Security as a multistakeholder model – WS 06 2013
21 June 2013 | 11:30-13:00
- Sabine Dolderer, DENIC
- Marco Hogewoning, RIPE NCC
- Richard Clayton, University of Cambridge
- Michael Rotert, eco
- Oliver J. Süme, EuroISPA
- Manuel Baros, Henning Lesch, eco
- Governments should act as facilitators, give incentives and encourage the dialogue between the stakeholders, the capacity building and education.
- Security should be a multistakeholder model and therefore a shared responsibility of all stakeholders.
Abstract: The Internet has increasingly become the key infrastructure and platform for social, political and economic activities. This implies a strong dependency on the basic infrastructure and on the services and applications that use the Internet. Therefore it is essential to maintain stability, reliability, security and trust in the Internet. The workshop covered different aspects of and approaches to cyber security.
Key Points: The panelists are strongly committed to security and constantly improve, enhance and foster the security level of their services, applying the most recent technical security standards (e.g. availability and accessibility of services, resilience, data security). The participants of the workshop agreed and concluded that security is a shared responsibility. Therefore the key to improving security is working together with all relevant stakeholders. An essential aspect is transparency and the exchange of information about security threats. Participants identified that the main challenge in improving overall security is to involve all stakeholders, on all levels and across different sectors (IT hardware manufacturers and the banking sector, for example, were mentioned).
The dialogue with the audience identified key questions:
- What is security (especially cyber security)? A cross-border definition and common understanding of "cyber security" is necessary. Because all operate globally on a global infrastructure, close collaboration and cooperation is necessary to raise the overall security level.
- What does multistakeholderism mean in this context? A complex question; in brief: cooperation, transparency, information sharing, engagement and collective learning.
- How much security do we need? There should be a balanced approach, and interference with other aspects or fundamental rights (e.g. human rights) needs to be examined.
Summary: It is essential to have a common definition and common understanding of "internet / cyber security" and multistakeholderism on a European and likewise an international level. There was consensus that a bottom-up approach is target-oriented and preferable, because a top-down approach from governments / regulators will, without much doubt, not work. In addition, self-regulation is a good and efficient way to improve the overall security level. Regarding the role of governments: governments should act as facilitators, give incentives and encourage the dialogue between the stakeholders, capacity building and education. Disproportionate governmental intervention and regulation could have a negative impact, leading to less technological innovation and less cooperation. There was consensus that law and regulation are not the solution: regulation and legal frameworks lead to control, monitoring and enforcement of compliance with the legal framework, and in the end to more and more regulation. This will not improve the overall security level. What leads towards the common aim is "smart regulation".
Conclusion: The participants of the Workshop agreed without doubt that security has to be a Multistakeholder model and that there is a shared responsibility of all stakeholders (Industry, Users, Academia, Civil Society, law-makers, Regulators and Governments) in order to improve overall security level.
Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: +001-719-481-9835, www.captionfirst.com
This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.
>> OLIVER SUME: Good morning, everyone. Good morning, ladies and gentlemen. We would like to start the workshop. Thanks for being here. My name is Oliver Sume. I am the vice-president of the European Internet Service Provider Association, EuroISPA. We are representing more than 1,800 ISPs all over Europe and I am very happy to have the pleasure to moderate this workshop here today. We are dealing with two issues which are very broad and I am sure that if we would only focus on one of them we would be able to talk and discuss with you in the next 90 minutes. The first issue we are addressing today is security and it is very broad. And in addition to that we will try to ask the question which role a multistakeholder model has for security. And I think there will be a lot of questions on that and hopefully we can answer together with you some of them.
As in all the other workshops this is not a Plenary session in terms of having speeches or interventions by the panelists. We want to get involved with you and exchange with the audience at a most early stage. Feel free at any time during this session to raise your hand if you would like to contribute to this discussion here, or if you have any amendments, please feel free to do so. And with regard to the panel, first of all, I have to say that unfortunately Richard Clayton who you will find on the list had to resign his attendance because of organizational reasons. But I am very happy that Tatiana Tropina was able to jump in and that by the way also leads to a gender balanced panel. So we are very proud of that. Thanks, Tatiana, for helping us. We have Marco. And we have Sabine Dolderer, CEO of the German .DE. And Michael Rotert, who is also running a mobile WiFi provider. That is also interesting in terms of security maybe.
The first thing that we would try to work out when we are talking about security, what are we talking about? What is the definition? Are we able together with you to find a definition for this very broad, broad word? And I would like first to ask the panelists what security means for their business that they are running or from that perspective. And where they see the security that they are focusing on. In a broader sense is this – where is the place of your personal, of your business security in the cloud of cybersecurity. I would like to start with Sabine. You are running the registry for the CC Top-Level Domain .DE. And you are running infrastructure. And I guess that security is a very serious matter for your infrastructure. And I think it would be interesting to hear what your business perspective and your infrastructure perspective on security is and where you see your part of security in the cloud of the cyberspace.
>> SABINE DOLDERER: Thank you very much. I think your question is, first of all, it is very difficult and it is very easy. Because it is very easy because if you talk about what does it mean for our businesses, it relates very much to the classical definition of IT security. The classical definition of IT security for running a registry is really focused on what is IT security about. IT security is about – is actually to ensure the availability of our service, is to ensure the authentication of our data and that the data we are providing is authoritative. It is really the core business to secure the data for all the .DE space and to provide the service as a whole for the .DE and for the global Internet community who are interested in the accessibility of the .DE. It is all – it is a hierarchical system and there are a lot of operators involved. We are relying on the service from the root operators and the end customer who want to access the .DE domains is relying on the names of the provider of the second level. And then it starts to get complex. Because, first of all, yes, of course, we are only operating a small piece and we have to do that to the highest security standard thinkable within the IT business. So what is actually – so what we are doing from a business perspective really looks at security standards, IT security standards, ISO 27001 to secure what our piece is about but on the other hand we are –
>> OLIVER SUME: Who is it?
>> SABINE DOLDERER: – we are part of an overall picture. We are part of an overall picture where the root operators are involved. Second names operators are involved. Registrars are involved and, of course, ISPs are involved providing access to the Internet and actually using the DNS to make the accessible readable. And there the complex piece starts and in that respect we all have to work together to raise the level of security we all want to have on the Internet.
>> OLIVER SUME: That’s already the first cause for a multistakeholder approach, saying we all have to work together. And another interesting question you were mentioning IT standards would also be – who is developing these standards? Who is responsible for that? What approaches do we have to get to a certain level of IT standards and come in to a situation where everyone complies with these standards. Before we do so, Marco, you are responsible for security on a network level at RIPE. So what is your security perspective at RIPE? And where do you see RIPE and security aspects that are touching RIPE in the cybersecurity cloud?
>> MARCO HOGEWONING: Again, the RIPE NCC is an IP registry and, of course, we have got our corporate IT security. We share on a large chunk of data. We are one of those root servers and general practice to keep IT security to the highest standard because we want to protect our infrastructure and data and have to ensure that those systems will be running and our systems are secure.
To the larger cybersecurity thing, we stand a bit on the side. We don’t operate a network. We don’t own – well, apart from our own corporate IT we don’t own a network. We don’t ship packets around. And as an IP registry all we do is provide the authentication mechanisms. They can identify who they are talking to and we contribute to the IP security in general. And the same goes with routing, whether the Internet registry or RPKI, we provide people means to authenticate or identify network users. And so that’s our role.
The second role we have as a RIPE NCC we provide a platform for the technical community to come together and exchange ideas. And that’s another role we take in IT security to bring technical community operators and other stakeholders together to discuss these issues and work on best current practices and identify the areas where things might need improvement.
>> OLIVER SUME: That sounds like another multistakeholder approach if I understand it if you exchange with clients, with other people from – that are relating to your business and to your technique.
>> MARCO HOGEWONING: Yeah, we are one of those multistakeholders where people can come together.
>> OLIVER SUME: From the ISP perspective the eco Association has about 400 ISPs as members. In addition to that you are running a WiFi provider. What is the ISP perspective on security, which are the most important security aspects? And where do you see these things related to other security aspects in the cyberspace?
>> MICHAEL ROTERT: If you say ISP, what kind of ISP? Access ISPs may have different connections – may have different ideas about security than hosting providers and so on and so forth. I don’t want to go in to detail in this issue. The main thing is that especially ISPs are facing two sides of the coin already which is one side against protecting themselves and their customers against the Internet with security. So it is absolutely necessary to work together with other stakeholders. For instance, like DENIC or the RIPE NCC to ensure the network security on this side. And on the other side the security goes to the customer. And this is an issue where the customers are running PCs which are not protected and making the ISP vulnerable if the ISP doesn’t have enough security.
There are projects in this area in order to educate customers by the various ISPs. So the ISP industry tries to protect themselves by educating their customers on one side. On the other side was always a wish of mine to have from the operating system manufacturers more security by default which means when they send you a version, a new version or a new operating system that the security level is in the various products is on the absolute maximum. And the customer has to get knowledge on how to lower the security. At the moment most of the operating system manufacturers deliver with a low level security. And if you want to have more security as an end customer, you have to educate yourself. You have to get training yourself.
This is one thing which I think would improve the overall security of the Networks and would help the ISPs in particular. But as another point I would like to raise, the ISP industry also provides the so-called computer emergency response teams, an infrastructure worldwide where they pass on security incidents which others might not be aware of at the moment and also to fight as a community against this. My question to the audience now would be and this is just following the EuroDIG to involve the audience as early as possible, do we need additional national cybersecurity centers provided by governments? Most probably with additional goals. I mean if a minister of the interior runs a cybersecurity center, they have more in mind as just protecting citizens for against the arts of the network. Do we really need these when the ISP industry, when part of the self-regulation is already providing technical CERTs?
>> OLIVER SUME: Are there any representatives of Governmental bodies in the room? Even not people in the room have a say on that? Nobody?
>> MICHAEL ROTERT: No.
>> OLIVER SUME: All right. Can we have a microphone, please?
>> That was a surprise for the operators to get ready the mics.
>> OLIVER SUME: Please be so kind and introduce yourself so that the audience and the remote participants know who is talking.
>> My name is Manuvo. I am the security operations director of AnaCom. The issue – I would like to answer your question and also to ask a question. So I will begin with my question and then I will answer. Everyone seems to be in total agreement with the model of multistakeholder approach to security. I would like to defy you on what we think our challenges are, the difficulties this model brings. Is it just a rose garden or something might happen here. Answering your question, the issue of a national CERT comes upon the coordination between national authorities and having single points of contact between the authorities at the Government side. And therefore to be able to articulate or to coordinate easier than just having a number of too many people listening without a flow of information that is properly known in advance and it is better articulated. So it is a question of coordination on the information flow. There is also another argument that calls for a national CERT, is in case of a need of contingency that escalates beyond the – what markets should provide. Then the argument goes following that – in that case there is a need for a given CERT assumed the coordination on a given plan.
So these two issues are brought about when, for example, at proposal of the cybersecurity strategy and the proposed directive, the issue of a national CERT. If we follow this argument, then we should address how a multistakeholder model would provide the information flow, coordination necessary as good or better than the other model and how the escalation issue is held.
>> OLIVER SUME: So clearly in favor of a national CERT from your perspective. There was another hand raised over there. If you could pass the microphone please and if you would also be so kind to introduce yourself.
>> Thanks. Hello. I’m Adrian Coster from the Swiss Government and I work in cybersecurity. We have a GovCERT in the technical competence center for Government. It is aimed at actually that Governments can talk to each other, that they have a contact point. If that’s useful or not, I believe it is to have this from Government side. If you – of course, everyone who runs a network should have also a CERT. And we from Government will not come in to your network and fix your network when it is broken. But if you need assistance, we might be able to provide some technical expertise or some contacts that you not already have. Not every CERT is part of FIRST, the Forum of Incident Response and Security Teams, which is global. We totally support the private industry if they have CERTs or we encourage them to have CERTs and to be reachable by others, but it might happen that in another country some network operator is not responsive or not really – doesn’t yet – doesn’t respond to your inquiries, then it is good to actually have a contact on a Government level so then the Government can go because it is in their jurisdiction and then the Government can go and tell this network operator to get his or her things in order.
>> OLIVER SUME: Okay. Very interesting. Are you in exchange with national CERTs of other Governments and other European countries? Is there a platform?
>> Yes, we are on one hand on the European level and on the other hand, we are also part of FIRST, which is the global one and is also – I mean there is – basically it was built up by private CERTs but now Government CERTs are getting more and more involved also with the FIRST community.
>> OLIVER SUME: Thank you very much. Michael. Excuse me.
>> Good morning. My name is Lynn. I am a lawyer. So perhaps you will excuse me because I probably will speak in some technical with less technical default. But I think that perhaps in this area we will have to first define what can Governments do and what can ISPs and companies do because Governments work by law and perhaps security can be better resolved by code, by software and by technical solutions. And the Governments are useless in that area. So perhaps some things can be done by a technical solution and the Governments are not needed. And other things Governments perhaps are needed. And perhaps first determine which competents should be contributed to each participant and perhaps that’s what a multistakeholder is all about.
>> OLIVER SUME: Thank you very much. But there are – currently we are aware of several legislative approaches regarding cybersecurity, regarding IT security. You will all be aware of the cybersecurity strategy of the European Commission that has been launched in February of this year and the Commission is working on a directive that aims to have a certain level of network information security in the European Member States. In addition to that maybe you are aware of several national approaches. There is an approach in Germany for an IT security law and a similar approach in France and a similar approach in Finland. And there are CERTs. And we heard about at least ideas of multistakeholderism and security. And Tatiana, you are dealing with all of these issues from a policy perspective and I would like to ask you for your view on that.
>> TATIANA TROPINA: Thank you very much. Actually what I am going to say corresponds quite nicely with the last intervention from the floor about the role of the Government in all of these processes and the industry from the policy perspective. So first of all, how I see cybersecurity. For me, for someone who is a lawyer and working on the policy shaping level, it is a collection of tools, policy frameworks, regulatory frameworks, legal frameworks which are aimed to analyze cybersecurity threats, to prevent, to disrupt early, to detect cybercrime and, of course, to investigate, but it is related more to the law enforcement than to cybersecurity. This is the final point when cybersecurity fails and we have to do something. But if we are talking about different dimensions of cybersecurity for me it is, first of all, the crime reduction level. So if we imagine cybersecurity as a pyramid, as a triangle, on the very bottom of it I see a crime reduction level. That’s where we have got the largest number of stakeholders involved. Because we have got security on the personal level and we have got law enforcement agencies and ISPs and we have got Civil Society, and a lot of organisations operate in this area, in this ecosystem of crime reduction and crime prevention and crime control level. If we go a bit higher in this pyramid, the second level is network resilience and here we have fewer stakeholders because some of the stakeholders from the bottom are excluded. And if we go higher, the last concerns which were raised on the Governmental level especially recently is Governments attacking Governments, I call it the level of national security. And here we have got the smallest number of stakeholders because of different things. Because of security clearances, because of the – on this level industries are not that keen to, industry players are not that keen to share information with each other, depending on the sector.
So when I talk about multistakeholder environment and safe environment in cybersecurity I always define the level of this protection of the operating level. And I think that dependent on this level, dependent on this concern, crime reduction and prevention, and network clearance and national security and we have different levels of involvement.
>> OLIVER SUME: Platforms that you mentioned are coming together and developing standards –
>> TATIANA TROPINA: For example, on this lower level I can mention different organisations like International Council of Europe, different think tanks. If we go to network resilience level it is European cybersecurity. It is still not defined and there is a big debate. Some countries are trying to link this issue to cybercrime. If you go to UDC level, you will see a big debate. Shall we go to the crime level or go to national security level and some platforms like, for example, garner cybersecurity Forum. They got this diplomatic level of discussion and some Governments link the issue to national security and we need to discuss collective security approaches, but if you go to any platform now, for example, including ITU you will see again the issue of cybersecurity brought up by some Governments in terms of Internet regulation. So for me it is a cross-sectoral issue which touches everyone who is dealing with the Internet.
>> OLIVER SUME: Okay. Thanks for that. Are there any questions by remote participants now? Hopefully not. So again I would like to open the floor for the audience. Are there questions? Over there. Do we have a microphone in the last row please?
>> Hello. My name is Jan. I am a lawyer from Portugal. And about the topic you have already spoken about, I wanted to question the panelists as do you think it is legitimate for a country to defend itself from another country in terms of cybersecurity by attacking it? And another level, another level do you think that – it is not mine.
>> It was the Moderator.
>> It is the Moderator.
>> And another level do you think that it is legitimate for companies to defend themselves from hackers and maybe from other countries, especially in the industry espionage by attacking the hackers with several resources? I would like to know the opinion of the panelists on this topic.
>> OLIVER SUME: That’s a very interesting question. Tatiana.
>> TATIANA TROPINA: If we are talking about criminal law and defense and prosecution, we need to attribute these attacks, but on this high level of national security it is really hard to attribute. For example, when Governments are attacking Governments or when economic security like big player security is threatened, it is very hard to prove technically who is behind this attack and legally who is behind this attack. And sometimes, for example, you have got 1,000 indicators that it is Country A but ten indicators it is actually Country B that is attacking. This is a gray area. To regulate this you need a clear attribution. But if you cannot attribute technically or legally, you are entering the gray area of foreign policy level and that is cross-border. It is a question of humanitarian law of the international law, of the law of the international treaties and so on and it is a bit different from – I mean, of course, it is related to cybersecurity, but there is a clear line of what can be regulated and not regulated. Counterattack for me as a lawyer is what would be legitimate. Since we always happening around now it is really hard to attribute it goes to the policy level and it is totally a political decision what you are doing with this.
>> OLIVER SUME: Okay. Thank you. Mike.
>> MICHAEL ROTERT: Yeah, I mean it is an interesting question and it is currently addressed by the Council of Europe as far as I know and it runs under the title cross – you can put it under the title cross-border Internet. And the problem I can see there is that if a Government does this, this goes in to the area of Human Rights infringements or can go in to the area of Human Rights infringements. If you fight on the network and hinder the other one with – on the citizens finally to access the Internet because you – you fight against them and by accident cutting off all lines, whatsoever. I would say if you need more you should go on the Web page or talk to people who are on this conference from the Council of Europe on this issue. You will – you might get a better answer than from the technicians. Technically it is not a problem.
>> OLIVER SUME: Thank you. I think that Marco has a view on that as well.
>> MARCO HOGEWONING: Yeah. We need to keep in mind that cybersecurity or IT security is a joint responsibility. It is really easy to look up to Government and ask for legislation or ask for regulation. But the same it is good to have a law that says you can’t break in to a house. At the same time you are still supposed to have locks on your door and you are actually supposed to lock your door when you leave it. And it is the same with IT security and we have to also and Adrian gave a good example of that for public sector, for Governments it is focused on capacity building. Explain to people what they can do in making the world safer and making it secure. Because yes, one country can attack another country. But at some point it is also the operators of that infrastructure that can take their measures and indicate whether that attack is easier. Sooner or later you are going to take it offline. There is a lot that can be done on the operational level, and that’s where we need to work together and with CERTs and with FIRST and Governments also learn from each other on best current practices in making the infrastructure more robust and educating people on what can be done at their level to make this a better place instead of immediately running for legislation.
>> OLIVER SUME: Working together on that level with each other, the first step means we have to exchange information about attacks, about things that happen. And Tatiana already mentioned that seems to be a gray area sometimes because we maybe don’t have all the information we need. We all know that companies are not very much in favor about telling everyone about the number of cyber attacks they had suffered. What can we do to get this information and to share them?
>> TATIANA TROPINA: It is interesting because I cannot really say what we can do. I can clearly say what we shall not do.
>> OLIVER SUME: Okay.
>> TATIANA TROPINA: So I believe that – I mean well, I would like to start with one remark. It really depends on the industry. If you take high technology companies, like, for example, Microsoft, Google and so on they do share information. If you go to the financial industry, banking industry you will see a different picture concerning information sharing. So it really depends on the sector which is operating in this field of cybersecurity. What we shall not do, I believe, we shall not put regulation in place which obliges operators of Networks to share information. I believe this will not work. There should be incentives maybe by Governments, maybe promoting this collective security, maybe encouraging industry to join, for example, national security programmes and make it easier for the industry to participate without all these complicated security clearances because it is not only the walls between the industries, the big wall between industry and Governments when there is no clear point to collaborate with national security.
I believe the first step would be incentives to collaborate would be clear dialogue before we implement any framework on this collaboration, any regulation in place. There should be clear dialogue, open dialogue between industry and Governments to encourage industry to share, to encourage industry to participate. To remove the wall between the sectors and so on.
>> OLIVER SUME: So according to your view that would mean the European Commission is on the completely wrong way with other things they are setting up now in the directive because the draft directive is exactly doing what you mention, saying in companies that are part of critical infrastructures have to report attacks and they have to keep a certain level of IT security and they should be obligated to impose technical measures on their system, things like that because it is in the law. And your view is that one word.
>> TATIANA TROPINA: I will say it will work partially in promoting cybersecurity. It will probably increase the level of reporting attacks, but I believe that any regulation which you – strict regulation that you impose on the industry will cause counteraction. Because we can see some heavily regulated industries like the banking industry and so on. Sometimes they are not keen to collaborate with the Governments. The only response they get is more regulation, more regulation and we can see how it goes with the IT infrastructure and critical infrastructure. I believe it is a very important step.
Recently I was trying to analyze the cases of alliances, cybersecurity and security between Governments and infrastructure operators and so on and lots of them really failed not only in cybersecurity but also in terms of national security. There were several projects, for example, in the U.S. in introducing some kind of intelligence services and so on. They all failed for different reasons. Security service was not willing to cooperate. So concerning your cybersecurity strategy yes, it is good that it is in place. It sets the goals clearly in trying to get industry involved but instead of more regulation we need smart regulation and we need incentives left to the Government.
>> OLIVER SUME: Smart. Sabine, you wanted to contribute to that.
>> SABINE DOLDERER: I want to contribute to the discussion because I think it leads a little bit in a wrong area because it looks like that we obviously all know what IT security is and we are only on track to find the best way to implement it. IT security is very much also, security very much depends on the point where you are standing. So if you are traveling let’s say by car in one country, you might see the street being very insecure and in another country you will see a very secure infrastructure. There is no clear definition what is secure, what is insecure and what is a threat and what is not a threat. The Internet as we see it now is a common infrastructure and we all operate globally. That’s like the air is a similar global infrastructure, and I am sure if you are in one country where you have an enterprise which pollutes the air it is seen as a threat to the other country. Just beside – on the other side is just the way how we operate our business. So I think it is very important that we understand actually how we are operating and that we actually understand how different levels are and that we actually narrow our levels and that we raise the level of security together in a way and that needs close collaboration and close understanding what actually is the definition each one actually currently has and its respective market and respective environment and its respective infrastructure. I think if we talk from a – from the security definition per se, that’s not the case. That’s not there. I think that’s really what we have to keep in mind when we talk about Internet security or security as a whole.
>> OLIVER SUME: So you would say that there is – it is possible to have a clear definition of security. It depends on what is your part in the Internet and the security world or the cyberspace.
>> SABINE DOLDERER: I think that the cyberspace as a whole we have to understand that there are places where the definition is different than in other places. And that we have to acknowledge that. It is like we have the discussion in the panel before where we say we have legislation in different countries which are different. I think the definition of security is also different. The definition of excellence, operational excellence is different and we have to understand that we have to accommodate – we will not come to the one single definition, but we have to accommodate an Internet where it is possible to have those differences in a way balanced and to negotiate amongst each other our different needs and come up with a solution which fits both – all of us in a way. So compromises mostly.
>> OLIVER SUME: Michael.
>> MICHAEL ROTERT: Let me go back to the multistakeholderism on the security in this area. But this is where the various stakeholders should cooperate and this brings in many cases the – especially one of the stakeholders, the ISP industry in a peculiar situation because when you have – when you have applications which are end to end and have end to end encryption, the ISP or the Government can no longer or the ISP can no longer fulfill his obligations against the Governments on certain issues, on interception and these kinds of things. We have the case in Germany where we have secure e-mail provided by Government called De-Mail which does not allow end to end encryption for various reasons I guess.
And – but if the ISP wants to conform to Government, Governmental obligations, they cannot introduce encryption but encryption would give the end user also one of the stakeholders much more security on their data and on whatever they are doing on their system. So that’s – that is a question in my sense which is not solved yet.
>> OLIVER SUME: Okay. Speaking about the end user I am sure that there are end users, private persons in this room. Do you have a perspective on that? Do you feel that you are part of – part of the multistakeholder approach, for example, in terms of setting standards? Do you feel that you at your computer at home that you are a part of IT and Internet security? Please. Thank you.
>> I am from the University of Karlsruhe. And when I hear about the multistakeholder approach my question is are really all actors involved in decisions related to security measures? And, for example, I don’t know who represents NGOs at this panel, who represents Civil Society so to say. And when I look around in the room I see that a certain part of Civil Society, mainly those who are interested in Human Rights issues are not represented here. What I take from this we have a certain separation of communities. There is a community who is interested in security issues and another community which is interested in Human Rights issues and others.
And the challenge in my view is to bring them more together so that Human Rights people would be involved when it comes to security issues and security interested people would be involved when it comes to Human Rights issues, et cetera. And that is in my view not yet possible or not realised because there is a certain uneasiness of dealing with each other. But we all know that important decisions which are being taken on security measures have social consequences and therefore need also this input. You could maybe say there is an inception, certain outlines which are even operated on NGOs and which have, for example, where you can complain about certain contents of the Internet. And like in the UK you might have an NGO who decides about remains, what has been taken off. But this is specialized NGOs who are not really representing let’s say Civil Society in that respect. So for me the challenge is how to involve Civil Society in a broader way in to issues like the one being discussed here today. Thank you.
>> OLIVER SUME: Marco. Yeah. Thank you for that.
>> MARCO HOGEWONING: Nice lead-in to a point I was going to make and Tatiana gave the lead here and from a technical perspective there is things that security through obscurity is the best you can have. A lot of people are uncomfortable openly discussing security, openly discussing security measures. And a lot of these things are done in closed fora. And I think if we can open up and if we can use the open Forum to be more transparent in security and indeed allow other stakeholders to participate in those discussions and at least EuroDIG is an open Forum where we can have the discussion right here. But transparency is a vital ingredient to security, and from a technical perspective that turns out to be – if people can review your code I can check that it is secure and too often security people close up but they don’t want to share because they think it is a risk. And I personally believe that openness is a vital ingredient in making things more secure.
>> OLIVER SUME: Openness and transparency is a key issue in your view. On the other hand, talking about IT security, isn’t it always a matter of security? I don’t know. Where is the limit? Where is the border?
>> MARCO HOGEWONING: That is indeed always the tradeoff but history shows that a lot of times where openness is involved, people catch faults. People will make mistakes. And if you share and if you openly discuss security measures, you have got people who can think about it and point it out. I here take note.
>> OLIVER SUME: Okay. We start with the last row and then we come. Yeah.
>> Thank you very much. Good morning to you all. My name is Nona. I am a member of the Noncommercial Users Constituency. It is a constituency within the GNSO and a small one within ICANN. I welcome the – in fact, the issue of security is multi-disciplinary dimension. And I would like to point out that in my role as a member of the Noncommercial User Constituency the Civil Society has always been very active, at least within our group and within ICANN discussing and defending issues regarding Human Rights and security and not only security but all the problems related to Internet governance. I would like to point out our work which is being done mostly within our discussion lists which has been carried out to ICANN and to other fora by our representatives. And I would like to invite all the members that can apply to join the Noncommercial User Constituency and to enrich our discussions.
>> OLIVER SUME: Thank you. Another raised arm in the second row.
>> Hi. I am Tim. I’ve worked on security for 15 years. I am a security advisor and I used to represent a big vendor, especially here in Portugal. And you are talking about transparency. You are talking about security but security is basically nowadays managing risks and yet talking about transparency. Here from what I watch because I was involved a lot in projects in finance, whatever and so on, people don’t want to share and even when they have their own private Forums, like financial they don’t even share why because they have one more than the others because they don’t know how to handle the threats. Man in the middle, for example, attack on the browser, for example. There is no way to really fight that. So they tried to share information to see what is working, for example. Even the military force here they have their own SOCs, Secure Operation Centers. And they are sharing part of the information. Why? Because we can only prevent or try to manage risk if you know what is happening outside with the others because we get that intelligence to try to see if we can manage when it is our time.
So about cybersecurity, we all have to contribute. We all – we have also as a personal person, as a user to contribute and people sometimes try to contribute with simple things. They just buy antivirus, I don’t care from which vendor and they can click a box to say you want to share information, these attacks and this will contribute because vendors will share this information that has happened. We as a user, as a citizen have to contribute to this proactive I can say approach to security. But people don’t share information. And if people don’t share information it will be a more difficult task. That’s the truth.
>> OLIVER SUME: Thank you. Could you pass the microphone to the gentleman in front of you? Thank you.
>> My name is Dick. And I am the President of the Internet Society in Poland. I would like to second Marco and Tatiana, it is all about cooperation. I have got management experience in providing dedicated communication services to companies in Europe. It works inside the company effectively and everyone understands that good quality of service you need good security. And if it is reaching everyone’s ears inside the company it works by itself. Openness that nobody dares to make mistakes. It works very fine towards our customers. Why? Very simple. Because the prospects, potential customers come in. We show them our security. We apologize to them that they are on the cameras in the end in most of the large banks in Europe. Transparency is a selling item and also an enabler for true security like Tatiana said. Thank you.
>> OLIVER SUME: Thank you very much. Okay. Are there other questions or comments in the audience? Do we have anything from remote? Not yet.
>> Comments from me.
>> OLIVER SUME: Comments from the panel.
>> Yeah, I would like to come back to what Wolfgang said. One idea when we had this programme because security is mainly considered to be a very technical subject to discuss and if I look at the audience, it is some kind of a proof for that. And the idea was really to increase because it is necessary the cooperation between the various stakeholders on a first glance to alert the other stakeholders to participate in this discussion. Unfortunately, the success as I can see it in this audience was not as expected to have people from the, for instance, Civil Society participating. You pointed out to the panel because the panel was not already structured, not really structured as a multistakeholder panel we relied on this area much more than the audience and the audience will come up on their issues of how to participate. But the primary idea was really to alert people that security is not only a piece of software coming from a malware software manufacturer going down to the end user and that’s it. There are much more stakeholders including the end user or the Civil Society in this area.
We maybe have to look for a different approach to alert the other stakeholders.
>> OLIVER SUME: Thank you. There was a comment here in the second row, please.
>> CHRISTINE RUNNEGAR: Good morning, everyone. Christine Runnegar from the Internet Society. It is a question or a couple of questions. Looking at the title for the workshop, Security as a Multistakeholder, I would be interested to tease out more of what it is you as the panelists see as security. What are you trying to solve with the multistakeholder model. And the second part once you have identified what that is how do you balance that with other interests that the community might have. I appreciate that’s a bit tricky but I appreciate your thoughts.
>> OLIVER SUME: Can I pass the question to you, Michael?
>> MICHAEL ROTERT: Sure. I think as RIPE, an administrative body for the community we have this open platform where people can meet. And recently we have seen Governments getting more involved and the police getting more involved. And I am more than happy to also welcome the NGOs in those discussions. And we have this platform, but it is – in the end it is the people that participate, whether they want to share the information or whether they want to be open and, for instance, provide a good postmortem of the text so people can learn and people can learn how to protect their network against the next Forum. So yeah, we are open and we are multistakeholder, but in the end it is up to everyone to decide for themselves how far they want to take it in sharing information and how far to take it. I think our main take there is in a broader sense capacity building provides a platform where people can learn from each other and provide a platform where people exchange ideas in making the world more secure. Whatever the definition of security is, whether that’s national or to the end user.
>> OLIVER SUME: Sabine, please.
>> SABINE DOLDERER: Yes. What we are trying actually coming to your question is registry usually provides a service and there is not a lot of development. So with the service itself. What we are doing nevertheless when we have points which we want to actually develop further and I think Dena said in the last couple of years a huge issue where we tried to come up with and we know actually we have to address the whole community and the whole stakeholders in Germany and even in abroad. In Germany and abroad we try to bring the people in. We have made meetings and we have had public consultation lists and we set up tests where each and everyone can participate. So we have in general an attitude where we try to be open for questions coming up and in certain cases and others really point wise. Point wise if there are issues developing we really outreach and try to incorporate people to come up with all the minds and with all the information and bring it back to us. And what we also do is within the daily operations or the daily operation with the DNS as we do it, we also do regular meetings with those actually who are affected. So we have regular technical meetings for the technical community to – where we go in to a dialogue, how to improve our systems, how to actually further advance what we are doing. And, of course, we are participating in the national – in different national fora too, like CERTs, like the – on a national level, a security Internet – security exchange platform. We try to be as present as possible in a lot of fora, to be accessible and to incorporate people who are targeted by our service or use their service.
>> OLIVER SUME: This kind of exchange also something that you would recommend from an academic perspective, Tatiana?
>> TATIANA TROPINA: Yes, yes. I would like to answer your question. I will come to exchange a bit later. As a born lawyer I see from my cybersecurity is legal and regulatory frameworks. I am not thinking about regulation per se, like direct Government intervention. Apart from criminal law where we cannot be flexible because it is the highest degree of Governmental intervention, I believe in co- and self-regulation and I believe in the bottom-up approach. I see my role in promoting this approach, in explaining to people, Governments, businesses, that it is not only criminal law and criminal enforcement that shall work in cybersecurity. It is public/private collaboration and it is capacity building and technical capabilities. It is something which is the common interest for everyone. So when I am involved on this policy shaping level I try to promote not only regulation but promote moving away from direct intervention and move to exchange, move to incentives, move to back up good initiatives.
>> OLIVER SUME: What do we if we have companies that do not do the things that were mentioned by Marco and Sabine? Is that something that a regulator has to force companies to comply with these –
>> TATIANA TROPINA: You asked me if I agree or disagree with the cybersecurity strategy. Company reports about incidents. If you regulate, you come to the second issue. It is control and regulatory. How much input from the Government, how much intervention in to the normal business processes Government can provide. It is not only – it is not only frameworks. It is also time. It is involvement. It is more – it is technical capability. How do you know that this company actually is not complying with the obligations? How do you know that this company is sharing information about all attacks? There are virtually really no tools to control these. Again I am moving to the example of banking industry and money laundering. There are so many cases that cannot be controlled, when banks are not reporting when they do not apply techniques. So that’s why I do believe in incentives and bottom-up approach. So if industry comes with initiative, Governments shall back up. So it is not about direct intervention. It is about sharing.
>> OLIVER SUME: Okay. Thank you. Marco.
>> MARCO HOGEWONING: Yes. Well, in often response to what you said and pretty much a question to the room is do we really think legislation and regulation can keep up with the speed of technical developments? Lawyers push a lot of paper around and paper is slow. Have to realise that most of the security and that’s why it is vital to have that transparency. As in design phases people tend to respond to incidents and that’s tomorrow. And once you have legislation that prevent incidents and tell companies to take initiatives to prevent those incidents we are three, five years down the road. So what you were saying again here comes transparency. Do you want to tell companies to take security measures, or do you want them to be transparent so that the users can choose whether they trust that company with their data or whether they don’t trust the company with their data.
>> OLIVER SUME: Leave it to the industry. Is that fine for industry innovation?
>> MICHAEL ROTERT: That is exactly what I see as a problem. You have mainly industry on this panel. And it seems as if it is a kind of self-defending of the industry here to pledge for more security without looking at – without really having other stakeholders. But coming back to the Government and the legal aspects and this is something that industry wants to avoid to get more regulation, to get more laws because they don’t help. This is one part. And the other part is coming more from the customer side. How much freedom are you willing to give up for how much security? I am not talking only about cybersecurity. Also about what was mentioned before the CCTV cameras which you have around and then the software developed on the basis of these CCTV cameras on automatic recognition and these things.
At the beginning, at the very beginning of this workshop it was addressed I think by Sabine that there should be a definition of security and of what we are talking about. And I think this is the major problem we are facing. If you ask the industry, industry tends to talk about cybersecurity, about bits and bytes and stuff like that. And for the other stakeholders, security might be something totally different. But it all has to work somehow together coming to solutions or to final messages. I think it would be essential to have a view on security which we all can agree with and which we are I think most probably sure that it doesn’t cover the whole range of security.
>> OLIVER SUME: Okay. Thank you. Are there further remarks or comments from the audience? So – yeah. Please. First row here. Gentleman over there.
>> Thank you. I am from the Russian center for policy studies, non-Governmental think tank and I would like to provide some comment, highlights in the peculiarities of Russia, Russian approach on multistakeholder and some issues that were raised in the course of today’s discussion. In many respects Russia still remains a special case compared to the rest of Europe and sometimes it is presented as a tearing cognitivor when it comes to approaches in the field of cybersecurity regulation if compared to Europe. Despite the fact that Russia is a member of the European community and despite the fact there is, in fact, cooperation between Russia and between European states on both an Intergovernmental level and a technical level through cooperation of national CERTs and so on. And there is also cooperation and exchange of information on the expert level on the level of IT industries, but on the other hand, there is a striking difference on the very conceptual level of policy making and legal regulation. Just to mention the fact that the very notions of multistakeholderism and cybersecurity themselves are not accepted on the level of Russian legislation in this field. Let alone the fact that Russia does not participate in some core mechanisms to providing general framework for cooperation in encountering cybercrime, I mean the European Council’s Convention on cybercrime. But there were some interesting developments in Russia recently. For the moment the Russian Council Federation since the second half of 2012 has been drafting the first national cybersecurity strategy. For the first time using the term cybersecurity in the document which is also more important the process of drafting this strategy has been conducted in a very – in a truly multistakeholder environment headed by the Council of Federation as a national regulator but with very active participation of experts from the academia, from the Russian IT industry.
And this is one of the first examples of the multistakeholder approach. Still the future of the document is not defined. We are not sure for the moment that it will be preserved just in the Forum and with the definitions it has now in its draft version. That it will not be completely reviewed on the later stage by national regulators.
So my point with regard to today’s discussion is that much effort still needs to be made to provide mutual understanding between European regulators and Russian regulators in terms of what is multistakeholderism, in terms of how should it be understood and promoted on the level of policy making and on the level of official regulation in the cybersecurity field.
And just to finish my comment one more interesting development has taken place in Russia in the sphere of education and on the sphere of – in the field of cybersecurity culture. Another document has been drafted since 2012 which is dedicated to the issues of cybersecurity culture in Russia. On one hand it also shows striking differences in approach. Just mention – just to mention the fact that according the Russian document cybersecurity is understood and cybersecurity culture is understood as a definite condition which has its final point, not as a process of continuous and endless risk management but some condition which once can be achieved and then the task is completely solved.
But on the other hand, the very process of creating such document and expert discussion only its text provide opportunities for discussion, for dialogue with European representatives, with European experts and the opportunities for bridging approaches. And this is the opportunity for us because PIR Center is focused on the process of bridging Russia’s approaches in the cybersecurity field and approaches of us partners. Thank you.
>> OLIVER SUME: Thank you very much. So actually seems to be that we have a need for a multistakeholder approach in terms of security on different levels, right? The level that you mentioned there has to be an exchange. And in order to achieve a common understanding of what we are talking about, if we are talking about multistakeholderism on the one hand it is about definition. What is our understanding from security or cybersecurity. That would be the one level, and the second level is the one that we discussed in the beginning of the session, the exchange and the openness and the transparency of the security itself would be a different level, a different approach for multistakeholderism and security. Something that the audience would agree. And my personal conclusion of this discussion would be it is not a question if security or multistakeholderism is an aspect of security. I understand in particular Marco and Sabine, it is like a condition of security. Would you assign that?
>> MARCO HOGEWONING: Yes. If you sit in your own little world that won’t get you that far I think.
>> OLIVER SUME: Okay. Other questions or comments from the audience? No participation remotely unfortunately. Okay. And we have five minutes left and I would like to ask the panelists for some closing remarks. Michael, would you like to start?
>> MICHAEL ROTERT: Okay. The discussion was interesting and a point on how to involve other stakeholders on one point. And the other point it is clear if you talk about security, the topic is too large. It has to be somehow dedicated either to incidents or whatsoever. Industry can do a lot with security. Can do much more than they did in the past, no matter which industry including the software industry. Also providers, providers are increasingly doing more by delivering devices with highest security level already installed. So there is a small – it is getting a little bit better. But the other side, the security holes or security leaks or however you call it, incidents are also increasing due to a lot of applications. And we didn’t touch the world of mobile security so far which brings in totally other aspects, but also a multistakeholder and I would wish for the next EuroDIG that we have security again but then much more focused and then see if we get all the stakeholders on board with maybe a different concept, not only having industry talking about security but having some kind of more discussions in smaller Working Groups to work on this issue of how to incorporate other stakeholders. That would be my conclusion out of this discussion today.
>> OLIVER SUME: Thanks. So the first message is for the EuroDIG 2014. Sabine, what do you take away from that session today?
>> SABINE DOLDERER: Yes, I think in line with what Michael said I think we should sharpen actually the issues, what we are talking about, which definition about. I think there is clear within the real technical framework, there is best industry practice towards how to implement a secure layer. And I think we should go ahead, but I also like your idea, what you bring in your security policy, how much security you want on an overall level is very much about risk management. It is about risks and it is also about how much freedom you want to give up to gain more security and that is another level. I think there is the technical level of providing those services where there is clear technical measurements. And the other is really debate where we should focus on how much actually – how much freedom we want to give up for more security and that is completely a different debate which is enforced where I am a technical – somebody operating a technical piece. I am also only one of the stakeholders and have to provide – can provide my input as a citizen and not as an operator, in an operational level. So there is a security on the operational level where we – I think we have clear ideas and standards and where we can really strive to get more security. But also the other aspect of security as a whole where it is about risk management and yes, have the freedom and individual rights and so on.
>> OLIVER SUME: Marco, your closing remarks.
>> MARCO HOGEWONING: Going on the freedom, it is innovation without permission and I think one of my concerns is that we have to be careful always when legislation and regulation comes in to play, that we don’t restrict ourselves too much in what tomorrow’s possibility is because that will be also tomorrow’s threat. So I would like to end with an invite to everyone in the room who has a stake in this to join our platform and to join the IGF and other open platforms and in an early stage of the process raise their concerns about security, raise their concerns about privacy because that’s always depending on each other and work together in making a more robust Internet and more robust applications possible.
>> OLIVER SUME: Thank you.
>> MARCO HOGEWONING: You are welcome to join.
>> OLIVER SUME: Tatiana, your conclusion?
>> TATIANA TROPINA: Thank you very much. Coming back to my first statement where I told about different dimensions of cybersecurity and compare it to the pyramid with the lower level and middle and higher level security. On this level of crime reduction and crime control and this activities in this field and this ecosystem, there are many stakeholders involved. And it is already working. So what I do see as a way forward coming to the level of network resilience, coming to the level of national security is seeing how these competencies of the industry, of Civil Society can be maybe leveraged to the levels which are considered like more important for the national security than, for example, crime reduction. So I am for sharing good practices, analyzing experience and leveraging these core competencies of different stakeholders involved.
>> OLIVER SUME: Thank you very much. Okay. So what I learned from this session is security has to be a multistakeholder model. Thanks to the panelists here on the panel. Thanks for being here, for your contributions and great – thank you also to the very valuable contributions from the audience. Yes, and my last remarks are have a good lunch. Thank you.