Stress testing the multistakeholder model in cybersecurity – WS 09 2017
Reality or wishful thinking: a new take on cybersecurity governance and multistakeholderism
#collaborative security, #multistakeholderism, #relationship with the PPP model, #best and worst practices, #good practices, #cybersecurity governance model
This session will focus on multistakeholderism in cybersecurity governance and both the practical and policy tools to serve to that end. Further discussions to be held from this perspective on the collaborative security model as a different take on the multistakeholder approach.
This session will not run in the traditional panel format, instead there will be two moderators on stage (and one remote moderator) and key participants as resource persons to actively engage the audience for a vibrant discussion.
Internet Society Report on Collaborative Security (available at http://www.internetsociety.org/collaborativesecurity )
- Frederick Donck (Internet Society), Ceren Unal (Internet Society)
Subject Matter Expert (SME):
- Tatiana Tropina (Max Planck Institute)
- George Christou, University of Warwick (https://www2.warwick.ac.uk/fac/soc/pais/people/christou/)
- John Crain, ICANN (https://www.icann.org/profiles/john-crain)
- Patrik Fältström, Netnod (https://icannwiki.org/Patrik_F%C3%A4ltstr%C3%B6m)
- Dominique Lazanski, GSMA (https://www.gp-digital.org/board/dominique-lazanski/)
- Eneken Tikk-Ringas, IISS (https://www.iiss.org/en/persons/eneken-s-tikk-ringas)
- Robin Wilton, Internet Society (https://www.internetsociety.org/who-we-are/staff/robin-wilton)
- Tatiana Tropina, Max Planck Institute (https://www.mpicc.de/en/home/tropina.html)
- Sally Shipman Wentworth, Internet Society (https://www.internetsociety.org/who-we-are/people/ms-sally-shipman-wentworth)
- Fotjon Kosta, Albanian Ministry of Energy and Industry
Organising Team (Org Team)
- Farzaneh Badiei, Georgia Tech (http://www.internetgovernance.org/people/farzaneh-badiei/)
- Oliana Sula, EBS (https://ebs.ee/et/meie-inimesed/oppetoolid-ja-keskused/ettevotluse-oppetool/kulalissoppejoud-2/oliana-sula?tmpl=component)
- Fotjon Kosta, Albanian Ministry of Energy and Industry (https://www.linkedin.com/in/fotjon-kosta-8321aa4b/?ppe=1)
- Ceren Unal, Internet Society (https://www.internetsociety.org/who-we-are/staff/ceren-%C3%BCnal)
- Cybersecurity is a global concept and solutions to cybersecurity problems are beyond national borders. Considering how the internet was constituted and works, each party needs to take responsibility to ensure resilience and to take a collaborative security approach to foster confidence and protect opportunities.
- Every stakeholder has different incentives, different economic interests and different logics (regarding security/privacy/DP); a good multistakeholder process would bridge these differences.
- Although governments usually try to take the lead, the role of civil society is important to monitor accountability and transparency.
Provided By: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: 1 877 825 5234, +001 719 481 9835, www.captionfirst.com
This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) or captioning are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.
>> SALLY SHIPMAN WENTWORTH: Hello, Tatiana, are you ready for us to get going?
>> TATIANA TROPINA: Absolutely. We can wait for another two minutes or -- yeah, let's wait.
>> SALLY SHIPMAN WENTWORTH: Okay. We will wait for a few more minutes, since people are finishing lunch.
Okay. I think we are going to go ahead and get started, everyone. I want to be respectful of people's time. So I would like to welcome everyone here today to this panel discussion or community discussion on stress testing the multistakeholder model in cybersecurity.
My name is Sally Wentworth, I'm the vice president of public policy at the Internet Society and I'm joined here by a very esteemed panel, plus -- in addition to a person Dominique Lazanski who is coming in remotely.
I thought I would do a quick test Dominique to make sure that you are able to weigh in and speak up and that we can hear you.
>> DOMINIQUE LAZANSKI: Yes, hi, can you hear me?
>> SALLY SHIPMAN WENTWORTH: Hi, very good. So we have -- this is always the most difficult session right after lunch, so we are going to try to keep everyone engaged and interested. This session, as I said is called stress testing the multistakeholder model in cybersecurity. Yesterday there was a plenary session on -- on multistakeholder governance in cyberspace.
>> SALLY SHIPMAN WENTWORTH: Hello? Hello? Do we have multiple people? I guess I should use this opportunity to pause for a moment and make sure that everybody --
>> Oh, lovely!
>> I think we are going to go ahead and get started everyone.
>> SALLY SHIPMAN WENTWORTH: Oh, you are playing this back. So I would like to welcome everyone here -- I do like the sound of my voice. It's good.
That's right. Don't comment. I want to introduce my co-moderator, Tatiana, do you want to say hello?
>> TATIANA TROPINA: Hello, everyone.
>> SALLY SHIPMAN WENTWORTH: Do you want to say more about yourself?
>> TATIANA TROPINA: Yes, I'm Tatiana Tropina, I'm with Max Planck Institute in Germany.
>> SALLY SHIPMAN WENTWORTH: We hope that we get a conversation going here, and that we come out with a very kind of pragmatic view of this issue of the multistakeholder model in cybersecurity. The way we will structure this is we'll have a bit of a dialogue with the panelists here and Dominique online and then we really want to turn it over to the room and have a conversation that can probably go in any number of directions.
So as I mentioned yesterday, there was a session on cybersecurity, and it was quite interesting. I was on the session with Tatiana. We are like the dynamic duo this week. There was a perspective that seemed to come through that session, was that governments have a leading role when it comes to issues of cybersecurity. And certainly, there were differing views in the group but that was a perspective that came forward very clearly and I will admit that I was a bit surprised that that was quite as strongly held a point of view.
On the other hand, we, in the Internet community, have been speaking for some time about the quote/unquote multistakeholder model, this notion that to develop solutions in the cyberspace, in the Internet space, we need to bring all stakeholders together, and that there's a role to play for various expertise to come to solid, robust sustainable solutions.
But it's been my experience and perhaps others have similar experience, that as of late, as we have moved into an environment where security is the issue of the day, where cybersecurity, however defined -- and that's probably a topic for conversation, how do we define this term because it means a lot of things to a lot of people, that that is -- cybersecurity issues, issues of security in general relate to national security, to law enforcement, and that those are serious issues for serious people, and that the multistakeholder model, however nice it may be, is often not the model that you hear about when it comes to dealing with the issues that are seen to be serious cybersecurity.
And so I think the question that I would like to grapple with today is do we accept that point of view? Do we accept this notion that the multistakeholder model may be good for some things but when it comes to issues of security, perhaps it's not ready? Or, in fact, is this idea of bringing stakeholders together to solve problems still valid and relevant in issues related to security and related to cybersecurity? And if it is relevant, do we have very practical examples of how that's working? Do we -- can we have a conversation about what are the pros? What are the cons? What are the shortcomings? What are the things we need to be looking at when we attempt to apply this multistakeholder model to something as, you know, hard core as security?
So that is sort of my jumping off point. Tatiana, I thought I would ask you if you have any initial comments to make and then we'll turn it to the panelists for a first round of comments.
>> TATIANA TROPINA: Thank you, Sally. I would like to turn to the panel as soon as possible, but I would like to say as well that as a moderator, and as someone who participated in the organizing team in the plenary, it was a big surprise to me that the governments were not coming up as a leading stakeholder. We were not expecting it when we put up the toll, this scale and exercise.
So I would really like to give it to the panel now and express your views. Thank you.
>> SALLY SHIPMAN WENTWORTH: So I think the question that I'm asking and we can go in a number of different directions but this first question of -- is the multistakeholder model relevant to issues of cybersecurity? And then the follow-up question I would ask, if so, where do we see it being applied today? Can we look at practical examples of where that's happening now?
John, I will turn it over to you.
>> JOHN CRAIN: Okay, I'm John Crain, senior security geek at ICANN.
So if you look at organizations like ICANN, we're always talking about the multistakeholder model. Multistakeholder when it's used in the sense that everybody can participate, works really well for things like policy developments. Often in the security world, you are not talking about developing policies. You are often talking about being practitioners and actually doing something operational. So when it comes down to operational matters, what you want is the people that have the knowledge and the capability to actually make operational things take part.
Now, that's not just governments. The Internet is not run by governments. Much of the infrastructure is run by private industry. Much of the expertise is held outside of governments, but governments, of course, have a very important role. One of the parts of government from a public safety perspective is, of course, law enforcement.
So, you know, in a law enforcement matter, of course they take the lead dealing with that but often they need to bring in other stakeholders. You know, in our world if they are dealing with things like botnets that will affect the Domain Name System, they will need to bring in the experts on reverse engineering the botnets, but they also need to bring in the DNS people that will actually affect the system.
So in the policy realm, I think I'm discussing what are the policies around cybersecurity, issues like human rights, et cetera, that's where you -- that's how that's affected and that's where bring in the full multistakeholder model if you like.
But when you actually get down to practical elements of dealing with security issues, you have to narrow that down to the people that can actually have a practical influence.
>> SALLY SHIPMAN WENTWORTH: Patrik.
>> PATRIK FALTSTROM: Patrik Faltstrom, I'm with Netnod. I'm with an advisory committee on ICANN. I will continue on what John said and express it slightly differently. It's hard to disagree with what you are saying. I'm not.
If we think about how the Internet is constituted -- it is compared to the old world where we had the telco and the monopoly and a wire from there and we had the phone that we got from them and we could use the services they provided for us, they even gave us the electricity that the phone was using. That world is gone.
So nowadays on the Internet, you have multiple entities where each bring something together. Some bring fiber, some bring ISPs, and some give services to others. The way the Internet works is each one of those have to be taking responsibility for the functionality of whatever they bring to the table and that's how the Internet works. And that's a different way of explaining from my perspective of what John just said. Whoever runs -- whoever brings something that brings the Internet must ensure that that works. So that has to do with the responsibility and that is absolutely multistakeholder. It's up to whoever runs it to make sure it continues to run. Governments do some things and private sector do other things.
We have policies that we need to live up to. Those exist in two specific forms. One has to do with a more contractual perspective, one in the market perspective and the norms we are playing along in the society. And those are things that are very much already today developed in the multistakeholder fashion. We know how to do that, but then we have another portion and that has to do with the form of legislation that actually governments, which -- which governments write and they have to come up with these legislations which both for example give the ability for law enforcement to do certain things and for the private sector not do certain things. And that's where we have the human rights. Human rights are promises between states on what they are supposed to do within anywhere jurisdiction.
So that's why I agree that governments do have a very big role there. That's where you have the fundamental basic sort of legislation that governments have to do to either force people to do things or prohibit people to do other things. And it's quite hard to also have a true multistakeholder process there. It's more like an outreach process, than a multistakeholder.
That's why I think we have these three different buckets. Operations, each one has to do whatever they do. Norms and other kinds of things, more CSR-like that can be multistakeholder and then governments have to do their part.
>> SALLY SHIPMAN WENTWORTH: I think that's a very interesting framework and I would like to come back to. George, if I might, I want to make sure that we didn't lose Dominique. Is she still here?
>> DOMINIQUE LAZANSKI: Yes, I'm here. I'm sharing my video but I don't think you can see it.
>> SALLY SHIPMAN WENTWORTH: We cannot see you. So Dominique, if you would like, I would like to turn to you, to come from your perspective at GSMA and whether you think the multistakeholder model is fit for purpose when it comes to issues related to security.
>> DOMINIQUE LAZANSKI: Sure. And thanks for letting me join remotely. I'm sorry I can't be with you this week.
Just perhaps building a little bit on what everyone said so far. We absolutely support the multistakeholder model but also acknowledge that different experts have different roles to play in cybersecurity. Obviously from the mobile industry, we are often the first ones to deal with the issues whether it has to do with content on our networks or our networks in general or end point devices. We are often the first ones to get notified of that, as well as to have to deal with the issue.
So we actually strongly believe in the multistakeholder model because it takes all actors to contribute to -- to solving this issue in a variety of different ways.
I think governments tend to focus a bit more on their role, which is focused right now and very much in the media on protecting public safety, and while that is one of many, many aspects, we think that it's a collaborative aspect to cybersecurity that's really important.
So we kind of see it in four different buckets. One is about protecting consumers and this includes education as well, to have appropriate legal frameworks and resources available for consumers to understand what they are actually doing in our networks and with our devices and part of that includes protecting consumer privacy too, but we do feel strongly about protecting public safety. Again, oftentimes we are ones that are right there in the forefront, we have to work quite closely with law enforcement on this and that requires a proportional legal framework too, which I think is an important component to all of this as well.
And then finally protecting network security and device security is something that we take quite seriously. I would suggest that maybe later when we talk about multistakeholder model, one of the things that we can talk about is counterfeit devices, and handset theft and how we approach that from a very multistakeholder point of view, and a consumer point of view. It's important to have specific and appropriate processes for these that include a CERT, a security incident response team, and securing the value chain and the mobile ecosystem. That includes public/private partnerships obviously to make that happen.
So overall, I would just say that I absolutely come from a point of view in the mobile industry comes from a point of view that multistakeholderism is important but understanding that there are different roles to play. Thank you. And thanks for the video working.
>> SALLY SHIPMAN WENTWORTH: Nice to see your face.
>> DOMINIQUE LAZANSKI: Thank you.
>> SALLY SHIPMAN WENTWORTH: George, do you want to weigh in on this question?
>> GEORGE CHRISTOU: George Christou with the University of Warwick in the UK. Yes, multistakeholder, it's a slippery concept. Each of us have given the definition of what it is.
We can take the all encompassing definition that means that all stakeholders must be involved all of the time. I don't think that's what anybody is saying. I think the key is to be nuanced about when we use it and how we use it. The relevant stakeholders should be involved across the different levels that we operate in terms of cybersecurity policy, but, again, cybersecurity, what is that? And what levels does that operate? We can't say cybersecurity. It's cyber defense. It's cyber offense. And certainly we don't expect to see civil society representatives, for instance, turning up at the US headquarters for cyber storm, for example or cyber warriors, for example. We have to take that into being.
It's a relevant concept, of course it is, and I think -- but it has to be broken down. So what are the alternatives? How does it embody itself? We see lots of networks operating around cybersecurity. Public/private partnerships is a new buzz word. Probably as slippery as multistakeholderism. There are many thousands of public/private partnerships within cyber itself. What does that mean? How do they work? I mean, I think there's some relevant models here but I think we need to get down to that level to actually understand multistakeholderism in cyber and whether it's relevant for not. There are public/private partnerships that have worked very well. There are some that haven't, okay, that are very well documented, whether in Europe or elsewhere.
So I think for me, to start with, I think we need to engage with the people here in public/private partnerships and multistakeholder fora to have a conversation about how it works practically and who should be involved.
I will leave it there for now and I hope that's where the discussion will go.
>> SALLY SHIPMAN WENTWORTH: Absolutely. Last but not least, I will turn to my colleague, Robin Wilton, who may have been partially responsible for the start of the government discussion the other day. So Robin, over to you.
>> ROBIN WILTON: Yes, it's not often you get the luxury of having a second bite at something like this, especially when it has generated such lively discussion.
So I think it's important, first, to look back to the context of yesterday's discussion. I tend to think of cybersecurity as those aspects of digital -- the digital world that overlap with the critical elements of national infrastructure. I think what it does is clarifies part of the role of government. And my opening comment yesterday was I think governments have a responsibility for citizen safety and as Dominique said, public safety is one of the buckets here.
Governments have the role of keeping the critical national infrastructure available and resilient. At least that's a responsibility that they might pass to others. So they might not be the operational owners of that, but if the critical national infrastructure fails, who else's responsibility is that in a nation state?
So let's make it a little bit less abstract. Think of the botnet, that almost took a country offline. So one view of cybersecurity is that that government had a responsibility to ensure the resilience of its national infrastructure and that national infrastructure came under threat. Okay?
But is it up to the government to ensure that bots can't be created? Probably not. That's someone else's responsibility. It might be the responsibility of the designers to ensure that your connected toaster cannot be subverted and turned into a bot.
And then you come into the incentive on those commercial providers. As someone else remarked yesterday, if you are developing a toaster, you have to pay for the development of that toaster and recoup your costs by selling it, but you don't suffer the financial damage whether your toaster is part of a botnet attacks some other country's infrastructure. So there's no financial incentive for you to be worried about someone else's national infrastructure. So there's a misalignment of incentives there which I think the multistakeholder approach has a role in correcting.
>> SALLY SHIPMAN WENTWORTH: Well, Robin, I think you can have done it again. I can see Patrik squeezing his face here. I will let you weigh in.
>> PATRIK FALTSTROM: Yes, there were a couple of things which you said there which I think are interesting. You said, for example, taking a country offline. I don't know what that means. That's the first thing.
And you also said governments are responsible to ensure that critical infrastructure something -- I don't remember the exact wording.
>> SALLY SHIPMAN WENTWORTH: Stays online.
>> PATRIK FALTSTROM: Stay online. Here in Estonia. They have made a decision on what is critical and we haven't in Sweden. We haven't determined what critical infrastructure is. One of the reasons that Estonia has survived, they have made a decision. They have made an agreement in some type of process that might look like multistakeholder, what is important. Given that everyone knows what is important, it has been easier in Estonia, than, for example, in Sweden for each individual player to make decisions so that things work. But the actual -- the actual operations, to go back to what John said, the actual actions later on is something that each individual player is doing. And that is not in multistakeholder as others. It's not the case that I don't disagree with you. I hear some of the terms that we are using and things that are discussed exactly like you were saying with mull and which you also said. Are we really talking about multistakeholder, or private/public partnerships? Or whatever.
>> SALLY SHIPMAN WENTWORTH: Okay.
>> ROBIN WILTON: It's good to know that national approaches differ and to be honest, I didn't know that Sweden had that approach of simply not defining what CNI is. So, for example, in the UK, I know that there's a government forum where participants from the energy industry, telco, transport, pharmaceuticals and drainage, are invited to discussions in how to keep the national infrastructure resilient. I'm aware that that was not the case in other countries. That's interesting to know.
If you do have that approach -- for example, the energy industry. It's a long time in the UK since that was a government owned and run thing. It's privatized but if the country's energy infrastructure ceases to function, it's the government who will take it in the neck.
>> SALLY SHIPMAN WENTWORTH: Go ahead, John.
>> JOHN CRAIN: Another term or another statement, which is it's about national critical infrastructure. And that sort of gives the idea that infrastructure stays within national boundaries, and, of course, as we all know, it doesn't.
So, you know, when you talk about cybersecurity, you can't really bound it by the national infrastructure. It may be infrastructure of national importance, but it may also be corporate infrastructure. Some of the major pieces of infrastructure there are used by the economy but they are not built in the sense of national infrastructure.
And I think that's a good definition, but it's only one definition. But I think one of the interesting things you said, which does count across all of this is about the imbalance of the economic incentives. I think in both cases that counts, but, you know, a lot of places around the world -- a lot of governments and also nongovernmental people haven't quite grasped the concept that the network doesn't follow those nice pretty little boundaries that everybody likes.
>> SALLY SHIPMAN WENTWORTH: Right. Right. It strikes me -- and then I think we will turn it over to the room here. It strikes me that attacks that we have seen recently, WannaCry or even the Mirai bot where you had critical infrastructure impacted, the solutions were far beyond national borders, right?
So it was while -- while the government certainly, I think took interest in these attacks. Everyone was talking about it. The solutioneering for that was a global network of -- of people working together and not directed by the government or otherwise a single national solution set. I mean, is that a fair reading?
>> DOMINIQUE LAZANSKI: I would like to pop in here. It's really weird to me on the large screen.
Sally, you brought up something that is really interesting and something that I think we should cover. The problem is for us, you know, a lot of our operators run national and international networks and yet when we go into different countries, there are different concerns, different legal frameworks and different stakeholders, different approaches culturally, technically, whatever it might be to that particular national boundary. I'm not saying, you know, Internet boundary but national boundary and that we have different challenges in different countries whether or not, you know, the attack comes from five or ten or 50 different servers all over the world. One of the real challenges is seeing how we can seek sort of global agreement and global participation, right, in order to solve the problem at local level.
That's something that personally, I don't think can be achieved through one global treaty, but needs to be taken into consideration when you go into a treaty. Perhaps we can talk about that a little bit more when we talk about case studies a little bit later.
>> SALLY SHIPMAN WENTWORTH: So Tatiana, should we open this up to the room? I see we already have a few comments.
>> TATIANA TROPINA: I already see several interventions so we don't need to pose the comments.
>> SALLY SHIPMAN WENTWORTH: It makes the moderator's job easy.
>> AUDIENCE MEMBER: As far as I can tell, one if not the main point of multistakeholderism is that the stakeholders have different interests that are occasionally conflicting. None of them has, by definition, the right one. We can't assume that the gov is in the right. A utilitarian government, they are to make sure that the citizens are not too secure in their own communications.
And we come to a point is this a policy or implementation decision, as Lawrence said, it's low. The implementation standards, technical implementations have direct policy implications like obviously anonymity, encryption, stuff like that.
I think that the main reason for multistakeholder, to make sure that all stakeholders take everything into account.
>> TATIANA TROPINA: For example, Patrik was talking about multistakeholder approach and the policy making level and not on the operational level or the implementation or enforcement level. So basically is your statement also coming from there would be a problem -- or we have to take into account different interests and the encryption on the implementation level, this is why we have to have multistakeholder on the policy levels so you are basically agreeing with Patrik.
>> AUDIENCE MEMBER: We have to take this in on every level.
>> TATIANA TROPINA: Oh, so every level. Please?
>> AUDIENCE MEMBER: Yes, my question builds on the last one. There's a general consensus that the governments should take the lead role or have a major role in terms of the policy making and the operation of cybersecurity. If you look at recent studies in the US and UK and other European countries, do you think that those kind of actions undermine the argument that they should be the solely lead responsibility and whether it means a true multistakeholder.
>> TATIANA TROPINA: I will throw this back to Robin. I believe that you had more of the same point.
>> ROBIN WILTON: Thanks for that. When did I sign up for this role? It's a very good question, and I think what you have described there, where you have governments who are stockpiling things that potentially add to the vulnerability of citizens and their devices and systems, I think that's a microcosm of a tension that we saw after the Snowden revelations where a single governmental agency was responsible for advising the governments in how to secure their systems and also developing the techniques to exploit the systems and the intelligence. That arises out of functions of government. Most governments, I suspect, see it as part of their responsibility to see that they can collect intelligence.
So how do you compartmentalize them in a way that reduces that tension. I don't think there's an easy technical answer.
>> SALLY SHIPMAN WENTWORTH: A couple of thoughts and I think Patrik and George wanted to weigh in. One of the readings before this session was this notion of the Internet Society and others have worked on together open this notion of collaborative security, this idea of how you approach the development of security all the way up and down these layers that I think Patrik was talking about, whether it's operational all the way up to the laws and the legislation and the norms.
But to this question on stockpiling, I think one of the key principles of that collaborative security framework is that we approach security from the perspective of fostering confidence and protecting opportunities; that the fundamental properties of the Internet should be the core guide for our approach to security.
And then the final one is that while you may act -- or not final, one is if you may act locally your actions in a networked environment have global repercussions and I think this is what we are seeing when we talk about stockpiling and this notion of vulnerability hoarding and all the rest, is that it has implications on the globe and on these global networks. We are part of a system.
I think as we encourage whoever is taking these actions at whatever level, whether it's at operations or norms, that we operate from a certain set of approaches and for that to guide the approach to security, not this notion of locking things down or hoarding or protecting.
So just a potential response to that. Patrik and George.
>> PATRIK FALTSTROM: It sounds like I'm against multistakeholder things and not. People who know me, know I like a lot.
As we talk about the buckets about whatever legislation is needed by governments and needed for multiple definitions of need and down to pure operation, that individuals or individual organizations are doing, everything can, of course, be run by the evolution of norms and policies sort of in the center bucket. And if that is done, my view is that if that is done in a proper way, then you will sort of taint the other process, for example, if it is the case that people have certain need for certain products then the market will develop those products and they will be deployed otherwise they will not be able to sell anything.
A good multistakeholder process turns into a market flavor, even though the market itself when operating is not a multistakeholder one. So the multistakeholder process can influence the other ones. So it goes back to the question of what do we mean by multistakeholder, where we have different definitions.
>> SALLY SHIPMAN WENTWORTH: George?
>> GEORGE CHRISTOU: Yes, I'm very much for multistakeholder, but I wish people would give it in context, and where it's useful in a sense.
I think we need accountability. I think we need transparency. Civil society always has a role there in whatever the government is doing. I think that's a salient point, probably a slightly separate issue. My question is: In terms of the multistakeholder model where is the space where that can happen? Where can it happen systemically and then when we come to cybersecurity, we see many spaces where civil society can interact, all right.
So for technical standards agencies that claim to be multistakeholder, certainly there's civil society representation in there but we need to look closer at representation and the power of civil society to achieve their aims within those. So we talk about multistakeholder, we need to be clear about what are the roles of the stakeholders within the fora that we're looking at.
And I think we really need to get down to some specifics, you know, examples of where that's happening. Where it's happening well, and where it's not happening so well. What are the lessons we have learned so far? I'm sure people in this room are engaged in those very processes and we have people here from ICANN, Sweden, the national level, Robin.
As an academic, I have a broad overview of these things. I can talk about various European-based institutions.
It has a specific function for me.
It would be nice to expand that discussion to the audience as well.
>> SALLY SHIPMAN WENTWORTH: And that's where I think I would like to take the discussion but I think we have a few more comments, remote comments?
>> TATIANA TROPINA: Yes, I think we have a couple of remote comments. The first comment was probably -- now I think we are making it too late. It referred to the first part of our discussion and said why we are talking so much about the governments.
And I believe that we have an answer to this and I will -- I might grab you to answer. We talked a lot about this surprisingly yesterday at the cybersecurity plenary and these discussions were surprised as well, and many people were supporting the leading role of the government.
We have a question, someone is asking what is multistakeholderism. A multistakeholder does nothing.
Right now before we move back to our panelists, are there any questions or comments from the floor? From you? I would really like to ask a question, if I may. A question about public/private partnerships. What concerns me is we equal multistakeholder. For me, public/private partnerships is industry and government mostly. Are we broadening the definitions of public/private partnerships to multistakeholder? Are we making these equal? And I want to make a quick comment for Dominique. Dominique, I'm watching you on the big screen. So any time you want to intervene, raise your hand. No worries.
Sally, back to you.
>> SALLY SHIPMAN WENTWORTH: Let's take up that question of public/private partnerships. Is that narrowing the field or broadening the field? What is the place for public/private partnerships in the cybersecurity discussion?
>> So it does narrow the field. It comes back to the question of what is happening. If you are in an operational world, a public/private partnerships or a partnership -- or even a private/private partnership, but partnerships between the affected bodies and the bodies able to make effects can be very proprietor. So it is scaled down, if you like, but with a purpose. So I do say it's smaller.
>> I agree. I believe it goes back to the comment from remote participant, that being multistakeholder it simply doesn't help.
>> SALLY SHIPMAN WENTWORTH: Yes. George, I want to come back to this point that you made earlier about perhaps it's time to get specific. Perhaps it's time to be pragmatic about what are some of the models or the -- the -- what are some of the work that's out there, that -- that is maybe not government driven, but that is core to the security of the Internet. What are some of the examples -- maybe it's multistakeholder, maybe it's public/private partnerships. Like I said yesterday -- reflecting yesterday, on laws and procedures and government-driven solutions.
But I think it's important to put on the table some of the real world work that is happening to contribute to the cybersecurity environment. George, may I start with you and then we can open it up for that discussion?
>> GEORGE CHRISTOU: Yes, sure. In terms of them not being government driven, public/private partnerships has some element of public body participation. So it's very difficult to find forums that don't have involvement.
A typical one that's cited in the UK is the CISP network, which you might be familiar with, or may not by the look on your face which is basically a platform that's paraded as a good practice model for government and industry to come together to share information, and information sharing seems to be quite critical here. How do we share information? How do we incentivize the private sector that works to a different logic, a competitive logic, a profit making logic to share their information with essentially what they see as their main competitors okay?
Now, what they tried to do in that specific partnership is to bring in all the relevant government bodies including intelligence, services, GCHQ, the cabinet office, with the players, corporate players, I can players and the membership has expanded I'm not sure what the number is right now. But obviously then trust becomes a critical issue for this sort of model to work. How do you build trust? And then we come down to different models where people cowork, and so industry and government analysts cowork to gather intelligence and pass that intelligence back to private sector and to government officials, okay?
That seems to be a fairly effective way of working. I have other examples, at the European cybercrime council. We will get into that. We get into concrete examples here. I'm not saying there's not a problem with CISP. There are various issues around CISP in terms of who shares and when they share and, you know, what sort of corporate bodies participate, who can -- who is excluded, et cetera, but it's just one example.
>> SALLY SHIPMAN WENTWORTH: Good. Thank you. Patrik.
>> PATRIK FALTSTROM: I think also we have to differ between, for example, the government or some agency creates a platform by which information can be shared and given the information that is shared by the trusted parties, they can choose who they are participating with and during an incident or accident, to be able to solve this specific issue. So that's where you might have sort of a public/private partnerships regarding the tools but then the actual work is done between a subset of the participating parties.
It's also the case that it sounded a little bit alarming that we in Sweden don't know what is critical. But because we, of course, do have the same kind of cooperation body and tools that you just listed but what we have seen in Sweden, specifically regarding cybersecurity, it's difficult to know what is critical because the various different kind of incidents.
We had a large storm that brought down power through Sweden for multiple days. The ones that needed communication, the one that we gave special radios and national roamings with SIM cards. Anyone can guess who got those special radios? Those were the drivers of the trucks with diesel. They were the most critical sort of people in Sweden during those weeks. And the only person that died in the storms were the electricians who could not communicate.
The electricity and the telco sectors can share information, also cross sectors so they know and cooperate when restoring electricity or cell phone network.
Another example, so there's one kind of collaboration. The other thing -- when I say we don't know in Sweden what is critical is for example, we had a terrorist attack, like it seems to be popular to have that. We also had one in Sweden some weeks ago. What we saw then was that the telecom phone system collapsed. We had a discussion whether it's more important that people can communicate with other, where people can talk to each other. And by the way that was the view that Estonia during the attacks in 2007.
In Sweden, it's more important that they can talk to each other or call 112 services? And that is a multistakeholder discussion. What is really important? So the problems for telcos and ISPs they don't know how to prioritize. They only have the SLAs from the customers and then the legislation. So unless there's clarity from the multistakeholder community, you don't know how to sort of deal with critical situations in the network. And sometimes they are over in 15 minutes. You don't have time to communicate with each other and coordinate during an attack.
>> SALLY SHIPMAN WENTWORTH: The multistakeholder model sets the environment by which the environments, the operators can implement in the moment. Security is not something where you can sit around and have a coffee and decide whether or not the principles apply. You have to be able to work within those principles because there's consensus on what those are.
>> TATIANA TROPINA: I see a couple of registration from the audience, but I want to -- let's collect them. I want to read a question from one of the remote participants. I have a question for Mr. Crain from ICANN. Does he ensure ICANN security based on multistakeholder model. Do multistakeholder make policies and he enforces them?
John, I'm sure you will be happy to answer this question in a moment.
>> AUDIENCE MEMBER: I discussed a little bit this. My question is about restrictions on movement of the border. Some governments are claiming by restricting the data from moving cross border that it is safer. And this is something that's implemented, for example, healthcare data in the UK, the companies are invited to process data in the healthcare data and some European companies for public data and I have spoken with people specializing in this issue. Some people tell me it doesn't have any impact on security at all, just makes things more expensive.
Some other people tell me, actually, if it's kept within the hospital, it may be safer. Other people tell me it's less safe because it's more easily hackable if it's centralized rather than decentralized. So what is your opinion on that?
>> TATIANA TROPINA: Thank you very much. There are other questions or other intervention before we move to --
>> SALLY SHIPMAN WENTWORTH: I heard two questions then, right. The first question to John on -- is ICANN security based on the multistakeholder model?
>> TATIANA TROPINA: Do they create policies and you implement them?
>> JOHN CRAIN: There are different ways to look at ICANN. I work for the ICANN organization. We run networks, et cetera, right? The same thing that every corporation has. So -- but then we also have the ecosystem which ICANN enables the multistakeholder model to develop the policies for and some of those actually have an influence on security issues. What do the policies around TLDs look like? And then there's the implementation of those that they are put through SLAs, et cetera. But that's a multistakeholder model with input from governments when it comes to the cybersecurity issues such as for example, how the DNS abuse is handled, that we have a public safety Working Group inside the Government Advisory Committee but then we also have many other groups that look at these kind of issues and whenever there's a policy development with ICANN, it goes to public comment. So literally anybody can get involved in those discussions.
So when you are talking about the ecosystem, where ICANN has a role in policy development, absolutely that's multistakeholder.
>> TATIANA TROPINA: John, given that the public safety Working Group of ICANN is inside the governmental advisory committee, does it say something about the roles of the government?
>> JOHN CRAIN: I think it possibly does. So that group -- it's not the only group that talks to security issues. For example, we have a gentleman here who chairs a committee.
>> SALLY SHIPMAN WENTWORTH: I wondered if he would weigh in.
>> JOHN CRAIN: It does say something about how governments see their role and they formed a group. We didn't form that group. They formed a group that deals with public safety concerns and that they consider oddly or not that law enforcement is a government agency, right, is a government service.
So it says something about how they see it and how they have set up a Working Group to deal with public safety issues.
>> SALLY SHIPMAN WENTWORTH: Patrik, and then I will move to Dominique?
>> PATRIK FALTSTROM: Yes to address some of the things he was saying, I think this boils down to what do you mean by security?
I think a lot of legislation or the rules we have regarding privacy, also have to do with the norms in the society and the fact that we have different norms and some of the norms are, of course, implemented in legislation. So I think some of these cross border things, if we -- if we just talk about is it more secure to move -- to have data locally instead of moving it to another country, I think that is -- can be viewed as a consumer rights issue that you as a person described, you expect to give the information to treat the information in a certain way, and not give it away more than in certain ways.
And what the governments are doing, one way of making you feel more -- more secure is to ensure that the data stays within sort of the ecosystem, where people shared the same norms.
So that is one way of looking at security. Regarding storing data in the decentralized, that goes back to each entity is responsible for something, storage or service, they have to do their own risk assessment and see on contingency plans and whatever, and normally, on the Internet, redundancy and robustness is the best thing. So replaceability in one place, that's good.
You need to make sure that you can restore whatever you are doing given that that storage is going away. That's a risk.
So the important thing from my perspective is that there is a risk assessment provided, not what the result of the risk assessment is.
>> SALLY SHIPMAN WENTWORTH: Thank you, Dominique, do you want to weigh in on this from an industry, GSMA perspective.
>> DOMINIQUE LAZANSKI: I want to say it's my colleagues in privacy who are much more expert than I am. I want to support what Patrik said and I think it's really important that we understand that obviously there is a trade off, but there's national and international and there are laws and mechanisms to ensure.
I'm sure you had other discussions throughout the last couple of days at EuroDIG but for us, especially for the mobile industry, the cross border data is really important for the industry, and also for what Patrik said in terms of security not to have a centralized system but to have a fairly robust system network across different countries as well.
But obviously, you know, you see a lot of economic benefits to this in terms of innovation and business development, but I would say sort of watch this area from the GSMA and my colleagues will follow up a bit more. It's a hot topic right now. I don't think it will go away any time soon. Thanks.
>> SALLY SHIPMAN WENTWORTH: Do you have more from the remote?
>> TATIANA TROPINA: I do. Just a comment. I don't know if it's better to start discussion on this or close the discussion on the government. So John, further to what you say, the comment is it seems like governments are taken more seriously at ICANN regarding security issues than other stakeholders.
Do you want to respond to this?
>> JOHN CRAIN: I think everybody is taken seriously. I mean, there's always this impression that, you know, if the government says something, it has to be that way. If you look at discussions around, for example, access to registration data and WHOIS. If that was the case, we would have had a solution -- I'm not saying it was a good or bad solution but we would have had one years ago.
That is an issue where there are issues of security, but also privacy and that conversation is highly active, and the community has to figure out a solution there and that really is a case of a multistakeholder process where all the different views have to come in at some point a sensible solution will come out and then we as the workers, the worker bees will go and implement that in some way.
I think the answer is that they are taken seriously and so are the other areas. If you have ever been to an ICANN meeting and watched the communications between various parts of the Government Advisory Committee and I know there are people in the PSWG here and the registry, and the registrars and the at large which often talks about privacy issues, et cetera, and trademarks, people, you know, everybody is there. And everybody gets to get their say. It's fascinating.
>> TATIANA TROPINA: So maybe we will see it soon as yet another multistakeholder example in the public safety or security.
Are there any further comments as to what has been said?
>> AUDIENCE MEMBER: I'm from Brazil, from the Internet Steering Committee. I would like to make a brief comment about multistakeholder organization that we are. It's very important to have multistakeholder organization, because we are not only governmental organization. We have nine members from government, 12 from civil society, academia, the market, company, users and it's very good to have a place to discuss all of these kind of problems, including cybersecurity.
Not only way -- with only one point of view. Just to give an example when we had recently the problem with WannaCry, we invited people from Microsoft and the head in Brazil for cybersecurity came to our first meeting to explain the problem and what they were doing to solve it.
We are very respected and we were named by the government as a technical advisor for all of the subjects related to Internet and security.
And just to enforce the importance of the multistakeholder model, maybe most of you are following the instability, the political instability in Brazil. Maybe we change the president in the next period but the CGI will remain the same because they are independent politically and financially. That's very important what makes a good model.
>> SALLY SHIPMAN WENTWORTH: Patrik.
>> PATRIK FALTSTROM: I think that's a very good model that people should have a look at. Sharing information in the way you do it in Brazil one way, and Sweden we do it slightly different. I think in each country, in each group, you should look at what is efficient in your context, because the good thing with multistakeholder is also whenever you have the discussion or share the information each party can go back and make a more informed decision of what is right instead of making a decision just within their own context, because governments, of course, they want to make decisions that the people are happy with, otherwise they don't get reelected. Private sector won't be able to develop services that sell things on the market, and the civil society wants to know -- and we consumers want to buy good products.
So each one of us make decisions within our context but the multistakeholder model can help each one of these groups that that decision can be more informed and informed by the multistakeholder sharing the information where you in Brazil do exactly the same you explain and other people may do it in other ways. Thank you.
>> TATIANA TROPINA: Thank you, Patrik. I think we have one more intervention.
>> AUDIENCE MEMBER: Yes. I have been listening and thanks for the discussion, this has been great. I was a little bit surprised because I haven't heard any of you mentioning the big elephant in the room, about encryption. I think there's a lot of information about encryption. That it is perhaps the security issue.
A question to all the panelists. Do you think the multistakeholder model can address the challenge of encryption?
>> TATIANA TROPINA: I think we have roughly 20 minutes for discussion that would have taken two days.
Any more interventions.
>> SALLY SHIPMAN WENTWORTH: Let's take that one. I think it could take some time and I think it's an interesting one in light of -- because I took notes, Patrik, in light of sort of the tiers that you talked about. There's the idea of the norms, the operational work but in this instance on encryption in many ways, the technology is out of the bag. It's running too. It's being deployed. There are technical principles around end-to-end encryption. It's out in the marketplace and it's being used. It feels like this is where the norms or the legislation is trying to push to figure out how to keep up or work within in this in terms of how we do this.
How do we play this model out in light of the encryption discussion? George, may I turn it to you or does anybody want to bite on this? Maybe I don't have to put nip on the spot. Patrik will bite. Oh, go, ahead, George.
>> GEORGE CHRISTOU: Is multistakeholderism a solution, a potential solution to encryption? Probably not a solution but different perceptions on encryption need to be heard. I think you touched on some of the conflicts, the broader despite is security vs. encryption. It's important to everybody, everybody's perspective is heard.
It means some voices will be heard more than others in the current context, but it's precisely why multistakeholderism does become more important in terms of trying to achieve the right balance between the security and the rights of people online.
So for me, it's important that we do get some perspective on this. It's clear that there are conflicting interests and that security logics can interfere quite often with the privacy and the data protection logics. Is there a silver bullet in terms of a particular forum that we can say will solve the issue? No, I don't think there is. There is some good practice in terms of targeted access, as opposed to mass surveillance which can help towards resolving some of the issues, but it's -- it's -- it is inevitably a complex issue. There's cyber criminal prosecution and collection that needs to be addressed. And there's privacy. I probably created more questions than answers. I think it's an important issue that stakeholders need -- need to be engaged in.
>> PATRIK FALTSTROM: I think people are adding too many questions and too many issues under the word encryption. I don't see a problem with the word encryption whatsoever. That's why I'm not talking about it. What do you do if it's the case that someone is breaching the rules and the norms that are agreed upon in the society. For example, by not handing out data which you are supposed to hand out, data that you might have encrypted somewhere and you have someone who has not given out that data that to me is the following the rules and rule enforcement. If you don't follow the rules then it might end up being a question of encryption or de encryption but that's corollary of the -- and the anonymity. So anonymous for whom? Under what circumstances? Within what context? So.
So I think those are the issues that should be discussed. I don't see it as an encryption question. So both the ones in favor of encryption and the ability to encrypt data, and the ones that don't. I think both of them miss the target. Just like broadband. Encryption and broadband I don't want to hear. I want you to repeat what you just said without using broadband or repeat what you just said without using encryption and then it might be a more interesting discussion.
>> SALLY SHIPMAN WENTWORTH: Go ahead, Robin.
>> ROBIN WILTON: It feels like a web comment to be made in response to the Internet Society.
But the Internet Society -- we think that strong encryption should be put at the disposal of the consumer. Trying not to do so it creates absurdity.
If you Google an article by Cory Doctorow and banning encryption. You will find about 12 reasons why it's probably unworkable and leads to some absurd positions.
How do you stop someone from downloading from another jurisdiction where it's legal a software package that allows them to perform strong encryption?
That's just one example and as I say he has about a dozen others but I cannot see that attempt to curtail or ban encryption being fruitful in any way.
>> SALLY SHIPMAN WENTWORTH: John?
>> JOHN CRAIN: So I have talked to many people on both sides of that discussion, and I agree with Patrik, that, you know, talking about encryption and it's just pure, it's all about encryption. It doesn't get you anywhere. Of course people need to keep that data safe, which is what encryption is about.
And there are some real discussions to be had about when appropriate authorities and under what rules can get to that data. And when you talk to people and you do what Patrik says, you take encryption out of it and you talk to people on the law enforcement side, they are actually very aware of the fact that if we didn't have encryption, we wouldn't have an Internet or eCommerce.
A lot of times you see these very polar discussions in the press, et cetera, and sometimes by politicians because they do the sound bites they are told to sound. When you talk to people who are in the actual world of thinking about it, you find it's much more nuanced. You know, it's not -- encryption is not the big, bad, boogie man for data or for people who are privacy advocates. It's controlled access, et cetera.
>> SALLY SHIPMAN WENTWORTH: Yes, of course.
>> PATRIK FALTSTROM: I think that's a really good framing of it. I have heard law enforcement agencies -- so I will try and obey the Faltstrom rule and try to talk about this without mentioning the e word. I have heard law enforcement agencies frame the question like this: There should be no way by which data can be put beyond the reach of the duly served warrant. Okay?
And I think that's probably a position that you have heard as well. My slight quibble with that and it's not a black and white thing, but my slight quibble with that, I think that imposes a higher obligation regarding digital data, than it imposes on data that is put out of reach by other means.
So, for example, if I write down my own passwords in some code that is understandable to me, but not understandable to anyone else, there's no third party who can reveal that data on my behalf. I think that some of that discussion about law enforcement access imposes a higher burden on the user than for data secured by other means.
>> SALLY SHIPMAN WENTWORTH: I will turn it back here -- we have another question here and then another one in the back.
>> AUDIENCE MEMBER: Just a brief comment. Without going into -- this should be decided in multistakeholder fashion. We should not assume that the government has the right thing.
I think one of the key characteristics or maybe idea of a democratic government that it deliberates its own means what we can do. For example, we might agree that the government should not torture people, even if it results in the topples of a government. The governments should fall if they cannot torture people.
Are there things they should be doing to protect themselves? Should we have encryption -- okay, I said the word, sorry. Allowing people to use that way, eastbound law enforcement in some cases, should there be absolute right of the law enforcement to be able to get at it? Should people be able to use encryption to overthrow the government. Should it be something like that?
>> PATRIK FALTSTROM: And I think those are exactly the kind of questions that you have to have with those people in the room, and everybody else, because we all have opinions on this. For example, I don't want anybody to be able to get my data ever. I encrypt everything, but that's just my opinion, right? So that's exactly why we need a multistakeholder approach to some of these discussions.
Because I think most of the opinions are valid in certain context. And that's when you bring them together and you understand each of the view points that you might come to a solution on this. Might.
>> TATIANA TROPINA: We have one more intervention.
>> AUDIENCE MEMBER: Good afternoon, Arnold from the Dutch government. When I was working on my laptop during lunchtime, I didn't know that my laptop was not adjusted to this time zone. So I was living in one earlier time zone and I'm so sorry I missed this wonderful panel to hear what they would say about the multistakeholder approach with respect to cybersecurity and combatting cybercrime. I'm so sorry.
I only have one question before I can elaborate a bit more on that. Did the global forum on cyber expertise has that been mentioned as a multistakeholder model, combatting cybercrime? I think that is the perfect example where multistakeholders get together to come up with concrete solutions regarding problems with respect to cybercrime. It is a platform which has been raised during the last global conference on cyberspace in The Hague in 2015.
It's now up and running, 60 members, 38 countries, governments, 13 international organizations and the rest private sectors assisted by an advisory board comprised by the technical community and the civil society and they are working together very closely and very productive, I must say.
There are already 13 concrete initiatives where they are working together in a truly multistakeholder setting and a couple of days ago, the global forum of cyber expertise had its annual meeting and they had agreed with the upcoming chair for the next GCCS, the global conference in cyberspace in India to come one security cyber building.
They are working on a roadmap to a global good practices in this field.
So very clear examples where they are working together. And then a few initiatives like Internet infrastructure initiatives which main goal is to assist developing countries in implementing modern security standards DNSSEC and there are many more. Just to give you a short glimpse of this wonderful work and I will close with some national initiatives in the Netherlands.
We have set up a so-called secure email coalition between the government, the private sector and the civil society to really urge all the participants to implement secure, modern safety standards in order to combat, for example. Next to that, we have a multistakeholder whose main aim or goal is to also implement private organizations and other organizations, implementing the so-called safety standards.
Well, I will stop here because I can go on forever. But at least I try to inform you about all of those initiatives which are going on not only globally but also nationally and I think this is the way forward.
>> TATIANA TROPINA: Thank you very much, Arnold. There are quite a few initiatives mentioned, indeed and thank you very much for adding on this.
And I also believe that the -- it's also part of freedom online coalition Working Group especially for Internet free and secure.
Concerning your comment about everything going on the national level, I think you missed some parts of this discussion but I believe that some of our panelists already commented that it might be different on the national level. It might depend on the country.
Are there any more --
>> SALLY SHIPMAN WENTWORTH: So Tatiana, I'm just looking at the time here.
>> TATIANA TROPINA: Shall we start wrapping up?
>> SALLY SHIPMAN WENTWORTH: I think so. I think what I would like to ask the panelists to do, is think of your parting thought with what you would like to leave the group back. And going back to the session teaser. So with that going with our going in question. Is the model fit for purpose? How does it work in practice when we are dealing with the very real issues of security of the day?
I would like to ask each of you in terms of your parting thoughts what would you like people to walk away with. John, we'll start with you.
>> JOHN CRAIN: I will keep it short. I think yes, the multistakeholder model has a role, especially in areas where it involves policy and discussions about what policy should be.
But we also need to understand that it's not always the solution. When it comes down to operational matters then it's really about getting the people involved that separate the infrastructure or have specific roles. Patrik?
>> PATRIK FALTSTROM: I think we need to have the multistakeholder discussion so we agree on what is right and wrong, what is the norms based on that and with clear sort of directions from the multistakeholder community. It would be much easier to deal with the operational issues which are included in the real security works.
No, security is not a multistakeholder discussion but it should be informed by multistakeholder discussions.
>> SALLY SHIPMAN WENTWORTH: Good. Dominique?
>> DOMINIQUE LAZANSKI: Thanks for having me. I also agree. I think continuing to have discussions not on encryption but on policies and on solutions and on even what Arnold was saying, approaches to capacity building is absolutely essential. We have seen today the wide range of topics between -- well, with everything from, you know, cross border data flows and encryption and also from network security point of view, critical, national infrastructure.
I think we will need to continue to have this discussion. I also just wanted to say to -- add on to what Arnold was saying, the next global cyberspace conference is the 23rd and the 24th of November in India and I can guarantee that there will be a lot of different stakeholders. So thank you for having me for London.
>> GEORGE CHRISTOU: Multistakeholder is alive and needed. It offers different perspectives -- I think the different perspectives needed at the global level. One thing that we have not mentioned is the political significance of multistakeholderism around cybersecurity because of the many states that don't believe in multistakeholderism but believe in bordering digital space. For that very reason, multistakeholderism is working and it will be interesting to find out more about why such platforms, global platforms work, and why they work at the European and national levels and how they work very well.
I think at a political level, I think multistakeholderism is critical going forward for cybersecurity and Internet Governance both.
>> SALLY SHIPMAN WENTWORTH: Robin.
>> ROBIN WILTON: I think rather than just violently agree, I will tweak the topic and come back to the question that was raised about the cross border data transfers because I think there is an aspect that we didn't explore and can teach us a lot and that is the privacy aspect.
So cross border data transfers often crop up in the privacy debate. Privacy is a social construct and as Patrik said, it reflects sets of social norms and those norms change from one country to another. So what happens when data crosses from one set of norms to another? Is that you cross that boundary. And data may be used in ways that don't reflect the social expectations of the person it was about.
Well, sometimes those privacy expectations are reflected in laws. Sometimes they are not. Usually what's reflected in laws is a subset of your full set of expectations about privacy and sometimes your privacy expectations are reflected in technology. But technology turns out to be a really clumsy language with which to express something that is as nuanced as privacy.
So that's a long way of saying this has to be a multistakeholder discussion because you have to bridge the gap between different sets of social norms and different legal frameworks and -- and clumsy technical implementations, which mean that technology alone cannot fix either the security problem or the privacy problem. So there have to be policymakers. There have to be people in the discussion who can explore the economic dimension and the economic incentives.
I don't think there's any way to escape the multistakeholder model and as you pointed out, because there are inherent conflicts between the different incentives of different parties involved.
>> SALLY SHIPMAN WENTWORTH: Well, good I was relieved. I was nervous coming out of the conversation the other day that governments would do security alone. I think we reopened the box and let more people in. I appreciate the nuance, which I think is sometimes lost in these discussions about the layers and the roles and the responsibilities that people have, depending on their -- where they sit in the ecospace and their responsibilities to the infrastructures.
I think this was very fruitful. I think my job is to turn it over to Ceren, quickly, she's the reporter for this session and she will walk us through the summary bullets that will then be passed on to the Secretariat.
>> CEREN UNAL: Yes, that was a different -- that was a very difficult task. I should confess.
So a good amount of stakeholder process is essential and we need to have a consensus with the audience as well. If you disagree, please let us know.
Considering how the Internet was constituted and works, each party needs to take responsibility to ensure some resilience. Solutions to cybersecurity problems are beyond national borders. We need to bridge that divide and acting locally might result in global implications. That's why a collaborative approach is important.
>> TATIANA TROPINA: Anyone disagrees? No, I don't see any.
>> CEREN UNAL: We have different interests and different economic incentives between the stakeholders, especially with regard to -- okay. Sorry, sorry. And also we have different logics when it comes to security, privacy, data collection.
Having a multistakeholder approach is critical, particularly for information sharing which is an essential element for us to share information with the competitors and in order to provide some sort of accountability and transparency, and in that case, role of civil society is also crucial. Although governments seem to take the lead, civil society should take a role to monitor.
>> TATIANA TROPINA: Here we go, Sally.
>> SALLY SHIPMAN WENTWORTH: I don't think we came to consensus that the governments always take the lead.
>> CEREN UNAL: They seem to take the lead.
>> SALLY SHIPMAN WENTWORTH: Strive to take the lead. Better.
>> It goes back to how you define security given that countries, including inside the EU, the state is responsible for the protection of the country itself. They have the law enforcement and they have signed the human rights where they promised to protect their citizens. So that's from some definition of security, they must by definition take the lead, to stress things --
>> TATIANA TROPINA: Patrik, I think I will not argue here, though I think it goes back to your argument that there's no multistakeholder in enforcement anyway.
>> SALLY SHIPMAN WENTWORTH: Okay. So this is good! We are leaving on a note of -- what's the term? Is it dissonance, but this is controversy. That's right. We leave the discussion for another day, we keep going.
>> CEREN UNAL: And one last thing is cybersecurity is a global phenomenon, that would require cooperation and collaboration.
>> TATIANA TROPINA: I think we can violently agree with that.
>> SALLY SHIPMAN WENTWORTH: Thank you very much. I would like to thank the panel, thank Dominique for coming in remotely and Tatiana, lovely to work with you once again. Any final statement?
>> TATIANA TROPINA: Thank you very much to you, Sally. It was wonderful. Thanks to the panel and thank you very much, Dominique, for agreeing to -- for your schedule to be online. And a big thanks to the technical team of EuroDIG. It is my third time with a remote speaker and moderator and it really goes well. Thank you very much.
And when we give applause to the panel, please let's give applause to the technical team as well.
This text is being provided in a rough draft Format. Communication Access Realtime Translation (CART) or captioning are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.