EIGHTH INTERNET GOVERNANCE FORUM
BALI
BUILDING BRIDGES – ENHANCING MULTI-STAKEHOLDER COOPERATION FOR GROWTH AND SUSTAINABLE DEVELOPMENT
23 OCTOBER 2013
14:30
FOCUS SESSION (SECURITY):
LEGAL AND OTHER FRAMEWORKS: SPAM, HACKING AND CYBERCRIME
The following is the output of the real-time captioning taken during the Eighth Meeting of the IGF, in Bali, Indonesia. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
Also, don't forget to pick up headphones in case somebody wants to speak in another language other than English. We provide translation. So we may as well make use of it. And please come closer, and I would like, then, our session Chairman, Dr. Edmon Makarim, to open the session and make his introductory remarks. Please, sir.
>> E. MAKARIM: Thank you very much for the opportunity. Excellencies, ladies and gentlemen, good afternoon. Welcome to IGF Bali tween. I hope you enjoy the conference and the Bali surroundings in your busy schedules here.
We will now resume the meeting. I declare this afternoon session open. Please allow me to open this Focus Session, which is dealing with legal and other frameworks for spam, hacking, and cybercrime. I am looking forward to our discussion about these important issues that I believe are at the heart of the dialogue for this IGF.
We have some distinguished speakers and one moderator. Our speakers are Jayantha Fernando, Director and Legal Advisor from ICT Agency of Sri Lanka. Chris Painter, coordinator for cyber issues from U.S. Department of State. And Karen Mulberry, Policy Advisor from Internet Society. Mr. Wout de Natris, consultant, expert, international cybercrime security and spam cooperation.
I would like to introduce our moderator, Mr. Chris Boyer from AT&T, and Karen Mulberry from Internet Society.
I don't have many words to give the introduction, but I just remind you about some explanation from our website. Soon we will discuss, so please start having ideas so we can hear from your comments and questions, regarding economic and social impact of spam and other malware, successful education and capacity building initiative, effective approaches to public-private partnership and other forms of cooperation, model legal framework for addressing hacking and cybercrime, addressing criminal activity on the Internet.
I just want to share about my experience because I have some lessons learned and practice once we get involved in drafting and also implementing national law, regarding electronic information and transactions law. Single omnibus law for the nation's cyberlaw.
Some cybercrime cases have been handed, misuse of device, fraud, forgery, and so on. The heart is in the pluralism community due to any legal or unlawful content that is against the public morals and public norms, should not be construed as a simple thing also and underestimated.
In principle, we have known that cybercrime is the ultimate medium, but the most important thing is to prevent the crime itself. It would be reduced by the effort to socialize -- might be forgotten to be pronounced and implemented in the society.
I personally would like to have enrichment from this discussion. Should we make a clear distinction between spamming and hacking outside of the scope of cybercrime issues, or it might be included in the scope of cybercrime.
I believe this topic has been at the centre of our dialogue at the IGF. I hope we will have lively discussion.
We have an excellent panel I have already pronounced, and before delivering to the moderators, I would like to give Mr. Kummer at least five minutes to state some important things. Thank you.
>> M. KUMMER: Thank you, Mr. Chairman. I will not take five minutes. I am Markus Kummer. I also work for the Internet Society, and I chaired the preparatory process. And in the preparatory process, we took note of the recommendations that came out of the Working Group on IGF Improvements. There was a Working Group under the Commission on Science and Technology for Development. And one recommendation was that each IGF session should address two or three policy questions.
We thought it would be a good idea to ask the community for input, and we collected them, and they are available on the IGF website. Now, the policy questions for this session, legal and other frameworks, are up on the screen, and I know the moderator will go through them during the session.
We received nine questions, which is actually quite a lot and shows there is a lot of interest for this session, and some of them relate to what role can the IGF play in this important aspect of Internet Governance. And with that, over to you, Mr. Moderator. Chris, please.
>> C. BOYER: Good afternoon, everyone, and welcome to this session. As has been discussed previously, the session today is going to focus on legal frameworks for spam, hacking, and cybercrime. So from an organisational perspective, what I will do as the moderator is ask each of the panelists a few questions on each of the three topics. We will cover them one by one, so we'll start with spam and then spend around 30 to 45 minutes on each topic area and ask the panelists for their general perspectives there. And then once we are through each of the three topics, we will turn to the questions that we were provided that Mr. Kummer mentioned and go through there. And I would like to encourage the audience -- this is intended to be an interactive discussion, so I encourage the audience to ask questions. After the panelists speak to the different topics, if you have questions, please speak up and come to the microphones, and we will take input from the audience.
So with that, we will get started. So the first question here is really just regarding -- start with the topic of spam, and I think the initial question would be just I would like to get the panelists to offer a general perspective on how big of a problem is spam, you know, and how successful have we been in managing that problem over the past several years?
So maybe start, I guess, with Karen. Do you want to go first?
>> K. MULBERRY: Certainly. Thank you very much. I'm Karen Mulberry. I am with the Internet Society. And in terms of the problem of spam, my first exposure to the differences related to spam occurred during the WCIT Treaty Conference and the big debate about including spam in an international treaty. And then that built upon with all of the delegations and the countries that were participating what was the meaning of spam and what were the issues related to spam. In particular it was an issue for countries that in their view, every problem with the Internet was related to spam. Which led us to see what was truly spam and how that might help them better improve their network and better manage their Internet.
As a result of that, the Internet Society has developed a project to conduct outreach to developing countries, to help them build their capacity and better understand what it means to combat spam, what tools that are out there for them to use and what experts that are throughout that will assist them in better understanding their choices and the options that they may want to implement in their countries. So it's all about building capacity and creating that multistakeholder approach to sharing that information and providing some enablers.
That's kind of an overview right now of what's going on.
>> C. BOYER: Okay. Thank you very much.
Chris, do you want to go next?
>> C. PAINTER: Thank you. It's a great pleasure to be here.
I think when we talk about spam, I echo what Karen said, is that we have to define what we mean. And for -- and spam has a couple of major effects on networks, but first I think we need to be clear that when we're talking about spam or we're talking about unsolicited commercial email, not email that involves political speech or other kind of speech.
I think one of the concerns that we've seen is people try to address spam much in the same way we've seen concerns when people try to address the issue of cybersecurity is that it's not used as a proxy to infringe on various political speech or human rights. So we have to keep these things very distinct as we look at them, both in -- with respect to spam in particular, but more generally with respect to security issues and threats to the network.
And spam to me has two aspects; one, just the effects it has in the network in terms of bandwidth of the network and clogging the pipes, if you will, but also as a vehicle -- and this is where it bleeds over to some other areas of the panel -- as a vehicle for malicious code, for spear-phishing attacks, and other issues we will talk more about when we get to other areas of the panel.
There clearly is, I think, a real concern there, and there clearly is a need for this to be addressed by countries around the world, and countries are in different levels of addressing this, and I will talk a little bit about what we've done in the U.S. but also talk a little bit about the international efforts I think others here will address even more.
And I think the WCIT was a good example. I think we all recognize this is something that should be addressed. There are places where it can be addressed. And I think one of the values of this discussion at the IGF is that the IGF can act somewhat as a router, if you will, pointing to some of the places where this is being discussed and some of the actions that are being done.
So there have been a lot of multistakeholder efforts. You'll hear about some of them today to address this issue both by the technical community. There have been legal efforts around the world as people have tried to come up with the right kind of regimes to deal with this.
In the U.S., we have -- in 2003, we passed a law to combat spam, and again, commercially unsolicited email, called the Controlling the Assault of Non-Solicited Pornography and Marketing Act, CAN-SPAM.
Unsolicited commercial emails had to be labeled, though not through a standard method, and also include an opt-out provision, and it had a number of provisions dealing with deceptive practices.
You know, there were sort of mixed reactions to that act. It's been on the books for a while. It's been enforced for a while. But the key thing about it, I think -- and it certainly isn't a complete fix because it's a legal regime, but at the same time, you do need the technical community and industry to address this issue as a technical issue as well. The FTC, our Federal Trade Commission, has been the main enforcement mechanism for this, and they have taken action, both through preventative measures by helping educate consumers, and through enforcement measures by bringing cases against companies with pretty successful results, and I think that's been important. Often they work closely in a multistakeholder way with industry in those efforts, highlighting the value of having a public-private partnership here.
But how are we working collaboratively to address this issue globally? Because it clearly is a global issue as well. And what I'd say is there are a number of programmes that the range of stakeholders are engaged in, and the range of stakeholders are represented at IGF, through the Internet Society, as was just discussed, and some of those outreach efforts which I think are critical, given this is an issue for the developing world, and through the Messaging, Malware and Mobile Anti-Abuse Working Group, otherwise known as MAAWG, and other groups that are very valuable and which we will have it -- which we will hear about more from today.
I think some of those organic efforts, which include multiple stakeholders, but importantly, industry and others, I think really are something that perhaps are not that well known about around the globe. In particular, the developing world doesn't know all these efforts are under way. So one of the things I think it's incumbent on us and the IGF to do is to make sure there's awareness of those efforts and that there are things, places for other countries and other stakeholders to plug into.
You know, these efforts go a long way to addressing both the nuisance and the malicious nature of spam, which are the key components of cyber hygiene or due diligence measures that also improve cybersecurity more generally. We would be very interested to hear from all of you today that are here as part of this discussion about remaining concerns, about other ongoing efforts that are out there and other ideas for new efforts. But I think part of what we need to do is raise awareness and make sure that countries understand where this is being debated, how they can plug in, and not necessarily decide to go to different forums that may not have the expertise or ability to deal with this.
>> C. BOYER: Thank you, Chris. Jayantha.
>> J. FERNANDO: I will make a brief intervention here.
When we talk about spam, especially in a small developing country like Sri Lanka, we often ask ourselves the question, is it a mere technical issue, or is it a legal issue or a combination of both?
Our general consensus, particularly from my jurisdiction, is that this is a subject where the technical communities, as well as the legal policy communities, have to work together to address the issue. And spam is one area where the multistakeholder model can play a pivotal role, and I think Chris pointed out the various working groups and other fora working on this subject.
In Sri Lanka, we have taken certain steps requiring Internet service providers to ensure that as part of their license, terms, and conditions that they take steps to mitigate the dissemination of spam and to use spam prevention techniques, so on and so forth.
But my point which I want to throw out there, onto the table and to the community here, is to bring out the message that this is an important area where the technical legal dimension has to be married together in a very -- in a carefully thought-out manner to address a global problem. Thank you.
>> C. BOYER: So I think based upon the comments from the different panelists, there was a discussion of a wide variety of initiatives that are already under way to deal with spam -- oh, yes. Did you want to speak -- I am sorry -- before I go on?
>> W. DE NATRIS: I'm Wout de Natris.
I would like to take you back 13 or 14 years from today, and 2013 in between.
What we are talking about when we talk about spam is something which has to do with nuisance. People were receiving more and more emails in their mailboxes than regular messages, and apparently this got to such an irritating level that governments decided to do something about it.
And just like Chris mentioned, it is unsolicited commercial email. Well, in the Netherlands, it's a little bit more. It's also about unsolicited political messages, unsolicited charities. If you don't want to receive that, then it's also unsolicited in the Netherlands. It goes one step further. But it was implemented in May 2004, in the Netherlands. More than half of unidentifying Dutch language spam had disappeared. It wasn't because of this very fierce regulatory agency, but because most companies who were selling commercial messages did not want to be associated with fines and investigations by a regulatory office.
So in other words, that was very effective. Just having a law saying you have to opt in to receive messages, had to be able to send messages actually was very effective.
Of course, that didn't do anything for the international spam that we still receive today with illegal bills, et cetera, et cetera. But that's a different sort of spam because it's not really commercial. It's about products that you are not allowed to sell usually, for example. So that's also a different issue. And from there it became more harmful with -- you already said that also, Chris -- it's more about spam. Today it's more about how to infect somebody's computer or device than it is about commercial messaging.
That's why, in my opinion, I think maybe the laws that were drafted in 1999 or started to think about drafting in 1999 may not be as effective today as they were then. It doesn't mean to say that the regulatory framework as was developed in those days could not work as a starting point. But what everybody seems to have forgotten by now, the OECD worked on an anti-spam toolkit in 2004, '05, and '06, and that's an excellent starting place to look at if you want to know how to fight spam. The anti-spam toolkit is undoubtedly somewhere still on the Internet, on the OECD website, and it goes to show what sort of parties should be there to be successfully fighting spam. And that includes industry, and industry has done its bit because, frankly, I don't receive a single spam message nowadays, except, oddly enough, phishing, but those always go in my spam mailbox, and gambling, two or three a month.
If we compare that to 2002, industry is obviously doing a good job.
Is spam still a problem? Industry says it isn't. But is that so for every country? I think that is what we should be discussing here because from a U.S. and a Dutch point of view, spam may not really be an issue anymore, but is it the same in every country? That is a question I am going to put back through the chair to you to let us know whether it's an issue in your country or not.
>> C. BOYER: I think that would be a good segue to understand issues from the audience when we get to that part of the discussion, around how big of an issue spam is in your respective countries.
I think we heard from quite a few of the panelists earlier that there are a lot of initiatives under way to deal with spam. I know I can speak for -- as Chris mentioned -- the Messaging Anti-Abuse Working Group. I am part of their Co-Chair public policy group there. They have been working on spam best practices since 2003, 2004, when that organisation was started, and they have published quite a few different documents outlining best practices that have been translated into multiple languages and are available to help deal with spam.
And there are also other actions under way. The London Action Plan has been very active on spam. And there was also a paper published by the EastWest Institute, a paper regarding MAAWG, regarding spam best practices.
I think one of the challenges we have is how do we raise just general awareness of the different tools that are out there and different practices to help deal with spam, and how do we scale some of those solutions into a larger framework for cooperation?
So I'd like to ask the panelists to each kind of speak briefly to that topic of how do we scale these initiatives and make them more sustainable, in particular in countries that may not have as much experience in dealing with spam?
So Karen, you want to go first?
>> K. MULBERRY: Yes, thank you. Karen Mulberry from the Internet Society.
To build upon my opening comments, we have started looking at how do we address the question of what is spam, and how can we help developing countries have a better understanding of spam and what is available to avail themselves of to implement, not only within their country, but within their regions.
You know, the project we started earlier this year is, as Chris mentioned, leveraging the information from MAAWG, which is a very good industry association that focuses on the operational aspects of managing and mitigating spam, malware, botnets, and other intrusive network activities.
The London Action Plan, as Wout mentioned, is the enforcement agencies from about 30 countries, and they're growing even more, talking about crossborder enforcement and management of spam.
We have been working with the GSMA in terms of SMS and text messaging spam. So there's a lot of efforts from some very good industry associations that are willing to share. So what we have done at the Internet Society is kind of facilitate getting that information out to various regions. We held a couple of workshops to date and are planning more next year, where we bring the experts into a region. We were in Nairobi in September. We were in Argentina two weeks ago. So that the experts, and from these associations and from other venues, can sit down and talk about how do you address spam? And this is spam. And frankly, the common definition is unwanted or unsolicited form of electronic communications. You know, when you look at the ITRs and what came out of WCIT, I mean, they were focusing solely on bulk communication, which may or may not be relevant in the grand scheme of what you're trying to address. You know, it's all about what's unwanted or unsolicited and terms and processes related to managing them.
There's a lot of information out there, and there is -- at least what we are trying to facilitate is getting these experts in front of areas, governments, industry, and technical organisations so that they can have this exchange of expertise, the exchange of knowledge and administration to better arm them to make choices of what they want to do.
I mean, the programme and project we have is divided into three components. We're also building a toolkit to kind of build upon what OECD did with their toolkit, although it hasn't been refreshed for a number of years. So we're trying to look at this and refresh it so that we can provide the current best practices, the current codes that are in use by networks and operators. And then as well as the litany of tools that are available. Some of them are freely available. Some of them require more expertise and technical knowledge to implement. But we're trying to capture the list of choices and the checklists that, you know, in a developing country, if you want to move forward to mitigate spam, here are some of the things you need to think about as you go through this path to implement something.
You know, beyond our workshops for policymakers, we also have workshops where we're going to be doing hands-on here's network, operational, and management knowledge that we can share with you and better improve what you are doing with your own networks. We are doing this in association with MAAWG, the London Action Plan, GSA, and other bodies that have been working for a number of years on how to approach and better manage spam.
Spam is going to be one of those ills we will never cure. Spam we used to talk about has morphed into more phishing, botnet, and malware infections. So it's the delivery mechanism. So those who want to better manage networks have to stay at least even with the new developments that are out there for trying to deliver these infections into this system and the Internet.
>> C. BOYER: Chris, you want to go next?
>> C. PAINTER: Yeah, Chris Painter from the Department of State. I say Department of State, but I've actually had a number of jobs over the last 20 years that have dealt with cyber, including being a federal prosecutor at one point, so I know a lot about the cybercrime aspects of this.
Let me, first of all, endorse what Karen said. I think that the first element is -- and what we often hear, especially from developing countries, is where do I go to deal with this problem? Who do I -- I am interested in actually finding out how I can deal with this problem, who I can talk to, who has the expertise.
So number one is to make sure that that awareness-raising activity that Karen described is given priority. And awareness-raising so that countries around the world know what these forums are, know what the tool sets are that are available to them already.
And that should be married with capacity building. I will talk more about capacity building when we talk about cybercrime and even some of the hacking and cybersecurity issues because they are all kind of married together. But an element of capacity building should be how do you deal with this problem as well.
And secondly, I think as everyone has noted that spam is increasingly a vector for other kinds of malicious attacks. So it's not just, really, the spam issue. It's the issue of how you deal with these malicious attacks, which are cybercrime in most cases and hacking and being used, really, as a point of entree into people's computer systems.
Well, I think that requires a couple of different approaches. And again, we'll deal with this more when we get to the other areas of this panel, but one is policies, both with respect to cybersecurity, making sure that you have more secure networks, both government, private industry, and just ordinary citizen networks and having policies around the world domestically around that. And two is having good, strong cybercrime policies, strong cybercrime laws, capabilities, again, trained law enforcement, and ability to cooperate internationally. That's entirely applicable to this because, again, it's a vector for some of those malicious activities.
And then finally, one thing I found that has been particularly helpful is to bring together the different communities. So when we're talking about spam as being a vector for malicious activity and for criminal activity, there is a law enforcement community -- and Wout just talked a little bit about that -- there is the technical community who are in charge of defending networks, and there's the private sector who has a role in this as well. And bringing those communities together I think is critically important.
So we've done this over the years. One of the things I did was chair the G8 private network group, and we had a network that still involves over 50 countries. One of the things we started to do is have a joint workshop with the Forum of Incident Response and Security Teams, FIRST, the technical teams there. In the beginning, the law enforcement and technical community didn't really know or trust each other. But having them come together and come together with the private sector, I think it means you have a more effective response to this issue, and that should be done domestically in all the countries that are dealing with this as well.
So I think there are some practices we could promote. There's some awareness we can raise. And we can do both of those things.
>> C. BOYER: Great. Thank you.
Jayantha, do you want to add anything?
>> J. FERNANDO: Yes, Chris.
I agree with what both the previous speakers said, but in addition, what I just want to emphasize, more from a developing country perspective, is that many of us who are involved on a very regular basis in many of these technical, legal policy discussions around cybersecurity, cybercrime, cyberthreats, incidents, handling issues, we are very often aware of what's happening at OECD, the antispam toolkit, the work of the London Action Plan, Anti-Phishing Working Group, and so on and so forth.
But the bigger issue we see from day to day in our own countries is these developments happening around various sectors often don't percolate down to the grass-root level communities. And often we find some of these documentation available only in English, and of course, I know that once we told somebody at OECD by not translating the antispam toolkit into multiple languages, and I think there was some response to that.
But some of the activities happening in this area are only available in English. So there is no problem with it, but at least some kind of summaries and key points and safeguards that should be taken at a technical level, ISP level, or at the user level should be available in multiple languages. And I believe efforts are under way from various organisations to get that in place.
My final point, Chris, is that this is a subject -- spam is a subject requiring, as I said earlier, the technical legal dimensions to be merged together, and countries may increasingly need to have cybersecurity strategies as part of their national security strategy, and in that, it is worthwhile considering whether we should have an agreement to prevent this problem from blowing out of proportion, and there is a need to act fast in that connection through coordinated cybersecurity strategies globally. Thank you.
>> C. BOYER: Before I switch over, I believe our Chairman wanted to make a comment as well based on the last comments.
>> E. MAKARIM: Thank you. I would like to add some issue that might have been forgotten to explore.
The first one is talking about the privacy in this context, to what extent we can say it's unsolicited bad communication for commercial is against the privacy, particularly for the consumer protection rights.
So if we refer to it from a business perspective side, spamming must be okay. But for the every users' perspective, everything comes to my box, it means they use my space. So in this context, we are better off also to explore what difference spamming through Internet and spamming through mobile phone because the essence of the law, it's quite different.
The basic principles of the conventional communication is a private communication. It doesn't mean that everybody can call anyone. But for the communication through Internet, it's mass communication. So since the beginning, maybe you have a right to say hello to anybody and send commercial mail. So I'm just adamant that maybe some aspects are being forgotten. Thank you.
>> C. BOYER: Thank you very much.
Wout, do you have any additional comments?
>> W. DE NATRIS: Yes, thank you, Chair.
That was -- Wout de Natris.
On behalf of the London Action Plan, I think one of the things that it actually offered to the world was the knowledge of fighting spam for years and what is on offer is training individuals how to fight spam and what sort of tools are needed to fight spam. And that's the sort of knowledge that's available there.
So it's basically an invitation to join the London Action Plan if you are thinking about drafting a spam law or you are thinking about starting an agency or you have an agency that has just started. But what I understand is what one of the problems is the London Action Plan is now actually having its own meeting at this moment together with MAAWG -- already mentioned here -- in Montreal. They started yesterday or today also. So that's why I, as a private consultant, am now representing London Action Plan, which I actually am a member of from the commercial side of -- and spam fighting.
One of the problems are basically that this training is now in Montreal, and it's not possible for each country to travel there easily. And on the other side, in the London Action Plan, there's no money to travel to the rest of the world to give these sort of trainings. So in other words, there's some sort of a mismatch happening here between the demand and supply. And I am not the one that has the possibility to offer a solution for that, but it's something that maybe the right sort of authority should be looking at how it's made possible that these sort of trainings actually do start to happen around the world.
So I think that's an important thing to look at.
The other thing is that it isn't completely clear with the London Action Plan what the questions actually are. Is the demand the same as what is on offer at this moment? That's, I think, something which is worthwhile looking into also, and as far as I'm aware of, that has not happened so far. So I think that's another way to try and build capacity, but it is a problem getting the people together, apparently.
>> C. BOYER: I think that specific topic of how do we expand some of the activities of MAAWG and London Action Plan into other countries is an area that is being actively worked on. I know Karen mentioned the partnership that has been started between ISOC and MAAWG. MAAWG itself is establishing a foundation basically to support ongoing training sessions in other countries, so really taking it out of just doing the kind of -- MAAWG traditionally has three meetings a year, one of which is international. I think they recognize the need to be more active in other countries, and I think the partnership with ISOC is largely intended to help them take their technical expertise and expand it more globally to help educate folks on different techniques to deal with spam.
I don't know, Karen, if you have anything to add to that.
>> K. MULBERRY: Yes. Thank you. Karen Mulberry with the Internet Society. Indeed, that's what we are doing. We are also translating documents, both MAAWG documents and other materials that have been developed by experts in the field so that they are available in the UN languages, and in particular, French, English, and Spanish, to make sure that, you know, where they need to be used, they're in a form and text and concept that can be used by the people who are so eager for that information.
I mean, we have run across that in many different venues where they really need to better understand it in French versus English. And we also need to look at the technical tone of a lot of these documents that have been developed over the years to make sure that they are understandable in many languages and they provide some context in relation to at least the toolkit that we're trying to assemble so that you understand the first step you need to take, and here's some material that might be useful for you to educate yourself, to expose yourself to some of the choices that are out there, so that you can discern for your own country or your own network what are the appropriate steps for you to take because it's going to be individual in terms of what you want to implement and how you want to manage it. But we try to lay out all of the details that you need to consider in the process because it's very important.
>> C. BOYER: Thank you. So we're about quarter after, so I wanted to ask if we have any audience questions. I believe we have one over here. And I would like to remind folks with questions that they should please introduce themselves when they ask.
>> Good afternoon. And hello to everybody. I'm going to speak Spanish, if I may, because that's my mother tongue. My name is Mayu Fumo, and I am the commissioner for the telecoms regulatory body from Mexico, which was set up after a constitutional reorganisation of telecommunications in my country, and it covers broadcasting and telecommunications in general, and everything to do with the computer sector.
What I think is interesting and what we see here is the fact that there has been such a strong effort to minimize what is coming up in the WCIT sector. And as head of this agency in Mexico, I know that we have signed all the final acts of all these international agreements along with other South American countries, like Brazil, Uruguay, Argentina, the Dominican Republic, and other non-South American countries too. Brazil, of course, is at the top of the list. Many other countries, too, have signed those same agreements.
But there is this constant attempt to minimize the issue by saying it's just a question of capacity building and so on, but actually, of course, it's actually that we do need the capacity building. People need to know what they are doing. They need the knowledge that is part of this. But when you are the regulator for international telecommunications, you can't use the word "spam" because lots of countries were opposed to the word "spam" being used in the text. So instead of talking about spam, we talked about massive nonsolicited electronic communications and about the measures that would be necessary to take in order to combat the sending of these sort of communications and minimize their effect. And Member States promised they would cooperate in this field.
It is an international problem, that's the point, not a local problem. Certainly a lot of work has been done in this area, but we need to increase international communication.
The last thing we need to do is minimize the problem by pretending that it's just a question of needing more knowledge and needing more technological knowledge and technological capacity.
Spam started arising 20 years ago. It's been around for a while. And we also need to take into account the opinions that we have from the WCIT experts. In my case, I have been working on the technical aspects, both at the national level and at the international level in this area. And we work, for instance, together with Japan, and we have learned from that that we need our interventions to be much more effective. Spam isn't just to do with the capacity or the knowledge available in one country; it is to do with national security, for instance, of a country. Mexico is a good example of that. In Mexico, we saw that in some areas we have an awful lot of email that is sent from laptops to people who, when the person clicks on a link within the body of the email, what they are doing is they are calling a police line for emergencies. So these criminals are using the system to saturate, to completely overwhelm the police emergency line and stop the police from doing their job. And in order to set up something like that, you need huge capacity in the criminal world. So we need an international strategy to combat that kind of attack.
So that is why it needs to be part and parcel of international telecommunications regulations. Thank you.
>> C. BOYER: Thank you.
Do any of the panelists wish to speak to any of the issues that were just raised? No?
>> C. PAINTER: Chris Painter from the State Department. I don't think people should confuse whether people thought it was appropriate for spam to be a topic in the WCIT meeting, which did not, by its nature, deal with content issues, and whether people thought spam was a legitimate concern of countries around the world. I think everyone believes it's a legitimate concern we should address. And I don't think that anyone should think that we don't believe there should be international cooperation on this issue. And I also don't think I heard any of my fellow panelists here say that, you know, these are local solutions that should be adopted. That's one part of it, yes, but these are also solutions that have been talked about that would help the international community cooperate better against these issues.
Now, I think the issue in part comes when you start talking about making the jump between international cooperation to deal with these threats, and when they end up being law enforcement threats or cybersecurity threats, those need to be addressed by strengthening those capabilities, just like we have in other types of threat areas. But that doesn't necessarily mean that that is the subject of an international telecommunications regulatory scheme. So I think we have to disaggregate this issue a little bit and make sure we are looking at the best and most effective solutions, both domestically for countries, and also how they work together and cooperate together.
>> C. BOYER: Thank you.
I believe we may have some remote participation as well.
>> Well, we have one comment that we need to do a lot more to make the developing countries have trust in Internet and what we do. There must be strategies to stop cybercrime. He also has one question: How can we help developing countries like Uganda appreciate the Internet without being trapped in the circles of cybercrime? Thank you.
>> C. BOYER: Does anyone want to speak to that particular question?
>> C. PAINTER: I can start. We are sort of jumping ahead in the panel in terms of we are going to be talking about cybercrime at the end.
But I think the reason you have good cybercrime laws, the reason you have good cybercrime capabilities, the reason you have interpretation cooperation to deal with cybercrime -- all issues we will be talking about later in the panel -- is to address the threats on the Internet. But to promote the good things we are trying to do on the Internet, whether it's commerce or social interaction, all of the kind of cybersecurity policies and cybercrime capacity building and also abilities to do cybercrime enforcement are not ends in themselves but a way to enable that kind of trust and that kind of commercial development. So we should do that.
And how do you get countries, particularly developing countries, to adopt good policies in this area? Well, that's really where we go to some of the capacity building efforts, and we've learned quite a bit of that around the world, the United States has, other countries have. There is a lot of emphasis on that. I will address that more when we get to the cybercrime section.
I come from a conference just held in Seoul, Korea, the Seoul conference on cyberspace, and one of the themes of that conference was the importance of capacity building around the world and building cooperative networks to deal with some of these cybercrime issues that deal with, really, the entire world.
I think there are efforts under way, but the reason we do that is to enable trust in the networks and to enable economic and social growth on the networks.
>> C. BOYER: Thank you.
>> W. DE NATRIS: This is Wout de Natris. I would like to try to tackle both questions a little bit.
I am not a diplomat, so I was not at the WCIT. Just speaking personally here from the top of my head is that there's spam -- it's called spam here in this panel. In the Dutch legislation, which is a translation more or less from the EU policy directive, the word "spam" isn't used a single time. It's unsolicited commercial -- what is the other one? -- political or charity communications. So that's the official word. And we call it spam because that's the popular word for it, and just because of this funny Monty Python's Flying Circus sketch on spam, where the only thing you could get in a restaurant was spam, spam, spam, and that's where the joke comes from, basically.
So the next thing is to take away cybercrime, when we talk about spam, so unsolicited communication, we mean where the content is commercial. So as soon as it's not commercial anymore, it goes into phishing, it goes into trying to infect end users' devices, try to do whatever they do with it.
I think that's going into different discussion because then you are moving from spam, unsolicited commercial communication, into fraud or crimes or worse. So in other words, then you get away from in a way what's called cybercrime. Then the spamming, sending of messages is nothing else than a tool to reach another goal.
Then the question, can you avoid cybercrime coming into a country? Yes, if you throw away every device in your country and not connect to the Internet. So in other words, it's the same as happening on the street. I think law enforcement is there since the late 18th century, and it's not like crime has gone away because of it, but it keeps most people away from crime, and it keeps most people safer. But you can always be at the wrong place at the wrong time. And in real life, you can usually see which streets you'd want to enter and which streets you may not want to enter, but even then you can be hit by a bus because the driver is drunk. There's no guarantee.
But the fact is you can't see the bus coming on the Internet. You don't know if there is a driver. You don't know whether he is drunk or not. So in other words, that's where maybe this discussion should be going, how can you push crime back as far as possible, as becomes acceptable, just like in real life, and then you have a society we can actually profit as much as possible from the Internet, from all the beautiful things it also gives us and presents to the world, lots of opportunities, business opportunities, but also for personal people.
And I think that is where the distinction between spam and the content of the spam has to be made.
>> C. BOYER: Jayantha.
>> J. FERNANDO: Thanks, Chris. I think I will answer the specific question from the caller about how Internet can be promoted without being caught in the cybercrime trap, if I have understood that question right.
So basically, not just governments, from a developing country perspective, I think everybody in the community, the technical community, the Internet communities in your country has an obligation to promote the good side of the Internet. In fact, Chris also brought this out. Yes, we need to -- governments and Internet community has to address the threats associated with cybercrime, and there are best practice models available for that which we will be discussing later on today. But the negative side arising from cybercrime should not be brought out in a way that will stifle the innovation and the growth that a country can have with the powerful tool associated with the Internet.
And from a developing country myself, I mean, in Sri Lanka, we see this problem as a big issue because the local press often brings out the Facebook of users, the frauds associated with Internet banking, to many other issues, and those are given first page news items in our newspapers often. But talk of the good side of how the economy has been made to leapfrog with the Internet-based tools, those are given second, third page, small news items. So this is a problem that many developing countries are facing, and many organisations, the governments themselves can't grapple with that problem, and they cannot themselves promote the good side of the Internet.
And I think talking off that Ugandan remote participant's question, the question I would pose back to him is do you, for example, have an Internet Society local chapter in your country that can help to promote the good side of the Internet? And talking from Sri Lanka, I can tell you that the positive sides of the Internet was greatly promoted thanks to the best efforts of our Internet Society local chapter.
Thank you.
>> C. BOYER: Great. Thank you very much. And so we have a few more questions here from the audience, so why don't we go around this way. So you want to start there? Yes. You are next, yes.
And just a reminder to please introduce yourself.
>> Thank you. Actually, it's not a question. I think the gentleman raised an important point that in solving spam issues, it is important to have -- (Speaker off mic)
And so maybe it will not be ills that have never been cured. We still can reduce the negative impact of it. So because the consumers have the right to enjoy the benefits of the ICTs, like you said, and also when they enjoy the benefit of ICT to the maximum level without interference or annoying information, which is not based on their concern.
So because that's also the role of government and also responsibility of all sectors, including the business sectors. Thus, I think it is necessary that in regulating spam, consumers should be given more flexibility to choose whether or not they want the information. So if we see the condition now, many times consumers have no rights to choose. It's all like take it or leave it basis. If you want it, then you have to agree with all the restrictions and all the requirements. So it is important for the global community to support the regulations that give consumers small flexibility in choosing the information they want.
Thank you.
>> C. BOYER: Okay. Thank you. Next.
A reminder to please introduce yourself.
>> Thank you, sir, for giving me the floor again. I would like to ask something. I think that we who participate in this conference, we have a tendency to minimize what we don't understand. That was the commercial spam in legislation. And we know we have the context. This is a reality. Spam is a reality. International communications regulations, for people who aren't familiar, these are regulations which are very interesting, which make it possible to understand a great deal. It says clearly that it's nothing to do with the contents. The problem is that the information comes as spam on mobiles, for example, mobile phones. And the user thinks that it's an app which is coming for free. And they think that they're going to get a photo or a song or something, and then they click, and it calls a police call centre. So imagine the quantity of calls that can come in simultaneously if that's done to the police. So it stops the police from working.
This is linked to the question of cybersecurity and cybercrime. It's here where we are asking us to not remain aside from this, that we should try to find some definition and a strategy so that these new kinds of situations which are coming up, not just on the Internet, but in other international communications, also have to be dealt with.
>> C. BOYER: I'd like to ask if any of the panelists would like to respond.
>> K. MULBERRY: Yes. This is Karen Mulberry from the Internet Society.
I can tell you that the technical community has taken note of issues like that. The IETF, the Internet Engineering Task Force actually has created a group to address issues that are IP related, where, because VOIP or other Internet voice calling, there have been calls to emergency services, to police centers and everything else, and they're working on technical solutions for networks, on authenticating traffic so that there's a means of addressing what's malicious and inappropriate on a network.
So that the government agencies you rely upon in an emergency, in a disaster, and to provide the protective services are not overwhelmed and prevented from actually doing the job that they are supposed to be doing. So there is work under way. There isn't a solution that has been, you know, formally adopted yet, but there's a lot of discussion and there's a lot of motivation to come up with a solution, not necessarily the same as addressing spam, but they are looking at this as the -- a malicious network activity that they need to manage better.
So work is under way, and hopefully soon there will be some solutions out there.
>> C. BOYER: Okay. Thank you, Karen. It looks like we have several more questions to get through. Let me go to the gentleman here at the end of the table, and then I will go to the remote participants, and then a couple more gentlemen back here. And a reminder to please introduce yourself when you ask questions.
>> All right. My name is Jay Sadowski. I own and operate an Internet infrastructure company in the United States. And I find it a little interesting that most of the panel seems to think that spam is limited to commercial -- or unsolicited commercial emails.
From my perspective -- I operate a lot of mail servers -- I don't go and deploy an anti-spam product that only addresses unsolicited commercial emails. It needs to address all of the different unsolicited kind of emails that we are getting, phishing, malware, identity theft. You know, so I would really encourage the IGF, if they are trying to produce a takeaway, that they include all these different subsets of spam in whatever they develop because to have it be limited to just unsolicited commercial email seems to do a disservice, especially to larger Internet community if they are trying to develop best practices, training, and things like that to limit the scope of that.
The other aspect of this, were my perspective, spam that is not simply unsolicited commercial email is most definitely tied to cybercrime in every way. Spam facilitates phishing, identity theft, malware. Spammers use stolen identities to sign up for fraudulent services. Spammers develop malware to steal credentials from end users and then hijack their email accounts. Spammers send out spam to get people to sign up for fake credit report services. You know, it's an ongoing cycle, but spam and unwanted email is essential to what a lot of these cybercrime outfits are doing.
>> C. BOYER: Thank you, and I'll ask the panelists to respond. I do think just one quick comment is I do think there's different definitions for spam, and different groups define it differently.
I know like at MAAWG, they generally define -- they don't even mention the spam. Most of their practices are really related to unwanted email, kind of to your point. So any of the panelists have a comment there?
>> C. PAINTER: So this is why we said at the top -- Chris Painter again -- both Karen and I said we need to define our terms here. And yes, there are different kinds of activities we are seeing. Spam is sometimes an enabler. But what we are really talking about is email. It doesn't necessarily mean it's spam. It could be targeted.
In fact, what we are seeing in phishing, more often now than ever before, is spear-phishing, much more targeted emails, not the wide distribution of things out there.
Then what we are really talking about is malicious activity, which we are going to be dealing with later on in this panel and the hacking and cybercrime part. And absolutely we need to make sure we're combating that malicious activity, and that's an international issue where I think the IGF can play a role in, again, making clear what's out there and what activities are being done and the legal structures that need to be done around cybercrime laws and capacity to fight cybercrime and investigate cybercrime.
Because even the example our colleague from Mexico brought up, you know, trying to get the police jammed, that's a crime. So how do you address those criminal aspects? How do you make sure you can investigate them, both within your country and work internationally because they often are not localized in one country? Those are important issues we need to address.
So at least from my part and I don't think from any of the panelists part, there's no attempt to minimize this by calling spam one thing and malicious activity another. We need to address both of those issues. And I think we will during the course of this discussion.
>> W. DE NATRIS: This is Wout de Natris. You are absolutely right. The fact is I represent London Action Plan, which is all about commercial unsolicited email, so that's the story I am giving here.
If I look at my background as a spam enforcement agency, the trouble we usually run into is there's a lot happening on the content, except our antispam law does not give us any rights to do something about the content. For that you need the police. And to be quite frank and honest here, if we walked up to the police in those days and said we have a fraud case here involving that many millions of euros, basically the question would be where's the body? No body? They'll see you again. And there was just no interest.
And that appears to be changing a little bit, I hear from my ex-colleagues who are doing the first two cases ever together, which is completely new, and I think that's a good example of what the Dutch Minister of Security and Justice is doing through the National Cyber Security Centre by bringing all the different stakeholders, public and private, together and making task forces out of them on issues. Perhaps we have time later to discuss that. But what I also said in my introduction, the law that was thought about in 1999 and drafted in 2001 and implemented in 2003 or '04 may not be doing what it is supposed to do nowadays because there's so much more than just commercial emails. So maybe it's time to start looking at law capacity people and drafting laws and policy people to look at what sort of a law would you like to have in 2016?
Because that's about the cycle we have from 2013 onwards, of course. The question is whether the sort of agencies that are effective now, like the Federal Trade Commission, like where I used to work, now called ACM, and a few others around the world, could actually assist in these sort of cases where the police, from an economic point of view, is not interested enough because the cases are clearly not serious enough, but still involving millions, which are being siphoned off the economy. Would it be interesting to see if these sort of organisations could actually take on these cases also by being allowed to look at the content and perhaps also bring somebody to a criminal court instead of just through a civil or administrative court? And that may frighten away some more people that now think, well, the fine is 10,000 euros and I am making a million, I'll go on anyway.
So in other words, the matter of fining and the profits they make may not also be compatible. So that's some food for thought for the future. What sort of law would you like to have in 2016 or '17, and would it have to be different than it is now?
>> C. BOYER: Thank you, Wout. I believe we are, for the sake of time, I will take a few more questions on spam. I think as Chris has pointed out a few times, we are kind of conflating topics here between spam, the hacking question, and also cybercrime. So we will move on to hacking next, but let me take the last couple questions here before we do.
I think we had one more online participant, I believe.
>> Actually two. First one is from Daniel from Kenya. He commented that --
And my point is on continued review of legislation. Countries, especially developing nations, have to custom design their legislation and get enough input from all stakeholders in order to develop proper and acceptable cyber legislation.
Thank you.
>> C. BOYER: It seems like those are comments. Any response there? Okay. We have two more. Yes. Next. And please introduce yourself.
>> Thank you. I'm John Lepris, a Professor at Northwestern University. This is a question specifically for Karen. Earlier we talked about how the IETF is interacting with our colleague from Mexico's issues on the network. If we are thinking of spam as a problem for network stability, you know, back in -- sorry, I've got one page up on my iPad, but back in 1999, IETF was looking at best practices for dealing with spam. Is the IETF still actively working on this issue? If we're framing it as a network stability issue, this would be another way to both build capacity and disseminate capacity through the engineering community.
Thank you.
>> K. MULBERRY: If I can respond, I believe the IETF is still working on network management and network stability issues. Do they call it spam? No. They have moved on to more specific management of the elements within a network. The group I mentioned before is called the STIR working group, and if you know the IETF, they like to come up with very interesting acronyms to define the work they are doing, and I'm not sure I can explain the acronym for that group, but it's a newly formed group, and they are actively pursuing how do you do network authentication to validate that the sender and receiver should allow the traffic to complete? So there's a lot of activities that are occurring to better manage issues.
There are a lot of other initiatives that could be undertaken as well, you know, compatible with what the Internet Engineering Task Force is working on too. I mean, much like MAAWG and some of the other places, they are working on the operational aspects of these things.
I know that GSMA has a very active initiative on SMS spam and what their network operators, mobile operators, need to do to better manage that to prevent all of the issues that a lot of countries have because they have an overwhelming amount of SMS spam out there.
>> C. BOYER: Thank you, Karen. I think that is it for the audience questions.
We have one more back in the back:
>> Thank you. My name is Pete Resnick. My expertise is on the technical end of things, but I actually wanted to ask a question about the legal end.
I have been involved in several civil suit antispam cases in the U.S., and the law in the U.S. seems more or less completely ineffective because the folks who are large enough to really be dealing with spam, the Googles, the Yahoo!s, the other large providers of the world, they use the technical tools to prevent spam and not the law, which leaves the law to be used by, shall we say, less reputable plaintiffs.
And we hear of a lot of cases dismissed because those folks are not considered real Internet service providers, real mail service providers. And it seems to me that allowing some more of these cases to go forward and to allow anyone to make these claims, to get the money out of commercial spam -- I am not talking about here cybercrime; I am talking about strictly commercial spam which is in the gray market of spam. There should be some way to adjust these laws to get folks out of making spam profitable, and I was wondering if the panelists would be willing to comment on changes to the laws such that any single individual could bring suit against large folks who are taking advantage of the fact that there are more nefarious players willing to send spam.
I am thinking of people who are large companies but allow botnet-like mail senders to send spam and make money on their backs.
Would anyone care to comment?
>> C. BOYER: Would you like to comment?
>> W. DE NATRIS: I'll try to comment.
If I remember correctly, Microsoft has done that a couple of times in the U.S., by bringing people to court, and I'm not an expert on U.S. law, but I think I remember the FCC saying once that every individual in the United States can bring a spammer to court. And whether that's a successful approach or not, that's something different, but maybe there's someone in the room who can check that fast on the Internet or knows it, but I think I saw that in a presentation once.
>> C. BOYER: I can briefly comment on some of the work done -- I don't know if anybody from Microsoft is here, but they've done quite a bit of work with law enforcement to do various takedowns of some large botnets such that has had a substantial impact on spam. I forget the name of the particular botnet, but a couple years ago they took down a botnet that I think reduced spam by a very large percentage worldwide, actually.
So there's been a lot of activity, at least in that instance, to do that, and also when you talk about -- and we are kind of, again, segueing into the hacking issue, but when you talk about malware, a lot of the ISPs as well have worked with Microsoft and others, the FBI in the United States, to alleviate some of those issues. A good example of that is the DNS changer botnet that was last year.
So there is activities from some of the larger players on the Internet to try to deal with some challenges.
>> C. PAINTER: As I said, there has been some pretty successful actions by the FCC and pretty successful criminal activities.
>> I am sorry, if you would be willing to allow me one follow-up.
I was, in fact, not talking about the criminal aspects. I am wondering more about the civil aspects for individuals being able to go after commercial spammers that are using botnets to their advantage, certainly, but going after the people who generate the revenue, the commercial gain, from sending out these commercial emails. That doesn't seem to be available to individuals, at least in the U.S.
>> C. BOYER: Yeah, I don't know that I can comment to that. I don't know if any other panelists can as well. It's kind of a U.S. law issue. So we'll have to table that question.
All right. Any other audience questions on spam? I think I'd like to move on to the next question, if I can.
Yes, the Chairman would like to make a quick comment. Then what I am going to do is then we are going to switch to hacking. Thank you.
>> E. MAKARIM: In Indonesia, it is regarded -- a civil case, and this can be conducted by all actions that are being taken and creates a loss for others. In Indonesia -- conduct, and based on the article of law of IT and also civil code, we can sue them in civil cases instead of the criminal also.
Thank you very much.
>> C. BOYER: Thank you very much.
All right. So that closes the discussion on spam. I think we've tackled a few of the other topics during the course of the conversation, but the next subject is really hacking and then cybercrime. So focusing on hacking, which I think we are going to define for the sake of the panel as really cybersecurity issues more broadly, I'd really like to just get everyone's initial comments on just general discussion of how they see cybersecurity, you know, from a global perspective, and then also just generally feedback on frameworks, what is working and what needs to be streamlined and strengthened to deal with cybersecurity hacking issues.
Who wants to go first? Looks like Chris is going to be first up again.
>> C. PAINTER: Well, I have been -- as I mentioned at the top, I've had a lot of experience with this since, for many years back in the '90s, I was a federal prosecutor going after hacking crimes, I think back when people weren't as dependent on the Internet.
Back at the beginning of the Obama Administration, I moved to the White House to help write our cybersecurity strategy and our international strategy, and now with the State Department, so I have seen different aspects of it.
You may recall the President's account was hacked into. He was really leading the effort into trying to strengthen cybersecurity, both domestically and internationally, from the day he came into office.
We have been doing quite a bit in this area over the last, really, 20 years, and particularly over the last five or six years there's been a lot of activity, including having national strategies in this area, and it was mentioned by my -- one of our panelists the importance of national strategies. I think there is something like 25 countries now that have cybersecurity strategies or are working on those strategies, and it's a very important thing to raise the awareness of this issue, both within the government, but also within the public and the business sector in various countries.
You know, those strategies in the U.S. and elsewhere, I think they are the strongest when they are built, much like the IGF model, in a multisector way. Indeed, our strategies had a lot of input from both of those groups as we built this out. I am very glad to be able to discuss these issues here.
Since Baku last year, where we talked about this issue, we have taken some more steps with respect to cybersecurity, and I want to share those with you. In February of this year, President Obama issued an Executive Order and a Presidential Policy Directive on cybersecurity and critical infrastructure that clarifies both government agencies' activities in the area and puts in place a cybersecurity framework for the development of standards and best practices. In rolling out that Executive Order, the White House characterized the current cyber environment as the "new normal," one in which cybersecurity threats are increasingly broad, sophisticated, and dangerous, and include persistent intrusions, privacy violations, theft of business information and trade secrets, something that has been in the news quite a bit in the last year and been raised by our President in particular, and degradation and denial of service to legitimate entities trying to do business or get their message out on the Internet.
So how do we deal with this new normal, especially in an international collaborative way?
Well, domestic efforts like our own executive order should be supported by international collaboration on strategies that address the transnational nature of these various threats to our networked information systems. We need to find ways to share the burden of network defense across stakeholders and also across the globe.
Key elements of those efforts are prevention, preparedness, and response, and we have both policy and practical ways to achieve those goals together.
From a policy perspective, we are realising international venues to affirm the need for international cooperation. Since 2000, for instance, there are five UN General Assembly resolutions that have drawn attention to the essential defensive measures that governments can perform to reduce the risks of security and also tout the importance of raising awareness. They advance very useful concepts that we need to look at, including a resolution that talked about the role of governments in combating the criminal misuse of information technology and underscoring the immediate need to have modern effective national laws to adequately prosecute cybercrime and facilitate timely transnational investigations and cooperation.
Another resolution that talked about creating the culture of cybersecurity, drawing off work done in OECD and elsewhere, and the protection of critical political infrastructures providing an essential basis for facilitating international collaboration and risk reduction.
Yet another one that dealt with the responsibility of governments working with other stakeholders to lead all elements of society to understand their roles and responsibilities with regard to cybersecurity and the complementary efforts that stakeholders need to address. And still another that talked about the important roles of regional and international organisations, in particular in combating cybercrime.
While these UN General Assembly resolutions have been a valuable forum for the promotion of these fundamental concepts, the UN is not the venue, I believe, where most of the real substantive international collaboration is taking place, and we don't believe the UN should control or manage this collaboration. Relevant cyberspace issues, cybersecurity and cyberspace issues, are on the agenda of many other regional and international organisations which we support, including the OAS, the Organization of American States; the ASEAN group; the Asia-Pacific Economic Cooperation, APEC; the OSCE, the Organisation for Security and Co-operation in Europe; the African Union; the OECD; the G8; the EU; and the Council of Europe, among others.
One thing we hear a lot from countries is they feel the lack of expertise to implement these goals and collaborate internationally -- and we are very sensitive and I think attuned to hearing that from countries around the world -- and therefore -- and I mentioned this a little earlier -- international cybercapacity building is a policy priority for us in the U.S., and we think it should be a policy priority, really, for all.
We are partnering with developed and developing countries to improve and expand capacity building efforts to, for example, provide the necessary knowledge, training, and other resources to countries seeking to build technical and cybersecurity capacity. This element was a real focus in the Seoul conference, and I commend the output of that conference, the Chair's summary and discussion of capacity building in particular to this audience.
We also work to continue to develop and regularly share international cybersecurity best practices around the world and enhance states' abilities to find cybercrime, including training for law enforcement, forensic specialists, jurists, and legislators.
Our international capacity building work is increasing, and we've done a lot of work particularly in Africa, West and East Africa, doing regional conferences and training to support the development of regional cybersecurity frameworks and strategies. And a lot of regional organisations have been working on this too. But this is only one of the practical measures that I think I referred to are required here. There are existing technical standards-based forums that we talked about earlier with respect to spam that apply in cybersecurity as well, and we think discussions here could help both make countries more aware of this and raise the bar by getting countries to adopt national strategies and cooperate internationally.
Now, what I said is related to but separate from cybercrime elements, and of course, having strong cybersecurity laws in place, we believe modeled after -- either accession to or modeled after the Budapest Cybercrime Convention -- is very important, and having that ability to cooperate -- but we'll get more into that, or I'll get more into that at least, when we discuss the cybercrime aspects of this issue.
>> C. BOYER: Thank you, Chris.
Other panelists? I believe Jayantha would like to comment as well.
>> J. FERNANDO: Thank you, Chris. Again, from an emerging country perspective, cybercrime and cybersecurity are both important subjects, and there is a need for legislative measures to deal with this global phenomenon.
Even in our country, from my experience, what I can share with the audience is that with the huge focus given over the last seven to eight years on development, economic development activity associated with information and communication strategies, we saw a lot of hacking-related offenses, phishing of Internet banking websites, denial of service attacks against use of ICT in a country. And added to that was the issue of terrorism, where these cybercrime tools were used against state and nonstate players.
So having gone through that cycle, Sri Lanka adopted a fairly comprehensive cybersecurity strategy which included the legislative side that we will talk about later, coupled with a technical approach to dealing with the problem, and the technical side of it led to the establishment of a national coordination centre called Sri Lanka CERT. So the CERT, the technical coordination work associated with CERTs, working together with FIRST, the forum for incident response teams, in collaboration with APCERT, led to a collaborative ecosystem to deal with the common problem that Chris Painter explained a short while ago.
From the legal side of it, the issue is significant. Countries can have different models in terms of their legislative practices. But the important point to realise is that there is increasingly a need for global cooperation on the subject of cybercrime. One country alone cannot deal with the problem, even if we have an investigation in our country and we have to contact law enforcement, either in the UK or the United States or some parts of Europe, in Japan, Australia, China maybe. There is a need for global collaboration, and therefore, there is a need for harmonization. And that was one of the reasons why Sri Lanka opted to adopt the framework associated with the Budapest Convention that we will talk about later. And the need for harmonization and collaboration is the most important thing because mutual legal assistance between countries is becoming more and more complex to deal with on the subject of cybercrime.
So I'll stop at that for the time being.
>> C. BOYER: Okay. Wout.
>> W. DE NATRIS: Thank you, Chris. I am going to do something very uncharacteristic here and give the microphone to somebody else. I am also representing NL IGF here, and we are having sessions tomorrow on examples of the sort of thing you are talking about, how we can actually deal with threats and the sort of capacity building that is taking place there and cooperation taking place there.
I am going to pass the microphone to Nina Johnson from the Dutch Ministry of Justice. She will say something about how attacks on government have been dealt with since the last year. Nina, the microphone is yours.
>> Thank you. My name is Nina Johnson. I am with the Dutch Ministry of Security and Justice. Since you are taking the broader issue of cybersecurity rather than just cybercrime and hacking, I think it's interesting to share maybe some of the issues that will hopefully or probably be covered in our panel tomorrow and maybe pose a question here to the table and to the participants as well.
Karen, you were talking about the translation of policy documents, providing them in different languages, making them available, strategies, guidelines. But as the Internet developed from the grass-roots level, we do the same at the national level, of course. And in the Netherlands, we are trying to make all our documents, strategies, et cetera, always available in English as well so we can share them with all of our international partners. -- one -- or a few of the interesting examples could, for example, be where we focus in our multistakeholder approach on the operational, technical, and strategic level. Examples are the National Cyber Security Centre, which actually has liaisons from private companies in there, academia as well. We have a Cyber Security Council. We have even private initiatives on botnets, which are connecting to our centre or to our policy level.
So all these cooperation methods and models we make available for our international partners.
We make case studies available, so we have a case which we experienced in 2011, and we're trying to engage with our partners, both at technical but also strategic level to really get the C-level commitment and realisation that this is an issue of -- for all of us, to get at the table to make people realise that.
So I guess the question here would be how do we engage these national or sometimes more often bilateral initiatives. Is there a gap between supply and demand side for this kind of information sharing? And if so, how do we -- how can we better organise these supply and demand for such models, for such information? Thanks.
>> C. BOYER: Thank you. Do any of the panelists want to comment on the question? Karen.
>> K. MULBERRY: Thank you. Karen Mulberry with the Internet Society.
I can tell you with what I am trying to collect that I am accepting donations, so if anyone has material that is a best practice, that is a technical solution or a recommendation or just even a general guideline that might be useful to be shared with others, please let me know because I've got a website that we have put together where I can host all of these materials, with your branding. We've got the MAAWG documents, we've got some Action Plan documents, I have some GSMA documents, other things that have been contributed by other experts who have devised either articles on these are things, how it works, or technical things and tools that one should pay attention to.
So send them to me, and I will post them and we will push them out through our chapters and through the work that we're doing right now so that hopefully the message will get out to a broader audience.
>> C. BOYER: Chris?
>> C. PAINTER: So there's a lot of good work that's being done in some of the regional organisations that I think can be shared. For instance, the Organization of American States has been doing a programme with countries in that region on national cybersecurity strategies. And so I think that kind of thing is very helpful because so many countries are now building those strategies.
You know, I also want to emphasize how important those strategies are as an organising concept because it's not just one government agency; it's really a whole-of-government approach where the economic agencies, the security agencies, the police are all involved in this, but it's also civil society and the private sector. So understanding how those strategies can be built is important.
The other is building institutions, like CERTs, and how you do that as countries are facing that, and I think that's part and parcel of some of the capacity building efforts, and that's one of the ways you get this into the hands of other people around the world is more the targeted capacity building that helps them do things like do these national strategies, build the institutions they need, and build the capabilities.
>> C. BOYER: Just a quick comment. You had mentioned some of the botnet activities. Just an example of how there is some information sharing going on. I participated in a workshop last month at APEC that was specific about botnets, and there were presenters, self included, from lots of different countries talking about activities being done to mitigate botnets that I think was very well done, and it was -- there was a good exchange of information about how different countries are doing different programmes to deal with botnets. I feel like that issue has -- has taken on some momentum of its own, and there's been a lot of activity to kind of emulate the model of notifying end users who might be infected with botnets as part of kind of keeping the Internet more healthy and clean.
>> C. BOYER: Any questions, other -- we have a question over here?
>> I'm Brian Tong from Singapore. I have maybe some comments from the panelists relative to the floor. I am relating this to the previous discussion also on -- that we had on spam, and I do see a correlation between spam, personal data protection, and cybercrime. Spam personally says don't send me stuff I don't want. Personal data says protect some of my stuff. And cybercrime says don't commit illegal activity that might affect me.
The three do work hand in hand. They overlap, but they do not necessarily cover each other completely. So my comment would be each one does have its place.
The interesting question, I think, from a developing country point of view, is as a matter of priority, which piece should come first if, you know, you had limited resources? Do you start off with law-based spam moving up to data protection and then to cybercrime, or do you start the other way, the one with the greatest impact, cybercrime down to data protection and then down to spam?
Thank you very much.
>> C. BOYER: Jayantha may have a comment on that one.
>> J. FERNANDO: Thank you. Well, it's a very interesting question, but quite difficult to answer because there is no open-and-shut, tailor-made mechanism that a country can follow or needs to follow. And every country may follow different options and different routes to legislative reform, combined with a cybercrime and cybersecurity strategy.
Thirdly, from our perspective, the approach that I see many countries adopting more increasingly than -- more increasingly in recent times is to give preference or priority to legislative efforts or legislation dealing with cybercrime, and then follow through with privacy, data protection, and, of course, even in that you see different models and options. Some countries prefer to follow a legislative route, particularly those countries dealing with European Union data protection issues.
In our country, we tend to look at the safe harbor model followed in the U.S., the private sector code of practice. If you are from Singapore, you are familiar with the model of Singapore, the private sector code of practice on data, for privacy protection, that many countries like Sri Lanka prefer to adopt through mechanisms of self-regulation, self-governance in the area of privacy and data protection.
So there is no one route that a particular country can take. Countries can follow different routes. Certainly, from my perspective, what I have seen happening is the other way around, namely, giving preference to cybercrime legislation going forward first, mainly due to the reason that countries feel the desire to deal with the problem as an immediate step and provide a mechanism for preventive steps to be taken and to empower the law enforcement and the judicial system to deal with issues that they feel should be prioritized more than anything else. Thank you.
>> C. BOYER: Yes, I believe Wout has a comment.
>> W. DE NATRIS: To be honest, I don't think it's up to me or anyone in the panel to say what a country should adopt or not, of course. What I can share with you is two times now through the Internet Society they asked me could you explain to the country's President how you dealt with the spam problem, the unsolicited commercial email, in the Netherlands. I said yes, of course I could, because basically, it's just one article. And if you allow me to say so, Mr. From Mexico, it says thou shalt not spam, with some exceptions and nice legal words. But that's a very easy way to tackle a first step, perhaps.
And then you have a few people dedicated to enforcing that because, of course, except for that article, you need some enforcement tools that you give to the agency. But if these people get the experience to work with the law and find their way into researching the Internet, doing something with the right tools, with the forensic tools, then they get the experience to go onwards and do more difficult tasks.
But if you also look at what happened in the Netherlands, basically, is that we found, from day one, all these cases that had to do with fraud or with others. We pretended often that it was just button pushing and went after these people anyway. Perhaps we lost those cases seven, eight years later in court, but the crime was stopped in 2004, '05, and '06. It was very effective against all sorts of fraud being committed in the Netherlands, even from abroad, because we just stopped, for example, with SMS spam saying congratulations, you won 500 euros. Call this expensive telephone number. We just called the operator and said do you want to be associated with fraud? Usually they said no and a day later the number was closed. So there was no enforcement. There was no forcing anything, just saying do you want to be associated with this, and they wouldn't.
So in other words, the Netherlands did not become attractive anymore to these sort of people, and we basically drove SMS fraud spam away from the Netherlands for years until a new guy came up, and he was stopped also. And then we could even find someone in the Netherlands.
So in other words, you can be a lot more effective than just spam messages, but you have to have the provision in your law to do so. You have to have the commitment of an organisation. And we were only four people starting this. Just four people, and 85% went down. Remember? So in other words, it can be very effective if you have this dedication from the government that says I have a few people doing this, and they are allowed to do some training courses to know how to do this, and that's actually how you start changing things. And that's one option.
The other one is to start at the top, but that's up to a country to decide.
>> C. BOYER: Thank you.
Chris, do you have anything to add?
>> C. PAINTER: Yeah, just a quick comment.
I know it's difficult when you have limited resources, but I think this is not an area where you can necessarily follow a linear path where you say, well, first we'll do this and then we'll do that. I think you need to pursue parallel paths.
You have to have good laws in place, particularly good cybercrime laws, because you can have very trained personnel to fight some of these threats, and if they don't have the legal structure in place, it doesn't matter. The same thing, if you have great laws in place but don't have the trained people to enforce those laws, you are also not going to be effective.
So you have to look at these things together and look at both combating threats and strengthen things for networks. That's national strategies, that's building CERTs.
So there is a lot of material out there because a lot of countries have gone through this for countries to use and best practices for them to learn from and capacity building opportunities for those countries, particularly in the areas of building their legal structures and in building institutions like CERTs, and even for law enforcement training. But I think it's one of these things where you have to address it at multiple fronts at the same time and not say we'll do one thing and when we finish that we are going to start engaging the next step of the process.
>> C. BOYER: Thank you. I'd like to ask if there's any remote participation at the moment.
>> Yes. So Mr. Gideon from Kenya wants to make a video call and wants to comment.
>> C. BOYER: Okay. I assume you know how to arrange for that. I didn't know that was possible.
>> Wait a moment, please.
>> C. BOYER: No problem.
Can we take a few other questions while you are setting that up? Is that possible?
>> Yes, you can move on to the other participants. I am sorry for the inconvenience.
>> C. BOYER: It's not a problem. While you set it up, I will ask any other participants if they have any questions.
Yes, gentleman back here. Yes?
>> Thank you. Thank you. My name is Patrick. I am general manager for the Pacific CERT based in Fiji.
Firstly, an observation or something that I think the panel might have taken for granted but which I think needs to be mentioned, and that's that we all seem to take for granted that these three issues, spam, hacking, and cybercrime, are important issues, are big issues. But I think it should be asked how big exactly these problems are. What I am getting at is the importance of statistics. We need to be able to measure these problems and not just measure them in the jurisdictions where they are measured currently now. We need to focus on the jurisdictions where they are not being collected now, like my own Pacific Island countries. There are no statistics for spam, for cybercrime, for hacking in these jurisdictions, and we don't know how big that problem is, and I think that's something that we need to focus on first.
And that leads in my second point in that when we are talking about these issues, we are talking about security, we are talking about the weakest link, you know, your security is only as good as the weakest link in that chain, and emerging developing economies, like in the Pacific, you know, we are getting on the Internet now, faster Internet, better connections, and there is a big potential for our economies to become hubs for cybercrime, to become hubs for spam because of the lack of expertise in our region. And I think that's something that we all need to keep in the forefront of our minds is that, you know, when we are dealing with these issues, you have to develop or we have to deal with them on a global scale. You've got to look at the smaller economies and help them to be as secure as the bigger economies because otherwise you are just going to drive these criminal factors into our own jurisdictions, so they will start operating out of our countries.
The last thing I wanted to -- well, to ask the panel is I was glad to see that two panelists had mentioned associations of CERTs. We have Sri Lanka CERT and there's the U.S. CERT as well, and ID CERT, Indonesia represented on the panel. You know, what I am asking is has the panel dealt with CERTs in relation to these issues? What are your impressions of CERTs in relation to these issues? And what do you think or what role do you think that CERTs should play in dealing with these issues from a governance perspective?
Thank you.
>> C. BOYER: Yes, Jayantha I believe would like to respond.
>> J. FERNANDO: Thank you, but are we having the remote call in, Chris?
>> C. BOYER: I was going to ask that question. Is the remote call ready?
Doesn't appear to be, so why don't you go ahead and go, then we'll circle back.
>> J. FERNANDO: Yeah. So thank you very much for the question from the gentleman from Fiji.
Well, I completely agree. All of the issues you mentioned are relevant, and there's importance for countries and organisations in those countries to work together to set up proper technical coordination to support law enforcement and policymakers. That is very, very important.
You asked the question about CERTs. I believe each of the panel members here is passionate about it, and they speak with one voice that the role of the CERT, both from a country perspective, from a regional perspective, and from a global perspective, is extremely important to deal either with spam and malware issues associated with spam or whatever, with cybercrime enforcement issues, or with any other issues associated with broader cybersecurity and other areas that many of the panelists dealt with.
From our own experience, we see that a CERT, by itself, in a country cannot work effectively unless they are part of a regional community. So in the Asia Pacific region, we are fortunate that with a lot of help from JPCERT and AUSCERT, the Asia Pacific CERT, APCERT, has taken a leapfrog initiative to support coordination in the Asia Pacific region. And Sri Lanka CERT became a full member of APCERT and became certified to host drills for CERTs.
That, by itself, is not enough. There is a need for global coordination, and that is where often we don't hear them very much spoken of in these fora, but the forum for incident response teams, FIRST, is a very important organisation from a global perspective, and we are increasing -- we increasingly urge countries that have established CERTs to become full members of FIRST in order to effectively collaborate from a global perspective. And that is all I need to add for the time being. Thank you.
>> C. BOYER: Yes. Any other comments on measurements and awareness raising?
Karen, I am sorry. Why don't you go ahead and go. I think we do actually have a written copy of the remote question. So can we ask that question and then kind of come back to this particular topic?
>> So Mr. Gideon, he commented that on the international crossborder identifications and conventions, they should be made as harmonization of existing cyberlaw. This ensures that all countries are in clear understanding of the proposed legislations to prevent a situation where laws are met on an international level and yet individual nations don't understand it.
We also have one comment from Mr. Faso Hassan. He asks is there any initiative to bridge the cybersecurity initiatives between the U.S. and the European Commonwealth and with the developing countries? Thank you.
>> C. BOYER: Okay. Chris?
>> C. PAINTER: Let me start with the last -- the live question that was asked and then go back.
So on -- well, actually, Karen was going to answer that, so let me pass.
>> C. BOYER: Karen was going to go first. This is on the measurements and awareness raising.
>> K. MULBERRY: I was just going to respond to the first question that was asked some time ago in the fact that as part of the programme that I have been -- I have put together, I do have a company that has offered to do free analytics for developing countries. So if you want to get a better handle on what's going on in your network and the traffic and what your issues might be, come see me, and I will provide you the information and the instructions for getting a handle on the analytics, and hopefully that will assist you.
>> C. PAINTER: This is Chris Painter.
First on the statistics issue, I think that's a challenge for all of us, frankly. It's very hard to measure the cost of cybercrime, and we get various different results.
But I agree with you that it's important to have that statistical basis to see what the scope of the problem is. We all know that the problem is large, but it helps drive policy as well.
On the issue of the weakest link and countries now getting connectivity dealing with these issues, that's absolutely right, but it also presents not just a threat but an opportunity, and I think the opportunity is that countries who are now getting greater connectivity, who are getting cable drops, et cetera, can now respond and put policies in place from the beginning rather than the U.S. and many others who have had to add policies after the fact. We had the technology, we saw the various issues it created, and then we started adopting policies.
Now I think you are in a position to have the institutions, have the strategies, have the cybercrime law in place, and really deal with these issues head on, knowing what's coming, and I think that presents a real opportunity, but that also means that you need to have the tools to deal with that, and that's where capacity building comes in again.
And on the role of CERTs, you are right. All of us here have said this is a critical element, and I totally agree that regional organisations play an important role in that as well, and I'd say that one of the key things in a national strategy is having a national-level CERT and cooperating with other CERTs around the world. And how often do we deal with CERTs? Even though I am at the State Department and have more of a policy role, I deal with folks in our U.S. CERT and Department of Homeland Security literally every day, and it really is important to have different parts of your local government working together, including the technical community, law enforcement, and the policy community.
On the questions that came in over the -- I guess the phone, we do believe that the Budapest Convention I mentioned, cybercrime laws, provides an important model and really the only model out there that countries should either accede to that and get the benefits of that Convention or at least model their laws after it. It addresses consistency and allows much better cooperation on cybercrime.
I think the idea -- and it's been sometimes floated -- the idea of doing a new global convention, I honestly think that would take about ten years to accomplish, and you would end up with something not as strong as that Budapest Convention is now. So I do think this is something where many more countries are adopting it and modeling laws after it, and that's important.
As far as U.S. and European -- (Beep) -- cybersecurity strategies and how that could be shared with the rest of the world, that goes back exactly to this idea of capacity building and getting the message out.
You can learn, you know -- we've made -- we made, I think, a lot of good progress. We've also made some mistakes along the way. You can learn from both of those things, and I think we can share that information and, indeed, are intent on doing that through capacity building.
One last point in terms of the opportunities. A good example of this is Kenya. We did a capacity building seminar with the Government of Kenya, cosponsored it for the East African countries, and with that, we talked about cybercrime, we talked about building legal structures, we talked about cybersecurity, we talked about working with the private sectors and other stakeholders, and what was really amazing is Kenya has some -- they've recently gotten a lot of connectivity through cable drops there, and they've developed some tools like M-Pesa, an online payment system, in many ways more advanced than systems I have in the United States. So you have innovation happening in the developing world, and for that innovation to succeed, having good policies in place is important.
So we have to link those together.
>> C. BOYER: I would like to make a quick comment as an industry panelist, that CERTs are important from an industry perspective. In particular in the United States, U.S. CERT is really part of an entity called the National Center for Cybersecurity Integration. There are companies such as many that literally have people in the room with a 24-by-7 operational capability to try to deal with some of these cyberattacks as they arise. When we talk about cybersecurity, one of the issues we like to talk about is public-private partnerships. I think the partnership between some of the industry CERTs and U.S. CERT and working with entities like the NCIC within the United States is something that will hopefully continue to grow and give us a better response capability.
So you asked the question about the roles of CERTs, I think it's also important from an industry perspective as well.
Yes.
>> W. DE NATRIS: This is Wout de Natris. I think a good example, as an Action Plan member and when we got an invitation to present, we presented there on the way we fight spam, et cetera. And we got very good responses from that presentation.
I think what's another good example is that with the national cybersecurity centre, Dutch CERT, what happened is when there's a crisis there, teams form around that crisis, and bringing in different sorts of law enforcement agencies, those of industry and governments, deal with the crisis together.
So I think that is a possible model to go forward and bring the right expertise into a crisis situation in a country when, for example, the telecommunications business gets hacked or something like that.
Also, I think a good example happening in Europe at this moment, there is an initiative called cyberevent centre, a 50% EU-funded project and 50% industry funded. There is a consortium which has been built which has very different partners within it, so ranging from national CERTs to industry to law enforcement to governments and all trying to tackle the botnet problem together and mitigate it. And it has two different pillars. One is a set of national support centers like Germany has at this moment called Bot Free, in which users are being helped through a website in a back office to clean their PCs or devices once it is infected with malware.
The other thing is a little bit more revolutionary is that there's going to be a central database in which everybody who wants to share data on botnets or on malicious traffic can put that data into the database, where it gets analyzed, enriched, and mixed with all sort of other known data, so actually, the patterns behind botnet is going to be -- is going to become clear. And that means that you may also be able to do something about the people that are running the botnets or hosting the botnets or making use of the botnets. So in that way, you can perhaps over time push the problem back into less dramatic proportions, and that text may over time become less effective, so maybe it will even go away hopefully over time.
If anyone is interested in this project, in ACDC, as we call it, please come up and talk to me after the meeting.
>> C. BOYER: Just to elaborate, I think what Wout is mentioning now is in many countries, there has been an effort to notify users who may have been infected by botnets, how to remediate their machine. I believe those initiatives have started around the world. I know the Australian code is there, it has happened in Japan, Germany, and in the United States there are ABCs for ISPs developed, which a lot of ISPs are following to notify their customers. There's also efforts under way to measure the state of botnets through metrics and other types of things. MAAWG has a metrics initiative under way.
Chris?
>> C. PAINTER: Just under that botnet issue, one thing we are trying to promote around the world, in response, quite frankly, to some botnet and denial of service attacks on our financial institutions over the past year, is much greater international cooperation and fighting this threat. And what it's meant is we've reached out both through our U.S. CERT to their counterparts around the world, where there are counterparts -- in some places there are not, so this is the importance of having these kind of institutions in your government -- but also, interestingly, through diplomatic channels, to say, you know, this is not just a technical request you are getting through your technical authorities. This really is important to us. This is something where we really do need your help to combat a threat, just like any other threat that's out there.
And to be receptive that if a country makes a request of us to fight that same kind of threat that we're going to be responsive to them as well and to build that norm, if you will, of greater international cooperation. Not every country has the institutions in place to be able to do that effectively, and that's part of the capacity building, but I think these kinds of collaboration against external threats like botnets are a real critical way of going forward.
>> C. BOYER: I completely agree. I think that's a critically important issue. I think even on the industry side there's efforts under way to carry a little bit of mutual self-aid by establishing those relationships internationally among some of the major ISPs as well.
Wout, do you have anything to add?
>> W. DE NATRIS: Just reminded of another comment.
Coming back to the gentleman from Fiji on how actually to assist countries in developing countries with the problem, there is a lot of knowledge out there and tools out there that western companies at this moment are using, whether it's through filtering or other best practices that they actually use, is there a way to assist those companies in developing countries with getting access to these sort of tools so that you can actually implement it before the trouble really arises? Because that's probably one of the best ways to defend a new economy from all the harm that is being done here because we have implemented it years after the fact.
And I don't know if it's a financial or a technical problem, but it's something that may be worthwhile looking into and see if it's possible to do something from that angle.
>> C. BOYER: I don't know if Karen wants to comment on that, but I think that ties back into the capacity building side of things.
>> K. MULBERRY: Thank you. Karen Mulberry, the Internet Society.
Actually, that's part of what our project is all about is actually bringing together parties that have expertise in analytics and many different fields and forms into areas where they can work with providers, networks, governments, and understanding all of the components that are out there and the tools. As I mentioned, I've got one company that will do the analytics for a network operator to give you a better sense of your traffic and where, in essence, malicious emails may be coming from and what language they may be coming from to give you a better understanding of how you want -- you might want to approach management on your network.
So there are a lot of vendors and experts willing to assist, and what we are trying to do is facilitate getting them in front of the developing countries that have the need so they can share.
>> C. BOYER: Any other questions from the audience? We have about 45 minutes left. And just a quick comment, I'd like to talk briefly about cybercrime, and then we have about eight questions that were teed up by the stakeholders that I'd like to walk through as well to close the session. So let's quickly take a few more questions from the audience, and then we will touch on cybercrime, and then at -- promptly at 5:00, we will wrap up with the last 30 minutes addressing the questions from the stakeholder groups.
So any audience questions? Yes.
>> Thank you. My name is Tiarma. I am from Indonesia. I am a postgraduate student for defense management.
As much as we are gaining and benefiting from the Internet, we promote democracy, human rights, equality, as much as -- by the way, I am studying terrorism. I mean, I am studying on terrorism object. They are also gaining benefits to, you know, propaganda on their narrative instructor capacity building and also operating military operations.
In Indonesia, we have established sort of like a counterterrorism, and I understand there is an Internet analysis integrated to this counterterrorism. But my question is actually what is your -- I want to know -- I would like to know your perspective on what is the effective way to integrate this into counterterrorism, probably based on your respective country's experience.
Thank you.
>> C. BOYER: Anyone want to take that question?
It doesn't look like it. So maybe we'll have to talk offline about that. I don't think we have anybody up here that has the expertise in that area.
>> C. PAINTER: The only thing that I'd say is there's two different aspects here. There's terrorists using the Internet to recruit, plan, et cetera. There's the concern of terrorists, just like other threat actors, attacking critical national infrastructures on the Internet. And there are two different issues.
The latter is something that we're worried about but we really haven't seen but we need to be prepared for, and that's the same kind of steps we take to protect our national infrastructures, prioritize them, have good responses in place for that.
In terms of terrorists using the Internet just like other criminals that are out there that are doing it, you know, I think that we need to be aware of that, we need to take appropriate actions to deal with that, and you know, for instance, there is some laws in the U.S. about promoting -- of actual material support for terrorism, and there's been some enforcement around that issue.
So there's a variety of different ways the Internet is used and very different responses we have to adopt.
>> C. BOYER: It appears that we may have another remote -- one second on the remote question, and the other Chairman would like to speak as well.
>> We have a question -- (Speaker off mic). No, it's a comment. The one question we need to ask ourselves is are the strategies we have been using in developed countries to tighten cybersecurity working, where have we felt maybe the developing countries can copy from this?
Thank you.
>> C. BOYER: Thank you for the comment.
Mr. Chairman, would you like to speak?
>> E. MAKARIM: I would like to speak in Indonesia. Please translate.
The main word for terrorism, there are two things. Firstly, the belief of something that creates. Another thing, and being regardless, there are words that are offensive, for example. For this type of distribution, if there are illegal content in the related cybercrime itself, then you can bring this to court.
Cybercrime, first additional protocol.
But for the second criteria, we are still unable to protect all the infrastructures itself from the threats of terrorism if you think it's an effort to crack down our infrastructure. So we go back to whether cybercrime that is within a law of a certain country has reach to the illegal content and the interference of the system itself.
Thank you.
>> C. BOYER: Okay. All right. I'd like to now quickly shift to cybercrime and ask each of the panelists to comment there, and I think the main topic is around, you know, what are some ways to strengthen law enforcement cooperation, particularly internationally, in dealing with cybercrime?
I don't know who wants to go first. You want to go first? Jayantha is going to go first.
>> J. FERNANDO: Chris, is there a specific question that is required to be answered?
>> C. BOYER: I think it's really just around what should be done to enhance efforts to deal with cybercrime.
>> J. FERNANDO: Right. Well, dealing with cybercrime, we need to have proper legislative and enforcement mechanisms in place. That's the first thing. But having a statutory legal framework by itself in a particular country will not be sufficient if it is done in a manner where it is not compatible with global practices and norms that ensure greater collaboration and cooperation for law enforcement agencies to collaborate.
This is where, when countries adopt legislative measures, they must -- they can look at options, they can look at available models, but they have to put in place statutory features that ensure harmonization and best practice tools that are available globally.
So in Sri Lankan experience, what I can say is that when the ICT development strategy was adopted about ten years ago and with all of the technology-based innovation-based activities coming into the market, we had a string of or a burst of activities around criminal behavior using Internet as a tool to hack into our systems, and there are certainly vulnerabilities detected.
To address this phenomenon, we looked at options available, and of course, Sri Lanka being part of the British Commonwealth, we looked at the Commonwealth common law as a template or tool we could use. We looked at the Computer Misuse Act. And adopted features of both in our national legislation and included provisions that are known as the Harari Convention for mutual assistance and legal cooperation that is applicable to countries which are part of the British Commonwealth. However, we found that was insufficient because we had to engage in cooperation with United States, Japan, and European countries that were not part of the British Commonwealth. So when we looked at the legislative options, we found that the Budapest Convention was the best available template or the tool in terms of legislative norms, not only for its substantive law elements that we were able to use, but in terms of the checks and balances that are necessary for investigation and prosecution of cybercrime-related offenses.
We found that the Budapest Convention was the best way forward.
So what was done was to use the Budapest cybercrime Convention as the model for our legislative formulation of the statute called the Computer Crimes Act that was passed through parliament in 2007, and that, in turn, led to a series of other activities associated with capacity building, empowering the law enforcement with digital forensic tools, et cetera, et cetera.
But from a global perspective, what is important for a country to realise is that, as I said earlier, cybercrime cannot be dealt with one country alone. It has to be done in collaboration with multiple countries and with multiple law enforcement agencies sitting in with different forms of legal traditions.
We had common law tradition, and we sometimes had to deal with countries having civil law tradition. So Budapest Convention is the best available because across traditions, you have one single Treaty that allows for law enforcement cooperation to deal with cybercrime.
In terms of capacity building -- one last point, if I may, Chris -- we found that putting in place a statutory framework by itself was not sufficient. Law enforcement and the judges had to be educated. And there again, we did not have the resources to do that by ourselves. So we reached out to the Council of Europe, and just the week before last, we hosted a very effective law enforcement judicial training programme in conjunction with Council of Europe in Sri Lanka where over a hundred participants covering the judiciary, law enforcement, and private sector took part, and there was a lot of collaborative efforts put in that connection.
And what I want to finally highlight is that the Council of Europe has put out a very useful tool called the electronic evidence guide that provides for a regime that can be adopted in any given country in gathering of forensic evidence and presenting them before courts of law.
So these tools and best practices and access to these best practices was the end result of engaging in a collaborative exercise with the Council of Europe.
So with that, I will close for the moment, but I will be happy to answer any questions connected with the need for harmonization and to effectively deal with law enforcement cooperation.
Thank you.
>> C. BOYER: Thank you very much. Any other comments from the panelists?
Wout, you want to go first? Yes.
>> W. DE NATRIS: This is Wout de Natris. As I said, I am representing the London Action Plan now, and when you heard my comment, you know I put that cap down, I put my own one on at this moment. So I am speaking in a private capacity.
But last year I was able to do a comparative study in Europe, sponsored by one of the bigger companies in the world. What we actually did is we approached organisations in Europe that we knew were somehow working on cybersecurity either from a security point of view or from a legislative point of view, and we asked several questions. And what the main conclusion basically was is that we need to break down silos at the national and international level. Because these organisations said it is so hard to even cooperate together because whether it's from a privacy point of view, from a financial point of view, or because we can't speak technically to each other, it's almost impossible to share information and data and specifically privacy-sensitive data. So how do you go about solving problems like cybersecurity if you can't tell what is actually going on, with whom, and where.
That is at the national level, because organisations do not find each other, they don't know who they are, and that's at the international level even worse because then you don't know at all who to address unless you're in the same community together. So what actually happened is these organisations also stated, but it's not in my remit to change this. That's where I come back to the London Action Plan where we discuss this sort of thing very often, where everybody concluded it is not for me, as an independent regulator, often, to discuss this with my government because I have been given a specific task, and it's not there to criticize my government that I can't do my job in the right way.
So in other words, these organisations just do their job, and it's not their job to break down silos or find new paths or do massive international relations work or coordination work if that's not in their remit. So in other words, if that is not looked at, things will never change.
And then we come back to the role of a government, that it may be time to reevaluate the new world where we are. Because this is a new world without barriers. The criminals don't have any boundaries, borders, legal whatever. They just go over a fiber optic wherever they want to go. And of course, in the end, the crime is always being done at somebody's doorstep. The trick is to find out whose doorstep that is.
And as a last comment, I will go into a court case that my former employer lost in the highest court possible this spring. It was on a malware case where a Dutch company that was selling advertisements online had a lot of people working for them to infect computers around the world. These guys were very effective because they were number 7 in the world in 2006. They had about 23 million computers all around the world at their disposal.
What we were able to do was shut down the organisation itself, but then we started investigating, and they had 1770-something what they called affiliates, people who infect computers. Some were effective, some weren't. But of those 1770-something, only 3 were in the Netherlands. Two were moderately successful, and one wasn't effective at all.
The other of the 1770-something were abroad, so in other words, there's nothing a Dutch legislator could do about it, and how do you reach people in Colombia, in Venezuela, in Russia who were doing the actual infections?
Then the guys who commissioned the infection were acquitted of that in court because the attribution rule in the law was not written in the correct way. So in other words, they were not responsible for their deeds according to Dutch law. The second judge said yes, after that, the computers were shown commercials or things and spammed, but they were sent abroad, so the violation was abroad. So there's nothing you, Dutch regulator, are allowed to do about that because the violation is somewhere else.
And now the strange thing happened that we already knew that if somebody sent spam to us, the Netherlands, from around the world, we would never have jurisdiction because the button is pushed somewhere else. So now we have this strange contradiction that when the button is pushed in the Netherlands and it goes out of the country, the regulator is no longer allowed to deal with it. But the other way around, when it gets on my computer and infects my computer or spam is shown on my computer, it's also not allowed to do something because the button is pushed somewhere else. So in other words, if governments don't start dealing with this angle of the problem, then we are lost. If somebody doesn't do anything when they push a button and send to a Dutch computer -- and there are not so many around anymore.
So here is the major challenge. How do we take down borders and help these organisations actually be able to do their jobs? Next to finding the right sort of laws in countries that don't have them yet.
(Beep)
That's another beep in my words. I didn't say that myself.
(Laughter)
>> C. BOYER: Chris, do you want to comment?
>> C. PAINTER: I think that a couple of things. One, this is really the other side of the coin from the cybersecurity thing that really go together. One is making sure that you take all the precautions you can and build all the defenses you can to protect your networks, but you also have to have consequences for the people who break into them or use them for illegal purposes, fraud, et cetera.
So if you have the best security, some people will still get into networks, still cause criminal misconduct, and if there's no consequences for them, they'll keep coming and the threats will get worse.
And if you only have good enforcement but no cybersecurity, then it's also not a complete solution, so they go hand in glove.
I will say I've seen a real advance over the time I've been doing this over the last 20 years, and certainly over the last five years too -- (Beep) -- there are three, I think, elements of this. One is having good legal structures in place. You may remember years ago with the "I Love You" virus where they traced the person, you know, to a country and that country did not have any laws that punish that kind of conduct. And there was another example where someone broke into the court system in another country and took information, but they said well, that's not property. It's just information. So that wasn't a crime there.
And a lot of countries now have modernized their laws, either, as we've said, our strong preference -- and I think many countries are -- is to adopt -- become a member to ratify and become a member of the Budapest Convention, but if not, to actually emulate its provisions because that provides a really good framework. So having that legal structure in place is one pillar.
The second pillar is having trained enforcement authorities, and that's something that, you know, does require effort in countries to make sure that people have the technical training and the ability to work and also are working with the private sector and others in their countries.
And the third is how you deal with cooperation internationally. And there I mentioned this 24/7 network before. Interpol is doing a lot of work. In fact, they are establishing an Interpol centre in Singapore next year, for instance. So there's been work around that. And there's been a lot more international collaboration and cooperation on those threats because these are transborder threats. Almost every cybercrime is not located within one particular country.
So I think all of those efforts need to be continually promoted. Countries need to join on those. I think -- and I go back again to developing world countries too because I think it's critical that they have those legal structures, those trained officers in place, and work with the rest of the international community in collaborating against these threats.
So I think those are all critical elements going forward.
>> C. BOYER: Thank you. Any other comments? I believe Mr. Chairman has a comment.
>> E. MAKARIM: Thank you very much.
I think if you would like, we would revert to the characteristic of the formulation of the sentence itself. In Indonesia, we call this the link. If this is a formal offense, it means if the activities have been done, no matter the result has already finished out yet, result created yet at the victim, since the beginning, after they are finishing their bad activities, the criminal would be applied.
So in this context, since the beginning we had already imagined that everyone goes to Internet, have a motivation to go globally. So in multiple jurisdictions, every country will have a right to put -- to implement their jurisdiction. If they don't have jurisdiction, it might be a big problem. But if every country has their own article saying that extra-territorial jurisdiction, we can consider to what extent the dual criminality in each country had formalized in their sentences in the legal provisions.
I think the people have already known about that. Thank you.
>> C. BOYER: Thank you very much.
We are down to about the last 20 minutes. So what I'd like to do now is go through -- I am sorry. Do we have a question? Yeah? No? I don't think we have any more time. So what I am going to do is do a quick wrap-up of some of the takeaways I have from the session this afternoon, and I'd like to ask each of the panelists to maybe comment if they have any final comments that they'd like to offer to close here.
So what I heard throughout the discussion was -- yes, before I begin, there is a series of questions that were provided prior to the session from the stakeholders of the IGF. In looking through them, I believe we've addressed just about all of the questions. If anyone -- if folks have not seen them, they are available through the website. If there are -- but if you have additional questions or feel like these were not adequately addressed, please let me know.
Most of the questions deal with areas that we've touched on, including the Budapest Convention, the role of the IGF in helping sustain countries that are less equipped to deal with various cybersecurity issues, the territoriality of fighting things like spam, hacks, botnets, and cybercrime; the role of law enforcement; then uniform laws on cybercrime and the legal mechanisms to support Internet Governance and multistakeholder structures.
I think we've touched on most of those topics throughout the conversation this afternoon, but if folks have additional questions they would like to raise, I would like to ask that as the final part of this session.
The main takeaways I had were there seems to be a consistent theme in dealing with both spam, hacking, and cybercrime around capacity building, particularly in developing countries, sharing some of the practices that are already available today, and how to make some of that scalable on an international basis. Karen talked extensively about the programmes that ISOC has initiated to help with that effort, but there seems to be a general theme there around general capacity building.
Another theme I had was there's a need for international and regional cooperation, even at the operational level through the role of some of the CERTs and other capabilities. And then from a cybercrime perspective, the need for legal frameworks and just general harmonization around some of the different cybercrime laws and general discussion of the Budapest Convention. So those are some of the things that I took from the Panel Discussion.
But I'd like to ask each of the panelists if they have any closing remarks.
Okay. Chris, go first?
>> C. PAINTER: Sure. I mean, I think this is a very useful discussion, and as not surprising, all three of these topics were interrelated, and they are interrelated, and I think it's important that we think about how -- you know, how we can make sure that the things that are being done around the world and things like the Budapest Convention, like the capacity building efforts, like the best practices that are out there, like the work of MAAWG, et cetera, are known throughout the international community.
I think that the IGF can play an important role in highlighting some of those efforts and calling countries' attention to it.
There were a couple of questions in those questions we got, Chris, that I thought were interesting and perhaps we didn't completely address them. One of them was how can we achieve both security and openness, and I think that's an important one. And what I'd say is cybersecurity is critically important, but we have to do that at the same time as securing the openness of this platform because the openness of the Internet is what drives the economic innovation and growth and social growth.
And so in the U.S., when we did an international strategy for cyberspace, we explicitly said we wanted an open, interoperable, secure, and reliable information communications infrastructure, both in the U.S. and around the world, and we had to have all of those things. We don't need to make one over the other. We can't use security in a way that impinges on openness, but we have to have both because security makes openness possible.
The only question I think we didn't really address is someone said they don't see that many people from, for instance, the law enforcement community here, and I think that's an interesting point. I think it's very valuable at forums like this and at the next IGF to have as many different stakeholders here, not just stakeholders in terms of the three communities -- or four -- civil society, technical community, governments, and industry, but also within those different communities have a good variety, and even for governments having both law enforcement and policy people and people involved in other areas. I think that's critically important, and I'd encourage that.
So with that, thank you for this discussion, and thank you for the questions.
>> C. BOYER: Jayantha?
>> J. FERNANDO: Thank you, Chris.
So once again, this has been a very interesting and a rather lengthy Panel Discussion, I must say, even without a break, and I must thank the audience for being with us because I thought we would be the only ones ending up here by this time.
I have a couple of points I just want to make in conclusion. I agree with Chris that all these three topics are connected with each other, and there's -- there is a role for governments, the private sector, civil society, and all of the community that we are part of in all of the elements that we discussed this afternoon, and that is a key message I want to give.
Secondly, when countries adopt cybercrime, cybersecurity strategies, they must remember they cannot address it in isolation. They have to do so in a collaborative manner, and in engaging in collaboration, they must look at options that are best in terms of global coordination, harmonization, and effective judicial and law enforcement collaboration.
Thirdly, countries dealing with cybersecurity, cybercrime issues should work with regional groups, subregional groups, et cetera. So I believe Mr. Mark from the UK government is sitting right next to me. He is heading a Commonwealth IGF discussion, I believe on Friday, that will look at some of these issues in relation to countries which are part of the British Commonwealth. Sri Lanka is part of the countries that were part of the earlier British rule, so there are 53 countries roughly within the Commonwealth, and that regional group has done an enormous amount of work in the area of cybersecurity and even helping countries to formulate cybercrime legislation through initiatives known as the Commonwealth Cybercrime Initiative.
So there is a need for countries to work together in collaboration with regional groups, subregional groups, and whatever group that they can work with to better harmonize to ensure global cooperation in the effective fight against cybercrime.
Then one of my final messages would be that in putting structures to support law enforcement to deal with all of these issues in a country, law enforcement themselves cannot do it. They have to depend a lot on the network service providers, et cetera. And they have to be regularly updated with the new technologies and the novel methods of dealing with cybercrime incidents and so on and so forth. To do that, there is a need for private sector collaboration. There is a need to work in conjunction with international organisations, such as the Council of Europe or Asia Pacific CERT or FIRST or whatever European organisation. So a country should remember that they should not be working in isolation with a small group of people to put structures in place. They have to look out for best practices that might affect their own territory.
From Sri Lanka, from my own experience, having looked at all of these options, we have benefited significantly.
Chris Painter mentioned sometime earlier that Kenya adopted a mobile payment system. Sri Lanka did the same in August last year, and we became the first this year to issue a mobile payment license to an international player who started operations in the country, and one of the reasons why that happened was because we satisfied the best practice rules in the area of effective management of cybersecurity incident responses as well as legislative mechanisms to deal with cybercrime offenses. So there's a lot of benefit the country will have if we adopt global best practices. So that is what I need to mention in conclusion.
Thank you very much.
>> C. BOYER: Thank you.
Any other comments from the panelists?
Karen?
>> K. MULBERRY: Yes, thank you. Karen Mulberry, the Internet Society.
I just wanted to thank everyone for allowing me to have the opportunity to explain to you about our spam initiative, and I look forward to working with everyone in the -- that has participated in this discussion and growing this and hopefully having it as an enabler to encourage a lot of international collaboration, as well as pulling the multistakeholder community together to work on this initiative.
Thank you.
>> C. BOYER: Thank you, Karen.
And I'd like to propose that as part of the final report that we actually include some of the examples that you mentioned today, including some of the MAAWG practices, the London Action Plan. We can attach them to the report for this session. Unless there's anyone who objects.
>> W. DE NATRIS: This would be maybe a bit of a wild idea, but they are at an IGF in a specific region each year. That's one. There are most excellent minds present with a lot of knowledge, so is there a possibility to, for example, kick off the IGF on Sunday or Monday with specific trainings? There are a lot of people here that want to know things, and in a panel of one and a half hours, there's a lot of knowledge shared, but it's not training. It's not hands-on something. So that -- is that an option to look into, if that's actually possible to do in the future? Because then people go home with something else than just talks.
>> C. BOYER: Perhaps that's a recommendation that we could put in the report for the IGF stakeholders as an output from this session, since one of the main themes was capacity building throughout the conversation today. Okay. So that and the attachment of some of the examples that Karen discussed will be two of the outputs from the session.
All right. With that, I think this session is closed. Thank you very much for participating. We appreciate all the questions from the -- oh, yes. Sorry.
(Applause)
Let me see if the Chairman has any remarks. Yeah, the Chairman would like to make a final closing comment.
>> E. MAKARIM: I just want to make only one paragraph to say about our discussions.
Based on the qualitative perspective, I found that it was undisputed there is strong correlation between spamming and cybercrime. And it depends on the motivation. If only promotion, it might be legal and legitimate interest. But if the motivation is bad, to make the consumers become unpleasant or destroying or make the system not working properly, it would be classified as cybercrime.
To handle cybercrime cases, maybe it would be better if in the future we will talk about transfer of cases because in the multiple jurisdictions, I believe transfer of proceedings may be one of the solutions for all of the countries that have power to implement their cybercrime legislation.
Thank you, and I give Mr. Kummer also a chance.
>> M. KUMMER: Not closing remarks, more from an organisational point of view.
Some of the issues touched upon, and in particular the very last question we received from the stakeholders, which is about a reasonable balance between the nation's interest in protecting the security of its citizens and the citizens' rights to privacy, freedom of expression, access to information, freedom of association, will be dealt with more in depth next Friday, on this coming Friday, under emerging issues. We will deal with government surveillance, and the session is not as indicated in the written programme only one and a half hours, but we have extended it to the full three hours as we think it is of great interest to most participants. So if you want to always have the latest version of the programme, please consult the IGF website. Just notice the session on surveillance, Friday morning between 9:30 and 12:30.
With that, Mr. Chairman, I give it to you to formally close the meeting.
>> E. MAKARIM: Thank you very much to all the speakers, moderators, and participants for a fruitful discussion. We can -- I personally take some advantage from those discussions also.
I call the session closed and pass this microphone to the IGF Secretariat. Oh, there is not? Okay. I will close the session. Thank you very much for your attention.
(Applause)