IGF 2019 WS #217 Mitigating Cyber Harm and Organized Irresponsibility

Organizer 1: Jakob Bund, Global Cyber Security Capacity Centre, University of Oxford
Organizer 2: Carolin Weisser Harris, Global Cyber Security Capacity Centre, University of Oxford
Organizer 3: Kerry-Ann Barrett, Organization of American States

Speaker 1: Belisario Contreras, Intergovernmental Organization, Latin American and Caribbean Group (GRULAC)
Speaker 2: Eneken Tikk, Civil Society, Eastern European Group
Speaker 3: Nayia Barmpaliou, Civil Society, Western European and Others Group (WEOG)
Speaker 4: Klara Jordan, Private Sector, Eastern European Group

Policy Question(s): 

- Inclusive understanding of harm subjects/ stakeholders:
Which groups could potentially be affected by the unavailability of a technology-enabled service/ digitally stored data (or its unauthorised disclosure or manipulation)? How do the experienced effects differ between groups? Are all these types of potential harms equally considered in national risk assessments? Is reporting on these harms sufficiently integrated and linked to their underlying causes to facilitate reliable triaging of risks? Which conceptual, financial, political, or other barriers currently exist that limit the wholesome consideration of harm stakeholders?

- Risk management responsibilities:
Based on which criteria and in which steps do risk management responsibilities need to be extended from individual/ group/ organizational level to relevant national authorities? How can subsidiarity be effectively integrated in the distribution of risk management responsibilities? Which risks require proactive and preventive national management to avert systemic consequences? Which safeguards are needed to avoid that the allocation of risk management responsibilities to national authorities does not abet moral hazard by absolving risk-accepting and -producing actors from accountability? How can responsibilities for preventing harm and for mitigating harm be distributed to ensure that a transfer of responsibility for the mitigation of harm does not result in increased risk acceptance, as responsibility is outsourced?

- Challenges in measuring and comparing cyber harm:
Are all types of harms, caused by cyber incidents, currently sufficiently reflected in existing metrics? To what extent does the absence of established metrics for certain types of harms lead to discounted considerations of these harms in risk assessments? Which additional metrics are needed to avoid that risk assessments reinforce any existing biases in the measurement of harms? How can metrics account for subjective differences in the impact of harm (e.g., small enterprises and large transnational corporations will experience the loss of $10,000 with varying significance)? How can measurements of different types of harm be effectively compared with each other, to facilitate prioritised responses?

Relevance to Theme: Much like economic prosperity and a healthy digital environment depend on online security and safety, safeguarding security and safety requires a network-based understanding of risks that need to be mitigated – how they interrelate and enable each other. Building resilience for the digital ecosystem does not stop at identifying and strengthening the weakest link. The very links themselves require careful exploration to uncover possibilities for harms to cascade and for their effects to latently proliferate to new targets. Risk assessments need to broaden their scope to consider these cascading consequences and additional vulnerable stakeholders – most of whom will otherwise insufficiently prepare for these knock-on effects because of incomplete understandings of risks that are accepted on their behalf and of their own technology dependency.

Relevance to Internet Governance: The pre-emptive management of whole-of-society risks relies on inclusive coordination and communication. Where these efforts are limited to narrowly defined communities or discussed in silos, risks are only partially addressed – in as much as they are relevant to the specific interest of any such group of stakeholders. This selective vision on risk can allow potentially more impactful effects of the same hazard to spread and fester as the group-specific security definitions are unlikely to manage all risk aspects required to protect all of society and to stop harms from cascading to other vulnerable groups.

Drawing on the diversity of the Internet governance community, this panel seeks to deepen the understanding of neglected vulnerable groups that risk assessments need to involve and consider to develop a reliable picture of the risk landscape.


Panel - Auditorium - 90 Min

Description: Growing yet elusive technological dependence has given rise to an increasing displacement of the cause and effects of cyber incidents. Enabling social progress and economic prosperity, the adoption of new interconnected technology has embedded an ever-expanding part of national wellbeing in a shared, literally networked, ecosystem. Social, economic, and political functions have become inherently reliant on this technological backbone. In embracing these (inter-)dependencies, we as societies have created and accepted qualitatively new risks of systemic proportions – not always in full consciousness. Overseeing and managing this vast, riven risk landscape poses unprecedented challenges to societies. To rise to these challenges, as societies we need to rethink how we organise responsibilities for anticipating, detecting, preventing and mitigating risks. These efforts require us to deepen our understanding of how risks, if narrowly managed, can cause harms to cascade and proliferate to vulnerable groups previously neglected in risk assessments. Discussions of this panel seek to explore solutions in support of the early and active detection of technology-enabled risks and an agile response to unanticipated consequences, to protect all sides of national welfare in the digital space.

To strengthen consideration of the full spectrum of potential harms and vulnerable groups, this panel brings together perspectives from civil society on the socio-technological nexus of risks and the importance of addressing risk perceptions as well as actual risks; from government on mounting an inclusive and proactive national risk management response; from the risk management community on strategies and tools for expanding risk awareness and on how to scan for interdependencies; and from the industry on advancing public-private sector cooperation and cost-effective solutions for SMEs.

Expected Outcomes: Sharing and evaluating best practices, the workshop aims to develop insights into:
- mechanisms for the proactive identification of unanticipated or latent harms and risks of cascading consequences as well as neglected vulnerable groups;
- the allocation and transfer of risk management responsibilities to enable the prevention and early mitigation of harms; and
- elements of an inclusive national risk management framework that reduces tensions between private benefits and societal harms.

These insights will further inform the Cyber Harm Framework the Global Cyber Security Capacity Centre is currently developing, which will be openly available to the community. The Framework seeks to advance a more inclusive approach to cyber risk assessments by enhancing the consideration of neglected vulnerable groups and underappreciated types of harm, to enable the earlier detection of risk overall and the design of more cost-efficient preventive responses.

Onsite Moderator: 

Jakob Bund, Civil Society, Western European and Others Group (WEOG)

Online Moderator: 

Kerry-Ann Barrett, Intergovernmental Organization, Latin American and Caribbean Group (GRULAC)


Carolin Weisser Harris, Civil Society, Western European and Others Group (WEOG)

Discussion Facilitation: 

Holding this panel at the IGF would provide a unique opportunity to hear from a diverse set of stakeholders. Gathering a wide range of perspectives on the same risk from different angles can offer a more complete picture and highlight the views of groups overlooked in traditional risk assessments. During the session, the moderator will explicitly ask online and onsite participants to take part in the debate and, in close coordination with the online moderator, will ensure that audience contributions and questions are integrated into the discussion as a valuable part.

Online Participation: 

In advance, the opportunity for online participation will be promoted on all available channels of the participating organizations, including email, telephone, mailing lists, and social media. The three core parts of the communication will be the importance of online participation for the outcomes of the IGF, the invitation to submit questions in advance, which will be discussed and prioritised in the session, and technical information on how to weigh in via the official online participation platform.

Proposed Additional Tools: This panel will seek to facilitate and actively encourage inclusive participation in the proposed discussions, before and during the session through the strategic use of the official online participation platform, Facebook Live and Twitter.


GOAL 3: Good Health and Well-Being
GOAL 4: Quality Education
GOAL 9: Industry, Innovation and Infrastructure
GOAL 12: Responsible Production and Consumption
GOAL 16: Peace, Justice and Strong Institutions
GOAL 17: Partnerships for the Goals