Cyber security – cleaning-up businesses and infrastructures – PL 02 2011

From EuroDIG Wiki
Revision as of 13:56, 19 November 2020 by Eurodigwiki-edit (talk | contribs) (Created page with "31 May 2011 | 9:00–10:30 <br /> '''Programme overview 2011'''<br /><br /> == Session teaser == Starting with discussion on the differences betwe...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

31 May 2011 | 9:00–10:30
Programme overview 2011

Session teaser

Starting with discussion on the differences between cyber-security and cybercrime, the aim of this plenary is to address Internet security issues affecting small to medium size businesses and critical infrastructures, in particular in dealing with attacks and other incidents. Mindful of the different layers of security at the levels of content, applications, and infrasructure, discussions will culminate in reflections on how/what measures are needed to make the Internet a safer place.

People

Key Participants

  • Marie Georges, Council of Europe
  • But Klaasen, National Counter Terrorism Bureau
  • Luis Magalhães, Knowledge Society Agency, Ministry of Science, Technology and Higher Education
  • Yuliya Morenets, Together Against Cybercrime
  • Branko Stamenković, Republic Public Prosecutor’s Office of Serbia
  • Pedro Veiga, University of Lisbon
  • Rolf Weber, University of Zurich

Co-moderators

  • Denis Coragić, Security and Defence Committee at the National Assembly of the Republic of Serbia
  • Ton van Gessel, Microsoft

Session report

Cyber security is a major concern, in particular noting the increasing abuse and threats that occur via the net. Different regulatory levels are concerned by these challenges. The resilience of Infrastructure was considered important for preventing DoS attacks and preparing response teams (CERTs), implementing DNSSec, and sharing knowledge on best practices for prevention and responses. That said, security concerns cannot be confined and delegated to technical and expert communities. Increasing awareness among decision-makers and users is also indispensable.

Awareness of the needs and ways to enhance security should be improved among policy makers, users, teachers, and parents alike. The need to empower them to protect themselves/their own PCs was underlined.

There was broad agreement that increased responsibility and capacity building among various user groups are key factors for timely security standards. Training programmes should include interprofessional communication (authorities, business, users, media) as well as multi-disciplinary approaches (infrastructure, legal, economic, social, educational and cultural aspects). Knowledge exchange, experience transfer and learning from each other should be broadly promoted.

There was broad consent that security issues and fighting cybercrime cannot just be delegated to the governmental or regulatory level in democratic and open societies. Closer cooperation between all stakeholders and various actors and user groups was stressed with better reconciliation between freedom and openness plus security requirements. Participants expressed concerns about vested economic/business interests in relation to the protection of public interest on the Internet. Governments and regulatory authorities have a special responsibility to make sure that economic interests do not superpose or undermine public interest. Public institutions and media should cooperate in building trust about Internet services instead of only raising fear and unease among anxious users; a balanced review of both risks and opportunities, trust and fear, was called for. EuroDIG was seen as having the potential to facilitate this review.

Transcript

Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: +001-719-481-9835, www.captionfirst.com


This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.


>> Hello. Good morning everybody. Before we start this, our first plenary this morning, we again have to do some announcements.

So the first announcement this morning is regarding society events on IPv6. You have probably seen it on the Web site. It was shortly organized, accomplished before the start of EuroDIG. And it’s an interesting additional programme slot, and it will not happen as it was indicated on the Web site parallel to the workshops this morning. It was shifted to the afternoon. And I give now the microphone to Cris to say a bit more about it. You can still do some publicity on it.

>> CRIS: There is not much more publicity I need to do. It will be happening at 2 p.m. in parallel with the new media plenary here. It will be in theater three, which is a round table format. So we want to have a discussion. We have got some updates in terms of details, as far as how IPv6 adoption is going and what IPv4 exhaustion will mean in terms of the industry and Internet Governance. But it would be good to have people from as many sectors or stakeholder groups as we can to talk about how it will affect everyone and what this means. So yes, hopefully I’ll see some of you there.

Thank you.

>> Thanks, Cris. The second announcement is there will be a briefing of the speakers and moderators for workshop 5 immediately after this plenary in the coffee break, and this briefing will happen in the room next to the back office. If you go out here, cross the lane, there are two rooms. One is back office. There is another one, and we will meet there for speakers moderators for workshop 5.

The last announcement is a reminder regarding all sessions. I was asked by the remote moderators to remind you, when you speak, please tell your name. Remote moderators cannot see you. They otherwise don’t know who you are. Therefore, please say your name when you speak up. This was the third and last one. Thank you very much.

And I hand over now to the moderators of the first plenary this morning. Thank you.

>> DENIS CORAGIC: Good morning ladies and gentlemen. Today we will continue with the EuroDIG conference. Today we have one of the most intriguing and the most interesting topics which are related to the question of cybersecurity. And today we also have top-rated speakers on these subjects. Let me introduce them respectively.

We have a gentleman, But Klaasen, programme manager in the National Counter Terrorism Bureau from the Netherlands. We have Professor Veiga, from Portugal, of course.

We have we have Professor Rolf Weber, from the University of Zurich in Switzerland. And also to introduce my fellow colleague, Ton van Gessel, who comes from Microsoft and he is senior security advisor.

I hope that you have slept well and you are pretty eager to discuss and that you’re pretty focused and concentrated. But we will firstly start with the question of cybersecurity.

We will try to explain those concepts, and we will appreciate very much if you get involved and ask as many questions as you can.

First of all, I would like to ask our Honorable speaker, But Klaasen, from the National Counter Terrorism Bureau in the Netherlands to share his experience in cybersecurity, to explicate this concept to us, and to give some guidelines for the rest of the session. Mr. Klassen.

>> BUT KLAASEN: Thank you very much and thank you for this opportunity to it speak here in the wonderful inspiring environment of the EuroDIG conference.

It’s not an easy question you have, because, in effect, hundreds of years ago it was far more easy than it is now. We had four domains, land, sea, air and also space. And actually, cyber could be the fifth domain. All the other domains are regulated and the fifth domain brings new challenges. Cybersecurity is borderless. The legislation does not keep pace with the developments in cybersecurity. Technological innovation also affects what I would call the dark side of our society, or for digital society.

With anonymity it makes it difficult. And governments try to rule, but the Internet is owned by the private sector. So the cybersecurity is very – it’s huge. It brings challenges. And now we are talking about cybersecurity. And what is cybersecurity and what is cybercrime? That is in fact the question. Actually, I think crime is about catching criminals. And cybersecurity is a more broad term. And I would like to mention that in the Netherlands we have established cybersecurity strategies a few months ago. And this strategy consists of six pillars or six action lines.

And the first is public/private cooperation. The second is threat and risk analysis. The third is cyber resilience for infrastructures. The fourth is response capacity. And then we have number five, track and prosecute cybercriminals. And six is research and education and innovation. And this brings us to cybercrime, which is in effect one of the six pillars.

So that should be my conclusion I think. I think cybercrime is just a part of cybersecurity.

I think cybersecurity is how we can get a safe and secure cyberspace, including, and I think it’s very important, including economic development and innovation. We don’t shoot – we don’t have to fight cybercrime, track criminals and punish them as our only focus. The Internet is a wonderful world with a lot of opportunities and thus should go hand by hand. So that is the reason why in cybersecurity we also have a lot of focus on economic development, research, and innovation.

So, to conclude, I think cybersecurity could be seen as an umbrella; and cybercrime, tracking the criminal, catching them, that is one part of it. Thank you.

>> DENIS CORAGIC: Thank you very much. Ton, do you have anything to add or to comment or to ask some of the other speakers? I saw that you have the affirmative waiver. So I believe that you mostly agree with Mr. Klaasen.

>> TON van GESSEL: To be honest, I’m happy that we from Microsoft did a small adding in the – in the document that Klaasen talked about, about cybersecurity strategy. I think when you talk about cybersecurity strategy, cybersecurity issues within a country, you have to collaborate. And we have done that in the public/private partnership solution. We want to work that further more in-depth.

But I think I’m very curious about what the opinions of you guys and girls are about the approach we followed in the Netherlands. Are there some questions regarding this topic? I’m very curious.

>> DENIS CORAGIC: It’s too early I think.

>> Yes, definitely.

>> TON van GESSEL: They are not awake.

>> We will have to –

>> MODERATOR: Sorry. We have one comment.

>> AUDIENCE: Just a question.

>> MODERATOR: Please present yourself.

>> AUDIENCE: Good morning everyone.

Jaque from the law office, Belgrade. I would really like to hear from Mr. Klaasen some statistical data. Like how many people have you caught and how many people have you convicted? Please. I need that info for my clients.

Thank you.

>> BUT KLAASEN: You’re talking about the Netherlands, Europe, worldwide? And that’s a problem because a criminal in Brazil can do a lot of bad things in the Netherlands and has a server in Germany or here in Belgrade, whatever.

So it’s very difficult to get reliable statistics. Actually, I think, we are missing those metrics. It’s not that we are guessing, because we are seeing a lot of cyberattacks. We are seeing a lot of misuse of the Internet. But we don’t have really reliable statistics.

We do have trends. We are every year our computer response team in the Netherlands makes research about the new topics, situations, new threats that are raising, and they are describing it. It’s more in a qualitative way, not so much quantitative.

That gives us insight. But we don’t have actually the hard figures. And I’m very curious if there is any council in the world who does have them.

>> MODERATOR: Professor, sorry, you have anymore questions?

>> AUDIENCE: Being aware of that, I just wanted to know how many convictions did you have, for instance, last year? That is hard data you can give me. Right? Or you can’t?

>> BUT KLAASEN: Yes, but not from my head. I have to look it up.

>> MODERATOR: Okay. We concluded that the principle is the most important of the issues and not the statistical data. But that is very good.

Could you please give some developments and experiences from Portugal. How actually do you approach those problems and to those institutional solutions and architecture actually in your country?

>> PEDRO VEIGA: Okay. Good morning. The problem of cybersecurity as my panel colleague mentioned deals with the safe, secure environment. But I want to add another dimension because it’s one that I’m concerned about is the resilience of the infrastructure. We need that infrastructure operating all the time on a 24-hour, 7 day basis, despite the existence of criminals and some other problems.

And I am following the work that the European Commission did on critical information for cyberprotection. And this is very important for me since I ran the top level domain for Portugal, and that is an infrastructure that we need in permanent operation.

But coming back, this has been done. The critical infrastructures for cyber, to keep cybersecurity space safe, the work has been done. It’s been identified as a cross-border thing. They are critical Internet exchanges. It’s another critical structure. The root of the DNSSEC as a worldwide richness, so we cannot in Europe. We have the top level domain servers, and then we have some resources. And also some of the ones that I mention are in the possession or in the management of the private sector, as specific routers that are critical for the protection of the Internet. Public and private sectors. All the infrastructures are very critical concerning the top level domain of Portugal, and what I will say can for sure be replicated in all the other countries. It’s a critical infrastructure. As in many areas of security, it relies on good technology, good practices of staff, and also cooperation.

And I would like to mention this area of cooperation. Cooperation is very critical. We work in a very diverse but distributed infrastructure. For example, we have two main servers that we operate in Portugal. Our primary server and the secondary server, located in different places in the country. But we cooperate with many other countries in the world. For example, we have other named servers in other continents, in cooperation with Brazil, for example.

We operate in Portugal, two replicas of two of the 13 route server, so it’s for a more resilient and secure infrastructure. And we cooperate with other countries because we are a target of a lot of attacks, as in the DDOS attacks, and so on.

And for these, we operate a Cert. Our Cert is affiliated with the incident response teams. And it’s through this cooperation where we need to interact with people with more expertise or expertise in some specific areas that we don’t have. But also, when we have incidents, we can interact with them in a secure and reliable and trustful way, so that we keep our infrastructures working. And this is one of the dimensions of cybersecurity that I would like to mention.

Just one more minute to talk about the NSA. We were one of the first TLEs to implement that. Our user bse is not aware of the benefits and also the difficulties in implementing that. SMEs, and this is something that maybe my colleague will then have, DNSSEC, the technology is there, but there is a lack of knowledge of Internet users, the companies, about the use and benefits that they can get. So there is a big need to make campaigns, to make users aware of the threats and the security measures that exist on the Internet.

Thank you very much.

>> DENIS CORAGIC: Ton, would you like to emphasize something?

>> TON van GESSEL: I think to be honest that Pedro has a point. When you talk about security, you have, like in real life, also, normal companies.

I have trouble with the microphones. How is this one?

>> Now it’s okay.

>> TON van GESSEL: Pedro is right. I think we need to emphasize on DNSSEC within Small and Medium Enterprises, but also large companies, because that will enhance the security also.

Another issue, I think, is also that I think when we – when I made the small bridge to Yuliya, Yuliya, you would have something to remark about as a small, medium enterprises, about their way they see security and some other security related issues.

>> YULIYA MORENETS: Thank you so much. I’m from the Together Against Cybercrime. I’ll use this opportunity to speak in French.

I wanted to draw your attention to this problem of SMEs and online cybersecurity. If we look at the problem of SMEs now, why SMEs are faced with such a problem, I believe that many SMEs do not acknowledge and recognize the problem. They think they are not affected by this problem and they don’t know how to solve this problem using online resources. They don’t know where to go or what to do.

And they believe they can solve the problem in a positive manner very often, and that is seen in the field in our work in the field. We have worked with many SMEs in the past, and they very often feel that they don’t have strategic data in their own systems.

A week ago, for instance, I spoke with a lawyer and I said to her, because we spoke about cybersecurity, I asked how she managed resources online and what were her ways of securing online data. And she said listen, I’m a lawyer. I have a lawyer’s office, and there are many of us in my office, and who is interested in our data? We do not have any strategic data here. So why should we invest in systems to secure our data? And I said this is very important, because you have files with personal data which can have an impact on the individual for whom you work. And you have strategic data on trials, for instance, and courts’ judgments.

So this is called strategic data. So some people might want to know about this data.

This is the kind of attitude we’re faced with. SMEs very often do not have the right resources or the knowledge. They don’t know how to solve the problem, basically. And I’d like to look at the problem from a general angle. We have a great number, in France at least, a great number of tools available, and publications. But there is no harmonized approach. A region in France has developed something for SMEs, another region has developed something for other SMEs. But there is no holistic approach or comprehensive approach to deal with this problem of SMEs. And we should cooperate – law enforcement agencies should cooperate with SMEs, amongst others.

And I’d like to give you another example. A company that hosts a site in France, they had a problem with their server. And the clients offer this company or SMEs, mainly, and for a few days, attachments that were sent to their clients did not actually reach the clients. They were lost in the cyberspace and all documents and attachments included strategic and confidential data. What is interesting here on their site there was no information on the problem. So they were faced with a major problem but there was no transparency regarding the problem they were faced with on their server. They were not saying anything at all on the timing to solve the problem. And when we called them, when we called the hot line, they said we are going to solve the problem. And we asked the question where were the attachments lost? They said anywhere on the cyberspace.

So I was just wondering, I was asking myself a question, and that is a question which was asked by many SMEs, how should we go about solving the problem? Who is in charge? How could we get strategic documents back? If the clients are lawyers they are SMEs, they have innovations, they have licenses, but how can they get confidential documents back? And once they have solved the server problem, not all attachments reach their clients.

So I’d like to open the debate now. One action plan would be to make sure that SMEs participate in the debate. Remote participation could be used. They could be invited to take part in the local hub. We should show that we are concerned and we should make sure that SMEs are heard. When we organize a debate, local authorities are very important. They should also cooperate. Professional unions of SMEs should also take part in the debate.

I would like to share an initiative that has been developed in the east of France with local and regional authorities and professional unions as well as SMEs. And that is the creation of an excellence center for SMEs, which would be a center to support them and provide advice and help them out.

Thank you very much.

>> MODERATOR: Thank you very much. You’ve intrigued us with some of the most essential topics on this issue. I would like to transfer the floor to Mr. Klaasen to show his view on those particular issues.

>> BUT KLAASEN: Well, I think that Yuliya touches a very interesting point. The fact that she shared the SMEs, which is in france PMEs, I suppose, they don’t recognize the problem and they don’t know how to handle and they are asking who is responsible.

And, actually, if you admit it, I would like to ask a question.

>> MODERATOR: Of course.

>> BUT KLAASEN: And the question, if there is a responsibility for government, for the governments in these issues.

>> YULIYA MORENETS: I think we have the responsibility of governments, but also of local authorities. Because we have them at local level, the work – well, with the clients, the local level. But some of them are European or the international level. It’s very important to, of course, involve them in the resolution of the problem, governments, but also local authorities. I think it’s very important.

For example, I can give you an example. This day, today, they have in France, it’s a French German border, and we don’t have a big number of representatives of local authorities present in the room. We have PMEs, or SMEs, sorry, we have the representatives of the seal society, of the national authorities, but we don’t have a big number of representatives of local authorities, which I think we have to involve.

Maybe we have to speak more at the European level concerning this problem and to say to them: You are involved. You are very important here. You have to help to assist these SMEs.

>> MODERATOR: Questions or remarks from the audience?

>> AUDIENCE: Thank you. I’m here as part of the British Computer Society team. But I’d like to speak on something else.

Within the UK we have a chapter of the American ISSA, the Information System Security Association. And that chapter addressed this exact same problem some two and a bit years ago. And we created a sub group called the Information Security Awareness Forum. That forum does not aim to actually go out and inform people. What it aims to do is to coordinate across a number of groups. At the moment I think we have about 25 groups, including the British Computer Society, including the ISC squared company, who do the certification. You have a whole raft of them.

You have a number of groups that are looking at again – we have an initiative up in the Yorkshire area doing exactly the same as the east of France, bringing excellence to the SME community.

And it is probably – it would be a good idea if we actually took that international. Obviously France is addressing it. And it would be good for the ISSA and ICAF to actually reach out. Because we have a common problem and the problem is that many people – and it’s not just the SMEs. You go up into the bigger companies, and the senior people don’t get it. And the big problem is that we as security professionals often are not talking the same language.

>> MODERATOR: I follow you. Thank you so much for your remark.

We have one more question over here. Yes, sir?

>> AUDIENCE: Thank you. Mike Silver.

I have a concern and it’s one that certainly I share and I think that awareness raising is absolutely imperative. At the same time when an SME or any business owner goes to the bank, the bank has a responsibility for securing its premises. But when somebody walks out of the bank carrying a large sum of cash, the bank’s responsibility ends there.

I think it would be very useful for banks to make its customers aware of security concerns, and obviously there are more effective and efficient ways of doing business, in transfers or otherwise, instead of walking around with a big wad of cash. At the same time it’s ultimately the customer’s responsibility. If the customer is walking around with highly confidential documents or very valuable personal documents, birth certificates, passports, identity documents in their briefcase, it’s their responsibility if they get on a train or bus to keep that briefcase secure. It’s not the train operator or the bus operator’s responsibility to do that.

And I think the critical thing here is to remind people that simply because they’re dealing in an online world doesn’t absolve them of all responsibilities that now they can transfer that to some higher power just simply because they’re in a nonphysical world compared to the standard physical world that we live in.

I suppose the challenge being people are more used to securing things in the physical world and they don’t always do a good job of it. But certainly in the nonphysical world they are not used to it and oftentimes they don’t know how to go about it.

>> MODERATOR: Thank you very much.

We have one more question from the gentleman in the fifth row.

>> AUDIENCE: And I have one by myself.

>> MODERATOR: Okay. Here we go.

>> AUDIENCE: Jose from IGF. You have spoken of the importance of the surveys, and also to have the expertise people. Are you referring to physical servers?

Then my question is what is your feeling about the B to B server and what is the situation about the standard? Do you want to use the data from one server to another?

>> MODERATOR: Pedro, can you have an answer on this one?

>> PEDRO VEIGA: Okay. I suppose you have the same problems with virtual servers, implementation technology. But, of course, there are many challenges. But we agree in the table that we will not go to cloud computing, not in this session, but there are a lot of concerns related to the infrastructures.

And maybe in my presentation that was focused, one of my areas of expertise, as the operator of TLD, it was related to the infrastructure. But I am concerned also with the periphery. We have Internet work. We have the core, and we have the periphery where we have SMEs. And this is a big problem.

And I would like to mention that in Europe we have the European Information and Network Security Agency. One of the moderators participated in one of those reports.

The problem is awareness raising, because those reports do not arrive to companies and they don’t put into practice the good practices included in those documents.

And when we talk about the physical and the virtual world, we forget sometimes, for example, for company, devices like this. This is a pen drive with the capacity of 8 gigabytes. One of my staff members, if I don’t have good security measures, can take my customer base and sell it to the competition or can do industrial transfers of information, take drawings of new devices, new ADM data devices or something like that. So we are in a very complex world. And we have – we need to have security in the infrastructure, to have a resilient safe infrastructure. But we also must take care of the periphery.

For example, concerning DOS attacks, many of them come from computers that have been infected by Trojans and then they are treated to make attacks. So this is a very complex problem and awareness raising is very critical.

There is a lack of expertise and also a lack of technicians. We don’t have enough people knowing how to deal with these issues in the amount that we would need.

>> MODERATOR: Thank you very much.

>> BUT KLAASEN: If you would like, I would like to comment on the previous speaker telling about the bank and the awareness responsibility.

I think, in fact, one of the biggest problems we are challenging is that if every company or every government stops its responsibility within its own – within its house, shall I say it that way, most problems don’t have an owner. So I think it’s very important to cross the line, to look where we have shared problems, and try to solve them in a shared way.

And I want to mention one example in the Netherlands. Actually, in world banks, we started an awareness campaign. They started the campaign on television, radio spots on the Internet, about how to secure your password, et cetera. This was not really their responsibility, but they felt it because they – I think that they just crossed the line and took a responsibility for more than just their ordinary business and more as a social problem that we have all to live in a secure Internet.

And I think that’s a very good thing and I wanted to mention this.

>> MODERATOR: Thank you. We have one more question.

>> AUDIENCE: Well, thank you. My name is Luis. Well, we heard about DNSSEC and its adoption. It’s being adopted by a lot of entities, even though there is this difficulty of how the overall users use it.

But we also know that beginning in January 2010 launched a routing security system, which at least when you are about it, seems to be quite useful from the point of view of also introducing a little bit more security into the system. And I’d like to know from the people in the panel what they can say about the implementation of the system and what they think about its usefulness.

Thank you.

>> MODERATOR: Pedro, you have the floor. Pedro, you can answer? But I have a question still waiting in the queue.

>> There you go. Wait to ask.

>> MODERATOR: Wait after Pedro.

>> PEDRO VEIGA: I will make a brief statement for all the audience. Indeed, sometime ago there was perhaps a digital – basically, digitally signing the routing tables. But the deployment and full use of that needs the implementation of some technologies, but most operators are taking care of that. So I am confident. Because usually the operators of the core of the infrastructure, because it’s critical for their business, they are very much aware of the technologies and they are implementing them as fast as they can.

For example, DNSSEC, when the technology was mature, most of the registry operators started to implement them. And in the next wave of new GTLE, that is a mandatory requirement.

So also for other areas, like the one that you asked, the operators are implementing that.

And usually it’s my opinion that the operators of the core of the network, most of them are very much aware of the relevance of new technologies to have a resilient and secure infrastructure.

In my opinion, the main problem – it’s not – a big problem that we have is the periphery of the network. Because users, the technology is evolving very fast. Users are not fast enough in reacting to new evolutions. And although I do not like to jump to cybercrime, cybercriminals are fast in adopting new technologies, and this is a problem.

>> MODERATOR: Thank you very much.

Our honorable reporter has to ask something.

>> VLADIMIR: I’m Vladimir Radunovic. I have the role of reporting for this session, so I wanted to try to maybe make a summary of what we mention, and also misuse my position to ask a question.

We mentioned the importance of the strategic planning on the national level. We mentioned the resilience of the infrastructure, the role of the CERTS and response team, the importance of the knowledge and awareness, the roles and the responsibilities of SMEs. I think the two things that we mentioned the most and that the discussion is most about is awareness building on all the levels: The governments, the business and the users. And then the responsibility and clearing up where is the responsibility and where are the lines.

If I missed anything, you can add up.

My question to the panelists, and you can respond now or at the end, is what should be the next steps to go for raising this awareness in all of the three levels, government, business and the user? And where is EuroDIG in these discussions? How can we help to bring them in, to raise their awareness, to clear up the responsibilities and so on? What are the next steps?

>> YULIYA MORENETS: Thank you for the questions. Concerning the SMEs, because I will refer for today at first, I would refer to what EuroDIG can help, that’s what I said before. I think the organisation – first of all, for the SMEs, more participation possibilities. It’s a great opportunity to hear and to have the messages for SMEs from local levels but also to involve them in all of the process, and maybe to initiate debate, including the local authorities. So it’s practically good for the organisation of hubs in different countries and associating SMEs and other actors in order to speak about SME cybersecurity and the concerns and problems and ideas and propositions.

Concerning what to do next, we told you about, and as I said, we have the initiative concerning the cybersecurity center effectiveness. But it’s like a place where the SMEs can come, have this legal technical assistance, and just to exceed to these reports.

First of all, I think it’s a place for expert advice and assistance concerning knowledge –

>> MODERATOR: Exchange the information.

>> YULIYA MORENETS: Exchange the information.

>> TON van GESSEL: I’m from Microsoft and from Microsoft we also try to work together with government, with Institutes, with universities, to address this topic. So I think it’s a combined efforts.

And – go ahead?

>> YULIYA MORENETS: Just to add something, I think it could be very important to have this at a national level but also local levels. We take France, we organized the center in Paris, so it would be once again very – maybe only for Paris regions, center. It will not go to the local SMEs and bring them the information. So maybe this kind of information we can give another name to the center. It should be located at the local levels and go attach directly to the SMEs.

>> TON van GESSEL: I agree. But whether we talk about cybersecurity, regulation, we talk about companies, but we forget one thing: We forget the people itself. We forget the guys at home. We forget the parents, sometimes. Because in the real life, we say I have a few kids – I have three daughters and one foster daughter – and the point is we can say everything about cybersecurity, but we forget the source of things. We forget to address this to our kids how to secure it, and the dos and don’ts. I think that is also a cybersecurity issue.

And having said that, I think we can go a little bit also to – you have another question?

>> AUDIENCE: Yes, I have two questions, sorry.

>> MODERATOR: Mr. Jan+++++, I pass you the floor.

>> AUDIENCE: Just a brief comment from our experience related to WikiLeaks. And we followed what happened after WikiLeaks in the Ministry of Foreign Affairs. And we noticed that all ministers of Foreign Affairs took the WikiLeaks as a security challenge. They invested in cybersecurity. And if you follow also the values of the companies, cybersecurity companies after the WikiLeaks, it raised sharply.

That shows that they completely misread the message of the WikiLeaks. It wasn’t the question of cybersecurity. It was the question of internal organisation and calculated risk that the United States State Department took to increase sharing of information using the security. So, therefore, I think that idea of fear and cybersecurity is becoming dangerous, because it is blocking, it is providing good business for the cybersecurity sector, but it is not serving public interest. And I think that public institutions have to invest much more time and energy to counterbalance the cybersecurity sector, which is basically like towards creating fear.

And also media also works a lot on generating fear and the stories around fear. We have to rebuild this balance between fear and hope.

>> MODERATOR: Enable research. Yes.

>> This is a strong function for a public institution, for governments, for a regional organisation like the EU to have a discussion on cybersecurity and how to balance the risk. We cannot live in a risk free society.

>> MODERATOR: I agree. Everybody has to take responsibility in this path. You’re right.

>> MODERATOR: This was an excellent point. Gentleman, you wanted to ask a question?

>> Thank you. More of a comment than a question. Following up on my statement about banks don’t take responsibility for your money outside of the borders, and everybody made the comment – and I think absolutely correctly – that we can’t simply say well, our responsibility ends at the borders of our domain. It has to go beyond that. What I think is one of the major challenges is how we explain also to consumers, customers, businesses, whether they are large, medium or small individuals out there, that their responsibilities also go beyond their machine or their surfing habits. That the availability always on broadband Internet has led to large numbers of protected machines being up to attack of botnets that are used to have broader attacks on our institutions and computer systems.

And I think that responsibility of being a responsible online citizen needs to be drilled down, not just to business, but down to the very individual user.

There have been some initiatives in some countries, including liability, if a personal machine is used as part of a botnet, that the owner of that machine then becomes responsible potentially criminally responsible even if they are not operating the botnet work. I think that’s going too far. But at some stage we have to say you can’t simply surf obliviously. You can’t simply connect obliviously and say I don’t understand what is going on and so therefore I don’t take any responsibility. I don’t understand how the engine of my motor vehicle works in any particular detail, but that doesn’t mean that I can drive however I want and knock over pedestrians in the street. I have to take enough responsibility even without understanding the technical details to ensure my action and activities don’t have a negative impact on others.

>> MODERATOR: Thank you very much. I agree. But we can – this afternoon we have a workshop for information security also, and I would like to emphasize also that legal part of cybersecurity. Because we are discussing now the things we should do, the things we have to do, but also the legal aspect into it.

And I would like to pass my words to Rolf.

>> ROLF WEBER: Thank you very much. To be called as the last panelist has the advantages of having a broad playing field, but there is also a little bit difficulty to draft now a couple important messages and to reflect them in the legal mirror.

At the beginning, we heard some panelist saying well resilience of the infrastructure is very important or cooperation between governments and other authorities is important in critical situations. However, we should not forget that we have, at least in Europe, understanding the fact that the Internet is global, more than 40 countries. In principle these 40 countries have their own national legislations. And in order to come to a situation which would not be reflected wrong or into a situation in which the different national legislations do not interoperate with each other, there is a need to come to a higher level legislation. And I’m very happy that it was said at the beginning, cybercrime is only a part, maybe only a minor part of cybersecurity as far as cybercrime is concerned.

We do have, for example, the cybercrime convention of the Council of Europe and even nonEuropean countries have adhered to this convention.

However, of course, you have a lot of other instruments which could be of importance, such as the electronic signature directive of the European Union. And if you look at the broader scale, we need to have further instruments, as was said, for example, for economic development facilitation, et cetera. And in this context I would like to recall that the Council of Europe is also very keen on a project that looks at the integrity and the resilience of the Internet. And apart from the channel principles, which have been mentioned already yesterday, there is a project which should lead to a recommendation outlining States’ responsibilities, States’ duties and obligations to cooperate in order to avoid harm which is caused by insecure structures in order to encounter a situation which has been mentioned.

Cooperation is really working in critical situations. And they are finding also some proposals to look at responsibility in this context, to look at strategic planning, et cetera, and it could also be a contribution of EuroDIG to influence this process within the framework of the Council of Europe.

Thank you.

>> MODERATOR: Thank you very much, Professor Weber. I would like to ask something not only of you but all panelists here on this plenary. I have one question in mind, which concerns actually the most appropriate model for cooperation. And of course the problem of capacity building, of governmental institutions who actually lack the expertise of the issues.

Do you have something to share with us, to give us some general, how to say, guidelines for those models?

Professor Veiga.

>> PEDRO VEIGA: When I talked about infrastructure, I mentioned CERTS, and they are a critical resource, and they rely on cooperation of CERTS around the world, and that is very critical.

But also in the issue of awareness raising that is very important, I have the opinion that the awareness raising is a shared responsibility. It’s not only government, it’s all the actors.

Let’s go to the case of banks. They are a center of activity where they rely on trust. If the customers trust on them, they put their money there and so on. And they must contribute in specific case of banks, they must contribute to build trust on their customer base. In my country they are doing that. Whenever I go to an online banking system, sometimes it’s a bit annoying to have always the same message, stating be careful and not doing this or that. But it’s critical, because the infrastructure is becoming very complex.

But just to finalize, Governments have responsibilities. Inside the EU, the European Member States is acting, and there are already some countries that have written their cybersecurity strategies. Up to now it has been Estonia, Germany, UK, Netherlands and France that published their cybersecurity strategies, and there is a dimension on posting this information to the public.

For example, I have in front of me the French plan, where at the end they have communique to inform and convince. So, it’s a very important dimension of the cyberstrategy of countries, and I’d like that more countries – I’m proposing in my country to the Government the cybersecurity strategy. It’s my idea, together with the other actors. Because we must have some strategic dimension in our protection of our infrastructures and awareness raising to people. People in their different roles as citizen, as owners of companies, are very critical actors.

>> MODERATOR: Thank you.

>> ROLF WEBER: I have a question, of course. We don’t have the models, but we have to think how we can develop models. There are certain examples from the past, such as public/private partnership, and this is a relatively well-known model. However, I do not think that it would be easily fit into the needs of cybersecurity. On the other hand, as far as the legal structure is concerned, we should really come away from the traditional principle and develop new structures for having private enterprises involved in some kind of rule making process.

And this has been done recently, some two years ago, as far as the security firms are concerned. Well, that is very traditional on the Internet. But nevertheless it was some kind of combination between basic rules, concluded amongst the government, and additional codes of conduct to which the private corporations have adhered and have then taken over some general principles of good conduct.

>> MODERATOR: Thank you. Mr. Klaasen?

>> BUT KLAASEN: I totally agree with Mr. Weber.

The point is with a regulation, it’s always a top down process. And that’s what is bothering me, because the regulation is made by governments. And governments – well, I’m part of it. I work for the Ministry of Security and Justice, but I see it all around other governments. They are slow, they are bureaucratic, and if you compared it with the private sector, which is quick, which is where the brains about the Internet lies, this is a very difficult process I think to make top down regulation.

And, actually, yesterday we started with a new initiative, a project with Germany, UK, Belgium, Netherlands, Spain and Europe called clean IT. And the idea from this project, it focuses on how we can handle terroristic content on the Internet, terroristic activities. But the whole idea of this project is to do it another way around. To start with the private sector and to put them in the lead and let them make a recommendation for the government, and not the government for the private parties.

So, I don’t know where this project will end, this very strange project that normally you start with the result and you built your project. But we start with talking to the private sector and we will ask them how we will find solutions. And I think it’s an interesting experiment and I hope in the future to give you very interesting results from this bottom up process. Thank you.

>> MODERATOR: Thank you very much. Vlada you had a question?

>> VLADA: I am from the DiploFoundation. Between the private sector and the governments and the capacity building, on the one hand we have awareness building – which is what we have here in EuroEIG and the remotes and SMEs – so it’s planning and implementation where we need to do capacity building for institutions. And that means from our experience in the DiploFoundation, it’s important to put all the stakeholders together on the different trainings and capacity building programmes, so that you have the direct interaction between the private sector and governments and user comments and SMEs. Interprofessional communication is important.

The second thing is the couple of different areas that need to be covered in the cybersecurity. You have the engineers, which can very well act within the CERTS and other kinds of institutions and response teams.

But they might not have the awareness of the social habits or of the legal environment.

On the other hand, you have the governments that usually do have the awareness of, at some point at least, of the legal environment, what they need to do on a strategical level, but they don’t understand the infrastructure and they don’t understand what is possible or not possible to do. So in that sense all of them have to go through different layers of the Internet, when it comes to education, capacity building, when it comes to infrastructure, legal aspects, socio-cultural aspects. So I want to re-emphasize the importance of the capacity building and the multi-stakeholder when it comes to planning.

>> MODERATOR: You asked what are the next steps? One of them, continue with this EuroDIG conference, because here all the stakeholders are together I think is an excellent instrument.

>> MODERATOR: Thank you very much. Yuliya?

>> YULIYA MORENETS: I agree with my colleague when you told about – when you spoke about the responsibilities and risk. I think I agree that when we speak about safer Internet and cybersecurity, we have also to speak about responsibilities of the users, the users’ responsibilities and the respective roles, as you said. And I want to add that concerning the developed tools and documents, the Council of Europe developed great tools and especially the guide – a training guide for training for Judges and prosecutors, but also a guide for the development of public and private sector cooperations. So it exists. And if you go to the Council of Europe Web site you can find that.

>> MODERATOR: Thank you very much.

A person from the third row present yourself.

>> AUDIENCE: Hello. I’m from the Ministry of Foreign Affairs from Albania. I agree that we have to invest in the cybersecurity. But, I want to know longer term, cyberdefense, I didn’t hear it until now. Just know what they share together with cybersecurity and if it’s – what is the difference, if it’s not sharing.

>> MODERATOR: Do you want to answer this or should we part this one for the session 7, the cybercrime session this afternoon?

>> MODERATOR: Well, let’s try a short reaction and then put it to the workshop for this afternoon, if you don’t mind.

>> AUDIENCE: Very short, I think – I think if it’s cyberdefense, there are States involved. It’s about protecting your state. Also, if a state possibly is one of the attackers. The point is you never know. The kind of cyberattack, you never know who is the attacker. It can be a young guy in Brazil, sitting in a Starbucks Cafe. It can be an organized group in Africa. It can be secret service from some country. We will never know.

And that is the problem. So I think it’s a mix and it’s a very difficult discussion.

So the short answer, and I think the rest will be in the workshop this afternoon.

>> MODERATOR: Thank you very much. We are pretty active today.

Madam?

>> AUDIENCE: This is Ivana from the Council of Europe. I had a question for Mr. But Klaasen. You mentioned that there can be a viable model of private sector making recommendations or companies making recommendations to governments. What to do, actually, to ensure the resilience and stability of the Internet.

So I’m just wondering how will the definition of roles and responsibilities play out there? Who is ultimately responsible for ensuring the resilience of the Internet and who is ultimately – who ultimately will be held accountable for that?

>> MODERATOR: Thank you.

>> Actually, these are exactly the questions we will try to avoid, because if we want discussion about who is responsible for what was liable, I’m pretty sure we will never get a solution. This is such a complex field. And therefore I think we will try and approach any other way. We will try to see what do we have in common? Do we see a common problem that we have to solve on an equality way – equal way, governments and private parties on the same level? This is what we are going to try. And again, it’s a very good question. But if you will try, certainly in this project to answer that, we will never finish it I’m afraid.

>> MODERATOR: Thank you very much. Madam? You have the floor.

>> AUDIENCE: I have a question from the remote participant. Rudy from Belgium. He runs an Internet ombudsman for six years in Belgium. He asks how strong is the cross-border policy with regards to cybersecurity activities? We know that some countries have hackers and no action has been taken to take down the network of hackers, especially in Turkey.

>> MODERATOR: May I answer that one? I think – this is cybercrime related thing. It’s a very good question. Taking down of hackers and botnets and other stuff, that is a governmental thing. It’s like real life, when you are speeding, you are getting a speeding ticket. And I think when you’re on a governmental level and you do something wrong on the cyberissues, and the cyber thing, and it is – you can debate it. But I think we want to – I would like to shift this one to the workshop this afternoon about cybersecurity, if you don’t mind.

>> MODERATOR: Thank you very much. We have one more question. Mister?

>> AUDIENCE: My name is Andish from the Swedish Telecom Regulatory Authority. And I would like to comment on the model of public partnership and the cooperation mechanisms, public/private partnerships.

It was mentioned, for instance, concerning the clean IT project. And I believe this is a very, very good way to combine the knowledge among operators and ISPs with the possibilities by governments to facilitate more cooperation.

And as has been mentioned, the responsibility is shared between all different stakeholders in our societies on cybersecurity. And in my country, we have a long tradition in this cooperation mechanism and has performed over the last ten years several hundred projects in this, to create more resilience and also in crisis management. So, we are in favor for what we can say soft regulation but strong cooperation.

>> Join the party.

>> MODERATOR: Thank you very much. We have one more question from the same row.

>> AUDIENCE: I’m Rolf, the chief executive of the registry for the Dutch ccTLE.

I just want to come back to the question the lady raised and But’s reaction. I think it gets complicated when you formulate the question in the sense that who is responsible for the stability of the Internet or the availability of the Internet. Because there is not a single authority. There is not a single regulator. There is not a single technical service provider. But on the other hand, I think it’s a question, if you take it down to the different parts, that we shouldn’t try to avoid. Because it’s at the core of the whole discussion.

From my perspective, the IDN +++++ is responsible for the availability and security of the services that we provide to our customers. And we are accountable for that.

And there are other service providers that together make up the whole Internet that have the same position and have the same responsibility for their part. It’s just that there is not a whole and you have to always address the right party.

>> MODERATOR: Thank you. Professor Weber?

>> ROLF WEBER: Very shortly. I’m really glad about this intervention, because we might have – it’s like – we might have a slight conflict of opinion here on the panel. You mentioned that you wanted to avoid terms like “accountability and responsibility” by entering into this special kind of partnership. In my opinion, accountability and responsibility can never be avoided. It can just be rephrased, discussed who should be responsible and accountable for what.

And I think your approach is really appropriate. We have to identify who is indeed accountable for what.

>> MODERATOR: Thank you. Madam?

>> AUDIENCE: My name is Marie and I’m from the Center for Technology and Society in Brazil. It’s my perception that the cybersecurity agenda has been captured by other interests, the lobbies of the cultural industry, for instance. And some things of public interest, such as fighting pornography online, has been used to capture attention. But the bills that are being discussed in several countries, including Brazil, they aim at something else. We have a draft bill in Brazil in Congress now. The aim was to fight pedophile, but it’s actually a Trojan horse for something else. It criminalizes personal copies of works, for instance, that are made with no commercial purposes. It criminalizes circumventing DRM, so if you have a DRM on your iPhone, you can go to jail in Brazil.

This is something that is makes the cybersecurity agenda lose credibility.

I’d like you to comment on that. How do you see this association of the cybersecurity agenda with other interests?

>> MODERATOR: Thank you.

>> Some of the panelists – Yuliya?

>> YULIYA MORENETS: I’m not sure how to answer the question. I think the question was raised about the balance, how to find the balance between the cybersecurity measures and – and other interests, actually, in the field.

So I think one of the possibilities, it involves the difference in this debate and to discuss about – to propose solutions enough to go into actions in order to take all opinions into account.

>> MODERATOR: Thank you very much.

>> MODERATOR: But we can take this up also this afternoon in the workshop. This is cybercrime related.

>> MODERATOR: We have one more question from the first row.

>> AUDIENCE: I’m from the European Commission. Just a couple of comments. First concerning accountability responsibility and public/private partnerships. Our position, the position of the European Commission, is that PPPs or any cooperation between the public and private sector is not meant to avoid the question of who is responsible for what or accountable for what. That is not their purpose. That question as mentioned should be addressed.

The important thing from our perspective is not to be bogged down into legal analysis with who is responsible for what immediately, while we have urgent problems to solve. But this doesn’t mean that the question can be avoided and the question cannot be avoided because the scenario or environment is complex. You have much more complex scenarios in other policy fields, safety, et cetera, and yet we manage to find a way to manage responsibilities and accountability.

And the second comment concerning the possible highjacking of the cybersecurity agenda by other interests, this is a general problem in any kind of policy there are always special interests that try, from the perspective of those who don’t like this, they try to highjack. From their perspective, they are justified to make the policymakers interested in their particular point of view on what cybersecurity or other policy fields should do or not do. I don’t have any solution to that. I’m not claiming that in in moment the cybersecurity agenda is more hijacked or completely hijacked or more hijacked than you have the risk in any other fields.

The important thing, I think, which is not happening in my view in the cybersecurity field, is that you need to involve more people in the discussion.

This is very challenging security, because the reality is that politically speaking, security is difficult. It’s difficult to attract especially policymakers to security, because the measure of success in security and cybersecurity is when nothing happens. And that is very difficult to sell politically. So there must be some form of engagement of some community and of other communities to make sure that a broader range of stakeholders understands the cybersecurity and gets interested into the discussions of cybersecurity. That usually is the best way to avoid very narrow perspectives which risk to derail the discussion and make it less useful than it might be.

>> MODERATOR: Thank you very much. Any response?

>> BUT KLAASEN: About the first point you also raised, also raised by my neighbor, Mr. Weber, you are right. We cannot avoid totally things about liability or responsibility.

And I think I need a bit of clarification of what I meant. What I meant is that they are very difficult discussions. Legal aspects of this shouldn’t be a barrier to find solutions that we can agree upon. That is what I meant. Just for clarification. Thank you.

>> MODERATOR: Thank you very much.

We have one more comment, question.

>> AUDIENCE: It’s from Edward. He is in the Ukraine hub. How do you establish that universities place the data providers of services in external stores, and warehouses in the form of outsourcings? Is it safe and secure now?

>> MODERATOR: Whoa, that’s a general one. Well, thank you. Edward it was? Edward?

Okay. It’s a very difficult question. I think that is data about scientifical research and all the other related data should be secured on certain premises.

I know how we are handling data. But in Europe we have a European cloud and a European cloud is pretty secure. So if you want to put data into it, there are several vendors who provide the proper services. So I think it’s very good secure.

On the other hand, how you do it by yourself at this moment? If you have a local data stored local, then you have similar problems. Is it secure over there?

So you have to balance always the risk, where you store it, what are the agreements you made with your provider, and what is about the ownership of the data.

>> MODERATOR: Thank you very much. Professor Weber, did you have any remark?

>> ROLF WEBER: Well, if I understood correctly the question was also related to universities. And insofar as I’m perhaps a little biased, but I should say that as far as I can see, universities do less care about security than private firms. At least in my home country, I somehow wouldn’t confirm that data are really securely stored. And this has perhaps also to do with budget cuts, et cetera, in the public sector, insofar as I’m rather skeptical to say that universities are at the forefront.

>> MODERATOR: Thank you very much. I think first Pedro and then Yuliya.

>> PEDRO VEIGA: Okay. And I also have some responsibilities in my University. And some kind of information we have a lot of security measures. For example, the administrative data for students with rankings, we have very tough security measures, for example, to avoid that the student tries to improve his ranking by some trick.

Of course, on the other side, we have a user base of youngsters, for example, I’m a professor of computer science. They are potential hackers, just for fun many cases, not to be a criminal in the most strict sense of the question. But universities take care of some kind of data with special measures, because it’s more relevant.

Okay. I have another topic but it’s a different issue if we have time. But I will pass to Yuliya.

>> MODERATOR: Thank you.

>> YULIYA MORENETS: Just to add, I would like to join my colleague. And the University in Strasbourg, we have quite secure also measures. But the problem or maybe the challenge, it’s a lack of knowledge and awareness raising. Because Professors and also students that don’t use all possibilities of this. So, practically, they use it a very simple way and don’t really have the information how to use it in order to secure.

>> MODERATOR: So this is awareness.

>> YULIYA MORENETS: Yes.

>> MODERATOR: So we have to also emphasize on awareness whatever you’re doing with your data?

>> YULIYA MORENETS: Yes.

>> MODERATOR: Thank you. More questions for this topic?

>> PEDRO VEIGA: We have only a few minutes. It’s something that in the afternoon when we have been preparing the session we discussed IPv6, if we should put IPv6 on the table, if it is related.

And I would like to have one minute to state, for example, the introduction of IPv6 is slow by many operators. And on the 8th of June, we have the world IPv6 day to try to promote IPv6. But this is an example that most ISPs are very slow moving, because they run – they have an economic interest in the networks. So the later they can do investments, the better for them. And IPv6 awareness raising is things that cost money.

And it is also the role of governments to put some pressure on the – some very important stakeholders of the infrastructure, that they should invest reasonable resources to keep the infrastructure secure and usable.

So, this is it.

>> MODERATOR: Thank you very much.

>> MODERATOR: Thank you very much.

I have a small question to the youngsters under us, because I see a lot of boys and girls who are a lot younger than I am. And they are using I think social media. They are using Twitter or they are using all the other stuff. What are they thinking about their security? As somebody of those populations, some remarks to make?

>> AUDIENCE: Okay. On Twitters I’m secure.

>> MODERATOR: We have one question from the young gentleman in the last row.

>> MODERATOR: There he was.

>> MODERATOR: We will pass you the word.

>> AUDIENCE: Hello. My name is Hagum from the Netherlands. I’m a student. I’d like to stress that I’m a little concerned about this public/private cooperation that Mr. Klaasen was talking about. Because if I’m understanding it right, it will be for the private sector to decide if I’m a criminal or not.

>> MODERATOR: No. No.

>> BUT KLAASEN: It’s not – that’s not right.

>> AUDIENCE: That’s not the case.

>> BUT KLAASEN: It’s about collaboration and – correct me if I’m wrong – it’s about a collaborative effort to secure the environments. And it’s not the private sector who says that hey we do privatizing of the legal system. That’s not what we’re doing.

>> AUDIENCE: But the leadership is on the private sector, right?

>> No.

>> We will bring him in front to find solutions but not to bring them to justice.

>> That is a governmental thing.

>> MODERATOR: We have one question from the lady in the first row. One moment.

>> AUDIENCE: Good morning. I’m Letitza +++++ and I’m working for the European Youth Forum.

I’m sorry, I will ask again, because this is important. Cybersecurity cannot be something not of public interest. If there are economic interests inside this debate, they need to be marginal. I’m sorry, this needs to be addressed again and again. And I want an answer on how our public sector is going to ensure that public interest is kept in this debate. And this is important to address not in the workshop, but also in this plenary. Because I want everybody to know what is the State of play.

And if Mr. Gloriosa says it’s everybody in the economic interests, I agree. but I want to know what the European Commission, what the public government, what everybody is doing to make sure that people of this world have rights on the Internet. And this is not governed by interests of corporations that earn money on our shoulders.

(Applause)

>> MODERATOR: Quite a striking remark from the honored speaker. Panelists, any comments on this? Do you agree, in general, or not?

>> Thank you. I do agree. If you ask how they are doing now, if you look at government, they are doing it in effect the same way as they are doing in our daily life, in our – in our nondigital way. Cyberspace is new for them so they are looking for ways how to extrapolate or how to handle the same thing they are used to doing now in cyberspace. And this search has not ended. They are looking – it’s new for them. They are looking for it. They are making much purpose. And just as you say, it’s very important that you have individual rights. We have our common goals of society that should be protected and that is certainly a goal for government. And I’m pretty sure they will enforce it and make themselves strong for it.

>> MODERATOR: Thank you. Professor Veiga?

>> PEDRO VEIGA: Just on the screen that we have in front of us, this is stating cybersecurity of public interests. I was looking to the screen and it just popped up. We live in a world where the telecommunications sector is private. It’s a critical infrastructure for the information society. And it should be the role of governments to push the private sector so that they invest the necessary resources. For example, the IPv6 maybe is not the best example concerning cybersecurity, but it shows that the private sector, when it can slow down investments and make them one or two years later, just to have more income in this year, it’s a potential problem.

And they should understand that also their survival as relevant players in the cyberworld requires the vast resources. And they take care of users, the users who pays the bills at the end of the month.

>> MODERATOR: Thank you. I agree. Sir, you have a word.

>> AUDIENCE: I’m from the European Commission. I actually agree. We actually agree with the lady from the audience, that security or cybersecurity in particular is a public concern. A concern of everybody. And the Commission, I can’t go, for reasons of time, I can’t go into the details of everything that we’re doing and I’m happy after the session to provide my contact details so that I can go into more detail.

But, the position of the Commission has been consistently to call upon public authorities to take the responsibilities to do more than they are doing at the moment. It should also be reminded that, I don’t want to bore people with the institution or the details of the European Union, but security responsibilities, responsibilities in the field of cybersecurity in the EU tend to remain in the hands of the Member States. The Commission can at most provide coordination and support, which is exactly what we are doing. But on the other hand, and I hate to be kind of the bad guy here, as has been mentioned before, there are economic considerations to be made. You can either be very – and I’m being blunt here – you can either be the white knight and make bold proclaims that everybody should do this or that, you can put in place regulations that nobody in practice will follow.

Or you can recognize that there are interests at play and sometimes it’s not in the best interests of companies to do what we would like them to do. Sometimes it is. And it’s up to public authorities to kind of find the right approach so that it remains in the interests of companies to do what they should do.

But I think it’s quite, again to be blunt, it’s useless if not damaging. It’s not recognizing the fact that the private sector owns or operates the majority of ICT infrastructures. If we don’t recognize this factor, we are going to make policies which are ineffective and quite frankly in the end we are going to lie to citizens. We are going to tell them that we are being effective, we as public authorities, we are being effective, when we are not.

I personally prefer to be a little bit more pragmatic and to discuss with people and to recognize the fact that it’s not because we care for the economic interests of the private sector, but it’s because the private sector has a very significant role to play that we need to engage them. As I mentioned before, and this is very important for us, this does not mean at all that we forget about the accountability and responsibilities and even liabilities, which is not a term that I used before, because it opens a broad discussion. It doesn’t mean that we forget about that. But just going all guns blazing, top down, and telling people that you must do this, when you don’t have the legal instruments to force them to do something, it’s simply not going to work, certainly not in the short-term and probably not in the medium or long-term.

>> MODERATOR: Thank you.

>> I have one remark from the lady here, just 30 seconds.

>> MODERATOR: No problem.

>> AUDIENCE: Yes. Okay. So, public – private sector is running the ICT infrastructure. What about the fight that we have all over the world to keep alter infrastructure in the public sector interest?

>> MODERATOR: You have the word, please, microphone for you.

>> AUDIENCE: If we had two microphones it would be easier.

I think it’s always a bit – it’s very interesting, and I find it very interesting to make parallels between different policy fields. It can also be dangerous because each policy field has its own peculiarities. If what you are suggesting is that we should make a push so that the communication and ICT infrastructures should come back into the hands of the public sector, or should be handled in a more publicly conscious way, if it is the first I don’t think that is possible. Frankly. We had it 30 or 40 years ago. There were changes to that model and I don’t think we can go back, personally.

If it is the second, it all boils down to understanding what it means that a certain infrastructure, whether it’s water, ICT, energy, transport, has to be handled in the public interest. Since we have laws by definition, everybody’s infrastructure has a public interest complement in the Democratic countries at least. The question and its an honest question and I would love to discuss the matter more with people here and with you perhaps after EuroDIG is in practice, which process do you put in place to ensure that the public interest is reflected? We at the Commission, after considerable reflections and attempts, some of which failed, some which didn’t succeed as well as we wanted, we concluded that dialogue with the private sector and the cooperation in the form of public/private partnership is the most effective way to assure that considerations are taken into account.

But if people have different ideas, and I’m being checky here, I’m interested to hear about that. We are always in time to change our direction. But we need, as I think I mentioned yesterday in other contexts, I would encourage people to be practical, focused and actionable. Because vague statements don’t help. We cannot go to the private sector and tell them you must perform your activities and duties in the public interest. They will say of course. How? Tell us what we should do? And then we have to give an answer.

>> MODERATOR: Thank you very much. Yuliya? Quick response.

>> YULIYA MORENETS: Thank you. I would like to go to your first comment. You told about and you had the question about users rights. I think it’s very important that users should be aware that once being online, they have their rights. But they have also to respect other users’ rights. And probably we will, like this, have less problems with the hate speech content and other expressions.

>> MODERATOR: Thank you very much. One short question. I have to warn you that we are running out of time.

>> I’m Alexander from of the private party of Serbia. This is a bit of remark and I want to share information with you. Several days ago, President Obama said in one sentence that piracy and terrorism will be fought against, because they are threatening the security and integrity of people. So, take a look at me, and I’m the pirate. And I share information, share the data with other Pirates and with all of you. And I just want to call for reason and pragmatism. We have everything we need, and we have free tools to ensure our freedom on the Internet. We have practically everything, actually. I mean, when I say everything, I mean everything. We need to safeguard the Internet.

And the mechanism is simple.

So why should we complicate the regulations and technology by applying the more complicated technology when people already don’t understand the current technology? I don’t want to be on the other side of the progress. That is not the idea. But we should use the current resources first, then go to the most complicated ones.

>> MODERATOR: Okay. Thank you.

>> MODERATOR: Thank you very much. I have to announce that we actually ran out of time. I appreciate your activity and I’m very grateful for your questions and comments. I have to thank to the panelists for their quite interesting remarks and their expertise. And on behalf of the moderating team, comprised of me and Ton, I’m closing this session and the summary of this session will be uploaded online. So thank you very much. And I ask you for one big applause for all the participants. Thank you very much.

(Applause)

>> Now we have a coffee break. I would like to ask you to be back to the workshop rooms, depending on the workshop you have chosen, immediately at the time stated, at 11. And I have to hint you that the title of the workshop 7 has slightly changed. If you look at the back of your badge, and the real title is in the printed programme.

Actually, “What actually is cybercrime and social networks sites.” This is the final title of the workshop 7.

>> And workshop 8 is also different. And the title for that one is “What is the role of Human Rights in the Internet Governance?” Thank you.

>> Thanks Dixie. And please be back in time.

>> Just once again for those who were not here in the morning, a side event on IPv6 has changed. This was shifted to the afternoon. It will be now parallel to plenary 3, new media, in room 3/1, the side event on IPv6. It’s not happening before lunch. It’s after lunch. Thank you very much.