Security Session

31 October 2006 - A Main Session on Athens,Greece


 Internet Governance Forum 31 October 2006 "Security" Panel

Note: The following is the output of the real-time captioning taken during the
 The Inaugural Meeting of the IGF, in Athens. Although it is
 largely accurate, in some cases it may be incomplete or inaccurate due to
 inaudible passages or transcription errors. It is posted as an aid to
 understanding the proceedings at the session, but should not be treated as an
 authoritative record.

 >>CHAIRMAN TSOUKALAS:  Ladies and gentlemen, the Secretary-General of research
 and technology from the Hellenic Ministry of Development. And as chairman of
 this afternoon's session, I would like to welcome you to the second day of the
 inaugural meeting of the Internet Governance Forum. Allow me to express my
 thanks to the U.N. Secretary-General, who convened this first forum on Internet
 governance following Tunis. And we're very happy that our country has hosted
 this meeting. For the first time, it's allowed the possibility for all of the
 partners involved to express their views on this issue of Internet governance.
 We've seen huge interest from the participants. And that shows that, really,
 this is going to be an exemplary forum for the expression -- or exchange of
 views and constructive ideas. Today, we will be concentrating in this
 afternoon's session on the question of security. And within that framework,
 we're going to look at questions relating to users, messages, the question of
 access, and we will bear in mind more general issues of Internet security. This
 is one of the more fundamental issues related to use of the Internet. And it's
 an essential cornerstone of its functioning. And the -- drawing on the full
 potential of the possibilities it provides for use. At this stage, then, I
 would like to invite the moderator, Mr. Kenneth Cukier from "the economist" to
 please take over in that role as moderator. Go ahead, please.

 >>KEN CUKIER:  Thank you very much. Thank you very much, Mr. Chairman.
 Information security is something that we all rely on. It's probably something
 we all take for granted. But it's probably the most important aspect of the
 information society. Because unless the networks are secure, unless we have
 confidence in it, we don't have an information society. It might be important
 for you all to know that right now you're using a public Wi-Fi access node.
 Probably all of your data is unencrypted. So if anyone had a packet sniffer,
 they could identify what the traffic is, certainly what your password is, if
 you did electronic commerce, some of your personal information, maybe your
 credit card details would potentially be exposed. Of course, if the security of
 the infrastructure is strong, if you're using encryption, and 99% of all Web
 sites that do take your credit cards would be using that encryption, you'd be
 safe. But that 1% probably is intolerable, if you think about crime online, we
 wouldn't expect that -- sorry, offline why would we expect the same sort of
 thing online? If you're connecting to Appollon, then you are probably using the
 hotel's Wi-Fi. But if you're using the free public Wi-Fi or free Internet
 access, this is important, right now in this remove, there are two seemingly
 Wi-Fi nodes that aren't really a Wi-Fi node. You have a system on your
 computer, if it's open, that you would see whether it says the name of the
 hotel or if it says "free Internet access" or "free public Wi-Fi." Those two
 terms are actually computer-to-computer nodes. Someone has malicious code on
 their computer, two people do, presumably, and are broadcasting this. And for
 the unsuspecting user, they could be transmitting data to someone who is then
 passing it on to someone else. This is a good example of the fact that security
 is a big issue and that the security and the hardness of our infrastructure
 needs constant improvement. Luckily, on our panel today, we've got experts who
 are well suited to address this issue. What I'm going to do now is very similar
 to the last two sessions that we've had. The first thing I'm going to do is
 have them introduce themselves, their affiliation, but then also ask them one
 question concerning what is the most important issue facing security in your
 view. They'll all get a chance to say that. I'm then going to turn the mikes on
 to the audience. You can give us feedback. If you think that we're missing
 something, that's great. If you think we just need to amplify something else,
 don't say it.  We probably know it. We want to get a survey in terms of what
 are the key issues to address if we don't mention them here. Then we're going
 to launch into the discussion. However, before I ask them the questions, let me
 just talk about a piece of housekeeping. To make your interest known to the
 people who are the assistants of the hotel that you would like to get the mike
 and to say something, just raise your hand and let your presence be known to
 the ladies in the back, and they will be the ones who can have you give either
 your name or your business card, if that's easy, bring it back up here, and
 then we will call on you. Okay. Is there anything else in terms of housekeeping
 that I may have forgotten before we start? No? Good. Remember that, of course,
 this is being blogged and I will -- and also being transmitted over the
 Internet. And I will be asking for comments from the cyberspace about what
 their reaction is to all of what we're doing here. Why don't we please start.

 >>DAVID BELANGER:  I'm David Belanger, chief scientist of AT&T labs and head of
 information and software research. I'd like to take my kind of first place in
 line here to say what the issues are that we think we are trying to accomplish
 when we think of security. They're basically availability of the network, very
 basic. Integrity of the transmissions that are going over the network, so that
 middlemen can't add to it, detract from it. And, finally, confidentiality in
 the face of an intelligent adversary. And that brings up probably the most
 important issue, that the adversary will change what they do in reaction to
 what we do. It's an ongoing game.

 >>KEN CUKIER:  Thank you.

 >>LAMIA CHAFFAI:  Lamia Chaffai is my name. And I'm director general of the
 Tunisia electronic certification agency. A resolution came out of the Tunis
 summit to create an environment of confidence for electronic exchange. The
 development of services is something on which the development of a country
 depends. And to develop eGovernment, eCommerce services, et cetera, we need to
 foster this confidence, this environment of confidence also linked to the
 electronic signatures. So I feel that this is a very important aspect in the
 development of countries' economies for the future. Ilias Chantzos good
 afternoon, everybody.

 >>ILIAS CHANTZOS:  My name is Ilias Chantzos. I am the head of government
 relations for Europe, Middle East, and Africa for Symantec corporation. What we
 try to do in Symantec is try to empower people so they can safely work and play
 in the connected world. So what I would perhaps try to discuss a bit with you
 today would be the way we see the evolution, the changes, in the information
 security, the threats and trends of the evolving threat landscape. Perhaps one
 of the key issues from our end would be to point out the fact that hacking is
 no longer for fame, but for fortune, that there's a financial motivation behind
 cybercrime, and that all stakeholders, both private sector, government, and
 civil society, have a role to play in addressing that.

 >>CHENGQING HUANG:  Good afternoon, everybody. My name is Chengqing Huang. I'm
 from China NGO. I'm deputy director of CNCERT/CC. I'm also Secretary-General of
 Internet Society of China. I speak English only a little. Well, I don't speak
 very much English, so I will speak Chinese. And our society is a professional
 one. We have tried to promote the use and development of Internet, so we are
 delighted to have been given this opportunity to exchange views and ideas with
 you. Thank you.

 >>GUS HOSEIN:  My name is Gus Hosein. I'm here today speaking from the London
 School of Economics and political science, from department of information
 systems there. I also speak on behalf of a number of nongovernmental
 organizations, including privacy international and the American Civil Liberties
 Union. I guess my main point is I'm a little perplexed by this emphasis on
 security the way it is defined here. And it's usually at the expense of other
 issues, such as privacy. And so just about two hours ago, we had a workshop on
 the nexus of the two, of privacy and security, being identity and the
 management of that. And when do you actually identify yourself online, how do
 you do that? Does it actually increase the problems of security or decrease
 them? So on and so forth. So I look forward to seeing how the IGF can actually
 take this issue forward into -- for more discussion.

 >>RIKKE FRANK JORGENSEN:  Hello, everyone. My name is Rikke Frank Jorgensen.
 I'm from the Danish human rights institute. And I've been active in the
 business process through the human rights caucus of civil society and also the
 privacy group. In the WSIS process and also more generally, there is often a
 tendency to see privacy and security as two opposing issues. And I think it's
 really crucial that we understand that the protection, the privacy protection
 of the individual, it's a security measure. It's really a security of the
 individual freedom, and it's a very key component in a free and open society.
 So whenever we discuss security measures here, it's very important that we have
 privacy protection up-front in the way we deploy and design these measures.

 >>HENRIK KASPERSEN:  My name is Henrik Kaspersen. I am here as a representative
 of the council of Europe. There is a microphone here, yes.

 >>KEN CUKIER:  A little closer.

 >>HENRIK KASPERSEN:  Again, Henrik Kaspersen. I'm here as a representative of
 the council of Europe. I was -- have co-responsibility for the development of
 the Council of Europe Cybercrime Convention in relation to security, technical
 security. And technical security measures are extremely important. But also
 legal security should be a very important element. And the basic importance of
 the cybercrime convention is that it sets rules for behavior of individuals in
 the Internet and cyber environment.

 >>ARCADY KREMER:  Good morning. My name is Arkady Kremer. I come from Russia. I
 am the director of a private and public sector association, the Russian
 association of networks and services. I'm also the vice president from the
 world telecom standardization assembly. I would like to answer the moderator's
 question and explain what I think is the most important factor in guaranteeing
 security. I think that in order to achieve full security, we have to see
 security not just as our own objective, but as the means to defend the Net.
 This will allow us to work in a more precise and stable way. The issue of
 information security is not a service or a good that can be traded. It is a
 system which has to be set up and which is -- it is necessary also to manage.

 >>ANDREW MAURER:  Andrew Maurer from the Australian department of communication
 I.T. and the arts. My area developed the Australian spam legislation as well as
 looking at various other eSecurity matters such as phishing and spyware,
 Botnets most recently. I would like us to have a look at security as a positive
 construct rather than just a reaction to the current crop of eSecurity threats
 that are out there. So in terms of capacity-building, considering more could be
 done in order to ensure that transactions are secure, that personal data is
 kept protected, and that computer resources are used the way that the users and
 owners of those resources want them to be used.

 >>MALCOLM HARBOUR:   I'm Malcolm Harbour. I'm a British member of the European
 Parliament. In case you're wondering why I don't look like Margaret Moran,
 unfortunately, she is detained in England by what is known as a three line wit,
 which means she has to be there to vote. So she brings you her best wishes. She
 is chairman of a group of which I am also a director, called URAM, which is a
 U.K.-based Parliament-industry group. We submitted a paper to the IGF on the
 security issue. And it's something that we're particularly interested in. And
 you can read our paper there. And I think our views, very strongly, are that
 the issue about raising the confidence of users of the Internet in its security
 and in its integrity, which I think is an important word, is a crucial task for
 all of us, and it's a shared responsibility in every sense. It's a
 responsibility of the users themselves. Industry clearly has a crucial role.
 And, indeed, industry, I would argue, is putting more resources than anybody
 else into this. Governments have a role, but there is a crucial and vital role
 for intergovernmental collaboration. And I hope we can talk about some of those
 issues this afternoon.

>>TERAYASU MURAKAMI:  My name is Terayasu Murakami, from Nomura Research
 Institute. While usually I -- in this kind of international conference, talk
 about the ubiquitous network. But today, I am representing Keidanren, Japan
 Economic Federation, which is representing more than 1500 major Japanese companies. 
 And Keidanren submitted proposals to the IGF.
 In that, we introduced one best practice and one worst practice. And basic
 message underlying those two cases is, we should pay more attention to the
 victimizer's side rather than victims' side. Most of the security measures
 concentrate how to educate or how to train victims, but we pay more attention
 to the victimizers' side.

 >>FREDERICO NEVES:  My name is Frederico Neves. I am the CTO of the Brazilian
 registry. And because of my background in -- as a service provider on the
 network, I think the principal issue that we should try to address here is the
 network security on the edge of the networks and routing to.

 >>RICHARD SIMPSON:  Good afternoon. My name is Richard Simpson. I'm director
 general, electronic commerce, at industry Canada, which is Canada's federal
 department of industry. Not surprisingly, we look at the subject of security
 from an economic growth and marketplace perspective. I think everyone in this
 audience is aware of the growth potential in the online marketplace
 internationally, which is now trillions of dollars in net worth, and nationally
 in billions of dollars, growing at a very significant rate. So looking at the
 subject of security, rather than focus on one key issue, I'd like to point out
 a key orientation that I think we can discuss this afternoon. And that is to
 look at a more proactive rather than a defensive and reactive posture to the
 subject of net security. In my view, we should be less focused on short-term
 threats and on cops-and-robbers approach to net security and more on
 longer-term, preventative measures which can deal with this issue of the --
 protecting the online marketplace well into the future. And I think there are
 significant roles for government in terms of the legal and policy framework for
 that; and for the private sector in terms of network engineering and other
 aspects of the physical delivery of the Internet.

 >>CHRISTIAAN VAN DER VALK:  Good afternoon. My name is Christiaan van der Valk,
 and I am a cofounder and vice president of a small Swedish security company and
 also co-chair of the International Chamber of Commerce task force on security
 and authentication. I have a long background in dealing both with policy issues
 and, more recently, also the business and technology aspects of security. And
 one of the things that has struck me in the past couple of years is the
 importance of the quality and quantity of legislation and its impact on
 businesses. We've heard already how business has to play a very, very important
 role in development of trust on the Internet. And if you look at this from an
 inside perspective within larger businesses, the amount of legislation that
 affects business security practices and their I.T. systems is growing every
 day. It is national legislation, usually impacting businesses in various areas.
 I can just mention corporate governance rules, privacy, electronic contracting,
 taxation, know your customer rules, and whole bunch of other types of laws that
 affect businesses. The matrix businesses are faced with is just enormous. And I
 actually believe that we're coming to a point where it is becoming counter
 productive and businesses are asked to take so many sometimes conflicting
 security measures that it is actually impacting security negatively. So I think
 the quantity and quality of legislation is an issue that business and
 government need to collaborate on quite seriously.

 >>KEN CUKIER:  Good. Thank you very much. So we've heard generally, I think,
 big-picture themes on what some of the issues are for security. We've heard
 about privacy. We've heard that our adversary changes, the role of the business
 sector, the importance of the edge and the user in all of this. It seems to me
 that there's probably a lot more issues. If we were to come up with just an
 inventory, we would see issues like spam, phishing, viruses on the individual
 level. From the idea of critical information infrastructure protection, we
 would have big network security issues in terms of undergirding -- the security
 of the domain name system and other things. Let me ask, before I open up the
 panel to more questions, let me turn it to the audience and ask, granted, we
 didn't speak about specifics, but we looked at larger themes. Are there any few
 specific topics that you think in our inventory of identifying the important
 issues that really ought to be raised immediately rather than through the
 discussion? And if you have those questions, let them be known. And I will call
 on you, and then we'll go right directly into the panel. I see one person, the
 gentleman back there. I see a second person there. Okay.  And two more.

 >> (inaudible) I would like to add to the agenda, if I may, a coordination
 between the certs around the world within the Internet. This was not mentioned
 in the panel. And I think this is importance in the governance of the Internet.

 >>KEN CUKIER:  Thank you. .

 >> This is (saying name) from Swiss Internet user group. And I would like to
 add to the agenda the issue of how do we deal with complexity, how can we
 separate this vast amount of things that should be taken into consideration
 into manageable chunks of concerns so that we can actually, at least in small
 parts, understand what is really going on, and not just take measures that
 increase the complexity of the whole situation and thereby decrease the overall

 >>KEN CUKIER:  Okay. Thank you. I see a gentleman there. Yeah, thank you. Yes.

 >> (saying name) from the government of Quebec. I think it's very important to
 put in place tools to make more aware and to educate rather than adopting

 >>KEN CUKIER:  I see a gentleman here in the third row.

 >> I am from Moscow University. I would like to ask or even request if we can
 look into the issue of whether it is correct not only to think about threats
 coming from criminals, but also threats from the state, from states which use
 information technology in order to settle accounts. So let's not just look into
 criminals, but also criminal action by governments.

 >>KEN CUKIER:  Do I see anyone else? It looks like we have a good new
 inventory. There's --   Please. Stand up. And introduce yourself.

 >> I have a question. I have a question for at least some of the panelists
 here. Yes, I agree privacy is valuable. But a lot of the people who are
 actually working in the security field are also working with the aim of
 protecting the privacy of the users on whatever network they are responsible

 >>KEN CUKIER:  Excuse me. Let me interrupt you for a second.

 >>KEN CUKIER:  Excuse me, let me interrupt you for a second.  Is this a new
 issue we are identifying or is this a comment about an issue that has already
 been raised?

 >> No.  How do you reconcile the two so you have privacy and security
 co-existing without any conflicts?

 >>KEN CUKIER:  Thank you. I see a gentleman there and two more there.  So why
 don't we turn to this gentleman first, and then those two.

 >> My name is Radin from Sudan. I will talk in Arabic, excuse me. There's a
 question of security on the Internet that can only be decided through
 international cooperation.  So what we need to find is an international
 framework where we could cooperate.

 >>KEN CUKIER:  Please.

 >> Hello.  My name is Tarek, I am with the Ministry of I.T., government of
 Pakistan.  The issue I would like to add to the agenda is that of continuity of
 operations.  It was embedded or sort of implied by the availability of networks
 which was the very first panelist had identified. But in terms of continuity,
 what I would like to specifically add to the agenda is the physical security of
 networks.  For instance, we faced a breakage in our only Internet C-cable two
 or three years ago.  Since then we added two or three more cables.  But that
 one breakage by a very innocent fishing trawler or something, caused a blackout
 for two or three days for the entire country. Similarly, there are physical
 threats to the infrastructure, or even electricity blackouts can cause a
 tremendous loss of confidence in the use of I.T.  So I would like that issue to
 be addressed, please.  Thank you.

 >> The issue I would like to add involved authentication.  Both routing
 authentication and address authentication, and then the derivative scaling
 problems of routing and tabling all the additional information.

 >>KEN CUKIER:  Thank you.  Please.

 >> I represent Tunisian civil society.  I would like to first of all thank the
 people who organized the seminar who allowed us to find a path to dialogue. My
 question is to find if we can have universal legislation which will allow us to
 deal with this problem. I think other countries as well have raised these
 questions because sometimes we want to surf to sites which our governments find
 should be prohibited. So I don't know how the people deal with this.

 >>KEN CUKIER:  I see another gentleman there.

 >> Hello, my name is Detrick from the metropolitan police and my question is
 regarding jurisdiction of basically international responses to critical
 instance.  And how the different governments will deal with that.

 >>KEN CUKIER:  In the back please, yes.

 >> Good morning.    I am from the Prime Ministerial service on development of
 the media in France.  There is a point I would also like to raise, is how we
 take into account the particular characteristics of linguistic diversity in the
 security, broader security issue, and also what is the protective technology
 which is used and how can we make it financially accessible to all.

 >>KEN CUKIER:  I see another person here, and then one here, and I think then
 we will go right into the session. Please.

 >> Yes.  I am from the Finnish parliament, from the Committee for the Future,
 and we have a very -- at the present there is a law, proposal for the law for
 the Finnish parliament which is called something, the National Health Data
 Bank. And there is a very international ethical problem.  Who is the governor
 of the National Health Data Bank?  There will be the whole history of all your
 medical treatment, your medicine, everything, the whole history.  Who is the
 governor?  Who gets the right to be the boss?  The patient or professionals,
 doctors?  Who is the main boss, the real governor?  And that's a very ethical
 question, and it's on the table now.

 >>KEN CUKIER:  Thank you.  In fact I would expand it and say who owns personal
 information is a broader issue. Yes, please.

 >> Thank you.  I am (saying name) from the province of Rome.  Dear panelists,
 how is your opinion about the role of local governments?  Do you think that
 local governments may be (inaudible) as a key actor in multistakeholders arena?
  We think so for a constant feedback from (inaudible) and from the civil
 society. And a last question. Is it important to discuss about ICANN and the
 role of ICANN in this delicate theme?

 >>KEN CUKIER:  Okay.  Thank you very much. Let me do this.  I think that let me
 close off the comments right now.  Let us go right into the panelists and here
 what the reaction is to some of this, and then we're going to open it up again.
 It strikes me that we now -- have a huge inventory of things, probably too long
 that we can possibly ever hope to deal with adequately in the time remaining. 
 So the best we can do is try to think of a framework about how to think about
 this. My first question to the panelists would be we have been talking about
 information security in its myriad of forms, even with new issues that are
 coming up that we didn't expect before, for decades.  Still, the problem is
 considered unsolved.  Still, the problem seems to be that more can always and
 constantly be done.  Are we forever stuck in the situation that we are never
 going to get it done or can we agree more can be done, we can identify what it
 is, and there will be a baseline degree of security that we can be comfortable
 with?  Essentially the question is, why have we not resolved this problem? Who
 would like to take the first stab at that?

 >>TERAYASU MURAKAMI:  Well, can I add a comment on the inventory of the
 security issues.  We did a study in the process of developing the ubiquitous
 network paradigm.  What will be the challenges of the network society now and
 in the future? Well, in that process, we identified ten different category of
 the issues, and ten different challenges in each ten categories.  That makes
 100 challenges we are facing with. Virus, Spam, phishing, and unauthorized
 access is only four of 100. We have another 96 source of headaches. So I think
 the important point of listing out the issues is that issues will change.  The
 security issue will constantly evolve, changing the shape. So it is, perhaps,
 no use to specify the kind of security issues we tackle.

 >>KEN CUKIER:  Malcolm, did you want to --

 >>MALCOLM HARBOUR:  Yes, I think in response to your question, because the
 level of security problems is growing faster than I think that we have the
 systems to cope with them. And that means that we have to talk about ways in
 which we're going to step up international cooperation, because that, I think,
 it at the heart of it. I am very wary, I have to say, one or two questions were
 raised about new international legal frameworks.  I work in a political system
 where we're trying to reconcile 25, shortly to be 27 legal frameworks, and it's
 extremely difficult and takes a long time. But it seems to me that the big
 issue that we need to talk about is how we're going to step up our exchanges of
 information on a timely basis, and to present information to each other in such
 a way that you can actually do something with it quickly and effectively. 
 Because surely the way to actually deal responsibly and quickly with these
 issues is to respond to alerts quickly, but above all actually to get that
 information flowing.  Because so many incidents and problems with citizens I
 think go largely unreported.

 >>KEN CUKIER:  It seems like we have institutions already to do that.  There's
 the European network information here in Crete, I believe.  Or Corfu? Yeah,
 ANESA {sp?}. We have our CERTs in the U.S. and in China and elsewhere. What is
 inadequate about the institutions that need to be reformed, first question. 
 Second question, is there a role that collaboration among different
 stakeholders can do to play a role in this respect to remedy those
 deficiencies? I impose upon you to respond.

 >>MALCOLM HARBOUR:  Well, I think you're right.  There are good examples
 working within particular geographic regions.  But as we know, the problem is
 not confined to those geographic regions.

 >>KEN CUKIER:  It's not like we even have good network security here in Europe.

 >>MALCOLM HARBOUR:  No, I agree.  I think we still have a lot more to do than
 we are at the moment.  ANESA is certainly intended to be a mechanism of
 exchanging information to be able to do that, but member governments still are
 doing a lot of collaboration among themselves.  And from country to country we
 see things like the Internet Watch Foundation which show what could be done in
 specific areas.  In the area of child pornography, for example. But it seems to
 me we ought to have a broader look at what is best practice and to use the
 power of this gathering for example to step up the work, and that can be the
 work of future summits of the IGF.

 >>KEN CUKIER:  Let me first ask -- Ilias, please.

 >> ILIAS CHANTZOS:  I'd like to -- I think we're getting a bit heavy on the
 fact that, well, maybe we're not doing that well.  Maybe we should be doing
 more.  So before we go there, I would like also to look a bit at the positive
 side. So let me begin by saying that the growth that we have experienced in the
 Information Society is there because we're actually doing quite well.  On the
 other hand, we need to face a fact that the success of the Information Society
 means that there is money there, and the criminals will follow the money trail.
  That's how it works.  People rob banks because that's where you put the money.
 So on that understanding, we need also to take into account that information
 security is not just a product.  It's not about just the technology.
 Information security is a circle.  It's a holistic approach around technology,
 obviously, people, and processes.  And often the people are the weakest links.
 Moreover, we need to take into account that whilst we cannot have 100 percent
 security, security is an evolving target.  Internet Society is involved,
 technology is involved, people get new technologies and so does the threatened
 landscape changes. The bad guys see the technology and see an opportunity. 
 We're there.  We're doing quite okay.  We are covering up, we are protecting
 our technology.  But since there is going to be another switch, there will be
 vulnerabilities found and they will move there. So it's an evolving target. 
 It's a moving target. So that's why, perhaps, we need to see also, if you like,
 a more positive side it have. Obviously collaboration is key, coordination,
 international approach.

 >>KEN CUKIER:  Yes, please.

 >>GUS HOSEIN:  I'm amazed that everything everybody is saying so far makes so
 much sense, and there is a reason why.  It's because we are speaking at an
 overly generalistic level.  We say international cooperation but what does that
 actually mean?  We say sharing of information.  What kind of information are we
 talking about?  Are we talking about people?  Which people?  Users or people
 working within companies?  We need to get into the specifics to really
 understand how complex this field is. Let's use an example.  We all agree to
 some extent that countries must cooperate to combat crime.  It makes a lot of
 sense.  But then let's say the U.S. puts in a request to a French ISP for
 information on a suspected criminal.  You would expect the French to say
 absolutely because we all agree on combating crime, increasing security.  But
 what if months later you find out that the U.S. was not investigating child
 pornography or terrorism.  They were investigating gambling, which is illegal
 in the U.S. but not illegal in other countries around the world. When we get to
 the specifics that's where you see the richness of the problem and how
 complicated it is.

 >>KEN CUKIER:  Thus, do you think because there is this conflict of law, that
 not every culture deems the same thing legal and illegal, that network security
 in this respect, the case of information sharing, is just impossible?

 >>GUS HOSEIN:  I think it has to be done with great care.  I think we can make
 a problem worse before we make it better.  I think we are going to decrease
 confidence.  When people heard during the European Union debates about data
 retention, that the data from ISPs across Europe could be sent to the U.S.,
 people were concerned.  That actually created a lack of confidence in European
 Internet policy, and that's a problem.

 >>KEN CUKIER:  Mr. Huang.

 >>CHENGQING HUANG:  Thank you.  I support the views expressed by the experts
 just now. We must increase international cooperation for network security. We
 have experience in this area, especially when dealing with network emergency
 incidents, quick response through international cooperation is very effective.
 For instance, our organization, CNCERT/CC, we cooperated with the U.S.,
 Australia, Japan, and other countries, and when dealing with network incidents,
 we have effective mechanisms. This July the 12th we received a report from
 Korea that an IP address falsified domain name and it spread virus.  We found
 out this address and closed it. The 29th of August, the Australian authorities
 reported to us that we have IP address which is sending Spam.  We found it and
 closed it. In early September, we cooperated with Internet law group, and we
 traced some Spam addresses. We think through such ways we can combat cyber
 crimes and Spams and other things.  How to establish effective cooperative
 systems globe-wise, that's very important, I think.  International cooperation
 is very important in this regard.  Thank you.

 >>KEN CUKIER:  Thank you very much. I see three of our panelists want to make
 remarks.  Mr. Kaspersen.

 >>HENRIK KASPERSEN:  I want to talk about the room.  The wish was we should not
 complicate things more than necessary.  And I have to think, we have different
 things here.  First we are talking about security, what infrastructure
 security, that is a very important issue, how to protect the infrastructure. 
 It's a dispensable tool, the Internet, and it should be protected.  That's one
 thing. The second thing is that we protect users and their systems from misuse
 by other users of the system. And I would like to make a distinction there.
 Protecting the infrastructure is extremely important.  Also in the room it was
 said that we might need to reverse the legislation to deal with it.  I'm not
 sure about it, because when we want to have legislation in this field, we
 should first agree whether, is the Internet and maintaining of the
 infrastructure, is that something we can leave to the private sector, or is
 that something where a government or the government should interfere?  That's
 also a very important debate.  What is the need for such an intervention?  And
 I will say we have so far seen that the Internet is organized by private
 industry, and we should maybe more emphasize, address the responsibilities of
 the actors in that field.  And the actors in the field are providers, software
 industry, and so on.  But also there is a responsibility for the individual
 people. Second point, when we're talking about misuse of the Internet
 facilities, then we might deal with a typical task for governments where they
 would like to criminalize or provide sanctions for that misuse.  And there I
 see an extreme need for international negotiations about what the common
 standards, behavior standards should be.  Otherwise, if we don't do that, any
 system would be without any effect in the end.

 >>KEN CUKIER:  Okay.  Thank you. Please.

 >>FREDERICO NEVES:  We should take in account that the network is quite big
 today, but it's growing in a tremendous rate.  Not in the development world but
 in the underdeveloped world. And actually what we should take into account is
 that new users should receive basic training about security.  Especially in the
 -- a lot of panelists are talking about vectors and the change of the vectors. 
 But most, most of the threats are imposed to the end user, because like --
 things that you normally face when you receive a telephone call or things that
 you don't normally act the way in the real world, but in the network, a new
 user will take --

 >>KEN CUKIER:  Let me ask you about that, Frederico.  In the Internet world so
 far, in the first billion users we have all been literate, we have all
 understood the ASCII character set so if we were Chinese or we were from
 somewhere else we would have to actually know the Roman alphabet with which to
 interact with information online. But if we're going to actually make the
 Information Society viable for everyone else, people who maybe are illiterate
 or simply don't want to go through the rigamarole of understanding the
 difference between a P and a Q, it seems maybe that we are setting too high an
 expectation about users would be able to take so much responsibility for
 themselves. Now, clearly, there has to be some responsibility, but maybe the
 networks, maybe the equipment providers, the software providers, hardware
 providers, need to take more of that on. In the telephone world, we have a
 degree of certainty about how transactions go on, but of course that's a
 centralized system, and we know that there's benefits to that but there are
 already drawbacks in the case of lack of innovation, et cetera. So, is it
 feasible to simply say that users need to just -- we need to educate the users?
  Or if we need to do more, what more should we do?

 >>FREDERICO NEVES:  One of the key points one of the people in the audience
 pointed out is that we should simplify.  But he talked about complex
 (inaudible) systems, but I will bring this to another level. I think the
 end-user software is too complex for the general user today, and we are failing
 in this area. And I think we should provide interface that are quite simpler to
 the end users. But besides that, basic training on security, basic security --
 I'm not talking about high-level techniques.  I am talking about not providing
 your credit card to the operator, to the marketing operator.  So why you
 provide it in an unsafe way on the Internet? So that's what I am trying to
 point here.

 >>KEN CUKIER:  Okay.  Let me ask first Rikke, then Christiaan, then some other
 panelists, and then we will go to the blog.

 >>RIKKE FRANK JORGENSEN:  Okay.  Just a very short remark to what we just
 discussed now and then the point I originally wanted to make.  I think there is
 a big problem that users are not interested in security, myself included, that
 I just want it to be there.  I don't want to have to think much about it, and I
 think many people feel like that. But another point I wanted to make was to get
 back to the link between privacy and security.  And to give a very concrete
 example on how we have tried to advance that link in Denmark where we have
 actually set up a task force by the Danish industry Association with industry
 people, I.T. company people sitting there together with privacy advocates and
 user groups.  And over the last eight months we have tried to take the point of
 departure in the privacy principles in the OECD guidelines and the data
 protection law at E.U. level and then to transform these principles into
 guidelines and checklists that the I.T. companies can then deploy in their
 daily practices. And this has actually been driven by industry themselves, and
 it has been a very good and very practical initiative that has resulted in
 guidelines that are out there now and that go out to all member organizations.

 >>KEN CUKIER:  Okay.  Thank you.  Christiaan.

 >>CHRISTIAAN VAN DER VALK:  I just want to go back to your first question, Ken,
 and give my perspective of that. We heard international cooperation is a term,
 obviously, that we hear a lot in these kinds of settings.  And one of the
 things I believe we do not stress enough is the fact that, and it's pretty
 obvious from the word complexity that we have heard as well, that security is a
 multi-disciplinary subject.  In order to get to security you need to take into
 account the process, you need to take into account the network, the people, but
 also aspects of law and a number of other things that need to be merged into
 the same approach. And I think one of the things I have seen a lot is the
 different disciplines that are involved in issues around security, talk a lot
 among each other.  There are plenty of groups of lawyers that talk about
 privacy and security, but the different groups don't talk to each other.  And
 there is no common process within the Internet world whereby lawyers,
 technologists and business process people, for instance, get together and
 hammer out what needs to be done in order to actually beef up security.  And I
 think that is one of the big problems we are facing today. We certainly don't
 have a lack, from my perspective, of international cooperation among
 governments.  We certainly don't have a lack anymore, and this is huge progress
 that has been made in the last ten years, in terms of a lack of consultation
 between business and governments either. The problem is more cross-cutting. 
 Technology people, policy people, regulatory experts and others talking to each
 other, sharing knowledge in order to get to a high level of security.

 >>KEN CUKIER:  Well, interestingly, one of the points of this forum, in fact,
 and this session is looking at areas of collaboration.  So let me ask David,
 when you respond, if you could do two things.  Tell me your response firstly
 towards the issue of collaboration among stakeholders.  Secondly, please try to
 tailor your response to the other theme of the Internet Governance Forum which
 is development issues for the developing world. I know I am putting you on the
 spot.  If you would like to yield your time, you may, and think about these

 >>DAVID BELANGER:  I'll try to do something, but first make the point I was
 going to make when I raised my hand. I thought I'd add a little bit of
 historical perspective of similarities and differences from the telephony
 world, which was mentioned, to the Internet world. And in this context, in
 telephony world it's called fraud -- in the Internet world it's called
 security, but it's a whole lot broader -- they share the criminal, the
 intelligent adversary, and they also share money, the motivation. They also
 share the fact that they are growing, although at different rates, so that
 telephony fraud, which we think of probably as a solved problem, is growing at
 estimated double-digit rates every year.  Fundamental new types of fraud come
 about approximately every month, that sort of thing. But what they don't share
 is an openness which is essential to the Internet.  And they don't share a
 newness, which leaves us in the position of not having quite as structured ways
 of reacting to it. Probably most important, they don't share the intelligent
 edge, which means that when people talk about all the software, all the
 hardware that goes into the edge, there's the opportunity to do more thing on
 it if you are a perpetrator.  But there's the problem of trying to manage
 something that, for most people, is a very complex beast, connected to a
 network which is an even more complex beast.

 >>KEN CUKIER:  Is there a way to take those points and think of them in the
 framework of what different stakeholders can bring to the table?  And also in
 terms of the developing world.  What they may need to know and how they should
 prepare for the same issues that we in the west had faced by dint of having
 developed our infrastructure further.

 >>DAVID BELANGER:  Let me try to address the collaboration and perhaps someone
 else can address the developing world better than I. One of the things that's
 happened over time is that there is enormous collaboration on these issues
 within industry, and I would say typically with governments, in the telephony
 world to the point where we would share what information we have that might
 help other companies protect themselves against fraud, rather than simply
 protecting ourselves. What I would say in the Internet, that that sharing is
 beginning to evolve over the major peering partners as they start to do what
 are actually very similar defenses and active defenses, actually predicting and
 anticipating security, at the network layer. Typically, the information of
 what's going on when you get all the way out past what might be a business
 enterprise's network, which can be controlled and watched very carefully, to an
 individual's PC, which may be being recruited as a botnet or its root may be
 attacked so it can be part of a sale to somebody who wants to attack us, that
 information isn't in the hands of a group who watches 7 by 24 what's happening.
  It typically is quite a bit richer information because every two people's PCs
 are quite a bit different. So I think that the approaches, both in
 collaboration and in technology and in operations that have been being used in
 the network are harder to apply at the web layer.

 >>KEN CUKIER:  Okay.  Thank you. I would like to ask Mrs. Lamia Chaffai a
 question, because on this question of the certification authority for Africa,
 we were talking about this beforehand.  Can you tell us about your experience

 >>LAMIA CHAFFAI:  Thank you for that question.  The question of cooperation on
 development in particular is a very important one.  In the African region
 today, there are quite a lot of countries which already have a regulatory
 framework for electronic commerce and signatures.  Others are working on that
 now.  And we have to ensure that all these countries have a framework of
 Harmonization for their legislation to ensure that they can participate and
 contribute to international exchange in order to bring about this development.
 So we must ensure that e-commerce carried out in a particular country should be
 recognized at international levels. So you need operator confidence for users
 in Africa, and that that is on the same footing as what exists at international
 level. So there are a lot of different areas of cooperation in terms of the
 legal framework standards, modus operandi among certification bodies, at the
 technical level, but also in terms of training of human resources, and
 awareness raising amongst decision takers in terms of the scope and the
 importance of this trust, this confidence in terms of development in this
 country. So that they genuinely can be concretely involved in this development
 of what we call the intelligence economy.  Thank you.

 >>KEN CUKIER:  In listening to your experience and some of the things that I
 have heard on the panel, I would still go back to an earlier question and pose
 in information security, the needs of different countries are so diverse and
 the cultures of different countries are so diverse that it makes sense to think
 of it not on an international level but actually maybe on a regional level
 instead.  And that might be best we can hope for. Would anyone on the panel
 either like to agree with that or disagree with that? Please.

 >>HENRIK KASPERSEN:  I would say in this respect, it's always difficult to
 choose the right approach. There are distinct two approaches, the bottom-up and
 the top-down approach. And I would think if so many countries and so many
 different states of development with different frequencies and occurrences of
 Internet in their countries, it would be extremely difficult to have the
 ambition that it should be done top-down. So I would be very much in favor to
 do it bottom-up. That means sector-wise, and, if possible, through more
 regional organizations that would benefit the whole process. But I would not
 have the ambition to do it top-down, because that is probably a very
 long-lasting process and probably not going to succeed in the end. That's a
 general remark on this issue. In the meantime, I also would favor, let's say,
 codes of good conduct of the actors in the field themselves. Actually, I think

 >>KEN CUKIER:  Sounds like wishful thinking. Who would the code of good conduct
 apply to?

 >>HENRIK KASPERSEN:  Well, to a certain group of actors in the field, where you
 have the network operators, where you have the access providers, or even where
 you have the Internet users as a group, that could be beneficial as well. It's
 all difficult. How do you start it? It should be the private initiative. But,
 nevertheless, it should be tried anyway. And this sitting here and saying,
 let's start, do something worldwide from top-down.

 >>KEN CUKIER:  Richard. Did you want to?

 >>RICHARD SIMPSON:  Yes. Yes, thank you. Just to pick up the point that's just
 been made about codes of good conduct and how you start to put together these
 cross-national or cross-jurisdictional solutions to some problems in the
 security area. What we underestimate in this area is the degree to which there
 is mutual benefit across industry and across countries to making the Internet
 work effectively and ensuring the online marketplace continues to grow. And the
 challenge, it seems, to us is to capture this mutual benefit in practical ways.
 One code of conduct that we were very successful in developing in Canada
 recently in response to the spam problem was a series of best practices for
 network management, which network service providers in Canada adopted. It later
 on became the basis for work at the OECD, and now there's a cross-OECD code of
 conduct along the same lines. We have figures to show that, actually, this
 network management best practices was greatly successful in Canada in cutting
 down the amount of spam initiated in our country through Botnets, primarily,
 because of certain technical arrangements that are made through this agreement.
 And if we had not put industry together to define their mutual interest in
 developing these standards and putting them into practice, we would not have
 had that success in dealing with spam, and the international community would
 not have had that model to work with.

 >>KEN CUKIER:  Interesting. I want to ask one more panelist for a reply, and
 then I'd like to bring it to the blogosphere and comments from the Internet. 

 >>ANDREW MAURER:  Just in terms of different countries, some developing, some
 slightly more developed in terms of security. There are some constructs, like
 the OECD spam tool kit, which acts as a starter set of some policies out there.
 It puts forward some legislation. It puts forward some advisories on things
 like industry collaboration that was mentioned just then, technical solutions,
 and educational material. Now, some of it's going to be very specific to
 countries that have been engaged with the Internet for a long time. But others
 of it, other elements of it can be taken away and built on or cut down or
 adapted.  And it provides a bit of a kick start for almost any other country
 that wants to look at the problem and make some headway. Often it's very
 difficult to engage with these problems with no source material or no
 background to work from. So drawing on that sort of broader resource is
 actually quite useful.

 >>KEN CUKIER:  The OECD spam tool kit, as you've described, it sounds very
 interesting, because it's a way for the developing world -- excuse me, the
 developed countries, who have so much experience with spam, to their annoyance,
 can take their learnings and codify it into the mechanisms of capacity-building
 in the developing world, if I understand you correctly. But the limitation of
 that is that it's only about spam. Might there be a way, a framework, an
 institution, to take other issues that the industrialized world has grappled
 with by dint of having dealt with it first, and then putting it forward in a
 way that developing countries can actually have a one stop shop on how to deal
 with this one particular issue of network security, information security across
 the wide, broad gamut of problems that they're going to face?

 >>ANDREW MAURER:  It would be a lovely idea. But as someone pointed out,
 security is so multidisciplinary that we're not always talking about the same
 thing. So the spam approach, I think, works really well for that. In many other
 cases, you have people building basic capacity. And perhaps the third model is
 something that works better there, where the people who are actually putting
 together the infrastructure and the services themselves, if they get the
 knowledge and the information exchanged that certs provide, then they're
 building in security at the same time that they're building the basic capacity.

 >>MALCOLM HARBOUR:  I just wanted to make a short point which linked to
 something that came up this morning. It's on the question of wireless and
 wireless Internet. If you look at what someone with wireless Internet delivery,
 they've come in later and actually put in different mechanisms for dealing with
 spam and unauthorized content. Now, if, as I think -- and maybe this is a point
 for the floor. But if the next billion Internet connections, I think -- my
 hope, obviously, is that a much higher proportion of those will be wireless
 than the current connections. And so people putting in in developing countries
 where there will be a lot of wireless-enabled connections, I think they can
 very much learn from the sort of packages that have been put in to protection
 wireless consumers. But on the other hand, of course, the security and
 integrity of the wireless networks -- and these are points that were made by
 expert panelists down the table -- perhaps present more of a challenge than
 fixed lines.

 >>KEN CUKIER:  Let me go right now to the comments that we have over the
 Internet. Please, Jeremy.

 >> Thanks very much. Well, there are two people who I have comments from. This
 is from the chat room on security on the IGF Web site. The first of
 them is Allison Wheeler, who is the CEO of Wikipedia U.K. And although
 discussion has moved on, at the time, we were talking about training new users.
 And Allison said that the bottom-line problem is that the Internet has become a
 general population toy rather than a capable and trained person tool, and she
 mentions the fact that computers are now sold alongside televisions and
 cookers, and that that's the serious problem here. They're not all white
 boards, but end users think they are. The next point comes from Michael Nelson.
 Michael is from the Internet Society, based in Arlington, Virginia. And he has
 a question for the panel. He says, how important are open standards in
 development of better Internet security? How have patent fights over new
 technologies slowed rollout of better security technologies and techniques? For
 example, he says, we desperately need better authentication in cyberspace, but
 most proposed solutions are based upon proprietary solutions. And he suggests
 that the IGF, if the IGF wants to have a concrete impact, it could build
 ubiquitous, open standards-based authentication.

 >>KEN CUKIER:  Very, very interesting. Let me do this. I think that Allison's
 point is very interesting, the notion of the generality that we need to have
 that affects how we treat information security. But let's treat that later on,
 because we're going to always come back to that, particularly as it concerns
 the developing world. Mike Nelson's point might be an area where we can drill
 down while we also ask the audience to come up with questions and to write it
 down, write their name or give their card so it comes up here, and we'll open
 it up to the audience for more questions. Let me drill down into Mike Nelson's
 question, which is the question of the development of standards. Clearly,
 listening to all of you so far, particularly in your opening summations,
 opening overview, there was -- you all noted that industry had a role to play
 and, in fact, was doing quite a lot. Yet you also noted that there were somehow
 problems and inefficiencies from realizing the robust enough security that we
 would feel confident with. To what degree do you believe that standards are a
 problem? How can we actually create these standards? And is there a role for
 something like the Internet governance Forum to help establish those standards?
 Or should we just say that they're for a technologist and for the private
 sector to come up with and we'll just wait until you do so? That's not a loaded
 question, of course. Feel free to challenge the question. All the other
 speakers have done so far. Please, Richard.

 >>RICHARD SIMPSON:  Well, I think Michael Nelson's made a very good point in
 talking about the importance of electronic authentication to the problem of
 security. And I would generalize it to be an issue that is more about an
 effective means for identity management online. If you look at a lot of the
 emerging threats that we are talking about, that we will continue to talk
 about, they relate to areas that -- like identity theft, which really have to
 do with the problems of identity online, identity both of an individual as well
 as in a corporate sense. So I think he's raised a good question, one that we
 should look at. There are now many instruments available where we could look at
 strange electronic authentication specifically, but also identity management
 online. The thing is that it's not just the I.T. community that is involved in
 areas like this. The banking industry worldwide has a significant interest in
 how this whole area unfolds. I know they're working on areas of authentication.
 Just the final point I'd like to make here, without sort of choosing whether a
 single forum or body could deal with an as complex as this. I think often that
 the private sector responds to -- very much to public demand in the first
 instance, as it's reflected in their business, but, secondly, also to
 leadership as it may be reflected by governments in terms of responding to
 their clients, which is the voter for all of our countries. So, you know, I
 think that we really should take a look at what we can do in terms of
 underlining the importance of the area, pointing industry to the need to come
 up with something like an open approach, let's say, rather than open standards,
 which is kind of a loaded term, but an open approach, which allows for
 interoperability and flexibility in dealing with the problem of identity
 management. Thanks.

 >>KEN CUKIER:  Let me ask, does government have a role to play in helping the
 -- the security industry to come up with these open approaches? Is there
 anything that the government can do? There's lots of tools that are available.
 Of course, the Internet was an example of a data networking protocol that was
 created in part because the government decided they didn't want to have a
 multiplicity of computer systems that didn't interact with each other. They had
 DARPA fund the idea and of course the government as a buyer of technology,
 through the DOD, was able to standardize around the TCP/IP protocol. That
 created a marketplace. Similarly, is there a role for government in this area
 for computer security and network security? I see a couple of questions.
 Indicate who -- the panelist who want to address this tissue issue. I see one,
 two, please, start from the -- Council of Europe, parliament of Europe. Sorry.

 >>HENRIK KASPERSEN:  In general, I would say that governments should not
 interfere in the process of standard-setting. I think that's something that
 should be left to private industry. They are most capable of doing so. They are
 dealing with competition. So, in principle, I would say there is no influence
 needed there of governments. The influence, nevertheless, could be some
 pressure to do it, convincing pressure to bring parties that far. But most of
 the time, what helps is really if in the discussion, societal discussion, it's
 clear that standards are needed to achieve a certain quality. If that quality
 has not been reached, it could be the case that courts, for instance, may make
 parties accountable for not having implemented certain measures. That will help
 considerably, too. But that is a very tricky process. But I think, in
 principle, state parties should not interfere in the parties of

 >>KEN CUKIER:  Ilias, I see you have a comment.

 >>ILIAS CHANTZOS:  Thank you. Well, being among the industry panelists, I think
 it's expected I would have a view on that one. So let's begin with a couple of
 points here. I think that, first of all, we can well argue that governments
 have already in their tool kit a number of tools which they could be using.
 However, the fact -- or which could be already applicable. However, the fact
 remains that if we don't want to be carving things in stone, it's very
 important that we understand and show that the market is there and able to
 innovate. And to do that, we need awesome standards and market-driven,
 bottom-up approach. Technology moves too quickly. We cannot afford to have a
 stifling in the innovation by not having a technological neutrality when we're
 getting things through the institutional democratic process. Having said that,
 yes, competition in the marketplace, openness, interoperability are key issues
 for information security. The fact that we're having right now a healthy market
 on information security, comparative market on information security, a diverse
 market, are key issues to ensure that we maintain a high level of information
 security. We cannot afford to have a security through obscurity. Now, having
 said that, I also need to point out that the fact that security and choosing
 security products, if you like, security solutions, should be based on the risk
 that we're dealing with and on the things that we want the product to do. That
 can be open source; that can be, if you like, proprietary. But that does not
 necessarily mean that just because open source is more secure. It's not the way
 that it's licensed; it's what it's made to do.

 >>KEN CUKIER:  Okay. Well, open source is one issue, among many. But the issue
 of open either silicon standards or even open approaches doesn't necessarily
 have to be open source; right? So let me press you on this. In creating the
 Internet, the -- it took academia and government to not just benefit one firm,
 but to change the state of the entire industry so that many firms could
 benefit. Clearly, you might see, as having proprietary standards, et cetera,
 and technologies, that you could grow your market even more, sufficiently more,
 with an open approach than you could if you had many different proprietary
 approaches that would put a brake on companies and countries and individuals
 from investing more in information security. So, essentially, government could
 fuel industry for a socially optimal outcome. Do you think that this is a good
 idea? If so, how would we go about doing it? Would this forum be an appropriate
 forum? Or even would this forum be the right place to raise this sort of issue?
 And then develop it, allow the issue to ripen somewhat, and then hand it off to
 another institution to see through? And who would that institution be? Do you
 have any ideas on it? And then I invite the other panelists to respond. But I'm
 going to challenge you first.

 >>ILIAS CHANTZOS:  You're going to challenge me with six questions or
 something. Let's try to tackle it in a constructive way. I think that the
 current marketplace is such that there are the drivers which would ensure that
 we see innovation and we maintain innovation. Certainly from our point of view,
 we aim to try and we aim to be interoperability. We aim to be operating across
 platforms, because that is what the market also needs. So as long as we
 understand that diversity, competition are key elements in the marketplace and
 we ensure and we strive that we maintain that, I think we're to start within
 the right path. Now, whether IGF is the best place to do this, quite frankly, I
 think that this is a very technical discussion. This is a discussion which is
 -- perhaps -- which runs the risk of perhaps boring the delegates to death. And
 I wouldn't want to see any people falling off their chairs while I'm speaking.
 So I think that though the IGF is a good place where we can kick the idea, hear
 the views of the different stakeholders, because that's the value of it, the
 diverse participation. We need, then, to make sure that the different bodies
 are, kind of like of the international c