Non-state actors in Europe and beyond: The true shapers of cybersecurity norms?! – WS 09 2018

From EuroDIG Wiki
Revision as of 17:37, 4 December 2020 by Eurodigwiki-edit (talk | contribs)

6 June 2018 | 14:00-15:30 | MASTER ROOM | YouTube video
Consolidated programme 2018

Session teaser

While often involving technical matters, cybersecurity is a socio-political realm where various voices from academia, business, and civil society have called for the development (and enforcement) of pertinent norms. This session looks at non-state actors as key norm shapers and wants to elucidate their role in the broader context of cybersecurity governance in Europe and internationally.


Cybersecurity, cybernorms, standards, multi-stakeholder governance, non-state actors.

Session description

Over the past two decades, the public domain has experienced far-reaching phases of reconstitution. Forces of globalisation and technological advancement have added new degrees of complexity to international affairs and have given rise to a sweeping pluralisation of actors. Polymorphous non-state actors have come to inhabit central areas of international steering and policy-making, including among others, cybersecurity.

A domain of rising political, economic, and cultural relevance, cybersecurity has been subject to considerable non-state actor engagement. Apart from acting as providers of services such as end-point protection or technology consulting, non-state actors have also been seen to contribute extensively to the development of international cybersecurity norms.

This session wants to shed light on the following questions:

  • How are non-state actors in Europe and beyond involved in norm-making processes?
  • What strategies are employed in Europe, and internationally?
  • Are norms appropriate tools to regulate international relations and provide stability and security in Europe and beyond?
  • Should policymaking be a non-state concern?


As a matter of public debate, cybersecurity norm development should concern everyone, which is why the session follows an interactive and inclusive format. In addition to the roundtable participants (representing different stakeholder groups), it is up to the audience to shape the discussion and provide thought-provoking input.

Session structure:

  • Moderator opens the session and provides the context for discussion (with audience contribution)
  • Round table participants provide opening statements
  • Audience challenges round table participants
  • Following initial discussions, moderator moves to interactive Q&A
  • Round table participants provide final statements
  • Moderator wraps up

For participants who cannot attend the session in person, remote participation is greatly encouraged. All voices will be made heard.

Further reading


Focal Point

  • Jacqueline Eggenschwiler (EURALO Individuals’ Association)
  • Laurin Weissinger (University of Oxford)

Organising Team (Org Team)

  • Jacqueline Eggenschwiler (EURALO Individuals’ Association)
  • Laurin Weissinger (University of Oxford)
  • Ilona Stadnik (Saint-Petersburg State University)

Key Participants

  • Dr. Wolfgang Kleinwächter (Member of the Global Commission for the Stability of Cyberspace (GCSC))
  • Nata Goderdzishvili (Head of Legal Department, Data Exchange Agency, Georgia)
  • Maarten Botterman (ICANN Board)
  • Dominique Lazanski (Public Policy Director, GSMA)
  • Christoph Steck (Director Public Policy & Internet, Telefonica)


  • Tatiana Tropina (Max Planck Institute for Foreign and International Criminal Law)
  • Jacqueline Eggenschwiler (EURALO Individuals’ Association)

Remote Moderator

  • Fotjon Kosta (Ministry of Energy and Industry, Albania)


  • Ilona Stadnik

Current discussion, conference calls, schedules and minutes

  • Please join the mailing list for more information.


  • A strong regulation of cyberspace could stifle innovation and development.
  • The understanding of norms differs from strict legal rules to self-regulation. Moreover, there is a problem in the acknowledgment of the existing principles – ‘western principles’ vs. ‘eastern principles’.
  • States have made great progress in negotiating principles for cyberspace regulation, despite some failures, such as the recent GGE in 2017.
  • Transnational commercial giants cannot dictate international conventions for cyberspace. It is the responsibility of states to come to legally binding norms. The industry has its own interests in the norm-making process to enable the development of their markets. Civil society is likely to stimulate the industry to come to norms, rather than produce independent initiatives.
  • Politics is inevitable in cyberspace due to the ongoing cyber-arms race. In contrast to cyberwar, the issue of cyber stability provides more space for all stakeholders to contribute to the drafting of rules that would ensure the development of information society and digital economy.
  • There is a disconnection between the new technologies and the response of the regulators. Therefore, self-regulation by the industry may serve as a starting point for building norms on an international level.
  • All stakeholders are responsible for their actions in cyberspace.

Find an independent report of the session from the Geneva Internet Platform Digital Watch Observatory at

Video record


Provided by: Caption First, Inc. P.O Box 3066. Monument, CO 80132, Phone: +001-877-825-5234, +001-719-481-9835,

This text is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text is not to be distributed or used in any way that may violate copyright law.

[No audio.]

>> Holding processes and here we expect a word cloud. Who do you think either is most important or who do you think is most engaged? Let's see if it works. So if you have access to your phone or laptop you can go to, enter the phone and we should see a beautiful word cloud hopefully growing.

On the other link, we just need to switch the screens again. It's a little bit of a back and forth. And please let me know if it's working. So again the code is 745516. And the address is There we are. Okay. It's building.

So, so far we have states, civil societies. I'm assuming it's international organizations, the private sector. Let's see who's getting the most votes right now: Lobbyists, that's an interesting one. Law enforcement agencies. Whoever said "me," I would like to talk to this person.


Because that would help a lot. Having a direct person to talk to. So in terms of numbers of votes. It seems like according to the voting capacity here, which is actually a perfect bridge in terms of what we want to cover. Okay. It keeps growing prominent example. Figures on our list. Technical communities now appears as well.

And just to give you a bit of background in terms of norms discussion, you might be aware that norms-based discussions started or at least the discussion about regulating for an international treaty, for example, started to surface in the late 1990s with a proposal by the Russian government to work on the legally binding security treaty which was proposed in the setting of the United Nations and then from there moved across various status, got a bit sift. In terms of legally binding treaties to what we often associate with softer norms. And moved through different stages of what's called UN group of governmental meetings. And the latest in terms of which resulted in a nonconsensus outcome in 2017.

And while there has hardly been any agreement on how to address responsible behavior in cyberspace early on, we see a bit more convergence now, particularly we see the surfacing of quite a number of non-state actors in this area.

And that being said, I would now turn to the panelists, I hope to have provided them a bridge, and ask them first of all to introduce themselves, a bit more context and highlight their affiliation with or -- with norms in particular and whether or not they matter. So we'll kick off with Wolfgang if that's okay, as one of the members, as I said, of the Global Commission for the Stability of Cyberspace who have just issued their second norm and maybe Wolfgang can tell us a bit more about that.

Thank you.

>> DR. WOLFGANG KLEINWÄCHTER: Thank you very much. Yeah, questions of cyberspace and norms is indeed a long story and it did not start with the Russian proposal in 1999, so we had this discussion already in the 1990s.

I think the first real proposal on the table was the proposal from the Vice President of The United States of America in the ITU telecommunication development conference in Buenos Aires in 1994 when he proposed a global information infrastructure.

And part of this GII proposal was, you know, to frame a little bit of the emerging information society. This was followed by a proposal by someone in 1997 to draft a declaration for the information society, and this triggered the process which led to the world summit on the information society.

The Russian proposal in the General Assembly of the United Nations was much more oriented on security issues. On how security issues. While the other proposals were more of a general nature to frame the information society.

And the world summit on the information society where the question of: Do we need a cyberspace treaty like a treaty for the law of the sea or out space.

And the debate in all these years was: No.

If you introduce too strong regulations in a field that's full of innovation, then you stifle innovation and then you stop the development.

So that means the Kofi Annan, the Secretary General of the United Nations argues, that in 2003 for the first time of history we discuss an issue we have not yet acknowledged about the dimension.

So it means: Let's keep the space as free as open, let's stimulate innovation and then come back, if we have a clear picture, how much we have to regulate or not and how much we have to have norms and not.

And I think with all the events in the last five, seven years, see, I wouldn't say a turning point, but the general approach is changing; and you have now a much greater pressure and a broader understanding that norms are not only a bad thing, norms are needed.

You know, with so many, let's say, bad actors in the cyberspace, so you have to stick within the rules, you have to agree on certain rules and then you have to also implement certain rules.

And so far, you know, the reaction to the Russian proposal in the United Nations General Assembly changed a little bit and so they were looking for a middle way which led to the group of governmental experts and not to hide legal norms but to confidence-building matters and some soft norms and which pave the way for a new approach and it's not only governments anymore that act in this field there's also non-state actors, but we will come back to this a little bit later, the role of non-state actors.

But I think it's important to have this general understanding so then you can much more clearer define what are the realistic options for the future.

Thank you.

>> Thank you very much, Wolfgang. I believe Tatiana has a question.

>> TATIANA TROPINA: Could you please discuss on the results of this poll.

We start with the norms of Russian development and the world regulation was said several times.

But we see on the screen like the most responsible for private sector technical communities is this more inspirational or reality? Does it reflect reality?

>> DR. WOLFGANG KLEINWÄCHTER: You know you are a lawyer, law is made in the discussions by states.

The group of governmental experts on the consensus report in 2015 agreed that international law is relevant both offline and online.

So far, you know, this reflects not the reality. The reality is that if it comes to legal norms, then it's in the end of governments.

But the challenge is now because we know that governments cannot control the whole cyberspace, they do not have the knowledge to understand if it comes to issues like attribution.

And so far, we are not just there, but there is a debate to go beyond in the governmental arrangements and to include more private sector at the moment.

And I'm surprised civil society is here the strongest partner because this is indeed a good proposal.

It's a good idea, but at the moment it's wishful.

Civil society is not sitting on the negotiation table. It should be because they are affected by the results. But the reality is it's government only, and they opened the door a little bit to the private sector.

>> Thank you very much. If you want to reflect on aspiration versus reality and the issue, maybe not in your introductory statement, but maybe better.

And for everyone in the room, because I believe that you have your opinion, especially those who put civil society there, thank you.

>> Thanks, we'll move on to Maarten, please.

>> MAARTEN BOTTERMAN: I'm Maarten and I'm on the ICANN board and I would also like to speak in my private capacity as an independent strategy adviser on Internet and society.

I will say from the ICANN perspective part of the norms are set in our contracts with our contracted parties they determine elements that contribute to a secure and stable Internet in terms of the DNS system.

It's a minor part of it, but it's a part and it's a norm; it's not a legal norm, but a contractual norm.

I think if we look to the industry, that we see that there is an interest of industry to also keep up certain norms to allow a market to flourish, to allow consumers to want the product and to make sure that not to mark abuse of those consumers abuse of that has been made.

In that way, there are also soft norms that are developed by industry that sometimes they keep each other, too, in terms of self-regulation.

So I think that's been growing importance, as well, because the legal norms makes to the international law are only applicable in the country itself and that makes it very limited, particularly when you talk about cyberspace.

Civil society, I would say, is an aspirational remark here. Civil society is important in noticing mishaps and raising the flag and starting discussions, but it's very seldom, in my experience, that they end up setting the norms; they may stimulate industry to come to norms, they may stimulate states to come to agreements, but they don't set the norms themselves, is my experience.

And if people disagree, please, please let it be known.

So, altogether because of the limitation of law that first cannot follow the quick development of technology adoption in society; but, secondly, it's limited mostly by national borders.

I think it's very important to see that state actors have to step up even more and can also not hide behind laws that exist to set norms, therefore very clearly are responsible for making sure that the norms that are there are kept, too, and are known to those people using the products and services that are related to it.

>> If I may, do we have any interjections or questions to Maarten's comment? I see a raised hand at the end? No? Okay. That was a false alarm.

>> MAARTEN BOTTERMAN: So everybody agrees, thank you.

>> MODERATOR: I would challenge the gentleman at the end of the row.

Please go ahead.

>> Just more of a comment than a question.

I think we got those answers because we were using the true norm and maybe we should just define what we do mean by norm because sometimes panelists have been using law as a specific norm defined that law could be a norm, as well, where some of us may have more or less the interpretation that a law would not be called a norm.

>> Thank you very much for your comment.

This is why after Wolfgang's intervention, I asked the question that: Do you think that we have to change the general notion of norms? Because actually if you think in general what is norms? Norms are the standards of behavior that everyone should follow.

It could be law or whatever.

And then what do you mean when we say norms? When we say engagement the norms make.

And further to your comment, I agree with you that maybe we don't mean the same thing.

Whoever put civil society means something different and this is something to share from you.

>> But just one remark.

I don't think there's norms that everybody supports which is generally accepted norms.

>> You just basically asked the question I was going to discuss at the beginning of my presentation, and if it's okay I might just talk briefly about norm setting and not focus specifically on the comment just made at the moment.

Basically I was thinking about this because I was at CyCon. That was the NATO cyber conference. And there was a lot of discussion, unfortunately after you left, Wolfgang, around, you know, the norms that that particular group, NATO, and some of its allies as well as the private sector and other actors, but primarily government, are -- there was a lot of discussion around the fact that that's western norms. That would include the -- in terms of cyber conference, aggression, being attacked, things like that.

So my question to all of us, things that we should think about: You know, if norms are adopted by certain countries and by signaling from those countries including like attribution and various things that they're adhering to those norms, not everyone else is going to adopt those norms, right?

So if you think about cyber conflict, you think about the fact that state on State attack, those two different states are likely to be operating under their separate definitions of norms, right? And so it's a question for all of us to think about, what does that actually mean in terms of like if there are norms that have been set but not everyone is adhering to them at the same time.

And it was an interesting discussion because the author was there, as well, who happens to be very charismatic and very interesting.

But from the private sector perspective, and I think Christoph will probably speak a little more with this, hopefully with the tech accord and some other principles and things, the mobile industry itself has developed a set of key principles to adhere to in terms of privacy security and data protection, and I can go into that later, but I just wanted to kind of put that out there.

>> Perfect, thank you very much for this, Dominique.

And I think we already see an interesting development in terms of first of all the question being asked: What are norms? And having different perspectives at the table.

And I would now like to move to Christoph, if possible, to comment on it from a private sector perspective if that's possible, thank you.

>> CHRISTOPH STECK: Yes, hello, everyone, can you hear me?

>> TATIANA TROPINA: We can hear you well, yeah.

>> CHRISTOPH STECK: Fantastic, good.

So first of all, sorry I cannot be with you, but I have to say it's fantastic to be sitting here in my office and be able to contribute and to listen to your comments.

So a little example how well the Internet is working, I have to say, so fantastic to see that working so well, and congratulations to the organizers, that's really well done.

Just to continue what Dominique just commented, I mean, what is a norm? From our point of view, I would say there are maybe three or four different types of norms.

I mean, first of all there is something we will call regulation or a law and that's obviously what we all know.

Then there is something which you might call self-regulation that means that the private sector in itself, together with others, maybe, but mainly not driven by governments or anyone is setting norms of behavior.

And then there is something which might be in the middle which you might call co-regulation, which is a form of self-regulation where at the same time governments and third parties act as supervisors, for example, and so on, so it's kind of an in-between what you might call regulation or self-regulation.

And the fourth dimension are standards, from my point of view.

So standards, we forget very, very often that there are many standards set, and standards very much help us to coordinate globally or at least regionally a lot of these activities.

And I suppose that that's an interesting area to think more about: What do we need to do on the side of standards for cybersecurity? And the reason for that is that going forward, the big change we're going to see for the Internet is that we're going to connect a lot of things to it, so you're going to see the Internet of Things happening and we all know that.

But what it really means is that anything, any device, can become intelligent and will be, of course, also source of cybersecurity risk.

So up to now I think we are actually living in a quiet, easy-to-manage-world because the people and the companies who are responsible for the major infrastructure and service platforms and so on are actually technology companies and they know more or less what they're dealing with.

But tomorrow, you know, any thing, any washing machine, can become intelligent connected device with all the risk for cybersecurity.

And I suppose that most of the people who are going to construct these things will not be experts on that and might not have the resources, even, if you think about more simpler things being connected to care about cybersecurity.

So I think we're going into a time where risks are going to increase exponentially and very fast, and we have to think how to manage that.

And I suppose that, for example, standards and norms could be a good way, which could happen upon that.

>> TATIANA TROPINA: Thank you very much for this perspective, Christoph.

I'll move now to Nata and this is a rather traditional perspective that it comes from a public perspective, so, Nata, if you were, perfect, just unmute yourself I think, please, you have the floor.

>> NATA GODERDZISHVILI: Thank you very much.

I represent Data Exchange Agency which is working in terms of e-government and cybersecurity in Georgia and to raise our perspective that we see in Georgia that international legal regimes and cybernorm-making process as I understand is government to government deliberation process.

And clearly international -- subjects of international law are states who are negotiating for legal or diplomatic channels what is the regime? Quite honestly I'm very skeptical about Microsoft Digital Geneva Convention and how even big multinational companies can dictate international conventions rather than, of course, industry, of course private companies have a big role in setting setting-specific standards in applying the standards and building capacity and building new technology based on this legal educations; but at the same time, these are states who should agree we can see there's a lot of failures as we see from the UN GGE of 2017 but still there is a lot of progress made by states.

At least we have come to the standard that we say that cybersecurity is not law-free zone and law applies, and we need the interpretation of these laws.

Again, the biological discussion between lawyers is that we need separate bunch of law? Or just we have to interpret the existing legal regimes to cybersecurity and not have parallel conventions to physical and offline and online world; this is, again, the next topic of discussion.

And as a continuation of this question, I see that, yes, private sector plays a big role, but it's still government's responsibility to come to an international binding legal regimes.

>> TATIANA TROPINA: Thank you very much for this, Nata, do we have any questions? Now we've heard quite controversial positions.

Looking around the world.

>> Questions or statements? Because while you are thinking, I would sum up what really struck me here.

First of all, civil society on the word cloud, how aspirational this is? And I think the goals of you might want to provide your point of view.

Then of course what norm mean, and I think this is a biggest source of did I have urgency here because if we mean ones as binding agreements between governments of course they are not flexible in terms of stakeholders shaping them, but if we mean industry standards, this might be quite broad and flexible.

And then, of course, what struck me about Nata's contribution is -- I will not provide my personal opinion here, we are supposed to -- but big digital companies cannot provide conventions as binding norms, let's put it like this as far as I understand.

So, yes, please.

>> Thank you.

So my name is Lyra.

I'm really happy to be on this panel and I have one comment.

If we think about this -- of cyberspace and dependency of cyberspace, why we need the governments to regulate anything? They didn't shape Internet for cyberspace or cybersecurity; they're only one part of the action.

So I think that in this kind of norms that have one work, it's called geopolitics of cyberspace, and we don't really need the governments, we only need hackers or technological communities to regulate some things about cybersecurity because governments sometimes can provide cyber offensive over the common users or nongovernmental organizations, which is like universities in countries is very common problem, so thank you very much.

>> Thank you.


>> Thanks, Rodney, DIPLA Foundation, so building up on the previous comment, on one hand there will be of course the perfect solution fortunately the problem is the governments actually are already well into cyber armament and that is already a politicization of cyberspace for quite some time.

And we've recorded about 30 countries which openly state in their national documents, doctrines and so on, that they have, for instance, cyber capabilities, and this is probably not going to go down; we are not likely to see cyber disarmament any time soon.

So in that sense, unfortunately we need to bring in politics, there's no other way to fight politics except with politics.

The other question is, however, I think it's important that civil society and business actually impact the whole discussion is that we are moving, because of this cyber armament, we are moving into securitization of digital space and digital questions and you can see that where it's entirely within the security communities.

And when you try to open it up a little bit beyond security communities, you have the old common feeling of the governments that have to be close when they are discussing security issues; they don't want to be much open.

On the other hand, if you talk about the international business security and the norms respectively, we are not just talking about cyber attacks; there is a broader aspect of stability which is stability of community of digital society, digital economy and not just the attacks as a narrow focus.

And in that sense, there is a huge, huge role that other stakeholders need to play in order to sustain international peace and security.

In that sense, shaping the norms doesn't only reflect the governments, which may prevent attack of critical infrastructure and so on, but it also introduces the roles of other stakeholders such as the private sector when it comes to vulnerabilities and security by design such as civil society when it comes to, let's say, Human Rights and so on.

So it's much broader than just attacks and cyber conflict; it's about preserving digital economy and digital society.


>> Thank you. I think we are being flash mobbed here.

>> Indeed it seems to be the case, which is why I would propose to move to the second question.

>> Just one moment.

I think we are going to create this intervention, there was a hand and then we'll move, please.

>> Thanks.

Hi, my name -- and I'll keep this intervention very short because it was really just a question.

And I've been intrigued by the graphic that was on the screen ahead of us and the inclusion of civil society and I was really hoping to hear from someone who might have accessible society as being very engaged in norm-building processes? And maybe this is just my opinion here, but where there might be opportunity for civil society participation in the development of norms, I do feel like the reality is when there is not any particular muscle behind a position that is being put forward or a norm that is being developed, it goes nowhere.

And states have muscle by virtue of their sovereignty.

The private sector has muscle by virtue of economic power.

And civil society, in my view, has much less influence and much less muscle, if you will, to be able to draw upon.

And so if civil society was to be engaged in a norm-building process, it would really need to partner with one of those other more powerful actors or at least that is my interpretation, but perhaps I'm completely mistaken and naive.

And if anyone who does think that civil society holds more power than I thought it did, particularly before when it was one of the largest words on the screen, I'd like to hear from you; thanks.

>> Yeah, I think one of the biggest achievements of the discussion of the last 20 years in this field is the acceptance that issues can be settled only in a multistakeholder environment.

There is no way that one stakeholder alone, neither government nor the private sector, can settle Internet-related issues alone.

The question is: How might the stakeholder corporation is organized? If it comes to norm building, I think we had clear different understanding of norms, political norms, technical norms, ethical norms, legal norms and things like that.

But if it comes to the role of civil society, the NETmundial declaration which was adopted by the overwhelming majority of Internet-related stakeholders in the world, you know from big corporations to nearly more than 100 governments to all the Istar options and big civil society organizations, there was a process where civil society played a key role in drafting the norms which are laid down in the NETmundial declaration, eight principles, which create a political framework for the information society.

We should not forget these are now existing norms; there is no need to reinvent norms for the cyberspace.

What we are discussing here, also, details, it comes to security. And even if governments believe, say, can negotiate behind closed doors the inter-related trade packs are good examples that this will fail. The power of civil society was in the states.

Two things failed not only because governments could not agree because the protests in the streets was so high that finally this collapsed.

And one in the field of security, I think we see an interesting development; and so far I would partly disagree what you have said.

It's not the private sector -- I would agree that the private sector cannot dictate governments what they have to do; but I think it would be wise for governments to open ears and eyes to arguments coming from the private sector and arguments coming from the civil society if they consider norms or at least legally binding treaties for the cybersecurity field.

So far the mighty stakeholder spirit of cooperation is different from the old dictated, the government dictates to the people what they have to do or the private sector dictates the government what they have to do.

These are outdated models; the model to are the future is the multistakeholder equal cooperation.

>> Thank you very much for this intervention. Nata, do you want to respond? Because I saw your hand.

>> NATA GODERDZISHVILI: Yes, I absolutely agree that cyber regime effectively works if just all the parties agree to that because just one stakeholder, as you say, cannot do anything.

And I remember Georgia proverb for that: So much you share, the much you get back, so this is important, sharing opinions and getting into account the other.

>> Thank you, Maarten and then.

>> Just short definition, the definition of norms is indeed what leads to some talking that doesn't seem to come together but maybe it does.

Norms are very much at a different level.

When Wolfgang talks about global level enforceable norms, it needs to be multilaterally underpinned, even then the reasoning for that is brought forward in the multistakeholder fashion.

If I talk about for instance the mutually agreed norms for routing security, then the rest of global society has less to do with that; yet, it is very much an element that enhances cybersecurity because if that particular community, the routing community, keeps to those norms, we will see that there is less leaking, that there is less space for abuse.

So let's distinguish that, as well.

There can be very specific norms for very specific communities that are very important impacts on the reliability of the Internet and the trust in that as a whole.

>> Thank you.

We have two interventions.

Go first.

>> Quick one on what just said.

It is important to have the multistakeholder approach, the question is how do we ensure with the governments? I think it is framing.

As long as the framing is in the discussion of international peace and security approaches the topic we're not going to manage it; once we try to pull it out and show it's about digital economy, digital society and security in that sense, then we might be able to make them listen, possibly.

>> Actually quite like how multistakeholder meetings are put in one word, multistakeholder meetings.

So, please, you're the next in the queue.

>> I have two or three brief statements.

So you mentioned innovations in the first, I still think we don't need norms; we still need innovations in cyberspace, in cybersecurity, so we need more freedoms than norms and laws.

The second, we also talk about cyber warfare as the one buzzword.

We need cyber pacificism not cyber warfare.

Truly cybersecurity is one form of cyber pacificism.

That's a long story.

How can we ensure that government will act as a fair subject? Because there is unpopular geopolitics on some topics; they are making security theaters, they are securitizing encryption, privacy and limiting -- how can we make sure that government will not use the power to convince people that something is a problem and it's not like security theater or about hackers or ethical hackers and many more? Thank you very much.

>> Yeah, I think that is perfectly the second bridge to the second questions, audience questions, sorry; if we can move to that one and have another poll.

Because it asks: Are norms appropriate terms to provide stability and security in cyberspace in Europe and beyond? And are they the right means? I think this is what you were getting at.

And how can we ensure that if we take the government position and have laws that these are enforced fairly and not discriminatory in any kind of way?

Or if we see private actors engaging in norm-setting, how can we ensure that these adhere to certain expectations?

And in terms, I just wanted to make a comment, as well, in terms of talking about norms from different perspectives.

I guess what we can identify, be it technical, political norms or even ethical norms, there is an underlying normative element that kind of motivates or stimulates either conception of a norm, which I think is a factor that we can rely upon.

So let's move to the second question, please.

>> I guess technology is failing us now.

>> We just need to collect the arrow on the screen that's already up.

Yeah, there we are.

So, are norms appropriate tools for regulating international organizations and provide security in cyberspace it should say in Europe and beyond.

And this is a less controversial poll in the sense that we only have three options to choose from.

>> [Inaudible]

>> We can discuss afterwards, we'll see.

Are you still able to vote or not? Right.

Then we'll do it without technology and just do a show of hands.

>> I totally love this idea.

So I'm going to come this part of the room and you that part of the room.

>> Well I'm going to ask the questions who believes that norms are the right tools to provide security and stability in cyberspace? Show of hands, please.

Could we roughly say half of the room seems to agree?

>> Roughly.

>> Who is of a dissenting opinion? They are not the right tools?

>> I see one hand here, there, here, three.

Anyone else? Four.

>> Right.

And who is undecided for whatever reason?


All right.

>> So let's have some context to that and explanation.

Those who voted for yes, they are the right tools, can I have a proponent arguing the case for why norms are the right tools to employ, please?

>> If there is no one of you who voted because I remember some of you, I will make volunteering from the panel because I saw a couple of hands there.

>> Thank you.

>> All right.

I think the Internet is global and seamless.

And what we need is laws or treaties that would be applicable for, yes, this global medium; but most of the times we see that we just do not -- we're just not able to come up with treaties or laws that are internationally binding, so I do see norms as rough consensus of the IGF applied to policy.

So I'm thinking of norms as something that is formulated, that is stipulated under participation of a variety of different stakeholders and that becomes or those norms become accepted; and by that, more or less mandatory because the different stakeholders underpin those norms, and by this underpinning we get a regulation or a mindset that is applicable for this seamless medium and not -- period -- applicable for the serious medium.

So we're not relying on governments because we cannot come up with international laws and treaties, anyway, so norms will just be a substitute for something that we cannot come up with; and this substitution could be stipulated by a variety of different stakeholders.

>> So if I may summarize and understood you correctly, it's an almost second best option because we cannot agree on legally binding tools or laws.

And I heard, as well, I think, that it reflects the community aspect a bit more in terms of engaging different stakeholders to come up with solutions, if I interpret that correctly.

>> Fine, thank you.

>> All right, thanks.

So now we have a show of hands here, please go ahead.

>> Actually I am surprised that we did not mention Council of Europe convention on cyber crime; this is absolutely a success example of legally binding norms.

Unfortunately, I do not know about multistakeholder participation in writing of this convention.

But in Ukraine, for example, we really have multistakeholder platform for full implementation of this Convention.

And I know that a lot of non-European countries also signed this convention.

Thank you.

>> Thanks, perfect intervention Tatiana.

>> Would not come as a surprise.

We do have a person from the Council of Europe who is -- but as I am correct your hand was for not being the right instrument? I think that this is a very nice transition to your contribution.

I'm going to ask him why.

>> Thank you very much, from the Council of Europe -- but I'll be speaking on my personal behalf not the office.

But I think I have to put my answer in the context of the question which said about security, not cyber crime.

Should it be about cyber crime my answer would be different because of course there is a norm in cyber crime, security responses to crimes in cyber space.

But two reasons why I think that norms at the moment do not work and one is that there are players who are willing to trample the norms.

So basically the only response economic or military pressure to a certain behavior; so even though there is international law to support the proper, let's say, action of states in cyberspace, as well, then there are some who do not.

And secondly it also follows my previous answer, which I'm of the opinion that the current framework of state responsibility towards each other also applies to cyberspace, as well and there is no reason to reinvent the wheel because there are lots of regulations that extend to states acting offline, I would say, but also extend to anything that they do to each other in the online world, as well, so it's quite simple.

But, again, very big distinction between cybersecurity and cyber crime.

>> Thank you very much.

Do we have any further -- I believe that our speakers might feel abandoned.

Do you have any comments to what has just been said? Jackie, over to you unless there is someone else who wants to contribute.

>> JACQUELINE EGGENSCHWILER: Would either one of you like to add to that? No.

We also had, which I think would make for an interesting position, a show of maybes.

So, I know these three gentlemen, for example, raised their hand, Laurin, Aiden, Vlada, if either of you would like to comment on why you're saying maybe they're the right tool?

>> Well, there are two parts to the comment.

One is when it comes to regulate international relations, I don't think it's necessarily enough and I don't think the international law is necessarily enough because we see in aspects other than cyber it just doesn't work.

So the application of potential law is something different than international law and the norms and that's why it's not enough; we have to see how to implement and apply.

When it comes to the second part of the question, provides security, back to my previous comment, I don't think the norms and regulations in general are the only way to provide stability and security; it is also in the behavior and, well, standards, behavior, awareness and all of that that the other stakeholders need to do, so in that sense it's partial yes they can contribute but there is much more that needs to be done.


I'd like to turn to our private sector participants, if possible, Christoph, are you still with us? I don't see you on the screen anymore but I hope you are.

And Dominique, I can definitely see you.

So maybe I'll kick off with you.

And can we please ensure that Christoph is still with us and can hear us?

In terms of private sector work, norms or let's call it standards do matter, I believe, for what you are trying to do and how you're trying to integrate the community, as well.

Can you provide us a perspective on that? How you would deem the importance of these instruments?

>> DOMINIQUE: Sure, I think I can talk about norms in terms of why -- you know, I'm generalizing because our members have to agree to top level position this is the mobile industry.

But in terms of that, it's to something Wolfgang made a point about in terms of multistakeholders; for the private sector, even though increasingly we tend to be running the network and owning a lot of the data centers and the networks on which state attacks take place in general, I'm generalizing again.

One of the things that norms does for the private sector is it brings in the aspect of multistakeholderism.

So if there is a treaty or multilateral negotiation or another GGE or another high-level panel or whatever it might be, that's only multilateral or only government-focused, just like civil society, the private sector does not have access to that.

Now, there are ways to participate in conferences that are UN conferences, there are governments that obviously allow for participation of civil society and private sector and others, but that's different than actual like GGE or negotiations.

And so I think from a personal perspective, one of my issues with the digital Geneva Convention is that if it's a proper convention in the UN setting, it takes away others to be there.

That said, I think that convention has changed quite a lot and how Microsoft is approaching it.

Another is standards. One of the big issues about standards is that standards making, specifically technical standards making has moved in the last 15 years from a multilateral-focused centre to a more industry-led and I would say normally multistakeholder fora, and significantly the drop in private sector participation in the technical standards making of the ITU and 3GPP IGFF and other standards making bodies.

And that's a trend we're seeing primarily on who's building out, who's investing in the network.

So I think from a technical standards point of view, it's really important to see that there are different participant levels and there tends to be, you know, a different approach in terms of there was maybe 15 years ago.

And I think Wolfgang made the point that the idea of multistakeholderism is one of those reasons.

So I think I'll stop there, but maybe Christoph, if he's online, has more because Telefonica has done quite a lot of work on this and can answer a number of these questions specifically from their point of view.

>> Perfect, thank you, Dominique.

Christoph, can we turn to you? Can you still hear us?


>> If you'd like to comment.

>> CHRISTOPH STECK: Interesting debate, honestly.

I think that going back to the question of the roles of different actors, of course we have to go a little more detail here and say where can each basically stakeholder function better in this process? And I think it's clear that no one is putting down states or governments should still work on policies and they should still work on finding international policies between them and that will be very helpful.

So the Geneva Convention -- the cyber crime convention of the Council of Europe is a very important document and it should keep the status.

But having said that, it's from 2001, 17 years old.

That was before most of the companies and services we are using every day were even founded, so it might need an update; and I'm sure that the Council of Europe might do that, but the processes are slow and let's not necessarily forget that.

We are talking about digitalization here, it's happening very fast.

At the same time, international policy processes tend to be very, very slow.

So we clearly have a disconnect between the speed of developments and the speed of reaction from the government side, and that's not to criticize governments, just if you have to agree to it everyone on norms, that's quite an issue.

So I think solutions to that could be first of all, go forward on maybe regional levels and try to find consensus, a little bit what the European Union is doing, for example.

It's still difficult, but you might have easier -- it might be easier to come to compromises you go to regional levels.

And that would also have on a global scale, as well.

And second of all, I would like to really make a pledge here for private companies as a key player and of course civil society, as well, but private companies, let's not forget, are the ones who run most of the infrastructures, most of the services we just talk about when we speak about digital services today.

And I suppose that there is a huge role we are playing already as companies in that by following norms, by implementing the standards which are agreed between companies and even thus by policymakers and I think that's fine.

But at the same time, we can also go to self-regulation, and I think Dominique mentioned earlier the Tech Accord and just look at that; I mean that's agreement between or fleshed by around 40 meeting technology companies in the world, and they say that we're going to cooperate with government, we're going to have our customers to make their digital lives safer, and we're also not going to contribute to make the Internet a place for warfare.

And just stay with that for a second.

Because that's like Airbus saying we're not going to build any fighter ships.

So that's private companies pledging to not make the Internet a place for warfare, and that's a huge impact; it's not set a norm, maybe, just self-regulation and it's something that would make our lives hopefully safer in the future.

But it's very important that you have these inputs from self-regulation because they're very fast; it took us a couple of months to put that together, Telefonica is part of it.

Imagine coming up with something like that on a global scale, would it take years if not decades.

So we have to work here in different areas in parallel to try to make fast achievements maybe through self-regulation, through norm setting standards; but at the same time, also, of course, the states need to work on that and need to come -- make their homework and come up with international policymaking hopefully with input from the private sector, from civil society, because actually the Internet is not like any other policies here.

>> Thank you, Christoph. If I may ask because you mentioned the tech accord and the fact that Telefonica is part of it and it's been a speedy undertaking, what were the key drivers for Telefonica's participation, for example?

>> CHRISTOPH STECK: We have a huge interest that Internet is a safe place. Of course we were here because we like people to use Internet, we like people to basically engage; and we know that there are a lot of people getting more and more concerned with the issue of cybersecurity.

We speak a lot about privacy, but actually what affects your life sometimes even stronger is cybersecurity; I mean just ask someone whose digital identity has been stolen and has been misused by criminals about cybersecurity.

I mean, that's something none of us would like to experience.

It's an experience that is not very nice.

So we noticed that our customers are getting more concerned with these issues.

They are not going to use services if they feel unsecure.

They are not going to go to online banking to use a stupid example if they feel like this is somehow not safe and somehow something might happen.

And I can just remind you that last year we had the WannaCry incident and Telefonica was affected by it, as well, we were the first major player, the first company, for sure, which kind of communicated openly to the whole community, publicly, to the government, to what we have in the European system where we have national reaction centers for these kind of cyber incidents, and we immediately communicated that there is something going on which looks like a huge attack and the information was shared immediately with all the other networks so people could basically take activity to kind of go against it.

And at the same time, we worked hand-in-hand with government, with others, with hackers, by the way, to find solutions to the problem; and we put our, for example, program how people could recover some of the data, which was encrypted, and these kind of things, we have small to cope with the attack.

So these are contributions and are done by society today but we might improve that.

>> Thank you, I'll hand off to Dominique.

>> DOMINIQUE: I have to leave, I'm sorry, I have to catch a flight, I have to catch up to what Christoph was saying he made a very important point.

It is to Europe and to the world and exactly what he mentioned: Information sharing.

Because oftentimes a lot of the traffic and changes that happen on the network that indicate a major cyber attack or something else going on is seen first by at least operators in the first instance.

And so that's another reason why there needs to be multistakeholder participation.

But I'll just leave one last thought in terms of norms, one of the things we have to think about is not just talking about norms but actually doing norms, right? So if we're going to, all stakeholders, participate in security, safety and I think trust is what Christoph was indicating there, as well I think we need to actually show we're actually doing that from all our respective stakeholders groups.

Thank you, and sorry I have to leave but I get to go home after two weeks.

>> Thank you very much for your last words today.

Wolfgang has an intervention, as well.


I think Christoph made an interesting statement which is really crucial: It is a process and nothing is fixed, let's say, in time for a long time.

And the whole development is driven by new technology and technological environment by, you know, market needs and others.

So this leads to a situation where you have always to find and to re-fix the balance between stability and flexibility.

And I think people, end users but also governments, need both so that means we have to have a certain degree of stability; and norms and regulation contribute to a stable environment, but you have also a flexibility -- you need a flexibility, and then you have to decide, you know, which norms, you know, block or strangulate innovation? And so far this is I would not say it's an effort to find the right balance.

But this is, you know, it's not new.

For centuries we know that freedom goes not without responsibility; rights are linked with duties.

So to find the right balance is an ongoing process, and thus so far if we have legal instruments, the question is not only as some people have said, the interpretation or the implementation of this; we have to enhance our understanding of the existing norms.

And if there is a need, if we see things have changed, then we have to adjust it.

This is a very normative process and nothing will be fixed in stone.

So if you go back in the 1990s where all the cyber idealists and pacifists say we create a new society, governments go home, the world is in the hand of the international community, jack made this point recently in Las Vegas when he said we believe there is no need for governments, then we created new networks.

With the new networks came big money.

With big money came the crimes and with the criminals came the governments, here we are again.

So that means you have a circle which you can manage only if you are always up-to-date and include the wisdom of all involved stakeholders.

And so far, again, this is the biggest achievement of the 20 years of discussion that we have to recognize: There is no one single stakeholder solution; everybody has to sit on the table.

>> Thank you.

>> Be a norm, that it's set in single stakeholder fashion cannot do it anymore.

And please remember governments are also stakeholder in this.

And, secondly, that such a norm is actually not an objective in itself. It's the sustainable future.

And in all that, all stakeholders also have their own responsibility; so norms without responsibility doesn't work, either.

And, again, just pointing out that it's established at multiple levels, sometimes in bilateral contracts, sometimes in multilateral agreements, and sometimes by calls for action as GCSC has done, as well, like don't touch the core of the Internet; respect the core of the Internet.

So the norm is there, and now it's up to us to live up to it.

>> Maarten, a question.

What kind of norm? This would be a standard alone?

Coming back to our issue of the norms, how would you define it?

>> MAARTEN BOTTERMAN: I would say part of my norm system consists of what my parents taught me.

And in that way I would say it's of getting more conscious about responsibilities and living up to that because sustainable future is in the interest of all of us in the long term; the short-term, this may be some gain in breaking the norm and being a beneficiary of that.

And for that we need actors to react on that.

And the difficulty in the digital age is that bad behavior can partly be -- well, obviously explicitly mischievous behavior, but it can also be not doing anything, like protecting your own machines from being part of an attack to other machines, the attack where my machine is not used that it's used for other purposes.

So that makes it actually difficult.

But it's really coming down to responsibility and pointing out what the effect is.

We do know from today's public debate that not everybody agrees with that, even on whether we have global heating or not.

But in the end, I think that serving those norms and calling clearly for it in the communities that are most affected for it is the way forward and I don't want to give up on that despite these kind of exceptions.

>> Christoph, did you want to say something? I saw a show of hands but maybe it was accidental? Okay, probably not, sorry.

We'll move in that case I see Vlada has a comment.

>> Yeah, I was wondering building up on what Maarten said, how do we actually move this discussion where we agree that there needs to be a multistakeholder approach of some sort? How do we move it more towards what governments are currently doing within the GGE and so on? I think that should be one of the questions we should discuss because here we also don't have governments, actually.

We do have a couple of examples, the global commission is definitely a good example of how nongovernment stakeholders include something governments, are helping bringing that to the agenda, the GFC, the global science expertise which doesn't deal with that actually helps bringing more communication between different stakeholders and has the potential to bring some such topics more on the agenda of the governments.

There is an initiative by Swiss government, the other governments also doing that, the Swiss government is just initiating the Geneva dialogue on responsible behavior of actors in cyberspace, which is going to discuss the roles of states but also the roles and responsibilities of the private sector and other communities through the interaction of different communities and what one thinks about the role would be another and there will be a couple of events throughout the year, in November there will be a main conference in Geneva and so on, I'll let you know more.

But there are initiatives that we actually have to find a way to send a message from this panel to the governments and that's my question: How do we do that?

>> Thank you, Vlada, we have one intervention from here.

>> Thank you for giving me the floor.

From government of Ukraine, a member of the bureau of the Convention, and I would like to give an example of what governments are doing, not only governments.

So we are adjusting now our Convention to do more than situation, and we set up article drafting Working Group which is setting up the norms which allow them to -- the situation, we direct operation with service providers count. Action to attacks on critical infrastructure and other things.

There were many experts are working in this regard on these norms, and we involve private and IT sector, as well, to this.

And I'm sure that this will be a positive example to all of us, thank you.

>> Thank you very much.

Any more comments from the floor? Nata, please?

>> NATA GODERDZISHVILI: I would like to give the experience from locally how in for instance not European country like Georgia cybernorms are built up.

With the huge demand of the international organizations like Council of Europe, the European Union, when building new cyber policy or cybernorm or information security legal act in Georgia, we, by law, are obliged to consult and take comments from the private sector; and in private sector, we mean telecommunication agencies, Internet service providers, banking sector, and watchdogs like in your community.

But what is really missing here -- and we had to practice that with the second hearing in parliament with a very critical comment of the private sector, the law was thrown back and it was about cybersecurity, for instance.

So this is the practice.

But what we are missing is that this cooperation and collaboration is still sporadic, and it's still ad hoc and not institutionalized and not like common practice from just good examples.

So this is, as I see it from the government perspective, the direction Georgia and maybe some other countries, as well, need to develop, it's not really good practice but it's rule to have private sector involvement, active involvement in the cybernorm building process as such.

>> Thank you very much.

I think that also goes to what Wolfgang said, that the fact that it's a process; and also with processes come time requirements, so it can't just develop from now to then.

We have about 15 minutes left, and I would like to maybe close with the last question and then give the floor to Ilona who has kindly enough agreed to report for us.

But before that, let me highlight a number of contentions that I heard from the room.

I can already tell you that the last question is going to be: Where do you see the key challenges for norm development? Greatly enough, already alluded to that.

The points of contentions that I've heard or taken from this discussion I have is that first of all of a definitional matter, as well, what is a norm and what do different stakeholders consider to be a norm?

Second of all, who should be involved in developing what we all consider to be a norm?

And third of all, how can we get to alignment or congruence given that disparity of this environment?

So I would kindly ask you if you have any interventions or comments on that to please comment before we hand over.

Nigel, is that? Perfect, thanks.

>> Yes, thank you very much.

This is an excellent session.

Sorry I had to miss part of it.

I suppose the observation is one of the urgency, really, as others have said and Wolfgang is probably the preeminent expert here.

This discussion has been going on.

It was highlighted for me in the UK in 2010 when our foreign secretary came back from the Munich security conference and said to us officials in the UK government, "look, I want to do something about the Internet."

Well we've heard people say we want to do something about the Internet before, but he had a particular vision.

And this vision was that everyone has a responsibility for the Internet.

It wasn't particularly norms at that stage, it wasn't captured in any particular sort of word; but it was the roles and responsibilities of different actors.

That conversation led to us organizing the first global conference on cyberspace in London in 2011.

And that had the ambitious aim at the start, if you like, agreeing roles and responsibilities, agreeing norms, agreeing sets of standards of behavior on the Internet.

Now, that process is ongoing, there was an excellent iteration of that in India last year.

That process is ongoing; other processes are ongoing, we have the Geneva work, we have the work that -- done, the we have the government group of experts have done.

We now hear that the UN Secretary General is contemplating setting up a UN panel to look at these issues, as well.

So there's an awful lot of work in this area; it's clear that the governments cannot do it on their own as we found from the group of experts work, it's true it has to involve all stakeholders; but how is it going to involve all stakeholders who is going to take responsibility for this? Who is going to take the leadership for this? Who is going to get people together and actually do some work? As I think someone said earlier, we've talked about this for a long time, but perhaps we haven't globally sat down and done the work.

And this is why I think this discussion is useful.

I hope there will be a discussion on this in Paris at the main IGF, because I think this is one of the preeminent questions for our time.

Thank you.

>> Thank you, Nigel.

Any more reactions from the floor?

>> I guess we have reaction.

>> All right, thanks.

>> If I may, I want to talk about the key challenge that was asked.

For me, and for my country, the key challenge are the countries who are not following the norms and who are doing everything to ruin the existing norms and to set up something new, we call it, as we said our bicycle on what is going on, I'm talking about Russia and China.

So, those countries are not following what all other countries are following, the majority of other countries are following, trying to persuade the rest of the world that what they're proposing is the best.

This is the challenge, the countries who are not following the norms.

>> Thank you.

So that's a question of alignment and enforcement, to some degree.

And looking at the time, I'll turn to our participants and panelists who have been very patient, especially Christoph, thank you very much for still being with us although being so far away.

Last words in terms of the challenges that you see maybe from each one of the four panelists that are still with us, starting with Christoph if that's okay.

>> CHRISTOPH STECK: Yeah, thank you very much. The challenge, I know I said in my initial statement, I think we're going here to a world where much more things are going to be digitalized and connected.

So it's not going to be as easy anymore to have everyone in the room.

So I mean we're really going to each and every company producing products to know about cybersecurity.

Because cyber security's only as strong as the weakest link of the whole value chain, so I think that's going to be the key challenge going forward.

How can you really bring this knowledge, which is not very well developed, to everyone? I think that the key players today, communication companies and so on we're not perfect but we have an understanding and we have a very high agenda, but I doubt that anyone producing any connected device is doing that.

And I think there are a lot of examples in the past that things have gone really bad on that side.

That is going to increase and will be difficult to manage.

But I want to give hope here and not just end with the dystopian view of things.

I think that a way forward could be to have more cooperation on national levels, to be honest.

I think the international level is important and we should work on it but it's usually slow and complex.

I think that on national levels, people can come together between culture and languages that they are living close to each other and they know each other and they have confidence, so governments, private sector, civil society on local levels should cooperate more and start working, you know, more locally, nationally, to improve these things.

The good thing about this is then when they come to the global level, they are more educated and better informed, for example, governments who have installed multistakeholder processes for cybersecurity, they will come with a better knowledge when they then discuss maybe the international norms.

So that's a very important bottom-up process and we should not forget it at all, I think it's a key here.

And just to give you an example, in Chile just a couple of weeks ago, and this is a little bit outside of the scope of EuroDIG, they just founded the national security alliance locally where we participate with local business and they are actually working on one very interesting issue, which is education.

Education is going to be so key.

I mean we all know that we have to lock our doors when we leave the house, but we don't know what happens with our WiFi keys or the access to whatever service.

And people are just waking up to that.

So I think that educating people about that, and that's something where actually the states and the governments would have a huge task to bring that forward.

That cannot be done by the private sector or civil society, for example, it has to be done by the states.

And that's going to be so key going forward.

And as I said, the cooperation on that.

So there are examples coming up, and I would say as someone earlier said, institutionalize these kinds of cooperation between different actors.

And we all share, more or less, the objective of making Internet safer and more secure.

So really going forward working together on that, national, local levels could have a lot for the global. Thank you.

>> Perfect, thank you, Nata, if you would like to go next.

>> NATA GODERDZISHVILI: Also challenge as our Ukrainian colleague told us, not all the parties and not all the big advisories are even part of the Budapest Convention and this is a real problem for the countries like Georgia and like Ukraine.

One issue is having norms, and the second issue is enforcement of the norms; and this is the big challenge here.

And as a positive continuation of these challenges, we see that maybe not conventions but, like, policy work and confidence building measures can be a soft mechanism that step-by-step can ensure the better cooperation or even like naming and shaming and using some more diplomatic channels can work here rather than legal regimes and legal conventions.

>> Brilliant, thanks.

Maarten, up to you.

>> MAARTEN BOTTERMAN: Yes, there will be less left for Wolfgang to say, there is already less left for me to say.

Very much support the importance of awareness and education.

If ignorant, it's very difficult to create a safe Internet-driven world.

Whatever we do with norms, let's not assume that any norm we set will be followed by everybody; that will be a mistake in thinking.

Nevertheless, setting norms will help.

And setting with that understanding that not everybody may follow it, but that it still may help the way you set it up.

The other remark also made is global norms are very useful, but they will be very global and not precise.

It's about how you implement it locally.

And to talk about the GCCS initiative that Nigel mentioned and in the way Wolfgang is also one of the followup of that, there's also the Global Forum on Cyber Expertise that stimulates to take global norms into local action.

So in the end you need to do it in the region, as well.

So last but not least in the end it only works when we become -- when actors become accountable, when actions become transparent; and, here, the complexity is in the complexity of technology, so technology will need to help to make transparent.

Second sub-bullet here is very important is how data are collected and acted upon, and we need to have support in understanding how these things hang together maybe in the same way we need support for how bookkeeping used to work many -- a century ago or something?

And last but not least, so accountability of actors, transparency of actions, and clarity on what is considered good practice.

>> Sorry. We'll move to one remote participation question and then come back to you, Wolfgang. David, go ahead.

>> Do you guys hear me? So we have one I believe it's from Kiev, one remote question from -- and so the question is: As an organizer, as a co-offering of the youth IGF UA, it is interesting for me to find out what you all think the panelists of the role of youth and youngsters of cyber security? How can the youth, the youngsters influence today's process? Thank you.

>> Thank you for that question.

Wolfgang maybe you can answer it giving your concluding statement.

>> DR. WOLFGANG KLEINWÄCHTER: Our last speaking, our last question, learning, learning, learning and then acting, acting, acting.

Be active.

Become engaged.

Your voice is important.

But before you raise your voice, you have to know what you want to say; and so far I can only stress what Christoph and others have said: Educating.

It's key for the future of the security in cyberspace, and it does not start at schools, it starts at home in the kindergarten.

I have lived 15 years in Denmark, 50 percent of the norms of the daily life in Denmark are unwritten rules which are just your mother and father tell children you shouldn't do that or this is not allowed, and there is no need to have a written norm because these are the unwritten norms which regulate a lot of our daily life.

And so far this is really a responsibility for everybody, for every stakeholder but also for every family to create, let's say, an unwritten norm of -- normative behavior in cyberspace, a culture of behavior in cyberspace.

I think this is an important challenge but it will not be enough.

It's 50 percent, yes, but 50 percent much more complicated.

And then two quick comments, how to move forward, two have mentioned we have mushrooming of different initiatives, and the risk is that all these initiatives will reinvent the wheel or, you know, not work hand-in-hand but create more competition; travel budgets will explode because people cannot follow all these meetings.

The one opportunity is really in the IGF framework, to organize big hearings in the IGF where all these organizations are invited; it means to Secretary Generals or the executive directors, just our quilt, quote/unquote by the public, to ask questions, not give statements, lopping statements, but like in the U.S. hearing that senators ask questions to people who have to testify.

And I think this is probably a way forward both for the IGF, the global IGF but also for EuroDIG.

And my very final statement, what to do with the bad guys.

I understand all these concerns.

Head bank is not the right option.

You need a portfolio of different reactions that goes from hard measures to soft measures; this is absolutely clear.

But one thing is -- and you cannot avoid this, you know -- you have to pull all the bad guys into a dialogue, if you exclude them, this is fact -- naming and shaming is important, but you have to -- you know, we live on one globe, we have one Internet, and we have to have this dialogue also with bad guys, and it's a better way to put them or to keep them accountable and say yes, these are the norms.

Be careful if you just go home and then behave in another way.

But it's not alone, the dialogue, so you have to have a portfolio.

And I think what is discussed in the Tallinn Manual and others, we are seeing that such is developed, and if somebody can do bad things and will not -- there is no risk that there will be an answer, this stimulates doing more bad things.

And so it's like children: You have to follow these rules, otherwise you will see consequences.

And I think unfortunately, this is a bad development, but that's why I say we have to have both, we have to have a system of reactions to bad behavior; but we have to have also this dialogue where we try to build confidence and do all the soft measures which you have mentioned.

Thank you.

>> Thank you very much Wolfgang.

I'll hand over to Ilona now, if you're happy to share the messages? Yeah, sure, it's on its way.

>> ILONA STADNIK: Okay, it was a bit of a tough task to summarize what was going on on this panel because you voiced very contradictory points, but I will try.

So the first is strong configuration of cyberspace could stifle innovation and development.

I would like to ask you if you agree with this statement or disagree? Because it's important for messages.

So no objections? Okay.

The understanding of norms differs from strict legal rules to self-regulation; moreover, there is a problem of the acknowledgment of existing principles, for instance western principles versus eastern principles.


States made a great principle for cyberspace regulation despite some failures like the recent GGE of 2017.

Okay, yeah, no objections.

Transnational commercial giants can dictate international conventions for cyberspace; it is the responsibility of states to come to legally binding norms.

Industry has its own norms to develop the development of their markets.

Civil society is likely to stimulate industry to come to norms rather than producing abundant initiatives.


Okay, yeah?

>> I think as a talking point, yeah, probably not as an agreement for every participant, but, yeah, but keep it on this for now.

>> We can leave it as it is.

>> Yeah, let's leave it on there for now.

>> Politics is inevitable in cyberspace due to the cyber arms racing.

In conference to cyber war the issue of cybersecurity provides contribute, to drafting the rules and can -- the information society and digital economy.


And the final one, there is a disconnection between the new technologies and the response of the regulators; so a self-regulation by industry may serve as a starting point for building norms from international level.

Yeah? Great.

>> Thank you very much for your great work.

And to conclude, yeah, sorry, Maarten, please go ahead.

>> MAARTEN BOTTERMAN: I missed the issue that all players are also accountable for their actions.

>> Good point and multistakeholder involvement.

>> In the meantime, if I may, I would like to extend a really big thank you to all the panelists and my co-moderator Tatiana and our remote moderators over there, Lauren who organized the session and everyone who contributed so lively.

Thank you very much.

I think this was a great session.

And I hope we'll hear some more interesting thoughts later today, as well.

Thank you, again.

Show of hands for you.


>> CHRISTOPH STECK: Thank you very much.

>> Thank you for sticking with us for so long.

>> CHRISTOPH STECK: Thanks, was great, thanks.


(end of session)

This text is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text is not to be distributed or used in any way that may violate copyright law.