The following are the outputs of the real-time captioning taken during the Tenth Annual Meeting of the Internet Governance Forum (IGF) in João Pessoa, Brazil, from 10 to 13 November 2015. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record.
***
>> VIDEO: Cyberspace, what brings us social and economic growth and intervention but we have to keep it open, secure and free. Together on a global scale. On April 16th, 2015 we launched the global Forum on cyber expertise. Our goals, develop innovative cyber solutions and exchange expertise to build cyber capacity.
We will work together, for instance, to make sure people are safe online, to build strong incident response teams, and to improve national cyber nets. Our members are Governments, intergovernmental organizations and private companies from all over the world. NGOs, community and academics are also involved. Help us make cyber a safer space. Join the Global Forum on Cyber Expertise?
>> MODERATOR: Okay. Cyberspace, well, welcome ladies and gentlemen, to the GFCE workshop, workshop of the Global Forum on Cyber Expertise. I'm David Fenduren, I'm head of GFCE Secretariat, and I'm here in good company, I can say, on my left is Mya Bian, she is deputy head of GFCE Secretariat, Cari McCachren, U.S. Government, Taylor Roberts on my right from the Global Cybersecurity Capacity Center. I always say the Oxford Centre -- that's okay, I guess -- and Thomas Labanowski from ITU. So they are all involved in the GFCE and for the next hour we will have an informative workshop on the GFCE. Firstly, this is the agenda and first we will start with an introduction with key elements of the GFCE. Second, we will give an update on initiatives and last we will get into the participating within the GFCE, Mya, may I give you the floor for your presentation.
>> Ladies and gentlemen, as you saw in the short film the GFCE was launched during the Global Conference on Cyberspace. The GFCE is a voluntary and non‑legally binding informal Forum to exchange best practices and expert on cyber capacity building, the GFCE operates on consensus and aims to identify policies practices and idea and multiply these on a global level.
What would be the added value of the GFCE? Well, the GFCE is about international cooperation on a global scale helping members to strengthen national cyber capacity. The GFCE consists of four key elements. Firstly, to The Hague Declaration and the accompanying framework document. The Hague Declaration is acknowledged by members. It contained common principles, for example, that GFCE contributes to a vision of an open, free and secure Internet. The framework document outlines structures and operations of the GFCE. The second key elements are the initiatives. Initiatives are coordinated by two or more members based on their own needs and interests in for thematic focus areas on which we will get back to you later this presentation.
At least yearly there is a high level discussion meeting. Part of this meeting besides updating on results achieved it is to have a discussion on cyber capacity building. For example, this can clue a discussion about transdevelopments within the field of cyber capacity building and pointing out priorities or white spots.
And, of course, the GFCE will not be a smoothly running operation without a support structure. The secretaries that is based in The Hague of which David and I are our representatives today. During the GCCS the GFCE was launched with 42 members with representatives from countries, private companies and intergovernmental organizations. I'm proud to say that now we have grown to 50 members across the globe.
Members have the resources and commitment to contribute and initiate the initiatives bring support to GFCE is a multistakeholder approach acknowledging that cyber capacity building should include expertise of partners of Civil Society, academia and the tech community, and it's up to the members to invite partners to participate in one or more initiatives. We are currently in the process of further identifying potential partners. Upon the launch of the GFCE members have identified four thematic focus areas, cybersecurity, cybercrime, data protection and eGovernance.
Within these four focus areas members can start an initiative on a specific topic and what we have seen so far is that members have a need for international cooperation on cybersecurity and cybercrime. Consequently, initiatives are developed around these focus areas. For the future, it's up to the members to develop initiatives under data protection and eGovernance.
I present you now a list of initiatives. At this moment the GFCE has ten initiatives currently ongoing and new initiatives are being developed. The Secretariat of the GFCE is hosted and financed by the Netherlands. The Secretariat is the first contact point for all potential members and official partners and external experts. The Secretariat administers a GFCE contact list and keeps it updated. The Secretariat processes membership requests and is the main point of contact for all requests regarding the GFCE we can be reached at Contact@the GFCE.com. The Secretariat provides analytical support to the members and their activities.
The Secretariat is also currently developing a catalog of services to assist members in carrying out their initiatives. Furthermore, the Secretariat supports the high level GFCE meeting as input for the meeting, the Secretariat provides an inventory of global capacity building projects. It does that in cooperation with the global Cybersecurity Capacity Building Centre in Oxford.
Match making is also an important task of the Secretariat. It facilitates further collaboration between members and members and partners. Is does this, for example, matching members who are working on similar initiatives or by supporting new initiatives in recruitment of earth owe members and partners it keeps a contact list of all relevant cyber experts who can be recruited for participation in initiatives.
And, of course, the GFCE would not be very cyber without a website. This is the home page of WWW.the GFCE.com. It is the most important source of updated information on the GFCE initiatives and document. On top of this page you see the menu and you can find general information about the GFCE thematic focus areas, initiatives and members and partners. It also shows latest news on the GFCE, for example, a news item on an initial initiative meeting, and last but not least questions and answers about the GFCE, questions members asked during the last few months.
This is the home page for each member or partner. This is an example page. In general this part of the website shows you flag, logo, and the initiative the member or partner is part of. Other relevant information can be added if need be. Initiative also are provided with a home page. The goal of the web page is to provide the main updated information source on initiative and the kind of content that is published here is a summary of the initiative, the agenda for an upcoming meeting, reports about the meeting, and other relevant documents.
Like I said before, we cooperate with the GCCS in projects and activities worldwide. That is why on our side, you will find the link to the Oxford portal on which we will hear more from Carolyn later on, but first I have to give the floor back to you, David. Thank you.
>> MODERATOR: Well, thank you, Mya. And indeed I will pass the floor to Carolyn and she is from the Oxford Center and she can elaborate something about cooperation where the GFCE to provide an overview of capacity building worldwide. So the floor is yours.
>> CAROLIN WEISSER: My name is Carolin Weisser Global Cybersecurity Expert Centre, University of Oxford. I'm glad to be here to promote the capacity portal which has the objective to show everybody concerned with cybersecurity capacity building on a regional and national level to find out about best practices, modes of partnership, solutions, innovations in the field, but also to present and to promote their own activities, their own collaborations and partnerships to a broader audience or global audience. It's a publicly available capacity portal. I'm going to give out some cards later because it is quite long, but you can find it on any kind of search engine if you type in Cybersecurity Capacity Building Initiatives.
I'm happy to answer questions afterward, and I hope that we are going to provide very soon one stop shop for everybody who is interested in international, regional and national actors in this field are doing. Thank you.
>> MODERATOR: Thank you, Carolin. So we just had a presentation about the organization and about working of the GFCE. If there are any questions from the audience about the presentation at this moment? So if not, we go to the, we go back to the agenda, and we are at point 2 of the agenda. We go into initiatives. At this point we will give an update on the initiatives within GFCE.
So next slide, please. So we already projected the ten initiatives that are going on at this moment. And first, I would like to give the floor to Cari from the U.S. Government to give update on initiatives that are involved. Cari, the floor is yours.
>> CARI McCACHREN: Thank you. I think first I would like to express the thanks from my office, the Office of the Coordinator for Cyber Issues in the State Department of the GFCE Secretariat for bringing this issue to our attention and inviting us to highlight our initiatives. The U.S. Government currently has four active initiatives within the GFCE construct. And three of those have regional focus, whereas the other is global. So I will divide my remarks in those categories. I think the key thing to note about these initiatives is that they fall within the categories of cybersecurity and cybercrime from the four categories that were outlined earlier, although from our perspective it's important to acknowledge the connectedness of these two topics with other issues of concern.
And so in our approach to all of these issues, we try to take a broad and comprehensive stance. So the first that I would highlight for you is the Cybersecurity and Cybercrime Trends in Africa Project. The U.S. Government is partnering with Symantec and the African Union Commission to promote this initiative. This initiative was born from recognition that policy makers, technicians and other experts engaged in cybersecurity and in Africa have noted that there is a lack of detail and reliable threat information regarding cybercrime threats and trends in the region.
We also acknowledge that information of that nature is valuable to us all in assessing and managing the cyber risk at the national and regional levels. So our goal with this project is to create a report that could assess the major trends in the region, sub Saharan African in terms of the threats to the cyberspace and potential impact that the threats could have on those that utilize the Internet from Government institutions to private enterprises and individual users through voluntary country surveys. This report will attempt to take stock of the advances in policy and legal frameworks that Government authorities have instituted in order to better address challenges that they face in an increasingly connected world.
And moreover, the project aims to establish and bolster relationships among stakeholders so that we can all share and aggregate specific cyber threat information. So at the end of this project what we hope to have is threat report that will help us to all have a comprehensive view of the major occurrences of cyber incidents affecting organizations and individuals in the territory of AU member states and to also use that information as Governments and other interested parties who may want to join this initiative to identify gaps in our current framework and to strengthen our prevention and response mechanisms.
This report will be widely distributed. It will be public and free of charge to all of those who would like to access it, and, again, we hope that through this report we will attempt to close some of the gaps we see in the information available on sub Saharan Africa. As I mentioned, we are originally partnering with Symantec and the African Commission to produce this report, but since the launch of that we have received interest from the Council of Europe and the Organization of American States in joining this project, and we welcome that.
An additional update to provide on the progress of this report survey questions that will go out to African Union Member States are being vetted and shared with all of the Member States and the stakeholders in an attempt to receive feedback and create a comprehensive document before those surveys are issued. So I believe we will take questions at the end. So I will just keep going.
So we have, as I said, three regional efforts. The second effort that focuses on Africa is an effort to promote cybersecurity due diligence in Africa. And, again, this is an effort with initiators of the United States Government and also the African Union Commission. At the moment this initiative consists of a group of subregional workshops that the United States Government and the African Union Commission have put on in partnership with regional economic communities across the region of those include the East African community, ECOWAS in West Africa, ECAS and also we have been able to include the participation of COMESA as a regional economic community although we have not been able to host a workshop in that sub region. Last but not least this last fall we were able to host a cyber workshop working with African countries and we are glad to note the participation of partner nations in that effort such as Portugal and Brazil.
That was important to us as we noted that the previous workshops had really addressed the needs of Anglophone and Francophone Africa, but Luciphone Africa had not had a spot to address needs. The workshops encourage collaboration among stakeholders.
They are multistakeholder in nature and we feel they have been successful in helping us all to share information and to coordinate our approach on a national, regional and global level. From this first outreach in the form of workshops on cybersecurity and cybercrime and other related areas we have also strived to identify partners with which we could help to develop national strategies. That project is just beginning so we would welcome interest from other entities in that, and we are also looking at C‑CERT development in particular in sub Saharan Africa and are in the process of identifying partners beginning there in in West Africa and hoping to partner with our ECOWAS colleagues. So that one is a bit more fuzzy, but another key project we have going on.
The last regional project is a project on preventing and combating cybercrime in Southeast Asia. This is an effort working with the United States Government, Japan and also the Government of Australia to address cybercrime as a threat to the interconnected world. We are through this initiative hoping to build on workshops and programs that were started by UNODC in East Africa, but this time with a focus on as I said Southeast Asia. And we hope that these workshops and projects will serve to improve law enforcement capacity and to improve their ability to investigate and prosecute cybercrime at a local level and that in a way that is undertaken with full respect for Human Rights.
So last but not least, and I know my other colleagues have more to share. I will wrap up, the United States and Canada have teamed together to promote, again, project on cybersecurity awareness raising, but in this case through a global effort. We recognize that there are challenges in organizing to educate stakeholders at all levels including Government, private industry, educators and individual citizens on the potential problems and issues that come with increased digital participation, and we are coordinating with the National Cybersecurity Alliance and private sector partners to promote, stop, think, connect, and with our Canadian colleagues get cyber safe as two examples of cyber awareness raising tools that are available globally.
Ideally we would like for everyone to recognize and see and address cybersecurity and cyber safety as a shared responsibility, and the main goal of the initiative is to use tools like these campaigns and these are only two examples, to encourage everyone to take this issue into their own hands. And we are pleased to note that since, again, April, the OAS has joined us in this initiative and through this initiative will be fostering collaboration, cooperation on stop, think, connect, but also working with its Member States to jointly promote cyber safety resources, and to coordinate cyber focused events using both in person workshops and other events that they have put together as well as social media tools. And last but not least to encourage the adoption of October as cybersecurity awareness month. So with that, I will turn over the floor to the next initiatives.
>> MODERATOR: Thank you, Cari. Thank you for your elaboration of your explanation about what you are doing and update on your initiatives. We will ‑‑ I will give the floor to Taylor to talk about the cybersecurity majority mobile initiative and at the end we'll ask you if you have any questions you can ask them.
>> TAYLOR ROBERTS: Thank you very much, David. And I appreciate you allowing me the opportunity to come and speak about the majority model, and I also want to say that it's very impressive, the breadth and the depth of the initiatives that the U.S. Government is embarking on. It really is such a budding area that there is so much to be done that I'm glad you are really taking the mantel and leading the forefront of this. I will talk a little bit about the cybersecurity maturity model that the global cybersecurity capacity center at the University of Oxford has been developing over the past ‑‑ we started in the past two years and have been going out and driving it this year.
So this maturity model aimed to really get a good comprehensive understanding of what cybersecurity capacity is in a country so that we can identify key areas on where to improve. This model was developed in consultation with experts not just from academia because that's where we lie, but also from Government and from Civil Society and the private sector, and not just from the U.K. but from all over the world. We wanted to make sure that we weren't reinventing the wheel in any way when it came to the development of the maturity model and indeed it actually reflects some of the best practices and good practices that are available in all sectors.
We developed this model last year and it covers five broad dimensions of capacity, looking at one being cyber policy and strategy, another being social and cultural aspects of cybersecurity capacity such as awareness raising. Skills development, what education initiatives, what training is going on. Another dimension looks at legal and regulatory environment for cybersecurity and finally the more technical dimension of cybersecurity. So there are five stages of maturity that this model outlines all which is available on line. It's not for our own profit as an academic institution.
So what we have done is we have gone and partnered with a series of organizations such as the Organization of American States. We have partners with the World Bank. We have partnered with the Commonwealth Telecommunications Organization as well as worked with Governments directly in order to implement this maturity model.
I should add that we have done so on every continent except Australia and Antarctica. The Organization of American States was looking at along with the IDB was looking at getting a regional understanding of cybersecurity capacity in Latin America and the Caribbean. What they did was use our maturity model as a foundation for gathering this information and developing a regional report which will be released at the end of this year or the beginning of the next. So they were able to get a comprehensive picture of what cybersecurity capacity is in the Member States.
With the World Bank our engagement was slightly different. They were looking at investing in major ICT products, but at this point didn't have the internal capacity with which to assess cybersecurity. So they are using our model to gain a comprehensive picture of what cybersecurity looks like in a country at which they are looking at making a significant ICT investment in. They are not making an investment without taking security into consideration first.
Also with the CTO, they have, actually they had a panel earlier today about their national cybersecurity strategy programs that they are embarking on so our engagement with them is to say, okay, get a picture of what cybersecurity capacity is in your member state so that when you are developing the strategy you know the key players and you are able to make sure that it really is a broad and all-encompassing effort.
So in the process of this we meet with stakeholders from all different areas. This is including Government, this is including private sector, academia and so they all respond to different aspects of this maturity model so we are not just getting one picture, we are getting a large picture, a large comprehensive picture as well.
So I should also add in sort of in closing that this is an evolutionary process.
We don't want this model to be a static, stick it on the shelf, we are done. Cybersecurity capacity is an ever developing field. What we have done is taken the lessons learned that we have been in this ten reviews we have conducted thus far and are re‑embedding that in the model so it becomes a dynamic and evolving model that can be used in a variety of circumstances, and I do encourage anyone that's interested to please come to me and find a way to work together. Thank you.
>> MODERATOR: Thank you, Taylor, for your passionate speech. Talking about the very useful cybersecurity model Oxford has developed. We will go to our other guest, Thomas, maybe you can introduce on the initiative on ‑‑
>> Thanks very much for this, and I'm very happy to be part of this panel, and, again, demonstrating, this panel demonstrates how collaboration can develop both inside this building but also outside and how we all need to work together to insure better cybersecurity.
So in terms of ITU, ITU is a co‑founder of global cybersecurity and co‑initiator of initiative which we initiated together with as well as Organization of American States and Microsoft. So, again, a lot of this information is fresh because only last week we had a GFCE kickoff meeting where more ideas how this initiative should work has been developed. Before I can describe this initiative, also to mention that we as well as other partners, it's not like we are coming to the table and trying to create something. All of the partners are already doing things in that area.
So ITU, for example, also does CERT building from assessment to the practices. So we did that in 65 assessments in 65 countries. We implemented 11 CERTs, now, national CERTs. The current implementation is also for extra CERTs and one CERT. And we have done 13 cyber drills involving countries. So, again, that’s what we contribute and the partners contribute as well. What we also note is the best thing is not just to do that by ourselves, but to try to build, look for synergies and build something that is bigger than one partner can contribute.
So C‑CERT maturity initiatives idea now and coming back to it is basically bring together all of the partners to help reach the next stage. So it's not only establishment of the CERT but making sure that they are working in a documented manner, in a manner that corresponds to the best practices and, again, building on the models that Taylor mentioned as well. So it's helping CERTs to reach next level in each country. So in terms of method of work, so there are two expert meetings planned for next year, which are not only open for other partners, but we will invite all of the practitioners and policy makers in that area.
The first meeting, the objective of the first meeting will be agree on terminology and common framework for these services, also to insure that we are making measurement tools available, so measurement, maturity measurement tools. Share best practices, guidelines, template documents, how to gain improve C certificate maturity and next steps and methods of work and the second one will progress together with partners how we can, how we implement these joint agreements.
So we hope that this will help all of us to align our practices and align our experience how we help countries to further enhance their CERTs and in that way enhance security further. So just as a parting thought because when we talk about these initiatives in GFCE and others we think of them as developmental initiatives, of something that we help other countries to increase their capacity, increase their cybersecurity, but cybersecurity is any more than any other area, it's not helping others, it's about helping ourselves because if other countries don't have the level of cybersecurity that they can protect from threats inside or outside the country, that will impact everyone.
So we only are strong in this area as the weakest link. So that's why I think, again, this importance of bringing all of the partners together to help, you know, is serving the interest of everyone, not only for the beneficiary countries if you will say, if I can say so, but also everyone around the world. Thanks a lot.
>> MODERATOR: Well, thank you, Thomas, for explaining this about this really relevant initiative on C‑CERT maturity. And you also pointed out that in that initiative within GFCE aren't always new initiatives, but a lot of time existing initiatives, existing expertise, and the GFCE is also about connecting all of these projects together.
I will myself elaborate a little bit about responsible disclosure. It's another initiative. Responsible disclosure, this is a topic, it is also called ethical hacking or white hat hacking. This is an initiative of Hungary, Hewlett Packard Romania and the Netherlands, and from my own experience coming from the Netherlands, responsible disclosure is really a success story. Two years ago the Netherlands established guidelines on responsible disclosure, and in essence I think responsible disclosure is about an agreement between an organization and a hacker actually, and if a hacker detects a vulnerability, he or she is warning the organization without further disclosure of this vulnerability. But on the other hand, the organization has a responsibility to fix this breach.
Well, in the nether hands, it's adopted this approach by especially a lot of organizations model on it from the critical infrastructure and really works well. And so it's also, it has a lot to do with private partnership because critical infrastructure is mostly a private, and it really helps, it really helped the Netherlands to make critical infrastructure more secure.
And so this is one of the best practices we team up with other countries and it could be useful also for other countries to pick this up. So these are initiatives I would like to thank my colleagues for, for elaborating on and giving an update on these initiatives, and I would I will, well, let's ask the audience, are there any questions to one of us regarding the initiatives?
>> LARA PACE: Thank you very much. My name is Lara Pace. I work with Global Partners Digital based in the U.K. I had the opportunity to participate in the launch of the GFCE last week in The Hague which was an illuminating experience and I have two questions, one for you, David, and then one for Taylor about the initiative. I mean, as part of the GFCE document there are a number of principles in the document, and one of them is the importance of adhering to the multistakeholder approach in cybersecurity. It was at the GCCS a number of groups, Civil Society groups have raised issues around involvement of non‑governmental stakeholders in the GFCE and when it was announced at the time there wasn't really an avenue for participation of non‑members.
So it's really great to see that you are planning on including that and opening up the initiatives to non‑members. My question is what particular mechanisms are you planning to put in place for that to happen and how will that, what would that look like? And my question for Taylor, I'm interested in whether you are also measuring and whether part of the measurement model is also looking at the adherence to the principles in the GCCS document, the outcome document that have to do with openness and multistakeholder approach.
Is that something that you are looking at? Is that part of one of the pillars? I know I have talked to some of your colleagues about this, but I wasn't clear how that is being looked at as an important element of maturity of a country when it comes to dealing with cybersecurity issues. Thank you.
>> MODERATOR: Okay. You can pass to the other person, yes.
>> AUDIENCE: My name is Ephraim and I have been, I was there during the launch of this in The Hague. It's a great initiative, and I would just, I would echo whatever Lara said about it’s good that right now we have opened up to other participants. On this, I just, I saw the initiative that you are working on in Africa. I'm from Axis, and we have been tracking down the developments from the African Convention on cybersecurity, the implementation.
Right now we are trying to update our work that we did at the beginning of the year, the legal framework, the Human Rights Convention and all of that. So on this specific issue in Africa, I see you want to work with African Governments to get technical data on cybersecurity threats.
I would be curious if you guys would look at technical data from not just Governments but other stakeholders. For example, I'm not going to mention specific countries, but in Africa, the incidences where there are attacks on let's say journalistic organizations from specific actors who within these ecosystem, like are you able to get that to the Governments but also to other stakeholders generally when you are doing or blogging or researchers because they are academic research institutions which have this kind of data on that.
And then also on the multistakeholder aspect, getting the threads from the other stakeholders. I would be curious to know if you are going to get the data. Thank you.
>> MODERATOR: Thank you. I think we will start with answering the questions. The last question, I'm looking at you, Cari, can you provide an answer?
>> CARI MCCACHREN: So the initiative that we have now is focused mostly on working with our industry partners in particular Symantec and the data they have available to build out this report. However, my understanding is that we are open to new partnerships so if there were other groups that could come forward and assist with that, then we would like to know about it and so I would welcome that information from you or from your partners. And I would be happy to provide my email contacts. Thank you.
>> MODERATOR: Thank you, Cari. And there are two questions from Leah, and I think one question was about the majority model and if it included a multistakeholder approach. Maybe you can provide an answer, Taylor?
>> TAYLOR ROBERTS: I think I can. So the multistakeholder approach is built in in two ways, one in the content of the maturity model and the other in its application. So in terms of the content, it doesn't have a unique dimension per se, but that's because the multistakeholder approach and openness should be embedded in all aspects of cybersecurity capacity. So whether you are developing policy, whether you are raising awareness, whether you are building legal frameworks, it really is to make sure that whenever you are embarking on an initiative that it embodies a multistakeholder approach, so an indicator of maturity in the sort of the privacy area to provide an example.
Every country sort of has a different take on what the level of privacy and security should be. But the ability to have that debate and the ability to embody different stakeholders and different opinions and actually have them contribute to that debate and that overall consensus to what that approach should be is an indication of maturity because you are able to say, okay, what does this particular sector say about this area and what does this particular sector say about this area or in the developing the national cybersecurity strategy, you are not going to have the most comprehensive approach if you are not taking other stakeholder into the consideration of the development of that strategy.
Now, in terms of the application of the maturity model, we make sure that every partnership that we have and every time we go into a country, we have a series of focus groups set up one of which may be dealing with ministers and ministries, but another one would be with critical infrastructure, another one would be with academia and Civil Society, another would be with international organizations, and we have dedicated slots for every one of these different groups so that the picture that we get doesn't just represent one particular entity, but really is comprehensive.
And it's interesting to see when one stakeholder group has one perception on this capacity and another stakeholder has a different perception on that capacity so that we could sit back and look at the data and say this is really interesting that there is this sort of friction between who is perceived to be responsible for this particular area of capacity, for example. And then we can be able to say follow it back and see what really is the issue here? Is it a lack of communication or was there just some misunderstanding? And so I think that we really do take multistakeholderism into consideration with the CMM.
>> MODERATOR: Thank you, Taylor, and I think there was one question left about what is the mechanism to include Civil Society within the GFCE. That is the last part, actually of our workshop, so if it's okay, we will get to that later. Is there any other question? Yes, on the right.
>> AUDIENCE: Yangon Sen from Bangladesh. Someone asked one question, but I want to know about the initiative in South Asia which you just described written in your slide. On the other hand, I have another question, I was in, I saw this year online. This is a very nice initiative, but this is very important to take consideration of in how we need to connect in this Forum, the Civil Society has alerted. I think it is very important because I feel that online and most of the participant audiences participates come from Government. And my second question is and the same question, second question joining or it's based on totally some internal agreement or something like that?
>> MODERATOR: Thank you for your questions. I will take up another couple of questions. We will start at the right and go to the other side.
>> AUDIENCE: Thank you. My name is Seita. I come from Indonesia. I would like to ask the person from the U.S., you were mentioning about original program in Southeast Asia and you were working with Government of Australia, Japan and the U.S. State Department. I would like to ask you why there is no representative from Southeast Asia countries in that program and how can, for example, Government in Indonesia or Philippines, for example, to be part of that initiative? Thank you.
>> MODERATOR: Thank you.
>> AUDIENCE: This is Francois from Germany. There is an initiative called First.org which serves as a platform for knowledge exchange between CSR and IRTs and between CERTs, what's the essential difference? Maybe you can, that's a quick one. The other question is as this is dual use technology, what mechanisms are in place to deal with dual use nature of such technology?
>> MODERATOR: Thank you for the questions. I think we have a quick round on answering them and then we will come back to the audience. First of all, we are asking some questions about the initiative in Southeast Asia, Cari, can you ‑‑
>> CARI MCCACHREN: I will do my best. I think I will take the liberty of answering in reverse order. So the initiative itself as it's built right now is a partnership between the United Nations, Japan and Australia working with UNODC and my understanding is that the initiatives are open for additional cooperation, and that we would gladly consider new partners and that the process for that is to contact either one of the initiators so up with of the Governments and I would be happy, again, to share my contact information, or to contact the Secretariat and express interest. And then the Secretariat can contact our partners in this initiative.
In terms of a bit more information, I will give what I can, and if there are more specific questions, I can take those off line and get back to you after consulting with our experts on this particular project. Essentially as I said, the model that UNODC has previously used in East Africa to consider how to effectively combat cybercrime is now going to be applied in ideally Southeast Asia, and from our perspective each program will be divided into two parts and each part will have separate courses for investigators and prosecutors.
And each of the regional trainings will be tailored to the needs of the recipients, so they could be slightly different depending on the audience that would be served in that instance, but could include network forensics, mobile forensic investigation, evidence analysis, cybercrime prosecution skills, cybercrime unit development, international cooperation in cybercrime cases and the effective handling of digital evidence.
And, again, these would be trainings or workshops hosted by UNODC or judges and judicial staff. And our goal is that from those workshops participants would better understand the digital forensic process, better understand how to gather and utilize digital evidence, understand a common or take a common approach rather to cybercrime related issues and to better address criminal procedure issues that are typical in cybercrime cases including Human Rights protection, international cooperation issues and also sentencing. Thank you.
>> MODERATOR: Thank you, Cari. I think there was another question about the membership and so the membership itself there are no costs involved in that. It's an Open Forum or an open initiative for the GFCE and there are two steps and Mya already explained one in becoming a member and the first is to formally agree as a potential member on the political declaration that was, that's on our website and that was already launched at the GCCS. So that's one thing. The other thing is that in the draft document, it's also included that the members have a say in who will join the GFCE so it will be sort of procedure that the members agree for a new member. So these are actually the two steps you have to take for being part of the GFCE but, again, there are no costs included. Let's see, and then we have, I think we had a question from our colleague from Germany.
I think Thomas, can you ‑‑ it was about, I think about first organization.
>> So, okay, similar question, similar response to others it's like of course we welcome as many partners as possible to these initiatives who can contribute, but in terms of you we as such already collaborate. We have an understanding with this, with the objective for that memorandum for understanding is basically when the CERTs are built, we are also helping them to align first and to be a part of that bigger network. So the idea is that, the idea is that they gain how to cross leverage between the work of everyone also doing. ITU can help implement a CERT but then CERTs help to continue established links between the CERTs and then cyber drills help them collaborate. So how to put all of those organizations in one mosaic and that's the best way for us to try to work together on that as well.
And then again, those all initiatives will, of course, will benefit from other people who kind of have clear contributions also coming forward and saying that's how we want to contribute and we want to be part of that.
>> MODERATOR: Thank you, Thomas. I will suggest that we have one round of questions, and then we will proceed with the workshop and in the end if you have some time left, then we have another round to ask questions. So who has any question? The gentleman over there, lady on the left.
>> AUDIENCE: I had a question about what sort of guidelines are in place and whether you are going to be counseling members on transfer of data across jurisdictions, especially with respect to privacy, but other jurisdictional issues as well. We have seen in the United States one of the main mechanisms for cybersecurity threat response is information sharing as it's called. I think that's a really euphemistic term as the Government often pressures companies to turn over cyber threat information without adequate safeguards for personal privacy, the right to privacy, the protection of data. And so this information sharing program is often not voluntary as it's meant to be, yet we do see this term in the latest draft of the World Summit Information Society review document as kind of one of the methods for combating cyber threats.
I'm also interested in how and whether you will discuss the mutual legal assistance system in relation to this program especially as you are coordinating between nations. Thanks.
>> MODERATOR: Thank you. There is a lady on the left. We first have ladies on the left if you have any questions.
>> MARY UDUMA: My name is Mary Uduma from Nigeria and I'm glad to be here and to listen to some of the initiatives that are going on in sub Saharan African. Particularly I'm interested in your cybercrime. One of the themes is to fight cybercrime. And in fighting cybercrime in our environment, we know that we have, those that are too difficult for us, and those that are easier. The too difficult ones are the ones that relate to recruiting terrorists on line.
Do you look at such as can you fight that, the program and the initiative, that part of your work to be able to, to build capacity on how we will combat that is a big threat for us because even our children are being recruited on line for terrorism and also all sorts of criminal activities.
So those are things that consider us a lot. So your focus, is it just to build capacity with law enforcement, I mean, with the legal sector or lawyers or judges or what. All of the people that will be part of the policy makers in the environment, do you also build capacity with them? Do you also help to see what we can do to combat the type of criminal activities online that we have in the region? That's one.
Secondly, I want to ask just like the colleague from Germany asked, first there is in part all of the cybersecurity related organizations, how do you relate with them? Are you duplicating what they are doing already or you are doing a new thing from what they have been doing? Thank you.
>> MODERATOR: Thank you. There is a gentleman in the back over there.
>> MICHAEL HICKSON: It's a long way to the back. Thank you very much for waiting. Michael Hickson, ICANN and thank you very much for this interesting, most interesting explanation. I think you ought to be congratulated for the initiatives that have evolved since The Hague Conference. Some of us were privileged enough to be there, and indeed watch the launch, the glitzy launch as I remember it with videos and dancing and it was, but it was a very, very interesting launch indeed.
But I suppose for some of us that are old and I know most of you aren't, but we have witnessed a lot of initiatives in the Internet Governance arena, and as someone said earlier, I think there is so much to do, so no one is saying that there is not work to do, but at the same time, there is the need for collaboration and cooperation. It does seem that you will certainly doing this in a number of areas.
So two specific questions, I suppose. One, on the cybercrime side, there is a major initiative by the Commonwealth, I'm sorry, the Commonwealth cybercrime initiative, which is work to enhance the knowledge of cybercrime in a number of countries in the Commonwealth, notably in Africa and now starting in the Caribbean, and it will be interesting to see whether you will be able to perhaps work with that in some of your initiatives.
And I suppose the second question is more general question. Is how the GFCE sort of relate to the general process of the cyberpeace conferences? The next cyberspace I think is in 2017. Will you be sort of if you like reporting back to that or are you sort of separate from that? An odd question, but were you spawned in The Hague so to speak and are able to do your own thing so to speak or are you going to be reporting back to the Government, to the Governments of the next cyberspace Conference in 2017. Thank you very much indeed.
>> MODERATOR: Thank you for these questions. The gentleman here in front of me. Can we have a mic to the front?
>> Hi, my name is ‑‑ I'm a business consultant and I want to ask a question to Cari, you say that you have a document which we can access which is free of charge. Can you tell us the site to download the document? Thank you.
>> MODERATOR: Thank you for this question. Maybe Cari, can I give you the floor? I think there were several questions I don't know if you wrote them down. I think there was something about information sharing in regard to the cyber threat information initiative. And there was a question I think from Nigeria about cybercrime online.
>> CARI MCCACHREN: Can I bundle some of these? Is that a possibility? I'm going to do my best. Let's see, so maybe first we can start with first. I think there was a question related there on two fronts. One thing that I would say, and I think this gets to the question, the information sharing question, the stop, think, connect question which was the program I was referencing and also others is that within the key initiatives that our office has been promoting in cooperation with the African Union Commission over the last few years the idea behind those workshops are that while focusing on cybercrime and cybersecurity as I mentioned our goal is to take a comprehensive approach to these issues and with these workshops in particular, the goal is to build relationships and to understand both the technical and the policy elements to these issues.
So to do that, we have taken a multistakeholder approach to implementing the workshops, and so there have been representatives from across the technical community, from across industry. We have invited Civil Society participants to come and for instance address on Internet freedom and the respect for Human Rights while combating cybercrime. We have talked about the role of the private sector in cybersecurity and the role of Government in cybersecurity and the role of the individual in cybersecurity, and because of that have been able to pull together some of the different programs that the U.S. Government overall has been promoting for years.
The beauty of the inclusion of this project in GFCE for us has been a more public recognition of the work that we have been doing, and the opportunity to identify new partners to work in that space. So, for instance, I think that the work that we have been able to do as an office apart from the work that our technical colleagues have been able to do in the department of homeland security with First has been better because we have been talking about these issues in a more comprehensive way. So I think that's overarching a couple of key points.
Related to the inlet process and information sharing, I won't go into details on that and if you have specific questions we can talk after the workshop about your concern, but what I will say is that one of the pieces of the conversation that we have been having a part of these workshops is the importance of tools in combating cybercrime. And those tools for us frequently include recognition of the benefits of the Budapest Convention on Cybercrime and the connections that come with that when you are talking about dealing with what is a transnational issue almost certainly. And there is also recognition from our office and our Government and our partners that combating cybercrime includes looking at how terrorists are using the Internet and what that means.
In terms of what the individual can do, I think that takes us back to another initiative which is the public awareness raising campaign, stop, think, connect, is one example. Our colleagues, our partners from Canada have another example, get cyber safe. The beauty of stop, think, connect is that for us over 150 Governments, academics, non‑profit partners including 25 international entities such as the African Union Commission and the Organization of American States have picked up the materials of stop, think, connect, and we would be happy to get you the website. I don't have it at my fingertips, but if you Google it, you can find it because I have found it that way.
Those materials are not just readily available, but they also come in multiple languages. I know that some of the questions have been how do we tailor a public awareness campaign to the specific circumstances either of a regional group or of a particular sector of society, for instance, young children? How do you make this relevant to young children while at same time making it relevant to users and different campaigns have done different things to try and dress the particular needs of different groups.
So what I would say is, again, the beauty of including an initiative like this that has been ongoing in partnership with the national cybersecurity alliance for a while is that we have the ability to not just flag our materials or the materials we have been using, but the materials that others either are using or think need to be created.
So we would welcome thoughts, again, of new partners, of partners who are creating that type of material about how to protect yourself, what to do to be safe online and we hope that we can continue the conversation. So I think that covered some of them.
>> TAYLOR ROBERTS: I just wanted to quickly comment on, especially on the ability to insure to be inclusive of other existing initiatives that are going on, and I want to highlight what Carolin and the GFCE are doing with this mapping initiative going on. It's to be able to see what are the plethora of initiatives that are going on in the various aspects of cybersecurity capacity and make sure that you are not do you mean indicating something that's going on, but, B, take advantage of things going on in your nation or region that you may not have been aware of otherwise. So this is a good initiative that the GFCE has embarked on.
>> MODERATOR: Thank you. Thank you, Cari. Thank you Taylor, for adding some points. I think there was one other question left about GCCS, the Global Conference on Cyberspace. In 2013 already in Seoul capacity building was pointed out as one of the main themes that should be picked up also on a political level, and in The Hague, we adopted this focus and created the GFCE to fulfill the need that we countries that were coming to the GCCS and also partners were pointing out on capacity building. And it will be related because the origin of the conversation in the lounge was at the GCCS, and the next GCCS the GFCE will be part of it, and I think the GCCS is a perfect forum or to have this political discussion on capacity building, and that's really needed to get it on the political agenda.
So, yes, it will be part of the process of the GCCS and fortunately in 2016 there is no GCCS. So we will continue with the GFCE, and in 2017 we will ask political attention at the GCCS regarding capacity building. What I would like to suggest is to proceed with the workshop. We have just one part left. If you have questions after this workshop you haven't asked yet, we sit here so you can come to us and ask a question. I will suggest that. We will proceed.
So there was a question, and this part is related to it on the participation within the GFCE and what sort of mechanisms do we have to include partners? So let me start with this, the GFCE is an informal Forum, and participation, multistakeholder and transparency are important values that are part of the GFCE.
And so first of all, at our website, the GFCE.com, you could find the latest information about the GFCE for members, partners and non‑partners. Secondly, we have a mechanism of members, private organizations, intergovernmental organizations and countries who participate and all participate in initiatives and also provide who are able to provide resources and commitment to initiatives. So that's really important.
But we need, we need also the full range of the multistakeholder community, and there is a lot of knowledge and expertise within NGOs, within academia and also the tech community, and our mechanism is that participation is the key, and initiatives are the core of the GFCE and if members are initiating an initiative, then they will search for the right and the relevant partners who can provide them with expertise and invite them to be part of the GFCE. I think that's one of the, that's one of the mechanisms to invite and to get partners on board.
And secondly, at this moment, we are also in the process of sort of developing an advisory board of partners who can, who can give their opinion and thoughts into the GFCE process. So these are actually the two mechanisms that work to include the multistakeholder approach within the GFCE.
So I would suggest to do a sort of last round with questions. I think we are almost through the presentation and the workshop. Are there any questions left at this moment? If not, I would really like to thank you ‑‑ oh, there is one question.
>> AUDIENCE: Thanks. You just keep using the term multistakeholder and I'm just not sure that the rest of the stakeholders, the partners as you term them are on the same footing as the members when we, I'm speaking as a Civil Society group need to be invited by the members to join, presumably if we can be invited, we also can be kicked out. Second question would be are members when they start a new initiative forced to actually invite stakeholders or can they just not? I don't know if there are any other questions on that line. Thanks.
>> MODERATOR: I will try to answer that. First of all, I think there are like two roles partners have. The first one is there are a lot of parties who can deliver expertise. That's the first one. And the relevant partner should be included into the initiative. So that's the first one. The secondly, and that is the one we are developing that's why we call it the partner advisory board, we are developing that and that's sort of a structural advisory board to get partners into the GFCE and we are in a process of for the next half a year to also to detect what should this advisory board look like? Who should be in there? That will sort of reflect the voice of the multistakeholder community.
So this is what we are at this moment the mechanism we are trying to do, and I think one of the things that we, that are part of this, our thinking of this mechanism is also that we want to make the GFCE also manageable, because if we have these meetings, it will be very hard if they are like for all of the members talking about the GFCE so that's why we try to figure out are there smart useful solutions to include the multistakeholder model and still make the GFCE an effective and workable and informal initiative.
So I hope this will a little bit give answer to your question. Is there any other question. The last question.
>> AUDIENCE: Just a clarification. When you say the Government agency is not eligible to be a member, so when you talk about Government, are you looking at the highest level or in like the ministry or is it those that partner with you at The Hague or what because from here membership is for countries. In ITU country membership thing and they always have a department that represents the Government there. So I don't know. Please clarify that for me. Should we, should I go back to present this to my Government and be able to tell them exactly what would qualify my country to become a member.
>> MODERATOR: Well, like every country is different and also cyber is different in every country. It's not always the same ministry who is involved in cyber, for example, but in the basically, what we, what we are aiming for is that a ministry on a high level is subscribing our political declaration and they are the contact person, you could say, for this country, and if there are other parts of the Government, for example, CERTs or other parts who are part of the Government they don't have to be a member then and they can be sort of ‑‑ and it is up to the responsibility of this country to coordinate within this country all of the other Government parts.
>> AUDIENCE: Thank you.
>> MODERATOR: Okay. I think we are up to the point to finish this workshop. I would really like to thank Cari. You had to work, isn't it, in this workshop, and Taylor who was really passionate in his speech and Thomas, who has good answers and Mya, of course, for the presentation. And especially I would like to thank the audience for this, for all of these questions, and if you still have questions left, then please come to us. We are here. Also you can, if you have questions about the GFCE you can contact the Secretariat, contact the GFCE.com and so I would like to finish this workshop. A last remark is we have left some pencils on the, it's a kind of new thing. There is a light on it and also a laser on it, and we have pencils over here, so if you are interested, you can pick them up. Thank you.
(Applause).
(Concluded at 17:23).