Best Practice Forum on Cybersecurity
08 December 2016 - A Best Practice Forum on Cybersecurity in Geneve, Switzerland
>> MARKUS KUMMER: Good morning, all. My name is Markus Kummer. I'm co‑coordinating the session with Segun Olugbile who is sitting there. I won't say much, I mean, the hard lifting has been done by Brian from the IGF Secretariat and by Martin who will be the moderator, just a few words on the history and where this comes from. The past two years we had two Best Practice Forums dealing with related issues, one with the C CERTs and one with unsolicited communication. Martin was involved in all of them so he has the history, and this year the experts involved, we had discussions from early this year onwards on how we should maybe continue.
And the idea was maybe we should broaden the scope a bit. This is also in line with the resolution that extended the mandate of the IGF. It has a fairly strong emphasis on cybersecurity. So the experts concluded that it will be good to have a slightly broader look at this issue and Martin will say more on the definitional aspects of cybersecurity as it means different things to different people.
But another important part of this discussion was this was conceived not as a single project. That was not the idea that we solve all of the problems and issues by the end of this year, but that this is a multi‑year project and the IGF, I think, can have a prominent place in this discussion. There is an increased concern of Governments in the UN framework, cybersecurity is discussed in the first committee, the first committee is the committee dealing with disarmament and peace issues and that is a so‑called global group of experts and that is a Government only commission, Government only group of experts.
We think it informs Government experts if they actually discuss with people, technical experts and also Civil Society, and we hope that in future we have also this interaction of the IGF, which clearly has a role to play in this aspect and can inform also Governments, and with that I hand over to Martin. Please run the show and take it away.
>> MODERATOR: This Best Practices Forum came out of a set of Best Practices Forums that took place over the last few years and one of the core things we learned during the Forums is it was difficult to get multistakeholder engagement around the topic of incident response teams. During those discussions, we ended up having a lot of incident response teams around the room. We did also have other stakeholder communities but quite often there were issues around definition. What is it really that an incident response team does? We worked for two years to address those and this year we wanted to widen the scope a little bit and really review what it means for different stakeholders to work on cybersecurity together.
Cybersecurity has typically been a topic where Governments take the lead in many cases and that has always been met by concern with some of the other stakeholder groups and the participants to the BPF saw this as an opportunity to engage a wider audience and get everyone around the table that is important to our social life, our economies and the way that the Internet as a technology operates.
So I greatly appreciate that this year we have a standing room only session and all of you have come. Very quick administrative overview of what we will be covering today, and I don't know if we can present the slides for a second. But I would like to walk through how we will spend the next hour and a half. The first 15 minutes are really there for a quick introduction to the BPF, where did it come from, what has it done. Then we will spend about 15 minutes talking about the current draft and the comments that were received from various stakeholder groups and I will actually ask Brian to walk us through the process a bit as he did a lot of the hard work at getting everything together for this session.
We will spend about 20 minutes giving all of the speakers time to provide an opening statement on how they see cybersecurity within the IGF, how they see cross stakeholder group communication and coordination happening, and we will also have input from Matthew Shears from a feeder session that took place earlier in the week. Then we will have a half hour for group discussion and questions and answers. If you have particular input that you haven't been able to provide through the review platform or you haven't been able to bring up in the mailing list, today is a great place to bring the questions forward and we will do a wrap up and look at next steps for the Best Practices Forum in future years.
I will actually hand it over to Brian for a second to talk about the process and how we conducted the meetings over the year. Brian.
>> BRIAN GUTTERMAN: Hello, everyone, thank you for joining. I will be brief. Markus and Martin already covered some of the background, but as Markus said, this Best Practice Forum was conceived sort of decided upon by the Multi‑stakeholder Advisory Group in April and we had our first few meetings that spring. I think we had, it says seven, seven in the slides and we had more than that, about ten in total. Our first few meetings were about asking the community what we wanted to do with this Best Practice Forum, what might be most useful to the multistakeholder community that we had. For those that don't know much about best practice forums we convened on WebEx platforms, we had a dedicated mailing list where everyone was able to subscribe and exchange views there.
This is a similar process to the other Best Practice Forums. We built upon the work of the spam and C CERTs Best Practice Forums that took place over the past couple of years. That knowledge we built was extremely useful. Walt is a friend and colleague and he led a lot of that work so we are appreciative to him for that.
We decided early in the process that the community wants to have a multistakeholder dialogue including all stakeholder groups on how to engage and communicate with each other when it comes to cybersecurity issues. Clearly very broad, but that seemed to be what the community wanted. As Markus said, there was sort of agreement that they wanted the process to be long term so we can, so sort of ideas could bubble up and we could take forward different threads in different ways.
We then sent out a call for contributions using the IGF website and other channels to solicit inputs from all stakeholders. We got some very good feedback. We asked questions like what are the typical roles and responsibilities of your stakeholder groups in making the Internet a secure and safe place for people, what are the typical communication mechanisms between the stakeholder groups, how can cooperation and collaboration be enhanced and what are some of the common problem areas.
We list some of the contributors here. We had a diverse range of contributions, and many of these organisations and individuals are here with us today and we thank you for that, from Civil Society, from business, from the technical community, from Government, so that was really great. So just quickly some of the feedback, but what we want to do in this session is allow the contributors to explain a bit more about their perspectives and then leave it up in the second half of the session to those that might not have been involved yet. I think Martin mentioned already that there is a review platform that's open for public comments on the IGF website which has the draft output document there and we think it's a pretty good space for everyone to read it over, contribute, come up with even new ideas for the future. So please, we invite everybody to visit that.
A summary of the dialogue, some of the things we heard quickly. The involvement of all stakeholders in handling cybersecurity is essential. All stakeholders must understand, respect and trust one another's expertise and competencies. The term, the definition cybersecurity is often loaded with context and associated with Government or commercial solutions. It was said by many that the IGF actually offers an opportunity to redefine it as a common goal and to work towards a common understanding of cooperation when it comes to cybersecurity.
It clearly means different things to different stakeholders and roles and responsibilities of stakeholders are evolving. The debates around cybersecurity have rapidly broadened and place an important focus on policy that requires input from multiple stakeholders. It was said by some that initiatives should be built on Democratic, multistakeholder processes in ensuring meaningful and accountable participation from everyone. It was said that the community must promote robust, effective and timely information sharing among stakeholders, cooperation and collaboration is key so as to not duplicate work.
Within the C CERT community specifically automated information exchange and setting expectations around the use of shared information was seen to be critical. So I think next we can pass it back to Martin and allow some of the contributors to share exactly what they said.
>> MODERATOR: Thank you very much for that great overview of findings. One thing I would like to stress is that when you look at these slides, what you see is a reflection of what is in the actual text. The actual text is a little bit more dense, but that didn't really fit very well on a computer screen, so I would highly recommend reading through the materials. Also seeing how the group came up with certain recommendations, because there was a lot of vibrant discussion being contributed that was helpful to distill it into these outcome statements, so I highly recommend reading the actual text and going through it in detail.
What I would like to do next is have a look at some of the comments that were submitted as part of the review platform. So as Markus mentioned the review platform has been open for a little over a month and has been open for comments from everyone and we have done our best to advertise this to as many different Forums as possible, both in Government, technical community, academia, Civil Society and other stakeholders that have an interest in this particular area.
We received a number of interesting comments, and I have them here, and what I would like to do is walk through each of the comments and then give the group the opportunity to provide some very brief comments, especially if you see anything that is a topic worthy of further debate instead of simple inclusion. The very first submission we received was from Adam Backas who stated that in terms of collaboration and cooperation between those with the knowledge and skill sets necessary to improve the security of the Internet, implementation of vulnerability coordination and bug bounty programs seems like a key function which thus far hasn't been explicitly called out in this text.
Any entity which is responsible for protecting data should have a process in place by which they can acknowledge and fix identified vulnerabilities in their infrastructure as reported by external entities. This allows organisations to scale their efforts towards identifying vulnerabilities in externally facing properties as well as provides invaluable data on where their existing security processes have failed and need improvement. So a contribution by Adam Backas that some more attention in the text on how to deal with reports of security vulnerabilities would actually be a useful addition. Is there any discussion or comments from participants or speakers here today?
Okay. You will also have the opportunity to comment on the mailing list even after the session. The next comment that we received was from USUDIATAL IS and I apologize for the pronunciation. It is important to make people conscious about cybersecurity and the only way to do that is showing them in real time how insecure an Internet provider, a PC, a mobile device, et cetera could be.
In Latin America the people have a poor cybersecurity knowledge and for this everyone could be exposed to be hacked or personal information stolen. It is important to make more campaigns about cybersecurity issues and how easy it is for a cybersecurity criminal to steal or hack a device or system.
The Governments around the world should be working more together on this topic. The IGF should have more of these spaces and workshops to work with all ages of people that have to know that their devices or personal data are under risk and the easiest way to fix it. So a great contribution that security awareness is key to actually building a secure Internet Ecosystem. I will add that at the very beginning of the effort, the issue of user awareness was raised and was considered during the discussions and based on this comment, we can definitely look at whether we can include some of those initial comments in the final outcome document. Are there any comments or discussion on this topic? Yes, Isabel.
>> ISABEL SKIERKA: I think it is important, it says the Governments around the world should be working more together on these topics and I think Governments are an important stakeholder here but I think there is already a lot of organisations actually doing a lot of good work in this space. So maybe one could work on the text in saying, you know, there are these initiatives and maybe we can find certain ways to bring them to the fore, provide better funding for certain initiatives and so on just as a side comment.
>> MODERATOR: Thank you.
>> AUDIENCE: Just a quick administrative note for the speakers, when you take the floor for the first time, can you please introduce yourself. So Isabel, and Martin should have introduced you.
>> ISABEL SKIERKA: I'm Isabel Skierka and I'm from the Digital Society Institute where I'm a researcher on cybersecurity and digital policy issues and I'm from, I'm based in Berlin.
>> MODERATOR: Thank you, Markus. Thank you, Isabel. I will move on to the next and that is from ‑‑ I'm sorry, that is the same comment. Okay. The next comment is from Zhou Rakman and he or she had three individual comments which all relate to the implementation of UID which has been a topic of discussion at this IGF. And really when you read the context of where the comment is provided, it is more about unique identification of individuals which then makes it easier to identify specific discussion and specific sources of discussion.
One thing that I would argue here is that since this is about a specific technology, I think it would benefit the document to focus on the underlying issue that's being addressed rather than an individual technology or solution for that problem. I don't know if we have the submitter either as a participant here or a remote contributor. Do we? If not, are there any direct comments on this proposal?
Okay, then I think what we will do is engage with the submitter and try to understand what the root issue is that he or she is trying to address as part of the comment. We will see if that is something that deserves further discussion on the mailing list. And then we have one more submission also from this person: in Ecuador we have a C CERT but until today it does not work as it should. We have cybersecurity issues not being reported by the Civil Society and our C CERT. It is poor in resources and not very open to listen to the society.
Maybe in this IGF we could be guided to other countries or C CERTs that work together with the Civil Society. One initial comment, as part of the BPF on C CERTs there was actually some documentation on roles and responsibilities of individual C CERTs and I know that some of the material can be useful as well. We can have a discussion as to whether this is worthy of inclusion in this document, but some of this has been addressed in previous years.
Are there any comments on this contribution? Do people think this is valuable to include again in this year's document? Okay. If there are no comments, then we will actually move on to the speakers that we have here, and I'm very proud to have a wonderful panel of experts in the area, both in cybersecurity and in adjoining areas, that are going to contribute some of their thoughts. First of all, we have Richard Learning from RIPE NCC, we have Matthew Shears from the Freedom Online Coalition who ran a feeder workshop on inclusiveness of security policy communities which he will be contributing here as well. Then we have Isabel Skierka from the Digital Society Institute, Grace Githaiga from KICTANet, Belisario Contreras from the Organization of American States and Hiroshi Esaki from the board of trustees of ISOC, and we will get started with Richard because I know he has a dense agenda and may have to leave early.
>> RICHARD LEARNING: RIPE NCC. Just a bit of context, I was in law enforcement 30 years dealing with cybercrime, so I have an interest in both from a previous employment and what I do now. The first thing I would like to say is what is cybersecurity? I know that's been mentioned many, many times, but what is cybersecurity? What's interesting to me is that the National Cyber Security Centre in the U.K., which is a U.K. funded stakeholder engagement organisation, actually came out with a glossary on the 23rd of November because we don't even know what cybersecurity is ourselves so we have to write it down to let people know what is cybersecurity, and I will just quote you what they are saying cybersecurity is from the U.K.'s perspective. The protection of devices, services and networks and the information on them from theft or damage.
That is what the U.K. believes cybersecurity is. If you speak to a law enforcement officer they will say something different. So on this Best Practice Forum for me, where I would like to go is exactly what it is that we are doing because it's like saying let's have a Best Practice Forum in solving crime. Are we talking drugs? Are we talking murder? What are we talking? Cybersecurity encompasses everything, so we need to narrow down what it is that we want to let people know, and how to make a little bit of involvement help the ecosystem of cybersecurity.
The thing I liked which came out now is that everyone is concentrating on things but not on the human beings that are using those things, and every investigation I was ever involved in as a law enforcement officer had a human element of error or misunderstanding of something in there that allowed the crime to happen. So maybe tweaking that around, cybersecurity, maybe we should concentrate on the human being, the educational part, the awareness, the cultural changes of businesses, companies, of how the employees look after the devices and the things that they have, securing their companies from being attacked by cybersecurity criminals because that's what we are talking about in infrastructure.
So that's ‑‑ I do have to leave in 25 minutes, but I will stay here for as long as I can, and answer questions either now or on line or through the moderator.
>> MODERATOR: Thank you very much, Richard, a very important and interesting topic that was a big area of debate and we will definitely talk about it later as well. Then I would like to move on to Matthew from the Freedom Online Coalition who will contribute a bit about the feeder session he ran on Monday on day zero of the IGF.
>> MATTHEW SHEARS: Thanks Martin. I'm not actually from the Freedom Online Coalition. I'm the Co‑Chair of the Working Group One of the Freedom Online Coalition. I'm actually with the Center for Democracy and Technology, and we had a feeder session on day zero that was very well attended in a very small room, but the purpose of that session was really to understand how we can encourage and bring about multistakeholder engagement and cybersecurity processes. So it was not only an opportunity for the Best Practice Forum cybersecurity members to talk about their experiences but also to try and tease out learnings in terms of why they were successful or what the challenges were and how we can take those forward as a part of the BPF generally.
So just to give you a couple of quick examples, we heard a lot about capacity building. We heard from the Dutch Government on the Global Forum for Cybersecurity Expertise. We heard from different Governments including NGO in Canada on how various processes are becoming open in the cybersecurity space, recognizing at the same time there are still many limitations in terms of participation.
We heard from the Council of Europe on the value of engaging with more stakeholders and how sometimes that can lead to breakthroughs in terms of issues that they are addressing. We had representation from the OAS, Belisario, this week. We heard from Japan where there is progress being made opening up to stakeholders but more can be done, and we got great learning from the experience from Nigeria. And we heard from ISOC on the importance of collaborative trust and security and how important that is as a fundamental basis for stakeholders working together.
We talk about trust, but we don't actually understand how important it is and how difficult it is to gain and I will come back to that when I talk a little bit about the Freedom Online Coalition. Some of the learnings were interesting. One of the major learnings, I think, for everybody in the room was that we have to be able to put ourselves in the shoes of the other stakeholders. We have to be able to understand in a way what was just mentioned, which is we have to understand what we are talking about by cybersecurity, can we put ourselves in the shoes of other stakeholders to understand what their angle is on a particular issue we are trying to understand and deal with? There were comments about recognizing there are limitations. We have to be realistic that multistakeholder isn't a solution in and of itself in the cybersecurity space. It's one of a number of tools and there will still be multilateral discussions. It's not all going to be multistakeholder going forward.
There was some cautions about the notion that multi‑stakeholderism is equal to public‑private cooperation and that's certainly not the case. People said we need to be careful we are not, that we don't make the mistake of assuming that that's the case. And that we need to really come to these meetings and, again, I will come back to this later with an open ear and not a closed mind. I mean, in a way, we stakeholders tend to come in with a position that they have had for a long period of time. It may be in fact antagonistic and that's not the way to get to agreement or to make multi‑stakeholderism work in cybersecurity, particularly given that it's such a sensitive space and so related to national security.
So let me stop there, but I think there are a whole number of learnings that came out of that that we'll capture and feed into the BPF so we can build on those going forward. Thanks.
>> MODERATOR: Thank you, Matthew. Those are great outcomes and it was an insightful session on Monday. We will move on to Isabel Skierka of the Digital Society Institute.
>> ISABEL SKIERKA: Well, that was an introduction. So just to say I read the document only a couple of days ago for the first time and I think it's actually an amazing document, a very important process here at IGF since I think the topic of cybersecurity has come in quite recently as I understand. So I want to start off with the same issue that actually Richard raised, what does cybersecurity actually mean? And I think there are actually good definitions in the document already from some of the contributors, and we really need to distinguish between different forms of security such as national security or the technical security of systems when we talk about the confidentiality, integrity and availability of information.
So what is going to be protected and who is going to be protected. Those are really important issues. If we talk about issues such as encryption technologies and the use of encryption technologies this can be framed as a national security issue, but it can also be framed as a public security and individual security issue and this just illustrates how important it is to involve all of these different stakeholders with their respective stakes in these discussions of how we should deal with that and what kind of policy should be made.
But I think one important point here, and maybe that's a German or European perspective, the Government in Germany or in Europe still has most power in regulating technologies. So we, for example, recently adopted an IT security law that makes information sharing mandatory, information sharing on incidents. So it's very important to recognize that not all stakeholders have the same powers and some have regulatory powers that are actually written down by law, and they will be the ones that decide.
So I think engagement with these stakeholders is very important and I just want to reiterate one point from the meeting on Monday, which was brought up, which was you really need to listen to each other, and often people just go right into the room, start talking, start, you know, telling their own positions, but I think the first step should always be to listen even if you are a Civil Society activist, you have your opinions about encryption. Law enforcement agencies have very different challenges that they face, and so we need to ‑‑ this also means multi‑stakeholderism, right, that you actually find a compromise to that and that might not always work for you, for example, when it comes to defining strict legal requirements under which Governments can surveil criminal suspects. So I think what matters a lot in this process is trust, and this is why this listening and engagement is very important.
I think awareness also matters a lot. We brought that up earlier. So awareness and actually having a stake, being able to formulate a stake is important and obviously for many stakeholders to organize and voice their concerns is a very important issue here. I don't have much time, but I just want to mention a couple of, you know, I was asked to share my personal experience as well. And from the German perspective, let's say, so I think multi‑stakeholderism in our country in Germany does not work well necessarily when it comes to cybersecurity.
We just adopted a new strategy which was not even discussed in Parliament, and that was, I think we could have done a better job here or the Government could have involved at least the Parliament to discuss the strategy and to get more views into the cybersecurity strategy that we just adopted. An interesting kind of process you might have heard about is the NSA committee in the Parliament. After the Snowden revelations, we, the German Parliament, started an inquiry commission into the NSA scandal and how German intelligence agencies cooperated with the NSA.
We found out a lot more about our own intelligence agencies than about the NSA in this committee, but it did lead to a reform of our intelligence processes, and it's quite an interesting process because there were open meetings convened every week for people to attend and follow discussions on the NSA inquiry committee whereas, of course, also some of the documents were held private.
And I will just share some other perspectives later because time is running out.
>> MODERATOR: Thank you, Isabel. Some great insights about Government engagement as well. Next we will move to Grace Githaiga of KICTANet.
>> GRACE GITHAIGA: I'm a latecomer in this, but since I was also asked to share my experiences in how we are working with it, I would like to first point out that we are constantly seeing an increase in cybersecurity incidents, and especially through mobile transactions, which is something that practically a lot of people are utilizing. We also are seeing that in bank systems and in Government systems, but above all, online platforms being used for terrorism, recruiting young people into the Al‑Shabaab movement. What that means is this is presenting challenges that not a lot of people are prepared for.
And so what we have seen is some knee jerk responses in the form of legislation. Legislation that has just sprung up without consultation with relevant stakeholders, and, therefore, this also brings with it a challenge of balancing between the legitimate need to have security and safe and secure online platforms and freedom of expression issues.
So then, and that also meant that anybody who thinks they can do legislation is coming up with one. So we have multiple legislations that don't speak to each other, that don't show how, you know, what's the nexus and how we are all tied together, and people are left wondering which one are we going to follow. We have even seen bodies that have prosecutorial powers getting into policy formulation and that is not in their mandate. And this then shows the complex face of what cybersecurity is all about.
We have weak structures, and like I said, lack of coordination on cybersecurity frameworks, and in those who are supposed to handle cybersecurity concerns, they are under resourced as well as really knowledge gap capacities because how do they deal with this? How does a country, say, of 40 million experiencing cybersecurity concerns report to a team of eight people? Eight people who are also trying to understand the sector, and still informed by the traditional security mechanisms of how they should handle security.
And so the first response is I think, you know, shut down or, you know, we just need to come up with very strict measures. Our CERTs also are not proactive. So they wait until you report, and when you report, sometimes it takes 21 days to get a response. And the scenarios, you can play the scenarios of what would happen within 21 days, systems can collapse, you know, further advanced attacks on systems would happen.
Then in terms of the whole investment on human resource, you know, you have very bright young people handling the systems, but you also are not looking into how you all, you know, incapacitate them so that they feel comfortable not to get into fraud. So, you know, you have trusted them with bank systems, with security systems, but you are not looking into the salaries, not looking into where they live so what happens? They become creative and they are actually participating in some of these crimes on cyber.
So what that means and what our experience has been, there is clearly a need for a multistakeholder approach because everyone is affected in this. It's not just one arm that can regulate or come up with laws on how we operate on the security. And everyone who is affected then needs to give their view so that we sort of try and build some form of consensus on how we approach this and how we move forward, and I would like to say that as KICTANet we are working with global partners to, you know, we have developed a framework, a multistakeholder framework that we would want to start testing when it comes, you know, even to cybersecurity issues and we will even be sharing with, you know, like a few of African countries that have been identified into this partnership.
>> MODERATOR: Thank you very much, Grace, for sharing very, very concrete issues you are seeing and some of the ways that you see forward to solve them. Next up is Belisario from the Organization of American States for his opening statement.
>> BELISARIO CONTRERAS: Thank you very much. Thank you very much for the invitation to the BPF. This is my first time to be here. First of all, we would like to point out that, well, cybersecurity is now part or has been part of the agenda for a couple of years of the IGF because it's totally relevant for the Internet, for Internet Governance, Internet Governance infrastructure. Cybersecurity threats, again, are threats to Internet stability, to democracies and to rights. Sometimes I'm not sure if people forget that and are just getting into the technical aspects. These threats are implemented by criminal, terrorist organisations or sometimes individuals.
We need to be aware that these organisations, they are organized and they are about people, and ‑‑ they are bad people, and we represent the good people which are the Governments, the private sector, the Civil Society, the technical community. Sometimes we forget that these organisations are acting in and are organising in philosophies like much faster than us. So we were discussing in the session in day zero, it's very important to begin finding common understandings, middle grounds in order to advance agenda, and in order to actually be able to face those threats.
It's important to understand, in order to organize ourselves and to move forward, that cybersecurity could mean different things in different regions. Cybersecurity for someone could actually have great alliance with cybercrime, with terrorists, with several things and not just regions, but actually countries and between countries actually different actors. That common and simple understanding is fundamental in order to move forward in specific actions. Put yourself in the other's shoes, it's totally difficult, but it's essential for any kind of negotiation and, again, in order to find any kind of agreement.
From our experience, I believe that different actors at least in the region that we work much needs to be done. I agree with the comments that were provided by two Civil Society organisations in the BPF. We found out in a report that we mentioned yesterday that in the region there are, there is a lack for awareness campaigns and digital IS, but that could be an initiative that could be promoted by NGOs. I see looking here at Michael Kaiser who works with NCSA has a close partnership with DHS and those are two organisations that would be important to promote those kinds of partnerships in other countries, the private sector, of course, to have more openness with Governments and with the technical community. You are the ones who may be have more updated and latest information.
The Civil Society and the technical community maybe have a little bit more of openness and actually try to focus on graded cybersecurity things. There are sometimes very specific focus that are really relevant, really important like privacy, freedom of speech, but there are actually other topics, critical infrastructure protection that could be really relevant for our lives and could affect all of the infrastructure and, of course, Governments.
The Government represented needs to be more open, needs to be more willing to cooperate with all stakeholders. Those are the remarks I had prepared for this, but in summary there is much to be done, but we need to recognize that, we need to find agreements and move on because criminals are already moving a step forward.
>> MODERATOR: Thank you very much, Belisario.
>> HIROSHI ESAKI: Thank you for the invitation. This is Hiroshi Esaki from Japan. I totally agree with all of the speakers' discussion so I tried to introduce our experience from Japan from the grassroots activity as well as top down in conjunction with those two together. A part of the project we are working with Japanese high level as grassroots groups every single industry working in the Internet. So those are the identified activity mentioned about ISOC so going to the Japanese way. So this is the thing we are sharing with the Japanese Government high level as well as every single industry which are going to the IoT society. That is the view we are sharing with every single business player. When we think of IoT they lack their own silo. They lack closed/open source development. So we need interoperability for the future.
Even though they now have a siloed business model. That's always the case. They have money. But in the future, it's going to be connected. So in order to make such a situation, interoperability is a very important factor to do, we are sharing with IAB and IETF. The second thing is the silo, they are connected to the Internet in the future. So we need a security by design principle for the engineers who design every single system, every single gigabit.
That is we sharing with everybody. And this is yet another activity run by the Internet Governance Conference Japan. Ten basic ideas for security for the Internet. So our first point is thinking globally, and implementing local measures. Respecting practice and principle meaning we are running Cloud. We hate just a salary, just the idea. We really with respect to implementation even for the security business, the second is the implementation of restriction and security policy supporting the improvement of the life of the human being for business. And overprotection from the security point of view is not a good idea.
How we make cybersecurity is the improvement or let's say they want to do about security. Security measures is investment for improvement and the future investment to society. That is the idea we want to share every single player from the Government officers as far as the usual engineers or users, sharing the operational knowledge, experiences is quite important. That is sharing idea. You think the Internet itself or the system, partition for the person experiencing the cybersecurity incident as the victim rather than the bad guy. That's always rear facing especially in private companies so that's leading to transparency. So in order to make it transparency, we respect them.
The last one is the first self‑help next mutual assistance, finding public assistance. That's really the grassroots way when every single person realizes that is an issue of you, then people start to work. Then the last, the last thing is by public involvement. So that is a basically we are sending to the Japanese Government, the Japanese, every single person. The last line I want to share with you is every case, you know, how to make intention to invest on cybersecurity. That is always people are thinking about. It does not improve the business profit or known benefit when there is no incident. That's always you are experiencing the voice and what we are hearing. It is not productivity or efficiency. The people, the reason why people don't want to have a serious security policy.
Then they tend to think about let's disconnect our system from the Internet. So how to solve this particular problem? Find profit by daily operation of big data functions, cybersecurity system in the gift. Important to think of it as a gift. So I have many experiences regarding that. So that is a pure business model people tend to give money into cybersecurity. And the last one I will share with you is the Japanese old guy saying economy without morals is crime, without cybersecurity it's bad, it's almost crime now, right?
Though a moral system without economics is attack. So that is, we are always thinking about that, not always say that is must that that is leading to the future benefit, future profit, that is the thing I try to share with everybody. Thank you.
>> MODERATOR: Thank you very much, Hiroshi Esaki. I think that was a great setting the tone really of the gift that the Internet is that we are all trying to protect. So thank you for that contribution. Now, to open up the debate, I would actually like to start off with definition because we talked about it a bit earlier. We definitely talked about it very much as part of the Best Practices Forum, and I'm going to put a contentious potentially statement out there, and that's that we can either have very solid definitions and have no real discussion and society stays a bit the way it is, or we can be in a situation where the definitions are a little bit vague, which is probably where we are today where discussion and ongoing interaction and building of trust and relationships is a necessary prerequisite to getting something done.
So I'm kind of interested in what the panelists and the other participants have as ideas with regards to what is better. Do we really need very solid definitions today? Or are we actually in a stage that gives us tremendous opportunity for learning? Is there anyone who would like to provide initial thoughts on that?
>> AUDIENCE: Thank you very much, I just want to say something in terms of a position on the definition of cybersecurity. I think we really have to be careful in coming up with a particular definition of cybersecurity because every country has a perception of what cybersecurity is all about. And I think what we might probably advise is that we should allow countries to probably come up with their own definition of cybersecurity.
Let me use Nigeria as an example. We have a vision and that vision is anchored on the definition of cybersecurity. And now I think what we can do is to provide a framework of understanding so that we can have a kind of practices such that at the international level we can have the cooperation on the standard respect, local division of cybersecurity.
What is cybersecurity to U.S. is different than what is cybersecurity to Russia. So I just want us to be guided. Thank you.
>> MODERATOR: Thank you very much, Segun, and he is the Co-Chair of the BPF this year and maybe if you want to mention your affiliation as well.
>> SEGUN OLUGBILE: Okay. Thank you. Segun Olugbile, I am a member of the Nigerian Cybersecurity Crime Council. I had privilege to BPF to be part of the project that mentioned the national cybersecurity strategy. One of the experiences I would like to share has to do with the issues of building a multistakeholder trust platform. And for what we have done so far, Nigerian situation is peculiar because we have a national security office that is mandated by the law to drive cybersecurity in the country.
You know that anything that has to do with an office, they are extremely regimented environment so they don't usually like to share information. However, by Providence when will I engage, the first team we communicate to the NSC, it cannot be as usual. This is not a document, a strategy you can probably develop and you expect that it will follow.
What we did was to have first and foremost the interagency understanding of cybersecurity. We brought all of the agencies that are critical to the cybersecurity in the country together. We ensured that they have an understanding and they had a position on what cybersecurity is all about. Then we took it from there. We actually visited the domain of the private sector. I'm talking about the main operator, and we have achieved understanding, we obtained a commitment and their position on what they feel like seeing when it comes to cybersecurity policy. Someone said earlier that the best way to address the issue of trust is to put ourselves in the shoes of the stakeholder.
And what we have done essentially is we have also created a kind of domain for Civil Society so that the group can come up with the definition of cybersecurity. At the end of the day, we harmonized all of the definitions and we came up with a national vision or a position on cybersecurity. And the lesson learned is that we must open the door for inclusive participation with our military, with our security, with our Civil Society, there is something that we have in common. We all want to be secure, and we want, we all want to be protected. Thank you.
>> MODERATOR: Thank you very much, and some interesting ideas there around definition initially as well as in having countries also define what is important to them, come up with their own definitions. Isabel, I saw your hand going up as well. Did you have something?
>> ISABEL SKIERKA: So the first thing I would like to point out is even for the term security, there are like millions of definitions that we could probably come up with just, you know, as setting this in relation to other definitional struggles, and so my proposition would be to whenever in the document you can be precise with the term saying information security or IT security, if you really mean, you know, only the IT security or the security of IT systems and networks or information security obviously having a more broad scope than IT security involving, you know, organizational security as well.
I think that is already a good step forward and you wouldn't need to define cybersecurity as an all-encompassing term and maybe it makes sense not to necessarily define cybersecurity in very rigid ways. I agree with the other speaker, yes.
>> MODERATOR: Thank you, Matthew?
>> MATTHEW SHEARS: Yes, thanks, Matthew Shears. I will just say a couple of things on the Freedom Online Coalition working group 1 work which is a working group that was brought together under the Freedom Online Coalition grouping of countries to look at cybersecurity and Human Rights and the intersection between them. This is important because as a part of that work, we have drafted recommendations on how cybersecurity should be Human Rights respecting by design which is quite a step forward when you think about the space we are talking about in trying to bring Human Rights into the cybersecurity space. So I urge you to look at those.
They have been supported by the U.S. Government, the Canadian Government, Dutch Government, Freedom Online Coalition, and you can access those at FreeAndSecure.online. We also went through in the working group the same process of trying to understand what cybersecurity is, and I think at some point in time somebody said, well, not only is there a huge range of definitions for security, but for cybersecurity somebody said there was something like 400 different definitions.
So what was interesting for us in our working group was that it was very difficult to find any single reference to the importance of Human Rights in a definition of cybersecurity. So to add to those 400 definitions, we drafted a definition of cybersecurity and Human Rights which I urge you to look at, but I think it raises an interesting point which is that at the end of the day, I don't think we necessarily want to define it. We want to define it, I agree with the way that Isabel said, but I think we need to be careful about this because it's such a fluid space.
Technological advances are going to change the definition most likely over the next ten years, and I think we are going to see, we are going to need that flexibility to be able to discuss all of the issues. And even in this group when, I mean, it is important to define cybersecurity, but it shouldn't limit the work of the BPF because the value of the BPF that we have seen in the few submissions that we have so far, and I'm hoping there will be many more. We have seen a great diversity and in that diversity there is great value. Thanks.
>> MODERATOR: Thank you, Matthew. Belisario.
>> BELISARIO CONTRERAS: I want to recall the principle of self-determination that is very important to take into consideration. Our experience when we are developing, when we are working with countries on the development of national policies or national strategies, is that they go through the same process as Nigeria: they get into what cybersecurity is for them. To give you a very simple example on specific things, in terms of CERTs, which is a very technical component of a cyber plan, there are countries in the Americas where the computer incident response team may be at the national police or federal police or at the presidency office or it could be at the regulator's office, or it could be handled by the defense ministry, and actually we have the opportunity in organisations that the Member States, that have 14 countries, brought to the organisation the issue of cyber defense. So I think it's very important to have very, very present that the countries have the right to self-determination and each country can determine, can say this is what cybersecurity means for us.
And it's very difficult to say this is cybersecurity for everyone because the realities in Africa are not the same as in the Caribbean or Latin America or North America. So it's very important to understand cultural, economical, and social aspects of our nations. It's not just about technical issues, but actually about all of these other realities.
>> MODERATOR: That's on point. Thank you.
>> HIROSHI ESAKI: I agree with the discussion about having a common language or a definition of the cybersecurity or whatever. The reason why we made the document I have shown was the very core common difference in common language. The other industry could differ too. So the document, we contacted every single person referring to that document but making their own recommendation, their own requirement or situation or direction, but they can (Audio difficulty). So I think the BPF should have those too in order to make a detailed representation (Speaking off microphone).
>> MODERATOR: So being from the technical community, and Markus mentioned earlier that I neglected to introduce myself: I'm with the Forum of Incident Response and Security Teams, which is a group of security teams from across various sectors. One of the things that we as engineers tend to like is some definition. And it's challenging to merge, I think, the point of view where you have very loose definitions across communities and you have the ongoing discussion and debate to get to a point that better clarifies actually the intent of cybersecurity as well, and then we have communities where really if there isn't a clear definition and subsequent roles and responsibilities that fit in with those definitions, it becomes sometimes a little bit challenging to work together and to cooperate.
Have you seen issues before or have you seen concerns and how have you worked to address those? Any thoughts on that? Yes, from the gentleman over there. If you could introduce yourself.
>> DUNCAN HOLLIS: Duncan Hollis, I'm a professor of international law at Temple University in Philadelphia. I guess if you can agree on a definition relatively quickly and simply, it's an excellent starting point. I think one of the things we have seen in cybersecurity particularly in the interstate domain is an inability from the Russians and the United States to track 1.5 track 2 effort to try to do this for several years. It then begs the question of do you need the definition to move forward? So I guess the one contribution I would make is to suggest that there are alternative ways to think about this problem, and the two other ways you could categorize instead of a definition is what are the risks? Can you catalog the risks and then look for shared senses of risks?
Do we agree on certain risks that we want to all address in a global setting? And then also values. What is it we want to do or have done? And can you find some alignment along those lines? And there are alternative ways of breaking open the conversation rather than continuing to kind of say my definition is a better definition than your definition.
>> MODERATOR: Excellent. Thank you. I would like to jump to Walt.
>> AUDIENCE: My name is Walt. I own my own consultancy and as Brian said I have been with the C CERT groups in the past two years. When we are talking about the definitions, we can get stuck in them, I think, and no matter whether you are a state, a private CERT, Civil Society or a company, you are trying to protect something, and if you take a helicopter view of that, everybody is abused by vulnerabilities that are in the systems that you operate, and then you have a common denominator whether Russian, Chinese or American or Dutch like I am, because I'm being attacked by something that I can't control in most instances.
So around the world, you can see that there are several initiatives at the moment that try to take on a specific angle of cybersecurity, and whether that is the vulnerability disclosure that ethical hackers try to bring forward to states and the cybersecurity centers or companies, there are also initiatives that work on botnet litigation that actually have excellent best practices for the rest of the world. So those could be invited in. There are people working on, say, for software that could be invited in to discuss how actually you are approaching it in your country. So that could be an aim for next year looking forward, that you could bring in people actually to do something from a national or regional or global level that everybody could profit from, because you could implement best practices and then everybody is exactly at the same level at some point in time, I think. So that's my contribution. Thank you. I have got a neighbor.
>> AUDIENCE: My name is Juan Gonzalez I'm with the United States Department of Homeland Security, office of cybersecurity and communications and I do second the other's opinions about restricting yourself to just one cybersecurity definition because of the different contexts around the world and at different Governments, and I think that the gentleman from Nigeria and others provided some feedback related to let's look into best practices, let's look into existing frameworks that we can draw from and provide a more comprehensive multistakeholder capacity building around cybersecurity that we can get better information. Thank you.
>> MODERATOR: Excellent, thank you.
>> BELISARIO CONTRERAS: This is a Best Practices Forum and you said something that is totally right. There is between engineers and technical communities sometimes and sometimes policy or these kinds of issues. This is a Best Practices Forum and instead of looking for a definition, we are going to get into UN, and all of these systems that a definition will take two or three years and we do not get to a result, but what a Best Practice Forum is recognize that there could be multiple definitions, but we need to acknowledge that we need to work together whether or not cybersecurity means for the community or not, and that would be one of the best outcomes of these best practices, this BPF and see ways to improve the collaboration.
>> MODERATOR: Thank you Belisario. We have a remote.
>> REMOTE MODERATOR: Good morning, I have a question from MAPI, the cyber police, and the question is pursuing law enforcement objectives violent terrorism cybersecurity or is it another cybercrime? Can we separate the two?
>> MODERATOR: Let's hold on from that one just a second. We will get a comment from this one first. Who was the other person from the back that had a contribution?
>> AUDIENCE: I was going to follow up with what Belisario said about definitions and just like in the U.S., for example, in areas, specific areas such as IoT, we are still trying to define that area and what security means within an IoT environment, like healthcare maybe other areas within the critical infrastructure sectors that we build with. So I think it's important that we look at best practices and especially in environments like IoT that is so broad and we are still in the grass around.
>> MODERATOR: Sounds good. So the remote question was whether there is any room for dealing with violent extremism online as part of the bigger cybersecurity issue? And I like this question because we actually talked about it in the local C CERT BPF. It's tied into definition, it is very much tied into the privacy versus security question, and (Indiscernible).
>> SEGUN OLUGBILE: Well, in Nigeria, we have, we have the issue of cybercrime and cybersecurity that are in the same boat. Now, we have the best practice in cybersecurity and yet they are two issues. They are the same law. Now, what we suggest is that cybersecurity is a much bigger picture, and from what we are doing in Nigeria, we have classified five areas in which we need to approach cybersecurity. Legal is just one of them. We have engaging in issues (Audio technical difficulties).
So I think that there is an intersection between terrorism and cybersecurity, and there is no way you can -- that would bring me to the issue that the African Union has a Convention on cybersecurity while we have a Convention on cybercrime for the Council of Europe. Now, we discovered that there has been an effort to galvanize the African countries to sign onto the Council of Europe Convention on cybercrime, but when you look at the provisions on cybercrime, it is all about (Indiscernible) fine. There is nothing wrong with that, but we discovered that the level of support given to the Council of Europe is not given to the cybersecurity, which has now affected our ability. So for me there is a need for real cooperation, a principle of cooperation and understanding. There is no way we can isolate one from another. We need to work together. Thank you.
>> MODERATOR: I think we have time for one more contribution on this topic, Matthew.
>> MATTHEW SHEARS: I think it's a fascinating question as well. I am very concerned, however, that when one can tend to look at these issues in bigger and bigger umbrellas, and the problem is you may not be addressing issues. And I think that's where we have to be very careful about what kind of issues we are putting on this kind of cybersecurity.
>> MODERATOR: Thank you.
>> AUDIENCE: My name is Nic Shory, I work for the U.K. Government, first of all, thank you very much to everyone today and also sort of throughout this process. There has been really excellent contributions. And I have got a couple of points, if I may. First of all, on this definition, I'm inclined to agree with sort of points that the professor over there made and Matthew just now, I think it's good to sort of try and recognize what we are talking about.
And you may come up with a definition, but it will probably end up at such a high level that it doesn't mean anything and it would be relevant today but not tomorrow. So I think actually what might be more beneficial is this idea of common values and risks, and the context of where they apply within each sort of element of the ecosystem. I recall I went on a testing course once and thought I would learn these Gucci techniques on how to hack computers; the first thing the guy taught was physical security. For the U.K. Government, we just published a national cybersecurity strategy that came out on the 1st of November, and it takes a broad approach to first of all sort of specific security actions that we have got to take at network level, but it's also looking at how we develop an ecosystem within the U.K. that's going to foster the skills and the innovation that's going to allow us to be a sort of prosperous digital economy.
So many challenges we found over the previous five years are sort of things like sort of stimulating market adoption of security best practice. Generating that sort of trust and engagement between parties for sort of information sharing, also sort of implementing standards. I have had the good fortune this year to do a lot of talking and meeting with people.
I remember, I recall one example, I was talking to some people at a meeting about DNSSEC and I said what is the problem here. They said the problem is kind of, first of all, financing the upskilling we have got to do for our work force, you know, and some of the technical complexities of implementing this, but then also there is the liability because, you know, if we implement DNSSEC on a level but someone sort of messes it up at theirs, the whole thing goes wrong but the end user thinks that we are the problem. So there are all of these things.
I think it would be a better, maybe a more fruitful approach to look at common values, risks and then look at sort of the best practices and the specific actions that we can take. The previous Forums last year on countering spam and C CERTs produced really great high level principles and I think going forward I would welcome the input of all of the people around the table and others to look at then how we take those forward and how we implement those in some of the work that's been going on at the IGF over the last couple of years, where they now have security as a fundamental principle in vertical design, and all of those sort of best practices we have wrapped up, and take this thing sort of a step forward under a sort of a risk and common values base. (Speaking off microphone).
>> MODERATOR: So a couple of topics that were raised during the working group were that first of all there is room for security awareness as in very initially this has -- so far this year we did not deal directly with awareness principles outside of where they were beneficial. User knowledge gaps were called up as well as online safety. Then second there was a definite call for online cybersecurity frameworks mostly around regional and global cybersecurity. Civil Society and Government, how do those communities help communities to work together better, and transparency of private sector cybersecurity. Which in some cases -- there was room to talk about best practices for arrangement of security services, how do you actually work in this area as an enterprise, as an organisation, as a Government, and also to look into mechanisms through multistakeholder cooperation in formulating