Breaking down silos in national and international cooperation on cyber security and cyber crime
24 October 2013 - An Open Forum in Bali, Indonesia
Captioning Provided By:
Caption First, Inc.
The following is the output of the real-time captioning taken during the Eighth Meeting of the IGF, in Bali, Indonesia. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
>> Looks like more panelists than people in the room. If it stays like this, let's just all sit in the front row and it's meant to become as interactive as possible. So please come and sit up front. I don't think a lot more people tend to show up. If they do, we'll see what happens then. Some are fleeing. Okay, welcome to the Dutch NL IGF second panel of this day. I think the part of the reason it's so empty, it had a strange title. For one reason or the other, we couldn't change. So welcome to the Dutch Ministry of Economic Affairs open forum. The real title should have been -- it should have been "Breaking Down Silos in Cyber Cooperation" and a little more. We're going to make it as interactive as possible and discuss best practices and if you have questions, we'll try to have an answer. Where did this come from? We had a session last year that was under the title of "CyberSecurity Incidents and Cooperation." Chris was on there. We came up with excellent recommendations. When we discussed it after we came home, we picked two out. First session we had this morning on cybersecurity and now we're going to do cooperation. Because what happened in that panel is people said, yes, we need to cooperate, we need to break down silos but at the same time recognize that for individual organization, it's very hard to break down silos because it's not in the remit. It's not the task they get from government. And it's certainly not a task to say to the government, wait a minute, we can't really cooperate. We're not allowed to do things cross-border or we're not allowed to give personal data to another organization in our own country. So in other words, are we going to deal with that? And is it that being dealt with in practice at the moment? That's the sort of best practices we're going to try to show here, reflect on that, and perhaps take away a little bit of the myth of privacy and see if everything is the privacy sense of data in all instances. I'm going to introduce the panel.
I'm going to say Thorsten Kraft of ECO was going to present on ACDC but at the moment is ill and had to cancel. He asked me to say a little bit about it. But the right moment is there, I'll reflect on it. But because I'm the moderator, I will not take any questions because the wrong side of roles here. So I'm going to introduce everyone. Christopher Painter, secretary of state in the U.S. -- state department, sorry. I said it the same last year. Sorry about that, Chris. An entrepreneur and student from the Netherlands. Astrid Oosenbrug from the Netherlands. We have AfriNIC. Nina Janssen, Ministry of Security and Justice. So we have a broad spectrum of government, entrepreneurships, international organizations, and commercial parties. So let's start with do we know any best practices in breaking down silos? Who's working on that in cooperation with somebody else in your own organization and managing to exchange data between each other? Who would like to go first? And the mics are on the table. So please pass them around. Anybody? So who's actually working on a best practices in data exchange? Okay, well said, Maarten will kick off.
>> Maarten Simon: Okay, it does work. Yes, well first of all, I'm Maarten Simon. I work with SIDN, the register for domain names. We're the national registry or something like that. We're nongovernmental. We're a private entity foundation. And we run the domain for, well, in -- not for the Dutch government but in the end, the local Dutch internet user. But I'm not here to talk about domain names because I know a lot about that. But that's not the point here. But I -- we have an example now that we started I think last year to -- we set up an organization together with a number of ISPs in the Netherlands to mitigate botnets. And it was -- the ISPs were talking already for a few years together to set up something like that. The idea was quite simple. You get a lot of information about botnets. You find out which of your customers is infected, and you inform them. That's basically the idea. It seems quite simple. But wasn't so simple to set up. Because one of the problems, of course, is find it. You have to set up an organization, make some software, and things like that. And with the help of the Ministry of Economic Affairs, and SIDN, it's not an ISP, we're not an internet access provider. We set up this organization. It took some years, but in the end, we succeeded and it will go live very soon.
>> Natalia Enciso: You're a domain name organization? What made you say, well, mitigation is not something we're going to be involved in?
>> Maarten Simon: We are the domain name industry. But we have in our goals that we want to make the internet safer, more trustworthy. And we invest in that purpose by sometimes donating money to organizations that we support, for example, on on-line privacy and, for example, we have one of the sponsors of one of the parties behind the IGF and more things like that. So we got involved. We knew that the discussion was going on, and that it -- well, it was going on and on and on. And we got in contact and we understand the problem and we had the means so we could make the investment. So it's interesting for us so we were able to broaden the scope to also hosting providers. They're not members yet. But the idea is that they can become members in the future. And so we think it's a good initiative and we wanted to support it. And we will also maintain the systems.
>> Natalia Enciso: So that's a lot of multistakeholderism is what I'm hearing. Michael, you want to refresh?
>> Michael Nelson: Let me give you context for why I'm here. I've been with Microsoft for two months. The reason I was tapped to be here even though I've been with Microsoft for a few weeks is because of my background. I spent ten years in government including in the Clinton White House working on cybersecurity issues and a range of issues and spent ten years at IBM before going to Georgetown University where I teach internet studies. I have a lot of perspectives on this. One of the first things I learned in my first job in Washington working for Senator Gore, Senator John Kerry and other democrats on the Science subcommittee, when asked a question, answer with a better question. I'm going to twist your question and say what are the worst practices? And I've seen some of those.
>> Natalia Enciso: Give us the top three?
>> Michael Nelson: I was going to give you the top two. The first assignment I got when I got to the White House literally day two was encryption policy. And I showed up and the Vice President had just been briefed by the National Security Council on Clipper chip. Some of us remember that. And what needed to be done about export controls. And what was interesting is the Vice President immediately said after he heard that, go brief Mike Nelson about this. And the NSA and the national security advisor said we can't brief him, he's not clear. He doesn't have a top secret clearance. Now the Vice President said, get him a top secret clearance. And I lived a clean life and within three weeks, I had a top secret clearance. But that, I think, is one of the biggest challenges we have in this whole area of cybersecurity. We have these incredible barriers, both government classification and business classification. And the third issue that's coming in is silos created because we need to protect private and personal information. Those three together make it very hard to address some of the serious cybersecurity problems we have. But I think of those three, the biggest one is the government classification. And in many cases, we're overclassifying, we're limiting the number of people who can get access to the information that they need to design better systems, to address cybersecurity threats, to address cybervulnerabilities. That's my first worst practices.
>> Natalia Enciso: Chris, you wanted to reflect anyway? Here's the blame on you as government.
>> Christopher Painter: A couple of things, first of all, I want to congratulate the Netherlands. I just came from the Seoul conference on cyberspace that was the third iteration started in London, Budapest, Seoul, Korea this year and the Netherlands is hosting the next one in the early 20 -- sometime in the first part of 2015, not exactly decided. And the organizer will be -- and the person appointed to I suppose my role is your former foreign minister who also launched the Coalition Of Freedom on-line as foreign minister. I want to congratulate the Netherlands on that and look forward to that being a good event. As far as -- and, indeed, meetings like that, like the IGF, can be a way to break down the silos if you get the right stakeholders there and the right focus. One thing I want to talk about is in the U.S., there has been a lot of attention around how you can share actionable information between industry and government. And everyone talks constantly about public-private partnership, a term that's so overused it's practically devoid of meaning now. You don't -- what does that mean? To me it really does mean sharing information both ways that both sides can use. And government certainly needs the information to help look at the threat picture and help do the things it certifies to, the industry needs the picture, not just the private sector, but society as a whole needs the information to be able to better protect themselves. So a couple of years ago now, there was a project that was focused first of the defense industrial base that tried to share information, signatures of attacks and other kinds of information, with those trusted entities. Now there's a -- and that works fairly well. It was done at the ISP level. And now our Department of Homeland Security is working to do that with other sectors as well. So that's a work in progress.
But it's an example of giving something that the government might have unique access to that will help the private sector and try and do it in a way that's scalable by working with the ISPs. That's a good practical example. There are other ways where information sharing could work and you could break down silos like bringing other stakeholders to the policy making process. That's really important as well as you build things like incident response plans, but that action of sharing information is pretty important, I think.
>> Natalia Enciso: Thank you, Chris. Nina, you can expand on that as an example from the Netherlands that people are calling it the Dutch model.
>> Nina Janssen: The Dutch are famous for this. It's a word in Dutch but I don't know if there's a word in English. We tried to engage enough actors in the policy as possible. That's politicians, of course, the legislative process. Not just private sector. But also Civil Society. What we're recently working on and will be published on the 28th of October is the new updated national cyber security strategy which is forums by this process. We have multistakeholder meetings. What should we focus on since the first strategy and what should be the action forward? I agree with Chris that public-private participation or public-private partnership that we used to call it, it has to evolve to public-private participation. We have to go from discussing things to acting on things and acting it out within the country. So Maarten just mentioned on the cooperation model with the ISPs is one of the more publicly-privately driven initiatives that could be followed in policy areas as well. If I take it from the government perspective, we, as the Ministry of Security and Justice in the Netherlands coordinate the whole government approach on cybersecurity. We do that internally with the public sector but of course we try to engage our partners from other areas, multistakeholder, not just private. Also academia, also Civil Society, NGOs, in our operational arena. So we have to form if CERT and it's turned into a national CERT. It's become the national cybersecurity center. It's linked to the information and sharing -- information sharing and analysis centers of several sectors. There are academia, there's visiting NLs every two weeks and we connected the center to my policy department. So we moved into one building this summer and I'm trying to really understand this tech language all the time. So I think these are examples of how we're really getting across borders and we should continue on those.
>> Natalia Enciso: Is there an example of a case that you've done so far together with all of these different stakeholders?
>> Nina Janssen: We're working on several cases. Basically on, I guess, daily/weekly basis, the first one where we -- we already had an ICT response board which is partnership where we have CEO level or -- oh, yeah. The CI level participation in case of an incident where we need advice and they were called in when we had the digital case in 2011 to solve a crisis in the Netherlands that you could say. We've learned from that. It's -- we should have taken it for -- since then, we've been taking it further and this response is a way -- a manner or two to -- yeah, to respond in a multistakeholder way to a security incident.
>> Moderator: Thank you. I think you're also in a multinational arena. Where do you run to when you break down silos?
>> Adiel Akplogan: Yes, it could look ugly for us. We're an international organization P organization and by default, we work with different stakeholders locally. And by default, our policy mode is multistakeholder by nature. But when it comes to cybersecurity and cybercrime, it has some challenges to which we need to look at very closely. You are talking about sharing information, for instance. We have a public place where operators must register all information about IP address and their usage. Now one thing is to have that information registers in the public data. The other thing is to be able to access them or use them, meaningfully in these investigation and in our origin, the cyberinvestigation and all around it is still new for several law enforcement. So one of the problems that we face is not yet very accurate at sharing but how to meaningfully use the information that we make available. So at the very beginning, I feel like we had a lot of challenge directing law enforcement and government agency to the information. They systematically clung to us at AfriNIC to have the information to fund the information. While in our mission is not to really provide information. That's why the information is public. They must be able to find the information themselves and then track it down. So we have several things. One thing we are doing is to try to walk with law enforcement agency locally and say what are the options? How do you refine your search in the database? And we're going even further by trying to design a tool that can be used by anyone, but among other, by others who are looking for this information. The same thing that we have done to -- to make this more of a kind of scalable is to create what we have called a government working group. But honestly, it started with law enforcement agency group who approached us to discuss our policy mechanism, how our policy are defined, how the usage of the public database is defined.
And what we can do together to make those information accurate. So it's a -- it's a closed by invitation group now where we discuss with government. But also with law enforcement agency on those challenges that we have and how we can work together to make sure that that information is accurate. We as a district cannot say rule on legislation on that. And it's at a very global level. But what we keep telling them is that you have to really well understand how the policy development process is so you can work locally with your stakeholder locally. Your ISP, your network provider locally so to understand how to maintain information in the database and how to make your life easy. No ISP wants to be contacted because somebody on their network or their customer is hosting a criminal is server. They want the person directly to be contacted. But if you don't provide the information in the database in the first place, you are exposing yourself. So sharing that kind of knowledge and information on how to use that is helping. But we have 54 countries with 54 legislations and 54 different persons to deal with. And that's where the challenge is. How to access people who have that interest and access them and provide them the information in the very sustainable way. We have that as well. The ability of people who are dealing with those issues. So that it can keep the continuity.
>> Moderator: So for you breaking down silos working more than both ways even. Good example. Thank you. Mike?
>> Michael Nelson: Just a couple of quick other points I'd like to make. Before joining Microsoft, I did consulting with a leading edge forum, a group -- a think tank within CSC. And I wrote a paper on creating your transparency strategy, listing how companies and government agencies have decided to be more open about what they're doing and what techniques they use to do it. One of the key pieces of that is building your systems so that you can manage the sharing and audit the sharing. So one thing we're working on in the Technology Policy Group at Microsoft is what we call trustworthy data management. You can imagine a spreadsheet where different columns have different rights and you're able to know who actually looked at those different columns. Now we have systems like that, but they're designed for certain intelligence agencies and they cost 100 times more than a spreadsheet. We need some very simple-to-use tools to allow us to share information, know who's got it, and know what they've done with it. And luckily we're working on that. And we need the audit about to go back. The Bradley Manning case is an incredible example. The story behind that is that there was a clear need to share information, a small contractor, not Microsoft, built this great system to help agencies share information in a secure environment and they did it as a pilot project. And very quickly, everybody wanted to use it. At that point, the contractor came back to the agency that it contracted with them and said, you know, we don't have proper security because this was a pilot project. We were just manually looking at the logs of who was looking at what to see -- to do a manual audit. And the logs were now that much paper every week. And that's why Bradley Manning wasn't noticed because they didn't invest the money to go back and do the mechanical audit, use some artificial intelligence to see who's looking. That can be done. And the kind of sharing that that system enabled was necessary.
It's still necessary. But because of what's happened, they've now put the silos back in place. So this is really important. The last example I wanted to use was Y2K. I was in the White House and about 1996 one of President Clinton's close friends came to him and said, President, the world's going to come to an end and it's going to be your fault. And, of course, Bill Clinton delegated all of the digital stuff to my boss, Vice President Gore. And Gore came to me and said what does the President need to know about this. I wrote the first briefing for the President on these issues, very short. Basically the bottom line is this shouldn't be too much complicated from going from DOS to Windows. It's billions of dollars, it's not trillions of dollars, and it's not the end of the world. I was really interested in what happened on the last day of the last millennium. But in that case, we did something very smart. Bruce McConnell who was a close friend who was in charge of the international Y2K effort within the U.S. What they did there is they let everybody know this was a penalty-free exercise. You know? You weren't going to be held accountable if you were behind on your effort. Just tell us what's going on. In a lot of other efforts, when they try to do something, people get, you know, they get -- they report something, it doesn't look good, they have to do three more reports. Well, with Y2K, there wasn't time. So they just made it very simple, a very simple reporting requirements. Everybody just went out and moved as fast as they could and let everybody else know what was going on. That's what we need to do more of. Too often we get in the bureaucratic cycles where everybody has to tell everybody what they're doing all the time. Then when there's a glitch, there's five more reports. It has to be simple and clean. And that's -- I think that's the most important thing we do when we design the information sharing systems.
>> Moderator: Maybe I should take off my moderating chair craft and put on the ACDC cap for a minute. As I said, Thorsten Kraft, our advisor is ill and could not make it to Bali today. Advanced cyberdefense center. Short words, one half is on establishing national support centers which are going to help the end user disinfect the computer -- the computers or the devices. The other half is establishing a pool of data on the malicious traffic and analyze that and enrich it with other information so that perhaps from behind the data that will become clear so that people behind the nets and assisting the botnets knowing and knowing when not to drive that back and make it a little harder to operate it. There's a project that runs for over two years and it started in February, ends in August. People who are interested can give their card to me and I will pass it on to Thorsten so he can get into contact with you. And I'll leave it with that because as a moderator, it's very hard to discuss the topic as you can understand. I hope I said it well for him. Putting my cap back on as moderator. We've been talking about the best practices at the moment. We've seen several of them. The other thing is that people on the panel said it's very hard to do all of this data sharing. And let's go and see whether that is true or not? From your personal experience, do you actually share data, for example, from private and law enforcement or from law enforcement to private or between each other and help each other solving cases or solving and mitigating problems in the private sector? So who would like to kick off with that? Is it difficult or, yes, it is possible on the circumstances?
>> Yeah, it is difficult. The problem is people lost their trust somehow. We have to find trust back so you can start sharing information again. You need to break down the silos. You need to get the trust back. So for the government, I know they are using data between companies and what the government uses, but they use the open data, share data. -- sharing data. So maybe we should learn to trust each other again. If the government starts to put out open data, and the companies can use the data in a good way, people see, oh, there's a good thing in sharing data. So maybe that's a good start to breaking down silos the way I see it as I talked to people and I talked to companies and I talk to ministers.
>> Moderator: A youth view on sharing data. Is that something we're going to be talking about in ten years from now or will it go away because we're sharing data already? What do you think?
>> Bastiaan Zwanenburg: I think there's a lot of things you can do when it comes to sharing data. When it comes to breaking down silos and different companies and governments working together, I got triggered the work. And when you are in a relationship and you're filling it with information and the other one in the relationship asks for this information and you're not sure whether or what he or she is going to do with it, you probably won't share it. But over time, when you get to know someone better and starts to get a deeper understanding of how someone thinks and what somebody wants, it becomes easier to share more with the information. When you translate that to organizations, what I believe if you want to break down silos, you first have to start, get connected with each other on enough information level. It's about sharing knowledge, about sharing visions. How to work with data, it's about sharing information, storing safe data. For example, the story you mentioned about like a spreadsheet where you can see who actually used the data, it's a very good example and you can bring it to ISPs and to different companies, the government, all kinds of organizations that have a lot of data. And once you start to share knowledge and visions about data and the way you work together, over time, there will be a point that you start to understand why it's viable to share certain information the way the ISPs and the SIDN came together. I'm sure it worked like that. It was I'm going to ask them to help with this project. This is in building trust. But if you look from the consumer's perspective, this is just one concern I want to raise. I know it's very opposing for the -- I think for a very progressively session is when I share data with the company because I love them, because I'm -- I know what the purpose is of the information I share with them, for example, Facebook. I might have no problem at all when governments use this data.
But I trust Facebook to share this data with the government if they do it in the right way when I trust Facebook. So I trust Facebook to share data in such a way that they don't bring me into trouble.
>> Moderator: If they do anyway because in the U.S. it's a different law, would you give up Facebook or continue?
>> Bastiaan Zwanenburg: It surely brings damage to my relationship with Facebook. But I'm not talking about sharing all of the data. I'm talking about sharing data that's actually valuable for the government. I have the feeling that government, secret agencies, etc., they look at all of the companies and startups and they're like, oh, my God, they have so much data, I want some of it. I want to play around with it. And it's not very purposeful to the government to ask for this information. Once the purpose is clear and Facebook understands why certain governments need certain information, I totally trust them with it. If they need a transcript of my chats because they want to know what location I was because there was a fight and probably they could use me for -- to ask some more questions, you know, they saw my location, I was having a chat somewhere in a park and in a park, someone was in a fight. This was the information they have. I have no problem with the police knocking on my door to ask some questions so they can find the actual criminal.
>> Moderator: Thanks. A different perspective. Maarten? You're a private company. You have a lot of personal data. Does trust come into it if you share data with police and other organizations or does it have nothing to do with it?
>> Maarten Simon: That's a difficult question, thank you. Does trust play a role? Yes, trust plays a role. But I have to mention that most of the public -- personal data we have is already publicly shared. So that makes it a bit strange. We have the function -- I don't know if everyone knows it. We published the names and addresses of all the domain name holders. So that's already public. And we -- well, since it's a bit problematic legally and in the privacy law sense, we limited the information and over the years and now we don't show addresses anymore. And government agencies can sign a contract with us to get the information. And in the contract, of course, we say that they can only use it for certain things and if they have the rights to ask us what -- well, we're Dutch, so we trust our governments, sort of. We never check what they do. But, of course, we have a limit. So we know they come take more than say 100 a day or so. But that's it. That's based on trust. But it's a bit typically Dutch, I think.
>> Moderator: Astrid, we had a discussion I think last night. You said, well, there's these systems that the police are doing by the millions a year and how does that compare to real investigations they do? Do you have concerns on that? So does open data or private sensitivity data.
>> Astrid Oosenbrug: I have concerns that I cannot do my job. My job is to control the government. That's my job, mostly. So if they -- if the police go and go into data and I'm not sure or I can't look what they are doing, then I don't trust them. So we need laws about it. So now we're making a law, what police can do or can't do. I trust they'll be back. I can control. I need control, I need trust. Those are the two things that I need. So -- and the story about maybe it's more -- I'm more of a privacy lover, I guess, I never want the police to find me on Facebook to say you were there at that moment and maybe you are a witness. Because that would really scare me off. So that's -- that's something I wanted to say.
>> Michael Nelson: Just a real quick bumper sticker. On this report on transparency, I said mutual disclosure. I'll tell you information, but you're going to tell me the information you collected and you're going to tell me what you're doing about it. We have a good model for this in the U.S., the Fair Credit Reporting Act so we have a system for rating my credit worthiness based on financial transactions and we have a right to know what data they have and I can access that record each quarter.
>> Moderator: To Chris?
>> Christopher Painter: I've spoken to several organizations recently in the Netherlands is I'm not going to share any data with the U.S. anymore. Is there a sense of trust that is gone? How can we reclaim the trust because it was there before June, quite frankly, I think.
>> Christopher Painter: It would be a mistake not to rebuild the trust. The whole point is to really combat threats and to help in this area and help with cybersecurity. So I think that would be a very shortsighted approach to take that approach. I think that there are a lot of controls and protections in place. I hope that doesn't persist. There's been this issue, though, I think that everyone has seen this in their own experience that there's always a lot of -- there's been reticence between the private sector to share information with the government and really vice versa. That's nothing new. And part of it is not an expectation of what the information is going to be used for, how it is going to be used, and what the capabilities of each side are. So in the area of cybercrime, people -- there's been this underreporting problem, for instance, where people haven't reported the incidents. The law enforcement authorities and further victimize the victims. Sometimes it's based on the understanding of what can law enforcement do for me anyway? They're not going to do anything about this. This is an education and confidence building exercise as well, I think.
>> Anyone else want to respond? How does trust work between all of the African nations? How does it work?
>> Adiel Akplogan: No, it's not working. Yeah, let's put it that way. Yeah, trust in the digital world is even worse than trust in physical because in the digital world, there's more difficulty controlling or following what is being said. I mean, I'm happy to talk to the police one day if they ask me more than what I can tell them. And I'm not even aware. That is where the -- where the worry comes from. And moving from that real world to the digital world in the region like Africa where the internet is becoming -- the embracing the internet now is more difficult and it doesn't even make it easier because the thing is as you mentioned is the confidence I want to share but I want to know that what is the information which is there? What is being used for? And then people -- people will be able to share. And on top of that, there is a -- there is an issue and we're saying is about the -- about the -- the regulation of the -- of the legislation framework, the framework of that. Because, you know, somebody in the -- in the remote DRC who is using his computer and doing things and has no way of going behind facebook of what he's sharing on his own legislation. However, if it is a local company, he might have somebody to help him locally. So there is a need -- a very critical need to reveal the trust base on some transparency. On that area. I think that's what we shall impart. And that's where, again, the multistakeholder, multi-interest group participation is very critical. Locally but globally. Sometimes it's even more easy to accept a level globally to have this kind of thing. But thinking it's global and applying it locally and creating the clink be very difficult. We need to work probably on that aspect.
>> Moderator: You used the word "transparency" that might be a solution to some of the things happening in the moment. Could you reflect on that? How could organizations or should the government be more transparent? How do you envision that?
>> Adiel Akplogan: I think transparency has different levels. That is the real world and if we translate that to the digital world, it's -- but at least people must be -- people, company, government must know exactly on which framework sharing of information is happening, for instance. What are the limits? What are the use? And that use can usually change all of the needs for sharing can change. And that's what policy is about. You can change it any time. Adapt it. Make it more relaxed. And I think that transparency and letting people know that, well, okay, this is what's being done, this is what's being shared can even help them, help in this case. We had a case recently where the investigation has used public information. Crowd sources is one and different -- people share information because they know what they are. And I mean how hard can we make that more -- in a more formal framework.
>> Moderator: Robert would like to respond. Then Nina. If there are any questions in the room, this is supposed to be interactive. Alert me to -- oh, you were late. But if you have any questions, please alert me. I will certainly come up to you and you can ask a question or make a comment and participate. Robert? Okay?
>> I totally agree with you about the transparency part. I face the fear, oh, police know a lot of information, they will probably come to me and get the wrong conclusion. And I'm the one being taken in instead of the real criminal, yeah, being suspected for the wrong things. Yes, the police make mistakes and they do now with data that's available. A lot of the times in the Netherlands had things on Twitter where police went after certain people for things that were said. While people were tweeting that the police were at the door, other people were smart enough to find out that the police were there because they could read it on Twitter. If the police were smart enough to check out more context, they wouldn't make the mistake. If we go to the postprivacy world where all of the information, all of our locations, everything we do, are available for everyone, then, for example, the police and actually everyone has enough context to make better decisions and better innovations as well. It sounds very scary if our information is out there, I'm sure. Another beautiful thought -- and this also connects to your ideal having people show who actually reads or uses certain information because if we know everything of everyone and what they are doing, we also know who is checking out our privacy information. So I know, okay, for example, they're checking out where I'm going or where I've been today. That's scary. I can talk to Luto about it. And then he says oh, Robert knows what I've been doing on this profile. It gets very complicated. But what happens is there starts to exist a kind of cold war of information because we all know what the other one knows. And what happened with the Cold War never got to a war. Exactly. This is the beautiful thing about information if you have enough of it. So just a thought.
>> Moderator: Nina first, then a question, then to you, Mike.
>> Nina Janssen: Something short because the public is eager to participate as well. Putting it on the table. As we were talking about, trust by transparency and transparency being transparent about your interests and objectives, you have a form of transparency, a trust that is built on knowing that the other has the capabilities and the capacity to protect information to share information in a protected environment. So maybe just a building of capabilities of your partners. So a broad -- your external partners from government. Nationally your private partners. But also academia. You need to know whatever information you share can be trusted with that because they have the correct capabilities. But about that.
>> Michael Nelson: A couple of things about transparency. Microsoft believes in transparency. We have a report we just put out and we're suing the government because we want to be more transparent and classification rules are preventing them to do that. Customers want to be more transparent and because of poorly designed regulation, they're not able to share the information with their customers. There's need for reforming government regulations that get in the way of the sharing. Regulations are often there for a good purpose, national security, law enforcement, or privacy. They're not implemented well. They're written so vaguely that lawyers will overcompensate and hold back information that should be shared. The point about the cold war that's interesting is the phrase mutually shared disclosure comes from the cold war. There's a wonderful book by David Brin, I don't agree with everything in the book, but it's called "The Transparent Society." It's a little over 10 years old. He's very utopian. He has a picture that we all know everything about everybody. That's a good thing. I don't agree with it entirely. But it's a thought-provoking book that gets you to thinking about how extreme transparency can lead to extreme awareness and lead to extreme possibility. And perhaps some of the things in that book are already coming true.
>> Moderator: If you have a question, please state your name and affiliation?
>> Hello, I'm Paul Finnegan from the internet and jurisdiction project, a global multistakeholder to address the tangent across the internet and geographically defined jurisdictions. The discussion of transparency is interesting and there's an important distinction that you also alluded to. There's two notions of transparency. On the one hand, static transparency we talked about. We have numbers to request. But I think what you mainly talked about is a sort of procedural transparency that there are clear procedures -- that there is a transparency of how things work, how relations work, how requests are routed between the different partners. How is fair process and in short, what are the appropriate safeguards and procedures within the system. The question to the panel is the following. The title is breaking down silos. And in the beginning you started to talk a lot about public-private cooperation and it sounded like you would talk about public-private cooperation within the board of national jurisdictions. I wonder how it will apply in the transnational context. Most have a dimension because they involve maybe simultaneously multiple jurisdictions due to the location of the ccTLD use the location of the platform, the platform use, the location of the user and so on and so forth. So how does this cooperation work on a transnational context? Thank you.
>> Moderator: That's exactly my next question. So thank you very much. So I think that's right. So I think summing up what we said that trust comes in to when you talk nationally. For you, you're working with 54 different jurisdictions, Adiel. But, Chris, how do you envision the borders and sharing data?
>> Christopher Painter: What happens is through a number of different mechanisms. We need to continue to strengthen all of those. So there's increased sharing of information between law enforcement authorities that's gotten better over the years but it's not perfect at this point. And there's several ways that's done. One is through networks that have been set up like the 24/7 network that has about 60 countries in it. That can be a fast freeze, slow thaw if you will. At least make sure that the data is available and preserved so you can go through the process of actually exchanging it. And increasingly, I think, jurisdictions are doing joint investigations which allows a much more easy and robust sharing of information back and forth from the authorities. The other thing is, the technical community, the cert community has done its best. The first is government certs. Government and private sector certs along for a while. That is increased sharing. But increasingly, the countries have created dedicated national certs. That's one of the things to be part of the national strategy as companies look at this issue. The certs are good at cooperating back and forth. I'll give you one example. And there's a diplomatic aspect to this too. I think everyone knows that the U.S. financial -- financial institutions have been subject over the last year to a number of denial service attacks, distributed denial service attacks. One of the things that we did to mitigate that attack is we went to our U.S. cert went to their counterparts where there were counterparts. In some countries, there weren't. We had to use other channels, and asked for sharing -- or help in mitigating the threat. Because Botnet is just compromised computers anywhere in the world and the concentration of the bots, the actor launching the bots could be somewhere else, the concentration could be anywhere. Sometimes there's a concentration in Germany. Sometimes there's a concentration somewhere else. 
So over time, there were requests made to about 100 different countries saying could you do what you could do under that domestic law to mitigate that? In some countries it's asking the ISPs, some countries they have other mechanisms, legal mechanisms in place. But the thing we did that was different is we also had, you know, I've been to the state department now two years. There's a diplomatic tool called demarche. That always seemed nasty to me. It seems like it would be yelling at each other. You can have a positive demarche. We had the embassy go and contact the policy making people in those countries and say, look, you know, you get the technical requests from this all the time, this one is really important. Could you help us out? And that was meant to build this norm, if you will, a better cooperation internationally on some of these issues. And we asked for cooperation for lots of different countries including countries that sometimes we don't get along with. So, it feels important to build that cooperation against a third party threat. And we had a lot of success with that. And we had to be willing to respond if those countries ask us as well. There's a third part which is how do you bring the stakeholders the private sector, and the others involved in that. I think traditionally and probably still the way that's most done is the government entities are talking to each other and they're responsible for reaching out to the private sector entities in their jurisdiction. But that's a little messy when the entities are cross jurisdictional. We have to have ways of dealing with that. We're better off now than last year but there's a lot of work that needs to be done.
>> I think what you started out with is you have the police silo and the cert silo and the private silo.
>> Christopher Painter: I would say even those silos we see breaking down because years ago, one of the things that we launched in the first is we had the law enforcement community come in and give the workshops to the first community. When he started, the first community, the law enforcement guys don't really trust them. Don't know what they do. Seems kind of weird to me. Not sure what it is. The cert community, that's the cert community. The law enforcement community said who are these guys, who are these tech heads that we're dealing with. There wasn't a lot of understanding. How many of the workshops that we got together. The first one was remarkable. This is six years ago now. People are in the room and it's very stand offish. Now they get them done every time they get together. They're cooperating on cases and working on ways to share information between the certs and law enforcement and vice versa. That's a good thing. So there are ways to break down silos. You just have to keep at it.
>> Like IGF is doing, for example? You have a question?
>> Athena Aguli for RIPE NCC. We're the internet resources and we're based in the Netherlands. Talking about transparency and sharing information. We have an experience on that. And recently we received more and more requests for information by LEAs. And LEAs not just based in the Netherlands but also based within the other areas within our region. We allocate addresses and we have members in Europe and Middle East and central Asia. So we receive all kinds of requests for authorities. And we had an issue with our members because they were feeling very uncomfortable because, well, in the beginning, they were saying, okay, you don't share -- you're never going to share our private information. Will you? And we said, well, sometimes we have to if we are -- if we receive an order or we receive a request from the housing authority to share this information. They were very uncomfortable with that. On the other hand, we have LEAs asking for information without the proper authority and we were telling them we cannot give you this information. And the answer was, well, don't you want to help catch a criminal? Is this is what you're doing? So we were a little bit in the middle. And we -- the solution we found appropriate was to publish a document, a procedure, where we clearly say what kind of information we're going to share with law enforcement authorities under what circumstances. That was very much appreciated by the members and also I think by the law enforcement community. And I -- a second thing we did in terms of transparency, we published a report where we give like a statistical information of where this request comes from, what kind of information they're asking for, and how we handle this request. And that was also very helpful, I think, for our membership, thank you.
>> Moderator: That's a great example of how to work with law enforcement and government. The roundtables, after a while, the cybercrime working party brought the community together with law enforcement and once they started talking to each other, the discussion just changed from hostile to friendly. And now this is the document that everybody seems to be happy with. This is an example of the multistakeholderism in the local-regional level. I saw a hand, I think, from remote participation or? No, okay. Okay, Luto? Then back to Maarten?
>> I'm Luto from the Netherlands. What a surprise. I'm coming from a total different background, I guess. I used to work with youth participation a lot and the last couple of years I stepped into corporate leadership development. But if you work with the big companies, the big top 500 corporates, I mean there's a lot of different stakeholders in there. Basically you have to do a leadership process, it's about multistakeholderism. And one thing I want to make clear is I see is a difference -- in many cases where it goes wrong in this area that we're talking about right now is that, you know, multistakeholderism and breaking down silos is always based upon mutual interest. Now, that mutual interest is there as well. But you mention trust as one of the key elements in that process. Well, trust will never be there as long as it's not result-based. And the last couple of years, unfortunately, in the media especially, the trust has been gone because the results weren't there yet. So I mean at the end, I think all of us coming from each silo, we have to just, you know, look ourselves in the eyes a little bit and see that we messed up a little bit at a lot of points. We need to get better results to build more trust so that, you know, so society in general will actually give more trust and more faith in that process of building down -- of breaking down those silos. So I would strongly encourage everybody -- I'm not directing that at you. I just want to share this idea, I guess, of, you know, putting a little bit more pressure on to ourselves to really deliver the added value to the society. As long as there's no added value, there's no result and there's not enough people who will support this process of multistakeholderism. So in the end, we have to look at ourselves to see, we should have done better, we need to do better. In the end, that's what we need to organize. That's the process that we need to facilitate with all of us. 
And at this point, you know, honestly, we all know it makes sense what we are saying. But the output is not there enough yet. And in my opinion, that's one of the biggest problems -- in corporate settings, if there's profit, that's the output, and there's trust. In this setting, it will not be about profit, but the result and the output should be way more clear.
>> Moderator: Okay, thank you, Luto. Mike, you want to respond?
>> Michael Nelson: A couple of quick points. I'm so glad you're in the leadership business because that was one of the six words I wanted to get to. Having leaders in an organization or company that understand the need for transparency is the most important thing. Having a leader to back up the lower level employee that shares just too much information and causes some trouble, that's a really important and unfortunately, most CEOs are still because of legal constraints and P.R. constraints, they're still not willing to back up transparency. They're not willing to -- to really say, yeah, that person may have done the wrong thing but they were doing it for the right reason. The other point I wanted to make, and this is going to be a little outrageous is I think a lot of people do understand that the I.T. industry's doing okay on cybersecurity. We're not doing great. But the phrase, you know, "digital 9/11" has been around for 10 -- been around for 13 years. The phrase "digital Pearl Harbor" has been around a lot longer. And we haven't had one. I mean, we really are stumbling along building -- making better, more secure software. Microsoft has become an incredible way in the last ten years, partly because of the leadership, Bill Gates and Steve Ballmer made it clear it's priority number one. They set up an initiative which is 800 people. They redefined the rewards structure for the developers. And as a result we must have much more secure systems being shipped by Microsoft. But that leadership is important there. The leadership is really important on the transparency side. So thank you for bringing leadership into the discussion.
>> Moderator: I'd like to stay with you, Mike, if possible. Because Mike is doing something with the digital crime unit. They do a security team that goes out in the world when they have a crisis somewhere and helps. That's not something that brings in money directly?
>> Michael Nelson: It doesn't bring it in directly. But certainly having customers who trust us is a huge amount. I'm part of an interesting group that studies the relationship economy. Every two weeks, we do these conference calls exploring how companies need to do things that don't get reflected in the bottom line. And that's a great example, you know? Working with national government to solve problems like child trafficking or child pornography. That's just the right thing to do. It's good because it's both what a good company should do. It's also on the bottom line side something that attracts good employees to our company. As I say, I just joined the company two months ago. And it was things like that that convinced me Microsoft was the right place to go at this point in my career.
>> Moderator: Showing leadership, let's expand on that a little bit. For all of you for reasons applicable, what silo would you want to break down at this moment? What would you like to change when it's on cooperation, whether -- with whoever as long as it's with this topic, of course? Would you like to start, Chris? And we'll go down the line? Who would you -- what silo would you want to break down this year to make the internet more secure?
>> Are you going to turn the camera off? Let's classify this part.
>> Christopher Painter: I mean, this -- that's obviously a tough question. I guess I would like to see more -- more discussions, more coordination between the security community -- before -- I mean, if I asked this a couple of years ago, I said the security community and the private community, I think that's happening. But I think it's between the security and tactical community and the community of people who rely on these technologies, particularly the economic communities. So one of the things that I think was important this last year was President Obama raising the issue of the intrusions of computer systems on theft and trade secrets and intellectual properties. That was raised and people thought it was the security issue. They said, well, it's a security issue. I should pay attention to it and they kind of let it go. The reason it's taken hold in our country and the reason it's been a big issue in our relations with other countries and it's become a big issue for countries around the world, it's seen not just as a security issue but an economic issue. But I think when you talk to people, you talk about internet policy, including in forums like this, there are people who talk about internet policy and use the term "the internet" and people who talk about security policy and use the term "cyberspace." Part of it is bringing those communities together and let them see they have the same goals and then come together to achieve them. There's breaking down that needs to happen there.
>> Moderator: Thank you.
>> I have a developer background. I get excited from certain data. And I was thinking what data would I use. I'm not a big corporation and neither am I a government. So I'm thinking from a startup perspective, from a small company, which kind of data would impact -- be useful for me to build a business upon and give people a better experience on that certain data and have helpful insights as well. Because that's also where we're going in the next couple of years, data-driven services. And I couldn't answer that. So the problem is, there are so many companies, so much information, the government has so much information and they're not even thinking about sharing it or making it -- they're not talk about open data, we're talking about accessible data built on mutual interest, of course. So there's nothing like one silo. It's more about just a culture change that needs to be happening like government, cultures, and organizations.
>> Astrid Oosenbrug: It's difficult from my point of view. I'm not a politician. I think in many different ways. But I would like to see even more people working together so we already started that in Holland. We brought together the government with the industry and the knowledge centers and the universities. They all talk together. Maybe we should -- maybe the last silo is stop talking and start building. Maybe that's -- but no silo. But building, you know, in a good way. So that would be my wish for next year.
>> Michael Nelson: I'm going to say something outrageous again or at least confusing. I want to knock down the information sharing silos. And by that I mean these organizations that are being set up to be the -- the one-stop-shopping source of all information on cybersecurity problems. And we see this in some cases where rather than facilitating many communications -- so everybody is talking to everybody, they've done one of two things. They've either required everybody to set up these bilateral arrangements where person A talks to person B and person A talks to person C and there's all of this elaborate negotiation that goes on one group at a time. Rather than just putting all of the data into something like Facebook, which is not a bad model for this, where everybody puts their own data up there and it's shared. The problem is we do see government agencies that like the Facebook model, but they want to be the gatekeeper before things are put on to this pooled sort of information. Both the gatekeeper of what gets up there and the gatekeeper of who can get in. That's not going to work. That's not what works for the hackers. They don't have somebody controlling the information flow. They're out there many-to-many communication. They're sharing information back and forth at light speed. We've got to learn from them. I think most of us on the panel know about this book. But there's a very famous book about John Arquilla, 15 years old now on "Network." Takes a network to be a network. That's the bumper sticker from that book. It's true today, it's even more true today.
>> Adiel Akplogan: The main silo I would like to see break is the -- the one based on trust. We need to work together to build trust, to make -- to make, you know, make the environment trustworthy. And that means genuinely fighting cybercrime. I say generally, I mean moving from talking, conceptualizing to acting and putting things together. I'll add to that we have also to stop thinking about the internet as this wonderful beautiful tool that we use. Internet is becoming part of our life. It's completely changing the game of the way we live. And that's -- that is put in front of us very hard question -- probably it's not more very hard in some of the countries like the U.S. has a lot of -- but in many places elsewhere, it is raising some very, very important questions and we need to address them. To bring trust back. And that's important.
>> Moderator: Thank you.
>> Nina Janssen: What I think that we need to break down? I don't know. We've developed from a policy perspective. We've developed from a cybercrime glosses to cybersecurity to cyberspace, actually. We're not just talking about security, there's the economic benefits of our technological advances. And the other -- within the triangle, you have the freedom side of the opportunities that it provides the individual user of internet or other technological means. I think within this triangle, there are silos for a reason as well. There are different interests. They are very valid interests. And we should share information. We should be transparent on those interests and objectives. At a certain point, I do like to respect or I -- I -- the silos are there for a reason.
>> Not always.
>> Nina Janssen: Depends on what you see as a silo. If we're talking to the private companies sharing information with us, they're asking for the competitive advantage or the relationship we have that we don't share all of the information that we get from them. So there's a good reason not to share certain information, to share, for example, anonymous data instead. There are reasons for this.
>> Moderator: Maarten, you said break down silos or making them acceptable all at the same time.
>> Maarten Simon: Yep. Thank you for making my point. Leave nothing for me. I'll come up with something else. No, but it's true. Breaking down silos, yes. But as far as it is necessary. It's not necessary to break them down to the ground. So what -- one of two things I myself noticed is that we're a private entity. We're not for profit. So maybe we're a bit different from for profit companies. But what I hear in the -- we work together with Dutch national cybersecurity and one of my colleagues goes there. I think once a week or once every two weeks, I don't know. And what I hear back from him is that he is there and he shares everything. Because we're a very open company. But that -- as soon as it -- he wants to share a lot and the government sometimes wants to share also -- see, the people want to share. But then they have to go back to their lawyers. And I'm a lawyer myself. But I think you can share a lot. Don't be afraid. So maybe we should just bring to the silo of lawyers down or something.
>> Christopher Painter: There are two types of lawyers in Washington. There are the type that tell you what you can't do and then there are those who find a way to let you do what you want to do. There are a lot fewer of the latter type, so they're a lot more expensive. So as a result the government can't hire them.
>> Moderator: I think what's good to notice here is there's some sort of a consensus. That's one. But the other one is that the game seems to have changed since we talked last year. Because what some are saying, we used to look just at cybercrime. Now we're looking at cyberlife, basically, our lives. And the thing called internet which has been a part of our lives. And is that actually going to look at the youth, first. Do you think the issues of privacy centered government, is that going to be your issue when you're perhaps in government or an institution ten years from now, or let's say just pretend you're working there and it's the same issue as nowadays when lawyers say, but you're not allowed to share data, will change?
>> Robert: Well, when it depends on me, I will work on encouraging people and building trust. The problem in trust, it takes a lot of trust to build trust. It's gone in a split second when someone makes a mistake. So I would like to quote Luto on this. What he said is there's a difference in working together or sharing data, privacy and personal information built on trust rather than mutual interest or purposeful sharing of your information. So if it comes -- if it -- if I can put it this way -- if people start to understand the purpose of sharing their data, they will be more easily sharing their data. So I think this is one of the changes that needs to be happening, true awareness, true -- okay, share your data, it becomes useful and it becomes easier to do it.
>> Moderator: The exact opposite that the European Commission is doing with sharing data. They're trying to restrict it as much as possible.
>> Robert: Right now all of the data being gathered is not very purposeful. It's being gathered for the sake of in ten years it might be useful. And in that case, I'm not really a -- I'm not throwing all kinds of stories to someone that will leave tomorrow, won't see them for ten years. And in ten years, he will remember something and then maybe you know, it's -- the companies that are gathering the i