|

Part I: Framing the 2016 IGF Best Practice Forum (BPF) on Cybersecurity Multistakeholder Dialogue

1 Leave a comment on paragraph 1 0  2016 Internet Governance Forum (IGF) Best Practice Forum (BPF) on Cybersecurity:

2 Leave a comment on paragraph 2 0 ‘Building Confidence and Security in the use of Information and Communications Technologies (ICTs) through Enhanced Cooperation and Collaboration’  

3 Leave a comment on paragraph 3 0  

4 Leave a comment on paragraph 4 0 Part I: Framing the 2016 IGF Best Practice Forum (BPF) on Cybersecurity Multistakeholder Dialogue

5 Leave a comment on paragraph 5 0  

6 Leave a comment on paragraph 6 0 The report[1] of the IGF 2015 Main Session on Enhancing Cybersecurity and Building Digital Trust held on 12 November 2015 at the 10th IGF annual meeting stated the following:

7 Leave a comment on paragraph 7 0 “The general consensus coming from the session was that cybersecurity is everyone’s problem and everyone should be aware and understand that the cyber world is a potential unsafe place. A culture of cybersecurity is needed on different levels. Individual action was encouraged to make the Internet safer. Moreover, a need for a comprehensive approach to tackling cybercrime and building trust, such as the introduction of security elements when developing cyber products and services, was highlighted. Participants also stressed the critical role that education plays in addressing cybercrime issues and noted that education should be expanded to involve all levels of society. Capacity building was cited as an indispensable driver for cybersecurity.

8 Leave a comment on paragraph 8 0 There were calls for further multistakeholder participation in the tackling of cyber crime. Session panellists agreed that the IGF, including National and Regional IGFs (NRIs), has proven to be a good collaborative multistakeholder process for cybersecurity, but still needs to reach out to get missing parties around the table. The involvement of the government, private sector, civil society and other stakeholders in handling cybersecurity was stressed as fundamental in terms of sharing best practices, sharing results of critical assessments and identifying globally accepted standards of cybersecurity. All stakeholders must understand, respect and trust each other’s expertise and competences.”

9 Leave a comment on paragraph 9 0 Building on this report and emerging demand from the IGF community for an additional multistakeholder dialogue platform to discuss issues related to cybersecurity, during the IGF Open Consultations and MAG meeting from 4-6 April 2016[2] there was agreement that a 2016 IGF BPF would be carried out on a cybersecurity related topic, building upon the previous work of the CSIRTS and SPAM BPFs[3]. The MAG meeting also acknowledged that the WSIS +10 review process had produced an outcome document[4] with a strong focus on “building confidence and security in the use of information and communications technologies”, making an IGF BPF related to cybersecurity even more relevant and timely.

10 Leave a comment on paragraph 10 0 While reviewing the outcomes of both the IGF Spam[5] and CSIRT[6] Best Practices Forums (BPFs) held in 2014 and 2015, there was an emerging consensus amongst the community that the 2016 cybersecurity BPF would benefit from addressing cooperation and collaboration between stakeholder groups as a central topic[7]. It was said during an initial virtual meeting[8] for the BPF that one of the lessons learned during the work on the IGF BPF on CSIRTS was that the work attracted mostly engineers working on technical issues. That BPF group found that while CSIRT teams in most cases find agreement within their own communities, there were significant communication issues when engaging with other stakeholder groups, in particular policy makers, civil society, law enforcement and even industry.

11 Leave a comment on paragraph 11 0 The community also expressed that all stakeholders would benefit from having a multistakeholder discussion on how to engage and communicate with each other on cybersecurity issues. There was also a feeling that this would be uniquely fit for an IGF BPF and that the work carried out in 2016 should not be seen in isolation, but should rather be seen in a long-term perspective and that capacity building would be an integral component for the work. End users, law enforcement agencies, policymakers, and all of the other range of actors involved in cybersecurity would be invited to get involved in the work on an ongoing basis. It was also noted by a group of BPF participants that focusing on cooperation and collaboration would support the Internet Governance Principles laid out at the NETmundial Statement[9], that recognize that “Effectiveness in addressing risks and threats to security and stability of the Internet depends on strong cooperation among different stakeholders“.

12 Leave a comment on paragraph 12 0 It was also emphasized during the first few BPF Cybersecurity virtual meetings[10] that to many today, the word “cybersecurity” is often loaded with context, and many organizations associate it with government decision making, or commercial security solutions. Within the IGF, it was said, there is an opportunity to redefine cybersecurity as a common goal between all stakeholders, and to work towards finding a common understanding about what productive cooperation and collaboration might look like.

13 Leave a comment on paragraph 13 0 In a contribution to the BPF from Mr. David Strudwick[11] it was also suggested that cybersecurity ‘situational awareness’ could also be a complementary topic for the BPF to explore in its work. The contribution defined cybersecurity situational awareness as “Both knowing and influencing combined risks and applied mitigations”; or in more detail, “The resulting sensitivity to a local risk state that arises from clearly establishing vulnerabilities and threats and the commensurate measures to mitigate such threats, while supporting and maintaining the confidentiality, integrity, availability and non-repudiation of information within integrated computing and communications systems.

14 Leave a comment on paragraph 14 0 The proposal suggested that the IGF BPF Cybersecurity dialogue space could work towards helping to “establish a common international scaffolding and development of emergent best practice supporting security situational awareness, with the intention to achieve globally applicable common policy towards increasing technical capabilities, reduction in vulnerabilities and the exertion of positive influence engendering increased confidence in the operation of underlying information technologies, on which the Internet relies.

15 Leave a comment on paragraph 15 0 Two contributions[12] from the Internet Society (ISOC) to the BPF also emphasized the importance of cooperation and a collaborative approach in multistakeholder efforts to build confidence, user trust and security in the use of Information and Communications Technologies (ICTs). In ISOC’s Executive Summary of their Policy Framework for an Open and Trusted Internet, they state:

16 Leave a comment on paragraph 16 0 “Large scale data breaches, uncertainties about how our data is being used, cybercrime, surveillance and other online threats are impacting Internet users’ trust, how they use the Internet, and hindering Internet adoption. Policymakers are facing an important challenge today: How to fully embrace the digital revolution while, at the same time, ensuring the safety and security of their citizens. The Internet Society believes the Internet needs a solid foundation in trust to achieve its full potential. Trust is a cornerstone for all successful connectivity strategies, in developing and developed countries alike. This can only be achieved through collective responsibility and collaboration.”

17 Leave a comment on paragraph 17 1 ISOC’s collaborative security approach to tackling Internet security issues further emphasizes that the Internet itself was built through voluntary cooperation and collaboration and cooperation and collaboration remain the essential factors for the Internet’s prosperity and potential. Further, the approach emphasizes that everyone has a collective responsibility for the security of the Internet and multistakeholder cross-border collaboration is an essential component.

18 Leave a comment on paragraph 18 1 Others emphasised that in terms of collaboration and cooperation between those with the knowledge and skill sets necessary to improve the security of the Internet that implementation of vulnerability coordination and bug bounty programs are also key functions. It was said that any entity which is responsible for protecting data should have a process in place by which they can acknowledge and fix identified vulnerabilities in their infrastructure as reported by external entities. This allows organizations to scale their efforts towards identifying vulnerabilities in externally-facing properties, as well as provides invaluable data on where their existing security processes have failed and need improvement.

19 Leave a comment on paragraph 19 0 Messages from some of the 2016 Regional IGFs (2016 European Dialogue on Internet Governance (EuroDIG); 2016 Asia-Pacific Regional IGF (APrIGF) and the 2016 African IGF (AfIGF) :

20 Leave a comment on paragraph 20 0 It was a cross-cutting goal of the 2016 IGF community intersessional activities to make efforts to enhance existing cross-linkages between the growing number of National and Regional IGF Initiatives[13] (NRIs) and the IGF. In this context and with this goal in mind, it’s important to note the following three examples of such linkages between discussions taking place at National and Regional levels and discussions at the global IGF level such as this cybersecurity BPF.

21 Leave a comment on paragraph 21 0 During a workshop[14] (Workshop 5: Cybersecurity revisited, or are best practices really best?) held at the 2016 European Dialogue on Internet Governance (EuroDIG) held from 9-10 June 2016, the following messages from participants emerged from the meeting which further indicate the demand from the community for further dialogue on cooperation and collaboration in cybersecurity work:

  • 22 Leave a comment on paragraph 22 0
  • People tend to cluster together and collaborate within trusted communities, because with a trusted relationship something can be done. How to broaden this cooperation by binding with other clusters/communities?
  • We need to collaborate to get things done, and the essential point is then to create trust between stakeholder groups: successful examples were when battling spam and cooperation between CERTS and LEA’s. It can be done.
  • Diplomatic communities (with a so called ’military tradition’) and technical communities often mean something completely different when talking about security. There is a massive gap. But they are talking to each other and there certainly is an intention to continue the dialogue.
  • How to keep the different ‘clusters’ open, where issues are discussed? More transparency is necessary when it comes to public-private-partnerships: all stakeholders should (be able to) participate.
  • There is a multitude of platforms and initiatives working on cybersecurity, all spending money and doing capacity building: but are they indeed open and transparent, and what effect do they have and how to bring them together? This is an open question…[15]

23 Leave a comment on paragraph 23 0 The Synthesis Document[16] from the Asia-Pacific Regional IGF held from 27-29 July 2016 also stated:

24 Leave a comment on paragraph 24 0 “II. Security

25 Leave a comment on paragraph 25 0 Cybersecurity, the protection of information systems from damage and disruption, is critical not just to the stability of cyberspace, but also increasingly important to the physical world. Whether it is security, stability & resiliency of the Internet infrastructure or security of network and information systems, collaboration is needed to mitigate and prevent cyber security incidents within and beyond the Asia Pacific region, and the setting of global encryption standards is encouraged.

26 Leave a comment on paragraph 26 0 The Draft Outcome Document[17] from the African Internet Governance Forum (AfIGF) held from 16-18 October 2016 noted the following in the Conclusions and Recommendations from the Plenary Sessions:

27 Leave a comment on paragraph 27 0 Session 5: Security and Privacy issues in the Internet:

28 Leave a comment on paragraph 28 0 “African member states should sign and ratify the AU Convention on Cybersecurity and Personal Data Protection. In this context, they should implement relevant regulations related to Access to Information, data protection, privacy and cybercrime.

29 Leave a comment on paragraph 29 1 Reinforce capacity building on Internet governance issues as education and cybersecurity.”

30 Leave a comment on paragraph 30 0 The Ambiguities and Challenges in defining the term ‘Cybersecurity’:

31 Leave a comment on paragraph 31 0 Throughout this 2016 BPF dialogue, during the virtual meetings and in comments on the mailing list[18], many participants in the work noted the ambiguities and different definitions/meanings of the term ‘cybersecurity’ depending on the usage/context and the perspective and/or the intention of the stakeholder discussing or using the term.

32 Leave a comment on paragraph 32 0 In her recently published paper, What we talk about when we talk about cybersecurity: security in internet governance debates[19]; author Ms. Josephine Wolff describes this further in the paper’s introductory abstract:

33 Leave a comment on paragraph 33 0At meetings of Internet governance organisations, participants generally agree that improving security is an important goal, but these conversations rarely yield consensus around how to achieve this outcome. One reason security plays this paradoxical role—as both a universal point of agreement and a continued source of contention—in these debates is that it has significantly different meanings to different stakeholders involved in these governance forums.”

34 Leave a comment on paragraph 34 0 An active participant in the BPF, Mr. Alejandro Pisanty, further developed this notion in a note to the BPF mailing list:

35 Leave a comment on paragraph 35 0 “The term “Cybersecurity” is used for many different purposes. Many professionals consider that it is particularly valuable to use all terms that include “security” sparingly, and then more as shorthand for sound risk management.

36 Leave a comment on paragraph 36 0 It is valuable to distinguish between national security, public security, enterprise security and personal security. Further, much clarity arises when discussions have a clear starting point in signalling what assets are being protected against which risks, even if in a broad picture. Thus, cybersecurity as national security encompasses, attacks that may impede the functioning of a society as a whole and threaten a nation’s sovereignty or survivability; enterprise security includes separately its operational infrastructure and its intellectual property; for an NGO oriented to the defense of human rights, cybersecurity may encompass the confidentiality of its membership, sources of information and activities; threats to its reputation, and the drowning of its discourse in social media; for the average citizen, threats are mostly against life and limb, reputation, and economic assets. The best practices in cybersecurity will ensue from a proper, proportionate analysis of risks, costs and benefits for each case and the risk-management disciplines that can best prevent and mitigate attacks.”

37 Leave a comment on paragraph 37 0 Another active BPF participant, Mr. Kush Singh, further elaborated the challenges and ambiguities from his perspective on the mailing list:

38 Leave a comment on paragraph 38 0 “In my opinion I find Cybersecurity as a much generalized term. To most of us it doesn’t mean much because we have been dealing knowing or unknowingly with cybersecurity. But it’s easier to define the issues arising with cybersecurity. That being said I think it is very important to be specific about the type of cybersecurity issues that we deal with and which sector are we referring to e.g. private, public, banking etc.

39 Leave a comment on paragraph 39 0 Mr. Andrew Cormack also contributed this valuable input to the discussion:

40 Leave a comment on paragraph 40 0 “Personally I’ve found that it (the term cybersecurity) has so many different interpretations (both across and within sectors) that it’s almost meaning-free. So any discussion that mentions it ends up either as a discussion of what the participants mean by it, or at worst as a very long and complete miscommunication between people each talking about their own interpretation. But today’s call[20] also made me wonder whether it’s actually a barrier to learning from past experience – anything that pre-dates the invention of the term can’t be relevant to it. So maybe trying to explain that “cybersecurity” consists of a number of pre-existing fields (information security, online crime, incident response, etc.) can make it easier to learn from those previous fields? As I said in the call, I’ve recently discovered that I’ve been doing “cyber security” for twenty years.”

41 Leave a comment on paragraph 41 0 What was emphasized and made clear throughout this important discussion is that within the context of this BPF, which emphasizes and focuses on ‘Building Confidence and Security in the use of Information and Communications Technologies (ICTs) through Enhanced Cooperation and Collaboration’, is that participants in the BPF discussions and those reviewing this output document and the following Part II of this output in particular should take into account that this BPF uses a multistakeholder lens when discussing cybersecurity quite broadly; therefore, the written contributions submitted to the call for inputs and further comments made via the mailing list or in discussions have been made from a variety of different perspectives/viewpoints depending on how the relevant participant defines cybersecurity. Irrespective of how each respective individual participant or stakeholder group defines cybersecurity, a common point of convergence emerged that further cooperation and collaboration is essential to building confidence and security in the use of ICTs.

42 Leave a comment on paragraph 42 0 [1] http://www.intgovforum.org/cms/documents/igf-meeting/igf-2015-joao-pessoa/igf2015-reports/609-igf2015enhancing-cybersecurity-and-building-digital-trust

43 Leave a comment on paragraph 43 0 [2] http://www.intgovforum.org/cms/documents/igf-meeting/igf-2016/magmeetings/732-summary-igf-1st-oc-and-mag-meeting-4-6aprilfinal

44 Leave a comment on paragraph 44 0  

45 Leave a comment on paragraph 45 0 [3] http://www.intgovforum.org/cms/best-practice-forums/2015-best-practice-forum-outputs

46 Leave a comment on paragraph 46 0  

47 Leave a comment on paragraph 47 0 [4] http://workspace.unpan.org/sites/Internet/Documents/UNPAN96078.pdf

48 Leave a comment on paragraph 48 0  

49 Leave a comment on paragraph 49 0 [5] http://www.intgovforum.org/multilingual/content/2015-best-practice-forum-outputs

50 Leave a comment on paragraph 50 0  

51 Leave a comment on paragraph 51 0 [6] http://www.intgovforum.org/multilingual/content/2015-best-practice-forum-outputs

52 Leave a comment on paragraph 52 0  

53 Leave a comment on paragraph 53 0 [7] See 2016 IGF BPF Cybersecurity Virtual Meeting Summary’s from May-August 2016: http://www.intgovforum.org/cms/best-practice-forums/bpf-cybersecurity

54 Leave a comment on paragraph 54 0  

55 Leave a comment on paragraph 55 0 [8] http://www.intgovforum.org/cms/documents/best-practice-forums/758-bpfcyber-meeting-summary-24-may-2

56 Leave a comment on paragraph 56 0  

57 Leave a comment on paragraph 57 0 [9] http://netmundial.br/netmundial-multistakeholder-statement/

58 Leave a comment on paragraph 58 0  

59 Leave a comment on paragraph 59 0 [10] Initial Contributions/Ideas/Suggestions received via emails on BPF Cybersecurity Mailing List: Proposal from: Andrew Cormack, *Jisc*Adli Wahid, *FIRST*, Cristine Hoepers, *CERT.br/NIC.br* Peter Cassidy, *Anti-Phishing Working Group (APWG)*, Maarten Van Horenbeeck, *FIRST*, Serge Droz, *FIRST*; Neil Schwartzman; Jerome Athias; James Gannon; Serge Droz; Marilyn Cade; David Strudwick; Michael Ilishebo; Alejandro Pisanty; Wout DeNatris; Cheryl Miller; Nick Shorey; Richard Leaning and more.

60 Leave a comment on paragraph 60 0 [11] http://www.intgovforum.org/cms/documents/best-practice-forums/881-cdd-igf-proposal-20160617

61 Leave a comment on paragraph 61 0  

62 Leave a comment on paragraph 62 0 [12] Internet Society (ISOC): A policy framework for an open and trusted Internet –  http://www.Internetsociety.org/doc/policy-framework-open-and-trusted-Internet and Collaborative security approach to tackling Internet security issues: http://www.Internetsociety.org/collaborativesecurity

63 Leave a comment on paragraph 63 0 [13] http://www.intgovforum.org/multilingual/content/igf-regional-and-national-initiatives

64 Leave a comment on paragraph 64 0  

65 Leave a comment on paragraph 65 0 [14] http://eurodigwiki.org/wiki/WS_5:_Cybersecurity_revisited,_or_are_best_practices_really_best%3F#Messages

66 Leave a comment on paragraph 66 0  

67 Leave a comment on paragraph 67 0 [15] Messages from 2016 EuroDIG Workshop 5: http://eurodigwiki.org/wiki/WS_5:_Cybersecurity_revisited,_or_are_best_practices_really_best%3F#Messages

68 Leave a comment on paragraph 68 0  

69 Leave a comment on paragraph 69 0 [16] 2016 Asia-Pacific Regional IGF Synthesis Document: http://comment.rigf.asia

70 Leave a comment on paragraph 70 0 [17] http://afigf.org/sites/default/files/2016/docs/REPORT%20AFIGF%202016%20Draft%20outcome%2018102016_evening_rev1.pdf

71 Leave a comment on paragraph 71 0  

72 Leave a comment on paragraph 72 0 [18] http://www.intgovforum.org/mailman/listinfo/bp_cybersec_2016_intgovforum.org

73 Leave a comment on paragraph 73 0  

74 Leave a comment on paragraph 74 0 [19] http://policyreview.info/articles/analysis/what-we-talk-about-when-we-talk-about-cybersecurity-security-internet-governance

75 Leave a comment on paragraph 75 0  

76 Leave a comment on paragraph 76 0 [20] See summary report of BPF Cybersecurity Virtual Meeting from 11 October: http://www.intgovforum.org/multilingual/content/bpf-cybersecurity

77 Leave a comment on paragraph 77 1  

Page 29

Source: https://www.intgovforum.org/review/2016-igf-best-practice-forums-bpfs-draft-outputs-as-of-2-november/2016-igf-bpf-cybersecurity-draft-output-version-1/part-i-framing-the-2016-igf-best-practice-forum-bpf-on-cybersecurity-multistakeholder-dialogue/