Cybersecurity revisited, or are best practices really best? – WS 05 2016
== Session teaser ==
Latest revision as of 16:55, 4 December 2020
10 June 2016 | 11:30-13:00
This session is about good practice in cybersecurity, but we want to hear your case studies too: do they give you a warm fuzzy feeling, or a cold prickly feeling?
There’s an elephant in the room, but that’s OK… we’ve got it under surveillance.
It’s clear that cybersecurity threats can cross national boundaries; can cybersecurity defences? What are the challenges in doing so, and is anyone addressing them successfully?
Technologically, the direction of travel seems clear: it is easier to collect, share and process personal data than ever before, and to do so in greater quantities. Whole sectors of the economy are based on that principle. But how much does the technology improve our security, and how much does it erode our privacy?
And that elephant in the room: are cybersecurity concerns being used to undermine our fundamental rights?
OK - let’s acknowledge that cybersecurity has many stakeholders, and their interests often conflict. Is there a collaborative approach that can lead to better outcomes for all?
Cybersecurity ; Best Practice ; Privacy ; Risk ; Collaborative Security
The key message here is: please come ready to take part.
This topic reaches into the lives of all of us: we want to hear your perspective and, above all, your examples of good (and not so good) practice.
- Moderator's opening remarks, to set context
- Questions and best practice examples from the audience
- Comment and responses from the panellists
- Interactive Q&A (everyone)
- Moderator's wrap-up and the "Wishing Tree"
- Focal Point : Robin Wilton, Internet Society, UK
- Key participants
- Prof. Ian Brown, Oxford Internet Institute, UK
- Prof. Brown is an accomplished researcher and expert in cybersecurity policy and technology issues. He is a Principal Investigator for the Global Cybersecurity Capacity Centre at Oxford Martin School.
- Nigel Hickson, ICANN, UK
- Nigel is ICANN's Vice President for UN and IGO engagement, and is responsible for ICANN's public policy at the European level.
- Lea Kaspar, Global Partners Digital, "rootless cosmopolitan"
- Lea is Head of Programmes and International Policy at Global Partners Digital - she works at the intersection of international affairs, digital communications, and human rights.
- Alexandru Frunza, Council of Europe, France
- Alexandru has an impressive law-enforcement background in both theory and practice, having served in drug-trafficking and cybercrime enforcement and in public prosecutors' offices.
- Remote moderator: Fotjon Kosta, Ministry of Energy and Industry, Albania
- Org team
- Nertil Berdufi, "Hena e Plote" BEDER University, Albania
- Reporter: TBC
The reporter will take notes during the session and formulate 3 to 5 bullet points that:
- are summarised on a slide and presented to the audience at the end of the session
- relate to the session and to European Internet governance policy
- are forward looking and propose goals and activities that can be initiated after EuroDIG (recommendations)
- are in (rough) consensus with the audience
- are to be submitted to the secretariat within 48 hours after the session took place
See the discussion tab on the upper left side of this page.
Conference call. Schedules and minutes
- dates for virtual meetings or coordination calls
- short summary of calls or email exchange
- be as open and transparent as possible in order to allow others to get involved and contact you
- use the wiki not only as the place to publish results but also to summarize and publish the discussion process
- People tend to cluster together and collaborate within trusted communities, because with a trusted relationship something can be done. How to broaden this cooperation by binding with other clusters/communities?
- We need to collaborate to get things done, and the essential point is then to create trust between stakeholder groups: successful examples were the battle against spam and the cooperation between CERTs and LEAs. It can be done.
- Diplomatic communities (with a so-called ’military tradition’) and technical communities often mean something completely different when talking about security. There is a massive gap. But they are talking to each other and there certainly is an intention to continue the dialogue.
- How to keep the different ‘clusters’ open, where issues are discussed? More transparency is necessary when it comes to public-private partnerships: all stakeholders should (be able to) participate.
- There is a multitude of platforms and initiatives working on cybersecurity, all spending money and doing capacity building: but are they indeed open and transparent, and what effect do they have and how to bring them together? This is an open question…
Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: +001-719-481-9835, www.captionfirst.com
This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.
>> OLAF KOLKMAN: As we say in Dutch good. It is now 11:30. People are still coming in, I assume. But I think we’ve got quorum. It’s always important to have quorum.
Welcome to this workshop on cybersecurity. We have two panels today within the workshop, this morning and this afternoon. This morning, we’re going to talk about current practices in cybersecurity, try to get an inventory of practices which people think are at least current, and perhaps even best current practices, or maybe even the worst current practices.
The format that we have is hopefully highly interactive. I want to start with you all, peoples. I want you to ask the question to the panel, and not have the panel make the statements so that you can respond to them.
But before going into the details, I would like to introduce the panel. In our midst we have Ian Brown. He’s Professor of information security and privacy at the Oxford Institute and, Ian
>> IAN BROWN: Ian.
>> OLAF KOLKMAN: Ian, okay. This is unknown native so I what was the last thing you Tweeted?
[ Laughter ]
>> IAN BROWN: It was to, I think it was telling everyone to participate remotely in this panel.
[ Off Microphone ]
>> OLAF KOLKMAN: So we have Alexandru Frunza who is the programme Officer for Cybercrime Division of the Council of Europe.
What was the last spin message you opened? What was that about?
[ Off Microphone ]
[ Laughter ]
Okay, and then we have Nigel Hickson, ICANN’s Vice President on international organisation engagement. I’m going to ask a leading question. Nigel, what was the best news you heard in the last 24 hours?
>> NIGEL HICKSON: Well, I suppose it must have been about football. Could it have been about?
[ Off Microphone ]
No, the IANA transition. Of course. We’re programmed to respond like that.
>> OLAF KOLKMAN: Now I have to come up with a smart question for the customer who is responsible for the international policy at Global Partners Digital. Let’s see, cybersecurity.
>> Cybersecurity and women? I don’t know.
>> That’s a good one.
>> OLAF KOLKMAN: So how often do you find yourself to be the only woman on a panel?
>> You mean, the token woman on the panel?
>> OLAF KOLKMAN: Which in this case, I assure you, you are not.
>> I would have to say I was contacted fairly early, so I do suspect this was a genuinely proactive outreach.
>> OLAF KOLKMAN: How often does it happen that it happens a lot. This industry is still dominated by men, as I call them.
Okay, those are the panelists, and I’m sure they will have interesting perspectives.
By the way, my name is Olaf Kolkman. I’m with The Internet Society. I have a technical background. Among us we have Tatiana Tropina from the Max Planck Institute. She will be our co-moderator. We’re moderating this session together.
She will be walking around, handing you the microphone if you have something to say.
Then we have Fotjon Kosta. He’s over there. He is the Remote Moderator. Fotjon, can you see how many people have joined us online?
>> FOTJON KOSTA: Three.
>> OLAF KOLKMAN: Three people are online.
[ Off Microphone ]
[ Simultaneous Speakers ]
>> FOTJON KOSTA: All 3700 of my followers.
[ Off Microphone ]
>> OLAF KOLKMAN: So much for the Internet bringing us together. We need to meet face to face. We have a reporter. At the end of the meeting we’ll give him 5 minutes so he can read out so he can report out this panel in three to four bullet points. I don’t want to forget Roy Graves, behind. He’s the person who does all the captions here. That I always find something very nice to have as a non-native speaker. I think it helps our diversity. And besides, when I lose concentration, I can always see what the captioner brought us.
We’ll talk about best practices in cybersecurity, a very broad field. I have an agenda for this meeting and it’s a very personal agenda. The Internet Society, shameless plug, we have developed a framework for Internet security. We call it Collaborative Security. My agenda for today is listen very carefully to what people bring here, and see if it fits into this framework or not, whether that framework applies, and what we can learn from this.
So I am here to listen and learn, and apply what I learn in my day job. Sort of interested, if you in your audience have takeaways that you hear that you will take back to your day job. If during the session you hear something that is very interesting that you will use in your day job, I would like to learn that, too, because I think that is the success of what we do here.
So that is all by means of introductions, as far as I’m concerned. Tatiana, do you have something to add?
>> TATIANA TROPINA: No, I don’t think we have to introduce anyone. Just to warn that we will move soon to you, to the audience. I will have two microphones, I will be that annoying person running around with two microphones and I do lend you one of them, for you to state what is your cybersecurity concern or maybe what kind of question would you like to ask any of the panelists, not necessarily particular panelists but a general question or what do you think is your best practice in cybersecurity? Or what would you like to change?
So imagine we are at the cybersecurity jazz jam session and you have your say and you have a microphone, so anyone wants to go.
>> OLAF KOLKMAN: Is there somebody who wants to
>> TATIANA TROPINA: If nobody wants to go I will pick up people who I know and make them intervene so you’re better to volunteer.
>> OLAF KOLKMAN: Just by means of timeline, we have 20 minutes set aside for your input now. It would be very embarrassing if we don’t get your input because after that the panelists have 13 minutes to respond to that, and after that we go into 10 minutes of shared time together again, and then we end with a wrap-up so that’s sort of the timeline today. The meeting is now yours. It is yours. I’ve got yep?
>> I guess I’ll start.
>> TATIANA TROPINA: Can we switch on the microphone?
>> I’ll start off. I’m Stacie Walsh, I’m from InterConnect Communications, and I think I’ve been doing a lot of work on the IoT lately and I think my biggest cybersecurity concern or Internet concern is IoT, and how we build that in when we’re connecting a million devices, and the fact that until very recently, a wearable, some wearable still, was transmitting unencrypted data, and from that data you could get the Wi-Fi password to whatever Wi-Fi you’re on and from there you can get into your house, your car, anything like that. Then also the cost that is incurred on companies putting in maybe a good way to say is proportionate security into their devices so that if you’re building a smart light bulb you don’t increase the cost of that light bulb threefold.
So what type of security should something have? And how will that fit into the broader security ecosystem?
>> TATIANA TROPINA: Thank you very much, Stacie. I also think that these questions I saw Ian Brown nodding, and I know there are at least two people in the room who had a very vivid discussion on IoT on Day Zero, so this question will go to the panel, and maybe it’s something also to make note about to discuss on the second session, because we’ll have follow-up.
Who was the second?
>> Hi. My name is Anska Kuna, from University of Nottingham, and raising an issue of our experience. Recently we were contacted by the National Crime Agency in the U.K., and somewhat surprisingly, they seemed to feel that people especially young people, might not really care much about privacy that much. And that was a bit of a surprise to us.
>> TATIANA TROPINA: Actually this fits also
>> OLAF KOLKMAN: I’m going to ask you a clarifying question. Do you know the motivation for that statement?
>> Basically, they were contacting us they’re busy with a scoping exercise to understand how they can go about surveillance in the coming years, what basically, how far can they push it before people will say, this is not policing by consent anymore.
>> TATIANA TROPINA: I took a note of Marco and then I will come to you, and anyone thank you. I took a note.
>> MARCO: I’ll probably come back to this IoT thing, because it is concerning. What’s more in general concerning and also in relation to is the cyber in cybersecurity. We put so much trust in technology and tend to forget the technology is built by humans, and at some point we sort of start this arms race towards better security where other technology is trying to defend ourselves.
Isn’t this turning into a human problem rather than a technological one?
>> TATIANA TROPINA: Thank you very much, Marco.
>> Thank you. I’m with the Dutch Ministry of Foreign Affairs. Some U.S. politicians seem to believe that building a wall makes you safer in your country. I’m not sure if that is the case but it certainly doesn’t help with a digital wall around your country.
I’m interested in hearing the panel’s views on international cooperation, and especially how to work on cybersecurity in developing countries.
>> TATIANA TROPINA: We have a perfect person for this on the panel, Lea Kaspar, who is leading many cybersecurity capacity building efforts in foreign countries. I don’t know whether better to come to this side first and then come back to you.
I saw some hands raised here.
>> OLAF KOLKMAN: I see a lot of hands but I’m going to ask for a little bit of focus. There are a lot of questions about future, but very little examples of what we’re doing now, and what are the practices from which we can learn.
So if people can weave that into their thinking at this moment, we’d learn something about the current practices.
>> TATIANA TROPINA: Taking this into account
>> Hi. I’m Corinne Cath from Article 19. A current practice we’ve been running into a lot, especially with local offices, is they are confronted with cybersecurity legislation that is more or less a cover-up to limit freedom of expression especially of activists, and this is something we’re very concerned about and also we’re trying to figure out how can you best enable local people and enable local activists to stand up against this? Because it requires not only a lot of knowledge about legislative processes but also about the hard technical cybersecurity to be able to see, oh, this is a legitimate cybersecurity threat and this is a cover-up for trying to do something else by a certain Government.
>> TATIANA TROPINA: Thank you very much. Now it will go around.
>> My name is
[ Off Microphone ]
I was one of the other people in the IoT session on Day Zero. A few things, the first one is the presentation of Google going through forwards to 2026 yesterday saying this world is completely safe, the IoT thing. If you look at today, it definitely is not. So in other words there are either ideas floating around or they’re trying to pass a message that is not correct. And we’d like to know what the ideas are because that would be best practice of the near future.
Another thing how companies go about is the Windows 10 update, for example, on my laptop. So far I could ignore it, because I didn’t want it. All of a sudden that changed, and it started updating by itself because I pushed it away.
Also, the security on my computer vanished, and I haven’t been able to restore it yet, so all sort of updates on there don’t work anymore. The AV doesn’t work anymore. So what’s the thought about best practices in cybersecurity from that angle?
Another thing, and I’m going to plug an LIGF workshop proposal for the coming IGF, is looking for best practices in cooperation. So there are several public-public, public-private, private-private initiatives that are working together and succeeding, and what are their best practices? And that is something I would like to try and find out, having the chance to do so at Guadalajara, because then you’d actually be able to present them to other initiative starters saying: Ignore this, because it’s proven in the world it doesn’t work, and we’re trying to get as many organisations to get together.
For example, doing anti-malware work, that is apparently succeeding because the numbers seem to be going down. Why doesn’t the European version, why isn’t it active at this point, despite the 60 million Euros they had to deploy it?
Why does the G7 network between the enforcement agencies work?
>> OLAF KOLKMAN: So why do certain collaborations work? And why do some collaborations
>> There are best practices we need to find out about and you have best practices in cybersecurity as well.
>> TATIANA TROPINA: It’s also why certain collaborations work on the local level but cannot be leveraged on the National level. I saw first here and then I will come to you.
>> I’m from electronic frontier Finland but I’d like to make first a general observation that security is different for different actors. Sometimes even contradictory requirements of the company and its clients may have different requirements and needs, thinking of system administrative viewpoint, how much data I collect and keep of the people using it, because it’s useful for tracking down infringements but also dangerous in case it leaks and it may be against the interest of people using it that somebody can get it.
So always keep in mind: Security is not just same for everybody. And the same transaction, different actors have different and even conflicting security needs.
>> TATIANA TROPINA: Thank you.
>> I’m Collin Kurre from Internet and Jurisdiction Project. As the name implies, my question is about jurisdiction on the Internet. To root my question in something in current practices, I know there’s been a lot of debate recently about modifying the protocol and the standards for cross-border access to user data, so I wanted to address the specific practices of law enforcement agencies and other cybersecurity-related parts of Government and how that relates to cross-border the cross-border Internet, basically how to reconcile territoriality in practice with the cross-border Internet.
>> I’m from The Internet Society, and one word I didn’t hear yet is encryption, and as a kind of user, I wanted to understand it’s a buzzword in the community. All should be encrypted, some say not but as a user I still think there’s lots of unclear things as to when is my communication automatically encrypted? When do I have to switch something on? Which layers are protected? Is this a cover-all solution? What are the complementary things we should be thinking about.
>> TATIANA TROPINA: Thank you very much. While I’m roaming here, raise your hands and I will see who is
>> Thank you, I’m from Erasmus University in Rotterdam. Like a looming question is the Internet of Things. Another looming question I think is much talked about at the IGF is the next billion users.
The next billion users. The fact that those next billion users are usually coming online in the global south on very cheap devices with little room to pay for connectivity let alone for security. Big numbers, lots of mobile. What impact does the panel think that will have on global Internet security?
>> TATIANA TROPINA: Sorry. Was trying to accommodate people.
Anyone with a question on this side, on this side? Then the microphone is going to Marco.
>> Sorry again but good point Olaf. What do I do today with security? The high level objective there is promote openness and transparency not only in the governance level but also at the technical level because I do think security improves by being open and transparent on what you’re doing.
>> TATIANA TROPINA: Thank you. I don’t see any more hands right now. Shall we move to the panel? Or shall we wrap up a bit? Because there are so many questions, there are so many issues raised on different levels of security, on technical level of security, on users’ level of security, on encryption, on collaboration, on jurisdictions.
[ Off Microphone ]
>> OLAF KOLKMAN: Did somebody capture them from the Tweet?
>> TATIANA TROPINA: I saw the Internet of Things questions on cybersecurity, trust in technology. Basically most of all when I was following the Twitter wall it was rather reflecting questions that were already asked, so I think we are capturing everything so far.
>> OLAF KOLKMAN: Okay. That sounds like a plan. I’ve made some notes but I saw the participants writing away frantically too, at least some of them.
So let’s start with some of these reflections. Maybe start from that last observation, as a general rule of thumb, is openness and transparency one of the basic features that we need in order to get to security?
Panelists, please respond. Ian?
>> IAN BROWN: Absolutely. And I think a great benefit of a Forum like this is you can have very detailed technical discussions. You can go from the very technical end right up to the legal and philosophical end, so I would say both ends absolutely.
From the technical end and my Ph.D. 20 years ago was in computer security the techies amongst you might know Kerckhoffs’s Principle, which is the security of a system should not depend on the secrecy of the system, except for very, very small parts like decryption keys. Everything else in general you get much more benefit. It’s the philosophy of the IETF and other open standards bodies, you publish everything for review. The more people get the chance to review and even ideally these days in the IETF, we were talking over the break, actually run automated security checks on new protocols to look for holes, which has proven quite successful. Some of the key IETF standards people have found holes in using these mathematical proof systems. So absolutely from that end.
And I think that is it’s important in the Internet standards that we’re all using. It’s even more important I think from a Public Policy perspective in Government security systems where some elements of for example to take an extreme example security services, intelligence agencies where their default position is to keep a lot of what they’re doing secret, I think that causes all sorts of problems.
Kathy Brown I think very rightly said yesterday morning even the Governments, not to name any that are heavy promoters of the multistakeholder model in Internet Governance, rush to close security forums to make security decisions, and that’s the wrong way around. I think the security decisions are the ones that have the even bigger impact on society and on people’s rights and it would be wonderful if going forward we can find a way to bring those security debates much more into this multistakeholder world.
>> TATIANA TROPINA: If we’re talking best practices do you know an example of best practice which can be leveraged concerning what you’re talking about or any of the panelists?
>> IAN BROWN: Again, a technical and a more Governmental example. The IETF itself, the Security Directorate, not just on security-specific protocols but actually every IETF standard has to have a security consideration Section. There’s been work on whether that should be expanded to include privacy and human rights. That would be a great thing as well. On the Public Policy and Governmental level sorry for the blatant plug but we have a center at Oxford which is trying to do this, a global center for cybersecurity capacity, I get the acronym wrong because it’s so long. My colleague over there can correct me. Where we’re trying to do exactly that and where we’re not just doing this in the U.K. or in Europe. We’re actively setting up Regional hubs around the world. We have our first one just opening in Australia in Melbourne but we’re also looking to do that in Southeast Asia and over time, this is with partners in those regions, not just Oxford University arriving and telling everybody what to do. Which would be a huge mistake. We’re looking to do that in the Americas and in Africa so I think mechanisms like that, we are hoping I think to participate fully in the IGF in Guadalajara. It would be great to use the discussions to mar greatly institutionalize future multistakeholder dialogue.
>> OLAF KOLKMAN: Lea? There’s also a microphone you can hand over.
>> LEA KASPAR: Not that I disagree with what Ian was saying and I don’t think I’m not suggesting to the fact we need more openness and transparency coming from a human rights Civil Society I would never argue that. I think if we start from that as a basic point, we need to push the question a little bit further.
In the last couple of years I’ve been hearing this argument over and over again. What we haven’t actually cracked is how to convince people that that’s actually useful and that actually leads to better solutions and better outcomes.
One example where I think this was pretty evident is during the global conference in cyberspace that the Dutch organised last year. It was very interesting because, we were participating in an initiative to bring Civil Society and kind of open up the discussions at the conference. And in the end there were I don’t know over 300 non-governmental participants on the Civil Society side, with private sector it must have been more. What we saw is that a lot of discussions moved into bilateral rooms so you had discussions in the Plenary. They were non-controversial but the real discussions moved into more closed forums and I was talking to someone yesterday about how a lot of the discussions are moving into the G20 or forums that a lot of us don’t have any access to.
Perhaps to bring, to answer your question about examples of best practice in this, we’ve been working Global Partners on building a multistakeholder framework for engaging in cyberpolicies at the National level, and we published that last week and I think what we’re going to try and do is work with partners in different countries and try and pilot that.
However, there isn’t yet a model that people say that is working. I know that in Poland, some of the stakeholders I know that have tried setting that up and a similar model that Internet Governance multistakeholder have been pushed to a number of IG initiatives and one last point at the U.K. level we do have a Multistakeholder Advisory Group on Internet Governance that I’m a part of. I think that’s best practice example in that side. However when it comes to cybersecurity and when we made the case that, well, can’t those discussions, interministerial discussions, be opened up to other stakeholders when it comes to cyber, there was a much greater push back, so I’d be interested in discussing how we can move from this principled approach to yes we need more openness and transparency to how do we actually get there.
>> OLAF KOLKMAN: Perhaps that is something we can come back to but doesn’t that greatly depend on what type of discussion we’re having? Cybersecurity is a broad field perhaps we can reflect on this topic. Any of the other panelists? Nigel?
>> NIGEL HICKSON: Shall I speak in this? Yes, if I may I’ll put my glasses on because I can’t even read the screen. Well, I think this gets to the heart of the debate, so I think when the questions started to come in, again on this issue of cybersecurity, we have this very wide canvas, and this wide canvas is advantageous and we have cybersecurity and Internet security and there’s lots of different ways of describing it but at the same time it does cause a certain amount of confusion. Are we talking about technical security? Are we talking about surveillance? Are we talking about rights online?
There’s a whole canvas here. But I think the question posed to us here gets to the heart of the matter, in that what we are seeing, from what I’m seeing after sort of 25, 30, 35 years dealing with these issues, is that we’re almost going back in time, so back in the ’90s, Governments discussed Internet security we didn’t call it Internet security then. We called it information security or whatever. And we discussed it amongst Governments. Just occasionally we’d allow the odd academic into the room. Civil Society, you know, come on! Don’t be silly.
Business, well, you allowed some businesses in, as long as they paid the Government.
[ Laughter ]
>> OLAF KOLKMAN: Why does this sound so rude with a British accent?
>> NIGEL HICKSON: So we had a very closed environment. And then it started opening up. And it started opening up really because of the, if you like, the academic input, the Civil Society input, the growing awareness that these were problems that everyone ought to have a locus on, and there’s been such excellent multistakeholder open work that the IETF and other organisations have done and what Ian is doing at Oxford et cetera, and there’s great examples. But at this same time we have this dichotomy where on the one hand we have open discussions in The Internet Society and technical forums, in ICANN, in IGF, these great multistakeholder dialogues and then at the UN, for me, I ought to be able to get into the UN, you know.
Well, actually not, so I tried to get in
[ Laughter ]
I tried to get into a meeting on cybersecurity at the UN, and they said, who are you? First I said I’m Nigel Hickson, ICANN, which cuts no ice at all. I said I’m the British Government actually. They said you’re lying, go on, and this was a discussion. This was a preparatory discussion for the Government Group of Experts. The Government Group of Experts, they’re not a secret tryst or anything. They’re a group of Government officials of various countries and the number of countries vary. Starting this summer it’s going to be 25 countries meeting for perhaps a year at the United Nations and discussing cybersecurity at a very high level.
There is no input to this process. It is not transparent. So how, as we as citizens and users, can really trust what Governments are doing is an issue and therefore I think this whole issue of transparency and openness is crucial to this debate.
>> OLAF KOLKMAN: I’m first going to let it to the panel. The 10 minutes is after the
[ Laughter ]
I might break that rule at some point but Alexandru, go ahead.
>> ALEXANDRU FRUNZA: Thank you. So cybersecurity is also related with rule of law. The Internet and its capabilities of forging new communities, boosting democracy or driving economic growth is also open for abuse. So it’s used for connecting terrorists, facilitating crime, or enabling mass incursions of privacy.
So in order to preserve the best of the Internet, we need to tackle the worst of it. So Governments need to protect their citizens against crime, and also protecting human rights and liberties, so...
>> OLAF KOLKMAN: So the question arises, given that a lot of the Internet is managed and operated by the private sector, doesn’t that private sector have a role in helping Governments with weeding out the worst? And when having that discussion around weeding out the worst which by the way weeding out the worst of the Internet to keep that Internet open is I think the appropriate approach but isn’t that in essence a multistakeholder discussion? Because some of the measures imposed by Governments might break the fundamental nature of the qualities of the Internet, so to speak. And then that hooks into a remark that was made earlier, Governments typically operate on National territories or Regional Coalitions so to speak. How does that factor in with the global nature of the Internet? I think that’s a bridge to what was mentioned earlier as a question. Ian? And Alexandru I’ll return to you.
>> IAN BROWN: Thanks, because that’s a great link to my second plug, which is for my book, which you can have for free. I’ve bought free copies. If you want a copy, this is an example I think where we tried to do precisely what was just described. This is from an EU-funded research project called VOX Pol, about violent online extremism. This report is assessing the ethics and politics of policing the Internet for extremist material. Indeed we did exactly what you just described.
We had a workshop in Brussels where we had people from European intelligence agencies, police forces, the Council of Europe, the European Commission, National Governments, Civil Society, industry, and we spent two days trying to thrash out some of the very difficult issues raised as Alex said by the way that terrorist groups are using the Internet, and as you all know, certainly in Europe and I imagine many other regions of the world, it’s a red hot political topic because of foreign fighters going to Syria and elsewhere, then coming back to their homelands and killing people.
I also did follow up interviews with a range of those varied stakeholders and I hope, I’m not saying this is the perfect answer to those difficult questions, but by getting all those perspectives both separately and together, that you can start to answer some of them in a way that doesn’t make everyone completely happy because of course there isn’t a perfect solution, but a way that both keeps most stakeholders feeling they’ve been listened to and the solutions being proposed are relatively workable, another important fact of the multistakeholder model. Rather than recommending something that later a stakeholder whether it’s industry or others tell you, this will just never work, you can try to run through all those bugs before you make recommendations.
But it also lets me make the broader point that I think a critical best practice for cybersecurity well, two critical best practices for cybersecurity, which in one sense are old best practices, one of them is newer which is the multistakeholder model but one is much, much older and Alex it already and it’s the rule of law. It’s a basic practice across all areas of Government and democracy. The rule of law is that laws are made democratically by legislators who have a mandate of voters. They’re discussed openly in Parliament and media, discussed with Civil Society and other stakeholders, and they’re applied impartially and accountably by the courts and by law enforcement. We do as if you’ve heard Joe McNamee speak over the past couple of days, I think it’s a very negative trend we see in cybersecurity, a lot of measures that do not follow that model that are agreed behind closed doors
>> OLAF KOLKMAN: Do you have a recent example of that?
>> IAN BROWN: The EU’s new Code of Conduct, for example, which Civil Society groups tell me I’m not saying this is the gospel truth, but the Commission vigorously disagrees but tell me was not agreed in a transparent, inclusive multistakeholder way, and Civil Society groups led by EDRi have therefore been very critical of it. We should try to avoid that in future for a number of obvious reasons. One, it’s contrary to rule of law. Unsurprisingly, when these measures takes a long time but get considered by the court of the European Union, as we saw with the data retention directive are struck down with a vengeance, it doesn’t help the security interests, let alone freedom of expression and other Civil Society interests but on the practical level we’re likely to get much more effective cybersecurity mechanisms where they’re agreed among all stakeholders.
>> OLAF KOLKMAN: And the book is still available.
[ Laughter ]
[ Off Microphone ]
Yes. And then we return to
>> TATIANA TROPINA: Then we to
>> I’m sorry, I think people in this room, many people have different ideas of what cybersecurity is, and one essential aspect of cybersecurity is protecting yourself once you’ve been attacked, and making sure that you stay protected.
And I think a very good example of good practice, which is done internationally with different associations of manufacturers, and it’s done in the U.K. with most areas of industry, is that groups like pharmaceutical companies immediately tell all the other pharmaceutical companies what attack they have had, how it was done, and they find out from the specialists how to protect yourself from it.
Now, I think this is very important good practice, because while we’d all like to prevent, the important thing is to minimize the harm that is done to everyone, so I really think that is a good practice that every country should have, and it’s certainly done in the U.K. and it’s done internationally within certain groups of industries.
>> TATIANA TROPINA: So you’re basically talking about Sectoral, so you’re basically talking about Sectoral information sharing, or cross sectoral information sharing because it corresponds very well with what has been said, something that works in one Sector or in one country, the question is, why can’t we sometimes leverage it to other sectors, other countries?
>> It started in the defense and aerospace Sector many years ago, and it spread into new sectors doing exactly the same thing. Now certainly in the U.K., as part of our cybersecurity policy, all sectors get the information, so they’re told very quickly about a new attack, and some of those attacks are specific to certain sectors, and others are much more widespread.
And they’re also told how to defend themselves from it, and I think that is a very important thing.
>> OLAF KOLKMAN: Before we go into this information sharing in sectors, which I think relate a lot about trust
>> TATIANA TROPINA: In the second session maybe.
>> OLAF KOLKMAN: Building trust networks, I want to return to Alexandru, because I think before we hop over to that topic of trust networks, let’s close the intergovernmental piece.
>> ALEXANDRU FRUNZA: In relation with good practices, I may exemplify a practice. I know it is good because it is ongoing, so it’s the work of the Cloud Evidence Group of the Council of Europe with the group established by the Cybercrime Convention Committee, T-CY.
>> OLAF KOLKMAN: What is the name of the group?
>> ALEXANDRU FRUNZA: Cloud Evidence Group, so at the Budapest Commission, the Cybercrime Committee is the one that the Committee of the Council of Europe that assess the implementation of the Budapest Convention in domestic legislation and also find the solutions to the new challenges identifying in this area. And the Cloud Evidence Group is a group established by the T-CY in order to identify solutions to the new challenges of the criminal justice access to transborder electronic evidence which is an issue of importance for all criminal justice authorities.
And the Cloud Evidence Group had collaborative multistakeholder approach as it tried to obtain the views of all important stakeholders, so we tell the exchange of views hearing meetings with Data Protection organisation in order to identify if this new proposed solutions will be in line with Data Protection requirements. Had two meetings in December 2015, and April this year, with Internet service providers in order to obtain their view on this issue.
And also held a meeting at Max Planck Institute in Freiburg.
>> TATIANA TROPINA: I can confirm.
>> ALEXANDRU FRUNZA: So in the first part of 2015, the Cloud Evidence Group identified which are the challenges for this criminal justice access to electronic evidence, and this year in February it issued an informal summary which is online on the website of the Council of Europe, where different solutions are proposed to address these challenges.
And this solution goes from practical measure in order to make MLA a process more efficient.
>> OLAF KOLKMAN: For MLA? Sorry.
>> ALEXANDRU FRUNZA: Mutual Legal Assistance process more efficient. It goes for transborder cooperation between criminal justice authorities and Internet service providers, and it can be it can go to an additional protocol to the Budapest Convention to address this all new challenges.
>> TATIANA TROPINA: Sorry, a question from me. There was some questions asked about human rights, so are human rights taken into account in these transborder data flows? Because the question of safeguards is very important.
>> ALEXANDRU FRUNZA: The thing of developing new solutions to address these challenges under the umbrella of the Council of Europe who stands for human rights rule of law and democracy, I think it’s the best safeguard we can have.
You also the Budapest Convention in its Article 15 clearly states that human rights and liberties should be protected and be embedded in all these new solutions.
>> OLAF KOLKMAN: I see you brought the Convention
>> ALEXANDRU FRUNZA: It was very helpful when I was the prosecutor.
[ Laughter ]
>> OLAF KOLKMAN: I was sort of hoping you would hand those out free, as well. You want to respond very shortly. And then after that I want to ask what’s been heard so far so we’re sort of talking about the transborder issues and Government approaches.
>> IAN BROWN: Just to say I think it’s great for the reasons Alex just said. The Council of Europe is getting more involved in this debate and as others have said this morning, I’ve seen, we can either wait for states to come to us, or we can also go to the forums where the states are talking to each other, and not so carefully listening. So I would really encourage people: Join these groups where they are open to broader participation, online and in person.
>> TATIANA TROPINA: Can we give microphone to Lea, as well? Maybe you want to address this?
[ Off Microphone ]
Yeah, okay, please go ahead.
>> LEA KASPAR: It’s okay, I’m listening to this and going to IGFs and EuroDIGs and the conversations, what strikes me is we’re all singing in agreement, right? It’s almost like preaching to the choir, right? And it’s concerning so last week, I was in, I’ll tell you why I think it’s concerning. I mean, it’s great that we have agreement here.
So last week I was in a meeting of the global Forum on cyberexpertise and that was founded after the GCCS conference in the Hague, and all that I heard was talking about threat, so there are increasing threats. How do we deal with attacks? How do we deal with this? I don’t know if anyone mentioned human rights or openness and transparency. There was very little conversation about this so if I just may, I think we can keep talking about this, but the problem statement that I would like to kind of nail here, and clarify is that we need a paradigm shift in how cybersecurity is being approached and how we talk about these things.
At the moment, it’s still very binary and I know that a number of conversations in EuroDIG have been about this so how do we avoid the binary framing between human rights and security? How do we ensure and promote policies where both sides see that security and Human Rights are reinforcing? That you need security in order to enjoy your Human Rights and vice versa.
And that’s the there was a conversation about economy and Human Rights, as well.
>> TATIANA TROPINA: It struck me, it struck me that this dichotomy is even in the title of the Plenary Session. I got used to cybersecurity versus Human Rights, but seeing economy versus Human Rights struck me, because about paradigm shift, sorry from the comment from the Moderator. I think if we are at EuroDIG at multistakeholder foras put these in the titles, we are already sending the wrong message and then I’m wondering how much time it will require to actually shift this paradigm.
Olaf, with your authority, where should I go, panel or
>> OLAF KOLKMAN: I sort of want to listen to our Rapporteur to create a little rest to see where we are and what he’s taken away, and then we continue where we were.
>> Yes, thank you very much, everyone. What have I taken away? Let me start off by paraphrasing Nigel, it has been a very wide canvas, and from that perspective it’s been very interesting. When we started giving the floor to the audience and we went from the Internet of Things, and how far do you want to go when investing costs when securing devices? Is it actually a human challenge or a technical focus that we need here?
We touched upon international cooperation and what does this mean for developing countries? Article 19 even mentioned, like, cybersecurity being used as part of a different agenda to actually cover up other things and harm freedom of expression, for instance.
The responsibility of software vendors, Windows 10 was mentioned. But I heard five points I actually find most important. First of all the technical versus the human component that Marco started off with. Ian referred to the fact from a technical perspective we do not want to see security by obscurity, refer to the open standards and how we work within the IETF. From a human perspective the focus has been on cooperation and expectations but also that security means a lot of different things to different people, different interpretations and how does that work cross border? This brings significant challenges for Governments who work within their National jurisdictions.
The openness, the importance of openness and transparency. Wonderful, very nice principle, but how do we put that into actual practice? I like the example of what happened at the Global Conference on Cyberspace, like all the nice words used in the Plenary, but actually where the business was done, was bilaterally in closed sessions.
>> It’s Dutch, isn’t it there?
>> Yes, that is very recognizable. Are we going back in time, like where it started off in between amongst Governments and then opening up the multistakeholder process and now as Governments have more of an eye on what’s actually happening in cyberspace part of the agenda seems to go back and is being determined amongst governments. I like the two critical best practices Ian referred to both the multistakeholder model and the rule of law which seem actually very clear to me and that’s a nice starting point.
And last but not least, Tatiana I think referred to it, are Human Rights sufficiently taken into account when discussing different approaches?
>> TATIANA TROPINA: There were several people referring to it. I believe it started with Article 19 and Lea and me and Ian.
>> OLAF KOLKMAN: Fotjon, any response from cyberspace? No?
>> TATIANA TROPINA: There is an intervention from the audience and then I will go back to Nigel because he want to intervene.
>> Thank you. I’d like to respond to Lea on the Global Forum of Cyber Expertise. I think you have to understand where it comes from. The Global Conference on Cyberspace, the GCCS, was organised by three Dutch Ministries Foreign Affairs, Human Rights, Security, and Justice so everything to do with threats and all the other things, and a little bit by economic affairs about the economy of the Internet. The GFCE is run from the National Cybersecurity Center of the Netherlands, where the Secretariat more or less is positioned, so if you want a real debate with those people, have them on your panel.
And on the other hand is that they also do things like responsible disclosure so there are definitely topics which are different from threats, and it’s open for everybody to come up with topics, so in other words if you manage to strike a Coalition.
>> LEA KASPAR: The last one is incorrect. It’s not open to everyone on topics. Actually on the Advisory Board of the GFCE, and while I’m amused by mansplaining, it’s incorrect. You have to be a member. Membership to the GFCE was closed by Governments and private sector and the Advisory Boards were set up as part of the Dutch Government initiative to open it up, and I think that’s great, but we have a long way to go before it’s open and before people can actually suggest what should be done there.
>> I’m wondering why the transcript is covering Lea Kaspar to if you can change it, it could be good. When Lea started talking, there was a transcript. I don’t know if there’s confusion in our voices or confusion in something else.
>> The main message remains: Make sure that the right people are on your panels, because that’s the only way to open up a discussion and I don’t really see them sitting in the panel and that changes things because you start talking to each other.
>> TATIANA TROPINA: I saw your hand. I will come to Nigel, and then I will come back to you. Or would you like to
[ Off Microphone ]
>> OLAF KOLKMAN: Let’s stick to the audience for a while. See where it go?
>> MARYANT FERNÁNDEZ: This is Maryant speaking, I’m from Brazil. I would like to voice Lea’s concerns about openness and participation. I know that Lea and others in Civil Society have done a great job in opening up the Cybersecurity Conference. I think the Dutch Government has been very prone to opening discussions as well but this is not the only space where cybersecurity discussions are taking place. We have an upcoming GGE discussion starting the Governmental experts in the UN First Committee.
There are some experts academics that have very much contact and a frame of thinking that come from the Military Sector that are trying to move forward discussions on legal basis how to implement the manual that has a traditional understanding of how sovereignty should apply to cyberspace. We had a meeting at the beginning of the year, Olaf was there for us. It’s astonishing how Governments still see sovereignty as something that applies without being transforming to something else on cyberspace and these are spaces and I agree with Lea in which we do not have opportunities enough to participate and we are not really aware that this discussion is taking place.
And this needs to change, because we did not have yet any major disruption or cyberconflict of big proportions in cyberspace, but when we do and this moment probably will come in the future these are the people that Governments will resort to that everyone will want to listen in the future, not multistakeholder community but people that are advancing the discussion from a military standpoint.
So I think it’s really important for us to bridge these silos and if they don’t come to us then we should go to them somehow.
>> OLAF KOLKMAN: So I think this is a good bridge into something that I’ve heard before, so to speak, that I call it subsidiarity to some extent both on geographical as well as topical areas. People tend to cluster together and collaborate with trusted communities, that’s sort of my observation.
Good examples of that are CERTs. The pharmaceutical example that was given is a very nice example where I would say both on a geographical scale like within the U.K., but also on a topical clustering naming pharmaceuticals, people got together and said we need to fix something here. We know our space. We have trusted relationships, let’s get this done.
My thesis listening to this is that in other environments, namely military environments where cyberwar and cyberthreats and cyberdefense are discussed, the trust relations with the other sectors have not yet been built. So that’s sort of the thesis that I want to throw at the audience.
How is it that sometimes these trust relations work? And why is it that sometimes they don’t? I think that question was asked earlier, but to me, it feels like that is sort of an undercurrent of the discussion that I heard so far.
Is this related to trust between communities?
>> TATIANA TROPINA: We threw this question to the audience so Nigel, I’m sorry, we’ll come back later to you with the microphone.
[ Laughter ]
>> Hi. I’m from the European Network Information Security Agency. On that particular area, we have already made the produced the reports, how have you built trust communities, first. And second, we maintain a lot of different groups from different sectors, both Governmental, industry, and so on.
What I would like as a general rule of thumb, I would say that there is a tendency to particular cultures. It’s a matter also of nationalities I would say, and in general, the countries south trust less the Governments when compared to the countries in the northeast. The most successful
>> OLAF KOLKMAN: Question, is that a European division or a global division?
>> I’m talking about European, because all the studies we do is for Europe. Only for Europe. For Europe.
This is a general rule of thumb, and the best so to say good initiatives for a setting is we can find in the Northern countries especially the Scandinavian countries, this means something. This means that people there, they trust each other more, and they have established communication channels a lot with a long history back.
This is one of the
>> OLAF KOLKMAN: A cultural aspect, a true cultural aspect.
>> And one remark I would like to say is that we never use the term best practices, it’s wrong. Because the better is always an indefinite loop, so all the time you can find better and better practices. So we use the term “good practices.”
>> TATIANA TROPINA: That’s a very good point. We put the title of the session with a question mark, are they really the best?
>> OLAF KOLKMAN: Best current practices. We actually talk about current. Dennis?
>> I wanted to direct to your point about the division between two groups and how to build bridges. I think there’s another cultural aspect there and it is that it is National Security service, this is military organisation that are now turning towards the Internet who have a very specific esprit de corps who have a very specific notion of what their role is which is nationally oriented which is thinking in terms of National survival, have a long tradition of thinking in this way, and now transplanting it to the Internet, which is wholly different from the way the Internet Community, especially the technical community, has always seen and construed the Internet, as a global asset, as something that is collaborative, that is open. These two things clash.
We were at the same meeting in Geneva which was actually in the run up to the next GGE so there’s not like there’s no context at all but it’s very limited. One of the takeaways I had there was these communities look at each other as the diplomatic communities and the people in this case from the technical community looking at each other and sort of baffled by the fact that when they talk about security they mean something totally different, completely different.
But as one small glimmer of light that came from that there was a tendency, okay we need to do this more often because we do mean something completely different. We’re in this boat at least to a certain extent for the ride. And we need to know more about each other’s definitions and what we actually mean.
Also from a realization I think with some of them at least that when it comes to actual cybersecurity to actually keep up the network it’s not the military that’s going to do it. It will be technical communities, it will be companies, it’s going to be all the partners within the global infrastructure that are going to be responsible for doing that so they need to turn to somewhere also when push comes to shove.
But I think there’s a massive gap and it has to do with a long, long, long tradition, military tradition is a lot longer than the Internet so give them time.
>> OLAF KOLKMAN: And the rule of law.
>> TATIANA TROPINA: Thank you. Anyone else in the audience? Please.
>> George Christopher, University of Warwick in the U.K. I want to expand that further in terms of culture. You talk about between countries but much of the interaction I guess between the technical, the police, judiciary is cross jurisdictional as well so I wonder if there’s any further information or studies or research on actually, because I know those reports were done quite a long time ago on how they actually cooperate and what works for them, there was some good work on secondments for instance so people start to learn how different cultures work and they gradually begin to work together in a better way but I just want to throw out and wonder if there’s anything else out there that we could talk about in terms of good practice.
>> I’ve been involved in several initiatives in the past 10, 12 years cross border and National, let’s say cross border between very different institutions and where everything starts with is bringing the right people together. And just like Dennis is saying, that as soon as people have met three times, things tend to change because all of a sudden they start to understand their own background better, but also the background of the other organisation and that’s the starting point of building trust, and yes there has been several successful initiatives. I remember being involved in ENISA, CCERT, and enforcement meetings where I was able to give presentations in the past years, and then I went away to my own consultancies or left the job I was in, and I heard last year someone from the CCERTs defend the cooperation with law enforcement. In the meetings I was in, that was something that was totally unthinkable. They don’t cooperate. They come from a different planet. We’re technicians and you’re something else.
I had that with spam enforcement agencies across the world that meet two times a year and it was possible to call someone from the Netherlands in Washington saying I need your help. We found this IP address or Domain Name where first cooperation wasn’t possible, now it is. Nationally I think mLani is an example where people are working together. Perhaps you’d like to say something about it.
There are things that work.
>> OLAF KOLKMAN: I’m going to take five more minutes for the audience. See one more hand there and a second hand there and the third hand there. That’s the end of the queue, those three hands. After that, we run to the panel. The panel has 10 minutes to respond. And then we need to wrap up. Things go fast when you’re having fun.
>> TATIANA TROPINA: I also saw that the panel feels impatient and abandoned but we’ll go to the audience first.
>> I’m sort of silently sitting here in the corner listening but what I miss a bit and that a lot of this and I know the kind of security in general is reactive. We’re looking at sharing best practices but then it’s mostly about sharing information about breaches. Sharing practices on how to trace it. What I miss in this discussion is, is there anything we can do proactively in sharing our best practices to defend ourselves?
>> OLAF KOLKMAN: I want you back in the next session which is forward looking. Thank you.
>> A question or rather something that I’ve noticed in this discussion is that there’s a lot of talk of public private partnerships, and the problem with that as Lea had already mentioned, if Civil Society perspectives aren’t welcome or aren’t allowed to be in the room, then we end up with Code of Conduct that don’t necessarily align with the rule of law as we have it, or with the perspective of Civil Society. I think it’s very important to point that out. I also think it’s important to look at the alternatives where we can have such partnerships but everybody is around the table and you really have multistakeholder. David Kaye, who published his report on Monday, the Special Rapporteur on freedom of expression, specifically focuses on the responsibility of private actors in the digital age, and says if you want to be able to do something like this, you can’t have that be a conversation between Government and the private actors and keep everybody else who will be subject to these rules that come out of it, out of the discussion.
>> TATIANA TROPINA: Thank you, Corinne.
>> Hi, Sasha from the University of Sarajevo. I wanted to reflect on a couple of things. One of them is cooperation amongst industries. This is a story from the trenches. Sometimes I work with law enforcement agencies. We had a breakout of attacks on electronic banking in Bosnia that the same attack that was used someplace else, some other place. It seems the banks have not exchanged any information whatsoever and eventually people got hurt because companies attacked, their bank accounts were emptied basically for a lot of money and banks were not really helpful at that stage.
Another thing that came as a question that is raised here, cross border evidence. Basically, most of the attacks happened using tools from various countries. First attack was based on Russian developed software, a company. Part of the attack was realized through a U.S. based company. Law enforcement agencies have rather good cooperation with the INTERPOL, Europol to access data from other law enforcement agencies, but they don’t have real influential way to tell them to give data on a particular IP address or ISP provider, there’s one in Bulgaria, the other is in Russia so that kind of cross border cooperation doesn’t really work. Actually it does work but if it’s after two months it’s worthless basically.
>> OLAF KOLKMAN: I’m looking at the clock. We have 2 more minutes and I had seen a hand over there so I’m extending the queue by available time.
>> Thank you, very generous. I’m from the EU so I have here the European Union focus. One issue because was mentioned good practice, best practice, in Austria we set up a cybersecurity platform which is a public private partnership for business, academia and administration within the Austrian cybersecurity strategy, this is one point where people can exchange and maybe develop trust getting to get to know each other. Maybe just to throw some facts or some in the discussion because it was mentioned the rule of law.
We have now in the European Union, you have the Network Information Security Directive, which is I think the first ever legal measure which was now adopted, which will come into force in two years. And maybe also Data Protection, what was also mentioned, the Human Rights focus, you have Data Protection regulation but you have also now for the first time a directive for Data Protection, for law enforcement purposes, let’s say it like this. It’s not the correct title but it’s a very long title, just to throw it into the discussion. Thank you.
>> TATIANA TROPINA: Thank you very much.
>> OLAF KOLKMAN: Thank you. That is all very timely because now we go back to our panel, and I see Nigel shifting in his Chair for quite a while now. What is so interesting about the Twitter wall behind us is that we also see our panel participate through Twitter.
>> TATIANA TROPINA: Yes, I saw some mischievous smiles on the panel. People were Tweeting.
>> NIGEL HICKSON: Truly interactive panel. Start again, I was slightly frustrated, because I wanted to intervene a bit earlier because I thought we had a really, I’m not saying the last thread wasn’t interesting but I thought the previous one, we were really getting to something very significant. And I think in this room, this IGF, at this EuroDIG sort of meeting, we need to stay at this level. And I think Lea really put her hands on it with the explanation of the GFCE.
And what we are seeing I think perhaps I was too jokey in my first intervention we have a multitude of platforms. We have a multitude of initiatives. We have lots of areas where issues are being discussed on what we term cybersecurity. And I know there’s different areas on that.
But the question we come back to is, A, are those initiatives sufficiently transparent and open?
Are they too narrowly focused? What real effect do they have? And how are we going to bring these different initiatives together?
And my observation having sort of worked on these issues in ICANN a bit is that we are in a very difficult situation, in that we do have some excellent initiatives going forward, and what Ian is doing at Oxford, and I’ll just say he’s sitting next to me, but that is an initiative which I think has the potential as Fadi Chehade, the former CEO, if you like the focus of being the way, of being the methodology of bringing some of these issues together, because if we look outside of the other organisations working on this, the Dutch initiative, we’ve heard has some issues with it. We have the overall initiative of the Cyberspace Conferences and will it be picked up again? And it’s really moved into something which it wasn’t supposed to be when the U.K. set it out. We’ve got the Council of Europe doing some excellent work but how does it bring in? We’ve got the ITU doing work in this area.
We might say what does it have to do with the ITU? But the ITU spend a lot and lot of money in this area on cybersecurity standards some of which I’m told perhaps are good. Some of which I’m told are not good. We’ve got the Commonwealth Telecommunications Organisation. We’ve got the Organization of American States. We’ve got The World Bank, we’ve got all these different initiatives, spending money, doing capacity building and what real, what is the end effect? This is where I think we have the worry.
>> OLAF KOLKMAN: I think I hear you.
[ Laughter ]
I agree with you so this is where I’m reflecting back to this is my teaching moment with respect to collaborative security, which indeed says, we have to work from a set of values. We have to be risk based if it comes to the Internet. We don’t want to flush the baby with the bathwater. We have to be, the values as Human Rights and so we have to take that into account. The thing that I’m not quite sure I agree with you is the bringing together part.
And the reason is, if we look at, say, other initiatives, coping with big society, global issues, it is not always the case that all these initiatives are necessarily aligned. People do a lot of things, and sometimes they’re effective and sometimes they’re not.
I do agree when we say we need to know of each other, I do agree when you say, make sure that the people who do the work are in the room. I’m not quite sure if we need to get everything bolted together but I’m not sure if you said that, so
>> NIGEL HICKSON: I didn’t say everything. Nothing is always bolted together. Climate change has managed this to an extent and I think the real danger on the cybersecurity agenda is that it gets so fragmented, I’m talking about the Internet being fragmented but the debate on cybersecurity gets so fragmented that you lose the real nuggets of expertise which are out there.
>> OLAF KOLKMAN: I think you’re right. The amount of clue in the universe is a constant and that clue cannot be everywhere.
>> IAN BROWN: Following up I very much agree with Nigel on that. I’m very disappointed to hear about the GFCE because I thought that was not making the same mistakes again so I hope either that can be fixed in future or it becomes a backwater because clue and attention is limited, those of us that spend much of our lives going to these meetings can just about keep up but that’s very few people in the world and everyone else shouldn’t have to rely on that small number of people doing that. A more academic perspective I would give to you all on that as well, which I think is particularly relevant for Civil Society, is if you read a book called Information Feudalism, which is an excellent account of how the trade related it’s such a mouthful the WTO’s Agreement on Trade Related Aspects of Intellectual Property Rights came about, and the core message from that book which is very relevant for cybersecurity is: States, big states, not just the U.S., but the U.S. is one example, are very adept at Forum shifting as academics call it of finding the Forum that is most aligned to what they want to get and then focusing all their attention there and excluding other interests, whether that’s Civil Society or certain parts of industry, that will get in the way.
So this is another risk of the fragmentation that Nigel describes that I don’t know if there’s anyone from the U.S. Government in the room and I don’t mean this as an attack on the U.S. Government but fragmentation leads to the most powerful actors getting their own way to the exclusion of almost everyone else in this room, I would say.
>> OLAF KOLKMAN: Cognizant of time, I want to give the panel the opportunity for final remarks. And with the panel I include you Tatiana for final remarks.
>> ALEXANDRU FRUNZA: Two final remarks, the first one is in relation to the question made by the question from the gentleman from Sarajevo. This issue of cross border investigation is an issue very important for criminal justice authorities who need data, who now is located in different jurisdictions. In 2015, more than 100,000 requests for data were transmitted directly to service provider the 6 big service providers, Apple, Facebook, Twitter, Yahoo!, and two more two others, and in 60% of the cases this request for data replied were replied. So there is a concern on this type of data flow.
And how can this be covered and embedded in Human Rights perspective and rule of law? This is an issue the Cloud Evidence Group is trying to address.
And the second remark I would have is that we need to have a clear line between National Security measures and criminal justice investigations. We have to be very clear on what these two types of gathering electronic events concern.
>> OLAF KOLKMAN: Okay, thank you. Nigel?
>> NIGEL HICKSON: I don’t think I’ve got any more to say. No, I won’t say anything.
>> OLAF KOLKMAN: In that case, thank you.
>> NIGEL HICKSON: But I think this has been an excellent opportunity. And I’m glad that you have another panel that can carry forward some of these issues.
>> OLAF KOLKMAN: And I hope you will be there and contribute from the audience, Nigel. Thank you.
>> TATIANA TROPINA: Before Ian wraps up, as a Twitter user maybe you can wrap up in 140 symbols?
>> OLAF KOLKMAN: No, we’re not there yet. We’re not there yet. We still have 6 minutes for wrap-up.
>> IAN BROWN: I’ve got three Tweets. I agree with everything that’s just been said. I encourage the Council of Europe to make sure Civil Society is fully involved in those debates because you sometimes see even within the Council of Europe slight polarization between the more law enforcement focused parts of the Europe and the more Human Rights focused parts and that Civil Society in practice, this is something we didn’t get to but it’s very important to Civil Society. They have to in practice contribute and not in theory. That might mean us as the Council of Europe does to pay travel expenses and for the EU and ICANN to continue their work to actually pay for some of their time, because it is part of my job to come to meetings like this. Civil Society activists, the money has to come from somewhere so I think that’s really important.
My second and closing other practical small but very significant issue builds on what Dennis said. One of the reasons it’s so difficult for National Security type discussions to be multistakeholder is that the people in those communities are very used to excluding even former senior civil servants like Nigel that don’t have top secret security clearance. They’ll leap to say you probably did given what you used to do but I don’t know about the rest of the world but actually in the U.K., it’s very difficult to get what’s called DV clearance in the U.K. I really would be surprised if someone like me would get it. I don’t mean that I’ve done anything particularly outrageous in my youth. But it takes 6 months. It costs 30,000 pounds plus. You have to have a sponsor.
So that automatically, the moment discussions go into those kinds of fora by definition they cannot be multistakeholder, and unsurprisingly some of the consequences are bad for the technology industry, the Internet, Civil Society interests, academia, everything else.
>> OLAF KOLKMAN: Lea?
>> LEA KASPAR: Yeah, thanks. And the first point that Ian made gave me a segue into what I wanted to say. It was to do with resources, and if you wanted to focus your attention on something that, what we’re discussing here, I’d say you can’t cover Nigel is right, you can’t cover everything. What you said is actually on point. There’s so many different this is such, in part that’s a problem, the complexity of what cyber covers. IoT, surveillance, Data Protection, cybercrime, cyberwarfare. There are all these levels. How do you figure out where to go? So if you have limited resources what we’ve been trying to say is all right, let’s focus at the principle level and try to promote the paradigm shift. Tatiana will be working on this as well and think about how you define cybersecurity and how you frame the debate so when it comes to all these forums they have a starting point already based upon a Human Rights respecting approach to cybersecurity. Thanks.
>> OLAF KOLKMAN: Do you have any comment?
>> TATIANA TROPINA: I have only one comment. I think this discussion was an excellent bridge for our follow up session, because we still have so many discussion points where we didn’t even touch that much like Internet of Things and I believe that we have so many points to discuss in the follow up session I think it’s excellent.
>> OLAF KOLKMAN: Good. Send me a free book. We’re not done yet.
>> TATIANA TROPINA: You’re not free yet. You can’t run away.
>> OLAF KOLKMAN: We have 5 more minutes before I’m going to give the word to Bustjan to summarize what we talked about, try to summarize what we talked about. I’m going to ask you to close your eyes after the summary and think of an ideal world, and think of what, if you were the absolute ruler of the Internet, which best practice would you impose on the Internet as a whole, or the society that deals with the Internet?
What best practice that makes the world more secure would you impose on the world? That’s the question.
The answer? You all get to answer that in a Tweet. The panelists get to answer that in a Tweet read out to you all. So that’s the question, and now over to Bustjan.
>> TATIANA TROPINA: I’ll give you the microphone if you promise it will be only four points.
>> I can combine two of them. Thank you, Tatiana. I think we had a very interesting second part. I won’t reiterate what I summarized after the first 45 minutes.
Olaf started off the second part with mentioning people tend to cluster together and collaborate with interested communities, with a trusted relationship something can be done. And how to build on this with other clusters and communities and potentially combine them.
We need to collaborate to get things done, and then the essential point is to create trust between stakeholder groups. That remains a challenge. There were positive examples mentioned between CCERTs together with law enforcement and battling spam.
Dennis then made also a very interesting comment with regard to diplomatic and technical communities trying to get together but the gap remains huge.
Positive, though, that the intention is to continue the dialogue. But how if you have these clusters, it’s interesting to see that there are a lot of initiatives ongoing, but how to keep them open. More transparency is necessary, especially when there are public private partnerships, and other stakeholders, like Civil Society, cannot participate.
Last, maybe not least, we have a multitude of platform initiatives. They’re spending a lot of money in doing capacity building, but how open and transparent are they? What effect do they actually have? And how to bring them together. The latter part is an open question still. Maybe we can go into more detail this afternoon.
>> OLAF KOLKMAN: Thank you. So I want to get a look at that thing that is exactly on time.
[ Simultaneous Speakers ]
I want to do an experiment. He just gave a summary. I want to get a sense of the room where that summary aligns with your thoughts and I’m going to do that with the ITFM so I’m going to ask you a question which is I’m going to ask you a question whether Bustjan’s summary was a reasonable summary of the events. If you think that is the case, you hum, which is just go mmmmm. Then I’m going to ask you whether it was not a reasonable summary. If you think that is the case, you hum.
Based on the audio level, we get a sense of the room. This is a methodology that is used to get a sense in the room in the IGF because a show of hands is sort of binary and here you get the feel of
>> OLAF KOLKMAN: Unidentifying sense of the room. So if you think that Bustjan’s summary was reasonable. Then please hum now.
[ Humming ]
I shouldn’t hum because the microphone is on. If you think it was not a reasonable summary, please hum now.
[ Applause ]
So your Tweet, what best practice would you impose on the world? Lea?
>> TATIANA TROPINA: 140 symbols, Lea.
>> LEA KASPAR: I’m going to try to. Start again. Build an Internet that has Human Rights baked into its infrastructure.
>> TATIANA TROPINA: That’s a very nice one.
>> IAN BROWN: Make security considerations, Human Rights considerations, in all RFCs, and rule of law.
>> Make a rule that we never talk about these issues without all stakeholders around the table.
>> ALEXANDRU FRUNZA: And balance security with confidentiality and other Human Rights on the Internet.
>> OLAF KOLKMAN: Thank you all.
>> TATIANA TROPINA: Thank you very much.
>> OLAF KOLKMAN: I hope to see you all back. I hope you all Tweet your wish for now. After the break, we reconvene in this exact room, and then we’re going to look forward. We’re going to look towards trusting our cyberenvironment, and what is needed to build that trust. Thank you very much.
>> TATIANA TROPINA: Thank you very much.
[ Applause ]
Session Twitter hashtag
Hashtag: #eurodig16 #EuroDIGsec