  8. It is clear that investment remains national. Are there opportunities to improve the return on investment of cybersecurity capacity building projects to nations, such as through better coordination of systems, better metrics to assess their outcomes, and improved identification and prioritisation of cybersecurity risks?
  9. Wrap Up

IGF 2018 Report

- Title:


Approaches to a Wicked Problem: Stakeholders Promote Enhanced Coordination and Collaborative, Risk-Based Frameworks of Regional and National Cybersecurity Initiatives


- Date: Wednesday, 14 November, 2018

- Time: 09:20 to 10:50

- Session Organizer(s):

Carolin Weisser Harris, Global Cyber Security Capacity Centre (GCSCC), University of Oxford, female
Kerry-Ann Barrett, Organization of American States, female
Sophie Tomlinson, ICC BASIS, female
Barbara Wanner, U.S. Council for International Business, female

- Chair/Moderator:

Onsite Moderator: Claudia Selli, European Affairs Director of AT&T, female
Online Moderator: Matthew Griffin, Global Cyber Security Capacity Centre (GCSCC), University of Oxford, male

- Rapporteur/Notetaker:

Carolin Weisser Harris, Global Cyber Security Capacity Centre, University of Oxford, female

Matthew Griffin, Global Cyber Security Capacity Centre (GCSCC), University of Oxford, male


- Speakers:

Bill Dutton, Global Cyber Security Capacity Centre, University of Oxford, male

Greg Shannon, Chief Scientist for the CERT Division at Carnegie Mellon University’s Software Engineering Institute, and Vice Chair of IEEE Internet Initiative, male

David van Duren, Global Forum on Cyber Expertise (GFCE), male

Amanda Craig, Microsoft, female

Kerry-Ann Barrett, Organization of American States, female

Juan Manuel Wilches, Commissioner, Comision de Regulacion de Comunicaciones, Government of Colombia, male


- Please state no more than three (3) key messages of the discussion.

  • A holistic view on cybersecurity: it is important to think about cybersecurity beyond just the technical elements and to address the socio-cultural elements within countries but also within organisations. There is a need to ensure that cybersecurity is addressed holistically: prioritised at the highest government levels, mainstreamed vertically and horizontally in organizations as part of their risk management, and made part of the mind-set of users.
  • Risk Management and multistakeholder processes are crucial to start the conversation around issues in cybersecurity but also to work together, participate, and build trust. Transparency empowers those involved, such as civil society, and contributes to the quality and effectiveness of the process and its outputs. Speakers also raised the importance of distributed agency to reduce the risk of fragmentation. Raising awareness among citizenry is a critical complement to secure their support.
  • Sharing Best Practices: For capacity building, the mapping, development and dissemination of best practices need to be action-oriented, efficient and in a position to scale up those positive lessons learnt.


- Please elaborate on the discussion held, specifically on areas of agreement and divergence.

  • Cybersecurity as a policy issue in its own right: There was broad support for the view that cybersecurity policy cannot be approached with the existing policy approaches, as the Internet is a hybrid medium. Some suggested that this policy area may need experimentation to some extent to assess what works on the national, regional and global levels.


  • Research & Evidence: There is a need for evidence-based support on the importance of capacity building, but so far the research community has not yet provided the evidence of what works and what does not work, despite some early observations and preliminary findings.


- Please describe any policy recommendations or suggestions regarding the way forward/potential next steps.


  • National capacity-building should be accompanied by regional/global collaboration, in the sense of “acting globally to help locally”;
  • Cybersecurity must be approached as a foreign policy priority on the regional and national levels;
  • Highlighting of best practice in a variety of areas via case studies, practical products, toolkits, and guidelines for regional/global collaboration and national capacity building. This would make a positive contribution to the debates and the implementation of cybersecurity capacity building efforts;
  • There is evidence that resources devoted to cybersecurity capacity building are money well spent, but there is a need for evidence-based support on the importance of capacity building.
  • Fostering an ongoing sharing between countries and regional organizations is critical.
  • It is important that this is a multistakeholder process: a mix of top-down, with government acting as convener, and bottom-up, in that technical capacity and best practices come from the community.


- What ideas surfaced in the discussion with respect to how the IGF ecosystem might make progress on this issue?

  • Providing evidence for what works and what doesn’t work in cybersecurity capacity building
  • Developing and sharing of best practices
  • Encourage more stakeholders to get involved in cybersecurity policy and capacity building


- Estimate the overall number of the participants present at the session:

There were approximately 50 total participants


- Estimate the overall number of women present at the session:

Approximately 20 participants were women. The panel itself was gender balanced, with two out of six speakers being women (one female speaker had to cancel before the session).


- To what extent did the session discuss gender equality and/or women’s empowerment?

- If the session addressed issues related to gender equality and/or women’s empowerment, please provide a brief summary of the discussion:

The session did not directly address issues related to gender equality and/or women’s empowerment. However, it did consider challenges in how the technical community, government and public sector security teams can successfully cooperate with civil society organizations.


Session Time: 
Wednesday, 14 November, 2018 - 09:20 to 10:50
Salle II
