IGF 2019 – Day 3 – Convention Hall I-D – OF #43 Open Forum on Conflict Prevention, Cooperation and Stability

The following are the outputs of the real-time captioning taken during the Fourteenth Annual Meeting of the Internet Governance Forum (IGF) in Berlin, Germany, from 25 to 29 November 2019. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

 

>> Dear colleagues, we are about to start the next session.  So if you don't mind, you are more than welcome to join us, please.  If not, please take a conversation to a different place.  Thanks.  First of all, big welcome to everybody who is able to stay and participate in the next Open Forum on assistant and cooperation in cyberspace.  I warm welcome to everybody.  You will be able to ask questions more freely.

So without further adieu, let me open up this forum and the panel.  I have a really great set up of speakers for you today.  We have maybe starting with her (?) cochair and a former debut I national security advisor of India.  She also served as a commissioner on the global commission on Internet governance, the build commission and has experience on multi‑lateral negotiations.

I have also with me a head of cyber policy coordination stuff of the German Federal Foreign Office.  Member as well of German member of the group of governmental experts.  Previously, (?) held different positions such as research and policy planning stuff.  Specializing in cyber policy and cybersecurity as well as he served in numerous diplomatic positions in the world.

Next we have C2 who serves at the cybersecurity agency of Singapore.  In this role, he drives CSIs bilateral, regional and (?)  Prior to he has held positions in the parliament area.

Next we have Debra Brown who is the global policy efficacy lead for progressive communications, ABC.  He leads ABC's including in the UN general assemblies around responsible state behavior around cyberspace.  And last but not least, I have Matthew McDermott in access partnership.  He brought to the seas partnership over 10 years of experience working global technology policy issues and you work on advising as well across a range of sectors to help companies and trade associations and execute government strategies.

With that introduction, I would like to ask her excellency to give a short introduction.

>> Thank you, Victor.  I was particularly delighted at the subject of today's forum which is conflict prevention, cooperation and stability in cyberspace.  The reason is because our Global Commission, which is just published its report which I am the co‑chair has entitled its report itself advancing cyber disability because we feel without disability, they can be no peace, they can be no future.  So we would rank that way high.  We have reached the ride year‑long period.  Conflict has now taken new forms and cyber activities are now playing a leading role in the volatile environment.  And the number of sophistication of cyber attacks have increased.  Simply put people in organizations are no longer confident.  They no longer have trust that they can use cyberspace safely.  And they're not assured of the availability and integrity of services and information being put out.  Our Global Commission was convened against this background.  And we began by identifying a cyber stability framework which we got passed the main areas.  This framework included multi‑stakeholder engagement, cyber statement principles and voluntary norms, adherence to international law, confidence building measures, capacity building and the open and widespread use of technical standards.

After defining this framework, we then went into three elements which we define as principles.  First is multi‑stakeholder engagement.  Multi‑stakeholder engagement is called for in many international agreements yet it remains very contentious.  Some continue to believe that insuring international security and stability is exclusively the responsibility of states.  In practice, however, the bay cyberspace is signed, deployed and operated is primarily by‑state actors.  Without their, we believe we cannot achieve security and disability.  And non‑state actors would have to announce or recognize that there's been a cyber attack, not a government.  The government would then react to it.  The commission said that 100‑state actors have to be involved and what we said was everybody.  And principles are nons and recommendations address both parties states and non‑state.  And we wanted that bee.  Need to insure other things.  Responsibility, everybody is responsible.  Restrain, non‑state should take actions that impair the disability of cyberspace.  There's a requirement to act, not just refrain from acting.  We need to take the individual opinions to basically insure disability.  And there must be respect for human rights in cyberspace, online as there is draw ‑‑ one is we should not damage the public core of the Internet.  By that we mean the infrastructure on which the Internet runs.  Secondly, we must not allow the infrastructure relating to electoral processes to be disrupted.  And here we make no distinction between democratic systems and non‑democratic systems.  Every pros is has to be respected.  And the third which is really resonated is basic cyber hygiene.  You know?  If we puts the safe guards into place in psycher, in the cyber mechanisms, by the developers and producers, have a proper equity declaration process, vulnerabilities equity declaration process and if we skate the correct laws and executions, this will become increasingly important with the new challenges that are coming with 5G, with AI, with automated systems.  I think that we may think cyber now permeates every area of your life.  But believe me, this is going to be multiplied literally thousands of times over.  Those of us who are now connected to three or four devices will find us connected to hundreds of devices in the future.  And we're never stronger than the weakest link.  So making the system stable, making them safe remains a very big responsibility.  Our commission has made some recommendations.  We recognize we don't work in a vacuum.  We recognize we're building on the work of others who went before us.  I myself was in the build commission on Internet governance.  I worked in my government framing for cybersecurity policy.  I worked in national security.  I have seen things from inside government and outside government.  And I genuinely believe in the mill‑stakeholder model.  I do not think they have the capacity to do it on their own.  The weekend thing I would emphasize is we need to have those difficult conversations with those we perceive as adversaries.  It is easy to clicks of like‑minded people and talk to each other.  You are preaching to the converted.  The trick is how are you going to convince people who don't come from the same method of thinking about very fundamental issues as you.  How do you convince them that this is in a common global interest to adopt certain measures?  We are engaging in different Groups.  We're engaging in the IGF.  We will be engaging and having engaged already with open ended working group and the UNGG and the UN.  I just finished a meeting today with a group of parliamentarians who gathered here for the first time and law makers, leaders are realizing that this is something that has to be taken up at the highest level.  My own prime men ester in India has said that he does not have one single bilateral action with any leader where the question of signer is (?)  I think we have created awareness.  Notice the question is:  How do we bring in disability?  And, you know, I've enjoyed all my interactions with every single group on this.  So I'm hopeful.  I know we are all looking for the same thing.  The question is:  What is the right part to take to lead to it?  How do we coordinate all the many efforts, the very sin veer well meaning efforts that are going on around the world?  We hope that through our little report we have made some contribution to this effort.  Thank you.

>> CHAIRMAN:  Thank you very much.  I think I really liked your approach and what you described to (?) building.  Indeed, you know, there is responsibility for everybody, every part of the cyber, every actor of the cyberspace from the public sector, Private Sector or Civil Society has unique responsibilities and rights to do so.  Can I ask you to continue with a government perspective?

>> So yeah.  I would like to emphasize also the point that assistant in cyber ‑‑ stability in cyberspace (?) threw a unified model that we should work and make the individual patch stronger and also strengthens the seams between the patches.

So what are elements of stability in cyberspace.  We have two Groups and (?) open group and experts working for stability in cyberspace.  They do this on focusing identifying (?) to assistant in cyberspace by working on how international law applies in cyberspace on norms.  Voluntary norms for responsible (?) on capacity building and on confidence building measures.  The climate doesn't stop in cyberspace.  So the same confrontation we see and politics we also see in this area of politics.  But still I think some success has been achieved in the receipt years.  Maybe there's more progress in the upcoming deliberations of the Groups.  We have to see.  One of the biggest successes was achieved a couple of years ago.  That is an agreement the universal agreement that international law applies to cyberspace.  So cyberspace is no place in (?) somewhere in the no where.  It is a place on earth and the same international law including human rights, including the UN charter applies in cyberspace in the real world.  So that already sets the framework.  So we have already this framework.  Then another group that compliments the work of the UN Groupings is CE.  They may be focusing on European and North American, but basically it's the old east‑west confrontation.  If their is a conflict, limit it and prevent it from escalating.  So I think that's another important framework.  Then the stability is only as to the weakest link.  The e U set up a new framework for capacity building greatly supported by Germany and Estonia and a couple of other countries where you build up a network of experts that can help wherever a need is for increasing stability.  It is also an international group for cyber experts that tries to coordinate efforts.  All this is not only ‑‑ it is mainly state activities, but I think at least the countries in the European union are unified and (?) that we can't do this alone.  We need Civil Societies and private sectors.  95% of resources are owned by private companies.  Key factor of the Internet is that it enables user to use user communication.  So we have to enable the individual and companies who own the resources to play the part in stability.  They're the same country that have the open ended working group and then blocked it a wider and (?) community, but we will have next week in New York deliberations to get more voices into the process and to bring the process forward by that.  Germany also took over the task of implementing recommendation five of the report of high level (?) report of the UN secretary which deals with increasing global corporation to corporation.  Linking IGFs to a place where we are right now.  This basically making it more relevant for decision making.  So we're looking at it from that angle how we can increase corporation.  Last but not least, all these norms and guidelines and there are also I didn't talk about that because I did a lot of guideline and principles involving the Private Sector.  They're only as good as people and companies and individuals behave accordingly and so what do we do if countries don't respect these?  Another strong belief is that behavior in cyberspace must have consequences.  Otherwise we won't be able to create stability.  We created something that we can refer to as cyber diplomacy tool box which is a set of measures to use in case there is a cyber attack and we identify who is responsible for it.  We can take a couple of measures and (?) would be cyber sanctions.  Sanctions against individuals and entities responsible for that.  This is not a weak weapon.  This is a very strong weapon which you hope will have impact.  They (?) basically returns back to good behavior.  So it gives incentives to return to that.  Of course, for countries, measured has to be in accordance with national law and respect of human rights.  This is a key principle we have there.  I will stop there.

>> Thank you very much.  I take a strong plea and norm in itself has to be well respected.  Can I ask you to take the floor next and offer your perspective?

>> Thanks, vector.  I would like to offer a perspective where I come from.  Singapore is part of the association.  Essentially when we look at the terms cyber stability, we look at corporation and prevention.  The key way we look at all of this is that these are enablers.  They enable economic progress for region of 630 million people who live in countries which are very spread out in terms of capacity.  We should have diverse histories, diverse challenges and diverse cultural values.  When we have cyber assistant and cybersecurity access enabler which allows people in this vast region and across the world to access economic progress, but not just economic progress, it also allows many people to access better living, job opportunities ins digital future.  So this is how we look at the whole idea of cyber stability and the need for corporation.  The digital future is something that is with us today and many countries are reaching into it.  We like to use the imperfect analogy of spots car with breaks.  If you think about it, cyber stability or cybersecurity are the brakes.  Then there's a need to have good brakes.  It is self‑evident.  I think when we approach it from that perspective also, many of the things that my co‑panelists spoke before me international law applying to cyberspace, CVMs and building measures, capacity building, rules and principles of state behavior and cyberspace become important because they facilitate the trust that's needed to achieve this.  So from our perspective, we have moved forward as a region and this has to be done with political will, which is why we have discussions in the UN and also in the week in 2018.  The leaders issued a first statement, first ever statement in the cybersecurity corporation which brought together all these principles and strongly supported the idea of rules in cyberspace which would allow everyone, all stake holders to act with trusted confidence and reach the sort of potential that a digital future is holding for us.  This year in the men ester conference of cybersecurity that was held in Singapore, the ministers of the ICT and cyber confirmed last year's position to subscribe to 11 norms of state behavior recommended in 2015, UNGG report making it the only regional group to do so in a document like that.  And this year, they have made progress, we made a chart, a forms chart where we put together all 11 norms and then we picked out ways to build capacity with inputs and we're set up a working committee which will now develop a plan to build capacity.  So allow me to finish by making three points.  The three I would like to make in which countries and they'll need to work together I think the idea is we have all the agreements on paper.  Very good amendments on paper.  It is time to identify the gaps.  One of the things that Singapore is a small hardly network state is there will also be disagreements and they'll be 20%, perhaps 30% agreements.  But 70% we agree on and when we identify the gaps, we need to then work to build ‑‑ build capacity.  Norms are not assistant do not themselves implement themselves.  But there is a need to build coordinated to have a coordinated robust effort at capacity building and addressing the against.  ON is building and this will mean identifying the resources, the partners and also the metrics behind capacity building.  I think something that Singapore is looking at and we are working on this is how do you know if capacity building is successful?  Millions of dollars are being spent and we need to find out so that we know ourselves if we have reached a goal.  This is where we find and one of the key corner stones of capacity building efforts have set up there are 30 million for capacity building for Asian.  One of the key fundamental principles is none of the programs are run by government alone.  We work with companies and NGOs.  We work with Civil Society Groups to deliver training.  Why?  Because there's a lot of ‑‑ government does not have all the answers.  I look forward to this conversation.

>> CHAIRMAN:  Thank you very much.  I really liked your points on we need to follow up on political engagements.  Putting else and assessing results how we make that is important.  And also there's a space of building common denominators that we can agree on even better.  Debra, over to you for Civil Society perspective.

>> Debra:  Thanks very much and thanks for the invitation.  I will share something already and really appreciate the recognition.  I cyber statement and security are important for a number of reasons, but we don't believe they're important for the sake of the Internet.  It is to improve lives and exercise human rights.  It is important to come back to the centered approach and start.  I will speak about the role of civil southeast on some issues discussed already ‑‑ Civil Society on some issues discussed already.  This is the target of cybersecurity threats, but we have capacity.  When I talk about Civil Society, I mean the broad umbrella which can include the technical kind and academia.  It can be the first anter to play a role in that.  Civil Society can play a role in monitoring compliance or lack of compliance with agreed voluntary norms.  We can plan advocacy role towards both governments to address threats and comply with norms.  We also play a role in raising awareness amongst society and civil so the and citizens about the threats they face in Cyberspace.  And the fact there have been agreed to which I think isn't as commonly known in normal places outside the IGF, outside insurance government spaces which we tend to talk about these issues.  And capacity building has been mentioned before as well and sift society can play an important role in building capacity as was mentioned by the previous speaker and former initiatives and informally with other stakeholders who are at risk of signer attacks.  In many ways, it is broad and can include academia and Technical Community but NGOs in particular.  They play a specific role.  As I said, they are often attacked themselves or work with journalists and people and communities who are marginalized or impacted by discrimination who are either targeted boo cybersecurity threats or when there's a general threat, a data breach, have an acute experience because of their position in society.

We have a lot of good norms on paper and there's a need to implement them.  That's APC we have been thinking about how do we have more robust measures to monitor that?  One idea we have from our ‑‑ and that allows states to report on their implementation of norms and in that case also treaty obligations, but not the parallel we made, but we think we can use this mechanism to allow states to self‑report and also a role‑for‑civil Society in the IPR to do shadow reporting and continue to that discussion.  So an idea we're developing is see a similar mechanism can be in the context and for states to be reporting on how that's implementing and allow Civil Society to talk in a community private sector actors and others to also be part of that discussion.  And then have that as a baseline to report against to see how progress is being made.  There are quote a ‑‑ we advance foreign and there's also a possibility top have more norms adopted the global level.  If there's a way to monitor that, we feel there's lots of opportunity and little progress will be made.  Finally, I wanted to, you know, appreciate the fact we're having this conversation in IGF, which is multi‑stakeholder forum.  It's valuable to have it here, but also frust railing to talk multi‑stakeholder.  We go to New York, we find the conversation is limited.  That was alluded to maybe the number around theft and ‑‑ they weren't able to participate in the first substantive session in September of the working group in New York.S echo accredited NGOs were age to participate.  It was one of them and it was quite frustrating to talk about multi‑stage holder approaches and then go to the places where the actual discussions are happening and to be shut out of those discussions.  And also the importance of I think the lesson from us is good to share and exchange ideas, but we need a commitment in the other spaces to bring other stakeholders to the discussions.  So I think I'll stop there.

>> CHAIRMAN:  Thank you very much, Debra.  I liked the point you made about human centric, people centric approach that we very often engage in the discussion of state to state and big organization to big organization discussions.  We very often forget it's all about people in the end as well.  And your points about monitoring compliance and the role of similar systems as UPR can maybe be applied in cyberspace.  Matthew, we talked a let about cyber sector.  It is your time to give perspective from that angle.

>> Matthew Shears:  That is a plant form on which a wide range of businesses are able to address the needs of citizens and consumers.  A key reason for that success is the stability of the platform and make long‑term decisions about investment and sharing about entering new markets.  The rules and roads to the internet will best remain the same and at least be (?); however, the rise and importance of the life of citizens has made a big of a target.  It's decisions around (?) non‑intervention, but obligation to protect what is in the national space.  One fix to this is find forms of responsible behavior to generate trust and all members of the multi‑stage hold are community.  And talking.  Things like this one are an important opportunity for the community to discusses issues.  I always enjoy learning from IGF from geographically diverse.  However, currently much of the decision making is at the multi‑lateral level.  Steps have been taken to broaden participation, some of the groups more is required to show best practice is available to all communities.  As to again a network is a weakness ‑‑ it is able to be ‑‑ they can quickly move to high politics of international law.  One that should not detract would be just as crucial.  Certs should be set up and protected from the attack.  Mechanisms require to allow dial up between countries including forms where the Private Sector can participate to discuss experiences and work on improving cybersecurity best practice.  We need to recognize the transparency is a friend of cybersecurity.  By sharing experiences, we can learn from each other.  Only with continued confidence and capacity building can we so crest in the assistant of oh, the range of national views make it hard to reach consensus.  The discussions are shaped by complex associations and freedom of expression on the nature of signer attack.  And buy a lot of attention of universal values to address all of these will not be a quick process.  It is good news that more countries are concerned about cybersecurity and are engaging in these discussions.  This presents the challenge that future discussions will need to encompass a broader range.  Now the debate has evolved to accommodate new technologies and a broader group ever stakeholders.  To close out, the business like certainty.  In this evolving space, business is key to support the on‑‑ in doing so, we need to avoid outcomes with fragmentation and insure we have norms that can be operationalized.  Thank you.

>> CHAIRMAN:  Thank you very much.  My take away points for your presentation is if I can (?) the report, they can create mechanism that have that and academia and other representatives of Civil Society.

I would like to make the panelists internationalists as football.  I would like any questions from the floor?  And only in the case if there are no questions from the floor, I will have my list of questions to panelists.  Is there any brave person that wants to go and break the ice for the first time.

>> Um, I had a question following.  There was a suggestion of taking lessons first UPR, the universal periodic review process.  I was wondering how because we talk a lot about implementation of norms.  If panel members have any idea low exactly this self‑reporting work would we take specific norms, take all of them and maybe to start to brainstorm a bit on which forms this would be possible for and are which one we should maybe lean for a different process.

>> Yeah.  We had kind of exercise was in the framework of the G7 countries.  It's a very limited framework.  It's seven rich industrialized countries.  But nevertheless, under the French presidency, whether the idea came up of having a peer review on the seven countries implemented the norms.  We ended up basically with reporting how we did it so fair.  It was a huge effort because it involves multiple agencies of government, but also other actors with request all the agencies and actors who are involved with implementing norms.  So we came up with a report.  It's still in the hand of the 47 and the 47 ex‑President plans to publish and there would be an issue as to how advanced countries implement the norms.  It would put pressure on others to come up with reporting how they implemented and I've seen it to go forward.  They report five, not accessible, but I intend to race this motor and how we can we think it's better if all service come out at the same time or comprehensive form.  That is something to ask them how far the process is.  So it's not the universal periodic review, but it goes in the direction because this is important to implement the norms and also give an example.  Not only show up what we did and to point to give examples.  Norms ‑‑ because that thinking behind that sometimes it's just lack of capacities or lack of knowledge of how to do it.

>> From our experience ever working with the peer view mechanism, they have to be careful that it's a universal framework.  So we're not comparing one country to another, but comparing each country to its own commitments.  And the issue is we don't want to say there's no country that's perfect and some have more resources and more developed programs around these issues.  So it needs to be done in a way where it shows progress to be made where there's need for more capacity building and technical assistance needed.  So it's not a matter of reporting and scoring.  They have reached this level of implementation and other countries haven't.  I think it can be done in a way.  I don't know that you would pick some norms to address first and others later.  Review them as a whole and show where states are in implementing and a need for more technical assistance and capacity building.  So I think that's a way to approach it today.  It doesn't become a competition or finger pointing exercise between states, but to show where each one is on their own course of implementation.

>> CHAIRMAN:  Thanks.  That's a gate question.  That's the question we asked yourself when we subscribed to the 11 norms.  It was a question to subscribe to all of them.  And then it sounded good to subscribe and have your leaders to say that we are supportive or we will implement the norms and to implement the norms, so the simple tool of a chart which I was alluding to earlier, we left that out one by one and then we had a second column where we had a workshop with the members to say these are areas in which we have already done some work.  For example, mutual assistance there's eye mechanism where we can help each.  We had capacity needed.  And this is very poignant.  Their countries and I resonate with something about certs being protected.  The countries are not yet fully developed serves.  Which therapy is attack ‑‑ this is a tracking tool, but at the same time, the middle column says there are things we have already done, there is assistance and also is as important because the danger is that norms can seem upon.  This is how we can check our progress and share it with the international community and certainly having the G7 efforts will then become a sort of example that we can with look at and see what key can implement.  Thank you chairman.

>> CHAIRMAN:  Thank you very much.  Any more questions?  Please.

>> Thank you so much.  This is interesting and inspiring panel.  I am from the Swiss department of foreign affairs.  I wanted to share with you and echo some of these points that were made both from the business side and also from the Global Commission.  We want to start next year and we also assess that it is important to have more agree in this the global city and to implementing the norm.  So what we wanted to next year is start our Geneva dialogue where we want to have a really global exchange among different in the deal of signer security and for which are I was ‑‑ they can contribute to existing norms and how they see their world because we see there are a few roles currently in this, we want to build capacity and raise awareness about those norms that are not yet part of that discussion and come up with best practices on implementing the norms and at the end of the year.  That's what we want to contribute.  And then also a question I was participating this morning in another panel on questioning the signer making bond.  There was a weariness in the room of the technical crowd to say.  What are you doing at the policy level and if once the norms get implemented, are they interfering with our day to day work?  They were fearing they would be sort of growing awareness amongst governments that what they are doing is actually going against some of the norms.  They said we have crossed relationships among ourselves and now the governments would come in and stop these collaborations which are already taking place on the technical level.  How do you see this?  And how it is implemented at a technical level.  But still we have to be aware of this, I think.

>> CHAIRMAN:  Is there anybody who would take first the question?

>> I think, you know, I certainly have always seen this very delicate balance between the technology, innovators and (?)  I think some tend to feel they're responsible for maintaining law and order.  They're sponge for the lives of citizens also where there's a threat to life from a signer attack ‑‑ cyber attack.  So certs would argue they should in a sense have certain freedoms to act.  It's not just certs.  I would also include intelligence agencies.  I would include law enforcement agencies in this Grouping.  I think it is a very delicate balance.  I say one of the hardest things about discussing cybersecurity and the government is the need to maintain that balance which we have privacy and national security.  You have to respect citizens and many countries and the supreme court rule that previously is a fundamental right of the citizens.  So when it comes to then having to take certain measures and interests of national security to protect the life and property of citizens, are you then justified in waiting that privacy?  So I think the question is whether for certs, whether for any government agencies, they should clearly lay down legal and administrative procedure to be followed.  And provided that is rigidly implemented followed and people who deviate from that by using let's save not going through the proper procedure and simply engaging a company and saying do something that's illegal should then be held to account.  That's the real issue.  The issue is not that they're not solutions.  The issue is governments prepare to take the hard steps to implement and make sure that people who don't follow correct procedures are punished.

>> CHAIRMAN:  Thank you.

>> So this morning, I told a friend who is member of the Technical Community that I was going to speak on this panel and I couldn't shut him up.  He spent five minutes telling me at all fine.  Why are you having this session?  It's all under control.  And I sat on the policy side of the house.  I ‑‑ and I told him that the world has changed.  That the trust that a community has that enables relationships to function and the Internet to work in that way is positive and it has been crucial to how it is run.  But the debate has ‑‑ the increase number of people involved in the debate requires light to be shined in that discussion as well.  Requires transparency there.  But he can't move quickly.  We have a trusted series of trusted relationships now and you can't just tell this apart.  I think the building processes, both of the UN level and national level and regional level, the core goal of those is development to obtain that trust and allow it to continue.

>> So thank you.  I thought I would share a story in response to your question.  In our capacity building, we invite since 2016, we have been inviting three Groups of people from each government.  One is policy person.  One is the incident response person and the third is the foreign affairs person.  And what happened is the first year we had capacity building, table top exercise and we said all three of you would represent your country.  This is a scenario that is a state sponsored attack.  Now what do you do?  It's amazing because the response person jumped in and said well, this is what I will do.  This is what I'll do and the policy person looked mildly interested to foreign policy looked bored.  We said along at state sponsored attack.  It is any anonymous state and still this is what happened.  But what it showed us was the need to have such activity between the the technical policy and foreign policy person because it is not evident even within government.  So with the word mill‑stakeholder, we also understand cybersecurity to be multi‑disciplinary.  It is something.  And I live it every day because if you notice, I come from the cybersecurity agency much Singapore.  I need to explain to my colleagues that it is very wonderful to go to Berlin in the winter or during the cold weather why I'm relevant to their work.  So I think that is the nexus between we have to create and then we also have exercises where we work with the CII operators in the industry.  So I think this is where the dialogue happens, but it has to happen around real scenarios that we can understand each.  Because technical people have a lot to teach us and the industry have a lot to teach us about our blind spots.  Thank you.

>> Two points to make.  Come back in February.  You ain't seen nothing yet.  But I understand where you're coming from.  And second more important point on the question I want to remind us of something I think Debra said.  This is not about the internet.  This is about the people.  And I think this is the core element about it.  So I'm gladly welcome dialogue with private sector or companies, et cetera, but we can't leave the rural making and (?)  We have to it on balance it by 2.  We have to solve civil representatives are the users also sometimes the victims of policies and basically Civil Society as a whole.  And secondly, most important I think still that norm controls democratic control.  And it stays ‑‑ they have a specific role in that because they choose the government and represent the people, try to outbalance different conflicts of interest with themselves.  I think this is an important element to put into that.  It doesn't mean we shouldn't have the dialogue and I spend half of my time talking to Civil Society, but probably more to companies.  I think it is important.  Luckily, I think universally we come more and more to an agreement.  If I look back even a year or two years, it was a big drive in certain areas.  We need our own principals or Amazon guidelines or whatever.  Now sometimes I don't want to mention some companies, but they come to me and say it's fine with our guidelines, but no we run into difficulties because we are confronted with different norms in each different state.  If you look at that, we imagine the cars stop at the borders because they have different rules.  You know you have a unified area where you said the complicated processes and democratic process and the process was participation of all kind of actors, all can be improved, of course.  So not defending that.  It is even in the interest of companies to have basically others participating ins norm setting and in particular role with democratic elected institutions.

>> CHAIRMAN:  Thank you very much.  I have a space for one more question.  Are there any volunteers for last question?  If not, I would like to maybe ask each of you to have a snip it of a take away of concluding remarks before we wrap up.  Your excellence, you want to start?

>> My biggest take away is something that you said.  You said transparency is the friend of cybersecurity.  I think that's a great slogan because most people think cybersecurity is best served by secrecy, but I think the day you recognize the transparency is the friend of cybersecurity.  And thank you very much for that, Matthew.

>> It is complicated Bit is worth it.  Slightly longer version of it would be really appreciate the focus in this discussion of implementation.  I think it is promising avenue we should continue to go down.  If you implement things, if they are successful at implementing norms and the eagerness of about little new norms, would also increase.

>> I think my key away is what Debra said.  Front and center of what we're doing and I think as I was saying, you know, in our way of looking at it, it's all the people who need economic enablement, listening standards and lives and that I think crystallizes the need for us to work together.  It is a team sport.  Thank you.

>> I think I will build on Matthews take away key point which is human rights are the friend of cybersecurity because we need strong cybersecurity to enable human rights and it's through strong cybersecurity that we're able to do so.  And so I think we often look at them as putting it against one another, but there's a right to security.  There's a human right to security and we can't keep look think at them at odds because in the end, we need both.

>> I think I would channel my technical colleague and say don't blank what we have.  I think what we have now is trust.  We exam up the norms and look to develop, we can't forget what we're trying to achieve is a place of trust.

>> Thank you very much.  My main take away is the approach is not only enriching.  Is it is such a great learning time for me to enjoy your presentations.

We as the European union, of course, want to indeed, walk the walk and talk the talk.  So we are entrusted our friends in the European unions institutes for strategic studies to undertake engagement with multi‑stakeholder communities.  One of the very concrete take aways as well is we are going to bring a sponsor quite a vast number of participants for the next Intersessional meeting in New York.  So thank you very much to all my distinguished panelists and to you as the audience.  Hopefully see you next year.  Most likely in Poland, I guess, at the next IGF.  Thank you.