IGF 2020 - Day 8 - WS234 Security of digital products: Industry and enhancing trust

The following are the outputs of the real-time captioning taken during the virtual Fifteenth Annual Meeting of the Internet Governance Forum (IGF), from 2 to 17 November 2020. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

 

 

     >> MODERATOR: Good evening, good morning, good afternoon, traditional greeting on these online meetings.  Welcome to the panel security of digital products the role of digital security in enhancing trust at the IGF sponsored by the Geneva Dialogue.  My name is Vladimir Radunovic and I will be your host today.  The topic is quite high on the agenda.  The relevance of security of digital products and services has been discussed for quite some time.  Most of cyber attacks exploit vulnerabilities in cyber space.  We need more secure digital products and more security environment.  We have heard about reducing vulnerabilities on all levels from diplomats in the UN Group of Governmental Experts and working group and the OECD to the private sector to the regulators and we will have the pleasure to discuss with some of them today.

     One of the main questions today is what can vendors and producers do to enhance the security of digital products and how does that play with the roles the regulators and government and so on.

     Briefly on the Geneva Dialogue that is an initiative that gathers lead companies around the world to discuss good practices and security by design or secure design of the products.  The partners that contributed to this year's discussion of Bizone and Cisco and Kaspersky and Siemens, UBS and we hope that we will have more companies around the world joining us to extend this circumstance until the future.

     In addition to partners we have a number of observers that contributed to discussions including the cyber security tech accord, the world economic forum, cyber security studies at ETH Zurich and the credit episode student in Geneva.  Aligned with other multi-stakeholder initiatives and processes such as Paris accord and we are following closely and trying to make links with what is happening in the Group of Governmental Experts, the open end working group, the OECD and many other.  We have published a document for public comments with the key terminology and best practices.  Visit the website to find out more and we will reflect quickly on that later on.  And one last note, after this session there will be a separate Zoom room as a follow-up for coffee for all those that want to learn more about Geneva Dialogue and discuss in more informal setting.  Stay tuned.  We will send you the link at the end of the session.  The outline of the session, this workshop will discuss best practices and examples for creating digital products.  It aims to bring perspectives of private sector, regulators, public authorities, technical community and Civil Society around the world and we expect your inputs throughout the session.  We will start with setting the stage about the impact of vulnerable products on international security and then move to turn to discussions on good corporate practices, maybe also bad practices.  That will be interesting to see.  And some of the challenges when it comes to private sector embracing security by design.

     And we will close the discussion with brainstorming on what are the next steps and discussing whether we can develop some sort of a common baseline requirements that would sync all of the different developments around the world.

     The format is roundtable but we have a couple of discussants we invited to set the stage and share a little bit of their own practices that came out through the discussion within the Geneva Dialogue.  I will briefly introduce them.  Great pleasure to have Mr. David Koh with us.  The commissioner of cyber security and chief executive cyber security agency of Singapore.  And we have with us the special Jon Albert Fanzun.  Unfortunately, the only lady today among the discussants but I'm sure there will be more around to contribute, Anastasiya Kazakova, public affairs manager of Kaspersky.  Barrack Otieno is a trustee.  Kenya ICT action network and I hope at some point, I don't know if Nestor has joined.  The global CSO of the group from Argentina.  We also have co-moderator and will follow closely on chat, Marilia Maciel is a digital policy researcher at DiploFoundation.  She will look at discussions in chat and try to interrupt me and us and raise your hand and jump in and we have a Rapporteur, Andrijana Gavriolovic.  Be provocative in chat and raise your hand, it is a roundtable so don't be shy.  We were asked by the Internet Governance Forum to do a group photo.  A family photo.  I also all that want to switch on the camera at least for a brief minute and we will do a family photo.  I guess they also need it for IGF presentations in a way.  Thank you so much.  We will do it like three, two, one and then go ahead with the session.  You can smile.  Please, three, two, one, smile.  Thank you.  Perfect.

     Okay.  I encourage you to keep the cameras on certainly.  But so that we feel maybe more closer.

     Let's run straight to the discussion.  We will start with setting the scene.  And well, trying to understand why the vulnerabilities of the products and the environment impact the international security.  I will start with Mr. David Koh.  David, I guess I mean the Singapore was one of those very active in the field when it comes to looking at how to make products less vulnerable.  You have done a lot on a regional and international policy and some sort of labeling schemes and instructions about security by design, but you are also very active in international discussions and negotiations.  David, I would leave you to maybe set the scene briefly.

     >> DAVID KOH: Thank you very much, Vladimir and the DiploFoundation for inviting me to speak on this very important topic on enhancing what I would call trust or trust in and the security of digital products as well as the importance of industry participation in this endeavor.

     We are all deploying critical technologies more and more.  The fact that because of the pandemic right now we are meeting the IGF not physically but virtually on Zoom.  This just underscores the dependence that we have on digital technologies and the internet and therefore we must cultivate trust so that our citizens, the whole of humanity can reap the benefits from using these technologies.  Trust in my view is even more important in the current context of accelerating digital transformation and intensifying technological competition.  With the geopolitical divides leading to potentially bifurcation and standards and maybe between surveillance mys chains trust is the element that will facilitate the interoperability of networks and technologies.  In my view, cyber security is the root of trust of the digital revolution that is upon us.  I don't mean the technical term root of trust that has a different meaning.  But metaphorically.  Cyber security, such technologies can trust and leverage for social, economic and financial opportunities.  How do we secure the root of trust?  Or more directly, how do we implement cyber security best practices for the digital technologies?

     I think we did do this at three levels.  Like what Vladimir was talking about.  Internationally, regionally and domestically within our own country.

     Firstly at the international level, developing and maintaining a rules-based multilateral order is the first step to strengthening trust about states to ensure a secure, stable, resilient digital commerce and one that I would add is interoperable.  I believe that the members of the panel will speak more about this.

     Move on to the regional level.  Regional organizations can also help states to build their cyber capacities towards implementing norms of responsible state behavior for example those agreed in the UN at GGE meetings.  We are developing a practical long-term regional cyber security action plan for implementation and this will take into account the national priorities and cyber capabilities of member states.  We have ten states which are different diverse levels of economic technological development.  We figure if we can get an action plan going on with all of the different groups of people it will be probably applicable to many countries around the world.  The cyber security center of excellence as well as the Japan cyber security center capacity building member in Bangkok help states build trust and maybe progress in cyber security building.

     Within our own countries, states must work within industry to strengthen cyber security as its root of trust.  This was relate to how can governments work with industry to implement robust cyber principles.  For example, like security by design.  In Singapore we launched a safer cyber space master plan to strength among businesses communities and small and medium businesses and organizations.

     When Singapore first started in cyber security the first focus was on CII, essential services.  We have the cyber security act and now moved beyond that and the next step is a broader cyber security master plan.  This master plan comprises three strategic thrusts.  Firstly, to secure the core digital infrastructure.  Second, to safeguard the cyber space activities.  And third, to empower a cyber-savvy population because ultimately people are the weakest link.  We want a mind set that cyber security is ultimately a collective responsibility.  All stakeholders, the government, businesses, small and medium enterprises, the community, individuals, everyone has a part to play and everyone needs to play their part well.

     IoT is one area we are particularly concerned about.  Ten devices per human.  Five times more than what we saw in 2015.  This significantly increases the attack surface.  And we need to better secure these devices to protect users.

     In Singapore, we published a security by design guideline to support the industry, adopt best practices and incorporate security into the product development life cycles.  We also launched as what Vladimir noted a cyber security labeling scheme to raise the security levels of IoT devices.  This is a simple labeling scheme like the energy efficiency scheme that you have in the EU and in many countries.  Like one tick, two tick, three ticks.  So the consumer can easily see which is the more secure product.

     Through the labeling scheme we hope to encourage device manufacturers to incorporate cyber security into their devices.  The things that they make.  The secure by design principle should be incorporated.  We look forward to working with international partners to establish mutual recognition of these labels so that we can collectively advance security advances of IoT devices around the world.  Thanks very much, Vladimir.

     >> MODERATOR: You are a small state but doing amazing things in the field.  Much that we can learn from the Singapore experience.  You opened a number of good questions and one were discussed already in the chat whether the trust is a root for security or security enables trust.  And what is the relation.  We had quite some discussions in the Geneva Dialogue but what action means trustworthiness.  We will come back to that.

     Then there is a lot that we can discuss about the roles of private sector in the levels that you mentioned.  On the global level with rules based international and capacity building level and national and so on.  I will save that for a couple of minutes after now.

     First I want to hear from Jon Albert Fanzun.  Switzerland is active, no doubt.  What is interesting to me is that you recently got the Swiss foreign digital policy which I hope all countries should have in a way.  How do vulnerabilities and reducing vulnerabilities plays in this foreign policy?  And generally why Switzerland and Geneva Dialogue with private sector, it is an interesting mix.

     >> JON ALBERT FANZUN: Thank you, Vladimir.  Good to see you all here and thank you for inviting me for this panel.  Good questions and also some answer.

     I mean as David also just made a very important points especially about trust.  I would like to continue the conversation with outlining why we think the greater international engagement and a bit in answer to your question including multi-stakeholder engagement to build peaceful and secure cyber space.  What is the situation?  David said some words about it.  We are witnessing some worrying trends.  Geopolitical tensions on the rise and supply chains decoupling from each other.  The technological competition is intensifying.  Be it in the area of 5G or in the field of artificial intelligence.

     And the application of global norms and existing international law to cyber space is still uncertain and partly being contested.  There is a dramatic decline in trust between States and other actors and increasing risks in terms of regulation standards.  In our view, these challenges in view of these challenges it is clear that, on the one hand, we have to continue working and clarifying the international rules in cyber space especially in the framework of the UN.  But I think we also have to develop a normative approach.  And the new strategy you mentioned comes in.

     We waited for this panel and we just published it last week.  This is the first strategy in that sense.  It is also part of the there is a foreign policy strategy and then we have an internal part, the international strategy on cyber security and the third element that we would say is the international part of it.  And there are four fields of action that are defined in the strategies.  Digital governance, prosperity and sustainable development, cyber security, and also digital self-determination.

     The strategy also highlights especially the importance of the private actors in enhancing trust and security and encourage us to work with the private sector in addressing current issues in digital governance.  This is also exactly what we are aiming at with the Geneva Dialogue on responsible behavior in cyber space we started in 2018 and we launched now in the second phase in 2020.

     Today, vulnerabilities in digital products are often being exploited by threat actors in cyber space.  Given the geopolitical context that I outlined before, there is no global agreement to date on how vulnerabilities should be reduced.  At the same time, norms of responsible state behavior developed in the behavior of the framework of the 2015 UN Group of Governmental Experts call upon states to ensure the integrity of the supply chain and to encourage responsible reporting of vulnerabilities, among others.

     This cannot be achieved without involvement of the private sector.  I would say cyber security is not like tennis or golf when you play for yourself.  But this is team sport like soccer or futbol.  In that sense or with this aim, we together with DiploFoundation developed the Geneva Dialogue into process among 15 leading industry players from across the world.  We are happy we are able to present the first outcomes today and I'm looking forward also to our discussion on this project.  Thank you very much, Vladimir.

     >> MODERATOR: Thank you, Jon, for clarifying.  That was the first question what does the government have to do about the discussion of private sector on the best practices on reducing vulnerabilities but actually I think and I saw in the chat also mentioned this importance of collaboration.  But he sort of signaled that the good scams of the incident response cooperation across the world where this might be one interesting parallel.

     Really I see there is a lot happening in the chat so maybe you can summarize and even I don't know, hand the mic to any of those guys and girls that have been very active.

     >> MARILIA MACIEL: Thank you.  It is true we had a lively discussion on the chat.  Serge proposed to switch around the terms of the discussion as you mentioned and perhaps trust is the root or anchor as proposed by Barrack on cyber security and what are the building blocks of trust if trust is the starting point.  And we were discussing importance of norms that promote collaboration as the starting point of building trust.  And also the importance of perception in this discussion because sometimes we do have good security and data protection policies in place.  However, it is important to convince users that there is -- that products are trustworthy.

     And that was what we discussed so far.  But the discussion here in the chat has been lively.  I don't know if any of you would like to voice your comments.  Perhaps using the mic.  Ying-shu just added a comment with regard to the response of respecting mic.  I leave the microphone if you want.

     >> MODERATOR: Does anyone want to jump in?  Just raise your hand.  You should have that option.  Yes, correct me.  Please go ahead.

     >> HUMAYRA RABAB: An excellent discussion so far.  I wanted to add in terms of building trust I apologize for the background noise.  In terms of building trust I think often what we are facing is innovation is taking place without a lot of collaboration with government from the private sector because then we -- the government loses sight of what type of innovation is taking place.  And frankly, some of these new products can appear quite scary.  We saw with the election in 2016 how Facebook was collecting data.

     And now we want innovation to occur.  You know, we want technology to succeed and provide all of these capabilities to our society but I think there needs to be a bit of balance in terms of working closely together with the government to ensure that we are not producing  a new technology that could potentially be quite scary.  For example, retaining data with new products or ATM information and that sort of approach.

     >> MODERATOR: Thank you.  You raise an interesting zoom out perspective that not and we should discuss with the private sector that the security of digital products should be in place.  But there is more so that the global social responsibility in terms of the products and how they will impact the society in a way.

     So that it shouldn't probably be only let's say the assessment of security levels but also the assessment of how the technology can impact the society.  Quite interesting.  I don't know if any one of the colleagues from the private sector want to jump in.  Just switch on the mic.  David, did you wish to comment?  David?  David, if you wish.

     >> DAVID KOH: Thank you very much, Vladimir.  I thought this was a great conversation and I especially like the comments of the young lady, sorry I couldn't catch your name, when she made the comments I thought they were excellent.  I absolutely agree there needs to be a balance of views between government as well as industry.

     And I think that there are competing demands sometimes and we need to be aware of it.  Some of the side comments talk about trust and what are the basis for trust?  First of all, I would say that I'm happy to have started off this conversation.  I was speaking figuratively that cyber security in relation to the digital revolution is the root of trust.  I wasn't speaking about cyber security and trust but this is a great conversation.  I would add one element to some of the things that people talked about in the chat and that is transparency and openness.  That is a key element of trust in my opinion.

     >> MODERATOR: Thank you.  We can get back again to what are the components of trust in a way and that is a very important part.  Serge.

     >> SERGE DROZ: Already 15 minutes in and it is super interesting.  I like that.  The role of the different stakeholders it is that we clarify the roles.  I hear the call for information of governments.  I find this is tricky because what we are talking about is a very difficult and technologically challenging system to be looking at and no single entity today controls the full technology stack.  So not even the big players control the full stack.

     To coming up is meaningful technical regulations probably is going to be a challenge and probably going to create more damage than it is creating good.

     I think what governments need to do is or should do is that they should create an environment in which collaboration can foster.  For example, security teams  can reach out to each other and address vulnerabilities.  In the past, just yesterday, Microsoft published a patch with 112 security holes that were fixed.  Most of these were not discovered by Microsoft.  They were discovered by other people.  We need to be able to talk to these people.

     Right now we have sanctions that makes it illegal to talk to many of the major technology companies and that is detrimental to trust because we cannot use the products and be sure that all of the security issues are addressed.  That is one through the definition of norms can create an environment where the people that operate the whole infrastructure and that is the tech community can start work together meaningfully.  And I think there is a difference between looking if we want to have a business case or not or a business case at a company like Facebook or Google or who else has versus the underlying security and the underlying infrastructure that actually makes the internet running.  It is often referred to as the public core of the internet.  Think we need to distinguish between these two things and at the end of the day we really need to start talking to each other.

     I mean I think what David mentioned quite directly, trust is not a technical issue, it is a human issue.  We all are humans and we must never forget this especially in the technological environment like the internet.  We need to build up the relationships across the trust gaps.

     >> MODERATOR: Thanks.  Yes, go ahead.

     >> JON ALBERT FANZUN: I want to say something about trust.  I fully agree this is not a technical issue.  Just an example from the Swiss perspective.  We have a private application and app for contact tracing.

     Most important part of this application is security and data protection.  There is no possibility to technically identify the users but we had a very -- a lot of discussions about privacy and about trusting this application.  Even and when you compare it with other applications like the data flows and if you have a Facebook account or something else, you see that there is not trust or let's say the other way.

     Even if you think in other context that the governments -- that the government has more trust if they do something.  In that case it was not the case.  We have more or less 2 million people using the app and I think we overcame the trust problem.  Nothing to do with technology, I think the baseline is, of course, it is needed.  But trust is a process, and it is something that you have to build up among experience and explain how you -- how a device is functioning.

     >> MODERATOR: Thanks.  I think we collected already in I will read some of those I wouldn't say definitions but components of trust which were mentioned over there that I notice is predictability.  Transparency.  Knowledge, consistency.  Reliability.  Dependability.  And so on.  Marilia Maciel, before I pass the floor to the colleagues from the corporate sector to hear more from them, any summaries from the chat?

     >> MARILIA MACIEL: An interesting side discussion on the need to foster partnerships between governments and the private sector in order to avoid governments from taking advantage of vulnerabilities.  This is a very interesting point and I believe that others will touch upon it later.  But it is just important to remember that there are some groups working on norms that would create a transparent system for governments to vulnerabilities.  It is important that they have a clear process and that it is disclosure and not stockpiling.  A norm advanced by the cyber commission on the stability of cyber space that launched a report recently and they do have a specific norm on governmental stockpiling of vulnerabilities and a system of transparency and an interesting comment on encryption.  We are talking about security and governments want to have security in cyber space but at the same time have policies that weaken encryption.  How do we reconcile the two different policies being developed by governments?

     >> MODERATOR: Nice thoughts.  Let's move now to there was more of a broad discussion on the interplay between the policies and international, national and then the corporate sector roles.  But I would like to focus a little bit more on what the companies themselves can do.  And within the Geneva Dialogue we ended up with as I mentioned a document for comment which is sort of a result of the brainstorming of the companies involved on what are the main components.  What does it mean, security by design?  Security by default?  Security of the life cycle.  A couple of terminologies or concepts explained there.  We tried to find a common understanding.  Including concepts like vulnerability management, vulnerability handling.  Coordinated vulnerability disclosure versus responsible vulnerability disclosure.  It is quite a mess when it comes to terminology.

     But there were interesting examples shared by the companies on main elements of how they themselves implement security by design and that includes threat modeling and various ways mechanisms to do a threat modeling for an upcoming product and then there is a lot about supply chain security and how do you make sure because we are so interdependent also in the marketplace, how do you make sure that you follow closely on what components you integrated and if a vulnerability appears in someone else's product whether that impacts you.

     And then development and deployment and a number of good practices to ensure that developers are trained and responsible coding in a way and other means.  And lastly, vulnerability processes.  Whether from reporting to management to disclosure and so on.  I want to hear from the firstly from the two members of the partners of the Geneva Dialogue any experiences or even on previous discussions.  I will start with Anastasiya Kazakova.

     >> ANASTASIYA KAZAKOVA: Good morning to everyone.  It is a great pleasure to be here.  I would like to highlight one of the three aspects of the Geneva Dialogue that we experienced me and my colleagues while participating in several months of discussions were helpful.  That is true about the definition.

     I think what really the Geneva Dialogue did is build in the community where different companies could talk to each other and found that we may all speak about the same but use different notions and names and vice versa.  Sometimes we may use the same names but imply different meanings.  It was a really good exercise to try to agree on and reach a consensus of a meeting industry best practices and vulnerability handling was one of the best aspects and what security by design and security by default means.

     The second aspect that I find important that Geneva Dialogue focuses not only on the vitally discussed security by design and security by default but also on the concept of trustworthiness a relatively new concept which adds to the assessment of the products and Geneva practices and allows us to ask many additional questions about some non-technical aspects.  Institutional and legal aspects.  Whether digital products are trustworthy and allows us to dig a little deeper and found more about the environment where the technology is being produced.

     And it is very great that we could cover these aspects within the discussion.

     And finally, the third aspect I think the greatest achievement of the Geneva Dialogue and organizers is that we try to incorporate and the organizers tried to incorporate many other industry best practices and we tried to not to duplicate what has been said.  But on the contrary to try to deliver and that is complement in more detailed manner of what are the principles for resilience and security of digital products?

     And I think it was really, really good exercise, first of all, again for the community, for companies to understand that they are there are actually some differences between us, too.

     >> MODERATOR: Thank you.  One of my take aways on one hand there is quite some different perspectives on approaches.  But on the other hand some of the lead companies do honor quite much when it comes to try secure devices.  I notice your hand, I will get back to you, soon.  Nestor is again, is another partner.  I know that you are working a lot on digital identity and the supply chain is one of the important aspects.  I wonder when whether you want to comment on the supply chain aspects and how you can ensure that supply chain is trustworthy in a way so your technology is also trustworthy.  Nestor?

     >> NESTOR SERRAALLE: We must align all of the activities with the development of best practice in terms of cyber security.  First this is turning in best practices but also a change and challenge in terms of internal processes such as partner and supplier cooperation and contract policies and a wide range of things we need to keep up to date.

     As you say, the very changing in the industries is very important.  You know that the security life cycle is for us a main question.  Because we need to create a secure solutions in terms to through the digital identity of the people in our region.

     The complexity of the process we are -- where our solutions bring the cyber security includes many core systems for example there is a challenge in the region where the partners, integrators and customers are working very hard to close the gap in terms of safe practices.  Because of this from view we are committed to maintaining the same cyber security standard through the solution and sharing our best practices with the rest of the players forward especially with customers.

     So one of the best findings we made in the process of developing the security culture inside of our company is importance of maintaining and increasing our participation in activities.  Today we are involved in Geneva Dialogue because it is important to layer and discuss best practices in our industry in order to maintain the digital security of the people who use our products.  Not just a reputational problem, it is a social responsibility.

     Despite the restrictions in the region we want to provide the same security experience that leaders provide globally.  Because of this interaction with colleagues around the world and close relations with Microsoft and Cisco and other important players in the industry are key to increase our capabilities on our security development life cycle.  And I want to say thanks to the Geneva Dialogue for the opportunity to be here as part of this very relevant forum to create a more safe digital world.  Not only for us, for our extended value chain and for the society especially in -- thanks.

     >> MODERATOR: Thank you, Nestor.  One of the interesting elements that you mentioned was the investment in security culture in the company, the change of the project.  That is in the outcome Document about the process and how do you make sure you change the project.  What is interesting with Vue that is a relatively small company compared to others onboard but you do have a special department in a way following up on the cyber security tech accord and many other international developments and that is quite interesting.

     I want to open up now the discussion of first pass the floor to Barrack Otieno and then get back to Muhammad.  It might be easy for the big companies who invest in the change of the culture and generally embracing security by design.  I'm sure there are a lot of limitations when it comes to smaller companies and Vue is one example.  Barrack, any comments on the previous discussions?  I saw you were very active also in the chat.  Any reflections on what are the limitations for challenges across companies, let's say across Africa, to embrace the approach to security by design.  I will start with Barrack and then Nestor, if you wish to comment as well.

     >> BARRACK OTIENO: Thank you very much.  And good morning, good afternoon, everyone from wherever you are joining.  Just to respond to that, in the global south business majority of the startups and generally even the small and medium enterprises are always struggling with the question of surviving harsh economic environments and staying afloat.

     Just to note that just like in many other parts of the world, getting credit for business is a major challenge which means that founders or proprietors of companies have to get customer resources.  Which means they have to choose between food and keeping the business going just to ensure that their companies are working well.

     As such the whole issue of security by design then becomes secondary to operation of the business.

     I would like to say that is a major impediment when it comes to implementation of security.  Unlike the global in Europe where security is part of the culture or fabric, it is a bit different in the global south.  Of course, we have scenarios where security is driven where you find most of the global companies dealing with security products are pushing their products or are pushing to make a profit as opposed to transforming the culture or ways in which communities look at things to make sure they are security conscious for lack of a better word.

     Which leads me to my next point, which is basically when you look at the global south which is almost similar to Asia, the Asia-Pacific region, we have cultural nuances.

     In Africa we have what we call the spirit of Ubuntu.  It means togetherness.  It means whatever I have, I share with my brother.  For instance, if it is a laptop, it is not just mine.  It is for the family and for the community.  When you start looking at security within the concept of Ubuntu it brings challenges when you compare or look at the way security is in the global north or in other parts of the world.

     And finally, there is also the lack of adherence to security standards like the ISO 7000 series and other government standards like COVID --  I don't know why the word COVID just came out.  I think there is a major issue or major challenge because if you look at majority of the organizations in Europe, over and above the vendor products that provide security, you find that there is a security framework that guides how these companies operate or how the companies treat data and this is one of the areas that we are struggling with in the global south.  You find that, for instance, I happen to have been involved in local standard development at the Kenya Bureau of Standards which is my country.

     And while these standards are available to the community at $30, you find that they still are not purchased from the library of the local bureau.

     And one of the things I have noted is that standards touching on health and safety are mandatory.  They are enforced.  But standards touching on IT security are not mandatory meaning the companies are given an opportunity to decide whether to implement or not to implement.

     This is considering the fact that right now most of the business is online and security is as critical as health.  I will stop at that.

     >> MODERATOR: Thank you, Barrack.  Quite some important thoughts.  We had a lot of discussions about the standards and applicability of standards not only whether they are mandatory but also whether they are affordable and clear and whether they are useful and even some definitions in the standards are not the same as what the companies are using.

     I wonder, Muhammad, you lowered your hand but if you want to jump in back raise your hand or switch on.  Yeah.  Go ahead.  Sorry for waiting.  Just unmute yourself.  You have to unmute.

     >> MOHAMMAD GHARANI: I'm from Afghanistan and working as the deputy director at the president office.  I'm leading some technology staffs for example, technology, and also system and process reengineering.

     But the big problem here is digital culture.

     People are not -- they are not trusting on for example their data to share with the government or for example when they are taking the IG accord, they don't want to share their private information or family information or their educational background because they don't have the trust that someone will hack our information or access our information for example from Pakistan or Iran but we have some political issues also.

     My question is or just I want to know that trust is a process.  How to promote the trust among new generation at schools or universities or at society.  What will be the best model or practice to apply it in low income countries or landlocked countries for example in Afghanistan?  Thank you.

     >> MODERATOR: Thank you, Mohammad.

     Very useful again.  One thing that might be the question for all of you is if we look at the young generations going more and more into startups nouvelling new applications and devices.  How do we make sure that those new startups and new services actually start from security by design as well.  I will give you one example.

     This very Zoom which was very scarcely used before the COVID.  Overnight it became one of the key communication platforms and certainly when they started the platform they didn't have security as one of the preconditions as Barrack mentioned.  It is not the focus.  We will probably have more and more of these services which suddenly pop up and become very important and many will be coming from some startups hopefully from developing country as well.  That is another one question how do we make sure that we spread the culture and enable people with innovations to start on best security.  I know that Anastasiya wanted to reflect on challenges.

     >> ANASTASIYA KAZAKOVA: I wanted to reflect on them but I wanted to reflect on this question.  I think it is important that Barrack mentioned for small companies when implementing the security layer especially for SMEs this is my big question on return on investments and return on investments might be to ensure the product security.

     So why SMEs should invest more in security for them.  If they don't have budget simply knowing what should be done and capacity building is one of the directions for collective work including both larger companies and the government side as well.

     Another probably direction for addressing the challenge is building the trust ecosystems and multi-stakeholder ecosystems and the example the Geneva.  We learned on the Kaspersky side what is done on the Siemens and Microsoft side and it was helpful to exchange and hear each other.  I think if the small startups together with the government I think it will provide more opportunity to foster and fill the gaps that exist in the industry and enhance the information sharing and help each other.

     Another challenge that we personally see still, though they are a good compilation with the best practices with the Geneva Dialogue report there is still an open question about the lack of institutional framework I would say.

     So the many important questions are those what from the government point of view would be an optimal level of security?  What are the particular certifications and standards to pass?  And Barrack touched on this.  And what are the necessary technical requirements to meet.  Even in the European continent there are already good practices but the lack of institutional framework sometimes, the lack of actually guidance what should be done to be considered as an optimal level of security, this is I think the one industry would definitely find helpful as well.

     >> MODERATOR: Thank you, Anastasiya Kazakova.  We have a few more minutes.  I will ask, you asked interest to jump it on Mohammad's comment.

     >> IDI KULA: We promote trust.  We need to promote scepsis many in terms of Civil Society and among our Civil Society because when anyone is not -- he sensitive data or personal datas are processing collecting by private companies and all governments they don't need to trust the dig dig of government (break in audio) corporate entities.  And secondly, I would also emphasize that private sector or companies need to be more open to Civil Society and they need to say hey, come here and please test our products, our processes.  If we have any backdoors in our products.  Like some companies have backdoors and very dangerous factors in their device.

     >> MODERATOR: Thank you.  I think we had quite some discussion on Geneva Dialogue on transparency and a couple of good examples I invite all of you to look into the document and provide comments on transparency by Microsoft and Huawei.  In order to open up and be transparent so the communities and the customers and the community need to be able to review the code and look what is in and so on.  So capacity building as Anastasiya Kazakova mentioned is the key.  Point taken, thanks a lot.

     >> DAVID KOH: May I jump in?

     >> MODERATOR: Sure, David.

     >> DAVID KOH: I just wanted to pick up on Barrack's point about cultural nuances not just in the global south but also in Asia and circle back to a point which Jon talked about earlier about COVID applications.

     So all of us are familiar with contact tracing applications because of COVID and there is a huge question about transparency and about security and privacy et cetera.  I want to just tease out Barrack's point that there are cultural nuances.

     For example in east Asia countries like Japan and South Korea and Singapore have different political cultural history and community historical cultural perspectives so there is a strong trust.  It is not so much individual privacy but individual privacy, individual standards are subordinate to family and then community.  And there is a certain element of trust and subordination of the individual to the wider community good.  Consequently in countries like Taiwan and Hong Kong and Japan and South Korea and Singapore, we are prepared to give up some of our individual privacy in order that appropriate government agency, the ministry of health has the information so that they can do contact tracing.

     This would not be acceptable, in let's say, EU, Europe, GDPR, et cetera or in some other jurisdictions.  But understanding the balance point and difference in cultural nuances and historical context or even the political culture of the different jurisdictions is also relevant.  So as we discuss about international norms and standards, even for cyber security or privacy or trust I think these are things which perhaps need to be considered.

     Because as many of the speakers have said, trust is not just a technical issue.  It is ultimately a human dimension.  Thank you.

     >> MODERATOR: Thank you, David.  And this basically leads to the discussion which we will probably follow up in the Geneva Dialogue and it is how to come up to some sort of baseline security requirements that maybe all companies can start with and how do we think let's say the international principles whether it is the UN and the Paris accord and the others with standards and policy and regulation like what CSA is doing and then with best practices.  There will be a big challenge because of both you and Barrack mentioned the different nuances in the not necessarily just cultural but generally difference.

     A quick back to Marilia Maciel before we wrap up.  I see scrolling through the comments.  Maybe you can try to summarize.

     >> MARILIA MACIEL: Thank you.  The chat has been very, very lively and interesting.  Thank you very much for being so active.  Our comments revolved around three main topics: encryption, pros, cons around shortcomings.  Alternatives to encryption.  And then we discussed the disparities between north and south when it comes to capacities of putting in place security standards and somehow lite of the importance and there were interesting discussions on standards and the need to deploy security standards in order to promote security online.

     And I leave you with an invitation that actually comes from Mout and Mark Cavrell to join the coalition on security standards they are looking at point such as the procurement of large companies to foster the adoption of security standards and other topics.  I will join this Dynamic Coalition.  Thank you very much and I invite others to do so.  Thank you.

     >> MODERATOR: Thank you.  And thank you Wouk and Mark for mentioning that.  We are coming to the end.  I would like to at the end use the opportunity before we hear the messages to ask anyone of you the discussants whether you have any final thoughts in the brief form.  I will start with Jon first.  If you want to wrap up briefly from your side what are the takeaways?

     >> JON ALBERT FANZUN: Thank you very much.  The takeaway is that trust is at the center of the discussion and I don't think that that is a technical question as I mentioned before.

     Some years ago, we trusted that an election and the result of an election will be accepted.  Now we live in a day that -- days that even that that we saw that it is -- it is impossible to not to trust is in question.

     And I think trust begins with dialogue and I think what we started with the Geneva Dialogue is to talk to each other.  Anastasiya Kazakova mentioned it.  And I think that is the precondition to have trust in each other.  One of the key takeaways is also that the dialogue we started gives or offers room for also the industry to talk to each other and that is also one of the takeaway I take or the takeaways I heard in the discussion.  Thank you.

     >> MODERATOR: Thank you, Jon.  I guess I can do it on your behalf since the IGF asked us to come up with a personal organization commitment when it comes to the discussion.  Do you want to tell your commitment then?

     >> JON ALBERT FANZUN: So we want to continue our Geneva Dialogue was in 2021.  I hope, of course, in a digital way but also I hope that we can see each other and that is our commitment to go a step further with our dialogue.

     >> MODERATOR: David, any final reflections and your commitment on the topic of securing devices?

     >> DAVID KOH: Thank you.  Two points on the takeaways.  One is really the whole discussion of trust.  Trust we agreed is at the center of it.  There is a lot of discussion in the chat on what trust comprises.  I would add transparency and it is a human endeavor and what Barrack said that you have to bear in mind the cultural elements.  The first takeaway is trust.

     The second is what Jon said and I heard previously as well that second baser is a team sport and we have -- that cyber is a team sport.  We have to play together.  We need to work together and second is multi-stakeholder.  I think that governments come to this -- I saw in some of the chat this is the government perspective, I confess I work in the government and I spend my whole life in the government so perhaps that perspective is -- that comment is not untrue, guilty as charged.  But I think that totally agree the digital world, the digital revolution is too important.  Governments can't deal with this alone.

     We need the full participation of industry, full participation of academia and Civil Society.  So multi-stakeholder approach.

     I commit to engage other countries and other stakeholders.  Thank you.

     >> MODERATOR: Thank you.  Quite a commitment which will be undertaken in a way.  Anastasiya Kazakova, how about reflections and commitment.

     >> ANASTASIYA KAZAKOVA: Both comments from Jon and David looks very, very inspiring for many of us that are currently in the session right now.

     From my side we talk about a lot of challenges and even in the digital tomorrow and the digital day after tomorrow there will be even more challenges.  Digital transformation is here to stay and the threat landscape will become more sophisticated.  This is the difficult option in which we will live.

     Reflecting on the trust and multi-stakeholder cooperation the key is to build the trust ecosystems and to help actually everyone that wants to be in the -- at the table and to have a say in the negotiations and the dialogue.  Transparency on both sides.  On the government side and the private sector side.  I mentioned in the chat verification and accountability and integrity.

     Serge I mink mentioned that you shouldn't violate norms and integrity is what you actually say and what you deliver.  You shouldn't violate what you promise before.  So those are principles of those trusted ecosystems.

     The commitments, capacity building for us for Kaspersky we will try to invest in the ICT community and support, first of all, our partners and customers with the knowledge on how to address supply chain risk and digital security risk.  Thank you.

     >> MODERATOR: Thank you, Anastasiya Kazakova.  Nestor, your commitment?  Unmute yourself.

     >> NESTOR SERRAVALLE: Sorry.  I'm impressed for the discussion.  For us today to participate.

     So can you hear me?

     >> MODERATOR: Yeah, yeah.

     >> NESTOR SERRAVALLE: We must think globally.  We are operating in Europe and we need to work with all of the trust and confidence policies that you have in Europe.  But at the same time, this is a good opportunity to create the same environment in Latin America and other countries, Korean region or North America inclusive.  To create the same environment you have in Europe.

     I think Europe is a very good example for example in terms of GDPR regulation could advance if you compare that regulation for the rest of the world.  For us a big opportunity and good opportunity to create a new perspective regarding the security by design and security by default and security life cycle.  All of these topics are relevant to increase the security and mainly when we are taking care of our digital identity in many countries.

     So for us it is a must to understand what is the best practice in all of these topics.  So I appreciate so much the collaboration between public sector and private sector.  But in fact in our region we have a gap to cover in this topic especially.

     >> MODERATOR: Thank you, Nestor.  Barrack, you have the last round to close with some of your commitments and reflections.

     >> BARRACK OTIENO: Thank you very much, Vladi.  I join my colleagues in commending your moderation.  It has been an interesting panel.  My commitment is to create more awareness because I believe that is what is needed in the global south in most of the African countries.

     We have come up with very good documents.  Partly like the convention which just tries to build a security conscious cyber space or cyber society in Africa but adoption is low because of awareness.  For me, creating more awareness is key.  The other point is capacity building which is also a commitment I'm engaging myself to.  Because once awareness is created, building capacity is key.

     And finally, also building the security conversation into the culture or fabric is the last point that I would look at.  Thank you very much.

     >> MODERATOR: Thank you Barrack.  They will kick us out of the room even if it is virtual we still have to hear the messages or key points taken.

     I invite Marilia Maciel to share the messages from the discussion.

     >> MARILIA MACIEL: Thank you.  I will be super quick.  I --

     >> ANDRIJANA GAVRILOVIC: The first is that trust is at the center of discussion and it is important to remember it as human issue and not a technological one and the starting point for building trust are norms that promote multi-stakeholder collaboration.  Governments should create an environment in which collaboration is fostered but there needs to be a balance of views between government and industry.  Promoting best practices of companies can help other companies improve their own processes as well.  That would be the second message.  The third it is important to clarify baseline requirements for digital products taking into (indiscernible) and norms.  And the last message would be the companies need to capacity building both in terms of the implementing the baseline requirements and fulfilling and participating in multi-stakeholder processes.  Did I breathe while reading this?  It is not sure.  A colleague of writing right now and it will be available on digital watch.  Over to you.

     >> MODERATOR: Thank you, and I encourage everyone to share your takeaways and thoughts.  We have to close now.  We do have another Zoom room open now and I will switch after this session to that one.  If you are interested you can join, my colleague will share the link to the Zoom room and thank you all for joining.  We have gone a little over an hour but it was a good discussion.  We can play the bye bye video.  Thank you for joining.

     >> Thank you very much.