Cybersecurity challenges ahead! How would you shape regulation to address changing technology? – WS 07 2019: Difference between revisions

From EuroDIG Wiki
(30 intermediate revisions by 2 users not shown)
Line 1: Line 1:
20 June 2019 | 11:00-12:30  | YANGTZE 2 | [[image:Icons_live_20px.png | Video recording | link=https://youtu.be/52j085MM8fk]] | [[image:Icon_transcript_20px.png | Transcription | link=#Transcript]]<br />
[[Consolidated programme 2019|'''Consolidated programme 2019 overview''']]<br /><br />
[[Consolidated programme 2019|'''Consolidated programme 2019 overview''']]<br /><br />
{{Sessionadvice-WS-2019}}
Working title: <big>'''Responsibilities to address new technical challenges'''</big><br /><br />
Proposals assigned to this session: ID 8, 18, 29, 56, 87, 137, 156, 163, 181, 191, 192, 206 – [https://www.eurodig.org/fileadmin/user_upload/eurodig_The-Hague/statistik_proposals_all/proposals_for_2019_2018-12-04__01_final_web_IDs_ver1.pdf list of all proposals as pdf]<br /><br />
Proposals assigned to this session: ID 8, 18, 29, 56, 87, 137, 156, 163, 181, 191, 192, 206 – [https://www.eurodig.org/fileadmin/user_upload/eurodig_The-Hague/statistik_proposals_all/proposals_for_2019_2018-12-04__01_final_web_IDs_ver1.pdf list of all proposals as pdf]<br /><br />
== <span class="dateline">Get involved!</span> ==  
== <span class="dateline">Get involved!</span> ==  
You are invited to become a member of the session Org Team by subscribing to the [https://list.eurodig.org/mailman/listinfo/WS07_2019 '''mailing list''']. Please be aware that an email will be send to you requesting confirmation of subscription, to prevent others from subscribing you to the list. As spam detection systems are rather aggressive today you may need to have a look to your spam folder too.
You are invited to become a member of the session Org Team! By joining an Org Team you agree to that your name and affiliation will be published at the respective wiki page of the session for transparency reasons. Please subscribe to the session [https://list.eurodig.org/mailman/listinfo/WS07_2019 '''mailing list'''] and answer the email that will be send to you requesting your confirmation of subscription.


If you would just like to leave a comment feel free to use the [[{{TALKPAGENAME}} | discussion]]-page here at the wiki. Please contact [mailto:wiki@eurodig.org '''wiki@eurodig.org'''] to get access to the wiki.
== Session teaser ==
Cybersecurity has become a buzzword for a plethora of actors, issues and spaces. In the past years, the EU has sought to bolster its approach to create shared norms and principles for regulating emerging technologies and building institutions to address challenges for the peace and stability of cyberspace. This includes, but is not restricted to, the NIS Directive, Cybersecurity Act and Digital Single Market strategy. However, this session invites participants to think together on how to keep up with emerging technical challenges deriving from new technologies in the next decade.


== Session teaser ==
== Session description ==  
Until <span class="dateline">15 April 2019</span>.
 
There are many possible pathways to addressing the changing nature of security and regulation vis à vis the expansion of emerging technologies. This session takes on the challenge of looking forward and engaging the audience in responding to several main issues:
 
(1) '''Setting the Scene''' - what are the technological challenges for cybersecurity?


1-2 lines to describe the focus of the session.
(2) '''Navigating the maze''' - how do we cope with technological challenges?


== Session description ==
(3) '''RED ALERT! What to do when things go wrong?''' - The cybersecurity Act, GDPR and other regulations have sought to prescribe new mechanisms for responding to breaches and cyber attacks. What happens when trust, cooperation, and existing mechanisms are not enough to assess, identify, and respond to new vulnerabilities. How do we assess the red lines?
Until <span class="dateline">30 April 2019</span>.


Always use your own words to describe the session. If you decide to quote the words of an external source, give them the due respect and acknowledgement by specifying the source.
(4) '''Will regulation run out of time?'''


== Format ==  
== Format ==  
Until <span class="dateline">30 April 2019</span>.


Please try out new interactive formats. EuroDIG is about dialogue not about statements, presentations and speeches. Workshops should not be organised as a small plenary.
The session will engage the audience and resource persons in interactive dialogue guided by the moderators. Both key participants and the audience will provide examples of how they have been coping with the pace of technological change by working in their respective areas, identify and discuss the regulatory and other responses to new vulnerabilities.  
 
Ultimately, both key participants and the audience will conclude with target-focused contributions on the biggest challenges for securing emerging technologies in the next 10 years, and on the possible/desirable regulation in Europe in the near future.


== Further reading ==  
== Further reading ==  
Line 38: Line 41:


'''Organising Team (Org Team)''' ''List them here as they sign up.''
'''Organising Team (Org Team)''' ''List them here as they sign up.''
 
*Chivintar Amenty, YouthDIG 2019
The Org Team is a group of people shaping the session. Org Teams are open and every interested individual can become a member by subscribing to the mailing list.
*Louise Bennett
*Fotjon Kosta, Coordinator of Albania IGF
*Olga Kyryliuk, The Influencer Platform
*Erlinda Lleshi, IT


'''Key Participants'''
'''Key Participants'''
 
*'''Marco Hogewoning''' - RIPE NCC
Key Participants are experts willing to provide their knowledge during a session – not necessarily on stage. Key Participants should contribute to the session planning process and keep statements short and punchy during the session. They will be selected and assigned by the Org Team, ensuring a stakeholder balanced dialogue also considering gender and geographical balance.
*'''Ceren Unal''' - ISOC
Please provide short CV’s of the Key Participants involved in your session at the Wiki or link to another source.
*'''Wolfgang Kleinwächter''' - Professor Emeritus from the University of Aarhus, Commissioner, Global Commission on the Stability of Cyberspace (GCSC)


'''Moderator'''
'''Moderator'''
 
*Louise Marie Hurel, Cybersecurity and Digital Liberties Programme | Igarapé Institute Media and Communications (Data and Society) | London School of Economics and Political Science (LSE)
The moderator is the facilitator of the session at the event. Moderators are responsible for including the audience and encouraging a lively interaction among all session attendants. Please make sure the moderator takes a neutral role and can balance between all speakers. Please provide short CV of the moderator of your session at the Wiki or link to another source.


'''Remote Moderator'''
'''Remote Moderator'''


The Remote Moderator is in charge of facilitating participation via digital channels such as WebEx and social medial (Twitter, facebook). Remote Moderators monitor and moderate the social media channels and the participants via WebEX and forward questions to the session moderator. Please contact the [mailto:office@eurodig.org EuroDIG secretariat] if you need help to find a Remote Moderator.
Trained remote moderators will be assigned on the spot by the EuroDIG secretariat to each session.


'''Reporter'''
'''Reporter'''
*Stefania Grottola, Geneva Internet Platform


Reporters will be assigned by the EuroDIG secretariat in cooperation with the [https://www.giplatform.org/ Geneva Internet Platform]. The Reporter takes notes during the session and formulates 3 (max. 5) bullet points at the end of each session that:  
The Reporter takes notes during the session and formulates 3 (max. 5) bullet points at the end of each session that:  
*are summarised on a slide and  presented to the audience at the end of each session  
*are summarised on a slide and  presented to the audience at the end of each session  
*relate to the particular session and to European Internet governance policy
*relate to the particular session and to European Internet governance policy
Line 69: Line 75:


== Messages ==   
== Messages ==   
A short summary of the session will be provided by the Reporter.
*All stakeholders need to be represented at the table in their respective roles. Despite the fact that some issues have to be settled by a specific stakeholder group with expertise, conclusions can only be reached if all the stakeholders’ perspectives are taken into account.
*Current technological challenges have created a global appetite for further regulation; nevertheless, flexibility is needed for understanding, on a case by case basis, whether further regulation is needed. Some of the challenges currently hampering the regulatory policymaking process are related to the false dichotomy that privacy and security are in contrast with each other. Security and privacy by design could be a solution.
*The current approach has promoted self-regulation. Debates on effective regulation need to consider and implement stronger enforcement mechanisms which existing institutions and tools tend to lack. In the absence of an independent judiciary for cyberspace, new mechanisms for dispute settlement should complement existing legal frameworks. Moreover, the implementation of best practices by like-minded countries can further strengthen the adoption of responsible behaviour to a larger number of actors.
*In order to address the challenges posed by emerging technologies, better transparency and accountability mechanisms are required. Digital literacy, security, and consumer awareness need to be better implemented for a more effective holistic approach.


== Video record ==
== Video record ==
Will be provided here after the event.
https://youtu.be/52j085MM8fk


== Transcript ==
== Transcript ==
Will be provided here after the event.
Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: +001-800-825-5234, www.captionfirst.com
 
 
''This text, document, or file is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text, document, or file is not to be distributed or used in any way that may violate copyright law.''
 
 
>> MODERATOR: Hello? Hello, everyone. Let's take one minute before we start, but I just wanted to invite you all that are sitting at the site to join us at the table. The table is now at a special place. The space where all of us should be sitting. I'd like to challenge you, over there, to engage and to be at the table. We're going to have some very good discussions and we're going to need your interaction. This is not a Plenary, this is a place for you to talk.
 
Okay... let's take one minute to see if any other person is going to come in and we'll start. Okay... I see some people have taken on the challenge of joining us in this table. I'd continue to encourage you to join us at the table. I'm going to stand because I feel, you know... let's break this post Plenary environment and be very at-ease and... be willing to grab the mic, so... there's a mic over here, there's a mic over there, there's a mic over there. If you want, you can just sit beside Marco and grab the mic over there. There's a lot of opportunity for us to talk today. This session is called cybersecurity challenges ahead! How would you shape regulation to address changing technology?
 
I'd like to first thank Tatiana for being such a supportive person throughout this process of helping grab people and have them over here. This is pretty much a follow-up from the discussions we had yesterday at the Plenary. Looking ahead, thinking about what we mean with regulation of emerging technologies. Thinking about the constraints in terms of dealing with security, value accountability and transparency. Some of the things we heard yesterday at that Plenary, we're looking for the perfect legislation and we're looking for regulation in the present. Another thing that was said was, if you want your policy to endure, you need to look to the past and to the present. And now, we just got back from an interesting Plenary session, talking about the UNGGE, the United Nations Group of Governmental Experts. Talking about different norms at the international level. How do we understand, actually, the trickle down of these norms? How do we understand that? How to implement them?
 
As Maria was saying, we have a very good understanding, specifically at the Internet Governance Community, we're looking at accountability, transparency in the processes, but are we talking about implementation?
 
So... this panel is very much focused on bringing us back to, you know, let's talk about the feasibility. Let's talk about the implementation, let's talk about, should we regulate emerging technology? Shouldn't we regulate it? How do we go about the gap between these international norms, these international cybersecurity processes, and what happens at kind of like the operational level? What happens at, you know, the technological level?
 
So... I'd like to challenge you today to join me in this conversation. First of all, I'd like to present -- please feel free to join at the table, too, I'd like to present, first, Wolfgang Kleinwächter. Sorry if I didn't say that correctly, my German is really bad. But... he's a commissioner at the Global Commission on the Stability of Cyberspace. Marco, help me with your last name. Hogewoning. I'd like to start out by asking Wolfgang, please take my seat over there. Because... I think it might be easier, but... I'll pass it over to you. Wolfgang, tell me how do you see -- I'll give you the mic, no worries. How do you see the progression between the discussions that we were having at the Plenary, specifically in terms of cyber norms at the international level, how do we make this more palpable? How do we bring this to our everyday reality? How do we ensure that these processes, actually, are effective?
 
>> WOLFGANG KLEINWÄCHTER: The easy question, difficult to translate into reality. Internet Governance debates are like the Mississippi, it flows, it flows, it flows, and still, 1,000 miles to New Orleans, and if you arrive in New Orleans, you have a delta and you cannot oversee, you know, how many small rivers are there.
 
So... it's very complex and so far, the debate we had just in the previous session was very helpful to discuss this multi-stakeholder multilateralism, which concluded in the recommendation. It's nonsense to have, debate it in an ideological way. You need all stakeholders on the table, in their respective roles. I think this was the, the language which was introduced already to this agenda when the working group on Internet Governance defined what Internet Governance defined what this is. Stakeholders operate in their respective roles. It means there are issues. Because we have so many issues, there are issues which have to be settled by a complete stakeholder group. The technical community has a special responsibility. The businesses have their own responsibility. Civil Society has their own responsibility. Governments have their own responsibilities. It means there are issues which should be negotiated within the stakeholder groups, but embedded in multistakeholder environment. That means no stakeholder alone can come to a final conclusion or final decision, you know, without having a consulting process or whatever, by taking into account the positions of the other stakeholders. No stakeholder can substitute the other stakeholder. Civil Society cannot substitute government, business cannot substitute government, government cannot substitute business.
 
But you have to have the various perspectives. There's no single answer to an internet issue, you can have various perspectives. And... you can come to reasonable outcomes, only, if you take the various perspectives onboard and on basis of this, let's say, knowledge and then you can come to a sustainable decision by people who have a day to decide. Technical people would be stupid to ignore the broader environment and just do the RFC in their own silo and the same, you know, with the group of governmental experts in the United Nations. It's intergovernmental body and probably governments under certain circumstances have to talk to each other. But... they would be stupid to ignore the debate outside the, the UN headquarters and... not to have this open consultation and oh, let's wait and see what these two processes, which we'll start now September in New York, will produce, but... I think the pressure from the community should be, you know... we live in this one world and... and... we are, do not live in, let's say, closed communities anymore.
 
And... so far, to have this, let's say, conceptual discussion about the, how to combine in an effective way, multilateralism and multistakeholderism. The general has used the language, inclusive multilateralism. This is interesting, he has used the language, smart regulation. Means there's no need to regulate everything, but in certain circumstances, it's good to have, let's say binding legislation, then you can have more nonbinding, voluntary codes and things like that, so... it means you have to work with the full spectrum of, of opportunities and so... so far, this is, you know... a lot of discussion. The 2020s will be very interesting. We need small concrete outputs, but... do not expect that somebody has a silver bullet on both sides of the problems over the next two years, thank you.
 
>> That's perfect, I'd like to bring a point from our previous discussion, I think it's very interesting and I want to give back to you, Wolfgang, which is, we had that poll, right? And one of the answers that we had was that participants had agreed that we need more norms for state behavior and regulation for corporate behavior. So... we -- do we need more regulation? That's, perhaps, my question. What do you think, Wolfgang?
 
>> WOLFGANG KLEINWÄCHTER: Yes and no. It depends from the case. I think in previous terms, we had regulation and input every issue under this broad regulation. In the information age, I'd build regulation around the issue. There are issues which need precise regulation. There are issues where you could say general framework is better, this offers more flexibility. Certainly... if you come to various security-related issues, we will discuss a little bit later, certifications for products which have a lot of vulnerabilities and could risk life, then... probably, here, you need strong regulation.
 
>> Mm-hmm.
 
>> If it's just some guidelines for the development of AI, probably, then... voluntary guidelines, single guidelines are better. It depends on the issue.
 
>> Thank you, Wolfgang. So... I think I'm now going to pass it to Ceren (?) Could you say what are the main technological challenges we see ahead. We were talking about the future, looking at what's ten years from now and looking also in terms of regulation. Should we regulate? Shouldn't we regulate? Should we be talking about the question of regulating or not regulating? Where's the starting point. I'd like to hand it to you.
 
>> That's the million-dollar question, isn't it? Also, like, reflecting from the poll from the session earlier, it's like after relationship, for example, I remember a similar poll. After Cambridge Analytica, it's the companies that need regulated. There's this global appetite to regulate, which is understandable. We've been working for the last two years on the campaign on IOT security at Internet Society, IOT is a very complex ecosystem and privacy and security cannot be isolated from each other. Everything is strongly-connected to each other. We were focusing on consumer IOT, which is particularly vulnerable. It's, it's more than 60% of the market share. And... there's also an economic aspect to that, which probably, we can talk about that later, but... what we did is, also with this global appetite, we showed a survey in combination with Consumers International. Most of the people stated they thought IOT devices were creepy, yet... they said they're going to buy them anyway. They also said somebody needs to do something about it. That somebody, who? The jury is still out.
 
What we tried to do, it's -- the internet is, by definition, a globally interdependent network of networks. That's how the internet works. When we talk about multistakeholderism, it sounds cliche, but it makes sense. That's how the internet works. No single actor, even if they come up with the most -- I mean, I'm a lawyer by training, so I love that we can talk hours on how to draft, how to craft norms and... which rejections should be embedded and things, but by the end of the day, you need to cooperate on a global level. This isn't some nicety offered by governments or Civil Society or technical community to sit on the table. Simply, we need each other. Everybody has a say, everybody has to play a role in this.
 
And... what we try to do is we started our multistakeholder process, it started, first, in Canada, including the government, private actors, Civil Society, now it's spreading. Why I'm saying this, it works on a global level. Now we have another multistakeholder process going on in France. Another one has started in Senegal, another one just started in Uruguay. This actually works.
 
This was a very, like a voluntary norm, developing process, mainly focusing on privacy, security, resilience and transparency aspects. Which goes on for the whole lifecycle of the products. Our whole campaign was based on the Internet Society, the Online Trust Alliance. They built up a very substantial, detailed principles called the IOT trust framework. So... the discussion was going around that. I'm glad to see that now the Canadian process is finished and... we'll see how the implementation goes and I think multistakeholders, we're going to discuss that further, but... if we want to have technology proof, norms, we need to have, we need to be realistic. We need to have some sort of flexibility. We need it to be adaptable to changes. So... these kinds of norms, which are built by consensus, by agreement for both stakeholders. In the IOT market in particular, the toughest part is to incentivize. I'm also kind of scared on a personal level, I'm scared of, I agree that there's an urgency to address some issues. I agree that the governments obviously have the, the main duty to protect their citizens, but if you look at the G7 outcome documents, for example, we're really worried about some of the proposals which are being currently discussed around the globe and Europe, that weaken encryption, which is the strongest tool for security and another challenge, it's not a technological challenge, but a mentality challenge, we still hear the "I have nothing to hide" argument from the general public and also the false dichotomy of privacy versus security still exists, which is probably another issue to discuss. Thank you.
 
>> I definitely agree there's a component of education that comes together with understanding the technology and effective ways to build policy. What's the kind of process that we need and what kind of outcome are we actually looking at? I forgot to mention, but I think one of the good things for us to think about over here, at the international level, we talked a lot about the international norms and talked about, you know... different sets of norms that are coming up, be it at the UNGGE or the GCSC proposing different packages. I think that one of the things at the European level that we've been seeing is definitely like an increased attention to cybersecurity, a robustness not only in terms of institutions, but policies. The EU Cybersecurity Act that was mentioned earlier, we have also, the ENISA gaining a new body, a new institutional role. We also have, on the other hand, other proposals such as developing a blueprint for coordinating cyber attacks in Europe. I'd like to pass over now to Marco, Marco, what are your thoughts coming from the technical community. How do we reconcile emerging technologies and most-importantly, the focus of this discussion, how do we consider security on all of that and don't end up in this endpoint as Ceren was mentioning, between security and privacy as dichotomous. How do we go about that?
 
>> MARCO HOGEWONING: It's a tough question to answer. I'm looking and just my background isn't technology, so... I'm kind of looking this -- sometimes in my technocratic engineering way. I think it's, I see a lot of people reinventing the wheel. I think from a technical perspective, it's also, look at what you have. And try to improve on what you have rather than spin up another venue, institute, institutionalize somebody else to take care of it.
 
I want to jump back to the principles of Internet Governance. Everybody in their own respective roles. Where I sit more and more, we throw technology at technology. We see technology as a threat. We put more technology to counter that threat. What happens at the same time, we more and more, seem to be shifting the role, where more and more of what is a regulatory role is privatized. We are looking at the big corporations to regulate themselves. Yesterday, during one of the sessions, I think it was Commissioner Garfield that said regulation has failed. If we agree to that point, where self-regulation has failed, then we are telling them to self-regulate. I think we have to understand that self-regulation actually means regulation. It's maybe not the regulation that failed, it's probably better to look at the enforcement that failed. Whether that's the existing institutions that are lacking the capacity to understand what goes on and be effective in the enforcement. Whether we have to define new ways to enforce it, that's something we can discuss. And it was also pointed out by Jaya [phonetic] yesterday in the panel, we all know that product is bad, take it off the market, stop selling it and I do believe there is existing regulation and product conformity that would enable us to do that. Stop here, right now, take it off the market, come back when this product is safe.
 
>> MODERATOR: Great, Wolfgang, do you agree with Marco when he says it's about enforcement?
 
>> WOLFGANG KLEINWÄCHTER: Yes, and here we have a gap in the ecosystem. We don't have mechanisms that mean if two parties have a conflict, how they settle this. And... if the German government says we have hate speech and fake news in these other networks and delegating to Facebook, that's not the right way to do it. You have to have a neutral third party which will then, if there's a governmental approach and private sector approach, decides this... under neutral conditions, based on norms in the law. We do not have the so-called independent judiciary for cyberspace conflicts. If you start a procedure, then probably, it takes years until you have an outcome. So... I would think for a lot of this, very practical issues, we could be able to introduce new mechanisms for dispute settlements contributing to enforcement. Companies know if they do not respect the norms, they have to pay consequences.
 
Also, other states have to face consequences. So far, a cyber attack against another state remains without consequences. This is an invitation for us to say, okay... we can just, you know... hack somebody in another country and the price is low that has to be paid. You know... it's difficult to attribute and all this. We don't know all the complexities, but so far, we do not have a price list for wrong-doing in the internet. So... a lot of wrong-doing on the internet remains without consequences. This relates to the enforcement, but... for enforcement, we do not have the adequate mechanisms. So far... this is an invitation to be creative and to come up with something which is new. We have the domain name, [indiscernible] in the 1990s, when trademark and domain names were mixed. It was a very complex issue, and then a new thing was introduced, invented. The UDRP [phonetic] that works quite well. You cannot settle all the issues. There'll be 5 or 10%, probably, to go to us, the procedures, but my experience tells me 60% is more than 40%, 80% is more than 60%, 100% is nearly impossible, but... if you can remove 80%, of wrong-doings and hate news and fake speech, you have achieved a lot.
 
>> MARCO HOGEWONING: I want to add to your example. What we see, a lot of ccTLDs are adopting the WIPO arbitration procedure. We are kind of jumping back to established mechanisms to settle disputes on the internet. There's a lot there, it's just that we have to apply it correctly.
 
>> WOLFGANG KLEINWÄCHTER: There's no need to reinvent the wheel. I fully support you. If you have the wheel, use the wheel, but if you have no wheel or the wheel was stolen, you need a new wheel.
 
>> MODERATOR: Absolutely, Jackie?
 
>> On that, Wolfgang, thank you for bringing up the notion of the wheel. How do we go about designing the wheel? If we see the struggles that are apparently real at an intergovernmental level as well as on a company level to agree on fundamental principles, let's say, such as, is international law applicable to cyber -- to offenses in cyberspace? How can we create alignment around a mechanism, for example... that everyone subscribes to or the key party subscribes to in terms of enforcement? I wonder how, how we should go about bridging ideological gaps, maybe? Maybe there's other gaps, and ideology, I don't mean just political, but also community-based ideology, for example, thank you.
 
>> WOLFGANG KLEINWÄCHTER: The world we live in, you miss political will of key players to come together and find common solutions, so... [indiscernible] has this wonderful project on internet restrictions. The basic idea is you have protocols among states and different jurisdictions, which would allow, you know... to settle a lot of these issues, just by following the protocols which link states together. Like the TCP/IP protocol links networks. The difference between networks and jurisdictions is networks do not have a political will. But... jurisdictions are represented by governments, have a political will. If you have no political will, it's an illusion to find the right pictures. The only way out or way forward is to build groups of like-minded countries and to bring good practice, so the practice is so accepted by a majority of stakeholders that the, the countries will feel pressure and have no other alternative than to join the club. So... this is what Bill Clinton has defined, years ago, as stumbling forward. No big jump, but small steps. Here a little bit, there a little bit and you have a complex mechanism with a lot of smaller things that can be pulled together like the dots. This creates a mainstream which could, you know... improve the situation in the next ten years. We're talking about the 2020s, so... this has to be done in a process and not as a project.
 
>> MODERATOR: I'd like to pass over to Ceren now. It might be interesting. Wolfgang was talking about the challenge of getting to the table of how you build legitimacy around these processes and like to pass over to you Ceren to share how was it with the multistakeholder group in Canada and how you see this going forward, specifically. You said that it has been proliferating across different countries and has been very bottom-up. How do we engage? How do we approach security and trust in IOT? How do we think about this looking forward? And what are kind of like the best practices in this experience of actually getting people to the table?
 
>> CEREN UNAL: I think the first trick is like, being very realistic and picking the right topic. So... consumer IOT might not strike as the biggest threat to consumer IOT -- to cybersecurity, but... I'll just say two words. Mirai botnet. The governments need to do something about it and the technical community was kind of, I'd say, they wanted to act before some sort of unexpected heavy regulation appears, which is a good way to incentivize the businesses, the industry. And of course, the users, they were scared, they were using these devices because it's convenient, it's convenient, it's cool, it's nice, it's, we're talking about IOT still as emerging technology. It's here, it's here to stay and going to evolve. That's why, like, overregulating is very tricky.
 
When we did the, when we did the economic analysis of the market, we work with -- I love how you can have an economic explanation to almost everything. In IOT, it's particularly tricky because... first of all, we have information asymmetries. So the level of information between the parties and sometimes, even producers of these devices are not very well-informed. They just think it's time to go and there's this constant rush to the market. They want to act quickly because... the shelf time is not that long.
 
And... also... there's this misaligned incentives and some externalities, if your device suddenly turns into a botnet, part of a botnet, you might not as well notice it. It's your baby cam that might still be working. What the economic analysis told us, regulation, also... is not the only thing that the governments can do. There are several other options, they can promote responsible disclosure of vulnerabilities. They can use these principles for security and privacy, being embedded from the design process. They can also come up with some standards, but... as mentioned earlier, some minimum level of standards. Some governments are really keen on regulating, like, every single, little detail. Which like, probably in six months or so, if they're lucky, are not going to be implementable. Everybody has to play a role.
 
When we're discussing among us, there's this risk, when it comes to IOT devices, unless you have some sort of global level of harmonization, countries or communities who are less resourceful might end up with the, not so secure devices in the end, which is a whole new level of security divide and we don't need that kind of divide on top of the already-existing divides that we have.
 
So... it all makes sense on an economic level. It makes sense on how the internet works. What the GDPR did, for example... it worked as a really good catalyst for the, for our campaign, on a global level. So... Europe regulated, but what happened in the end, because Europe is the business partner for almost all the producers of these devices, it all made sense that now we see a convergence of laws around the globe. With good data governance principles, including privacy by design. And... so... when you have this level of harmonization, the rules that you develop by the end of the day are going to work.
 
So... you can develop brilliant norms, if you cannot manage to get it out, if it doesn't make sense on an economic level, on a practical level and global level, because we need this global cooperation as well, in order to make norms work. The biggest problem of international law is based on the notion that all states are equal.
 
So... life doesn't work that way. In real life, unfortunately, so... that's why, there's this reluctance towards more treaties, in general. I'll stop here.
 
>> MODERATOR: Yeah... one follow-up on that, really quickly. You mentioned kind of like, two dimensions. The first, you talked about, you know... this global kind of like, states level and you also talked about like a practical level. I wouldn't like to separate them, but for the purposes of the discussion, I'd like to throw it to you, Marco, on the practical level, what happens, then, when our Cayla doll in our house is over there and we're saying, it's vulnerable, don't have it in your house, but at the same time, you have your Alexa over there? What happens with this integration? That's the very reality of the practical level. Obviously, we should be mindful that not all countries are in the state of thinking about smart homes, but they are, in fact, with their devices at hand. They are, with smartphones, how do you see that, Marco?
 
>> MARCO HOGEWONIG: Practical terms, you said, it's all interconnected and that somewhat makes it complex, but... I think we shouldn't [indiscernible] the problem. You have that doll and it's bad, we should remove it. We keep using the same components and devices, in terms of what can we do, what we see from the market is there is an awful lot of reporting going on. And create, let's put work on the table. It's transparency. They might be bad for privacy, but you have to consider the other side. Somebody on the internet is struggling to keep its DNS service alive and you're like "why does my Twitter not work?" Because your webcam is attacking your Twitter and the interconnection goes around and creating that transparency, it, it could help. We've seen it from other industries and I do think you raise a good point. From where I'm standing, the biggest threat to me is consumer electronics. It's the biggest field, it's the least controlled field. I've got far less worries with industrial, yes, the impact of industrial failure is much bigger, but... in real systems, there's more thinking about health and safety. There's more integrated thinking, is this really secure what we're doing and you've got less actors to work with. That's a much more controllable space.
 
In terms of, consumers, that's where you really need multistakeholders, we need to get the consumer on board as well, to take their role and take their own responsibility in keeping this environment safe. Sooner or later, we're going to have like the big earthquake and everybody's like "where did my internet go?" It was our fridges or our washing machines.
 
>> Thank you, Marco, you anticipate the question I have for the panel, actually. We had an interesting debate a few minutes ago, on the Plenary, talking about multistakeholder versus multilateral. And I heard that, well... this is something that is outdated, we would need to try to merge all the stuff and let's not be ideological. This is ideological, actually. This is a difference between countries believing that it can continue to regulate something on their own and then, the conception that on the internet, we are all interdependent and that is the multistakeholder process.
 
Talking about security, and the multistakeholder process, even here, the last two days, I was surprised to see how many people still see security on one side and that is inward security. Like... very medieval approach. We identify threats there, we build a wall, we wait for the threats to come and we combat it and put soldiers on the wall.
 
Well... as you just said, Mirai botnet is a wonderful example. You protect your wall, perfect, but someone uses your device, your system, everything. We're all interconnected and interdependent. I'd like to hear from you guys.
 
>> Who would like to start?
 
>> WOLFGANG KLEINWÄCHTER: In the global commission, we introduced a norm, there's a need to distribute this norm more widely and the norm is called cyber hygiene. As an element of security, you can't avoid this even if you have a very, hygiene in your daily practice. You can reduce the risk level, substantially down. This is not case. If I look, into, you know, consequences of cyber attacks or cybersecurity breaches, 70, 80% could have been avoided if all the partners and not only the end user, but also the service provider, the ISPs and you know... all elements in this big train or... this big server would have followed, well-established rules, but they are widely ignored. I think the famous case, it was mentioned in the Plenary of the DNS hijacking in January, in Sweden. You know... this was, the negative effects were reduced because... the Swedes, you know... had a good hygiene in place. It means this is a good example and should be more popularized so the people understand, they can't do a lot against these attacks if they follow the well-established and known rules. And... to, to, with these norms, cyber hygiene and bring this more in the media. 4 billion end users, you'll have an idea -- I think people understand even in India and Brazil, if they cross the street with a red light, they risk their life. We don't have such a mechanism in the minds of the 4 billion internet users, that if they open their laptop, they should be very careful. So... this is the common task of all stakeholders and... you know, if we talk about multistakeholder cooperation, we should, you know... have in mind, there's 4 billion end users and if they work, they're safe, soon we'll have 5 billion users. If we talk about the role of government, this is underestimated, governments are responsible for the educational system and... I really have my doubts, after being, myself, you know, a teacher at a university, that our educational system is from the industrial age.
It's not prepared for the new challenges of the information age. And it starts with kindergarten and goes to universities. We have no fundamental discussion about reform in the educational system over the last ten years. We have something here, something there, but it needs a fundamental, new design of the educational system which would include cyber hygiene as an important topic, thank you.
 
>> MODERATOR: Marco, Ceren, would you like to comment on that.
 
>> MARCO HOGEWONIG: You're right. What we need is a behavioral change. It's fine, you need to learn to wash your hands and we talked about the example yesterday, like... yesterday, you kind of know that you have to cook chicken and if you eat raw chicken, you're going to learn the hard way and next time you'll cook it. It sounds really stupid, but... it is -- that's, that's what's happening and... to repeat for transparency, people need to understand what they're doing wrong and a good point [indiscernible] isn't here, but she, in the prep was also -- yeah... we can teach people to wash their hands, but make sure they have clean water to do so. That's something for the technical community, what we're investing in is capacity-building, building the tools, but in the end, we can build all the tools you want. If you're not using it, we have firewalls, we have -- we know how to -- we can teach you how to set safe passwords, but if you don't go in and change your password... there's nothing I can do -- don't look at me, I'm not going to save you.
 
>> MODERATOR: Just a quick follow-up on that and perhaps a provocation that we also had, okay... so we have to be more aware, we have to be more educated. We need to, you know... understand, don't use the same password, don't use 1, 2, 3, 4, 5, don't use A, B, C, D, E, but... what happens, and then I also like, bring the discussion, not only in terms of security awareness and also in terms of kind of like consumer awareness. Especially how... we go to the fine line of overburdening the user or overburdening, perhaps, the consumer, with the notion that they should already do X, Y, zed before they have, acquire product, even though it says it's safe, you already restored your computer, everything's fine, it's encrypted, but... not.
 
Just wanted to leave that there, just want to leave it -- we have lots of questions on the floor, that's amazing, I'd like to start out with Zoë, right? Please introduce yourself.
 
>> I'm Zoë, here part of YouthDIG. I couldn't agree more. However, my question, for the panel, is, first, we're overburdening consumers, especially when it comes to IOT security. A lot of critics are saying it's too little too late. As a general consensus, consumers are being saturated with data breach reports every day, British Airways losing people's personal data, so... there's almost a lack of urgency and priority when it comes to education, because... you think consumers have access to all this information already, because of the internet, but... nothing is standing out. So... what is the best way forward to increase this benchmark level of understanding when it comes to privacy and security?
 
>> MARCO HOGEWONIG: We read about it in the newspaper, but where's the person from British Airways explaining what he did to his colleagues to prevent other ones, tomorrow it's Jet or Air France. That's what I missed in the conversation, that's part of the enforcement. We tend to think of this as right and wrong -- and who does wrong, must be published. From a private sector perspective, it's all about liabilities, you sit on that secret for as long as possible because publishing it is a liability. We're going to come after you and publish. I think in that sense, in terms of norms and behavior, we might also want to think about it and maybe, accept that we are just learning to ride a bicycle. We will fall off occasionally and the best thing is to keep riding, but also, not punish each other or ourselves. Just accept it.
 
This is really in its infancy. We haven't seen anything yet and we expect this perfect world, it's, it comes from an engineering thing, but failure is always an option. We have to accept that and... rather than just go after them and punish them, accept there was a failure. What can we learn from this failure?
 
>> WOLFGANG KLEINWÄCHTER: Just one comment. If you buy a car, you expect that the car manufacturer gives you a secure car. You know... with an air bag and seatbelt and good brakes. So... but, it's... then, it's up to the driver to use this car in a responsible way. An irresponsible driver can kill innocent people with a safe car. You have a divided responsibility and you cannot take away the responsibility from the end user, but certainly, that end user shouldn't be responsible for the air bag and the, and the seatbelt.
 
>> CEREN UNAL: You're absolutely right. We definitely need more transparency and accountability on a bigger level. What we, particularly try to do, when I mentioned the campaign, we really tried very hard not to say anything, do anything to put additional burden. Unlike cars, IOT devices are not that easy to figure out for the consumers, most of the time, and... when we're talking about -- I'm curious about the outcomes of the proposal.
 
Going back to my legal nerd side, law is all about, or regulation or -- it's all about distributing liability, balancing interest, and what, especially in continental Europe, you have this like, level of, level of behavior that you expect, but that level is different for businesses and for consumers.
 
So... for a regular person, you need to act in a reasonable manner, but from businesses, you need to behave as an experienced businessman would do. It's a higher threshold.
 
So... we shouldn't -- we should never forget about that while trying to find a solution for this. So... working in a collaborative manner, we partnered with the biggest consumer organization on a global level. We also talk to the governments for sound policies, which are not necessarily regulation as I mentioned earlier and also, to raise awareness in the industry to adopt these principles by design. So... it cannot be an after-thought. It's always too late. And there's always going to be a breach, so... the only thing that matters is how well-prepared you are and how transparent you're behaving. The damage gets worse when you just sit on reports and on a, from a compliance perspective, it's like -- the fine that you're going to get if you hide it will be bigger too. But... still, information sharing between the stakeholders is crucial as well.
 
>> MODERATOR: Before we go to the question, I was looking there with the question that Zoë did, I just saw that Frederick was like... no... do you agree? Your expression was just like... I don't know if it overburdens the consumer. I'd like to bring it back to you.
 
>> FREDERICK: Yes, my body language killed me. I appreciate what you're saying, but... I was reacting to what you were saying because... look... we, we always, often compare internet with climate and ecology. I think there is some good grounds for doing this. You remember the calls after the tragedy of the commons in the ecology, if you just throw your trash in the sea, it will come back to you, you will suffer. Well... the first one to suffer will be your neighbor. You won't realize it, but at the end of the day, you'll suffer.
 
The internet is just the same. I believe, yes... we might come back a little bit too often, I don't know how we need to do this, but consumers need to realize that this internet is a common good and this is just not [indiscernible]. You are taking something. You are contributing to it, you are co-responsible for this. If you, in front of me, just don't behave in the right way, you might not suffer, but I will. We are all interdependent. This is what I was saying. I believe we might come back too often with this message to consumers. That's a reality -- there's a shift in something where we all are responsible. This is the base.
 
>> Perfect... let's go to Walt [phonetic].
 
>> Thank you, we will have a session in Berlin, exactly on a topic like this. I'd like to come back to Wolfgang's example that he said, having safety belts in cars. When did that become obligatory and how many people flew through the windshield before that started happening? I've been told because one car company said "we are the ones with the safety belt" and the rest started to follow. There probably will be lessons there, because now it's law, I'm sure, how did that get into law? Who started the pressure? Who started to change that? In my opinion, what is often missing is that with internet standards, they're all there, like Marco said, we have all these standards in place, but why are they not being used? Not being deployed? What sort of pressure needs to be put on industry and by whom to change the outset? That could be one, another company, that will start doing it and being the best example, but... the second one is that politicians start to understand what this is about, but consumer organizations, when they test a new device, they don't just look at how smart it works or how fast it works, but have these standards in place and you have all these boxes, which is going to show bad compared to others or perhaps others will take up the notion, hey, this needs to be changed. How do we get these people at the table? This is something I'm trying to do very hard and hopefully we'll have this session in Berlin with politicians, with consumer organizations, with industry and the rest of us here in this room. And try to make sure it happens. The question is, how do we actually get to engage and actually reach out and make action programs that these people are engaged with and not just talked about.
 
>> MODERATOR: That's a great point. Just before I pass over to the panel, I think that brings us to like the next part of this discussion, which is... what do we do when things go wrong? And I think we already touched upon different aspects of it, but since you mentioned the safety belt, I think that's a really interesting analogy for us to think, are we waiting for a big, you know... cyber attack to happen, because that is definitely kind of like the discourse of, you look at Brad Smith's discourse on the biggest cyber attack is yet to come, then we'll need something bigger to respond to that and then we'll have to raise the awareness of everyone. I think the one did that a little, but we're still far, far from -- is that the only scenario where, when consumers, when users, when you know... different sectors that are also you know -- getting more digital, transforming themselves, is that the moment when they're actually going to realize? And if that's the moment... what are the tools that we're going to have?
 
So... I wanted to bring that, right? Because... I -- I'll give it over to you, Wolfgang, I know the commission has done, has published a single norms package, a great example of, how to specify different processes, such as vulnerabilities equities processes, so... if you could follow up on that, with Walt's question in mind as well.
 
>> WOLFGANG KLEINWÄCHTER: It's impossible to answer the question. Some people have called it a digital Pearl Harbor, have used, historical analogies. If you look back in history, sometimes you could say, yes... mankind needs a disaster to learn from their mistakes. So... the hope is always, with us, that we can avoid a digital disaster and to learn just from anticipation of what could happen.
 
So... but... the wisdom is an issue which is not fairly distributed among all stakeholders around the globe. If you look into some governmental circles, they hide better slight in the middle ages and so far, the title of the UN Report is you know, very useful and this fits what Frederick has said. We live in an interdependent world. Even if some governments believe they can hit another government, sooner or later, this will fire back on themselves. We do not have, like... in the nuclear age, the mutual destruction, which, you know... kept the level of, let's say... you know, certain levels that we had no nuclear war where the whole world disappeared and we have not had such an instrument in the digital age. As Frederick has said, whatever government is doing and believes we can create harm to our enemy... even it's -- you have rights to have an enemy.
 
But... this will fire back to you and... how we can bring this message to the negotiation table now in New York, I think this is important, Russia, China, the Americans, the Africans, Brazil, India, Europe has to understand. They are sitting in one boat and if somebody tries to bring water into the boat, risk the lives of everybody.
 
>> MODERATOR: Would any of you like to comment on that?
 
>> MARCO HOGEWONIG: I was going to, but Wolfgang wrapped it up, we should polarize this as right and wrong. We're all in that boat together. Yeah... it's mutually shared destruction. We created the beast and it's going to eat us, unless we, unless we train our little dragon, now is the time.
 
>> CEREN UNAL: I also think when we're dealing with cybersecurity issues or these breaches, the last thing we should do is spread panic. (?) Our experience and Internet Society for the last two years, working on consumer IOT, focusing on this, it was really eye-opening, because... it was -- we were concurrently working with multiple stakeholders at the same time and now we have established like these multistakeholder processes and also... a platform to share best practices, so... it's an ongoing process, like... no silver bullet is going to solve this silver, gold, or whatever, bullet. Yeah... we're in this ship together... this technology is still fascinating, the opportunities still outweigh, in my view. So... we should find the right narrative to reach out to every stakeholder and again... on an economic level, to turn secure devices, as a competitive advantage. That's, that's the...
 
>> MODERATOR: I'd like to pass over to the question with the gentleman in the back.
 
>> I'm with Economic Affairs in the Netherlands. I have a few remarks, I heard a lot of remarks about industry, about consumers. I think, well... from my personal experience, a couple years running around in this whole environment, I think we're trying to solve the whole information society problem in one half hour. And I think there are several aspects. Raising awareness in consumers, being small, medium enterprises or whatever. I think, that's very difficult because we are selling them dangerous cars, like you mentioned, but still, we expect them to check them everywhere and drive safely. But then we decided to regulate the cars. I think in IT, I don't mention IOT-specifically, but in IT in general or ICT, whatever term you use, I think we just forgot to regulate, I don't know if I'm using the right words, being from the ministry, but... to regulate the security by design principle.
 
Everything is brought on the market, come to market is short. Business cases are very, very difficult and we accept on the market, everything that is manufactured, some are in the, in the world. And I think, the basics should be -- they should be safe then we can have a second phase, raising awareness to units, but then awareness can be simple. I think we, as a society, we have to take care that things are safe, by design. I think that's our main challenge and we forgot to do that. The business cases and the economies of all countries are very based on what's being sold and what's being used as a service.
 
Since this is a global economy, we are a little bit afraid to, to take -- to accept that it might have come a little bit too fast.
 
So... I think that should be on the industry and... getting them to the table, as a stakeholder, to take apart and talk with each other. I think security should be a competition issue. On consumer, I think we have to, indeed, take care that we not raise a burden on consumer, that they just get so much information and they just think, well... it works, it's a nice story, I can use it, I can then, I can get a discount if I hand in my data and who cares? That's a situation where we are in. Another remark I'd make, our community here in the western-minded world, we're thinking we have our culture and we have our truth and I think we have to be very careful that other countries in the world, other regions, it was mentioned a couple times, are kind of the majority, say... well... the western countries, nice, nice try, but we take the authority and now we regulate how it will be. And... then, our free internet is gone. I think that's a few remarks -- not necessarily from the minister.
 
>> MODERATOR: Mm-hmm. Any comments on that? Okay... let's, let's keep it going --
 
>> Sabina: I'm here on a private capacity, not so much on the free internet, but all the talk about seatbelts and waiting for a big incident that we're talking, but... actually, looking at different threats on different levels. From a consumer perspective, the Hindenburg incident might never come. The personal perception risk is no way related to the actual risk. If I get on a plane, a lot of people are deathly afraid of doing so. In a car, not so much. In each case, reality doesn't match the perception. That's something you might have to keep in mind when you look into regulation, in consumer products, people feel safer or might feel safer than they actually are.
 
On the other hand, I'm not sure I agree with Walt that sort of, that seatbelts might have been a unique selling point. I mean, if you look at older generations, people hate putting them on. They feel infringed on their personal comfort and personal freedom and so on, but... indeed, it showed that they work, they protect you from death, they protect you from injuries, so... like... bit-by-bit, I don't know... they were introduced and I think they're here to stay, so... sometimes you must also, I guess, assume a perspective of not just, what does the customer want? What do they feel most-comfortable with, but what is in the interest of herd immunity. I think this is a great way of looking at it. We have a lot of low-level risks, but for a large number of people.
 
>> MARCO HOGEWONIG: Quick response, one important point there. Let's not forget to regulate behavior. If you're not wearing your seatbelt, you get the fine, not the car manufacturer. If you don't send your car to the MOT to hook-up to Siemens, for example, you get the fine, not the manufacturer. That's part of, back to the principles with to each and everybody in their respective roles, there is a role here for the user. There is a role here for the consumer and there is a role here, essentially, for law enforcement to where that user exceeds its boundaries to regulate that behavior.
 
>> MODERATOR: Just to provoke and I'll pass over to the next participant. I think the symmetry of perception is interesting, you're saying there's a perception of risk at the user level, which is very much, not the perspective of the real risk. Do we actually know what the real risk is?
 
So... I'll leave it that and give it to you.
 
>> Thank you very much. I'm not a European.
 
[Laughter]
 
>> I'm from Taiwan. I have a couple points and I think this is a wonderful session and a really excellent dialogue in between, you know... the peoples. I think, first of all, don't forget, we are living in a world with a lot of law existing or... already, it's not, we are not living in the world, is not law at all (?) First of all, if you [indiscernible], can be justified. Property, privacy, you know... that kind of thing, the law is still there. Don't assume there's no law at all.
 
I think, Wolfgang talking about using a car. It's an interesting thing. I have a couple comments about it. One is... when the car has a seatbelt, we have a very good, scientific testing we know that's effective, it works. The difficulty, when we are talking about the regulation, into the cyberspace, to be honest, is a, we don't have evidence to measure that work.
 
So... be careful, you put into a regulation, into the cyberspace and you're not sure there's effective and there is work. It could be possible to damage the user or, for us itself. That's my point... is... unless you really have evidence, you have an effective vendor it works, you put yourself in the risk.
 
>> WOLFGANG KLEINWÄCHTER: The copyright regulation of the European Union is a good example.
 
[Laughter]
 
>> MARCO HOGEWONIG: I can give you a direct answer, what's the risk here? I'm one of the 12 root server operators. At current, there are 993 instances of DNS root server. I don't even need to talk to Michael about what the current background noise is, but I bet you next year there'll be 2,000 DNS root servers. We need to keep up with the continuous hammering of vulnerable devices that send us junk. We'll end up with 5,000 instances and somebody has to foot the bill. Currently, it's my members, footing that bill, partially and we keep adding instances and we keep adding capacity to that network, just to keep up, I'm not sure we're going to win that weapons race.
 
>> MODERATOR: Weapons race. Okay... over to you.
 
>> Thank you for the talks. I agree with what you said, but also disagree slightly as well. My background is law enforcement, I work for a cybersecurity company. I think we've had critical instances already, but people just label them differently. There was an attack on NHS and the U.K., that disabled the system for two days. I think that's not quite zero day, we've had the attacks on elections, I think these are all critical events that people forget and trying to gloss over and we talk -- I do agree about the IOT things, but there's big things happening that we just don't talk about enough.
 
I think we do need regulation and strong regulation because... there's manufacturers that don't take it as seriously as we do. If a company can build planes and say we can do software updates, there's something going very wrong.
 
And then, what I do like... what you're talking about, is our ideas, but what are the practicalities? Some of these are very aspirational. What would you say we need to do in the next 24 months to say this is going to change things? But also... if those are the things you want to happen in 24 months, what are the measurements to say they worked or haven't worked. That's something we don't do either.
 
>> MODERATOR: That's the million dollar question. I'll pass over to the panelists and anyone in the room that wants to react to that as well. I think it's a collective effort of thinking about how we measure the effectiveness of, you know... how do we respond? How do we measure the effectiveness of the responses that we have. So far, is it regulation that will actually provide us with better safeguards, either in terms of developing protocols for responding to incidents or in creating spaces for cooperation or instances where we have to cooperate. So... yeah... I'll just pass it over to the panelists. Anyone wants to start with that?
 
>> MARCO HOGEWONING: Good current example, airplanes. Usually these kind of disasters, these kind of very big disasters don't happen because of a single thing going wrong. It's, it's a sequence of events and back to my point, we need to learn what went wrong here, because... as, as people are still investigating, yes, the regulation was there, but actually, the regulator told people to take the box themselves. That might not be a good way to enforce regulation.
 
Yes, it wasn't a zero day, there was a [indiscernible] available, why it wasn't in the system is the second question we need to ask, but then also, in that term, again... back, we have to, all, change behavior. Zero days are actively traded by people who think it's a weapon to somebody else. That's from an industry perspective, quite problematic. If somebody finds zero day, rather than call the manufacturer, put it out on the market and sell it to another government. I can't keep up. That's something I will never, ever win from. Don't ask me to improve my products if you don't tell me I have a vulnerability.
 
>> CEREN UNAL: I'll try again. It's a difficult one. But there are several indicators that will show success. So... what we aim in general, consumers somehow shifting the market for better products, more secure products. Eventually we'll have less. We can never promise zero incidents, zero breaches. That's not realistic, but it'll be less damage, it'll be less in number and we can always say it's like, the minimum standards imposed through regulation or other kinds of processes, so... security, privacy, at least from an IOT perspective, which will improve the overall security of the internet infrastructure and... another, maybe, another discussion topic is like... most of the stuff we talk about, around cybersecurity or, and around internet regulation, instead of Internet Governance, is things happening, which are already illegal under several existing laws, which are happening on the application layer.
 
So... what's happening to the infrastructure when you try to regulate these incidents, these cases is another issue to look forward. Because... there might be some unintended consequences with regulations, with totally good intentions. I'm not naming or blaming anything.
 
>> MODERATOR: Okay... well I'd like to go back -- oh, well, sure.
 
>> Yes, it's on now -- I'd like to respond to the comment the gentleman in front of me made. Just to add to that, if you lived in the Ukraine in the winter of 2018 or 2017, I can't remember what year, when the electricity went down for days and weeks on end, you had your doomsday scenario, if you lived there. That certainly doesn't affect the rest of the world and not myself. But there are examples of certain parties that have gone through very serious incidents, except, how do you translate to a world level.
 
The other one is on measuring, I think that it was in 2006 that the, our state's Secretary of Economic Affairs said we need to do something about botnet mitigation and it took seven years for the center to open. But... what it did was actually, they got everybody on board because the, the ministry funded the start-up, the registry said "we'll host the device for you" so that the market didn't have any cost, but... what they coupled to it was measurement. So... they asked the university to actually come up with reports on does this action work? That's how you can change something by a little incentive from the government, but... making sure that the good guys and the bad guys are starting to stand out and after a few words, they named the shame in the reports. Pressure should be put on the market to start cooperating on a tool that's made available. That's an example, how you can actually measure results from what the government says is a good direction to move into and facilitate that. Perhaps there are other examples in the world that could be shared, that could be used by others to copy, for example.
 
>> MODERATOR: Anyone wants to comment on that? I just wanted to throw the ball back to Wolfgang because... I know and I've been in several of the hearings of, or... the outreach of the global commission, so... I was just wondering, Wolfgang, how was it, in terms of kind of actually getting other stakeholders on board, I was there over at ICANN, I saw at the Global Conference on Cyberspace, how was it to get other parties to understand? Some of these norms actually kind of like reecho a lot of what we have been talking over here.
 
So... why don't we just actually take them forward? How was it for you, Wolfgang, as a commissioner, to see that going forward?
 
>> WOLFGANG KLEINWÄCHTER: That's indeed a problem that we have now, so many different initiatives and... this, kind of, natural interest to create an environment which, you know... promotes security in cyberspace, on the various levels, the state level, the business level, the technical level and so on. It has led to this, many different initiatives, you know? Siemens, Microsoft, Telefonica with a new deal, now we will see, soon, the Cyber Peace Institute, we have the Global Forum on Cyber Expertise. When we started work with the commission, we had another element to it. When everybody was talking about principles for Internet Governance, you know... we had to, you know... dozens of initiatives, the Council of Europe, the OACD adopted certain principles for policy making and in 2013 a workshop with 15 different instruments on principles for Internet Governance. This is confusing for the public.
 
So... the conclusion was from the Bali meeting, we have to look into various initiatives, all have their limitations. A number are only supported by one stakeholder group, like government or the Civil Society, as is are just for the region. And... the outcome was okay... can we create something which is multistakeholder and global? And... the result was the net majority iteration. It was put forward by Snowden and the need for the transition, but finally, now we have a document that is the declaration that is global and multistakeholder and the best reference point we have, so far, for Internet Governance in general. This is what I see, now, with the cybersecurity discussion, that we are moving to a certain moment where we have to come, probably in two or five years from now, probably in 2025, when we have the next World Summit on Information Society, it's not yet decided how to organize this meeting, but it's already decided that we have a meeting in 2025, so... only five years to go. You know... to bring this, various initiatives into, this process of enhanced communication, but... enhanced corporations, people talk to each other and feel out what is needed so this is for the whole globe and involves all stakeholders and the UN panel, the proposal to have a call, a global call for trust and security in cyberspace, which reflects a little bit on the Paris call that's already on the table, is the next step and probably, we can bring all these various initiatives into, into a general framework which would allow them to deal with the very single, specific issues. Because... you cannot manage the whole cyber secure issues in one big treaty. You can have a big framework, but then you have to go to the individual issues and also the proposal made by Uri Rosenbaum [phonetic] to declare attacks against the root server system. The DNS, the IP address system, routers, servers, satellite, cables, as a crime against humanity. 
Could be a first step, it's a small step, but could be a cornerstone to build in the 2020s, a whole cybersecurity architecture which would include a smaller number of individuals, smaller treaty, so... that you can handle this case by case, issue by issue, and... this would, then, constitute in the next ten years, you know... a framework for cybersecurity.
 
>> MODERATOR: Thank you, I think we are about to wrap up, but before we wrap up, I would just like to say that the objective of this session was mainly for us to really try to get the perspective of how do we look forward? And how do we also, bend, you know... the bridges, how do we build the bridges between this kind of like international norms discussion and kind of like the very practical, as we state a lot of times in the discussion, talking about the user, the consumer, what are the types of safeguards? Should we just go for self-regulation? What are we looking at, the next ten years. What is the type of regulation, if any, are we looking at as we look forward? What kind of security do we want to see for the next ten years? How do we respond effectively? How do we build a specific measurement? How do we know how to implement? I think the main, the main question, over here, was how do we connect these two different levels, which are not, necessarily detached from each other, but are definitely, in two different narratives. How do we make them converge.
 
That was pretty much the effort over here. I'd just like to pass to our reporter for the five main points -- three main points of our session. Yeah...
 
>> Stefania Grottola: Thank you, everybody, we are producing reports from all the sessions, independent reports from all the sessions and we also produce the five messages... can you... these are the messages from this workshop that will be sent to you and the secretariat, but I need a rough consensus.
 
The first message is all stakeholders need to be represented at the table in their respective roles. Despite some issues have to be settled by a specific expertise-based stakeholder group, conclusions can only be reached if all the stakeholders' perspectives are taken into account. To this extent, inclusive multilateralism could address current tension between multistakeholderism and multilateralism? Is there consensus on this? What do you think? Yes?
 
Current technological challenges have created a global appetite for further regulation, nevertheless, flexibility is required in understanding on case by case whether further regulation is needed. Some of the challenges currently hampering the regulatory policy making process are related to the false dichotomy that privacy and security are in contrast with each other. Security and privacy by design can be a solution.
 
The current approach has promoted self-regulation. Debates on effective regulation need to consider and implement stronger enforcement mechanisms which existing institutions and tools are lacking. In the absence of an independent judiciary for cyberspace, new mechanisms for dispute settlement should complement existing legal frameworks. Following this line, the implementation of best practices by like-minded countries can further strengthen the adoption of responsible behavior to a large number of actors.
 
In order to address the challenges posed by emerging technologies, better transparency and accountability mechanisms are required. Digital literacy, security and consumer awareness need to be implemented for a more effective holistic approach. Is that okay?
 
>> Yep!
 
>> MODERATOR: Paul, right?
 
>> Paul from the U.K. government. Thank you very much for a really good discussion. I really enjoyed it and I learned a lot from this discussion. Thanks very much, to the panelists. I have just one comment on this, the last sentence of the first paragraph, I'm not sure that we had a very developed discussion of this idea of inclusive multilateralism. I personally, am not sure what it means, still. I think we need to talk about that a little bit more. It sounds a little bit like a contradiction in terms to me, so... I wouldn't, personally include that in the messages coming up. I don't think we covered it in our discussion.
 
>> MODERATOR: I think Wolfgang mentioned that, it's more, you're bringing the example of the high-level panel and digital cooperation. And we can just leave it as multistakeholder, if that's okay with everyone. I believe we have greater consensus on that. And I think that's, that's perfect. I'd like to thank you all for the great participation. I hope it was as enriching for us as it was for you and... I'd like to personally thank just all of the panelists, I'm really honored to have you here and Tonya, again, for the great help in all of this. Thank you all for being here and look forward to the next EuroDIG.
 
[Applause]
 
[Presentation concluded at 12:29 PM Local Time].
 


''This text, document, or file is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text, document or file is not to be distributed or used in any way that may violate copyright law.''


[[Category:2019]][[Category:Sessions 2019]][[Category:Sessions]][[Category:Security and crime 2019]]

Revision as of 16:08, 8 July 2019

20 June 2019 | 11:00-12:30 | YANGTZE 2 | Video recording | Transcription
Consolidated programme 2019 overview

Proposals assigned to this session: ID 8, 18, 29, 56, 87, 137, 156, 163, 181, 191, 192, 206 – list of all proposals as pdf

You are invited to become a member of the session Org Team! By joining an Org Team you agree that your name and affiliation will be published on the respective wiki page of the session for transparency reasons. Please subscribe to the session mailing list and answer the email that will be sent to you requesting your confirmation of subscription.

Session teaser

Cybersecurity has become a buzzword for a plethora of actors, issues and spaces. In the past years, the EU has sought to bolster its approach to create shared norms and principles for regulating emerging technologies and building institutions to address challenges for the peace and stability of cyberspace. This includes, but is not restricted to, the NIS Directive, Cybersecurity Act and Digital Single Market strategy. However, this session invites participants to think together on how to keep up with emerging technical challenges deriving from new technologies in the next decade.

Session description

There are many possible pathways to addressing the changing nature of security and regulation vis à vis the expansion of emerging technologies. This session takes on the challenge of looking forward and engaging the audience in responding to several main issues:

(1) Setting the Scene - what are the technological challenges for cybersecurity?

(2) Navigating the maze - how do we cope with technological challenges?

(3) RED ALERT! What to do when things go wrong? - The cybersecurity Act, GDPR and other regulations have sought to prescribe new mechanisms for responding to breaches and cyber attacks. What happens when trust, cooperation, and existing mechanisms are not enough to assess, identify, and respond to new vulnerabilities. How do we assess the red lines?

(4) Will regulation run out of time?

Format

The session will engage the audience and resource persons in interactive dialogue guided by the moderators. Both key participants and the audience will provide examples of how they have been coping with the pace of technological change by working in their respective areas, identify and discuss the regulatory and other responses to new vulnerabilities.

Ultimately, both key participants and the audience will conclude with target-focused contributions on the biggest challenges for securing emerging technologies in the next 10 years, and on the possible/desirable regulation in Europe in the near future.

Further reading

Until .

Links to relevant websites, declarations, books, documents. Please note we cannot offer web space, so only links to external resources are possible. Example for an external link: Website of EuroDIG

People

Until .

Please provide name and institution for all people you list here.

Focal Point

  • Louise Marie Hurel, Cybersecurity and Digital Liberties Programme | Igarapé Institute Media and Communications (Data and Society) | London School of Economics and Political Science (LSE)

Organising Team (Org Team) List them here as they sign up.

  • Chivintar Amenty, YouthDIG 2019
  • Louise Bennett
  • Fotjon Kosta, Coordinator of Albania IGF
  • Olga Kyryliuk, The Influencer Platform
  • Erlinda Lleshi, IT

Key Participants

  • Marco Hogewoning - RIPE NCC
  • Ceren Unal - ISOC
  • Wolfgang Kleinwächter - Professor Emeritus from the University of Aarhus, Commissioner, Global Commission on the Stability of Cyberspace (GCSC)

Moderator

  • Louise Marie Hurel, Cybersecurity and Digital Liberties Programme | Igarapé Institute Media and Communications (Data and Society) | London School of Economics and Political Science (LSE)

Remote Moderator

Trained remote moderators will be assigned on the spot by the EuroDIG secretariat to each session.

Reporter

  • Stefania Grottola, Geneva Internet Platform

The Reporter takes notes during the session and formulates 3 (max. 5) bullet points at the end of each session that:

  • are summarised on a slide and presented to the audience at the end of each session
  • relate to the particular session and to European Internet governance policy
  • are forward looking and propose goals and activities that can be initiated after EuroDIG (recommendations)
  • are in (rough) consensus with the audience

Current discussion, conference calls, schedules and minutes

See the discussion tab on the upper left side of this page. Please use this page to publish:

  • dates for virtual meetings or coordination calls
  • short summary of calls or email exchange

Please be as open and transparent as possible in order to allow others to get involved and contact you. Use the wiki not only as the place to publish results but also to summarize the discussion process.

Messages

  • All stakeholders need to be represented at the table in their respective roles. Despite the fact that some issues have to be settled by a specific stakeholder group with expertise, conclusions can only be reached if all the stakeholders’ perspectives are taken into account.
  • Current technological challenges have created a global appetite for further regulation; nevertheless, flexibility is needed for understanding, on a case by case basis, whether further regulation is needed. Some of the challenges currently hampering the regulatory policymaking process are related to the false dichotomy that privacy and security are in contrast with each other. Security and privacy by design could be a solution.
  • The current approach has promoted self-regulation. Debates on effective regulation need to consider and implement stronger enforcement mechanisms which existing institutions and tools tend to lack. In the absence of an independent judiciary for cyberspace, new mechanisms for dispute settlement should complement existing legal frameworks. Moreover, the implementation of best practices by like-minded countries can further strengthen the adoption of responsible behaviour to a larger number of actors.
  • In order to address the challenges posed by emerging technologies, better transparency and accountability mechanisms are required. Digital literacy, security, and consumer awareness need to be better implemented for a more effective holistic approach.

Video record

https://youtu.be/52j085MM8fk

Transcript

Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: +001-800-825-5234, www.captionfirst.com


This text, document, or file is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text, document, or file is not to be distributed or used in any way that may violate copyright law.


>> MODERATOR: Hello? Hello, everyone. Let's take one minute before we start, but I just wanted to invite you all that are sitting at the site to join us at the table. The table is now at a special place. The space where all of us should be sitting. I'd like to challenge you, over there, to engage and to be at the table. We're going to have some very good discussions and we're going to need your interaction. This is not a Plenary, this is a place for you to talk.

Okay... let's take one minute to see if any other person is going to come in and we'll start. Okay... I see some people have taken on the challenge of joining us in this table. I'd continue to encourage you to join us at the table. I'm going to stand because I feel, you know... let's break this post Plenary environment and be very at-ease and... be willing to grab the mic, so... there's a mic over here, there's a mic over there, there's a mic over there. If you want, you can just sit beside Marco and grab the mic over there. There's a lot of opportunity for us to talk today. This session is called cybersecurity challenges ahead! How would you shape regulation to address changing technology?

I'd like to first thank Tatiana for being such a supportive person throughout this process of helping grab people and have them over here. This is pretty much a follow-up from the discussions we had yesterday at the Plenary. Looking ahead, thinking about what we mean with regulation of emerging technologies. Thinking about the constraints in terms of dealing with security, value accountability and transparency. Some of the things we heard yesterday at that Plenary, we're looking for the perfect legislation and we're looking for regulation in the present. Another thing that was said was, if you want your policy to endure, you need to look to the past and to the present. And now, we just got back from an interesting Plenary session, talking about the UNGGE, the United Nations Group of Governmental Experts. Talking about different norms at the international level. How do we understand, actually, the trickle down of these norms? How do we understand that? How to implement them?

As Maria was saying, we have a very good understanding, specifically at the Internet Governance Community, we're looking at accountability, transparency in the processes, but are we talking about implementation?

So... this panel is very much focused on bringing us back to, you know, let's talk about the feasibility. Let's talk about the implementation, let's talk about, should we regulate emerging technology? Shouldn't we regulate it? How do we go about the gap between these international norms, these international cybersecurity processes, and what happens at kind of like the operational level? What happens at, you know, the technological level?

So... I'd like to challenge you today to join me in this conversation. First of all, I'd like to present -- please feel free to join at the table, too, I'd like to present, first, Wolfgang Kleinwächter. Sorry if I didn't say that correctly, my German is really bad. But... he's a commissioner at the Global Commission on Disability of Cyberspace. Marco, help me with your last name. Hogewoning. I'd like to start out by asking Wolfgang, please take my seat over there. Because... I think it might be easier, but... I'll pass it over to you. Wolfgang, tell me how do you see -- I'll give you the mic, no worries. How do you see the progression between the discussions that we were having at the Plenary, specifically in terms of cyber norms at the international level, how do we make this more palpable? How do we bring this to our everyday reality? How do we ensure that these processes, actually, are effective?

>> WOLFGANG KLEINWÄCHTER: The easy question, difficult to translate into reality. Internet Governance debates are like the Mississippi, it flows, it flows, it flows, and still, 1,000 miles to New Orleans, and if you arrive in New Orleans, you have a delta and you cannot oversee, you know, how many small rivers are there.

So... it's very complex and so far, the debate we had just in the previous session was very helpful to discuss this multi-stakeholder multilateralism, which concluded in the recommendation. It's nonsense to have, debate it in an ideological way. You need all stakeholders on the table, in their respective flows. I think this was the, the language which was introduced already to this agenda when the working group on Internet Governance defined what Internet Governance defined what this is. Stakeholders operate in their respective flows. It means there, are issues. Because we have so many issues there, are issues which has to be settled by a complete stakeholder group. The technical community has a special responsibility. The businesses have their own responsibility. Civil Society has their own responsibility. Governments have their own responsibilities. It means there are issues which should be negotiated within the stakeholder groups, but embedded in multistakeholder environment. That means no stakeholder alone, can come to a final conclusion or final decision, you know, without having a consulting process or whatever, by taking into account the positions of the asset stakeholders. No stakeholder can substitute the other stakeholder. Civil Society cannot substitute government, business cannot substitute government, government cannot substitute business.

But you have to have the various perspectives. There's no single answer to an internet issue, you can have various perspectives. And... you can come to reasonable outcomes, only, if you take the various perspectives onboard and on basis of this, let's say, knowledge and then you can come to a sustainable decision by people who have a day to decide. Technical people would be stupid to ignore the broader environment and just do the RFC in their own silo and the same, you know, with the group of governmental experts in the United Nations. It's intergovernmental body and probably governments under certain circumstances have to talk to each other. But... they would be stupid to ignore the debate outside the, the UN headquarters and... not to have this open consultation and oh, let's wait and see what these two processes, which we'll start now September in New York, will produce, but... I think the pressure from the community should be, you know... we live in this one world and... and... we are, do not live in, let's say, closed communities anymore.

And... so far, to have this, let's say, conceptual discussion about the, how to combine in an effective way, multilateralism and multistakeholderism. The general has used the language, inclusive multilateralism. This is interesting, he has used the language, smart regulation. Means there's no need to regulate everything, but in certain circumstances, it's good to have, let's say binding legislation, then you can have more nonbinding, voluntary codes and things like that, so... it means you have to work with the full spectrum of, of opportunities and so... so far, this is, you know... a lot of discussion. The 2020s will be very interesting. We need small concrete outputs, but... do not expect that somebody has a silver bullet on both sides of the problems over the next two years, thank you.

>> That's perfect, I'd like to bring a point from our previous discussion, I think it's very interesting and I want to give back to you, Wolfgang, which is, we had that poll, right? And one of the answers that we had was that participants had agreed that we need more norms for state behavior and regulation for corporate behavior. So... we -- do we need more regulation? That's, perhaps, my question. What do you think, Wolfgang?

>> WOLFGANG KLEINWÄCHTER: Yes and no. It depends from the case. I think in previous terms, we had regulation and input every issue under this broad regulation. In the information age, I'd build regulation around the issue. There are issues which need precise regulation. There are issues where you could say general framework is better, this offers more flexibility. Certainly... if you come to various security-related issues, we will discuss a little bit later, certifications for products which have a lot of vulnerabilities and could risk life, then... probably, here, you need strong regulation.

>> Mm-hmm.

>> If it's just some guidelines for the development of AI, probably, then... voluntary guidelines, single guidelines are better. It depends on the issue.

>> Thank you, Wolfgang. So... I think I'm now going to pass it to Ceren (?) Could you say what are the main technological challenges we see ahead. We were talking about the future, looking at what's ten years from now and looking also in terms of regulation. Should we regulate? Shouldn't we regulate? Should we be talking about the question of regulating or not regulating? Where's the starting point. I'd like to hand it to you.

>> That's the million-dollar question, isn't it? Also, like, reflecting from the poll from the session earlier, it's like after relationship, for example, I remember a similar poll. After Cambridge Analytica, it's the companies that need regulated. There's this global appetite to regulate, which is understandable. We've been working for the last two years on the campaign on IOT security at internal society, IOT is a very complex ecosystem and privacy and security cannot be isolated from each other. Everything is strongly-connected to each other. We were focusing on consumer IOT, which is particularly vulnerable. It's, it's more than 60% of the market share. And... there's also an economic aspect to that, which probably, we can talk about that later, but... what we did is, also with this global appetite, we showed a survey in combination with consumers intonation. Most of the people stated they thought IOT devices were creepy, yet... they said they're going to buy them anyway. They also said somebody needs to do something about it. That somebody, who? The jury is still out.

What we tried to do, it's -- the internet is, by definition, a globally interdependent network of networks. That's how the internet works. When we talk about multistakeholderism, it sounds cliche, but it makes sense. That's how the internet works. No single actor, even if they come up with the most -- I mean, I'm a lawyer by training, so I love that we can talk hours on how to draft, how to craft norms and... which rejections should be embedded and things, but by the end of the day, you need to cooperate on a global level. This isn't some nicety offered by governments or Civil Society or technical community to sit on the table. Simply, we need each other. Everybody has a say, everybody has to play a role in this.

And... what we try to do is we started our multistakeholder process, it started, first, in Canada, including the government, private actors, Civil Society, now it's spreading. Why I'm saying this, it works on a global level. Now we have another multistakeholder process going on in France. Another one has started in Senegal, another one just started in Uruguay. This actually works.

This was a very, like a voluntary norm, developing process, mainly focusing on privacy, security, resilience and transparency aspects. Which goes on for the whole lifecycle of the products. Our whole campaign was based on the internal society, the Online Trust Alliance. They built up a very substantial, detailed principles called the IOT trust framework. So... the discussion was going around that. I'm glad to see that now the Canadian process is finished and... we'll see how the implementation goes and I think multistakeholders, we're going to discuss that further, but... if we want to have technology proof, norms, we need to have, we need to be realistic. We need to have some sort of flexibility. We need it to be adaptable to changes. So... these kinds of norms, which are built by consensus, by agreement for both stakeholders. In the IOT market in particular, the toughest part is to incentivize. I'm also kind of scared on a personal level, I'm scared of, I agree that there's an urgency to address some issues. I agree that the governments obviously have the, the main duty to protect their citizens, but if you look at the G7 outcome documents, for example, we're really worried about some of the proposals which are being currently discussed around the globe and Europe, that we can encryption, which is the strongest tool for security and another challenge, it's not a technological challenge, but a mentality challenge, we still hear the "I have nothing to hide" argument from the general public and also the false dichotomy of privacy versus security still exists, which is probably another issue to discuss. Thank you.

>> I definitely agree there's a component of education that comes together with understanding the technology and effective ways to build policy. What's the kind of process that we need and what kind of outcome are we actually looking at? I forgot to mention, but I think one of the good things for us to think about over here, at the international level, we talked a lot about the international norms and talked about, you know... different sets of norms that are coming up, be it at the UNGG or the GCSC proposing different packages. I think that one of the things at the European level that we've been seeing is definitely like an increased attention to cybersecurity, a robustness not only in terms of institutions, but policies. The EU Cybersecurity Act that was mentioned earlier, we have also, the ANISA [phonetic] gaining a new body, a new institutional role. We also have, on the other hand, other proposals such as developing a blueprint for coordinating cyber attacks in Europe. I'd like to pass over now to Marco, Marco, what are your thoughts coming from the technical community. How do we reconcile emerging technologies and most-importantly, the focus of this discussion, how do we consider security on all of that and don't end up in this endpoint as Ceren was mentioning, between security and privacy as dichotomous. How do we go about that?

>> MARCO HOGEWONIG: It's a tough question to answer. I'm looking and just my background isn't technology, so... I'm kind of looking this -- sometimes in my technocratic engineering way. I think it's, I see a lot of people reinventing the wheel. I think from a technical perspective, it's also, look at what you have. And try to improve on what you have rather than spin up another venue, institute, institutionalize somebody else to take care of it.

I want to jump back to the principles of Internet Governance. Everybody in their own respective roles. Where I sit more and more, we throw technology at technology. We see technology as a threat. We put more technology to counter that threat. What happens at the same time, we more and more, seem to be shifting the role, where more and more of what is a regulatory role is privatized. We are looking at the big corporations to regulate themselves. Yesterday, during one of the sessions, I think it was Commissioner Garfield that said regulation is failed. If we agree to that point, where self-regulation is failed, then we are telling them to self-regulate. I think we have to understand that self-regulation actually means regulation. It's maybe not the regulation that failed, it's probably better to look at the enforcement that failed. Whether that's the existing institutions that are lacking the capacity to understand what goes on and be effective in the enforcement. Whether we have to define new ways to enforce it, that's something we can discuss. And it was also pointed out by Jaya [phonetic] yesterday in the panel, we all know that product is bad, take it off the market, stop selling it and I do believe there is existing regulation and product conformity that would enable us to do that. Stop here, right now, take it off the market, come back when this product is safe.

>> MODERATOR: Great, Wolfgang, do you agree with Marco when he says it's about enforcement?

>> WOLFGANG KLEINWÄCHTER: Yes, and here we have a gap in the ecosystem. We don't have mechanisms that mean if two parties have a conflict, how they settle this. And... if the German government says we have hate speech and fake news in these other networks and delegating to Facebook, that's not the right way to do it. You have to have a neutral third party which will then, if there's a governmental approach and private sector approach, decides this... under neutral conditions, based on norms in the law. We do not have the so-called independent judiciary for cyberspace conflicts. If you start a procedure, then probably, it takes years until you have an outcome. So... I would think for a lot of this, very practical issues, we could be able to introduce new mechanisms for dispute settlements contributing to enforcement. Companies know if they do not respect the norms, they have to pay consequences.

Also, other states have to face consequences. So far, a cyber attack against another state remains without consequences. This is an invitation for us to say, okay... we can just, you know... hack somebody in another country and the price is low that has to be paid. You know... it's difficult to attribute and all this. We don't know all the complexities, but so far, we do not have a price list for wrong-doing in the internet. So... a lot of wrong-doing on the internet remains without consequences. This relates to the enforcement, but... for enforcement, we do not have the adequate mechanisms. So far... this is an invitation to be creative and to come up with something which is new. We have the domain name, [indiscernible] in the 1990s, when trademark and domain names were mixed. It was a very complex issue, and then a new thing was introduced, invented. The UDRP [phonetic] that works quite well. You cannot settle all the issues. There'll be 5 or 10%, probably, to go to us, the procedures, but my experience tells me 60% is more than 40%, 80% is more than 60%, 100% is nearly impossible, but... if you can remove 80%, of wrong-doings and hate news and fake speech, you have achieved a lot.

>> MARCO HOGEWONIG: I want to add to your example. What we see, a lot of ccTLDs are adopting the WIPO arbitration procedure. We are kind of jumping back to established mechanisms to settle disputes on the internet. There's a lot there, it's just that we have to apply it correctly.

>> WOLFGANG KLEINWÄCHTER: There's no need to reinvent the wheel. I fully support you. If you have the wheel, use the wheel, but if you have no wheel or the wheel was stolen, you need a new wheel.

>> MODERATOR: Absolutely, Jackie?

>> On that, Wolfgang, thank you for bringing up the notion of the wheel. How do we go about designing the wheel? If we see the struggles that are apparently real at an intergovernmental level as well as on a company level to agree on fundamental principles, let's say, such as, is international law applicable to cyber -- to offenses in cyberspace? How can we create alignment around a mechanism, for example... that everyone subscribes to or the key party subscribes to in terms of enforcement? I wonder how, how we should go about bridging ideological gaps, maybe? Maybe there's other gaps, and ideology, I don't mean just political, but also community-based ideology, for example, thank you.

>> WOLFGANG KLEINWÄCHTER: The world we live in, you miss political will of key players to come together and find common solutions, so... [indiscernible] has this wonderful project on internet restrictions. The basic idea is you have protocols among states and different jurisdictions, which would allow, you know... to settle a lot of these issues, just by following the protocols which link states together. Like the TCP/IP protocol links networks. The difference between networks and jurisdictions is networks do not have a political will. But... jurisdictions are represented by governments, have a political will. If you have no political will, it's an illusion to find the right pictures. The only way out or way forward is to build groups of like-minded countries and to bring good practice, so the practice is so accepted by a majority of stakeholders that the, the countries will feel pressure and have no other alternative than to join the club. So... this is what Bill Clinton has defined, years ago, as stumbling forward. No big jump, but small steps. Here a little bit, there a little bit and you have a complex mechanism with a lot of smaller things that can be pulled together like the dots. This creates a mainstream which could, you know... improve the situation in the next ten years. We're talking about the 2020s, so... this has to be done in a process and not as a project.

>> MODERATOR: I'd like to pass over to Ceren now. It might be interesting. Wolfgang was talking about the challenge of getting to the table of how you build legitimacy around these processes and like to pass over to you Ceren to share how was it with the multistakeholder group in Canada and how you see this going forward, specifically. You said that it has been proliferating across different countries and has been very bottom-up. How do we engage? How do we approach security and trust in IOT? How do we think about this looking forward? And what are kind of like the best practices in this experience of actually getting people to the table?

>> CEREN UNAL: I think the first trick is like, being very realistic and picking the right topic. So... consumer IOT might not strike as the biggest threat to consumer IOT -- to cybersecurity, but... I'll just say two words. Mirai botnet. The governments need to do something about it and the technical community was kind of, I'd say, they wanted to act before some sort of unexpected heavy regulation appears, which is a good way to incentivize the businesses, the industry. And of course, the users, they were scared, they were using these devices because it's convenient, it's convenient, it's cool, it's nice, it's, we're talking about IOT still as emerging technology. It's here, it's here to stay and going to evolve. That's why, like, overregulating is very tricky.

When we did the, when we did the economic analysis of the market, we work with -- I love how you can have an economic explanation to almost everything. In IOT, it's particularly tricky because... first of all, we have information asymmetries. So the level of information between the parties and sometimes, even producers of these devices are not very well-informed. They just think it's time to go and there's this constant rush to the market. They want to act quickly because... the shelf time is not that long.

And... also... there's this misaligned incentives and some externalities, if your device suddenly turns into a botnet, part of a botnet, you might not as well notice it. It's your baby cam that might still be working. What the economic analysis told us, regulation, also... is not the only thing that the governments can do. There are several other options, they can promote responsible disclosure of vulnerabilities. They can use these principles for security and privacy, being embedded from the design process. They can also come up with some standards, but... as mentioned earlier, some minimum level of standards. Some governments are really keen on regulating, like, every single, little detail. Which like, probably in six months or so, if they're lucky, are not going to be implementable. Everybody has to play a role.

When we're discussing among us, there's this risk, when it comes to IOT devices, unless you have some sort of global level of harmonization, countries or communities who are less resourceful might end up with the, not so secure devices in the end, which is a whole new level of security divide and we don't need that kind of divide on top of the already-existing divides that we have.

So... it all makes sense on an economic level. It makes sense on how the internet works. What the GDPR did, for example... it worked as a really good catalyst for the, for our campaign, on a global level. So... Europe regulated, but what happened in the end, because Europe is the business partner for almost all the producers of these devices, it all made sense that now we see a convergence of laws around the globe. With good data governance principles, including privacy by design. And... so... when you have this level of harmonization, the rules that you develop by the end of the day are going to work.

So... you can develop brilliant norms, if you cannot manage to get it out, if it doesn't make sense on an economic level, on a practical level and global level, because we need this global cooperation as well, in order to make norms work. The biggest problem of international law is based on the notion that all states are equal.

So... life doesn't work that way. In real life, unfortunately, so... that's why, there's this reluctance towards more treaties, in general. I'll stop here.

>> MODERATOR: Yeah... one follow-up on that, really quickly. You mentioned kind of like, two dimensions. The first, you talked about, you know... this global kind of like, states level and you also talked about like a practical level. I wouldn't like to separate them, but for the purposes of the discussion, I'd like to throw it to you, Marco, on the practical level, what happens, then, when our Cayla doll in our house is over there and we're saying, it's vulnerable, don't have it in your house, but at the same time, you have your Alexa over there? What happens with this integration? That's the very reality of the practical level. Obviously, we should be mindful that not all countries are in the state of thinking about smart homes, but they are, in fact, with their devices at hand. They are, with SmartPhones, how do you see that, Marco?

>> MARCO HOGEWONIG: Practical terms, you said, it's all interconnected and that somewhat makes it complex, but... I think we shouldn't [indiscernible] the problem. You have that doll and it's bad, we should remove it. We keep using the same components and devices, in terms of what can we do, what we see from the market is there is an awful lot of reporting going on. And create, let's put work on the table. It's transparency. They might be bad for privacy, but you have to consider the other side. Somebody on the internet is struggling to keep its DNS service alive and you're like "why does my Twitter not work?" Because your webcam is attacking your Twitter and the interconnection goes around and creating that transparency, it, it could help. We've seen it from other industries and I do think you raise a good point. From where I'm standing, the biggest threat to me is consumer electronics. It's the biggest field, it's the least controlled field. I've got far less worries with industrial, yes, the impact of industrial failure is much bigger, but... in real systems, there's more thinking about health and safety. There's more integrated thinking, is this really secure what we're doing and you've got less actors to work with. That's a much more controllable space.

In terms of, consumers, that's where you really need multistakeholders, we need to get the consumer on board as well, to take their role and take their own responsibility in keeping this environment safe. Sooner or later, we're going to have like the big earthquake and everybody's like "where did my internet go?" It was our fridges or our washing machines.

>> Thank you, Marco, you anticipate the question I have for the panel, actually. We had an interesting debate a few minutes ago, on the Plenary, talking about multistakeholder versus multilateral. And I heard that, well... this is something that is outdated, we would need to try to merge all the stuff and let's not be ideological. This is ideological, actually. This is a difference between countries believing that it can continue to regulate something on their own and then, the conception that on the internet, we are all interdependent and that is the multistakeholder process.

Talking about security, and the multistakeholder process, even here, the last two days, I was surprised to see how many people still see security on one side and that is inward security. Like... very medieval approach. We identify threats there, we build a wall, we wait for the threats to come and we combat it and put soldiers on the wall.

Well... as you just said, Mirai botnet is a wonderful example. You protect your wall, perfect, but someone uses your device, your system, everything. We're all interconnected and interdependent. I'd like to hear from you guys.

>> Who would like to start?

>> WOLFGANG KLEINWÄCHTER: In the global commission, we introduced a norm, there's a need to distribute this norm more widely and the norm is called cyber hygiene. As an element of security, you can't avoid this even if you have a very, hygiene in your daily practice. You can reduce the risk level, substantially down. This is not case. If I look, into, you know, consequences of cyber attacks or cybersecurity breaches, 70, 80% could have been avoided if all the partners and not only the end user, but also the service provider, the ISPs and you know... all elements in this big train or... this big server would have followed, well-established rules, but they are widely ignored. I think the famous case, it was mentioned in the Plenary of the DNSI checking in January, in Sweden. You know... this was, the negative effects were reduced because... the Swedes, you know... had a good hygiene in place. It means this is a good example and should be more popularized so the people understand, they can't do a lot against these attacks if they follow the well-established and known rules. And... to, to, with these norms, cyber hygiene and bring this more in the media. 4 billion end users, you'll have an idea -- I think people understand even in India and Brazil, if they cross the street with a red light, they risk their life. We don't have such a mechanism in the minds of the 4 billion internet users, that if they open their laptop, they should be very careful. So... this is the common task of all stakeholders and... you know, if we talk about multistakeholder cooperation, we should, you know... have in mind, there's 4 billion end users and if they work, they're safe, soon we'll have 5 billion users. If we talk about the role of government, this is underestimated, governments are responsible for the educational system and... I really have my doubts, after being, myself, you know, a teacher at a university, that our educational system is from the industrial age. It's not prepared for the new challenges of the information age. And it starts with kindergarten and goes to universities. We have no fundamental discussion about reform in the educational system over the last ten years. We have something here, something there, but it needs a fundamental, new design of the educational system which would include cyber hygiene as an important topic, thank you.

>> MODERATOR: Marco, Ceren, would you like to comment on that.

>> MARCO HOGEWONIG: You're right. What we need is a behavioral change. It's fine, you need to learn to wash your hands and we talked about the example yesterday, like... yesterday, you kind of know that you have to cook chicken and if you eat raw chicken, you're going to learn the hard way and next time you'll cook it. It sounds really stupid, but... it is -- that's, that's what's happening and... to repeat for transparency, people need to understand what they're doing wrong and a good point [indiscernible] isn't here, but she, in the prep was also -- yeah... we can teach people to wash their hands, but make sure they have clean water to do so. That's something for the technical community, what we're investing in is capacity-building, building the tools, but in the end, we can build all the tools you want. If you're not using it, we have firewalls, we have -- we know how to -- we can teach you how to set safe passwords, but if you don't go in and change your password... there's nothing I can do -- don't look at me, I'm not going to save you.

>> MODERATOR: Just a quick follow-up on that and perhaps a provocation that we also had, okay... so we have to be more aware, we have to be more educated. We need to, you know... understand, don't use the same password, don't use 1, 2, 3, 4, 5, don't use A, B, C, D, E, but... what happens, and then I also like, bring the discussion, not only in terms of security awareness and also in terms of kind of like consumer awareness. Especially how... we go to the fine line of overburdening the user or overburdening, perhaps, the consumer, with the notion that they should already do X, Y, zed before they have, acquire product, even though it says it's safe, you already restored your computer, everything's fine, it's encrypted, but... not.

Just wanted to leave that there, just want to leave it -- we have lots of questions on the floor, that's amazing, I'd like to start out with Zoë, right? Please introduce yourself.

>> I'm Zoë, here part of YouthDIG. I couldn't agree more. However, my question, for the panel, is, first, we're overburdening consumers, especially when it comes to IOT security. A lot of critics are saying it's too little too late. As a general consensus, consumers are being saturated with data breach reports every day, British Airways losing people's personal data, so... there's almost a lack of urgency and priority when it comes to education, because... you think consumers have access to all this information already, because of the internet, but... nothing is standing out. So... what is the best way forward to increase this benchmark level of understanding when it comes to privacy and security.

>> MARCO HOGEWONIG: We read about it in the newspaper, but where's the person from British Airways explaining what he did to his colleagues to prevent other ones, tomorrow it's Jet or Air France. That's what I missed in the conversation, that's part of the enforcement. We tend to think of this as right and wrong -- and who does wrong, must be published. From a private sector perspective, it's all about liabilities, you sit on that secret for as long as possible because publishing it is a liability. We're going to come after you and publish. I think in that sense, in terms of norms and behavior, we might also want to think about it and maybe, accept that we are just learning to ride a bicycle. We will fall off occasionally and the best thing is to keep riding, but also, not punish each other or ourselves. Just accept it.

This is really in its infancy. We haven't seen anything yet and we expect this perfect world, it's, it comes from an engineering thing, but failure is always an option. We have to accept that and... rather than just go after them and punish them, accept there was a failure. What can we learn from this failure?

>> WOLFGANG KLEINWÄCHTER: Just one comment. If you buy a car, you expect that the car manufacturer gives you a secure car. You know... with an air bag and seatbelt and good brakes. So... but, it's... then, it's up to the driver to use this car in a responsible way. An irresponsible driver can kill innocent people with a safe car. You have a divided responsibility and you cannot take away the responsibility from the end user, but certainly, that end user shouldn't be responsible for the air bag and the, and the seatbelt.

>> CEREN UNAL: You're absolutely right. We definitely need more transparency and accountability on a bigger level. What we, particularly try to do, when I mentioned the campaign, we really tried very hard not to say anything, do anything to put additional burden. Unlike cars, IOT devices are not that easy to figure out for the consumers, most of the time, and... when we're talking about -- I'm curious about the outcomes of the proposal.

Going back to my legal nerd side, law is all about, or regulation or -- it's all about distributing liability, balancing interest, and what, especially in continental Europe, you have this like, level of, level of behavior that you expect, but that level is different for businesses and for consumers.

So... for a regular person, you need to act in a reasonable manner, but from businesses, you need to behave as an experienced businessman would do. It's a higher threshold.

So... we shouldn't -- we should never forget about that while trying to find a solution for this. So... working in a collaborative manner, we partnered with the biggest consumer organization on a global level. We also talk to the governments for sound policies, which are not necessarily regulation as I mentioned earlier and also, to raise awareness in the industry to adopt these principles by design. So... it cannot be an after-thought. It's always too late. And there's always going to be a breach, so... the only thing that matters is how well-prepared you are and how transparent you're behaving. The damage gets worse when you just sit on reports and on a, from a compliance perspective, it's like -- the fine that you're going to get if you hide it will be bigger too. But... still, information sharing between the stakeholders is crucial as well.

>> MODERATOR: Before we go to the question, I was looking there with the question that Zoë did, I just saw that Frederick was like... no... do you agree? Your expression was just like... I don't know if it overburdens the consumer. I'd like to bring it back to you.

>> FREDERICK: Yes, my body language killed me. I appreciate what you're saying, but... I was reacting to what you were saying because... look... we, we always, often compare internet with climate and ecology. I think there is some good grounds for doing this. You remember the calls after the tragedy of the commons in the ecology, if you just throw your trash in the sea, it will come back to you, you will suffer. Well... the first one to suffer will be your neighbor. You won't realize it, but at the end of the day, you'll suffer.

The internet is just the same. I believe, yes... we might come back a little bit too often, I don't know how we need to do this, but consumers need to realize that this internet is a common good and this is just not [indiscernible]. You are taking something. You are contributing to it, you are co-responsible for this. If you, in front of me, just don't behave in the right way, you might not suffer, but I will. We are all interdependent. This is what I was saying. I believe we might come back too often with this message to consumers. That's a reality -- there's a shift in something where we all are responsible. This is the base.

>> Perfect... let's go to Walt [phonetic].

>> Thank you, we will have a session in Berlin, exactly on a topic like this. I'd like to come back to Wolfgang's example that he said, having safety belts in cars. When did that become obligatory and how many people flew through the windshield before that started happening? I've been told because one car company said "we are the ones with the safety belt" and the rest started to follow. There probably will be lessons there, because now it's law, I'm sure, how did that get into law? Who started the pressure? Who started to change that? In my opinion, what is often missing is that with internet standards, they're all there, like Marco said, we have all these standards in place, but why are they not being used? Not being deployed? What sort of pressure needs to be put on industry and by whom to change the outset? That could be one, another company, that will start doing it and being the best example, but... the second one is that politicians start to understand what this is about, but consumer organizations, when they test a new device, they don't just look at how smart it works or how fast it works, but have these standards in place and you have all these boxes, which is going to show bad compared to others or perhaps others will take up the notion, hey, this needs to be changed. How do we get these people at the table? This is something I'm trying to do very hard and hopefully we'll have this session in Berlin with politicians, with consumer organizations, with industry and the rest of us here in this room. And try to make sure it happens. The question is, how do we actually get to engage and actually reach out and make action programs that these people are engaged with and not just talked about.

>> MODERATOR: That's a great point. Just before I pass over to the panel, I think that brings us to like the next part of this discussion, which is... what do we do when things go wrong? And I think we already touched upon different aspects of it, but since you mentioned the safety belt, I think that's a really interesting analogy for us to think, are we waiting for a big, you know... cyber attack to happen, because that is definitely kind of like the discourse of, you look at Brad Smith's discourse on the biggest cyber attack is yet to come, then we'll need something bigger to respond to that and then we'll have to raise the awareness of everyone. I think the one did that a little, but we're still far, far from -- is that the only scenario where, when consumers, when users, when you know... different sectors that are also you know -- getting more digital, transforming themselves, is that the moment when they're actually going to realize? And if that's the moment... what are the tools that we're going to have?

So... I wanted to bring that, right? Because... I -- I'll give it over to you, Wolfgang, I know the commission has done, has published a single norms package, a great example of, how to specify different processes, such as vulnerabilities equities processes, so... if you could follow up on that, with Walt's question in mind as well.

>> WOLFGANG KLEINWÄCHTER: It's impossible to answer the question. Some people have called it a digital Pearl Harbor, have used, historical analogies. If you look back in history, sometimes you could say, yes... mankind needs a disaster to learn from their mistakes. So... the hope is always, with us, that we can avoid a digital disaster and to learn just from anticipation of what could happen.

So... but... the wisdom is an issue which is not fairly distributed among all stakeholders around the globe. If you look into some governmental circles, they hide better slight in the middle ages and so far, the title of the UN Report is you know, very useful and this fits what Frederick has said. We live in an interdependent world. Even if some governments believe they can hit another government, sooner or later, this will fire back on themselves. We do not have, like... in the nuclear age, the mutual destruction, which, you know... kept the level of, let's say... you know, certain levels that we had no nuclear war where the whole world disappeared and we have not had such an instrument in the digital age. As Frederick has said, whatever government is doing and believes we can create harm to our enemy... even it's -- you have rights to have an enemy.

But... this will fire back to you and... how we can bring this message to the negotiation table now in New York, I think this is important, Russia, China, the Americans, the Africans, Brazil, India, Europe has to understand. They are sitting in one boat and if somebody tries to bring water into the boat, risk the lives of everybody.

>> MODERATOR: Would any of you like to comment on that?

>> MARCO HOGEWONIG: I was going to, but Wolfgang wrapped it up, we should polarize this as right and wrong. We're all in that boat together. Yeah... it's mutually shared destruction. We created the beast and it's going to eat us, unless we, unless we train our little dragon, now is the time.

>> CEREN UNAL: I also think when we're dealing with cybersecurity issues or these breaches, the last thing we should do is spread panic. (?) Our experience and Internet Society for the last two years, working on consumer IOT, focusing on this, it was really eye-opening, because... it was -- we were concurrently working with multiple stakeholders at the same time and now we have established like these multistakeholder processes and also... a platform to share best practices, so... it's an ongoing process, like... no silver bullet is going to solve this silver, gold, or whatever, bullet. Yeah... we're in this ship together... this technology is still fascinating, the opportunities still outweigh, in my view. So... we should find the right narrative to reach out to every stakeholder and again... on an economic level, to turn secure devices, as a competitive advantage. That's, that's the...

>> MODERATOR: I'd like to pass over to the question with the gentleman in the back.

>> I'm with Economic Affairs in the Netherlands. I have a few remarks, I heard a lot of remarks about industry, about consumers. I think, well... from my personal experience, a couple years running around in this whole environment, I think we're trying to solve the whole information society problem in one half hour. And I think there are several aspects. Raising awareness in consumers, being small, medium enterprises or whatever. I think, that's very difficult because we are selling them dangerous cars, like you mentioned, but still, we expect them to check them everywhere and drive safely. But then we decided to regulate the cars. I think in IT, I don't mention IOT-specifically, but in IT in general or ICT, whatever term you use, I think we just forgot to regulate, I don't know if I'm using the right words, being from the ministry, but... to regulate the security by design principle.

Everything is brought on the market, come to market is short. Business cases are very, very difficult and we accept on the market, everything that is manufactured, some are in the, in the world. And I think, the basics should be -- they should be safe then we can have a second phase, raising awareness to units, but then awareness can be simple. I think we, as a society, we have to take care that things are safe, by design. I think that's our main challenge and we forgot to do that. The business cases and the economies of all countries are very based on what's being sold and what's being used as a service.

Since this is a global economy, we are a little bit afraid to, to take -- to accept that it might have come a little bit too fast.

So... I think that should be on the industry and... getting them to the table, as a stakeholder, to take part and talk with each other. I think security should be a competition issue. On consumer, I think we have to, indeed, take care that we not raise a burden on consumer, that they just get so much information and they just think, well... it works, it's a nice story, I can use it, I can then, I can get a discount if I hand in my data and who cares? That's a situation where we are in. Another remark I'd make, our community here in the western-minded world, we're thinking we have our culture and we have our truth and I think we have to be very careful that other countries in the world, other regions, it was mentioned a couple times, are kind of the majority, say... well... the western countries, nice, nice try, but we take the authority and now we regulate how it will be. And... then, our free internet is gone. I think that's a few remarks -- not necessarily from the minister.

>> MODERATOR: Mm-hmm. Any comments on that? Okay... let's, let's keep it going --

>> Sabina: I'm here on a private capacity, not so much on the free internet, but all the talk about seatbelts and waiting for a big incident that we're talking, but... actually, looking at different threats on different levels. From a consumer perspective, the Hindenburg incident might never come. The personal perception risk is no way related to the actual risk. If I get on a plane, a lot of people are deathly afraid of doing so. In a car, not so much. In each case, reality doesn't match the perception. That's something you might have to keep in mind when you look into regulation, in consumer products, people feel safer or might feel safer than they actually are.

On the other hand, I'm not sure I agree with Walt that sort of, that seatbelts might have been a unique selling point. I mean, if you look at older generations, people hate putting them on. They feel infringed on their personal comfort and personal freedom and so on, but... indeed, it showed that they work, they protect you from death, they protect you from injuries, so... like... bit-by-bit, I don't know... they were introduced and I think they're here to stay, so... sometimes you must also, I guess, assume a perspective of not just, what does the customer want? What do they feel most comfortable with, but what is in the interest of herding unity. I think this is a great way of looking at it. We have a lot of low-level risks, but for a large number of people.

>> MARCO HOGEWONIG: Quick response, one important point there. Let's not forget to regulate behavior. If you're not wearing your seatbelt, you get the fine, not the car manufacturer. If you don't send your car to the MOT to hook-up to Siemens, for example, you get the fine, not the manufacturer. That's part of, back to the principles with to each and everybody in their respective roles, there is a role here for the user. There is a role here for the consumer and there is a role here, essentially, for law enforcement to where that user exceeds its boundaries to regulate that behavior.

>> MODERATOR: Just to provoke and I'll pass over to the next participant. I think the symmetry of perception is interesting, you're saying there's a perception of risk at the user level, which is vetch, not the perspective of the real risk. Do we actually know what the real risk is?

So... I'll leave it that and give it to you.

>> Thank you very much. I'm not a European.

[Laughter]

>> I'm from Taiwan. I have a couple points and I think this is a wonderful session and a really excellent dialogue in between, you know... the peoples. I think, first of all, don't forget, we are living in a world with a lot of law existing or... already, it's not, we are not living in the world, is not law at all (?) First of all, if you [indiscernible], can be justified. Property, privacy, you know... that kind of thing, the law is still there. Don't assume there's no law at all.

I think, Wolfgang talking about using a car. It's an interesting thing. I have a couple comments about it. One is... when the car has a seatbelt, we have a very good, scientific testing we know that's effective, it works. The difficulty, when we are talking about the regulation, into the cyberspace, to be honest, is a, we don't have evidence to measure that work.

So... be careful, you put into a regulation, into the cyberspace and you're not sure there's effective and there is work. It could be possible to damage the user or, for us itself. That's my point... is... unless you really have evidence, you have an effective vendor it works, you put yourself in the risk.

>> WOLFGANG KLEINWÄCHTER: The copyright regulation of the European Union is a good example.

[Laughter]

>> MARCO HOGEWONIG: I can give you a direct answer, what's the risk here? I'm one of the 12 root server operators. At current, there are 993 incidences of DNS root server. I don't even need to talk to Michael about what the current background noise is, but I bet you next year there'll be 2,000 DNS root servers. We need to keep up with the continuous hammering of vulnerable devices that send us junk. We'll end up with 5,000 incidences and somebody has to foot the bill. Currently, it's my members, footing that bill, partially and we keep adding instances and we keep adding capacity to that network, just to keep up, I'm not sure we're going to win that weapons race.

>> MODERATOR: Weapons race. Okay... over to you.

>> Thank you for the talks. I agree with what you said, but also disagree slightly as well. My background is law enforcement, I work for a cybersecurity company. I think we've had critical instances already, but people just label them differently. There was an attack on NHS and the U.K., that disabled the system for two days. I think that's not quite zero day, we've had the attacks on elections, I think these are all critical events that people forget and trying to gloss over and we talk -- I do agree about the IOT things, but there's big things happening that we just don't talk about enough.

I think we do need regulation and strong regulation because... there's manufacturers that don't take it as seriously as we do. If a company can build planes and say we can do software updates, there's something going very wrong.

And then, what I do like... what you're talking about, is our ideas, but what are the practicalities? Some of these are very aspirational. What would you say we need to do in the next 24 months to say this is going to change things? But also... if those are the things you want to happen in 24 months, what are the measurements to say they worked or haven't worked. That's something we don't do either.

>> MODERATOR: That's the million dollar question. I'll pass over to the panelists and anyone in the room that wants to react to that as well. I think it's a collective effort of thinking about how we measure the effectiveness of, you know... how do we respond? How do we measure the effectiveness of the responses that we have. So far, is it regulation that will actually provide us with better safeguards, either in terms of developing protocols for responding to incidents or in creating spaces for cooperation or instances where we have to cooperate. So... yeah... I'll just pass it over to the panelists. Anyone wants to start with that?

>> MARCO HOGEWONIG: Good current example, airplanes. Usually these kind of disasters, these kind of very big disasters don't happen because of a single thing going wrong. It's, it's a sequence of events and back to my point, we need to learn what went wrong here, because... as, as people are still investigating, yes, the regulation was there, but actually, the regulator told people to take the box themselves. That might not be a good way to enforce regulation.

Yes, it wasn't a zero day, there was a [indiscernible] available, why it wasn't in the system is the second question we need to ask, but then also, in that term, again... back, we have to, all, change behavior. Zero days are actively traded by people who think it's a weapon to somebody else. That's from an industry perspective, quite problematic. If somebody finds zero day, rather than call the manufacturer, put it out on the market and sell it to another government. I can't keep up. That's something I will never, ever win from. Don't ask me to improve my products if you don't tell me I have a vulnerability.

>> CEREN UNAL: I'll try again. It's a difficult one. But there are several indicators that will show success. So... what we aim in general, consumers somehow shifting the market for better products, more secure products. Eventually we'll have less. We can never promise zero incidents, zero breaches. That's not realistic, but it'll be less damage, it'll be less in number and we can always say it's like, the minimum standards imposed through regulation or other kinds of processes, so... security, privacy, at least from an IOT perspective, which will improve the overall security of the internet infrastructure and... another, maybe, another discussion topic is like... most of the stuff we talk about, around cybersecurity or, and around internet regulation, instead of Internet Governance, is things happening, which are already illegal under several existing laws, which are happening on the application layer.

So... what's happening to the infrastructure when you try to regulate these incidents, these cases is another issue to look forward. Because... there might be some unintended consequences with regulations, with totally good intentions. I'm not naming or blaming anything.

>> MODERATOR: Okay... well I'd like to go back -- oh, well, sure.

>> Yes, it's on now -- I'd like to respond to the comment the gentleman in front of me made. Just to add to that, if you lived in the Ukraine in the winter of 2018 or 2017, I can't remember what year, when the electricity went down for days and weeks on end, you had your doomsday scenario, if you lived there. That certainly doesn't affect the rest of the world and not myself. But there are examples of certain parties that have gone through very serious incidents, except, how do you translate to a world level.

The other one is on measuring, I think that it was in 2006 that the, our state's Secretary of Economic Affairs said we need to do something about botnet mitigation and it took seven years for the center to open. But... what it did was actually, they got everybody on board because the, the ministry funded the start-up, the registry said "we'll host the device for you" so that the market didn't have any cost, but... what they coupled to it was measurement. So... they asked the university to actually come up with reports on does this action work? That's how you can change something by a little incentive from the government, but... making sure that the good guys and the bad guys are starting to stand out and after a few words, they named the shame in the reports. Pressure should be put on the market to start cooperating on a tool that's made available. That's an example, how you can actually measure results from what the government says is a good direction to move into and facilitate that. Perhaps there are other examples in the world that could be shared, that could be used by others to copy, for example.

>> MODERATOR: Anyone wants to comment on that? I just wanted to throw the ball back to Wolfgang because... I know and I've been in several of the hearings of, or... the outreach of the global commission, so... I was just wondering, Wolfgang, how was it, in terms of kind of actually getting other stakeholders on board, I was there over at ICANN, I saw at the Global Conference on Cyberspace, how was it to get other parties to understand? Some of these norms actually kind of like reecho a lot of what we have been talking over here.

So... why don't we just actually take them forward? How was it for you, Wolfgang, as a commissioner, to see that going forward?

>> WOLFGANG KLEINWÄCHTER: That's indeed a problem that we have now, so many different initiatives and... this, kind of, natural interest to create an environment which, you know... promotes security in cyberspace, on the various levels, the state level, the business level, the technical level and so on. It has led to this, many different initiatives, you know? Siemens, Microsoft, Telefonica with a new deal, now we will see, soon, the Cyber Peace Institute, we have the Global Forum on Cyber Expertise. When we started work with the commission, we had another element to it. When everybody was talking about principles for Internet Governance, you know... we had to, you know... dozens of initiatives, the Council of Europe, the OACD adopted certain principles for policy making and in 2013 a workshop with 15 different instruments on principles for Internet Governance. This is confusing for the public.

So... the conclusion was from the Bali meeting, we have to look into various initiatives, all have their limitations. A number are only supported by one stakeholder group, like government or the Civil Society, as is are just for the region. And... the outcome was okay... can we create something which is multistakeholder and global? And... the result was the net majority iteration. It was put forward by Snowden and the need for the transition, but finally, now we have a document that is the declaration that is global and multistakeholder and the best reference point we have, so far, for Internet Governance in general. This is what I see, now, with the cybersecurity discussion, that we are moving to a certain moment where we have to come, probably in two or five years from now, probably in 2025, when we have the next World Summit on Information Society, it's not yet decided how to organize this meeting, but it's already decided that we have a meeting in 2025, so... only five years to go. You know... to bring this, various initiatives into, this process of enhanced communication, but... enhanced corporations, people talk to each other and feel out what is needed so this is for the whole globe and involves all stakeholders and the UN panel, the proposal to have a call, a global call for trust and security in cyberspace, which reflects a little bit on the Paris call that's already on the table, is the next step and probably, we can bring all these various initiatives into, into a general framework which would allow them to deal with the very single, specific issues. Because... you cannot manage the whole cyber secure issues in one big treaty. You can have a big framework, but then you have to go to the individual issues and also the proposal made by Uri Rosenbaum [phonetic] to declare attacks against the root server system. The DNS, the IP address system, routers, servers, satellite, cables, as a crime against humanity. Could be a first step, it's a small step, but could be a cornerstone to build in the 2020s, a whole cybersecurity architecture which would include a smaller number of individuals, smaller treaty, so... that you can handle this case by case, issue by issue, and... this would, then, constitute in the next ten years, you know... a framework for cybersecurity.

>> MODERATOR: Thank you, I think we are about to wrap up, but before we wrap up, I would just like to say that the objective of this session was mainly for us to really try to get the perspective of how do we look forward? And how do we also, bend, you know... the bridges, how do we build the bridges between this kind of like international norms discussion and kind of like the very practical, as we state a lot of times in the discussion, talking about the user, the consumer, what are the types of safeguards? Should we just go for self-regulation? What are we looking at, the next ten years. What is the type of regulation, if any, are we looking at as we look forward? What kind of security do we want to see for the next ten years? How do we respond effectively? How do we build a specific measurement? How do we know how to implement? I think the main, the main question, over here, was how do we connect these two different levels, which are not, necessarily detached from each other, but are definitely, in two different narratives. How do we make them converge.

That was pretty much the effort over here. I'd just like to pass to our reporter for the five main points -- three main points of our session. Yeah...

>> Stefania Grottola: Thank you, everybody, we are producing reports from all the sessions, independent reports from all the sessions and we also produce the five messages... can you... these are the messages from this workshop that will be sent to you and the secretariat, but I need a rough consensus.

The first message is all stakeholders need to be represented at the table in their respective roles. Despite some issues have to be settled by a specific expertise-based stakeholder group, conclusions can only be reached if all the stakeholders' perspectives are taken into account. To this extent, inclusive multilateralism could address current tension between multistakeholderism and multilateralism? Is there consensus on this? What do you think? Yes?

Current technological challenges have created a global appetite for further regulation, nevertheless, flexibility is required in understanding on case by case whether further regulation is needed. Some of the challenges currently hampering the regulatory policy making process are related to the false dichotomy that privacy and security are in contrast with each other. Security and privacy by design can be a solution.

The current approach has promoted self-regulation. Debates on effective regulation need to consider and implement stronger enforcement mechanisms which existing institutions and tools are lacking. In the absence of an independent judiciary for cyberspace, new mechanisms for dispute settlement should complement existing legal frameworks. Following this line, the implementation of best practices by like-minded countries can further strengthen the adoption of responsible behavior to a large number of actors.

In order to address the challenges posed by emerging technologies, better transparency and accountability mechanisms are required. Digital literacy, security and consumer awareness need to be implemented for a more effective holistic approach. Is that okay?

>> Yep!

>> MODERATOR: Paul, right?

>> Paul from the U.K. government. Thank you very much for a really good discussion. I really enjoyed it and I learned a lot from this discussion. Thanks very much, to the panelists. I have just one comment on this, the last sentence of the first paragraph, I'm not sure that we had a very developed discussion of this idea of inclusive multilateralism. I personally, am not sure what it means, still. I think we need to talk about that a little bit more. It sounds a little bit like a contradiction in terms to me, so... I wouldn't, personally include that in the messages coming up. I don't think we covered it in our discussion.

>> MODERATOR: I think Wolfgang mentioned that, it's more, you're bringing the example of the high-level panel and digital cooperation. And we can just leave it as multistakeholder, if that's okay with everyone. I believe we have greater consensus on that. And I think that's, that's perfect. I'd like to thank you all for the great participation. I hope it was as enriching for us as it was for you and... I'd like to personally thank just all of the panelists, I'm really honored to have you here and Tonya, again, for the great help in all of this. Thank you all for being here and look forward to the next EuroDIG.

[Applause]

[Presentation concluded at 12:29 PM Local Time].


This text, document, or file is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text, document or file is not to be distributed or used in any way that may violate copyright law.