Promoting CyberSecurity and Trust
04 December 2008 -
A Main Session on
Notice (8): Undefined index: Topic [APP/View/Transcriptions/show.ctp, line 18]
in
Hyderabad,India
Internet Governance Forum
Hyderabad, India
Open Dialogue
December 4, 2008
Note: The following is the output of the real-time captioning taken during Third Meeting of the IGF, in Hyderabad, India. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
>>MARKUS KUMMER: Good afternoon, ladies and gentlemen. We're here for our second open dialogue session. It is rather a big room, and there are many people right at the back. We would suggest that they move forward a bit to create a more cozy ambience.
Before we start, I have an announcement. We had some participant who had one of the more than thousand backpacks that are around, and he lost his own. And it includes his passport. Otherwise, it's no -- it says it's the usual stuff everybody else has in. So please check whether you have his passport. His name is Mawaki Chango. And he also has a network power in there. But I think the passport is the most important thing. And should you find it, please hand it back to the lost and found desk.
Also another announcement. We have checked with the registrations, and we have now 1273 registered participants. That includes 133 media.
[ Applause ]
>>MARKUS KUMMER: Which is, all in all, I think, a very good show-up, considering the circumstances.
Are we ready to start? Okay. Then I hand over the microphone to Jonathan, who is our moderator for this afternoon's session.
>>JONATHAN CHARLES: Good afternoon. Welcome to the session. Thank you very much, indeed, Markus (No audio).
Of the IDN, which is cybersecurity. And all the issues that raises to do with the balance between security and privacy and threat to the Internet from many areas (No audio).
You have probably been in the sessions this morning. If you haven't, don't worry. We're going to get the rapporteurs on the two sessions to come and give us the full input of those sessions so we know how -- this is really your chance to get your input.
What we're going to do is, if you want to make a comment, you'll stick up your hand and we'll bring a microphone around to you so you don't have to queue up at the microphone. I'll pick you out in the audience and have someone bring a microphone to you and make your point.
I'm very keen that we stay on topic, that we move through this logically, and that (inaudible) that you make comments that are appropriate to that particular point (inaudible).
We will move forward to conclusion and come back (inaudible) and try and (inaudible). These debates are much better if they're focused on the issues that are being discussed at that time.
And if you react (No audio).
Cybercrime, though we know what that is, we know there are millions of viruses out there. We know the threat to the net. We know that real pessimists say that if these issues are unchecked, that the Net itself will fail five years down the line or ten years down the line or maybe five months down the line. So great threat.
What we want to come up with today, I suppose, is to try to work out some of these tradeoffs between security, on the one hand, protecting ourselves, and the need to keep the Net dynamic and open, where (No audio) -- the balance lies on that particular part.
And also what role can we play here in the IGF on trying to take the debate forward and trying to come up with solutions to what has seemed quite an implacable problem.
I'm going to start by introducing one of our co-chairman here. We are joined by Gulshan Rai. He is director of the Indian computer emergency response team. He's going to say a few words. Then we're going to hear from the rapporteurs from the two sessions today. Then we start throwing it open to the debate, to you.
>>GULSHAN RAI: Thank you. We have the open session -- we had the plenary session in the morning where we talked about the cybersecurity and cybercrimes over there. We had chairman, and the second session was also very important for the security. This was chaired by Mr. Shyamai Ghosh and reported by Mr. David Gross.
It very clearly emerged that the Internet and the mobile telephony are the two important discoveries of the 20th century there. It has made a great impact on individual life. And, in fact, these two technologies are inseparable from our day-to-day life.
But then what happened that has it brought a real potential, have we realized the full potential of these two technologies for our societal application or society?
Today, we have more than three billion mobile connections in the world and more than one billion Internet users in the world.
The -- as I said, we still have to realize the potential. The reason is the lack of trust of the user in the usage, particularly the e-commerce and other financial applications there.
The user is worried about the cyber threats, like virus forms or trojans or identity theft. The organizations are worried about the stealing of data.
The infrastructure, critical infrastructure, is worried about his data (inaudible) or the malfunctioning of the infrastructure.
In the session which I was a member in the morning, the -- it was emerged that there are five pillars of cybersecurity. Alone, the legal infrastructure or technology is not the answer. We have to looked at integrated manner, if we have to keep the trust of the user in the applications, because we expect this one billion number will definitely increase to number of billions in the time to come, maybe in five to seven years.
The five pillars which were identified were the legal measures, technical and procedural matters, the organization structure, the capacity-building, and the international cooperation. This in fact has to be looked at an integrated manner if we have to provide a safe and secure cyberspace to our citizens and to users, they have to put trust in that.
This session is an open session where we invite each and every one to put forward his views, put forward his comments. And the session is open to all.
I give it -- with these comments, I give it to Jonathan to conduct this.
>>:Jonathan Charles: Thank you very much, indeed.
Before we go on, let me introduce my co-moderators who are over there on the left. Closer to me is Natasha Primo, who is national ICT policy (inaudible) in the association for -- sitting (No audio) is recall at the Brazilian embassy in Washington, D.C.. He is vice chairman -- I'll try to speak up -- vice chairman of the GAC and a representative of the Brazilian government. Their job is they're going to intervene regularly. They're going to keep an eye on some of the questions. They're also going to pick up on some of the salient points, as they said, and move us on from time to time. It's not just questions, of course, that you can pose by sitting in your chair. You'll all have been given pieces of paper. They're going to be collected by the ushers. If you want to write down a question, then feel free to do that. Write down your name. Write down the question. Hand it to one of the ushers, and they'll bring it to us at the front. And we'll also probably be taking some questions from our remote access audience, from people who are watching us at various hubs around the globe.
Let's start, then, by just recapping on what were the main points of the two sessions today, which we had earlier today, on cybersecurity.
First of all, let me call on Bertrand de la Chapelle to actually tell us the main points from one of the sessions this morning.
>>BERTRAND DE LA CHAPELLE: Thank you. Just rapidly, a few points as we've agreed to have five bullet points basically.
The first one is the notion of prevention, not only remediation, prevention, proactive measures to make attacks and exploits harder and have a more resilient architecture.
The second point is the notion of a feedback loop between prevention, analysis of incidents, and remediation, the three feeding in one another to increase the awareness and increase the knowledge about how to respond to attacks.
The third thing that has been used a lot is the notion that there are a large number of actors that are involved in the prevention, the remediation, and all those issues. They are from all categories of stakeholders. And the building of trust networks among those actors is essential, and it requires time, and it really requires to base them on the relationship and the trust among them.
The fourth point is the notion of avoiding to address issues in silos of actors and avoid having the governments on one side, the private sector on the other side, and civil society or other actors on the third side, and the technical sector. But, rather, to organize discussions on an issue base, to get people by categories of incidents, categories of dangers, categories of problems, and bring all the actors together in a multistakeholder (No audio) -- is the notion of organizations, the brought frameworks and having broad frameworks doesn't necessarily mean a (No audio) -- but agreed (No audio) that was suggested. One theme was the question of the cost of security. Another theme was raised by somebody who belonged to the software development sector about standardization of security issues (No audio).
The third point was the role of the IGF on this issue and why it is and how it can be appropriate space, what role it can play. And the last question was raised was -- is the role of the various organizations that are dealing with those issues in various regions, in various categories of actors and how they can interact with one another, just to feed into the debate.
>>:Thank you very much, indeed. Let me call on our other (inaudible). You were at the other session. Give us the rundown of the five main points from that session.
>>:Thank you, Bertrand. So, yes, we had a really nice and interesting debate during the second panel of the morning. And if I have to resume and find out with five points, the first one will be (No audio) -- in the debate on (No audio).
>>:I think we're losing you.
>>:Okay. It's better now?
>>:Yeah.
>>:Yes. I was saying, on our first point, the role of the Web 2.0 in the protection and preservation of privacy, security, and openness, and particularly what social networks are affecting or how privacy is related to these new technologies.
And a second point, the importance of freedom of expression and access to information and global information flows and how to keep preserved and enhance those rights in the Internet.
Then a third point on the importance of information literacy, on being able to use those technologies to understand the potential and the risks of those technologies.
And a fourth point, how do we deal with different cultural, legal frameworks across countries.
And the fifth point, if, in the debate on privacy, security, and openness, we have to confront several stakeholders. How can we find a common ground, and how each one of the stakeholders with his role can help draw a line and define the spheres for security, privacy, and openness. So those were the five main points. So I hope in this debate we can have further discussion on those. And interrelate with the session on cybersecurity.
Thank you.
>>JONATHAN CHARLES: All right. Andrea, thank you very much, indeed.
I'm going to start by -- maybe we should -- it would be useful to have examples. Maybe you've had to deal with it (No audio) -- for example, I had one only the other day in which I discovered something on my credit card for a very large (No audio) what had happened was that my card -- sold to an Internet site where criminals actually trade card details. And it's then being used to make a number of other transactions. That's just one example of -- another example of Internet crime where a Web site is being set up (inaudible) -- join this Web site using passwords, and they then swap details to use in a variety of places. That's just one example of cybercrime, one of the cybersecurity issues.
Anybody here have any other example. If you'd like to put up your hand. This gentleman down here. We'll get you a mike.
>>:We have multiple such examples. I run an ISP with, like, 40 million users. And every time I keep running across people who forward into spams and (inaudible), for example. One gentleman actually was very upset with me that our filters blocked his e-mail, that it was sending all his credit card details to Nigeria. And he was like, why did you stop me? I have a business deal that's going to earn me about $100 million, poor man.
Anyway, there's one stakeholder I think that did not get mentioned here, and it is a stakeholder that has been making the news for quite some time, at least one registrar believed to be owned by cybercrime operations and one large-scale Web host, that's domains and MC (saying name) were taken down because of articles in the Washington Post by Brian Krebs which basically had detailed exposés on the cybercrime links that were associated with these groups. And the media is one organization that helps those bridge between industry and civil society, it is a way to quickly disseminate information.
>>:An educational element.
>>:Yeah. It's not just educational. Based on investigative reporting and based on his work --
>>:I use education in the widest possible sense.
Okay. The gentleman there. We'll just get you the microphone.
>>CHRIS DISSPAIN: Thank you. I think you -- hi, Chris Disspain. I think you asked for some examples of security.
How many people in this room have got a computer open?
And are connected to a network. And how many of you are connected to something called "free public Wi-Fi" because that's not the network. That's someone's computer. And there will be at least four or five of those in this room right now. And you could very easily have your computer connected directly to somebody else's computer, which means they can see what you're doing.
>>:Right. That's a good example.
Gentleman over there.
>>STEPHEN LAU: Stephen Lau from Hong Kong. Let me look at some statistics and quote some U.S. statistics. As far as identity theft or people as individuals' personal data got compromised. The latest are the survey from the FTC, Federal Trade Commission in the U.S., say that 3.8% of U.S. adults have been -- had their identity compromised or identity theft. 3.8% translates to 8 million people in the U.S.
So this is a really very prevalent, very wide kind of problem. And I think the business community, we have been reminded by various business organizations, including BASIS, ICC, that business organizations have not only to respect personal data of its customers and its employees, not from the point of just because it's a right of an individual. It's only just because compliance to law, because a lot of countries have laws to deal with infringement of personal data privacy. It has to be treated as a business imperative, as a business issue. It is a business differentiation issue. It is also a competitive advantage issue.
The reason why I'm saying that is, various surveys have looked at the issue of data bridges, which are becoming more and more prevalent in this world. And everyone of this data bridge, on average, would cost the organization, apart from branding issues, reputation issues, cost in terms of transaction, in terms of regulatory punitive measures, costs about -- I can't remember the exact figures, but it's absolutely in the millions. I think it's three to four million per episode.
And we said this morning, in Internet, trust is the issue. It's not price. It's not cost. It is respect, and it is trust. And so you have a trusting culture respecting your customers, respecting your employees' personal data, that it would help a lot. As I said, not only in terms of cost, prevention, but also in terms of reputation and branding, as well as a business imperative and business differentiation.
Thank you.
>>:Stephen, thank you very much, indeed. Stephen Lau.
Any more examples of people who have been either suffering cybercrime or have dealt with it in some way? Yes, it appears, that gentleman in the back with his hand up there.
>>:Good evening. I am (saying name) from (saying name) Hyderabad. I'm (inaudible).
When the government top director requested me, he has received an e-mail threat from an unknown person from Yahoo! stating that he is misusing his (inaudible), and the mail was addressed to the superiors of the authority.
>>JONATHAN CHARLES: Can I ask you, sorry, just to hold the microphone much closer to your mouth. Because we keep losing some of your words.
>>:Okay. The -- one of the top directors of the company has received an e-mail telling that he is misusing his authority, and the copies of the mail has been sent to his boss. In fact, he has lost a lot of mental disturbance because of that e-mail threat. He's unable to focus in his day-to-day operations. And he wants to track down, trace who has sent that e-mail which is disturbing his entire business, daily work schedule.
So this is a total misuse. He is unable to trace down who has done this damage, which is unwarranted.
>>JONATHAN CHARLES: Right. Okay. That's an interesting line.
Let's go over to the left here. Two people, I think, want to speak. Gentleman, yes, in the suit, first of all, in the dark suit.
>>JONATHAN CHARLES: Right. Okay. That's an interesting one.
Let's go over to the left here. Two people who want to speak. Yes, gentleman in the suit. First of all, in the dark suit.
If you could just stand up and we will get you the microphone.
Very good. There's one coming over to you right now, at high speed.
>> (saying name), federal prosecutor in Brazil. And Mr. (saying name) from (saying name), an NGO in Brazil.
We usually have two different approaches regarding security on the Internet. Infrastructure threats and human rights threats.
More than computers, the Internet connects people.
We all agree that human rights are universal and defined by international standard and treaties and must be respected and protected worldwide, including cyberspace. National and regional legislation was sanctioned in order to protect human rights, which means to protect and fight against their violations.
It's not matter about one right versus another. It's a matter of how to protect these rights in a global view.
Moreover, as Mr. Gulshan Rai has observed in this morning's session, in five or six years, another billion people will access the Internet worldwide.
These new users come mainly from developing countries, like India or Brazil.
How to protect the security and the rights of these new users, especially children and adolescents considering that, one, crimes have been committed by nationals who take advantage of the borderless nature of the Internet to violate fundamental rights. Second, despite the efforts of constraining the cooperation among law enforcement agencies, the current instruments of international cooperation are not efficient in order to cope with thousands of cases involving, for example, distribution of child pornography using international services provided by Internet providers based in the United States, like Google, Yahoo!, or Microsoft.
Third, unfortunately, the self-regulation model which has been successfully implemented in Europe has not been working well in developing countries.
Fourth, despite all the risks that countries can use their power to violate human rights, including freedom of expression and human rights.
Under the international law, the states still keep the responsibility to promote and to defend human rights.
Therefore, concepts like sovereignty are not totally old fashioned in the Internet world.
For this reason, we, members of the Brazilian federal prosecution service and the NGO Brazil have been arguing that under certain circumstances it is totally legitimate to enforce local offices of transnational companies to comply with our own legislation and jurisdiction.
We believe that the situation in Brazil is paradigmatic because it creates a new form of creating social control and governance, balance between law enforcements, users of data requests, application of national legislation and jurisdiction, and big international ISPs, worldwide policies and strategies. Reflecting on the Google's Orkut case in Brazil can help us find the balance between preventing and reacting on cybercrimes and protect freedom of rights and democracy in developing countries.
>>JONATHAN CHARLES: I am going to be a really horrible moderator this afternoon because I don't want you to put your hands up unless it is directly related to the bit of the topic we are discussing right now.
Because we have a long way ahead of us and we are going to try to take things in a logical protection. If you have something to say on the topic, fantastic. If not, wait to the next one. I'm sure you will have something to say on the next one.
One last lady over there.
>> Just to follow on what the gentleman said about rights. I would just like to extend it to talking about the rights and freedoms of women and bringing the issue of cyberstalking. That's a cybercrime; right?
>>JONATHAN CHARLES: Do you have an example of cyberstalking?
>> Yes, there is the case of Amy Boyer, I believe was her name, a woman who was pretexted. Information about her was sourced from a man who then used that information to get access to her stalker, and it resulted in her death. A very well-known, well publicized case. So if we could just put that on the agenda as well.
>>JONATHAN CHARLES: Yep, definitely. And we are going to be talking about rights in the next hour or so.
Before we go on and look at what we need to promote cybersecurity and trust, let's look at one more thing, which is if you sit here and think what is your worst fear about what could happen to the Internet unless we tackle this issue of cybercrime, what comes into your mind, I wonder if anybody has any thoughts as to where they think this is going to end for the Internet unless we do something on cybersecurity.
Anybody like to put up their hands or where they think, the damage they think would be done to the Internet if this is not resolved?
Gentleman here.
>> People will simply be too afraid to use the Internet, though right now, cybercrime has always been it happens to somebody else, it happened to a bloke I knew somewhere.
Not many people, the vast majority of Internet users are not victims yet.
But this is likely to change, and it's likely to change for the worst if cybercrime continues to be uncontrolled, and as we see new people, new crooks deciding that cybercrime is a viable option for them.
>>JONATHAN CHARLES: Anybody else got any worst fears as to where they think the Internet is going, what is likely to happen to the Internet if this is not resolved?
Gentleman over there in the white shirt on the left-hand side.
>> I would be concerned that, as new users come onto the Internet, the first thing that they will see is criminal activity, and they could very easily come away with the conclusion that that is what the Internet is for and that it's acceptable to continue to engage in criminal activity online.
I think that's quite a bit of what we have seen, unfortunately, with the folks in Nigeria or who claim to be from Nigeria.
>>JONATHAN CHARLES: Okay.
All right. Well, I think we know, then, what's at stake. We set out what's at stake. At a moment, we're going to start looking at where we might go with that.
Let me turn to my co-moderators. Everton, I think you want to say something.
>>EVERTON LUCERO: Thank you. Thank you, Jonathan. I think all the examples that were given were perfectly valid, and they show the complexity. Situation. And of course there are many more.
I would like to pick up on some points and perhaps based on your last comment on damage to the Internet, I just would like to emphasize also that it is important to concentrate on the damage to people. Because, of course, we all want the Internet to be safe, secure, reliable, but most of all we do not want the Internet to be an instrument for criminals. I think that's one basic notion that perhaps we could explore together.
Just picking up on the comment that was made by the federal prosecutor from Brazil, and if you allow me, I would like to mention -- take this opportunity to mention that it is an example of a national solution or an attempt to find a national solution, bringing together the social -- the civil society and the law enforcement agents, the lawmakers, because the way that it was possible to get to an agreement with Google, that runs Orkut, a very popular service in Brazil, on a term of conduct to fight child pornography was precisely through a special commission of inquiry at the Brazilian federal senate, which also brings us the idea of the important role of parliament in democratic societies in trying to frame this issue.
Of course, a national approach will not be a solution applicable globally, but it is a start and perhaps this will also be a case study for others to continue.
But I just would like to suggest, Jonathan, that I say here a suggestion that everyone who speaks identify themselves and where they come from and what they do before they speak, for the sake of the debate.
Thank you.
>>JONATHAN CHARLES: No anonymity here.
Natasha, do you want to say anything about anything that has grabbed you so far?
>>NATASHA PRIMO: Well, what I would like to suggest is that we also take some examples of how people have had their access to information blocked. Let's not just talk about cyber stalking, cybercrimes, but also what implications that has for different groups and individuals in accessing their rights.
>>JONATHAN CHARLES: Yes. So we will do that.
Let me -- I think everyone here agrees -- Is there anyone here to doesn't agree -- Let's take a little straw poll. Everyone here agrees there is a problem, I take it.
Everyone here agrees that something should be done. Put up your hand if you believe something needs to be done about this problem.
Something should be done about this problem.
Okay.
Put up your hand if you think nothing needs to be done about this problem; that somehow, it will resolve itself.
Bertrand, you think there's a third question. What is it?
>>BERTRAND DE LA CHAPELLE: Third question, is everybody aware of what is being done?
>>JONATHAN CHARLES: Third question -- good question. Is everyone aware of what is being done?
Okay. And is everyone working together?
The answer is, it doesn't look as though there's much unity here. There's no unanimous approach, so let's start down our track of trying to work out where we need to go in order to improve cybersecurity.
And let's start with the question which I would like you to stick up your hand and try to answer, and I will come to that -- very quickly, that gentleman there.
>>ALUN MICHAEL: I am just a little bit worried about the set of questions. Of course we don't all know what's happening. The point of the morning panel I think was very good in giving a pretty comprehensive view of a lot of things that are being done. It was useful for that point of view.
Most people don't want to be aware of everything that's being done. What they want to know is that they are safe and that their concerns are being dealt with somewhere.
And that's why I made the point this morning that we need to build up from the national level the use of national level IGFs, which is one of the developments we promised last year we would do in the U.K., involving government, parliamentarians across party, industry and civil society. And secondly, looking at the bad side of the Internet, the criminal activity but also the low-level nuisance activity to say what are the things that people want -- dealt with and how do we manage to do that through a partnership approach, not a legislative approach which we know won't work.
So I think with respect -- in the cracks between your questions is where the real action has to be.
>>JONATHAN CHARLES: That's fair enough. And I will identify you. I think you are Alun Michael; right?
>>ALUN MICHAEL: Yes, Alun Michael. Member of parliament U.K.
>>JONATHAN CHARLES: Please make sure you identify yourself and where you are from.
There are lots of things that need to be done. We are not all aware of what's going on, and some of us aren't sure of how to proceed down this road. Let's start the debate proper. Let me start with a question, which is who do you think should be responsible for improving cybersecurity? Does the responsibility lie with me, the user? Does it lie with companies? Does it lie with government?
Where does responsibility lie in this? And in what way does responsibility lie?
That's what I would like to hear from you all on.
First of all, there is a gentleman at the back standing up. We will get you a microphone, if you could identify yourself and say where you are from.
>> Good afternoon, gentlemen. My name is Freder. I work for an anti-virus company from Finland. I am from (saying name) corporation.
The question is who is responsible for ending cybercrime?
If I am allowed to talk, I would talk a bit about your previous question: Where is this going to end?
Well, Internet is a playground, as I say that. It's for good people and the bad people. So however much we secure it, there are still people who can break it, because all this is written by human being.
So anything that is written secure, can also be broken.
It's obvious that all the viruses, all the malware, whatever is spread on the Internet is also a software.
So an anti-virus company is trying to break into that software and stop it from entering into your computers or the network.
So it's a similar human brain on the other end who is trying to break your antivirus software. So it is a software-to-software game.
So there is no end to it, and one thing that I would say is that there isn't going to be any serious harm that's going to be done to the Internet by these things, but it's going to be an ever lasting thing. An antivirus or a virus, good and bad, everything is going to exist, like the human beings, it's the Internet.
The same thing.
>>JONATHAN CHARLES: Where does responsibility lie, then, for improving security? Who does responsibility lie with, do you think?
>> The responsibility lies in no government, no organization, but the individual who uses the Internet.
See, there are two things here. One is enforcement. The other thing is education. And both these things put together could do a bit of improvement, but not 100 percent.
So education is important, enforcement is also important.
So what is to be enforced? There should be some body which works universally, should not have any country borders, no country law should be applicable for Internet because if I write a bit of content, a piece of content on the Internet on a particular Web site, or it could be offending for some countries, it could not be offending for some others.
So what should be the -- I know the deciding factor to say whether a particular piece of content or a particular act on the Internet is legal or illegal. So there should be a party, a governing party, which does not have any geographical boundaries. So the moment you're hooked up onto the Internet, you're no more a citizen of India, no more a citizen of U.S. The day I think someone starts working toward this, then I think we'll see a beginning of the end to the problem.
>>JONATHAN CHARLES: Thank you very much. Thank you. Maybe (inaudible). Lady here, I think you wanted to say something. Yes, we'll get you the microphone.
If you could identify yourself.
>>ANNE CARBLANC: Thank you. My name is Anne Carblanc, and I work with the OECD, but this is my personal opinion.
I think that, first of all, the leadership in fighting cybercrime should lie with governments. But governments are not the only actors. They need to work in partnership with the others.
>>JONATHAN CHARLES: Just let me question you, one question coming back on that. What is it you think governments can do, bearing in mind that they may not be acting on an intergovernmental level or are you suggesting they need to act on an intergovernmental level?
>>ANNE CARBLANC: Well, governments are the best place to identify and devise an action plan. And they need to facilitate coordination at national level, with the private sector. And responsibility lies with each actor as concerns cyber criminality.
This morning, people said that users need to also consider -- realize that they are part of the Internet and take minimal measures to protect their systems and networks. And governments also need to cooperate with other governments. So it's kind of vertical or intranational and horizontal across countries.
>>JONATHAN CHARLES: Okay. So we've got one person who's in favor of governmental, and one person who is not in favor of governmental intervention.
Gentleman here.
>>SURESH RAMASUBRAMANIAN: Did somebody forget the word multistakeholder?
>>JONATHAN CHARLES: Right. Go ahead. We haven't mentioned it. So go on.
>>SURESH RAMASUBRAMANIAN: I know, I know.
I would hardly accuse the OECD of forgetting it, because you have the OECD tool kit dating back to 2005, which was one of the earliest models of multistakeholder cooperation and joint action against spam specifically. But most of the principles would apply for cybercrime and cybersecurity in general.
And the point is that there are several very fine, very workable models available that make a lot of sense on multiple levels.
>>JONATHAN CHARLES: Give us an example. Give us an example.
>>SURESH RAMASUBRAMANIAN: The OECD antispam tool kit, as I said. And the ITU has some very fine projects, such as a botnet medication tool kit and a readiness tool kit that a country can take to assess how ready it is in terms of combating cybersecurity.
And there are several other examples, such as a series of best practices put out by the messaging antiabuse working group, MARK, which is an industry group.
But best practices are not very useful as long as they are on paper or as long as the only people who are following best practices are actually the people who are already doing the right thing.
We have got a whole lot of people in developing countries and in developed countries that need to be reached out to and that need to be anything from educated to perhaps, in some cases, pressurized into following, by community sanction, shall we say, into following best practices.
And these multistakeholder models actually need to be taken out of paper and translated into actual work.
I'm glad to see that this is happening. But it's happening very slowly. It needs to take place much faster. That's about it.
>>JONATHAN CHARLES: Okay. Thank you very much.
Please remember to say your name and who you represent when you speak.
>>SURESH RAMASUBRAMANIAN: Sorry. Suresh Ramasubramanian. And among other things, I am a consultant developing a botnet medication tool kit for the ITU. I also work for one of the largest ISPs in the world. And I run an NGO, antispam NGO, in the Asia-Pac that does capacity-building and policy and technical issues for local people. That makes me neither fish, flesh, nor fowl.
>>JONATHAN CHARLES: That makes you very multistakeholder. Thank you very much, indeed.
>>EMILY TAYLOR: Emily Taylor from Nominet, the dot UK Internet domain name registry. An observation is that many of the speakers seem to think that somebody else should hold the responsibility for sorting out security. And perhaps echoing the point made by Anne from the OECD, I think this is a shared responsibility in which each actor has a part to play.
I think there is a role for best practice sharing.
As the Internet is a new, emerging issue, people are doing what they can on the grounds to combat issues as they come up. And sometimes solutions will be formulated by industry. So, for example, our "Best-Practice Challenge," which we did this year, highlighted the example of Barclays Bank PinSentry, which has been very effective in combating phishing and has also been adopted in South Africa and in Turkey. This is an example of how developing best practices can actually helping. It doesn't solve everything, but if people can do their bit to take responsibility for what they can see and what they can affect, I think that this is a good model.
>>JONATHAN CHARLES: Yeah, perhaps I'm a Barclay's customer and it's an excellent security tool that's made a big difference. Lady over there in the blacktop, we'll get you a microphone. If you can say who you are.
>>LIESYL FRANZ: Good afternoon. My name is Liesyl Franz, and I'm with the Information Technology Association of America.
I'd like to build upon Emily's remarks and say perhaps the question isn't who is responsible, but what are the roles that the various players have in securing greater cybersecurity for the users, whether they be individuals or companies or governments, because all three we do have to recognize that those are the three various types of users.
So what are the roles of each of those constituencies in protecting their part of cyberspace, whether it's something that they provide to others or whether it's something they -- is determined by how they use the Internet, whether it's for citizens' services, whether it's for their own social and individual consumerism, or whether it's for their business operations.
So I think that -- really, what are the respective roles is really the question.
So government normally has a coordinating role or a law enforcement role or an intelligence-gathering role. And industry has a role in developing what the tools and solutions and services are for their clients or customers. And it is basically that innovation and that provision is something that we definitely need to preserve in any of the efforts that we take or we wouldn't have the services that people are using.
Productivity, efficiency, that's all part of the program that needs to be preserved as well.
One thing that we have talked a little bit about is the responsibilities of the users, whether it's an individual. And that social behavior is something that, unfortunately, some malicious actors do take advantage of. So providing educational opportunities for people to understand how to behave on the Internet, like the poor gentleman who thought that he was going to make a million from the Nigerian -- presumably a Nigerian Internet scam. That's very difficult, because it is such a widespread user base. But it is an important aspect as well.
So what are the various roles? And then, importantly, how do those players interact to be able to address the spectrum of Internet use, then the various aspects of cybersecurity from prevention, detection, when there's a problem, to, when something actually does happen, how you manage that incident, and then how you prosecute the malicious actor. So each player has a role to play. And in interaction, integration with the others.
>>JONATHAN CHARLES: Okay.
>>:Thank you.
>>STEPHEN LAU: Stephen Lau, Hong Kong. I just wanted to pick up a point, is, if we are talking about a law enforcement issue, and even though it is a multistakeholders, as mentioned early on, I, as a citizen, will look for leadership somewhere. And for law enforcement issue, if I cannot turn to my government and ask for help, then I think it will be very sad for any particular occasion or jurisdiction.
Now, the problems that are very complex is the border, multiple stakeholders and all that. But I like to feel that the government has a very important leadership role in terms of responding to the citizens' law enforcement issues.
>>JONATHAN CHARLES: Do you feel the governments recognize that now?
>>STEPHEN LAU: Oh, heck, yes.
>>JONATHAN CHARLES: With any capability, though, as opposed to feeling it with impotence?
>>STEPHEN LAU: Are we talking about -- first, are we talking about leadership, are we talking about sort of as a law-abiding issue, I think government has a role to play.
Now, how do we actually enforce, how do we solve a crime, how do we accord, now, that's a separate, separate issue. And to follow on that, I hope later on we can discuss an issue.
This morning, we were talking about an incident reporting, incident investigation, it's very complex, transborder, cross border, and multiple roles and all that.
Now, I am here to learn. I like to listen to experts who have been involved in investigating law enforcement of cybercrime.
The strength of any endeavor is as strong or as weak as its weakest link.
From your experience, from those who are the experts, could someone tell me from their experience where is the weakest link? And if we know that, we can then address it.
>>JONATHAN CHARLES: Okay. If someone knows that, that would be very good and they can stand up.
I think there was a lady there in the green who would like to say something.
>> Thank you. My name is Manjima. I am an independent consultant. Right now I am here with the APC.
I actually like the word that this lady used which is how the governments respond rather than enforce.
As a user, I would like to know if I face a situation of cyber stalking or cyber harassment, where do I go? Who do I report to? What are the channels I have? Do I go to my local police station? Is there a special department? Are they online? Is there a number?
Moreover, what is the process? What is the procedure that will be followed?
My point is basically that other than regional sharing of best practices and online activity, off-line are governments prepared with a system, a mechanism, an infrastructure, do they have the expertise, the people to respond to these situations?
>>JONATHAN CHARLES: Okay.
That's an interesting one, isn't T it is the question of definition as to where criminality lies and where responsibility lies.
I will give you a quick example before we go on to many other people who want to comment.
I had an e-mail the other day from a social network that I belong to, Linked in, and it was a message sent to my personal e-mail from somebody who left a message for me on Linked in and this person wrote on Linked in, they put their name and they said, "We used to date in Spain before you got married." And they then went on to say, "However, I now understand you have married X and you have children X and Y."
I had never heard of this person before. I have certainly never dated anyone in Spain.
But they had somehow exploited the whole Internet resources to find out a lot about me.
They had found out the name of the person I had married. They found out the name of my children.
They had -- And then I put two and two together, and someone alerted me a few months ago to the fact someone was asking a question on Yahoo! questions, do you know the names of Jonathan Charles' children?
So people have done a lot of research.
Now, is that a crime? No. Or it might be.
Is it a cybersecurity breach? Certainly.
And there's a real gray area, isn't there, in all these issues.
And what to do about it and how to proceed on these issues.
Gentleman there, yes, with the microphone.
No translation).
>> My name is (saying name). I come from China Internet association. I am a Secretary-General of the association.
I would like to utter the Chinese voice. Concerning the issue of security, I fully agree with the idea that multiple stakeholders -- that is the government, civil organizations, companies and users -- should jointly share responsibility in resolving a problem. For example, the government in resolving cybersecurity issue, it should stipulate the rules.
Well, for enterprises it should deal with the technical issues concerning the infrastructure establishment. And concerning several organizations, their focus should be on coordination and communication. Of course, for users, they should have some ability to defend themselves.
And in China, concerning anti-spam issues, inspired by the forum starting from 2006, we initiated a multistakeholder initiative.
In the first place, our association did something concerning this Spam issue. For example, we asked the enterprises to strengthen their management of the issue and relevant rules and regulations were promulgated.
In March 2006, the government issued a law concerning this issue, which specified what is computer Spam, which in a way tells the society that this is something that violates the rights of citizens.
In this process we also organized enterprises and produced a black list, revelation of people who are involved in these kind of activities, and furthermore, in order to help the enterprises to deal with the issue, we have established a technical and other ways to identify these problems.
This is to ensure a smooth operation of e-mail service.
Also, we did a lot of -- issued a lot of cards to tell people how to identify the Spams and how to deal with them.
On the part of the enterprises, they have improved the training concerning operators up to about 1,000 people.
And starting from 2006 to 2008, in the course of two years, China's Spam constitutes about 20% of the world's total, and by the year 2007 it accounts for about 5% of the total volume. We can see it is a rather dramatic reduction.
This is a result done by SOFY (phonetic), a famous company in the U.K.
I want to share that a multistakeholder, joint action is very important. Of course there are other issues to resolve concerning cybersecurity, like concerning a lot of technical issues, like Bet Net which affects people's confidence in cyber.
This is a focal point of where we should work. And this is will show that in the future the forum might establish a kind of mechanism to coordinate our efforts in this area in the future, to establish rules concerning the black list, concerning the share of the responsibility, and concerning our joint action in this area.
I believe this is the next direction we should go so as to give substantive progress in our work in this field.
>>JONATHAN CHARLES: Thank you very much, indeed. We will discuss what the IGF might do a little later on.
Before we take even more of your comments from the floor, I think Everton wants to have another word.
>>EVERTON LUCERO: Thank you, Jonathan.
The more we hear, the more it gets clearer to us that no solution fits all; that this is a huge, complex issue. And that it has to be taken on broadly environment, with all the stakeholders, and also with shared responsibilities.
But perhaps we could, to guide the debate, think of two -- of a first division of possible issues to be taken, and on short term and long term.
On the short term, we have seen the challenges to law enforcement at national jurisdictions because today, as we all know, it is only governments that are able to enforce the laws in their own jurisdiction, as we don't have a global one.
And so that's one, a first set of issues that we need to address. How to overcome these challenges to law enforcement.
But we also need to think on the long run. And we have said from the beginning, we have heard from the beginning suggestions regarding education, related to education. And I think we could explore also a little bit, in the long run, shouldn't we work better on how to evolve, how to have quality education? And now I remember Mr. Abdul Khan from UNESCO this morning, he also mentioned that education was one of the pillars of the knowledge society.
By the way, I know that most of the panelists of the morning session are present, and perhaps eventually you could ask them to contribute and further develop their ideas in light of the comments that were made.
Thank you.
>>JONATHAN CHARLES: Natasha, is there anything that strikes you from the past few minutes?
>>NATASHA PRIMO: I would just add that maybe one of the ways to take the debate a little bit further, and picking up on some of the ideas around the responsibilities of industry, for example, is to explore how, currently, the different industry players are pursuing a secure Internet agenda while also holding in balance other rights, rights to privacy, free flow of information.
>>JONATHAN CHARLES: Yeah.
Let's bear in mind as we go on to further comments, let's bear in mind the last comments of Natasha, because we are all very keen, aren't we, to protect our rights and our privacy on the Internet.
And one thing we ought to be considering, and I ask you to consider this, is where does the balance lie between our personal privacy, our personal rights, and the need for cybersecurity?
Because in some ways, there is a tension between improving cybersecurity and continuing to protect our own personal privacy.
It would all be a lot easier, wouldn't it, if we all had to register to go on the Internet and say who we were. That would make fighting crime much easier.
It is the difficulty of identifying people on the Internet which makes it easier for crime.
Let's have more of your comments. Have a think about that, have a think about this question of where does the balance lie between privacy and fighting cybersecurity.
Before we take more questions from the floor, have we heard from any of our remote access commentators, people watching who want to comment?
Is there any comment from the remote access hubs on what we have been discussing?
He not yet.
Okay. More questions from the floor.
A gentleman here has been waiting a very long time.
If you could identify yourself so we know who you are.
>> Thank, Jonathan. I will speak in French.
My name is Jean-Jacques M. from Gabon, and I am a specialist in the area of ICT.
I work in Geneva.
Now, before defining the private and the public as far as developing countries are concerned, I would like to start by referring to some of the presentations of this morning and get to the specific with regard to cooperation.
Everybody talks about cooperation. What do they mean by cooperation? And what does it mean doing?
Everyone talks about it, the weakest link, but I think the weakest link is the poorest areas in developing countries, and all clients there are going to be using resources, existing resources will be used in order for crimes to be committed.
So -- or to do something bad.
To refer to what was said earlier, this agenda which has been set up is fine. It's an excellent initiative. What we would like to hear now is what are organizations doing with regard to a specific agenda for cybersecurity. What's being done outside of these seminars for child security? UNESCO is doing something to help teachers who work with children in school, but what's Interpol doing in terms of the police? But what we are doing right here is setting up a coalition of networks, but we don't really know what the police are doing, for example.
So we have to work on security from the outset, and we have to work on resolving the problem.
We need to stop and think about these networks. What are the people outside the networks doing?
It's not today that we're going to invent something, but the universities involved in research, private laboratories are here, so we need to start the initiative again, pick up new tools. We talk about a lot of problems, but from the very outset, we need to put the security problem on the table. And then as the OECD said, the developed countries are working in different common economic areas and they can harmonize, they can pass legislation. But that's not going to stop cybercrime and promote security just because there's a law on the books.
Just because you have laws doesn't mean that you are going to stop cybercrime or promote security. But from the very beginning, you need to provide all kinds of different pillars of support. You need to provide law enforcement and legislative support.
So laws without law enforcement doesn't do very much good.
So you need to have training, then, for people involved in the legal system, so that law enforcement can take place appropriately.
Now we're asking people to be involved in these networks. We are trying to set up police for the network, but they have to be trained. It's a very specialized kind of knowledge that's required in order to provide policing of the networks.
Now we have the ITU has done this for the global agenda, but once this is done, you have to go one step further. As you said, you have to know what is the difference is between the public and the private. You have to discern the dinners.
Now you have talked about the Internet, but information is out there. It exists somewhere.
Once the information is published, it's out there.
Now, the person who is farming land is Gabon, in my country, is going to get a computer because he is told, well, with this computer you are going to be able to produce more bananas and more corn and he has to pay for that, 1,500 French CFAFs and he will spend 45 minutes cleaning up Spam and he doesn't even know what it is, so he is basically wasting money.
And then we are going to come and tell him that this is going to facilitate his trade or help him make a living? I don't know; it's sort of an unending cycle.
So the industrial business sector has to find technologies and solutions in terms of technologies.
And others have to stop cybercrime and promote cybersecurity.
Everybody has to work together: The users, those responsible for law enforcement, the technology producers. We have to work together, set up a network and have a collective effort to stop this.
Thank you.
>>JONATHAN CHARLES: The lady in front of you.
>> My name is (saying name), and I am from the association for progressive communications.
I would like to respond to the definition of cybersecurity, and offer a different -- maybe a different definition that has not come up. And also the issue of the balance and harmonization.
And I want to give you three examples where it does show that in some cases, while we talk of harmonization or we talk of different stakeholders, law enforcement, in some cases the law enforcers, in fact, may not be the best option.
For example, access to information. In situations where access to information is difficult, where there is political repression, for example, or where women are not able to access information in their countries but they are able to access information that is not allowed in their countries, now how do you -- is that part of what we are discussing here in relation to cybercrime?
In this instance, the person can be liable because of the loss of the national laws. But we were talking about earlier in the morning, for example, is that that does then is not -- contravenes freedom of expression.
My thinking is that we have an opportunity here to, in fact, use this to say that how do we use that to look at freedom of expression, expand freedom of expression because in places where that's not -- it's not all equal is, what I am saying, in terms of national laws that are in place. In some cases, it's repressive, and in some cases it is not allowed.
For example, people who use the Internet to network. People of different sexual orientation, who use the Internet to talk to each other. And what happens to them? They are persecuted because the laws in the country does not allow that.
Now, where does that fall in? How do we respond to that?
This is the only place that it's safe for them, where they find expression, where they are able to exercise their rights.
And they are exercising their rights in this space, and they are looking to international laws, they are looking at rights, international rights.
So where does that fall in in this discussion.
So in some cases, in fact, it's national governments and national laws that are repressive and are not helping.
>>JONATHAN CHARLES: All right. Let's put that idea out there.
There is the balance, isn't there? It is possible in tackling cybercrime that we are going to restrict our freedom of expression.
So where does the balance lie there? And how do you protect freedom of expression at the same time as you are tackling cybersecurity? I will come to Marilyn in a minute. Gentleman there first.
And then Marilyn.
>>CASPER BOWDEN: Casper Bowden, chief privacy advisor for Microsoft in Europe.
I just wanted to address your question of the balance between cybersecurity and privacy.
It might seem obvious that this should be conceptualized as a question of balance and trading off one area against another, but this isn't necessarily so.
There are opportunities now with new cryptographic technologies to actually distinguish between the concept of identifying somebody and authenticating somebody to access a particular Internet resource.
The opportunity this creates is, in certain areas, to actually improve both privacy and cybersecurity.
It isn't necessarily a zero sum game.
And, in fact, I would --
>>JONATHAN CHARLES: Good to have an example. That's an interesting point. How?
>>CASPER BOWDEN: For example, in many situations that we have discussed over the past few days, we considered the question of child protection. But also, the preservation of freedom of expression for adults.
So the test is can you find a way of checking somebody's age? But on the other hand, actually distributing somebody's date of birth, that's extremely identifying information. It actually virtually identifies you in many circumstances.
So using some of these new technologies which I have referred to, and to give a plug, will be discussed further at a workshop tomorrow, 9:00 a.m., using these new technologies you can actually create a proveable assertion that somebody is over 21 or that they are under certain years of age.
Without allowing as it were the specific individual to be identified.
Now, these techniques are not perfect. In other words, there will always be real-world leaks and loopholes.
But using that idea of essentially proving one's membership of a group that is entitled to access some resource, but without necessarily specifically identifying the individual, I think we can make great improvements in both privacy and cybersecurity at the same time.
>>JONATHAN CHARLES: All right. Just to clarify that, though, they would presumably be identifiable to someone, the person who is verifying their age.
>>CASPER BOWDEN: Nope, not necessarily.
>>JONATHAN CHARLES: Okay. Right.
Marilyn, sorry, I promised you. I know who you are, but identify yourself to everyone else when you get a microphone.
>>MARILYN CADE: My name is Marilyn Cade. I am a private consult and have been involved in Internet governance issues now for some time.
I want to just comment on, if I might expand the definition of the debate we are focusing on by saying that, in my view, it isn't just balancing privacy and cybersecurity, but also balancing openness, balancing -- so we've talked a bit about freedom of information. But I think the issue of openness of the Internet, openness of the architecture of the Internet, that includes all those concepts that I think involve the ability of the individual to access information and resources they're interested in and also to be able to do so based on a choice they make. When they do that, they are in fact often putting themselves at risk.
And so I'd like to sort of expand the debate to say, you know, it's not just privacy or freedom of information, but also openness. And will we be driven by fear and by views that the perils of the Internet are so great that we are willing to sacrifice major benefits of this commitment to openness on the Internet? And that -- earlier, when you said what's your greatest fear, that's my greatest fear, because being afraid holds people back. Being naive keeps people at risk.
So I'll just say one final thing. I think that -- and I said this before in a conversation that you and I had -- the greatest single threat to the Internet today is the user. The greatest single hope for the Internet is the user. But we have an uninformed user population. And we're about to add to it. We're about to add millions to billions of mobile users who are very used to a different environment and one where somebody else makes a lot of decisions for them.
>>JONATHAN CHARLES: So we're coming back to our education argument, aren't we, the need to educate. I think we'll look at that in a bit nor more detail in a few more minutes, because it's worth identifying in a minute. Alun Michael in a minute. Gentleman here and gentleman there. If you could identify yourself.
>>:First, I'm rather confused, because all the questions are being put at the same time, and it seems to me that there are some things that are working. Others work less well. And you approach things differently depending on one's perspective.
I would say that what works well -- and we could identify that. We did this morning -- the CERTs. They cooperate quite well amongst themselves, brilliantly. And they work in an anticipated manner.
You can also think of Interpol, which works well as well, in the area of protection against child pornography. And there are other areas of successful cooperation as well. So we've identified a number of different players that work successfully.
And as the OECD representative was saying earlier, states also have an important role to play.
I'm rather astonished that there's so little reference to the conference of the Council of Europe on cybercrime. It was, however, signed by Canada, the United States, and Australia, in addition to the European countries. This convention was signed. Now, that doesn't mean it was ratified. The problem of ratification always supposes that states assume responsibility for what they're doing.
But, still, here, we're dealing with cybercrime in terms of the definition provided by the Council of Europe. So that's the state role.
But I should say that in a forum like this one, what would be important, internationally speaking, would be for us to recognize the fact that there are tensions amongst us. Although they may not be crimes in and of themselves, phishing or other kinds of profiling, they're still -- even if they're not crimes, there's disagreement about them internationally. There are very different points of view from one country to another with regard to these ideas, phishing or profiling. And then there's the issue of spam, which is something that weighs down the Internet, but it continues to exist. And the same could be said with profiling. There's an upside and a downside.
Clearly, the Europeans have directives in place. But we also know how hard it is to obtain an agreement on travel safe harbor principles with the United States. And, in fact, as soon as Pr