IGF 2017 - Day 4 - Room XI - WS118 Towards an Inclusive Cybersecurity Capacity Building Approach


The following are the outputs of the real-time captioning taken during the Twelfth Annual Meeting of the Internet Governance Forum (IGF) in Geneva, Switzerland, from 17 to 21 December 2017. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 



>> MODERATOR: Okay.  We can trade places. 

>> PANELIST: You can sit there. 

>> MODERATOR: We need one more chair.  Sorry.  Good morning, everybody.  Okay.  Perfect.  Thank you very much, all of you, for being here this morning.  I foe that many of us are already tired of very interesting meetings.  I hope that you have found this idea very successful.  I would like to thank you for participating in this workshop.  We have a more inclusive approach to cybersecurity capacity building.  We have been trying to over the past years, Technical Community, our main stakeholders.  But actually, that's one of the reasons why we have here actually invited to my right from the organization to cyberspace, Lisa France from the U.S. State Department, from Microsoft, our colleagues from Oxford, (?).  Of course, my colleague. 

I will ask you ‑‑ I know that we have a very nice panel, really nice speakers.  So I would like to ask each of you to provide in five minutes from each of your organizations your views on how we can make cybersecurity capacity building initiatives more inclusive in a more pragmatic way.  So to start with ‑‑ with Lea, if you want and we'll go like this. 

>> LEA KASPAR: Sure.  Hi everyone.  My name is Lea Kaspar, the executive director of global partners digital and I'm really happy to be here.  And thankful for the OAS for organizing this session.  I think it would be really interesting to get into a conversation here and get out of our kind of panel versus the audience.  So I'm just going to briefly outline what we do as an organization.  I guess I'm sitting here as a Civil Society representative and very much proud of the OAS and the work that we've been doing together in promoting this approach.  Our work on cybersecurity capacity building is twofold.  On the one hand, we work to facilitate meaningful engagement by nongovernmental stakeholders in cyber policy development at the national, regional and global level. 

And secondly, we've been working on developing a framework for implementing these approaches, which is issue agnostic as well as actor agnostic.  So if you're interested in implementing an inclusive approach and you have ‑‑ but you have challenges in terms of how you would go about that, we've been developing a kind of set of questions that you might want to ask. 

Now, I kind of want to stop there and come back to the more substantive issues later on if that's okay, Belisario. 

>> BELISARIO CONTRERAS: Yes.  Thank you very much, Lea.  We are doing great initiatives for those who are interested, yesterday or today, we launched an online course for small and medium enterprises on cybersecurity.  So if you want to take it, it's totally free.  So please. 

>> PANELIST: Good morning.  It's a pleasure to be here and thank you for organizing the workshop for the Spanish organization that I belong is very concerned about the inclusive way, the approach from a point of view, the inclusion to the cybersecurity because we are dealing with many challenges.  We are going to talk about in this session.  And the most important part about these challenges is we are moving stakeholders environment.  And so it's very important to meet here, public and private representatives because we are talking about a very difficult group of concepts.  And not everybody is talking about the same things.  We are talking about managing breaks in information security.  When we talk about cyber attacks, it's very important to understand the point of view of the others to reach a good level of corporation at the international level.  Thank you. 


>> PANELIST: My name is Kerry‑Ann Rice.  I work at the University of Oxford.  Thank you for inviting me to speak at this panel.  Our model is a cybersecurity maturity model for nations which we have applied together with our partners or our partners have applied in a total of about 60 countries around the world.  And the core of our methodology, when we go to the countries to collect the data for maturity assessment is our stakeholder consultations over three days.  So we invite various stakeholders who are working on issues regarding cybersecurity, and we emphasize, encourage ‑‑ emphasize as a priority that different stakeholder groups are participating in these groups and are able to provide perspective on cybersecurity capacity.  So it's a very core part of these maturity investments. 

>> BELISARIO CONTRERAS: Thank you.  I want to say that we have a report in March in Panama. 

>> PANELIST: Fingers crossed.  I'm director of cybersecurity policy at Microsoft.  And as he said, we work quite a lot with all the stakeholders around this table in terms of cybersecurity, capacity building.  We have found that the efforts both sort of through GSE and sort of the OAS but also efforts by the United States government, sort of the U.S. DPI training have actually exposed us to lots of new things.  So I think the one thing to remember is the stakeholder ‑‑ the multistakeholder capacity building efforts are important not just because, you know, people on the ground actually learn good security best practices or good practices.  But there's always a two‑way exchange and lessons learned that others in that discussion can take back and improve their own internal processes as well as sort of training going forward. 

We sort of try to engage on several levels, both on country, both on regional and global.  And what we do is we take the lessons we've learned from ourselves from both sort of getting our engineers to learn about security but also the practices we have and also looking at, because we have global footprint, looking at practices governments have put in place and see how we can help others sort of avoid of some the mistakes some others might have made early on in the process.  We publish lots of papers in the policy space, but we also publish lots of best practices and training on the technical side.  So developers of technologies can take some of the best practices that Microsoft's own internal processes and apply them, you know, in their start‑ups and going forward.  Like I said, I will be quick as well.

     >> BELISARIO CONTRERAS: Wow.  We're good with time.  Thank you.  Lisa, thank you.  The state department is one of our member states and actually one of our main partners.  So thank you for being here today.  

>> LIESYL FRANZ: Sure, thank you, Beli and thank you all for inviting me to be on this panel as well.  As Beli said, my name is Liesyl Franz and I'm the coordinator for public issues.  As many of you know, we have been engaged in a number of issues along a wide range of activities in cyberspace and capacity building is one of those activities. 

We are strong proponents of utilizing what we call a whole of government approach but also an inclusive approach to our foreign policy and national security objectives, and that includes our cyber capacity building programs in which we engage.  It's important, I think, to note that our policies reflect that from all nations to benefit from cyberspace politically, economically and socially, the Internet must remain secure and reliable.  That's the baseline for all of our capacity building efforts and the partnering that we do, promoting that vision and a base for setting the agenda. 

I mean, obviously, I don't have to go into the importance of the Internet for various aspects of society and the fact that it is a great medium, a great mechanism, but also ways that we do see a lot of threats from a wide range of actors.  And that there are any number of ways to address them.  And it's because of that variety and that complexity and that increasing (?) of the threats that we see and the attacks that we're seeing that we really need to look at it as not ‑‑ look at dealing with cyber issues as not any one actor that can solve the problem, not any one solution that can meet that need.  And so it's important to work with any number of actors in the various like stakeholder groups, I would say but experts across countries. 

You know, the threats are not contained within geopolitical borders, transnational.  So working not only with partners within any country but within organizations like the OAS and with those in industry and the Technical Community and Civil Society as well.  We find that it enriches all of the work that we do.  We see that states are one of the stewards or caretakers who work with stakeholders to ensure that the Internet is available to all to reap the benefits and rewards.  And so that is infused into our capacity building programs as well. 

I would just mention, too, quickly, we have, over the years, developed a sort of methodology but working with what we call implementers of our capacity building programs.  Mitre Corporation and Carnegie Mellon are two that we work with to address working with nations on helping to build their strategic approach to cyberspace, so it's a more policy‑based approach or organizational‑based approach, how within any particular country or region they can work in their own environments to take on what a strategic approach that works for them and then a more operational or technical level building sustainable national computer emergency response teams. 

So Mitre has developed a national cyber strategy engagement plan.  And SEI has been the architect behind our sustainable SEI cert initiative.  Like Beli said, we work with many organizations around the world.  I look forward to the discussion. 

>> BELISARIO CONTRERAS: Thank you, Liesyl. 

>> CHRIS PAINTER: Thanks, and obviously I endorse everything Liesyl said.  I used to work with Liesyl, that was one of our main thrusts was ‑‑ capacity building was one of the core elements we were trying to do because we thought capacity building was a foundational element to really almost everything else we do.  If you're trying to engender more international cooperation against things like shared threats, capacity building helps you get there because it brings people up to speed both in terms of a technical matter but also in terms of policy.  And I think it's important, you know, to think of capacity building as not this monolithic thing.  In my view, there are three different types of capacity building.  One is the kind of technical training that's done with, you know, law enforcement officers, et cetera, which is critically important to build the skills.  So I call that the skills training.  The other is the institutional capacity building.  This is a lot of what the OAS has done, for instance, which is national strategies to make sure that, you know, there's this institutional framework in different governments or certs that they actually have a national cert which a lot of countries still don't have but many more through the OAS have them and I think that's important, again, to engender that global cooperation. 

And the third type is policy.  Or policymakers.  And there's been work that's been done by, you know, in the U.N. system, Unideer and a number of other things around the world that have tried to get policymakers to understand some of the policy challenges here and not think of this as just a technical issue.  And I think that's critically important because if, you know, a lot of governments, particularly developing world governments, if they don't understand both the opportunities and risks involved and they think of this as a technical issue and just outsource to the technical experts, they won't deal with human rights et cetera that are involved in this.  I think what we've done a bad job of as a community in the past is coordinating some of these efforts. 

I used to say that we had lots of great capacity building training programs at one time in the U.S. government, which if I mapped them all out, it would take about a year.  I don't think it was a comprehensive list even at the end of that.  I know others have over time tried to do this in a lot of different forums.  And I think that's important.  And you want to avoid training the same three guys in the country, you know, by everyone in this room training the same three people on the same things.  So you want to, with the limited resources, make sure you coordinate it. 

The other thing I think we've not done a good job at is linking the various types of capacity building we're doing.  So when we go and do the kind of technical skills‑based capacity building or when we go on to the institutional capacity building, you need to link that to the political level in countries.  You need to link that to the higher governmental levels, because there are really, I think, two goals in capacity building.  One is to actually build the skill set so that they can work with us in handling threats and protect themselves and work with each other.  Because it's not just a hub and spoke thing.  It's a global community. 

The other, frankly, is to, you know, get into the game of understanding the policy dimensions of this and hopefully endorsing the open, interoperable and secure Internet that we believe is important, that you don't have to make major tradeoffs between those.  And I think, you know, if you don't have that link between what you're doing on the technical and institutional side and the political side, you'll have situations where people show up at political meetings in the U.N. or other places having no idea that all this work is being done to try to build this capacity and no link between it.  And I think we need to do a much better job of linking between that. 

Obviously the global forum for cyber expertise is one of them that tries to bring this together.  I think there are others as well.  I think that, you know, I think as each of us either in Civil Society or governments do this, we should think about some of these goals of what we're trying to achieve and make sure we're also making the link to the higher policy levels in the various countries we're talking to. 

>> BELISARIO CONTRERAS: Excellent.  Thank you very much, Chris.  I would like to maybe ask Lea, Carolyn and Kaja, I represent the private sector, maybe a little bit about challenges.  That maybe you face working with government and actually between you, we can ‑‑ yeah ‑‑ within your community or with other stakeholders building this inclusive capacity building approach.  I think it would be very interesting to hear your views.  And of course, I would like to maybe see the reaction of Liesyl how we can maybe, sometimes limitations or how maybe what measures are taking governments to do this and cyberspace, maybe what could be some proposal or some other challenges.  So Lea? 

>> LEA KASPAR: Sure.  Thank you, Belisario.  I think challenge is the most interesting fact.  And I'm glad that we're having this conversation at the Internet Governance Forum.  Before we started working on cybersecurity, I was following for a number of years just Internet governance and looking at how the multistakeholder approach applies to Internet governance I think gives us food for thought when we think about how it applies and the challenges that we'll have in applying it to the field, more specifically field, I think, of cybersecurity. 

I think that in Internet governance for those of you here who are IG ‑‑ familiar with the IG space, we kind of tend to see as a community, we tend to see multistakeholderism, the multistakeholder approach is part and parcel of Internet governance.  That's how the Internet was developed.  The fact that that's how we have domain names and numbers managed in the ICANN system.  So I think the inclusive approach is almost ingrained and taken for granted if you come from the IG space. 

So when we started ‑‑ and there are a number of cases how that works in IG.  When we started working on cybersecurity and said, of course, this is part of Internet governance if you think about it, if you think of Internet governance in a broader space ‑‑ or in a broader, I guess, conceptual way, is that the level or the kind of normative principles that underpin Internet governance are not necessarily the same normative principles that underpin some of these conversations that discuss cybersecurity.  So that was something ‑‑ that was the first kind of learning point for me when I entered the field. 

I think the maturity of the conversation about multistakeholderism and IG has advanced much more.  It has been around the IG space for so long, compared to cybersecurity.  And I think we're still at a lower level of maturity and sophistication when it comes to applying it to cybersecurity discussions.  And that's the first challenge that I want to know, and I think we're still learning how to do this. 

The cybersecurity space brings with it specific actors.  And I think a hint is in the name.  I think cybersecurity and when we start talking about security, that means a lot of the time a lot of the discussions are relatively securitized.  And that's completely understandable.  But what that means is that our, I think, kind of the taken‑for‑granted approach, everyone should be involved in this conversation is not necessarily what some of these ‑‑ some of the security actors, you know, if you bring in the defense or intelligence services, how they would see how their work should be done.  That's one.  We're progressing but that's one of the biggest challenges, the nature of the issue and actors involved poses specific challenges when it comes to implementing the approach. 

And just secondly, and I'll be very short on this, the second is related to that is the practical issue of lack of practical guidance of implementing this approach.  But we can come back perhaps to that.  But I want to kind of point out these two things. 

>> BELISARIO CONTRERAS: No, no, I should advocate maybe it would not be good to continue with the same securitized language, but maybe in a more gentle or humanitarian way because maybe our police or law enforcement official will be maybe, you know, to sell it in a different way?  That could be a possibility or?  No, you, yes. 

>> LEA KASPAR: I'm not sure ‑‑

>> BELISARIO CONTRERAS: Of course, the language is on security.  It would be very difficult or I think right now it's very difficult.  So what's the proposal to change the language?  You say that the language ‑‑ the discussions are really securitized, right?  So what could be the proposal to work out that challenge? 

>> LEA KASPAR: I think that the inclusive approach is the solution to that in a way by bringing in actors who can bring in different approaches.  You can offset that trend.  So it's actually the approach is the solution.  To the problem. 

>> BELISARIO CONTRERAS: Okay.  Carolyn?  Kaja? 

>> PANELIST: Yes.  The first point on my list regarding challenges is different language.  Yeah.  Cybersecurity hasn't been traditionally a theme of the Internet governance world.  I think it's remarkable how cybersecurity became seen over the last three IGFs.  I remember my first IGF was in Brazil, and cybersecurity was on the list quite late.  It was a completely different issue this year.  And I think that's maybe one of the major challenges there, new actors in the field who maybe traditionally were not talking to each other, but now they kind of have to come together and to talk about those things. 

And that's something, I think, on the global level, but also, like, what you observe in the assessment that also on the country level, the actors don't know each other, probably don't know of other actors in the same realm.  A lot of language problems but also the next point, awareness.  Awareness among policymakers.  What is cybersecurity?  What does it mean?  There's so much to discuss at the IGF, it's very interesting.  And it shows different groups talking to each other.  Again, it's also a problem on the global level, but also observed in the countries.  And three, strongly connected, a lack of existing relationships, and yeah.  Actors don't know actually what they're doing, maybe, yeah, it's a different kind of environment and I think there are big gaps which have to be closed to be able to cooperate. 

>> BELISARIO CONTRERAS: And what do you think we could do, the lack of awareness, not just in the UK, of course, worldwide, but maybe in those developing countries, what do you think could be the remedy for institutions? 

>> PANELIST: I think it's also like looking for evidence and also what is kind of doing the research of bringing stakeholders together raising awareness is very important across government but also across different human rights, people working on human rights.  So people must become and understand what it's about.  I think it's very important that we include all the stakeholders and allow them to be part of the discussion and, of course, give them some ownership and coordination.  I think with all these kind of gaps by coordinating, by bringing everyone talking in the same language kind of brings ‑‑ overcomes the challenges (?). 

>> BELISARIO CONTRERAS: Thank you.  Kaja. 

>> KAJA CIGLICA: I would actually agree with a lot of what you said.  There are definitely challenges in terms of language, I think.  I think, you know, when we engaged, I think we see probably three different areas conflated.  You get the content regulation.  You get network security.  And then law enforcement, cyber crime.  Kind of get all mixed up as one.  And some of it is sort of different communities coming together.  And some of it's the way the words translate into different languages don't necessarily work or the cultural interpretation of what some of those are, are different.  And I think that actually makes the discussion more difficult.  I think also, the UK put together a workshop as well in Berlin like a couple months back where, you know, we worked together in the development community so there's the Internet access people saying maybe security should be there at the beginning.  And it was interesting just from, you know, like at the end of the day, I think there was a clear, like, almost a break where all the security people were, like, we feel ‑‑ a long way towards talking your language.  And the others were like it was completely dominated by security.  It was a valuable workshop.  It forced the people to talk together. 

I think in terms of sort of just security and it being by very nature a little bit more close to access than sort of some of the traditional Internet governance issues, I think some of that won't go away.  Some of the ‑‑ some of the national security issues that sort of translate into Internet, I think, will stay.  But I think it's also the question how countries deal with it.  And I think both sort of Spain, I think the recently consultation of the network information security directives open sort of the NIST security framework in the U.S. ‑‑

[ Laughter ]

Sorry.  That is awesome.  Really, really speak out and wide‑ranging consultation.  It's not just with U.S. entities, private and public and Civil Society with interpret participation I think is the best practice that we encourage everybody around the world to look at.  So I think there's things that can be done.  There's still stuff that is a long way to go, but there's definitely, you know, best practices there. 

>> BELISARIO CONTRERAS: Perfect.  Thank you very much. 

>> PANELIST: Thanks.  I think one of the biggest challenges is probably the most fundamental thing, which is the dynamism of the Internet and the ever‑evolving landscape with which we're dealing.  So it makes it very hard to say, oh, here is your cybersecurity solution package.  Just go implement that.  So even if you have a toolbox or some kind of methodology that you are espousing or has worked for you that you are sharing with other people, it's never going to be static.  So I think that's one big challenge.  We always say security is a journey, not a destination in this case.  And there's a constant need for reassessment.  So that needs to be something that's infused into the solution sets or the training or capacity building that you're doing. 

Clearly the complexity and interconnectedness of cyberspace, not just as a medium, but also I think when we're talking about language, you were talking more about the terminology.  I also think that the various aspects of what we call cyber, everything from, you know, network security to international security to cyber crime to cyber bullying, say, I mean, there's a whole list of things that fall into what is a cybersecurity or a cyber category, and that makes it also a very disparate set of issues that you're trying to deal with in any discussion. 

I think someone mentioned the lack of relationships.  I think what's important about is it's not only, you know, who do you call?  Who are your ‑‑ who are the interlocutors that you can engage with but also building up the trust and the long‑term relationships not necessarily between individuals, although I know that that's certainly absolutely one of the trust that has built up on the Internet, but there's got to be some way to make that repeatable or make it built into the system a little bit more. 

I'll just mention two things that, you know, we're not starting from zero in a lot of cases, and we're not starting from a place where no stakeholders have been involved in the cybersecurity arena.  For example, in the U.S., many years ago, there was a huge recognition that the Internet was ‑‑ our critical infrastructure including our ICT system and our telecommunication systems were owned and operated by the majority by the private sector.  So there was no way that any government‑only solution was going to work.  And we established a whole framework for dealing with each of the critical infrastructures in a collaborative manner.  So that need, I think, remains and is only getting stronger.  Build those pieces. 

And then I would say that we dealt with them all in separate sectors.  But that also became sort of ‑‑ that has become more and more untenable because not only are sectors sort of boring, but also the interdependencies between sectors are so crucial that you really can't stay in those silos.  So I think that's bringing those disparate types together and different folks that may never have ‑‑ have never connected before. 

And I think Chris mentioned the global forum for cyber expertise.  I think that's a good goal for them to do that on a more global basis than sort of just the national context in which I was talking about.  The other sort of more recent example is the development of the NIST cybersecurity framework that you mentioned, which was a very bottom‑up process.  It was convened by our national institute for standard technology, but it was fueled by stakeholders from the private sector, academia, Technical Community to pull ‑‑ to compile a set of standards and best practices.  Not that you or you or you need to do this, this set.  You need to do these all, but you need to figure out of that menu what works for you.  And it has a whole methodology.  And that's going through a view now.  So again, it's not like the framework was done at, you know, 1.0.  They're reviewing that and taking input into that now.  So that's another example of sort of that iterative process. 

>> PANELIST: Yes.  We should remember that information security is more difficult than managing any other values of technology.  Because of the ubiquity, because of the dependence of the economic activity, the daily life of all the people.  If you don't have confidence on the technology, you don't have any opportunity to benefit from the opportunities of the information technologies.  As a person, as a consumer, of course, the dependence on society is the key.  But the first challenge is the lack of enough knowledge and the skills, of course, at the level of the users.  (?) that is the first target of our traditional first stage of national strategies for the governments. 

But the second challenge is the lack of skills that meet policies of capacity building, dressing the technical staff, of course.  But new stakeholders groups.  Every year the Organization of American States and the government participates with a compass.  And we have incorporated few sessions of training dedicated to the law enforcement and law agencies, and we need to provide, of course, this level of knowledge and abilities to these kind of new key actors at the level of the public actor.  But more than that, at this moment, we are trying to provide new knowledge and skills to new (?).  And Belisario mentioned before the open online enterprises.  We should remember that 99% of key actors in the world of information security are private actors.  And these are enterprises, not only the consumers, the users, and we are facing the problem of not enough. 

And in the perspective of inclusion, we are addressing new objectives because what's the first problem that involve more and more people (?) to provide this level of acknowledgment.  This problem is the underrepresentation of women in cybersecurity. 

>> PANELIST: (?)

>> PANELIST: There's a high percentage on this panel. 

[ Laughter ]

     >> PANELIST: Yes.  Less than 10% of all the workforce involved in cybersecurity in Europe are women.  And this is the best thing I think we can work for because we're trying to provide enough training to people to the enterprises, to the agencies with technical knowledge and competencies.  But this is another topic.  But we can say that the most important challenge is the lack of knowledge and abilities in many of these stakeholders that more necessary than ever in information security at the international level. 

>> CHRIS PAINTER: First of all, I would not shy away from using the term cybersecurity.  And the reason I say that is because that is such a hot topic now for governments around the world that that's what they're asking for.  And you can then slip in everything else under that.  So once they ‑‑ I remember we did this with a lot of the Internet freedom programming.  A country would ask for cybersecurity because that's what they thought they wanted.  You also wanted to talk about other issues.  I wouldn't change the name to fluffy bunny or something like that.  Less threatening.  I would make clear that it's beyond just the cybersecurity.  I would make clear also that it involves a policy, so it's just not how you fix your computer.  I think that's something you were getting, too. 

I agree with bringing on various communities together.  I know when I chaired what was then the GA Grime group, we brought the cert community and the law enforcement 24/7 that worked together, and they each thought each other were completely insane.  The law enforcement people thought the cert guys, we don't know what they do and they don't cooperate with us.  And the cert people thought the law enforcement people, they scare us.  And building those bridges is important between different communities.  Both in the security area but even beyond that. 

And I think that's reflected also when you try to work with countries to have a multistakeholder way of doing some of these key things like, you know, in terms of doing national strategies, for instance.  We work closely with Chile in doing that.  And saying ‑‑ and even though in Chile, the effort was led in part by their military, which is not the most inclusive ‑‑ you know, that's not what you think of as being a multistakeholder group, they had other ministries involved, too, I heard on day zero they were saying that was good.  They actually did that.  So that's good.  And that's what we want to see more of. 

And then I think one of the other things I've seen is that a lot of countries ‑‑ we talk about a multistakeholder system.  A lot of countries don't have any background or history in multistakeholder systems.  They don't even have a history of dealing with their private sector, let alone dealing with Civil Society.  So there have been times when we've done ‑‑ and I think this will continue ‑‑ we do capacity building especially with a lot of developing countries who don't have that history.  They don't have that tradition of actually helping them set up that system.  You know, having them actually talk to their private sector and Civil Society.  And that's a pretty big challenge in some places.  You know, that's the foundational part of actually having this multistakeholder involvement. 

I remember when we did our first ‑‑ one of our first capacity buildings back in 2011 in Kenya.  We were able to bring Civil Society ‑‑ and this is the cybersecurity and cyber crime capacity.  We were able to bring industry in.  They invented something which was more advanced in an online payment system, even more advanced than the U.S. even had.  And that was a helpful model.  We tried to do that in other ones.  I think that's very useful. 

The other thing that was mentioned is bringing the development people in.  And I think, you know, I recently did something, I think it was at the World Bank where they had the development program managers for the key ‑‑ for really water and power the ones where they saw the connection more clearly than some of the others.  So I think maybe focusing more on ones ‑‑ and water and power are big development projects.  So seeing which ones you can actually influence because one of the issues is in this area of ‑‑ and one of the big challenges is in this era of limited resources where I really worry that we're not putting enough funding behind capacity building because it frankly is foundational to so many other things that if we start pulling the plug on that ‑‑ and the U.S. are already everywhere else in the world and I think every country is facing this challenge.  It's going to have second and third‑world effects in terms of policy. 

And the final thing, I think as much as the IGF has started adopting cybersecurity as the theme, you know, I still think there's a challenge in getting the right people here.  So, you know, I remember the first time I thought about going to an IGF was in 2008, I think it was.  It was in India, I think, at the time.  And I knew Liesyl then.  She was telling me why I should go.  And I was working at the FBI.  I was, like, why the hell would I go, it has nothing to do with the things I deal with.  She convinced me it was a good thing at the time. 

[ Laughter ]

But, you know, I think that that can be good.  It doesn't necessarily see the value of these discussions or simply think because it's called the Internet Governance Forum that it has nothing to do with what they do because it sounds like Internet governance and it's beyond that as we all know. 

I think having tracks on these issues, you have more participants on these issues.  But if you look at the day 1s and you see what kind of ministerial and government people show up, it's almost always the ICT ministers who often don't have any security responsibility.  So, you know, you have to figure out how to get these different communities to come together and not have it simply talked about here but maybe bring some of those other communities in here at a higher level and look at other places to do it.  So I'll stop at that. 

>> BELISARIO CONTRERAS: Thank you.  Thank you very much, Chris. 

>> CHRIS PAINTER: And this is an important forum.  I'm not at all diminishing this forum. 

>> BELISARIO CONTRERAS: Before I go to members of the public, I want to actually to get an impression from you on one topic that was raised.  This year at the GFC, we launched an initiative on cybersecurity.  Actually participated in one activity that we had in Spain.  And I actually would like to ask your impressions or whatever panelists want to say, because the topic was inclusive ‑‑ more inclusive participation is not just the stakeholders but actually inclusion in capacity building.  To give you an example yesterday we opened this call for this online course, it's free.  It's available to anyone in the world, particularly in America.  We have around 600 registered.  But right now we have only 15% are women.  Of course, I see there is a good diversity on ages and countries, but it is really shocking that we are not able to move on a more gender diversity, certain countries or certain regions or certain social groups being more participative of these issues.  I would like to see if any of you have any ‑‑ yeah ‑‑ any perceptions or maybe what else governments or private sector should do or what should we do together maybe to tackle this issue?  Because for me, it was still really shocking that this morning I see these numbers that say, why?  I still don't understand. 

>> PANELIST: Maybe if I just start.  I think it's always been a problem.  It's a problem across the tech sector.  But I think it's also not a problem, though, we solve in a year, right?  I think we need it, like, literally start educating, in this particular case, girls I think across the board.  Small children on cybersecurity and awareness, right?  I think, you know, if you go to up universities ‑‑ by the time girls decide to go to university to study ICT or ICT/cybersecurity or specific cybersecurity, at that point, it's too late.  You lost them.  A lot earlier on a lot of the time.  So I think it's more like a marathon than something that we'll see a solution immediately.  I think we all should work together.  I just want to say. 

>> BELISARIO CONTRERAS: Sure, please. 

>> LEA KASPAR: Maybe a slightly different view on this.  I agree with that.  I just think we need to be more precise about what we're talking about.  If you're just saying, you know, inclusion for the sake of inclusion I think that's fine.  But if we're focusing on securing the network and solving cybersecurity issues, it's how you pose the problem.  Are we talking about lack of inclusion as a problem in itself, or are we trying to say, you know, how do we actually ‑‑ how do we actually solve cybersecurity issues?  And I think we had conversations about ‑‑ similar conversations about human rights.  Just saying that cybersecurity needs to be human rights respecting in and of itself doesn't really help anyone solve a cybersecurity problem if we don't dig deeper.  And I really want to ‑‑ like our approach is that there is no one size fits all when it comes to cybersecurity.  There isn't, like, a number.  If we're thinking about developing policy, there isn't a number of women or men or stakeholder groups that you need to involve.  And then therefore you will have ‑‑

[ Phone ringing ]

‑‑ it happens to everyone.  It happened to me earlier.  Do you know what I mean.  So I think it's important to say that.  That there is no, like, set of ‑‑ number.  Like if we were all women on this panel, would that make it a more ‑‑ like better outcome?  I don't necessarily think so, right?  So I think inclusion does not just mean, like, a set of ‑‑ like a set formula, if you have women, you solve cybersecurity issues.  I don't think that's right.  And I think the solution is much more holistic.  It doesn't come from having an all‑female panel.  It's a much more holistic approach that we need across all issues in society.  So, yeah.  Thanks. 

>> BELISARIO CONTRERAS: Thank you.  I don't know if the audience would like to make any comments or questions to the panelists.  We have a couple of minutes.  Please. 

>> AUDIENCE: David from Switzerland.  I work with critical infrastructure protection.  I have two questions.  One question, one remark.  In proportion to agencies, we've been discussing a lot in the last two days about lawful interception and these kind of things.  But another point is actually if I'm the victim of a ransomware, where can I go file a complaint and that we have those statistics?  That seems one thing that is sort of the positive side that we are a bit missing. 

Then the second one, we want to build capacity.  But we need ‑‑ so we want to build universities and these kind of programs.  But we also need people from other domains, not just technicians that are only going to do IG, but that can come from different areas and get quickly into a feel and the groove of what we're discussing about in cybersecurity.  So do you have any inputs on that?  Thank you. 

>> CHRIS PAINTER: On the reporting one, yeah, I think that's fair.  I mean, I think that ‑‑ you know, ransomware and other things, one of the things that you could argue is that you actually ‑‑ law enforcement, if they're doing their job correctly ‑‑ is privacy protecting because they keep, for instance, theft of PII.  They keep it more restrained by actually getting the bad guys.  It's a challenge because every country is still trying to figure out how to deal with it.  In the U.S., there's no one number you call.  There's a couple thing like Internet fraud that the FBI runs that aggregates a lot of these smaller cases.  If you have a small case and you go to the FBI, that's a small case.  But if they aggregate it, it isn't an international scheme, which it often is.  Other countries are doing that, too.  There need to be better education between the public and law enforcement on that. 

On the second issue, that goes to another point.  It's not just the technical people, as you said, you need.  People have asked me, you know, what's the career path to do cyber policy?  There is no career path to do cyber policy.  I think all the people who have done it on this panel and around this room, I think, have all pursued different ways of doing it.  I'm a recovering lawyer, for instance, and so I think people have come from different ways of doing it.  That's changing a little bit because there are a number of schools and universities who are setting up policy programs in this.  And in the U.S. certainly but I've seen that in other places as well.  But I think you also benefit from having people coming from different perspectives in this space.  I don't think you just want that technical perspective.  I think one of the problems is people, you know, when senior policymakers say this is a technical issue and write it off, they don't understand.  So you need those people to make that translation. 

>> AUDIENCE: In Spain, we have a help line.  We have a telephone every citizen can call for help if he's attacked or he has any doubt about the impact of global threat to the level of strategic industry, at the level of critical infrastructure, but in other areas.  So we provide a portfolio of services to citizens and enterprises.  And in many countries in the European union, we are advancing in this sense, yeah. 

>> BELISARIO CONTRERAS: Anybody want to add something else?  Sure. 

>> PANELIST: I would like to add something which also relates to what Kaja and Lea said earlier.  I think inclusion shouldn't be for the sake of inclusion, but it's important to very early include cybersecurity in the application framework.  Because I think if you spark interest, you also get the best talent and girls who often maybe drop out of high school but earlier because of different reasons, particularly in poor countries.  So maybe there's some interest sparked for these issues, and then they go into those fields.  It's not only good for the cybersecurity field because you get the talent but also, of course, for the girls and women later.  So I think having this from the very early beginning as an issue not only for creating the talent but also having, like, awareness and the skills for those people. 

The second thing ‑‑ oh, yeah.  Just by the way, I have a B.A. in literature of the Barack times. 

[ Laughter ]

I mean, there are different ways.  And the other thing is like about reporting, I think that a lot of, like, what's very important is to ‑‑ I have mechanisms to report those things which are very easy for everyone for citizen children, women.  Also, other groups as well.  Another marginalized group should get into this field and also be able to report.  So yeah, there are different mechanisms which are important for a country to have to offer to their citizens and businesses. 


>> LIESYL FRANZ: So I think even if there was a number to call, I'd be interested if all the citizens of Spain know the number to call.  I think that's an interesting question.  I think many people probably think about calling their provider first of all and, you know, no offense, but probably get put on hold.  Or do you just call, you know, whatever your emergency hotline is?  Whether it's 911 in the U.S. or whatever.  I think it's an important question. 

But not just about the number to call, but just as awareness, generally, and education generally, two things.  We have an awareness program in the United States.  I think they've been here this week, national cybersecurity alliance.  And they put out a number of guidance and advice for various types of end users for how to protect yourselves online. 

I used to be affiliated with that program.  And one thing we tried to do many ‑‑ or ten years ago was to get, like, a Smokey Bear anti‑fire ‑‑ you know, protect forest fires type of campaign.  And it has been an uphill battle, and we never achieved that.  But it could be something like that. 

But I will say that I'm really good to see that the girl scouts for you have a cybersecurity badge. 

>> BELISARIO CONTRERAS: Yeah.  A campaign from the Internet.  Actually ‑‑ yeah, they've done a really good job and we're actually very proud to partner with them.  And other western hemisphere.  I think you had a question. 

>> AUDIENCE: Thanks, Belisario.  From the DiploFoundation.  A quick comment on the profession.  I spoke with a colleague from Simon Tech at some point.  How do you recruit people?  What are you looking for?  Engineers or lawyers or what kind of skills?  And he said what I'm looking at is passion.  That's the only thing I need.  I need passion from the person for cybersecurity.  So it's interesting how the private sector sees that because it's a disciplinary complex. 

A couple of experiences from what Diplo does in capacity building which responds to great points that all of you raised.  So something that we found that works or helps, one is a holistic and multidisciplinary approach.  Because that also helps ‑‑ and Chris mentioned that ‑‑ also human rights, not only that, different layers, different aspects of cybersecurity, technical, policy, national and international mechanisms, international relations and so on.  But then also relations of cybersecurity with the economy and human rights.  But then also soft skills.  Such as cross‑professional communication.  That's something that's a big, big issue.  And if we approach that way, then all the different stakeholders that we involve feel comfortable at least in one bit of that discussion.  And then they're eager to learn the others that they don't know about.  This helps also with the inclusiveness. 

Then the format needs to be exchange and engagement.  It can be off the shelf something that's, you know, we are teaching and preaching.  It really has to engage people.  Because everyone has, again, something to share and that drives people from different stakeholders to share. 

Then we need to mention that already we need to turn from people‑centric capacity building, which is important, to institutional capacity building.  And that's much longer, much more complex.  But more sustainable process. 

Then it needs to be a global wherever it's possible, a global exchange of opinions.  And that's where definitely, as you mentioned, online courses help.  We have a lot of experience with that.  And it really helps exchanging views from different countries. 

And lastly, sometimes we think of capacity building as a simple training or simple course.  But it's actually a way comprehensive process which usually lasts for a year, two years, three years.  It's compiled of different bits and pieces.  So the course is one research is another possible component.  We used to have IGF fellowships to bring people to the IGF to other fora.  We have less and less of that.  And even if we have that, we bring people that might not have gone through some of the capacity‑building programs.  So that should be sort of a combination for the next IGFs, comprehensive capacity building programs and then fellowships to bring people to the IGF for GFC and so on and so forth.  Thanks. 

>> BELISARIO CONTRERAS: Thank you.  Be careful with passion, huh?  It can be problematic sometimes.  I can tell.  Any other comments or questions?  Please. 

>> AUDIENCE: Thank you.  I'm Patrick from Brussels.  And we are currently conducting a project for the European commission on operational guidelines on cybersecurity capacity building.  So a lot of things that you have mentioned are really very close to what we're trying to figure out.  And I would like to throw on the table one issue that didn't come up with this panel but I have heard in many other discussions here during the IGF, which is the principle of do no harm, which is the very basic principle in development community and when we talk about capacity building, it is exactly development work that we're talking about. 

And I'm wondering if this, you know, what your view is on that.  But where do we actually draw the line when we talk about cybersecurity capacity building?  One of the things that was raised in many of the panels on encryption, for instance, this contradiction between encryption and law enforcement access to evidence cannot be really reconciled from the technology perspective.  So it seems to me that the technology community and policy community are completely at odds when it comes to what can be done and what is possible to be done. 

At the same time, law enforcement capacity building and as they're doing trainings in different countries is actually one of the most common activities that is implemented.  It's the lowest hanging fruit, I think, of all possible initiatives that you have out there.  So I'm just wondering to what extent can we go and, you know, do projects that actually tackle issues to which we ourselves do not have answers yet.  So when we go and engage in building law enforcement capacity building in Africa or Asia or even Latin America and, you know, provide tools to law enforcement agencies on how to access the evidence from private companies and so on, are we actually creating more problems down the road?  How can we then go and start answering those policy questions in those countries to which we actually have not answered ourselves?  Where is this line in which maybe we should say, you know what?  Actually, maybe this is not such a bad idea.  We haven't figured it out ourselves.  Let's take a step back.  Try to kind of create a very safe environment around a specific issue and engage.  How to build those safeguards that would actually make the final outcome and impact actually much more positively than create negative spillovers. 

>> BELISARIO CONTRERAS: That will be a topic for the next IGF.  I will let the panelists ‑‑

>> CHRIS PAINTER: I'll start.  That is a real challenge.  And the challenge comes when you have regimes who could use these capabilities to, for instance, monitor their own citizens and suppress dissent.  And that's a constant issue.  And I think you have to look at who the recipient is of the services in the capacity building you want to do to the best of your ability make sure that it's not being used for that. 

At the same time, I don't think we just sit back and wait in terms of building capacity to fight cyber crime or deal with cybersecurity because the weakest link problem, that that actually will hurt all of us if we don't do that.  So it's a balance.  I think if we wait till we settle the encryption debate, that will be well after I die, I think.  Because it's almost intractable.  There are really good arguments on both sides. 

We have done ‑‑ there has been some efforts made, for instance, sometimes export licenses are required for certain kinds of things.  And sometimes those are denied for countries who are going to be using services for that kind of suppression or monitoring of citizens.  But there's a lot of vendors out there who do it anyway.  One way that was tried to be dealt with, not very successfully, is through Wassenaar a while ago.  For people that don't know, this is sort of the loose group of a number of countries who look at export issues and export control issues and try to come up with some controls dealing with cyber tools.  The problem was there was a lot of problems during that because these are dual use tools and you don't want to penalize the ability to have cybersecurity products shipped.  But the purpose of it was to keep, you know, tools that would be used either to attack other countries or to monitor citizens that go out.  And that's been a very difficult issue to deal with.  And I don't think there's an easy answer. 

>> BELISARIO CONTRERAS: Anybody else? 

>> PANELIST: I think I'd just like to go back to the point I made on the attempt to make an approach of whole of government approach to capacity building.  So that the cyber crime training for prosecutors or for law enforcement officials has some infused content from sort of the policy side or the human rights side, you know, folks dealing with other aspects of cybersecurity.  Now, I'm not saying we have this perfect at all.  But we do have sort of existing mechanisms for having those conversations, not only because sometimes we use the cyber crime office state department's money to do some of our capacity building.  So that ‑‑ and that cost multidisciplinary way of approaching capacity building is one way to think about it. 

Also I think one important part about capacity building is to say, you know, we don't have this resolved yet because these are such tricky, sticky issues, and we're having a very robust debate about it back here at home.  And, you know, maybe you should, too, before you put in place any policies that could break it one way or the other. 


>> KAJA CIGLICA: So I think I would agree with both what Chris and Liesyl said.  Also, thank you, Chris, for mentioning the one process that's completely close to multistakeholders.  With Wassenaar.  But I think in terms of, you know, it's a challenging issue.  And I think to be honest probably across cybersecurity, you can say to Liesyl's point earlier, you can't say it's been solved.  It's a continuous ‑‑ technology develops so fast.  It's a continuous push for improvement.  And, you know, if you look at pretty much any country that has sort of early on adopted whether strategies, whether different frameworks or created institutions to manage cybersecurity, they have evolved over time, right?  They have looked at them every two, three years and they're, like, oh, this didn't work.  Let's change it.  There are some questions that we'll have to muddle through, I guess. 

But if you think about how quickly countries, communities everywhere are connecting and connecting to an increasingly different ways and how quickly the threat landscape is expanding, I think just stopping and not doing anything is really not an option. 

>> CHRIS PAINTER: Let me just add, on the Wassenaar thing, I think that was really well intended because of the second order of consequences, there were challenges, sort of a blunt ‑‑ it didn't work as well as people thought it would, so that was the challenge.  We need to find creative solutions on ‑‑ and I agree with what Liesyl said, in a lot of the capacity building I've seen, you know, the ones that the state department has done, there's someone from our democracy and human rights group, our countries, not mine, who would actually ‑‑ who would actually be there and would give a talk about rule of law and, you know, human rights online.  That was part of it. 

And then I remember at the IGF a couple years ago a number of Civil Society people who were concerned that these national strategies that we were all promoting were being done in a way that was not including the human rights community and it was trying to actually to proxy for suppressing human rights.  And I think that's why I think it's important as we do these outreach things to make sure that the processes for creating these sort of documents include all the different sectors.  So you at least have some attempt to that end. 


>> LEA KASPAR: Maybe just briefly.  One thing that you could consider as well is thinking about redefining cybersecurity in a way that's focused on people from the outside.  People centric.  A lot of the definitions of cybersecurity that you have at the moment focus on the security of systems and networks, which is fine.  But what you often ‑‑ what often gets lost is the fact that in the end, you want to protect the systems and the data and the networks in order to protect people.  And, you know, there's a definition on cybersecurity that was developed in a multistakeholder way by a working group called the freedom online coalition which does define cybersecurity in that way.  If you underpin the understanding of cybersecurity as being something that's people centric, that's kind of my go‑away in what Patrick was talking about. 

>> PANELIST: Be sure that our capacity building initiatives at the level of European countries and American countries with the association of American states always we educate a very important portion to preserve questions about democracy, civil liberties, free enterprise, all the questions related to democracy in the practice of day‑by‑day of professionals in cybersecurity.  So in other international forums, there is a discretion about the offices of defensive actions or attitudes, when you are facing threats.  But in any case, be sure on our programs are educated to enhance to the technical understanding the importance to keep the democracy good practices in the daily life. 

>> BELISARIO CONTRERAS: Thank you, Patrick, for the spicy conversation.  I don't know if there is any other question from the floor?  Comment?  Otherwise, if not, I will let the opportunity to the panelists to see if you have any final comments to wrap up the session.  We know we are very close to lunch.  You're very, very hungry.  So I don't know if you have any final questions, please feel free. 

>> AUDIENCE: I would like to add one thing because it wasn't mentioned.  The benefit of regional approaches and having focus on reach and getting those capacity building on a regional level but also knowledge transfer, awareness building on a regional level because there is a lot of cultural aspects in these approaches but also assessing cybersecurity capacity and developing solutions and it must come from the regions because it's also where already relationships exist and a certain kind of trust already exists.  And it probably ‑‑ yeah.  Maybe decreases a little bit of the effort in the beginning to start certain things because there are already existing efforts. 

>> BELISARIO CONTRERAS: Perfect.  With that I would like to thank you, all of you, for your participation.  We will definitely try to share the report of the session with all of you, and hopefully we'll see you at the next IGF, with the help of the OAS.  I want to thank the speakers today and all of you.  Thank you very much. 

[ Applause ]


(The session concluded at 13:10.)