IGF 2017 - Day 0 - Salle 4 - Mexico: Identifying Best Practices on Cybersecurity Through Cooperation


The following are the outputs of the real-time captioning taken during the Twelfth Annual Meeting of the Internet Governance Forum (IGF) in Geneva, Switzerland, from 17 to 21 December 2017. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 



>> VICTOR LAGUNES:  Good afternoon.  We're starting in 2 minutes, please.

Good afternoon, everyone.  Please, take your seats.  The session is starting now.

Thank you, everyone for being here in day 0, just starting our IGF ‑‑ (speaking language other than English).

I'll have this presentation in English, although I believe our audience is all Spanish speaking.

We set out to create our national policy for cybersecurity early in the year.  The difference mainly on the approach that we set out, and that we planned was not to create a public policy from government to the citizen, but actually create an ecosystem or get support from the Internet ecosystem to be able to create a multistakeholder policy.  From there, we basically set out our topic for today, identifying Best Practices in signer security through cooperation.  Four, five years ago we created a national data strategy, but it was missing one key piece, which was the support from cybersecurity and what that would entail in cooperation or collaboration with Civil Society with the English, with the technical and the academic groups.

There are not ‑‑ there is not a lot of information to start from in Mexico, right now some of the stories are telling us that the damage done by cybersecurity breaches is around 3 to 5 billion U.S. a year and this is increasing dramatically.

So there are a lot of initiatives and a lot of ministries dedicated towards the protection, of course, of the citizens online but the efforts are not coordinated, are not in collaboration with the Civil Society.  We, with the sport of the OAS this year, we created five events which were three workshops and two fora in which we basically invited the whole ecosystem to discuss openly any and all topics regarding, you know, the use of Internet and the threats of the Internet.  We did it in such a way because we wanted to invite Civil Society and the industry to discuss any topics in an open fashion, in transparent fashion.  We believe this issue of, for example, trying to establish or launch a public policy on cybersecurity while at the same type protecting Human Rights online is paramount, one of the most challenging ones.

All countries, they're having the same challenge.  The most mature, detailed countries, they have the same issue as well, trying to implement public policy on cybersecurity and also there is a perception or reality on the citizen that the Human Rights or privacy or censorship are being trumped upon.  We shared the document, and we did so with the whole community.  We shared it online.  We were open to ‑‑ it was open for discussion.  From there we took all of the questions and the comments and integrated a much more cohesive and stronger public policy document.  Throughout the year as I mentioned, we have the support of the OIS not only as an observer but as a contributor with experts from international landscape to come do Mexico and discuss these topics.

We also did a Forum with the government agencies, so basically the Senate, the Senate and Congress as well as the General Attorney's office and also we invited academic fora in which there were stories provided and a lot of dialogue from the academic sector.  The last one, which was one of the more interesting things, was with Civil Society, and we were invited to discuss openly topics around censorship and monitoring privacy and data protection.  The concern is the same for us.

It is still the same challenge that any country has, which is protecting citizens online while at the same time protecting their Rights as well.

We created a commission on cybersecurity, on what we call the commission of interministry for the government, and that's mainly the mechanism that we're using to publish the cybersecurity policy or the national strategy on cybersecurity.  From there, we learned from other countries in terms of Best Practices and their own national policies, so we encompass those and we summarized those and made in collaboration with the whole ecosystem we basically decided which pillars or objectives we were pursue and which ‑‑ which topics we would create as working groups.  So we'll be focusing our efforts in one society and Rights, two, economy and innovation, three, public institutions, four, public security and five, national security and national security is going to be done in collaboration with our national security agencies but it will be worked also as a separate effort.  What we call the cross‑cutting topics, or the horizontal topics we'll focus our efforts in, the culture of cybersecurity, prevalence in Mexico we moved from 50% to 70% of Mexicans connected over the last five years, and this means that our youth are connecting for the first time.  One of the biggest efforts in terms of our national strategy would be to create prevention mechanisms and prevention campaigns to increase awareness on what it is to be connected, not only realizing, of course, the full benefits of being online, but also understanding that there are a lot of risks associated with it. 

The other is capacity development and the creation of capacities around not only technology infrastructure, but also talent, trying to work with the academic sector to create those   graduate in diplomas and degrees around this area, not only in intel but cybersecurity. 

Coordination and collaboration, that's number three, and that's increasingly important as the policy, as I mentioned, has to be done in collaboration with the whole ecosystem, has to be done with collaboration with industry, technical sector and with Civil Society and ICT research development and innovation.  This also is a topic that will be launched in collaboration with the academic sector to foster those areas and continue growing, for example, the eCommerce platforms in Mexico.

Standards and technical criteria, very relevant to work with the international community, to be able to talk in the same language in terms of cybersecurity persecution and also the whole chain of ‑‑ therefore, the critical infrastructure, this applies, of course, to those agencies in Mexico that control the critical infrastructure, the energy, the oil, the gas, and also in collaboration with the banking industry, the aeronautics industry, so on.  Legal framework, self‑regulation, we need to mature, and we're also evaluating the whole legal framework in Mexico so that it can develop more agile in terms of, for example, new cyberthreats or new cybercrimes.  This also is done in collaboration with the international community.

The last one, measuring and monitoring:  So as this policy is getting developed, it needs to be monitored and measured.  It will be done as well in collaboration with Civil Society and different research, academic institutions.

All of these topics will be led by the one ministry.  I think we believe early in the year we're having ‑‑ we're having a meeting to discuss which agencies will be leading each of the topics so we can implement them fully and in a more agile way.

We, of course, posted as well our national strategy online on cybersecurity.  We call it a live document.  It will be improved upon with not only feedback and comments from the whole ecosystem within Mexico but also in Forums such as the IGF in which we continue to learn Best Practices and bringing those forward to the community as a whole.

We believe that this is the only way to create a policy that's implemented in a transparent way and can foster trust with our citizenship.

As we said, it is not so much as to create a national policy on cybersecurity, it is a balance between cybersecurity and privacy or data protection, so on, but to be able to create in parallel so that we have checkpoints when we launch the different campaigns and we set out to develop the different topics so that the citizenship in the country feels more secure but also trusts more in the frameworks that we're actually working in collaboration with them.  The public policy is published in Spanish and we have it also published in English.

With that, I leave it to questions if we have any.

>> I'll speak in English as well.

So, it seems to me that what we're lacking is tools to actually implement the policy in cybersecurity.  Let me tell you an example.  Crimes are already in the criminal code.  You can pretty much take the crime definition from the physical world to the digital world, right, but what we're missing is the tools for the cyber police, for example, to allow them to prosecute this crime in an efficient and speedy way as opposed to going to the attorney general and having to explain actually what's been committed in the Digital Environment.

I would assume that the next step of this effort, which I think has already delivered very good results would be to try to design this framework of implementation so that all levels of government and also the duty sharing and the police are able to implement this Best Practices for the management of the whole population.

>> Yes.  It is one challenge.  Definitely.

I believe it was one of the hurdles that we have to go through or have understanding when once we have created a national policy and once we create, for example, the cybercrime on the law, then the criminal exists and you have to prosecute that by law.

Now, the challenge is to be prepared for that, the whole chain, not only to be able to detect when it happens or to respond when a citizen is attacked or a system is breached to be able to prosecute, to investigate transparently, to investigate responsibly, but also to be able to educate or create the capacities, as you said, within the judiciary system so that we all understand that the crime happened or happened ‑‑ that's a challenge that I believe Mexico is not an exemption.  I believe we have to bridge the gaps rapidly. 

A step that we took is to launch this document as a public policy document.  It overarches or is an umbrella document that will serve as a guide to all of the different agencies, and we start working together and bridge those gaps faster.  We're learning a lot from the international landscape as well as to which steps we can take first to be able to gather capacities faster.

Did I answer your question?

>> AUDIENCE:  I have a follow‑up question.

How can one be more involved in helping developing and shaping the policies?

>> VICTOR LAGUNES:  We're part of an ecosystem.  And I was going to say we open the discussion, but the reality is that sometimes we lead the discussion and we create the forums and sometimes we're invited to different forums. 

The policy, it is an open document, a live document.  We're going to continue with this workshop and we're going to continue with the different forums in which we not only welcome feedback, but also contribute towards the different initiatives, the different groups that are launching.

In your capacity, for example, as Civil Society, we need to codevelop the points so that we can implement them.  I mean, specifically in terms of privacy, in terms of data protection, in terms of massive monitoring, so on, so we're closing the gaps faster and as I mentioned, we foster more trust in the whole ecosystem in the country.

Any other question?

>> Another question, firsts to congratulate you and the Mexican government because first of all in Mexico, I have been working with you, the Government of Mexico for seven, eight years and with not just this government but previous administrations, so in my capacity I have to say that it is ‑‑ it has been very difficult to connect to the outcome.  Many people have positive or negative criticisms on the document with valid points and I think everyone needs to be very humble to understand the different dynamics of the country.

The most important thing, it is that there is a document that took a lot of effort.

We do recognize as an organization that there was a recognition to pay more attention to the Technical Community, to Civil Society, of course, to the private sector, to accredited associations, to academic or the different organizations represented or documents for your consideration.

Of course, now you have as government challenges, which is the implementation.  We have the biggest challenge which is that this administration is about to end and you need to produce the results in really short terms and the current government, you have to do that as soon as possible and to the next administration, whichever it will be, it is to take this document, continue with implementation and to build on whatever it is already.

Congratulations again for all of the effort that I have witnessed, you and your team did the best that you could.

>> Thank you.  Thank you.

I openly recognize these areas, it is because of the support.  You well know that we set out to work together and I think that the team that we created was very strong and set out to develop this public policy, the national strategy with your full support.  Thank you so much.

You're right, we know that by launching the document we already know what it is missing and where it has weak points.  We understood that from the very beginning.  This is the first step, as you mentioned.  By challenges, the weak spots, it is basically the implementation point.  so a document is a document for itself, the work we need to do for the future, that is where the value comes from.  The administration is shifting next year.  We still have time.  We have time to leave a footprint so that the next administration can take that or take the second, the third step, we believe this is something that our national strategy, now the national strategy on cybersecurity, that basically it will continue.  It has nothing to do with administration changes.  It is a topic that needs to be worked upon by the whole ecosystem.  One part is government changing, but the other parts, which are the industry as you said represented by academia, a mix, so on, it is still there and still there to keep checkpoints as well.  Civil Society also and also academic and technical sectors.

>> AUDIENCE: Firstly, I thank you for this interesting, frankly necessary presentation and also would like to apologize for my tardiness, because of that, I would like to ask the speaker his name and also if you could repeat point 1 and 2 it, I got the third point on collaboration but I don't have 1 and 2.

Thank you so much.

>> Sure.  I'm Victor Lagunes.  I'm Chief Information Officer to the Office of The President in Mexico. 

The main focus on our strategy is what we call the strategic objectives, which are five.  I think you got those.

Then the next ones, we call them the ‑‑ the first, it is culture, enhancing a culture on cybersecurity.   So mainly prevention, awareness.  Second one, it is capacity development, so the creation of capacities as it pertains to the academics or graduates or those with graduate degrees and also as Leon mentioned, how to create the capacities even within government to be able to understand, prosecute cybercrime in a responsible manner.

>> AUDIENCE: I was tempted not to make a question.

I just want to know, having in mind that we're living in a global world, we're preparing these policy, this Mexican policy, did you take into account the examples of the cybersecurity policies of all countries and in this case, how the policy could connect with others established by other countries.  I'm asking this because, you know, we don't have international framework to deal with the issues.  It is it a kind ever necessity to have it more or less a policy around the world in order to address the common issues and the common threads.  If you could elaborate on that, I would really appreciate it.

Thank you very much.

>> VICTOR LAGUNES: We research fully around nine strategies, national strategies in cybersecurities and U.K., for example, Canada, the U.S., Japan, so on, and they ever some key differences as they approach topics, for example, on national security and military operations, so on.  Our policy specifically does not touch fully on those   scenarios and we will work those on coordination with the national security agencies.  Those operating, mainly the military and defense ministries, they'll still operate as they do but we'll be having a line of collaboration with them, mainly our focus is around prevention and creation of awareness.

I think that's where we can bridge the gaps faster if we fully develop our ministries or agencies towards those goals.

The answer is yes.  Basically the need for a public policy document in Mexico, it is basically understood by the whole ecosystem stated that we needed to focus on those topics first.

Awareness, culture, cybersecurity and collaboration.

We work very hard to be able to adhere to the Budapest Treaty.  We do have some issues around the Budapest Treaty, and the telecommunication bill that we launched four, five years ago, it doesn't preclude ‑‑ for example, it doesn't prevent our international cooperation.  The fact that we're not in the Budapest ‑‑ actually the ministries that are prosecuting cybercrime, basically cross‑border, they work with many and all agencies around the globe.  That work has been done.  We still believe there is a chance that in the near future we will adhere to the Budapest Treaty because we're talking the same language, if cybersecurity threats are by its own nature crossing borders, then the cooperation and collaboration within countries have to be very fluid and agile.

Many thanks to you all.