Alice in wonderland – mapping the cybersecurity landscape in Europe and beyond – Pl 01 2017

From EuroDIG Wiki
Jump to navigation Jump to search

6 June 2017 | 11:30 - 13:00 | Grand Ballroom, Swissotel, Tallinn, Estonia | live streaming
Programme overview 2017

Session teaser

Cybersecurity threats make it to the daily headlines: massive DDoS attacks against Dyn DNS Service, alleged elections hacks, espionage, terrorism and cyberwarfare. How does this change the cybersecurity landscape and influence the perceptions and actions of different stakeholders? This session will discuss these cybersecurity threats and the strategies in Europe. How does the industry's economic rationale meet the governments' calls for regulation? How to align the need to address cybersecurity with civil society's efforts to bring human rights on the top of cybersecurity agenda? And, ultimately, how do we walk cybersecurity talk in Europe? Join our session and let's discuss together!

Keywords

Cybersecurity, security, cyberthreats, cyberstrategies, cyberwarfare, cybernorms, standards, multi-stakeholder

Session description

The session will seek to map the cybersecurity landscape in Europe and internationally under three axes:

- Regulation: How much regulation, if at all is needed? Is this a sole domain of governments? How can other stakeholders participate? Industry’s attempts to take the lead in norm-setting: how successful can they prove? Do we need a cybersecurity Treaty? What about self-regulation?

- Economics: how the economic rationale of the industry correlates with growing pressure to address cybersecurity threats? Attacks are costly and damaging - do they provide economic incentives for companies to invest more in cybersecurity? What about the costs of compliance if this is required by regulation: does the cost of compliance change investment opportunities from more proactive to more reactive and static?

- Technical: what do threats teach us? What are the next developments and how do we marry technology with regulation and economical issues? Can technology provide many of the answers to the current state of affairs?

How can Europe contribute to bringing together these three pieces of the problem now only regionally, but beyond? How can we find a middle ground that will take into account the interests and incentives of all stakeholders, that are frequently conflicting?

Format

We consider cybersecurity to be everyone's business and responsibility. It is up to those who attend the session to shape the discussion: we will collect the questions to the panellists first and ask them to provide their perspective based on the input from everyone.

To make the session as interactive and inclusive as possible, we decided to structure it as follows:

  • Moderator's opening remarks: setting the context for discussion
  • Questions to the panellists
  • Comment and responses from the panellists
  • Interactive Q&A and discussion (everyone)
  • Wrap-up

We will also collect twitter comments before the session and will pay a close attention to the twitter wall during the plenary. Last but not least – we do aim to make remote participation a true participation and not mere listening. If you are not in Tallinn – please join us and we will take care of your voice being heard in this discussion.

People

  • Focal Point: Vladimer Svanadze (Internet Development Initiative - IDI)


  • Subject Matter Expert (SME): Tatiana Tropina (Max Planck Institute)


  • Key Participants
    • Kaja Ciglic, Director, Government Cybersecurity Policy and Strategy, Microsoft
    • George Jokhadze, Cybercrime Programme Office of the Council of Europe
    • Marina Kaljurand, Former Foreign Minister of Estonia, Chair of the Global Commission for the Stability of Cyberspace (GCSC)
    • Sally Wentworth, Vice President of Global Polic Development, ISOC


  • Moderator
    • Tatiana Tropina, Max Planck Institute for Foreign and International Criminal Law
    • Vladimir Radunović, DiploFoundation


  • Remote Moderator


  • Organising Team (Org Team)
    • Konstantinos Komaitis
    • Adriana Minovic
    • Fotjon Kosta
    • Oksana Prykhodko


  • Reporter

Vladimer Svanadze

Video record

https://www.youtube.com/watch?v=Dka9tX3v3mY

Messages

  1. Cybersecurity is a part of International Security, which is depend on national security, and in this process the leading role of government with technical community is very important, also civil societies is very power full;
  2. International cooperation is very important for the development process of cybersecurity;
  3. The role of education and awareness of consumers in the process of cybercrime is also an important topic for protection of critical infrastructure;
  4. Cooperation between all stakeholders (government, industry, technical community, civil society) necessary. In the field of regulation, the focus should be on the complexity of the interaction between industry and different types of consumers;
  5. For human rights and security in cyberspace the Budapest Convention on Cybercrime is the basic document. Also, trust from consumers (end users) to government and law enforcement agencies in this field, will be very important for democracy in cyberspace

Transcript

Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: 1-877-825-5234, +001-719-481-9835, www.captionfirst.com


This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.


>> GERT AUVAART: Ladies and gentlemen, welcome back. I hope you enjoyed your short break and had wonderful Estonian pastries along with your coffee.

We are moving into the first panel discussion of the day, dedicated to cybersecurity, and the session will be moderated by Tatiana Tropina from the Max Planck Institute. With this, I give the floor to her.

>> TATIANA TROPINA: Thank you very much. Can you hear me? I'm Tatiana Tropina and I'm very glad to see you all here. We have an amazing panel, which I'm going to introduce in a minute, because maybe I will wait for more people to come here.

But I would like to make a disclaimer, because during the open mic session, which by the way set very high standards for both moderation and the audience engagement for me and for all of us, there were some voices who asked for more engagement from the audience. And this session was planned despite, you know, having stage and speakers, despite having this room layout where I will have to watch who is raising their hand and when, I do encourage you to participate. I do encourage you to raise your voice, to make your statements, to ask your questions. Because I believe that it's not we on the stage who are the stars, But it's all of us. And that's how we have to address cybersecurity altogether.

So on the panel today, we have the panelists asked me to go with the first names only. So if you knew the sir names, you can go to the wiki page and check the programme.

So we have Sally from ISOC. Global policy Director, I believe -- or Vice President. I'm sorry.

Marina former Foreign Minister Estonia and now the Chair of Global Commission on cybersecurity.

And then we have George from Council of Europe, Office of Security on Cybercrime.

And we have Kaja from Microsoft, Director for Cybersecurity.

And as we named the plenary for this series, "Alice in Wonderland," taking into account what I said about participation, my second moderator, my partner in crime, whose name is Vladimir Radunovic, he is now acting remotely from Belgrade. Because we do believe that you don't need to be present here, not only to participate, but also to moderate the session on site. And I will give it to Vladi. Vladi, now the floor is yours.

>> VLADIMIR RADUNOVIC: Thank you, Tatiana, for a good introduction and for allowing this sort of experiment today. I hope you can all hear me well.

That's how we usually start remote participation. Can you hear me? But we tested and I hope the technology will not fail us today.

As usually as it goes in EuroDIG and IGF, their a couple tracks of discussion. One is on the panel. The other is the rumors in the audience. The third one is remote participation. And then our idea today is to merge them all. Track 2, 3, 4 discussions, and I'll try to help with that. I'll follow all of these streams online and get back to panelists as well from time to time with some provocative, more or less, questions. And also have a lot of -- some sort of polls, so we can, as the diplomats would say in some occasions, feel or sound the temperature of the room.

And before I give back to Tatiana quickly, I just wanted to invite you to start with the first one. I know most of the sessions have their laptops and phones in your hands. Don't leave them, don't switch them off, just switch off the tone. But keep them with you. And go to the website that you can see on the screen, and use the code 397208 and add your key word. What is the key cybersecurity challenge in Europe today? And you'll see what the audience thinks, what is the cloud of words that we think that is the main cybersecurity challenge in Europe today.

So start with that. And, Tatiana, back to you with a comment or more is you wish before I turn to the panelists.

>> TATIANA TROPINA: Yes. Because I'm on-site, I see some of you are looking with your laptops and not looking at me with your phones. So please do us a favor, go to the website and add your words, add the answer to the question: What are the key cybersecurity challenges in Europe today? We will project the results and we will build upon them. So just go and enter your words.

And I'll like them to turn to our panelists and ask them in a very short manner tell us your top three challenges in your field, for Europe or globally. And I'll start with Sally.

>> SALLY WENTWORTH: Thank you --

>> TATIANA TROPINA: How do we turn the microphone number --

(Feedback)

>> SALLY WENTWORTH: I think it works. Thank you very much, Tatiana, and to the organizers of the session. I'm watching the word cloud come up, so this is sort of fun. I do think that if we think carefully about the big cybersecurity challenges, and I'm going to look at this from a global perspective, I think that there is a real challenge or the potential for fragmentation, that the security solutions lead not to interoperability or global reach, but rather fragmentation.

I think that there is a clear challenge related to trust. Do the solutions that we put in place actually result in greater trust in the Internet?

And then I think that there is a real question and challenge for end-users on how to interact in an increasingly complex security environment. So if I were to say I'd put those three issues at the top of my list.

>> TATIANA TROPINA: Thank you very much.

Marina, I see that there is one word in this cloud which says Russia. I'm not going to go into politics or any names of country --

>> MARINA KALJURAND: You already went.

>> TATIANA TROPINA: Yes, I already went. But just because we have it in the cloud, but the Russian nation might read these words, but could you please tell us from your perspective, from the perspective of the Foreign Minister, forget about the names of the countries, and from the perspective of the Chair of the Global Cybersecurity Commission, which challenges do you see in policy and politics and national security?

>> MARINA KALJURAND: Well, thank you, Tatiana.

You know what diplomats are known for: they never answer the questions. They say what they want to say. So I want to start with a personal note.

And first of all I'd like to say how happy I am that EuroDIG is in Tallinn. Two or three years ago we talked with Sandra, the Secretariat -- Sandra is there in the back row -- and now it's here. You can see that we can provide relatively nice weather, which is the best we can do in June, trust me. Last week it was snowing.

And I'd also like to thank our people engaged. I'll not say the names, but you know them. They have been on the stage. And the Secretariat for putting this topic on the agenda.

As to the challenges, my background is Government. I'm a career diplomat. I've been an Ambassador to six countries so my background is Government. And I'm a lawyer by education. So I trust in law, I trust in norms, and I respect law.

If I have to say a couple of challenges is, one, then today the role of Governments. Because Governments have to be leaders.

Second, Governments can't do it alone. It has to be an all nation approach, all multistakeholder approach. There is a specific growth for industry, but also for Civil Society and for experts.

Third, International cooperation. Without International cooperation, cybersecurity can never be efficient or achieved.

And I'll stop here.

>> TATIANA TROPINA: Thank you very much.

Vladi, I would like to ask you, would you like to comment on what we just heard or on the cloud, what we see?

>> VLADIMIR RADUNOVIC: What I'm trying to compare is what we have heard and what we see. And privacy absolutely dominates and awareness dominates. As you mention, Russia is somewhere there. What I don't see much, and it's interesting, is there are not many technical issues, actually. There are almost no technical issues. That's quite interesting.

There is a lot about trust, and there is not much about Governments or about industry or about the roles in general.

So I guess we will get back to that later. But maybe that is also sort of a -- sort of a teaser for your next panelist to comment before going into their own thoughts.

Over to you.

>> TATIANA TROPINA: Thank you very much. And I actually have a nice segue to the next panelist, because MARINA mentioned norms and law as a lawyer. George, you work on the norm making side. You work on the cybercrime side, on setting standards on the Council of Europe side. What are the main three challenges for you?

>> GEORGE JOKHADZE: Thank you for giving me the floor. I'm speaking not only on behalf of the Council of Europe, but I'll be speaking also on behalf Adolpha, (sp) the people that they brought in here that have primarily the law enforcement background. They will listen to the all the excellent and engaging discussions here, because for them it's also the way to connect to the other parts of the thinking and discussion.

But when it comes to Regulation, of course the Regulation would be in itself the first challenge for us. And the Regulation not only in terms of introducing new rules, but following the old rules, which would be the Budapest Commission on Cybercrime, which remains up to this very date the only global statement when it comes to cybercrime and by extension cybersecurity when it comes to international relation.

The second challenge, I can see it there with the help from the audience, it's awareness. And when it comes about awareness, it's awareness of the law enforcement, of the criminal justice systems, of the challenges and technology. Challenges of how to deal with them in a manner that complies with the rule of the land and human rights.

And the third one, it was mentioned, the International cooperation from my esteemed colleague, Marina. But I would have a different twist on it, for us, especially the countries that I represent here, at least in partnership, is the service providers, such as Microsoft, Facebook, Google. Because it's it is challenging. It's all about data. It's about the data that is held beyond your jurisdictions that we need to have access to as a law enforcement officer. So that's my top three at the moment.

>> TATIANA TROPINA: Thank you very much.

Kaja, from your perspective of the industry, of the Microsoft Company, which is probably cooperating with the Council of Europe and with the Governments and with Civil Society and building capacity, what are your three challenges?

>> KAJA CIGLIC: I think they were largely sort of mentioned here, so I think we are in agreement.

So I think the one that sort of scares me a bit is the questions you put up there. I think the challenges are not Europe specific. They are global challenges. And I think looking at it even from a regional, instead of global perspective, sort of introduces new problems into the equation.

I think the need for cooperation and more efficient and effective cooperations across the multistakeholder lens is also important, whether you are thinking about Governments or private Sector or whether you're thinking about Civil Society. I think there is more to be done on everybody's part in that space.

And I think the role of Governments or looking at the future as you are moving into cyberspace more from a national security defensive, offensive perspective will be one of the main challenges for us going forward. Just because some of those actions -- and we have seen it before. I would say it's probably not just Russia --

>> TATIANA TROPINA: There are other China and other countries in the word cloud.

>> KAJA CIGLIC: Yes. And I think it really significantly can undermine the trust in the online environment. And the online environment itself -- so then I guess the last point is humans, which is one of the things I saw up there as well. Because many, even though -- you know, in recent times we have seen a lot of big headlines. A lot of the techniques used to do these hacks were very simple things, where basic security measures, basic security awareness, would have prevented them. So I think we need to do a lot more, still, on making individuals more cyber savvy, I guess.

>> TATIANA TROPINA: Thank you very much.

I'd like to turn to you, to everyone who is sitting here. Are there any comments on what you put into this word cloud and what is missing here?

Sorry, my sound disappeared.

Are there any questions, comments, statements? Like, for example, it was me who put China into the cloud, someone says. Not me. And I think we have to consider these because of these one, two, three.

You don't have to queue to the microphone. Just raise your hand and there is someone with a roaming mic.

There is a gentleman over there.

>> AUDIENCE: Hi. I'm Katalan from the University of Frankfurt.

I think one word which I'm missing is the question of whether we should think of drafting a cybersecurity Treaty. Whether we should rely on a formal binding International legal basis, or other. Whether we should apply existing norms this, such as customer International law and principles such as cooperation and due diligence, which also have some duties. So do we need new treaty or just apply other norms better and more realistically.

>> TATIANA TROPINA: Thank you for the question. I'll not pass it to the panel, unless you have a very short answer, Marina. I think I'll make the questions a big part of the sessions. Because I think they should be discussed, be on the cloud or not.

Marina, the floor is yours.

>> MARINA KALJURAND: No, no, no. I cannot answer in one sentence because I have a very specific key word to add. I'd be happy to wait for the discussion, but I'd like to comment on that later.

>> TATIANA TROPINA: I believe Microsoft might have a very specific view on this and Council of Europe has a treaty. So I will put it aside right now.

Vladi, do you have any other questions or comments before I would like to ask you to do something?

>> VLADIMIR RADUNOVIC: Nothing in particular. I think, yes, it will be quite tough for the two of us, Tatiana, to actually streamline the discussion, because I see a couple of tracks that are developing. But let's try to stick to who should do what and what is the role of Regulation, technology and economy.

If you agree, I would move then to the next kind of a teaser, which is let's start with thinking about a superman. So we need a superman who is going to save us in the cyberspace. And my question is probably not the right one, but I'll anyway ask it, and I'll change the slide and you can vote and I kindly invite you to do so.

If we would need to somehow rate whose primary role and to what extent is to protect cyberspace and us in the cyberspace, would it be Government? Would it be industry? Would it be technical community? Or would it be users? It's not either/or, of course. It's a scale of one to ten for each one of those, and probably some sort of a combination. But I challenge you to start with that, who do we think that actually -- who do we trust the most to save us?

And, Tatiana, I would get back to the panel with the same question, now that they have a bit of time to think about the response. But maybe you want to go to the audience with a couple of reflections on who thinks that a Government should be the one, or the industry? Tatiana?

>> TATIANA TROPINA: Yes, I will. I was told that I cannot leave the stage. This is one of the major drawbacks of this setting.

But I want to actually reflect first on the panel and not on the audience. I changed my mind. Because I think that what we are planning in this plenary, in this scaling -- it's a bit cheesy, I know, that you have to scale, you have to pick up, it's not an easy question -- but what struck me was when Marina was talking about her three challenges, there was a statement about the role of the Government. And I think it fits very nicely right now.

So I think that the scale and exercise is going very well. We have some for more of less for governments and technical community.

So is there anyone to comment? Do you believe that Governments will protect us, or maybe not? Guys, raise your hands. You asked for participation.

Could we have a microphone here?

>> AUDIENCE: Thanks. Robin Wilson from the Internet Society.

I think Governments must have a role, because they are responsible for, first, the safety of their citizens.

And, second, so much of the critical infrastructure that a modern state depends on, and indeed, a nonmodern state, even things like sewage counts as critical infrastructure. And the more it's controlled by computer systems, the more vital that is as an element to cybersecurity. So the sewage dimension to cybersecurity. I bet you didn't think you'd hear that this morning.

>> TATIANA TROPINA: Thank you.

Is there anyone from the technical community or is there anyone who wants to comment first? Because otherwise if there are no volunteers from the technical community to tell me if you think you should or should not have a leading role in protecting critical infrastructure? I'm looking at some people from the technical community and I'm going to approach you, so you are better to stand up or raise your hands.

I think I see some people from technical communities sitting over there. So I would ask either of you to comment.

>> VLADIMIR RADUNOVIC: Before they comment, just kind of an invitation for two of them, basically, try to be specific. How is that, if technical community can help us, or no. What is it that the technical community can do?

>> AUDIENCE: Chris Buckridge, RIPE NCC.

I think this is not exactly the right question. And I'm going to be sort of the first person here to stand up and use the dreaded "multistakeholder" word.

I think what is clear from any of this, and what we have said here, even, is that there is no single answer to this. Government clearly has a role, but Government doesn't have the expertise that the technical community is going to have. So there has to be sort of cooperation here in some way of bringing those different areas of expertise together. And that's -- how you do that, I'm not sure. I think that's something that is a work in progress. Something we're trying to look at how we do.

And there are venues like the OECD is one that springs to mind where there has been work to bring together Governments, sort of the key members of the OECD, but then outside stakeholders through advisory committees, so the technical committee, the advisory committee, there's a business advisory Committee, there is Civil Society, and that's actually produced the OECD privacy guidelines. And we can debate about how effective or comprehensive they are. But it's at least a move towards actually facilitating and operationalizing that multistakeholder ideal of different perspectives and different areas of expertise working together.

>> TATIANA TROPINA: I think while you were talking, the technical community went, you know, went zero points, two points higher in the question. So you probably impressed.

I would say I also thought that maybe this was not the right question. But we are talking about multistakeholder for such a long time. But the question is who actually leads -- I understand that we need multistakeholder. But, I'm sorry, we don't have it right now in cybersecurity in many venues. So who should have a leading role? I'm handing it over to you.

>> VLADIMIR RADUNOVIC: Thanks, Tatiana. And I owe a little bit of explanation on the panda thing, because it's an internal joke. Some of you are using social media might have seen that joke of when you mention certain terms, every time you do that the panda dies. No panda was hurt. It's a joke.

But the point here is just to try to avoid using multistakeholder as much as we can today. Not that the term is bad, but try to avoid going into cliches and be more focused on what do we mean when we say multistakeholder?

Maybe this is a good time for Marina to jump in, because I'm sure she is eagerly waiting to also share her thoughts. I know that you have a very specific opinion on the role of the Government, and in a way that -- that the dialogue evolves.

One question to maybe help you with this or to provoke you. During the Cy Con this year in the City of Tallinn, there was one sentence that was written quite well, and it said the "the Governments are mastering cyberspace when it comes to defense and even offense. But they are not actually mastering the protection of cyberspace."

Just to feed into your comment. And I pass the floor to you.

>> MARINA KALJURAND: Thank you very much. I can wait. But since you gave me the floor, I'm happy to talk.

First, if we return back to the chart that we see, I think that the percentage very much depends what is the audience who is answering the question? So I'm not surprised that at EuroDIG the percentage of technical community but also industry and users is very high.

My personal view is very much as the view of the gentleman who said that cybersecurity is part of security. It's what citizens are waiting from their States and Governments, to provide security. Whether it's terrorism, migration, whether it's national crime, no difference. So for me cybersecurity is the same. Part of security. And here Governments have a role.

What is the role of Government? If I just give a wild guess, I would say 50 percent. And the rest divided between industry, experts, when I say experts, I mean also technical support or technical people, IT geek, and Civil Society.

But Governments have to lead and Governments have to lead the multistakeholder approach. They have to listen to.

If you say the Governments have failed, there are different Governments, yes? So we don't want to be one Europe. We don't want to be one Africa. We are all different countries. You're in Estonia. After the presentation today, in the morning, I can't agree that Governments fail. On the contrary, today when there is so much criticism about Internet voting, or e-voting, why country continues to do it. And when our people were asked last autumn after the hacks of DNC servers, do you still want to continue with Internet voting? The answer was yes. And it's the duty of the Government to take care that it's secure, to take care of the integrity of data, to take care of secure exchange of information, and authentication of people. So I also see here the role of Government.

Yes, we can set standards to industry and we are setting them, but the lead has to come from the Government and from International cooperation. So let's not talk about Government as if it's one.

Different Governments are facing different challenges. I understand here in the morning it was the President of Lithuania speaking. She made it clear, Lithuania is not ready for Internet voting, and I accept it. Although I urge her to look into that, because at some point Lithuanians will wake up and say we want to do it the same way that Estonians are doing it. Please provide us for opportunities for Internet vote, which is secure and safe. And anonymous. I think anonymous was the word she said.

I'll stop here, you can see it's a topic which is close to my heart and I could continue and continue and continue. But I'll keep myself.

>> TATIANA TROPINA: Vladi, I see that Sally wants to comment on this.

>> SALLY WENTWORTH: Sure. And I want to thank Chris for speaking for the technical community, taking the first step.

I might take maybe a slightly different approach than Marina. I would fully agree that there is a role for Government in the security, the Internet security discussion, absolutely. Governments are asked to do things, protect their citizens. They need to be at the table, and any suggestion otherwise I think is not helpful.

But I also think that it depends on the issue at hand in terms of where the leadership may come from. And I think we have to acknowledge the fact that in areas where we are talking about innovation, the next services, the next ideas, this is an area where industry and entrepreneurs around the world are, in fact, leading. So how is it that we want them to lead? We want them to lead in a way that is security minded, that is trust minded, that is privacy conscious. That is taking note of and really putting core values at the center of their innovations.

When we're taking about growing the network and ensuring that it scales to meet the demands of the future, this is an area where the technical community is going to lead. And it's going to be mindful and careful about the requirements that Governments have, that industry, that Civil Society has.

So I think it's perhaps why we're struggling with the question is that while we don't want to say the dreaded word, there is value in an approach that is collaborative and understands and respects where the different stakeholders need to come in and take their roles seriously. And I think what we're all saying is that this notion of security, this notion of trust, has to be at the forefront of our minds as we're making those decisions. And the leadership is going to come at different parts of the discussion or of the action required.

>> TATIANA TROPINA: Thank you very much. Sally.

I really have thought that maybe yes, it was a simplistic question, but the disagreement between the panelists already shows that maybe it was the right question to ask.

>> SALLY WENTWORTH: Could be.

>> TATIANA TROPINA: Before I move to George, is there anyone who wants to comment --

So first, then you'll be the second. And yes. I'm keeping a track on it.

>> AUDIENCE: Louise Bennett, BCS.

I wanted to follow up what you were both saying. I think the absolute key thing is that vendors of hardware and software, particularly applications and Internet of Things, should be providing those things with security by default and privacy by default. And I think Governments have a role in demanding that that is what their consumers get.

We also, for it to work globally, we need International standards. And it's particularly true in the Internet of Things, where most of the end devices have no security at all.

>> TATIANA TROPINA: Thank you very much.

Can we move here, but the microphone can be handled there as well.

>> AUDIENCE: Hello. Good morning. My name is N. Vagae (sp). I'm responsible for the Portuguese National Cybersecurity Center, but I come from the technical community.

If we compare with other areas of security, for example, role security, Governments have a role to put rules and to make them to be obeyed. The industry has a responsibility in providing security cars, together with technical community in the area. But the users are crucial. If they don't drive safely, everything breaks.

Here in cybersecurity, Governments must have a role. As we mentioned concerning the essential services, the gentleman answered critical infrastructures, but in Europe we have the DNAS directive, which is under the process of being transposed. And with the critical dependency of those infrastructures with IT, there is a framework that has been created by Governments to establish the rules. Because some rules, if they are not there, the industry, trying to save money, is not investing the necessary financial and human resources in protecting our society.

So it's an area of shared responsibility, of course. Governments must have an important role. But the industry must provide products that we can rely on. And users also have have to be educated and have the capacity to deal with the always changing world.

Thank you.

>> TATIANA TROPINA: Thank you very much. Could we have a microphone over there. Yes. I see. Luca.

>> AUDIENCE: Good morning from my side as well, I'm Raul from the eGovernance Academy from Estonia.

And what the organisation is doing is to implement the trusted information society road to build. So we help countries to implement secure Internet and electronic services.

And, actually, I thought that I'm going to be quiet this morning, but as Marina said, once we talk about Internet and cybersecurity, Estonians get passionate, so I have to say something about it.

First of all, I think that when we talk about cybersecurity, we tend to think or consider incidents. Cyber incidents and incident management. And in this context, this question is relevant. The two might have the most important role in this fight.

But what I can say from Estonian practice, that what our Government has done already 15 years ago is not only how to manage cyber incidents well, but first of all how to prevent them. That's why we have invested a lot to technology, how to protect our electronic services. That's why all of these technologies are there. An electronic identity, different trust services, all the things same that EI is talking about or the Regulations.

So the technology is there. In the Estonian case the Government is clearly leading it. And the industry is involved in the development process. And I personally, in this 15-year period, I haven't had any personal incident. So the Estonian cyberspace is safe and I'm happy to use that. So the protection there is. We don't have to talk about it anymore. The solution is there. Just use it.

>> TATIANA TROPINA: Thank you very much.

Before we move to George and Kaja, I'll take three more interventions. Then after three I'll close for now because we will take more later after the two panelists talk, because we cannot abandon the panel completely.

So could we have the microphone, please. Oh, Luca, you have microphone. Please.

>> AUDIENCE: Good morning, everyone. I am Luka Belli, and I work at the Centre for the (Inaudible), FDV. FDV is the academic institute (inaudible) who developed the Democracy of the Internet, for those who don't know it.

I to first reinforce what Marina was saying. I truly believe that Government has a leading role not only because they have a role, but because they have a duty. They have a duty to provide security. They have a duty to provide education. And without education, I hardly see an end-user being capable of having a role in cybersecurity. And they have also a duty to protect consumers. And without strong Consumer Protection, I hardly see any developer, any service provider, enforcing cybersecurity.

And also, I think they would be very wise in providing data portability right to users. Because only when the user can migrate with all of their data from one service to the other, the business actors are truly stimulated in reinforcing their security. Because they know if they will not have as secure an environment, the users will migrate with all of their data from one service to the other.

>> TATIANA TROPINA: I have to admit that when we were applying in this session, I never expected it to take a turn into reinforcing the discussion about Government's leading role, especially at these premises, so it turns a bit unexpectedly. But it provides us with a nice segue to the issue of Regulation, which also came up several times with regard to the IT issues and the duty to protect the citizens and users.

I'll take three more interventions.

Yes, I remember. Could we have microphone over there? And we have two more and then I'll close. So please don't raise your hands for now, because we will have to more interventions of the panelists.

>> VLADIMIR RADUNOVIC: A quick one before the gentleman or lady takes the floor. Just noticing that the pole is changing a little bit. Now the Governments are not the top one, but the technical community.

The answer to the question is the question is not the entirely right now. But I think it signals something to what extent that we believe technology can save us or that the Regulation and sort of the social conduct can help us.

Back to you.

>> TATIANA TROPINA: Thank you very much.

>> AUDIENCE: Thank you. My name is Mattias (?). I'm from the Austrian Government.

Although not working in the, let's say, cybersecurity field, I'm working in the human rights field, but this is of course no contradiction.

I think the question of who should protect cyberspace, we have to differentiate a bit. Because there is no doubt at all that Governments must secure cyberspace, as it was just said. Because the European Court of Human Rights says there is a positive obligation of States. And therefore it's not the question of if they should, they must. But what we have to discuss, and that's why I highly appreciate this discussion now, so often we have in fora like that, the role that we speak about the Governments, and as Marina said, we have to say that the Governments are in very different positions on their views.

But, nonetheless, and I think that's how we work on the Council of Europe, I think we should work on indicators, as we did in recommendations on Internet freedom. What would be the minimum positive obligations of Governments, altogether, let's say, from the angle of human rights positions?

So what should be -- it was already said. It's not only, of course, the Regulation. The Regulation could also secure freedom. But it's really, for example, this whole question of fostering awareness of users. How does the state plan for schools to be developed? So there are many, many roles as facilitators for Governments, and I highly appreciate this discussion.

Thank you very much.

>> TATIANA TROPINA: Thanks you very much.

Over here, one intervention from here.

You can give the second microphone here, because I'll take the last one.

>> AUDIENCE: Thank you. I'm (?) from the Frontier of Finland.

I want to point out that Government sometimes cannot be the threat. Sometimes users need protection against Governments. So I agree that Governments have a role and can say that Governments should protect the cybersecurity, but we should not trust that the Government will do that. We should keep a balance.

And I'm sure we can think of Governments that are not as trustworthy as the Estonian Government. And we can think of our past histories. I think more or less all countries have had bad Governments in the past. So a balance is needed. We can say that a Government must protect, but we should not trust them to protect. We must protect against the Government in case the Government goes bad.

Thank you.

>> TATIANE TROPINA: Thank you.

>> AUDIENCE: Thank you. Maarten Bottermanl

I filled in all four equally, actually. Well, one thing, the more I work with it, the more I'm convinced that it's truly multistakeholder, whatever you do.

Governments have an important role, I agree. If they don't put in the rules, it's very difficult to maintain them.

But I would like to go to a comparison that has been given more often this week already. Let's take a car. It's clear that safety belts make sense now. We didn't have them until the Government put the Regulation in place. We didn't have them until they were developed in such a way that they actually support us. For instance, only the waist belt would tear us apart, you know that? And only when industry was really implemented then.

But that wasn't enough. Because people who don't wear them are still not protected. I think this is a very good parallel for the Internet, too.

There is a lot of means out there, and if you would all use them then it would be much safer than it is today.

>> TATIANA TROPINA: I'll close interventions for now.

And I'll turn it over to Kaja first. Because we talked so much about the role of the role of the Government. What is your answer to this as industry? What do you think?

>> KAJA CIGLIC: Sure. I think the way it is now, it's sort of equal. What the gentleman just said, I think it's the right thing. I think that governments definitely have a role. I agree with you. I think when it comes to protecting critical infrastructures and they have a duty to inform the citizens. But I think at the moment, at least, in technology when technology is moving so fast, is this is sometimes very challenging for them. And it's sometimes counter productive if they do it in isolation from other stakeholders, whether it's industry or Civil Society.

I think also to your point over there, you're right. I think Governments play different roles. They sometimes protect citizens. They put rules in place. But they also have national security roles that may be threatening other citizens. Or indeed some Governments are less Democratic than others.

And, also, Governments are all at different stages of development. You know you have Estonia, which is very advanced. But even in Europe, you have other countries that are only now setting up their CERTS, which is the basic Government infrastructure for securing the -- sort of the online environment.

I'm Slovenian. I think in Slovenia we have about 3 or 4 people in a CERT. I know it's a small country, but that hard for four people to keep up with the technological developments and updates and sort of consume all of the information.

I think on the third point that I'd like to make is also I think that bigger industry, in particular, has -- the ICT industry has matured over the last few years. I think it has understood that big attacks, big breeches actually damage business and they need to invest in security. Microsoft invests in security and so do all of our major competitors.

And we have also, as an industry -- I think the other industry that can be put up as a good example of this is the financial services industry -- actually started working together on sort of solving threats that we see and sharing information. Because we don't see it necessarily as a competitive advantage, but central to the fact that if there is no trust in the online environment, there is -- we will have no business. So I think -- so that is important to note.

I think the other thing that I also will put out there is especially in the Internet of Things sort of dialogue, I think we need to -- we do need to educate consumers. I think the fact that people put products on the market as soon as they can, just so they are first to the market with security sort of at the back, maybe we will do it if the product succeeds, that is also driven by the fact that customers still to this day are not willing to pay for security. And at some level you need -- you know, you have to kind of vote with your wallet. It's more expensive. It's harder to produce secure software.

>> TATIANA TROPINA: Thank you very much. You are next.

>> GEORGE JOKHADZE: Thank you very much. Actually, one of the interventions I was going to make already was covered in a way by the gentleman from Austria. That is the human right to a safe and secure Internet that was reinforced by the European Court of Human Rights in (inaudible) versus Human in 2009.

For us, the division cybercon office in the cybercon division that deals with this is one of the leading sources of authority in there.

When we speak about cybersecurity, we shouldn't fall into the trap of have treating it like a monolith of one issue. It's different issues put altogether with different stakeholders. And one of the stakeholders is the criminal justice community. Because it's not only the protection of citizens by layers of technical solutions, but going after the bad guys. Serving justice upon them. And this is where the cybercon units and the law enforcement comes in. And this is where, actually, the obligation of the state to protect their citizens is expressed the most here. And of course the human rights component of being solved by these units is very important.

I'll turn back to, if I may, to one of the previous points that was made earlier in the discussion about the need for Regulation, and probably tie it in about the need for a new treaty on cybersecurity. And I think Marina has views on that. But with the Council of Europe, we are more of the opinion that the current obligations that are already there, they need to be implemented first because there is still a lot of life in them. And a lot of value in them, such as the Budapest Convention on cybercrime.

And it has actually grown exponentially. For example, the latest addition was Tonga, of all places, just a couple of weeks ago became the 55th member of the European -- Council of European Nations Cybercon, which has become a little bit creepy more and more.

So I think there is still life in the standards that exist right now, and we need to take them further before we start discussing the totally new set of rules on the cybersecurity that may be quite difficult to agree upon.

>> TATIANA TROPINA: Thank you very much.

Are there any immediate interventions to what you just heard? Because I really would like to say that we plan to talk about Regulation. And I actually didn't expect it to come up like this, also, like from the BCS about the Regulation of the Internet of Things. Because in the past few months and even past two days, Ive heard about the Regulation of the Internet. You know, we all did in some circumstances. Like, for example, with the resumes that we have terrorist attacks and we have to regulate the Internet. But this is a particular case.

But there is a bigger debate, for example, about IoT. About the botnet, when those devices which were mass produced were hacked, because they were not designed to be secure. And some of the big names in the technical community are now calling for Governments to take the leading role, to regulate.

And I was taking notes here after your interventions, after the panelists' interventions, and my notes are Internet of Things, Regulation, education, more security devices, who should pay for these and who should regulate these.

But before we move to the overarching issuse of regulations, should we regulate because of the dangers? What are the dangers? Who is going to set the norms?

I'll give the floor to Vladi if he wants to wrap up.

>> VLADIMIR RADUNOVIC: Thank you. Maybe just a thought before we move on. Listening to all of the parties, to some extent we discussed who should do what and who is responsible. But then there is the underlying question of trust which was also visible in the cloud.

And I sort of encourage you all to think also on how do we rebuild trust in each of the stakeholders? For instance, many Governments are doing their best to also try to protect cyberspace, as we discussed. There are Governments which are, and not a few of them, Microsoft has a list of about 30 countries investing in defensive capabilities. We followed about the same number, at least, that reported. So there is diminishing trust in Government's work because of the exploits.

Then we have sort of dimension trust in the corporate Sector, because our industry -- because the one example showed that even the patching system doesn't really fully work. Many products remain, as they call it, abandoned Ware, without support, and many people use it.

When it comes to law enforcement, with all due respect, we don't think that law enforcement is doing the most they can do with often limited resources. But there is also a lack of trust that law enforcement can actually do something.

In the case of Warner Cry (?), we had very few reported cases. And it's not only that people didn't turn -- in many cases people didn't turn to law enforcement because they don't think law enforcement can actually help them in such an outbreak.

We're thinking about how can each one of us as stakeholders increase this level of trust and what should we do?

Before passing the floor back to you, we are posting the next one, sort of an openended question. Just answer with the same website and same code, 397208. What are the to-do notes? What should each of the stakeholders do in order to -- well, in the regulatory aspects, in the technical aspects, in the economic aspects? So just feel free to add whatever thoughts you have, almost like a Twitter. And we can turn occasionally to that and get the inputs.

>> TATIANA TROPINA: Should I proceed with the Regulation question or do you want to talk about trust?

>> VLADIMIR RADUNOVIC: No. I think trust is underlying. It's just a cross-cutting issue. So I think you can go and refocus on the Regulation, having in mind trust.

>> TATIANA TROPINA: Thank you very much.

And I'll turn it to Sally, first. Sally, what do you think about Regulation? Do we need Regulation? So we need more Regulation, especially for new challenges and new technical aspects, like IoT, and who should be the norm setter? Who should contribute? Who should lead this?

>> SALLY WENTWORTH: So I think it's important that we look at sort of the range of tools that we have in our tool chest when we're trying to approach something like security. And you mentioned specifically security of the Internet of Things. The Internet of Things raises a whole level of complexity as we are crossing all sectors of the economy and all different regulatory regimes that come into play when you start dealing with that.

But I think certainly there may be a role for Regulation. There is a role for Public Policy and establishing, perhaps, certain baseline requirements. But how we approach that, I think, is important. You don't show up and say okay, I've implemented a security rule and now I can walk away and things are safe going forward. We know the technology is constantly evolving. And any sort of policy tools need to be nimble enough and evolutionary enough to deal with technology changes as they emerge.

I think we also have to recognize that in an IoT environment, we are often, I think somebody mentioned, we are often talking about devices that are very, very, very inexpensive. And as you add security requirements to those devices, you can quickly double, triple the cost of those devices. And so you're dealing with a market incentive set of questions that I think is really quite challenging and necessary to address.

There was also a comment about Consumer Protection. Clearly very, very important -- I can't watch that and talk at the same time. So I'll let you tell me what is being said there. But on Consumer Protection, yes, there is a role for Governments, and Governments around the world have Consumer Protection regimes.

I'd also note that there are a number of initiatives that are emerging around the world to enable consumers themselves to demand the kind of security and privacy that they have every right to expect from their devices.

So, for example, in the United States, there is an effort underway now by Consumer Reports to develop a digital privacy standard. They're trying to do this in an open way with all stakeholders involved, to figure out what are the components of a basic privacy that consumers can demand when they are out purchasing in the marketplace.

So while we can talk about Regulation, I think we need to be very careful not to turn to that as the default and suggest that that is somehow going to solve the problem magically on its own. I think there are other forces that we have to take into account.

>> KAJA CIGLIC: And if I -- this is more like a clarification. The other thing, as we start this debate out, I would say be specific about what aspects you think about regulating.

>> TATIANA TROPINA: Absolutely.

>> KAJA CIGLIC: And it's not just if we think -- you mentioned the resume. I think that's clearly moving into content --

>> TATIANA TROPINA: Yes. The content regulation, if I mention IoT, it moves into Consumer Protection.

>> KAJA CIGLIC: But not even that, because I think in IoT -- at least sort of in the Microsoft world -- we don't do any consumer products in IoT. But I think we do much more stuff with enterprises. So we put devices on airplane engines, and they connect data back to our cloud product. And sort of that is an enterprise instead of IoT practice.

But that's also a thing to think about. You have to think about who is a manufacturer of the actual device? Who develops the software that sort of connects the device? It's often not the same person. Who deploys the software? Who actually puts it into like the enterprise or puts it in stores? And then also like how does this connect to the cloud environment? Sort of how do all of these four communities talk to each other? How do they cooperate on security? And sort of how -- I think that is -- it's just a really complex sort of debate. That's why I think we should be clear.

>> SALLY WENTWORTH: Yes. And just to jump off that, I think in the past if you manufactured a device, a toaster or a baby monitor, it was a single device that was in somebody's home that was for their own personal use.

As we now know, it's trite to say, but these devices are now all sort of affecting the rest of us. So now you're in an IoT environment, basic consumer goods or enterprise goods that might have been stand-alone in the past are part of a system. So the failure of one can have broad implications for others. That's a mindset shift that is going to be required across all sectors of the economy. And then as you pointed out, in the distribution and implementation of them.

So I think it's a different way of thinking, and the regulatory environment is going to have to keep pace with that complexity.

>> TATIANA TROPINA: I have to admit that before, when the organising team was planning the session, actually we were thinking about more norm settings like the Geneva Convention and Cyberspace for Microsoft. But I'm actually glad that this debate moved to the regulation of IoT and this complexity to show that this is really a complex issue and it goes beyond regulation.

Marina, before I hand it to you, I'd like to sum up some of the to-do notes and what our panelists said. Because I see, for example, in the to-do notes: Industry should be liable for security. Security by design, by industry, enforced by Governments.

But what I really liked what Sally said, that consumers should demand security. And how we bend these two together -- I don't think we really have an answer. And I don't think -- many of us think that Regulation is the answer.

I'm registering hands from -- Marina, would you mind if I go to -- no. I'll have a short intervention and then I'll hand it over to the panel.

>> AUDIENCE: One quick comment and then I shut up.

So in regard to how to -- I think your question was how to bring -- how to enforce industry to demand, or how to force or lead the consumers to demand security.

Just a very short Estonian piece. Before we implemented our electronic ID card, this solution was demanded by Estonian banks, because they wanted to provide better security for the electronic bank users. So they came together. They saw that they, together, cannot be the third trusted party. So, basically, they asked the Government to take the role, to issue the ID cards, and through that to provide better security.

So it was a request from the financial Sector to the Government, and Government came and did it. So now, after that, banks and all others can use it. So that is our story.

>> TATIANA TROPINA: I thank you very much. I think this intervention connects a few dots about consumers have to demand, but also what Kaja was saying earlier about consumer education. I know that maybe I'm not -- I'm not here to express my opinion as a Moderator, but I've been in the cybersecurity field for 15 years. I don't see much of consumer demand for security. I think consumers go for what is cheaper, mostly. And if consumers would have more educated, they might have demanded.

>> KAJA CIGLIC: One thing to that. I would I also say not just individual consumers. I think we have slowly started seeing a shift in industry in sort of companies that buy software to start thinking this is important. But this has only happened in the last two years. So it's beyond individuals. You should think about it across the whole ecosystem.

>> TATIANA TROPINA: Yes. We are moving there.

Can I first give it to Marina and then to George.

>> MARINA KALJURAND: Thank you.

I'd like to make a couple of points on norms and regulations. There are different layers. We are talking about States, Governments, national and International cooperation about the industry.

The first point is cyberspace is not a wild jungle. Cyberspace has rules, regulations, laws. We have laws on our national level and we have agreed already in 2013 that International law applies to cyberspace.

The question today is how. And that is the role of Governments to say how. Because only Governments can interpret International law and can apply International law.

Experts have done a terrific job. A couple of months, for example, the Tallinn Manual on Applicability of International Law to Cyberspace was presented. 600 pages of legal text how lawyers see it. But that's their proposal. It's now up to the governments to look into that and to make Governments more, as I said, Governments interpret International law.

And for me, all the proposals about writing new laws, for me it's kind of a sign of not doing, not applying what we have today, but postponing application.

In International law, to write a Convention, I would say 50 years and you're still at chapter one definitions. We shouldn't be naive. The questions that we have not been able to solve in real life, for example, the definition of terrorism, we will not be able to solve inside that. Which means that we have to look carefully at what we have. I don't exclude that at some point we might come to the point where we see that something is missing, that we have to have either some additional provisions or amendments or maybe even new Convention. I don't exclude that. But at the moment, I would like to urge everybody, and especially Government representatives here, to look into International law and Civil Societies to remind it to the Government, it's their obligation. And trust me, Civil Societies can be very, very powerful.

>> TATIANA TROPINA: Thank you very much.

>> GEORGE JOKHADZE: Can I go back to a bit of discussion of connecting between the regulations and trust. And I'm sort of worried how disconnected these two issues are.

Because when it comes to the law enforcement action in cyberspace, which is fighting cybercrime and the components of evidence, and the way we do it, from the Council of Europe perspective, there are intrinsic levels of trust towards the Government from the industry of how the data should be exchanged. One of the questions from the floor was what solutions can we offer there? There are some solutions that we are working on that are quite practical and down-to-earth. In three of the countries that we work with, based on partnership, they have concluded special cooperation agreements between the industry and Government which regulate how the data is going to be exchanged. On top of all of the legal regulations, how practically they are going to exchange the data in the criminal investigations and what guarantees and what technical and administrative details are there. And this is something that can be followed.

So the trust and regulation sometimes go hand in hand. Sometimes you have to regulate by the most obvious thing that is lying before your eye, agree on it, and put it on paper.

>> TATIANA TROPINA: Thank you.

I'd like to hand it over to Vladi if he has any intervention or summary or thoughts of what we heard and what we see on the screen from the to-do notes.

>> VLADIMIR RADUNOVIC: Sally was worried that she wouldn't be able to follow the incoming stream of comments. But that's basically my role, and to look at that and the Twitter feed.

But just a quick summary of some of the many interesting notes. There are many interesting notes. One was: Security by design should be done by the industry and enforced by the Government.

The rights based approach to cybersecurity is a must towards digitally empowered citizens.

Technology proof and Regulation is needed, so we don't change it every year or two.

An interesting one is the role of the technical community is to set Internet standards, and then my sub question is how do we make sure that the standards are implemented?

Capacity building among Governments was mentioned.

There was an interesting tweet by ISOC, by the way. I don't know, Sally, I guess you didn't do that. It's quite a good thing, quite a good note. We need to be careful not to turn to Regulation as the default setting for cybersecurity.

And then an interesting one, users shouldn't become cyber experts when buying a fridge. So the Government should had a law when it comes to regulation.

And then one last would be, out of the chosen ones would be, users never will demand safety. So let's face it. So let's face it that we cannot do it that way.

I wanted to turn to Kaja with two small questions reflecting, one, on what Marina mentioned. It might take ages to get any sort of a treaty. And then, of course, Microsoft came with a very interesting proposal on the digital Geneva Convention. To what extent can we expect this is a doable or just simply a nice wish list?

And then the second one is within the package that Microsoft came up with on the norms and proposals for Governments, there is a package of proposals for industry. Which also outlines several good steps that industry should do in order to enhance cybersecurity.

My question would be: Is that enough? Is there a need? We saw one of the comments sort of inviting for regulation which would put on liability for nonsecurity problems by the industry. Should we go that far? Or is it enough, what you suggested, that industry should do in the sense of building, let's say, security by design into the things? Is it possible in the sense of software coverage that is very complex? I leave it at that.

Maybe Kaja you wish to --

>> TATIANA TROPINA: Can I add something to these? What was interesting about the question and about Microsoft's initiative, I know that the six norms came up two years ago in The Hague. I remember them. And then for me it was a big surprise when Microsoft came up again with something like a bit fine tuned, but then rebranded into the Geneva Convention. And Marina also told it will take ages and ages. So I understood why it took two years maybe to rebrand, to fine tune, and to come up with these again. But maybe you can briefly, briefly tell us what happened in those two years to the six norms?

>> KAJA CIGLIC: Sure.

I think -- lots of questions. I'll try to answer them all. But I think those are two -- in my head, these are two slightly different subjects. I think we talked about, when we were talking about IoT and security, baseline, security baselines or protecting critical infrastructures, they tend to be domestic regulations or laws. So the focus tends to be Governments passes a law because they want to protect their infrastructure. And liability provisions, which I'm assuming will eventually be introduced, will similarly be domestic. While we think it's good that Governments cooperate and it's sort of exchange of information and best practices, utilizing International standards, it's not necessarily the same thing as sort of getting a Convention done. So I think I just wanted to clarify that.

I think in terms of the International cybersecurity norms, but also we were talking about the treaty, I think -- we support the Budapest Convention, we don't want to it do go away, more people should sign up. But I think Microsoft has been active on the International Cybersecurity Norm for about five years now. I think we put out so far maybe three or four papers. And you're right, I think the recent -- the announcement we made in February and sort of a couple of times since is largely a rebranding exercise. And I think the substance of what we put forward, the proposals that we put forward, the very clear focus not on content regulation at all, but on specific sets of -- or limiting specific sets of Government behaviors. Things like maybe don't attack critical infrastructures, Maybe don't attack CERTS, don't put in back doors have been there for the past three years and have not really changed.

What changed was kind of like the external environment. I think there has been a lot of, particularly in the United States, the attention on Government roles in cyberspace has been immense. And so it's -- we sort of try -- and also at the same time we found that the movements in coming to agreement, part of the reason is because of sort of the challenges to come to an agreement, it has been very slow. And we expect it to continue to be slow. So the rebrand was more about putting attention on it, driving more discussion, and trying to move it forward, both from Government and private Sector perspectives.

The substance really hasn't changed, but we got a lot more attention on it. It's true.

>> TATIANA TROPINA: The UN Convention on Cyberspace sounds much better than --

>> KAJA CIGLIC: Exactly. It does. And if you think about it, and those of you who were here at CyberCon last week must have heard about it, we really think about it in three pillars, as Vladimir said. One is a Government pillar, where we put I think it's -- maybe eight now. But proposed eight norms for countries to discuss in terms of what could be in the long-term, very long-term, I agree, hopefully not 50 years, but like probably ten, the basis of the treaty.

Then we have a clear focus on -- and we have reached a clear focus on technology providers around the world. And we sort of have begun reaching out to our partners in the industry, not just in America, but in Russia and China and India and Europe, because we feel that this is critical that this is not just a U.S. industry focused effort. That looks at what could industry agree on in terms of what they won't do.

The industry norms kind of map to the Government norms. So if there is a Government norm that says don't put back doors, the industry norm is don't take back doors. Think about it in that space. And we sort of are starting to pull this coalition together and also starting to think about the assurance around it. How do you make sure that the people who sign up to this really are behaving in accordance to what they signed up to?

And the third pillar, connected to their assurance, is this concept of potentially introducing an independent attribution organisation that would basically be separate from Government, separate for industry, but have technical experts and would be able to, if a Government or a private Sector entity would walk up to on it and be like: Can you investigate where this comes from? actually start collecting the data that sort of, basically a database more or less of data, that would help them identify attacks and improve retribution of cyberattacks.

I think the reason that we say -- why we we feel that there is a need for an independent group is we have heard both from Governments, particularly smaller ones, where they are like -- well, we are attacked, but we don't want to say it publicly. And I think all of the big players at the moment are, if you get hacked by a member state by Microsoft -- sort of a I think Microsoft or Yahoo! or Facebook, you'll get an email that says you've been hacked by a nation state, but we don't say which one. Part of the reason for it is because they are often our customers. So having an independent body that sort of deflects that heat I think would be something that would be useful.

>> TATIANA TROPINA: Thank you.

Before I turn it to Marina, if anyone wants to respond--

>> MARINA KALJURAND: I put up my two fingers to say I didn't want to sound super pessimistic, I don't agree to the full of what Microsoft is proposing, new Convention, new International organisation. But I'd like to recognize to having the discussion, to proposing norms, that is something that I would also like to encourage other industries and other private companies to do. That's extremely useful, and thank you for doing that.

>> TATIANA TROPINA: Marina, and how it correlates with the idea of Governments taking leading roles? Would it be just taking a role in a different area or industry coming up with a proposal Governments support and take an immediate role and agreeing to these?

>> KAJA CIGLIC: There was no difference who was at the birth of the norm. Whether it's a Government expert, some smart lawyer from academia, or from the private Sector, I don't think it's crucial. The crutial is that the norms are discussed, they're being discussed, and now please stay tuned. Google, cyberstability, the dot org, it is the new multistakeholder format organisation, and I'm happy to see Wolfgang, our commissioner, here in the first row, that's the discussion that we're going to take on. So not only Government is discussing in one corner, industry in another corner, what we bring is all multistakeholders into the same room and discuss exactly the same issues.

>> TATIANA TROPINA: Thank you very much.

Sally, would you like to follow up? Because I'll start taking interventions from you if you have any. So were there any hands raised? Because I see the microphone going there. Yes, please.

>> AUDIENCE: Nigel Hickson, ICANN.

Just one point on the regulation point of view. Two points actually. First of all, I think there are lots of different types of regulation that we're talking about here and lots of different types of sort of policy intervention. And if we take the Teresa May statement that she made after the terrorist atrocities in London, I think there are two areas her.

First of all, it's the content area, which is not inconsistent with what the UK and other Governments are saying in terms of the responsibility of actors like Facebook or Google or whatever, to enhance their monitoring of content. And that's an issue of itself. But that's one aspect.

But the more intervention aspect was the fact that she talked about regulating Internet governance, and that I think is something which I would like the panel's input on.

Because although -- while we're talking about the different forms of regulation, and product, and et cetera, and the very interesting Microsoft intervention in terms of a Geneva forum, of course we also have proposals that are being discussed at the UN level, which are all about enhanced cooperation. And actually giving the UN a role in Internet governance. Giving them a role in some of the numbering and someof the naming aspects. And there are countries that proposed this at the UN and those discussions at the UN are going on on this. And we resume discussions in September on this, and the proposals that we put to the UN General Assembly sometime next year. So this is not abstract at all. And Governments are involved in this, in the same way that Governments are involved in other discussions.

So I think Governments have a responsibility here as well to be like consistent and also to involve the right players in the right discussions.

Thank you.

>> TATIANA TROPINA: Thank you very much, Nigel, for bringing these issues and putting it more into the context of the Internet governance.

Anymore interventions, please?

>> AUDIENCE: (?) I would say that when we are talking about shared responsibility, then we also should talk about the shared opportunity for different stakeholders to come in and to work on the norms. Because I'm an International lawyer, and I know how long it takes to come up with some particular document. But when we talk about International law, it's only about Governments to come and impose the rules on the other stakeholders. But in the Internet, we also should give the opportunities for the others to be heard and to make their voices to be heard. So maybe it's not only the International law, which is the proper instrument to regulate the cybersecurity, and I would agree with Nigel who mentions that it's happening on different levels. So yes, it's truly the right. We also should take into consideration the self regulation, the self law, and that it should all be happening at the same time. Because International law is not the only way and maybe not the best way to regulate this.

>> TATIANA TROPINA: Thank you very much.

Sally, would you like to follow?

>> SALLY WENTWORTH: I think that was a very excellent comment. I didn't catch your name, but thank you for that.

And jumping off of something that Nigel said, I think, and when we're in this room and we have been having the conversation about the role of Government, it's been largely in the context of talking about how to protect consumers, how to do right by our citizens, how to respond and do the things that protect critical infrastructure.

Many of us, however, sit in other intergovernmental discussions where the role of Government is not focused on those things, but is really focused on control. It's focused on whether explicit or implicitly a desire to achieve a particular political outcome with respect to regulation.

And I think we have to be really clear, when you look around the world and you see the emergence or the rise of shut downs happening before elections in the name of security, when we see revelations about surveillance, online surveillance in the name of security, I think there is a very real set of questions that end-users have when Governments say they are going to lead when it comes to security.

So in that light I think I would join Marina in congratulating Microsoft for really teeing up the issues and many of the really important issues that go into a broad security discussion.

The one thing that I think needs to be a part of that Convention or at least the principles surrounding that Convention is an explicit role of Civil Society in this conversation. Because, I think to the point that somebody made earlier, the role of Civil Society and the security discussion is to keep Governments honest and committed to the core values of human rights, free expression and the rest. Any discussion about security can quickly go down this role of control and shutting things down rather than opening things up.

So I'd put that marker down particularly if you're getting into an environment when you're talking about treaties and InterGovernmental Discussions. The more openness and sunlight and transparency and the more inclusion, I think the better the results that you'll get for everybody.

>> TATIANA TROPINA: Thank you very much.

Are there further comments? You have two or three minutes to make your intervention before we start wrapping up.

Please.

>> AUDIENCE: Hi. My name is Dennis Heyden (?) And I represent Young (inaudible) of Europe Organization.

And my point is I want to come back to the Internet of Things connected toaster that we were speaking of before. Because this toaster is obviously built by someone, and both the hardware and software are created by people. And people make mistakes. And so the first thing is that there always will be holes in that. And the Governments should agree on there being a big no-no that there are holes in there and trying to put their own holes in there. So that's the first step we have to agree on.

The second step is: How do we find out before someone uses that hole that we fix this hole? There we are clueless right now. There are no good solutions in this room I have heard of so far. One solution might be open sourcing, because if more people have the chance to look at that code, then we have a better chance of figuring out something -- some solution for the problem before actually some exploit gets set into place.

The third thing is how do we patch after something has happened? There I think regulation might be a very good idea. Because if we force the vendor to quickly fix it after something has occurred, that is the only way how -- like there will be a sustainable solution for it, for like this particular piece of software. And I think we are very, very far away from these three points that are the actual underlying problem, when we talk about some forms of International regulation that try to enable the industry to come up with something. But what is it actually that the industry is coming up with?

>> TATIANA TROPINA: Thank you very much. (Applause)

Are there anymore interventions before I hand it over to Vladi for wrapping up? Because we don't have that much time left.

Anyone? Vladi, over to you.

>> VLADIMIR RADUNOVIC: Thank you. An amazing discussion. I think you can ask the organizers if we can get another hour and a half to continue.

>> TATIANA TROPINA: I'd like to go through to-do notes. They are very nice and interesting.

>> VLADIMIR RADUNOVIC: There were a couple of new one, which were quite interesting. One is that the International organisations, should take their members accountable for implementing rules.

That sometimes the Governments can provide a safe environment when working with International industry, because of jurisdiction problems, lack of cooperation with industry, and so on. I assume that George would have also something to comment on that.

And also that a couple of instances, that the Government should also protect privacy.

And, finally, that too many regulations can impact freedoms and Freedom of Expression. There were many others, but I think we can stop there.

Since we are running out of time, what I wanted -- and we still have my friend Latimer to do the reporting, I wanted to pass the floor to the panelists with maybe one last final comment in the form of a tweet, if you can. So try to be 140 characters. It's allowed if you go to 200. What is your takeaway message that you simply want to wrap up this whole discussion today and share with the audience? Maybe someone who is tweeting can tweet your thoughts. And retweeting is not allowed, so you have to have your own tweet.

And I'll open another blank page for the audience. Of course, those who are tweeting, please tweet. The others can use the same thing, code 397208, to share your take away messages.

Sally, what is your take away tweet?

>> SALLY WENTWORTH: People in ISOC will know that I'm a terrible tweeter. I would say there is no silver bullet to security. This is a complex challenge that requires a collaborative security approach.

>> My tweet would be: Happy to see so many women discussing cybersecurity. Doesn't happen often.

(Applause)

>> TATIANA TROPINA: It wasn't intentional. It was when we composed the panel, unfortunately for me Marietje couldn't join us, but for us -- for me the gender balance was kind of striking. It wasn't done intentionally, but we came up with a very gender balanced panel.

>> GEORGE JOKHADZE: My takeaway would be -- unfortunately, the lady who did this intervention left -- but more opportunities and more input to the development of regulations by different stakeholders. That would we do it, but sometimes we don't realise it, and it's better to make a good practice.

>> KAJA CIGLIC: Mine would be to keep these kinds of discussions going. I think these are critical for security to improve and critical also not to forget the lessons of the past and to exchange lessons from different communities and different stakeholders around the world.

>> TATIANA TROPINA: Thank you very much. Before I will invite Vladimer Svanadze, who is the focal point of this panel and one of the team of the -- maybe the next host, thank you very much for all of your input.

I would like to thank the panel. Navigating this discussion between security, content, regulation and the national convention is not easy. It's confusing, but you did an amazing job.

Vladimer, over to you.

>> VLADIMER SVANADZE: Thank you, Tatiana. Thank you, speakers.

I will be reviewing briefly, and I'll try to summarize your interesting panel. It will be very difficult because we have very good speakers.

The first point is cybersecurity is part of the International security, which depends on the national security. And the role of Government is increasing; the technical community, also.

Also, second is implementation of International conducts, and that's very important, also.

Third is International cooperation between some agencies, some state agencies and some agencies is very important, also.

Role of education and the Council message is very important for cybercrime.

And cooperation between all stakeholders, Government, industry, technical community, is important.

And the field of regulations, the focus should be on the complexity of the interactions between industry and the different types of consumers.

And last is human rights and security in cyberspace. It's very important to discuss. Because it's -- regulation is also part of the Convention.

And the trust from end users for law enforcement and agency is very important. And I can say about our Georgian example in all of this.

Okay. Thank you.

>> TATIANA TROPINA: Thank you very much. I would share my tweet, which I will take from, unfortunately, I think she left, Olga from Ukraine. Shared responsibilities and shared opportunities. This would be my tweet.

And before I hand it over to Gert, Vladi, maybe you want to share your tweet or things, whichever you want to share.

>> VLADIMIR RADUNOVIC: Well, I notice that you can see one of the graphic messages over there, I really like it. All the stages of crying and being nervous and happy at the end.

I'll maybe just get back to what one of the participants mentioned, which was that the process itself, discussing the norms and regulations, should be more open to stakeholders. And I think that is important and might be my underlying message.

Just to thank you. It's always a pleasure jazzing on cybersecurity with you.

Thank you to the great panelists and audience and definitely to the remote participation team. Arvin and others who helped breaking through the remote participation and taking it to yet another level. And maybe next year we will do the other kind of experience as well. We will see what comes next.

Thank you for being with us today.

>> TATIANA TROPINA: Thank you very much.

(Applause)

>> GERT AUVAART: This has been thought provoking, indeed. And as a small token of our appreciation, some Estonian chocolate to the panelists to take away. I've been giving away these white bags all morning without saying what's in there. But it's Estonian chocolate. And for you as well, Tatiana. Thanks for moderating. Thank you.

>> TATIANA TROPINA: Thank you very much. This session is adjourned.

>> GERT AUVAART: Thank you.

And talking about chocolate and food in general, lunch is waiting for you. We tried together with the Chef of Swissotel to create Estonian oriented cuisine. It will be served in the lobby area plus also on the 8th floor restaurant. The food will be the same in the two places. You just choose where you want to enjoy it

And we will see you back here at 2:30. And the room will be divided into three for the Working groups, plus the smaller rooms on the other end.

Thank you very much.


This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.