Internet Governance Forum
31 October 2006
"Security" Panel
Note: The following is the output of the real-time captioning taken during the Inaugural Meeting of the IGF, in Athens. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
>>CHAIRMAN TSOUKALAS: Ladies and gentlemen, the Secretary-General of research and technology from the Hellenic Ministry of Development. And as chairman of this afternoon's session, I would like to welcome you to the second day of the inaugural meeting of the Internet Governance Forum. Allow me to express my thanks to the U.N. Secretary-General, who convened this first forum on Internet governance following Tunis. And we're very happy that our country has hosted this meeting. For the first time, it's allowed the possibility for all of the partners involved to express their views on this issue of Internet governance. We've seen huge interest from the participants. And that shows that, really, this is going to be an exemplary forum for the expression -- or exchange of views and constructive ideas. Today, we will be concentrating in this afternoon's session on the question of security. And within that framework, we're going to look at questions relating to users, messages, the question of access, and we will bear in mind more general issues of Internet security. This is one of the more fundamental issues related to use of the Internet. And it's an essential cornerstone of its functioning. And the -- drawing on the full potential of the possibilities it provides for use. At this stage, then, I would like to invite the moderator, Mr. Kenneth Cukier from "The Economist" to please take over in that role as moderator. Go ahead, please.
>>KEN CUKIER: Thank you very much. Thank you very much, Mr. Chairman.
Information security is something that we all rely on. It's probably something we all take for granted. But it's probably the most important aspect of the information society. Because unless the networks are secure, unless we have confidence in it, we don't have an information society. It might be important for you all to know that right now you're using a public Wi-Fi access node. Probably all of your data is unencrypted. So if anyone had a packet sniffer, they could identify what the traffic is, certainly what your password is, if you did electronic commerce, some of your personal information, maybe your credit card details would potentially be exposed. Of course, if the security of the infrastructure is strong, if you're using encryption, and 99% of all Web sites that do take your credit cards would be using that encryption, you'd be safe. But that 1% probably is intolerable, if you think about crime online, we wouldn't expect that -- sorry, offline why would we expect the same sort of thing online? If you're connecting to Appollon, then you are probably using the hotel's Wi-Fi. But if you're using the free public Wi-Fi or free Internet access, this is important, right now in this room, there are two seemingly Wi-Fi nodes that aren't really a Wi-Fi node. You have a system on your computer, if it's open, that you would see whether it says the name of the hotel or if it says "free Internet access" or "free public Wi-Fi." Those two terms are actually computer-to-computer nodes. Someone has malicious code on their computer, two people do, presumably, and are broadcasting this. And for the unsuspecting user, they could be transmitting data to someone who is then passing it on to someone else. This is a good example of the fact that security is a big issue and that the security and the hardness of our infrastructure needs constant improvement. Luckily, on our panel today, we've got experts who are well suited to address this issue.
What I'm going to do now is very similar to the last two sessions that we've had. The first thing I'm going to do is have them introduce themselves, their affiliation, but then also ask them one question concerning what is the most important issue facing security in your view. They'll all get a chance to say that. I'm then going to turn the mikes on to the audience. You can give us feedback. If you think that we're missing something, that's great. If you think we just need to amplify something else, don't say it. We probably know it. We want to get a survey in terms of what are the key issues to address if we don't mention them here. Then we're going to launch into the discussion. However, before I ask them the questions, let me just talk about a piece of housekeeping. To make your interest known to the people who are the assistants of the hotel that you would like to get the mike and to say something, just raise your hand and let your presence be known to the ladies in the back, and they will be the ones who can have you give either your name or your business card, if that's easy, bring it back up here, and then we will call on you. Okay. Is there anything else in terms of housekeeping that I may have forgotten before we start? No? Good. Remember that, of course, this is being blogged and I will -- and also being transmitted over the Internet. And I will be asking for comments from the cyberspace about what their reaction is to all of what we're doing here. Why don't we please start.
>>DAVID BELANGER: I'm David Belanger, chief scientist of AT&T Labs and head of information and software research. I'd like to take my kind of first place in line here to say what the issues are that we think we are trying to accomplish when we think of security. They're basically availability of the network, very basic. Integrity of the transmissions that are going over the network, so that middlemen can't add to it, detract from it.
And, finally, confidentiality in the face of an intelligent adversary. And that brings up probably the most important issue, that the adversary will change what they do in reaction to what we do. It's an ongoing game.
>>KEN CUKIER: Thank you.
>>LAMIA CHAFFAI: Lamia Chaffai is my name. And I'm director general of the Tunisia electronic certification agency. A resolution came out of the Tunis summit to create an environment of confidence for electronic exchange. The development of services is something on which the development of a country depends. And to develop eGovernment, eCommerce services, et cetera, we need to foster this confidence, this environment of confidence also linked to the electronic signatures. So I feel that this is a very important aspect in the development of countries' economies for the future.
>>ILIAS CHANTZOS: Good afternoon, everybody. My name is Ilias Chantzos. I am the head of government relations for Europe, Middle East, and Africa for Symantec Corporation. What we try to do in Symantec is try to empower people so they can safely work and play in the connected world. So what I would perhaps try to discuss a bit with you today would be the way we see the evolution, the changes, in the information security, the threats and trends of the evolving threat landscape. Perhaps one of the key issues from our end would be to point out the fact that hacking is no longer for fame, but for fortune, that there's a financial motivation behind cybercrime, and that all stakeholders, both private sector, government, and civil society, have a role to play in addressing that.
>>CHENGQING HUANG: Good afternoon, everybody. My name is Chengqing Huang. I'm from China NGO. I'm deputy director of CNCERT/CC. I'm also Secretary-General of Internet Society of China. I speak English only a little. Well, I don't speak very much English, so I will speak Chinese. And our society is a professional one.
We have tried to promote the use and development of Internet, so we are delighted to have been given this opportunity to exchange views and ideas with you. Thank you.
>>GUS HOSEIN: My name is Gus Hosein. I'm here today speaking from the London School of Economics and Political Science, from department of information systems there. I also speak on behalf of a number of nongovernmental organizations, including Privacy International and the American Civil Liberties Union. I guess my main point is I'm a little perplexed by this emphasis on security the way it is defined here. And it's usually at the expense of other issues, such as privacy. And so just about two hours ago, we had a workshop on the nexus of the two, of privacy and security, being identity and the management of that. And when do you actually identify yourself online, how do you do that? Does it actually increase the problems of security or decrease them? So on and so forth. So I look forward to seeing how the IGF can actually take this issue forward into -- for more discussion.
>>RIKKE FRANK JORGENSEN: Hello, everyone. My name is Rikke Frank Jorgensen. I'm from the Danish human rights institute. And I've been active in the business process through the human rights caucus of civil society and also the privacy group. In the WSIS process and also more generally, there is often a tendency to see privacy and security as two opposing issues. And I think it's really crucial that we understand that the protection, the privacy protection of the individual, it's a security measure. It's really a security of the individual freedom, and it's a very key component in a free and open society. So whenever we discuss security measures here, it's very important that we have privacy protection up-front in the way we deploy and design these measures.
>>HENRIK KASPERSEN: My name is Henrik Kaspersen. I am here as a representative of the Council of Europe. There is a microphone here, yes.
>>KEN CUKIER: A little closer.
>>HENRIK KASPERSEN: Again, Henrik Kaspersen. I'm here as a representative of the Council of Europe. I was -- have co-responsibility for the development of the Council of Europe Cybercrime Convention in relation to security, technical security. And technical security measures are extremely important. But also legal security should be a very important element. And the basic importance of the cybercrime convention is that it sets rules for behavior of individuals in the Internet and cyber environment.
>>ARCADY KREMER: Good morning. My name is Arkady Kremer. I come from Russia. I am the director of a private and public sector association, the Russian association of networks and services. I'm also the vice president from the world telecom standardization assembly. I would like to answer the moderator's question and explain what I think is the most important factor in guaranteeing security. I think that in order to achieve full security, we have to see security not just as our own objective, but as the means to defend the Net. This will allow us to work in a more precise and stable way. The issue of information security is not a service or a good that can be traded. It is a system which has to be set up and which is -- it is necessary also to manage.
>>ANDREW MAURER: Andrew Maurer from the Australian department of communication I.T. and the arts. My area developed the Australian spam legislation as well as looking at various other eSecurity matters such as phishing and spyware, botnets most recently. I would like us to have a look at security as a positive construct rather than just a reaction to the current crop of eSecurity threats that are out there. So in terms of capacity-building, considering more could be done in order to ensure that transactions are secure, that personal data is kept protected, and that computer resources are used the way that the users and owners of those resources want them to be used.
>>MALCOLM HARBOUR: I'm Malcolm Harbour.
I'm a British member of the European Parliament. In case you're wondering why I don't look like Margaret Moran, unfortunately, she is detained in England by what is known as a three-line whip, which means she has to be there to vote. So she brings you her best wishes. She is chairman of a group of which I am also a director, called URAM, which is a U.K.-based Parliament-industry group. We submitted a paper to the IGF on the security issue. And it's something that we're particularly interested in. And you can read our paper there. And I think our views, very strongly, are that the issue about raising the confidence of users of the Internet in its security and in its integrity, which I think is an important word, is a crucial task for all of us, and it's a shared responsibility in every sense. It's a responsibility of the users themselves. Industry clearly has a crucial role. And, indeed, industry, I would argue, is putting more resources than anybody else into this. Governments have a role, but there is a crucial and vital role for intergovernmental collaboration. And I hope we can talk about some of those issues this afternoon.
>>TERAYASU MURAKAMI: My name is Terayasu Murakami, from Nomura Research Institute. While usually I -- in this kind of international conference, talk about the ubiquitous network. But today, I am representing Keidanren, Japan Economic Federation, which is representing more than 1500 major Japanese companies. And Keidanren submitted proposals to the IGF. In that, we introduced one best practice and one worst practice. And basic message underlying those two cases is, we should pay more attention to the victimizer's side rather than victims' side. Most of the security measures concentrate how to educate or how to train victims, but we pay more attention to the victimizers' side.
>>FREDERICO NEVES: My name is Frederico Neves. I am the CTO of the Brazilian registry.
And because of my background in -- as a service provider on the network, I think the principal issue that we should try to address here is the network security on the edge of the networks and routing to.
>>RICHARD SIMPSON: Good afternoon. My name is Richard Simpson. I'm director general, electronic commerce, at Industry Canada, which is Canada's federal department of industry. Not surprisingly, we look at the subject of security from an economic growth and marketplace perspective. I think everyone in this audience is aware of the growth potential in the online marketplace internationally, which is now trillions of dollars in net worth, and nationally in billions of dollars, growing at a very significant rate. So looking at the subject of security, rather than focus on one key issue, I'd like to point out a key orientation that I think we can discuss this afternoon. And that is to look at a more proactive rather than a defensive and reactive posture to the subject of net security. In my view, we should be less focused on short-term threats and on cops-and-robbers approach to net security and more on longer-term, preventative measures which can deal with this issue of the -- protecting the online marketplace well into the future. And I think there are significant roles for government in terms of the legal and policy framework for that; and for the private sector in terms of network engineering and other aspects of the physical delivery of the Internet.
>>CHRISTIAAN VAN DER VALK: Good afternoon. My name is Christiaan van der Valk, and I am a cofounder and vice president of a small Swedish security company and also co-chair of the International Chamber of Commerce task force on security and authentication. I have a long background in dealing both with policy issues and, more recently, also the business and technology aspects of security.
And one of the things that has struck me in the past couple of years is the importance of the quality and quantity of legislation and its impact on businesses. We've heard already how business has to play a very, very important role in development of trust on the Internet. And if you look at this from an inside perspective within larger businesses, the amount of legislation that affects business security practices and their I.T. systems is growing every day. It is national legislation, usually impacting businesses in various areas. I can just mention corporate governance rules, privacy, electronic contracting, taxation, know your customer rules, and whole bunch of other types of laws that affect businesses. The matrix businesses are faced with is just enormous. And I actually believe that we're coming to a point where it is becoming counterproductive and businesses are asked to take so many sometimes conflicting security measures that it is actually impacting security negatively. So I think the quantity and quality of legislation is an issue that business and government need to collaborate on quite seriously.
>>KEN CUKIER: Good. Thank you very much. So we've heard generally, I think, big-picture themes on what some of the issues are for security. We've heard about privacy. We've heard that our adversary changes, the role of the business sector, the importance of the edge and the user in all of this. It seems to me that there's probably a lot more issues. If we were to come up with just an inventory, we would see issues like spam, phishing, viruses on the individual level. From the idea of critical information infrastructure protection, we would have big network security issues in terms of undergirding -- the security of the domain name system and other things. Let me ask, before I open up the panel to more questions, let me turn it to the audience and ask, granted, we didn't speak about specifics, but we looked at larger themes.
Are there any few specific topics that you think in our inventory of identifying the important issues that really ought to be raised immediately rather than through the discussion? And if you have those questions, let them be known. And I will call on you, and then we'll go right directly into the panel. I see one person, the gentleman back there. I see a second person there. Okay. And two more.
>> (inaudible) I would like to add to the agenda, if I may, a coordination between the CERTs around the world within the Internet. This was not mentioned in the panel. And I think this is important in the governance of the Internet.
>>KEN CUKIER: Thank you.
>> This is (saying name) from Swiss Internet user group. And I would like to add to the agenda the issue of how do we deal with complexity, how can we separate this vast amount of things that should be taken into consideration into manageable chunks of concerns so that we can actually, at least in small parts, understand what is really going on, and not just take measures that increase the complexity of the whole situation and thereby decrease the overall security?
>>KEN CUKIER: Okay. Thank you. I see a gentleman there. Yeah, thank you. Yes.
>> (saying name) from the government of Quebec. I think it's very important to put in place tools to make more aware and to educate rather than adopting measures.
>>KEN CUKIER: I see a gentleman here in the third row.
>> I am from Moscow University. I would like to ask or even request if we can look into the issue of whether it is correct not only to think about threats coming from criminals, but also threats from the state, from states which use information technology in order to settle accounts. So let's not just look into criminals, but also criminal action by governments.
>>KEN CUKIER: Do I see anyone else? It looks like we have a good new inventory. There's -- Please. Stand up. And introduce yourself.
>> I have a question.
I have a question for at least some of the panelists here. Yes, I agree privacy is valuable. But a lot of the people who are actually working in the security field are also working with the aim of protecting the privacy of the users on whatever network they are responsible for.
>>KEN CUKIER: Excuse me, let me interrupt you for a second. Is this a new issue we are identifying or is this a comment about an issue that has already been raised?
>> No. How do you reconcile the two so you have privacy and security co-existing without any conflicts?
>>KEN CUKIER: Thank you. I see a gentleman there and two more there. So why don't we turn to this gentleman first, and then those two.
>> My name is Radin from Sudan. I will talk in Arabic, excuse me. There's a question of security on the Internet that can only be decided through international cooperation. So what we need to find is an international framework where we could cooperate.
>>KEN CUKIER: Please.
>> Hello. My name is Tarek, I am with the Ministry of I.T., government of Pakistan. The issue I would like to add to the agenda is that of continuity of operations. It was embedded or sort of implied by the availability of networks which was the very first panelist had identified. But in terms of continuity, what I would like to specifically add to the agenda is the physical security of networks. For instance, we faced a breakage in our only Internet C-cable two or three years ago. Since then we added two or three more cables. But that one breakage by a very innocent fishing trawler or something, caused a blackout for two or three days for the entire country. Similarly, there are physical threats to the infrastructure, or even electricity blackouts can cause a tremendous loss of confidence in the use of I.T. So I would like that issue to be addressed, please. Thank you.
>> The issue I would like to add involved authentication.
Both routing authentication and address authentication, and then the derivative scaling problems of routing and tabling all the additional information.
>>KEN CUKIER: Thank you. Please.
>> I represent Tunisian civil society. I would like to first of all thank the people who organized the seminar who allowed us to find a path to dialogue. My question is to find if we can have universal legislation which will allow us to deal with this problem. I think other countries as well have raised these questions because sometimes we want to surf to sites which our governments find should be prohibited. So I don't know how the people deal with this.
>>KEN CUKIER: I see another gentleman there.
>> Hello, my name is Detrick from the metropolitan police and my question is regarding jurisdiction of basically international responses to critical instance. And how the different governments will deal with that.
>>KEN CUKIER: In the back please, yes.
>> Good morning. I am from the Prime Ministerial service on development of the media in France. There is a point I would also like to raise, is how we take into account the particular characteristics of linguistic diversity in the security, broader security issue, and also what is the protective technology which is used and how can we make it financially accessible to all.
>>KEN CUKIER: I see another person here, and then one here, and I think then we will go right into the session. Please.
>> Yes. I am from the Finnish parliament, from the Committee for the Future, and we have a very -- at the present there is a law, proposal for the law for the Finnish parliament which is called something, the National Health Data Bank. And there is a very international ethical problem. Who is the governor of the National Health Data Bank? There will be the whole history of all your medical treatment, your medicine, everything, the whole history. Who is the governor? Who gets the right to be the boss? The patient or professionals, doctors?
Who is the main boss, the real governor? And that's a very ethical question, and it's on the table now.
>>KEN CUKIER: Thank you. In fact I would expand it and say who owns personal information is a broader issue. Yes, please.
>> Thank you. I am (saying name) from the province of Rome. Dear panelists, how is your opinion about the role of local governments? Do you think that local governments may be (inaudible) as a key actor in multistakeholders arena? We think so for a constant feedback from (inaudible) and from the civil society. And a last question. Is it important to discuss about ICANN and the role of ICANN in this delicate theme?
>>KEN CUKIER: Okay. Thank you very much. Let me do this. I think that let me close off the comments right now. Let us go right into the panelists and hear what the reaction is to some of this, and then we're going to open it up again. It strikes me that we now -- have a huge inventory of things, probably too long that we can possibly ever hope to deal with adequately in the time remaining. So the best we can do is try to think of a framework about how to think about this. My first question to the panelists would be we have been talking about information security in its myriad of forms, even with new issues that are coming up that we didn't expect before, for decades. Still, the problem is considered unsolved. Still, the problem seems to be that more can always and constantly be done. Are we forever stuck in the situation that we are never going to get it done or can we agree more can be done, we can identify what it is, and there will be a baseline degree of security that we can be comfortable with? Essentially the question is, why have we not resolved this problem? Who would like to take the first stab at that?
>>TERAYASU MURAKAMI: Well, can I add a comment on the inventory of the security issues. We did a study in the process of developing the ubiquitous network paradigm.
What will be the challenges of the network society now and in the future? Well, in that process, we identified ten different category of the issues, and ten different challenges in each ten categories. That makes 100 challenges we are facing with. Virus, Spam, phishing, and unauthorized access is only four of 100. We have another 96 source of headaches. So I think the important point of listing out the issues is that issues will change. The security issue will constantly evolve, changing the shape. So it is, perhaps, no use to specify the kind of security issues we tackle.
>>KEN CUKIER: Malcolm, did you want to --
>>MALCOLM HARBOUR: Yes, I think in response to your question, because the level of security problems is growing faster than I think that we have the systems to cope with them. And that means that we have to talk about ways in which we're going to step up international cooperation, because that, I think, is at the heart of it. I am very wary, I have to say, one or two questions were raised about new international legal frameworks. I work in a political system where we're trying to reconcile 25, shortly to be 27 legal frameworks, and it's extremely difficult and takes a long time. But it seems to me that the big issue that we need to talk about is how we're going to step up our exchanges of information on a timely basis, and to present information to each other in such a way that you can actually do something with it quickly and effectively. Because surely the way to actually deal responsibly and quickly with these issues is to respond to alerts quickly, but above all actually to get that information flowing. Because so many incidents and problems with citizens I think go largely unreported.
>>KEN CUKIER: It seems like we have institutions already to do that. There's the European network information here in Crete, I believe. Or Corfu? Yeah, ENISA. We have our CERTs in the U.S. and in China and elsewhere.
What is inadequate about the institutions that need to be reformed, first question. Second question, is there a role that collaboration among different stakeholders can do to play a role in this respect to remedy those deficiencies? I impose upon you to respond.
>>MALCOLM HARBOUR: Well, I think you're right. There are good examples working within particular geographic regions. But as we know, the problem is not confined to those geographic regions.
>>KEN CUKIER: It's not like we even have good network security here in Europe.
>>MALCOLM HARBOUR: No, I agree. I think we still have a lot more to do than we are at the moment. ENISA is certainly intended to be a mechanism of exchanging information to be able to do that, but member governments still are doing a lot of collaboration among themselves. And from country to country we see things like the Internet Watch Foundation which show what could be done in specific areas. In the area of child pornography, for example. But it seems to me we ought to have a broader look at what is best practice and to use the power of this gathering for example to step up the work, and that can be the work of future summits of the IGF.
>>KEN CUKIER: Let me first ask -- Ilias, please.
>>ILIAS CHANTZOS: I'd like to -- I think we're getting a bit heavy on the fact that, well, maybe we're not doing that well. Maybe we should be doing more. So before we go there, I would like also to look a bit at the positive side. So let me begin by saying that the growth that we have experienced in the Information Society is there because we're actually doing quite well. On the other hand, we need to face a fact that the success of the Information Society means that there is money there, and the criminals will follow the money trail. That's how it works. People rob banks because that's where you put the money. So on that understanding, we need also to take into account that information security is not just a product. It's not about just the technology.
Information security is a circle. It's a holistic approach around technology, obviously, people, and processes. And often the people are the weakest links. Moreover, we need to take into account that whilst we cannot have 100 percent security, security is an evolving target. Internet Society is involved, technology is involved, people get new technologies and so does the threatened landscape changes. The bad guys see the technology and see an opportunity. We're there. We're doing quite okay. We are covering up, we are protecting our technology. But since there is going to be another switch, there will be vulnerabilities found and they will move there. So it's an evolving target. It's a moving target. So that's why, perhaps, we need to see also, if you like, a more positive side of it. Obviously collaboration is key, coordination, international approach.
>>KEN CUKIER: Yes, please.
>>GUS HOSEIN: I'm amazed that everything everybody is saying so far makes so much sense, and there is a reason why. It's because we are speaking at an overly generalistic level. We say international cooperation but what does that actually mean? We say sharing of information. What kind of information are we talking about? Are we talking about people? Which people? Users or people working within companies? We need to get into the specifics to really understand how complex this field is. Let's use an example. We all agree to some extent that countries must cooperate to combat crime. It makes a lot of sense. But then let's say the U.S. puts in a request to a French ISP for information on a suspected criminal. You would expect the French to say absolutely because we all agree on combating crime, increasing security. But what if months later you find out that the U.S. was not investigating child pornography or terrorism. They were investigating gambling, which is illegal in the U.S. but not illegal in other countries around the world.
When we get to the specifics that's where you see the richness of the problem and how complicated it is.
>>KEN CUKIER: Thus, do you think because there is this conflict of law, that not every culture deems the same thing legal and illegal, that network security in this respect, the case of information sharing, is just impossible?
>>GUS HOSEIN: I think it has to be done with great care. I think we can make a problem worse before we make it better. I think we are going to decrease confidence. When people heard during the European Union debates about data retention, that the data from ISPs across Europe could be sent to the U.S., people were concerned. That actually created a lack of confidence in European Internet policy, and that's a problem.
>>KEN CUKIER: Mr. Huang.
>>CHENGQING HUANG: Thank you. I support the views expressed by the experts just now. We must increase international cooperation for network security. We have experience in this area, especially when dealing with network emergency incidents, quick response through international cooperation is very effective. For instance, our organization, CNCERT/CC, we cooperated with the U.S., Australia, Japan, and other countries, and when dealing with network incidents, we have effective mechanisms. This July the 12th we received a report from Korea that an IP address falsified domain name and it spread virus. We found out this address and closed it. The 29th of August, the Australian authorities reported to us that we have IP address which is sending Spam. We found it and closed it. In early September, we cooperated with Internet law group, and we traced some Spam addresses. We think through such ways we can combat cyber crimes and Spams and other things. How to establish effective cooperative systems globe-wise, that's very important, I think. International cooperation is very important in this regard. Thank you.
>>KEN CUKIER: Thank you very much. I see three of our panelists want to make remarks. Mr. Kaspersen.
>>HENRIK KASPERSEN: I want to talk about the room. The wish was we should not complicate things more than necessary. And I have to think, we have different things here. First we are talking about security, what infrastructure security, that is a very important issue, how to protect the infrastructure. It's a dispensable tool, the Internet, and it should be protected. That's one thing. The second thing is that we protect users and their systems from misuse by other users of the system. And I would like to make a distinction there. Protecting the infrastructure is extremely important. Also in the room it was said that we might need to reverse the legislation to deal with it. I'm not sure about it, because when we want to have legislation in this field, we should first agree whether, is the Internet and maintaining of the infrastructure, is that something we can leave to the private sector, or is that something where a government or the government should interfere? That's also a very important debate. What is the need for such an intervention? And I will say we have so far seen that the Internet is organized by private industry, and we should maybe more emphasize, address the responsibilities of the actors in that field. And the actors in the field are providers, software industry, and so on. But also there is a responsibility for the individual people. Second point, when we're talking about misuse of the Internet facilities, then we might deal with a typical task for governments where they would like to criminalize or provide sanctions for that misuse. And there I see an extreme need for international negotiations about what the common standards, behavior standards should be. Otherwise, if we don't do that, any system would be without any effect in the end. >>KEN CUKIER: Okay. Thank you. Please. >>FREDERICO NEVES: We should take into account that the network is quite big today, but it's growing at a tremendous rate. 
Not in the development world but in the underdeveloped world. And actually what we should take into account is that new users should receive basic training about security. Especially in the -- a lot of panelists are talking about vectors and the change of the vectors. But most, most of the threats are imposed to the end user, because like -- things that you normally face when you receive a telephone call or things that you don't normally act the way in the real world, but in the network, a new user will take -- >>KEN CUKIER: Let me ask you about that, Frederico. In the Internet world so far, in the first billion users we have all been literate, we have all understood the ASCII character set so if we were Chinese or we were from somewhere else we would have to actually know the Roman alphabet with which to interact with information online. But if we're going to actually make the Information Society viable for everyone else, people who maybe are illiterate or simply don't want to go through the rigamarole of understanding the difference between a P and a Q, it seems maybe that we are setting too high an expectation about users would be able to take so much responsibility for themselves. Now, clearly, there has to be some responsibility, but maybe the networks, maybe the equipment providers, the software providers, hardware providers, need to take more of that on. In the telephone world, we have a degree of certainty about how transactions go on, but of course that's a centralized system, and we know that there's benefits to that but there are already drawbacks in the case of lack of innovation, et cetera. So, is it feasible to simply say that users need to just -- we need to educate the users? Or if we need to do more, what more should we do? >>FREDERICO NEVES: One of the key points one of the people in the audience pointed out is that we should simplify. But he talked about complex (inaudible) systems, but I will bring this to another level. 
I think the end-user software is too complex for the general user today, and we are failing in this area. And I think we should provide interface that are quite simpler to the end users. But besides that, basic training on security, basic security -- I'm not talking about high-level techniques. I am talking about not providing your credit card to the operator, to the marketing operator. So why you provide it in an unsafe way on the Internet? So that's what I am trying to point here. >>KEN CUKIER: Okay. Let me ask first Rikke, then Christiaan, then some other panelists, and then we will go to the blog. >>RIKKE FRANK JORGENSEN: Okay. Just a very short remark to what we just discussed now and then the point I originally wanted to make. I think there is a big problem that users are not interested in security, myself included, that I just want it to be there. I don't want to have to think much about it, and I think many people feel like that. But another point I wanted to make was to get back to the link between privacy and security. And to give a very concrete example on how we have tried to advance that link in Denmark where we have actually set up a task force by the Danish industry Association with industry people, I.T. company people sitting there together with privacy advocates and user groups. And over the last eight months we have tried to take the point of departure in the privacy principles in the OECD guidelines and the data protection law at E.U. level and then to transform these principles into guidelines and checklists that the I.T. companies can then deploy in their daily practices. And this has actually been driven by industry themselves, and it has been a very good and very practical initiative that has resulted in guidelines that are out there now and that go out to all member organizations. >>KEN CUKIER: Okay. Thank you. Christiaan. >>CHRISTIAAN VAN DER VALK: I just want to go back to your first question, Ken, and give my perspective of that. 
We heard international cooperation is a term, obviously, that we hear a lot in these kinds of settings. And one of the things I believe we do not stress enough is the fact that, and it's pretty obvious from the word complexity that we have heard as well, that security is a multi-disciplinary subject. In order to get to security you need to take into account the process, you need to take into account the network, the people, but also aspects of law and a number of other things that need to be merged into the same approach. And I think one of the things I have seen a lot is the different disciplines that are involved in issues around security, talk a lot among each other. There are plenty of groups of lawyers that talk about privacy and security, but the different groups don't talk to each other. And there is no common process within the Internet world whereby lawyers, technologists and business process people, for instance, get together and hammer out what needs to be done in order to actually beef up security. And I think that is one of the big problems we are facing today. We certainly don't have a lack, from my perspective, of international cooperation among governments. We certainly don't have a lack anymore, and this is huge progress that has been made in the last ten years, in terms of a lack of consultation between business and governments either. The problem is more cross-cutting. Technology people, policy people, regulatory experts and others talking to each other, sharing knowledge in order to get to a high level of security. >>KEN CUKIER: Well, interestingly, one of the points of this forum, in fact, and this session is looking at areas of collaboration. So let me ask David, when you respond, if you could do two things. Tell me your response firstly towards the issue of collaboration among stakeholders. Secondly, please try to tailor your response to the other theme of the Internet Governance Forum which is development issues for the developing world. 
I know I am putting you on the spot. If you would like to yield your time, you may, and think about these issues. >>DAVID BELANGER: I'll try to do something, but first make the point I was going to make when I raised my hand. I thought I'd add a little bit of historical perspective of similarities and differences from the telephony world, which was mentioned, to the Internet world. And in this context, in telephony world it's called fraud -- in the Internet world it's called security, but it's a whole lot broader -- they share the criminal, the intelligent adversary, and they also share money, the motivation. They also share the fact that they are growing, although at different rates, so that telephony fraud, which we think of probably as a solved problem, is growing at estimated double-digit rates every year. Fundamental new types of fraud come about approximately every month, that sort of thing. But what they don't share is an openness which is essential to the Internet. And they don't share a newness, which leaves us in the position of not having quite as structured ways of reacting to it. Probably most important, they don't share the intelligent edge, which means that when people talk about all the software, all the hardware that goes into the edge, there's the opportunity to do more things on it if you are a perpetrator. But there's the problem of trying to manage something that, for most people, is a very complex beast, connected to a network which is an even more complex beast. >>KEN CUKIER: Is there a way to take those points and think of them in the framework of what different stakeholders can bring to the table? And also in terms of the developing world. What they may need to know and how they should prepare for the same issues that we in the west had faced by dint of having developed our infrastructure further. >>DAVID BELANGER: Let me try to address the collaboration and perhaps someone else can address the developing world better than I. 
One of the things that's happened over time is that there is enormous collaboration on these issues within industry, and I would say typically with governments, in the telephony world to the point where we would share what information we have that might help other companies protect themselves against fraud, rather than simply protecting ourselves. What I would say in the Internet, that that sharing is beginning to evolve over the major peering partners as they start to do what are actually very similar defenses and active defenses, actually predicting and anticipating security, at the network layer. Typically, the information of what's going on when you get all the way out past what might be a business enterprise's network, which can be controlled and watched very carefully, to an individual's PC, which may be being recruited as a botnet or its root may be attacked so it can be part of a sale to somebody who wants to attack us, that information isn't in the hands of a group who watches 7 by 24 what's happening. It typically is quite a bit richer information because every two people's PCs are quite a bit different. So I think that the approaches, both in collaboration and in technology and in operations that have been being used in the network are harder to apply at the web layer. >>KEN CUKIER: Okay. Thank you. I would like to ask Mrs. Lamia Chaffai a question, because on this question of the certification authority for Africa, we were talking about this beforehand. Can you tell us about your experience here? >>LAMIA CHAFFAI: Thank you for that question. The question of cooperation on development in particular is a very important one. In the African region today, there are quite a lot of countries which already have a regulatory framework for electronic commerce and signatures. Others are working on that now. 
And we have to ensure that all these countries have a framework of harmonization for their legislation to ensure that they can participate and contribute to international exchange in order to bring about this development. So we must ensure that e-commerce carried out in a particular country should be recognized at international levels. So you need operator confidence for users in Africa, and that that is on the same footing as what exists at international level. So there are a lot of different areas of cooperation in terms of the legal framework standards, modus operandi among certification bodies, at the technical level, but also in terms of training of human resources, and awareness raising amongst decision takers in terms of the scope and the importance of this trust, this confidence in terms of development in this country. So that they genuinely can be concretely involved in this development of what we call the intelligence economy. Thank you. >>KEN CUKIER: In listening to your experience and some of the things that I have heard on the panel, I would still go back to an earlier question and pose in information security, the needs of different countries are so diverse and the cultures of different countries are so diverse that it makes sense to think of it not on an international level but actually maybe on a regional level instead. And that might be the best we can hope for. Would anyone on the panel either like to agree with that or disagree with that? Please. >>HENRIK KASPERSEN: I would say in this respect, it's always difficult to choose the right approach. There are two distinct approaches, the bottom-up and the top-down approach. And I would think if so many countries and so many different states of development with different frequencies and occurrences of Internet in their countries, it would be extremely difficult to have the ambition that it should be done top-down. So I would be very much in favor to do it bottom-up. 
That means sector-wise, and, if possible, through more regional organizations that would benefit the whole process. But I would not have the ambition to do it top-down, because that is probably a very long-lasting process and probably not going to succeed in the end. That's a general remark on this issue. In the meantime, I also would favor, let's say, codes of good conduct of the actors in the field themselves. Actually, I think -- >>KEN CUKIER: Sounds like wishful thinking. Who would the code of good conduct apply to? >>HENRIK KASPERSEN: Well, to a certain group of actors in the field, where you have the network operators, where you have the access providers, or even where you have the Internet users as a group, that could be beneficial as well. It's all difficult. How do you start it? It should be the private initiative. But, nevertheless, it should be tried anyway. And this sitting here and saying, let's start, do something worldwide from top-down. >>KEN CUKIER: Richard. Did you want to? >>RICHARD SIMPSON: Yes. Yes, thank you. Just to pick up the point that's just been made about codes of good conduct and how you start to put together these cross-national or cross-jurisdictional solutions to some problems in the security area. What we underestimate in this area is the degree to which there is mutual benefit across industry and across countries to making the Internet work effectively and ensuring the online marketplace continues to grow. And the challenge, it seems, to us is to capture this mutual benefit in practical ways. One code of conduct that we were very successful in developing in Canada recently in response to the spam problem was a series of best practices for network management, which network service providers in Canada adopted. It later on became the basis for work at the OECD, and now there's a cross-OECD code of conduct along the same lines. 
We have figures to show that, actually, this network management best practices was greatly successful in Canada in cutting down the amount of spam initiated in our country through Botnets, primarily, because of certain technical arrangements that are made through this agreement. And if we had not put industry together to define their mutual interest in developing these standards and putting them into practice, we would not have had that success in dealing with spam, and the international community would not have had that model to work with. >>KEN CUKIER: Interesting. I want to ask one more panelist for a reply, and then I'd like to bring it to the blogosphere and comments from the Internet. Please. >>ANDREW MAURER: Just in terms of different countries, some developing, some slightly more developed in terms of security. There are some constructs, like the OECD spam tool kit, which acts as a starter set of some policies out there. It puts forward some legislation. It puts forward some advisories on things like industry collaboration that was mentioned just then, technical solutions, and educational material. Now, some of it's going to be very specific to countries that have been engaged with the Internet for a long time. But others of it, other elements of it can be taken away and built on or cut down or adapted. And it provides a bit of a kick start for almost any other country that wants to look at the problem and make some headway. Often it's very difficult to engage with these problems with no source material or no background to work from. So drawing on that sort of broader resource is actually quite useful. 
>>KEN CUKIER: The OECD spam tool kit, as you've described, it sounds very interesting, because it's a way for the developing world -- excuse me, the developed countries, who have so much experience with spam, to their annoyance, can take their learnings and codify it into the mechanisms of capacity-building in the developing world, if I understand you correctly. But the limitation of that is that it's only about spam. Might there be a way, a framework, an institution, to take other issues that the industrialized world has grappled with by dint of having dealt with it first, and then putting it forward in a way that developing countries can actually have a one stop shop on how to deal with this one particular issue of network security, information security across the wide, broad gamut of problems that they're going to face? >>ANDREW MAURER: It would be a lovely idea. But as someone pointed out, security is so multidisciplinary that we're not always talking about the same thing. So the spam approach, I think, works really well for that. In many other cases, you have people building basic capacity. And perhaps the third model is something that works better there, where the people who are actually putting together the infrastructure and the services themselves, if they get the knowledge and the information exchanged that certs provide, then they're building in security at the same time that they're building the basic capacity. Sorry. >>MALCOLM HARBOUR: I just wanted to make a short point which linked to something that came up this morning. It's on the question of wireless and wireless Internet. If you look at what someone with wireless Internet delivery, they've come in later and actually put in different mechanisms for dealing with spam and unauthorized content. Now, if, as I think -- and maybe this is a point for the floor. 
But if the next billion Internet connections, I think -- my hope, obviously, is that a much higher proportion of those will be wireless than the current connections. And so people putting in in developing countries where there will be a lot of wireless-enabled connections, I think they can very much learn from the sort of packages that have been put in to protect wireless consumers. But on the other hand, of course, the security and integrity of the wireless networks -- and these are points that were made by expert panelists down the table -- perhaps present more of a challenge than fixed lines. >>KEN CUKIER: Let me go right now to the comments that we have over the Internet. Please, Jeremy. >> Thanks very much. Well, there are two people who I have comments from. This is from the chat room on security on the IGF 2006.info Web site. The first of them is Allison Wheeler, who is the CEO of Wikipedia U.K. And although discussion has moved on, at the time, we were talking about training new users. And Allison said that the bottom-line problem is that the Internet has become a general population toy rather than a capable and trained person tool, and she mentions the fact that computers are now sold alongside televisions and cookers, and that that's the serious problem here. They're not all white boards, but end users think they are. The next point comes from Michael Nelson. Michael is from the Internet Society, based in Arlington, Virginia. And he has a question for the panel. He says, how important are open standards in development of better Internet security? How have patent fights over new technologies slowed rollout of better security technologies and techniques? For example, he says, we desperately need better authentication in cyberspace, but most proposed solutions are based upon proprietary solutions. And he suggests that the IGF, if the IGF wants to have a concrete impact, it could build ubiquitous, open standards-based authentication. 
>>KEN CUKIER: Very, very interesting. Let me do this. I think that Allison's point is very interesting, the notion of the generality that we need to have that affects how we treat information security. But let's treat that later on, because we're going to always come back to that, particularly as it concerns the developing world. Mike Nelson's point might be an area where we can drill down while we also ask the audience to come up with questions and to write it down, write their name or give their card so it comes up here, and we'll open it up to the audience for more questions. Let me drill down into Mike Nelson's question, which is the question of the development of standards. Clearly, listening to all of you so far, particularly in your opening summations, opening overview, there was -- you all noted that industry had a role to play and, in fact, was doing quite a lot. Yet you also noted that there were somehow problems and inefficiencies from realizing the robust enough security that we would feel confident with. To what degree do you believe that standards are a problem? How can we actually create these standards? And is there a role for something like the Internet governance Forum to help establish those standards? Or should we just say that they're for a technologist and for the private sector to come up with and we'll just wait until you do so? That's not a loaded question, of course. Feel free to challenge the question. All the other speakers have done so far. Please, Richard. >>RICHARD SIMPSON: Well, I think Michael Nelson's made a very good point in talking about the importance of electronic authentication to the problem of security. And I would generalize it to be an issue that is more about an effective means for identity management online. 
If you look at a lot of the emerging threats that we are talking about, that we will continue to talk about, they relate to areas that -- like identity theft, which really have to do with the problems of identity online, identity both of an individual as well as in a corporate sense. So I think he's raised a good question, one that we should look at. There are now many instruments available where we could look at strange electronic authentication specifically, but also identity management online. The thing is that it's not just the I.T. community that is involved in areas like this. The banking industry worldwide has a significant interest in how this whole area unfolds. I know they're working on areas of authentication. Just the final point I'd like to make here, without sort of choosing whether a single forum or body could deal with an as complex as this. I think often that the private sector responds to -- very much to public demand in the first instance, as it's reflected in their business, but, secondly, also to leadership as it may be reflected by governments in terms of responding to their clients, which is the voter for all of our countries. So, you know, I think that we really should take a look at what we can do in terms of underlining the importance of the area, pointing industry to the need to come up with something like an open approach, let's say, rather than open standards, which is kind of a loaded term, but an open approach, which allows for interoperability and flexibility in dealing with the problem of identity management. Thanks. >>KEN CUKIER: Let me ask, does government have a role to play in helping the -- the security industry to come up with these open approaches? Is there anything that the government can do? There's lots of tools that are available. 
Of course, the Internet was an example of a data networking protocol that was created in part because the government decided they didn't want to have a multiplicity of computer systems that didn't interact with each other. They had DARPA fund the idea and of course the government as a buyer of technology, through the DOD, was able to standardize around the TCP/IP protocol. That created a marketplace. Similarly, is there a role for government in this area for computer security and network security? I see a couple of questions. Indicate who -- the panelists who want to address this issue. I see one, two, please, start from the -- Council of Europe, parliament of Europe. Sorry. >>HENRIK KASPERSEN: In general, I would say that governments should not interfere in the process of standard-setting. I think that's something that should be left to private industry. They are most capable of doing so. They are dealing with competition. So, in principle, I would say there is no influence needed there of governments. The influence, nevertheless, could be some pressure to do it, convincing pressure to bring parties that far. But most of the time, what helps is really if in the discussion, societal discussion, it's clear that standards are needed to achieve a certain quality. If that quality has not been reached, it could be the case that courts, for instance, may make parties accountable for not having implemented certain measures. That will help considerably, too. But that is a very tricky process. But I think, in principle, state parties should not interfere in the parties of standard-making. >>KEN CUKIER: Ilias, I see you have a comment. >>ILIAS CHANTZOS: Thank you. Well, being among the industry panelists, I think it's expected I would have a view on that one. So let's begin with a couple of points here. I think that, first of all, we can well argue that governments have already in their tool kit a number of tools which they could be using. 
However, the fact -- or which could be already applicable. However, the fact remains that if we don't want to be carving things in stone, it's very important that we understand and show that the market is there and able to innovate. And to do that, we need awesome standards and market-driven, bottom-up approach. Technology moves too quickly. We cannot afford to have a stifling in the innovation by not having a technological neutrality when we're getting things through the institutional democratic process. Having said that, yes, competition in the marketplace, openness, interoperability are key issues for information security. The fact that we're having right now a healthy market on information security, comparative market on information security, a diverse market, are key issues to ensure that we maintain a high level of information security. We cannot afford to have a security through obscurity. Now, having said that, I also need to point out that the fact that security and choosing security products, if you like, security solutions, should be based on the risk that we're dealing with and on the things that we want the product to do. That can be open source; that can be, if you like, proprietary. But that does not necessarily mean that just because open source is more secure. It's not the way that it's licensed; it's what it's made to do. >>KEN CUKIER: Okay. Well, open source is one issue, among many. But the issue of open either silicon standards or even open approaches doesn't necessarily have to be open source; right? So let me press you on this. In creating the Internet, the -- it took academia and government to not just benefit one firm, but to change the state of the entire industry so that many firms could benefit. 
Clearly, you might see, as having proprietary standards, et cetera, and technologies, that you could grow your market even more, sufficiently more, with an open approach than you could if you had many different proprietary approaches that would put a brake on companies and countries and individuals from investing more in information security. So, essentially, government could fuel industry for a socially optimal outcome. Do you think that this is a good idea? If so, how would we go about doing it? Would this forum be an appropriate forum? Or even would this forum be the right place to raise this sort of issue? And then develop it, allow the issue to ripen somewhat, and then hand it off to another institution to see through? And who would that institution be? Do you have any ideas on it? And then I invite the other panelists to respond. But I'm going to challenge you first. >>ILIAS CHANTZOS: You're going to challenge me with six questions or something. Let's try to tackle it in a constructive way. I think that the current marketplace is such that there are the drivers which would ensure that we see innovation and we maintain innovation. Certainly from our point of view, we aim to try and we aim to be interoperable. We aim to be operating across platforms, because that is what the market also needs. So as long as we understand that diversity, competition are key elements in the marketplace and we ensure and we strive that we maintain that, I think we're to start within the right path. Now, whether IGF is the best place to do this, quite frankly, I think that this is a very technical discussion. This is a discussion which is -- perhaps -- which runs the risk of perhaps boring the delegates to death. And I wouldn't want to see any people falling off their chairs while I'm speaking. So I think that though the IGF is a good place where we can kick the idea, hear the views of the different stakeholders, because that's the value of it, the diverse participation. 
We need, then, to make sure that the different bodies are, kind of like of the international community, which are following up standard work, continue to work together, continue to push these ideas, and see what comes out of the democratic process. >>KEN CUKIER: I see Gus and Rikke. >>GUS HOSEIN: I'm half excited and half terrified by this proposal. The part of me that's excited is saying that the current standards-making process, whether it's the de facto standards created by companies or the larger standards created by international institutions, are such a closed process already, it's impenetrable to most, very technical, as you say, but also very economically ex- -- well, very expensive to attend these meetings. And they're basically dominated by very powerful players. So Mike Nelson's idea of moving it to the IGF is a fantastic idea. At the same time, authentication and all these security issues are so delicate that I worry that what we'd come up with would be unusable or even dangerous. So I'd actually recommend, instead of coming up with standards, why don't we follow the guidance of the Canadians when they created authentication principles that they're now working with the OECD. Why don't we look at what's coming out of the U.S. from companies like Microsoft and Liberty Alliance about principles of authentication, and look at what's going on in Europe and bring these ideas together and coming up with principles, not hard, cold standards, but principles. >>KEN CUKIER: Interesting. Please. >>RIKKE FRANK JORGENSEN: This was actually a short supplementary question to the issue of the standard committee's linking it to development issues, again. I'm just wondering, and this is a question, could be anyone on the panel answering, to which extent these rather closed processes, these standard committees are in any way open to people from developing countries. They might be in principle. But in reality. And if they are not so, how can we by any means enhance that openness? 
>>KEN CUKIER: Yes, Mr. Kremer. >>ARCADY KREMER: I would also like to make a few comments on the importance of standardization, and to which degree these questions could be discussed and settled through collaboration. First of all, standards are a very important and useful means to guarantee interoperability. And standards are also a way to find the best possible solution. But we have thousands of standards and hundreds of pages describing them. So we should find -- we should see what true standards are. True standards are those which are used. And when we discuss if they are useful or not, first of all, we should see if there's any point in our discussion. And I'm not trying to make any allusions to the institutions which are writing standards, but I think that we should see it on -- from the viewpoint of the user. Of course, it's very important for the various forums to collaborate and cooperate in order not to exclude anyone. And we also need to work in parallel to find the right standards. But this work, I can say that at this time it's being undertaken by the World Telecom Standardization Assembly, which does hold regular seminars and has various committees which receive information and prepare texts. But the question is, how can we cooperate, how can we achieve cooperation between governments and the private sector, regulators and users. Well, I think the only way is through cooperation. And that's the way to achieve information security for the network. Because -- >>KEN CUKIER: (inaudible) on that as well, and the rest of the panelists. Because I think we've done a good job of identifying the problem in this respect. But it's not so clear we know what the appropriate institution is to drive this forward, even if one exists at all. Can you -- Does anyone have an idea of the way that this can actually be driven forward? I'll let you think about it. 
While you do, I'm going to call on Howard Williams of the University of Strathclyde to make some remarks -- offer some questions for the room, as well as for the panel, on the question of these issues of security and development. Howard. >>HOWARD WILLIAMS: Thank you. I'm starting in a position of just understanding some of the context where some recent data that I was shown showed that one in every 150 e-mails was a phishing or identity theft attempt. Something like 54% of all filtered e-mails was spam. And so from a developing country perspective, most of the issues of security are really about, from the end user perspective, just the denial of service, the cost of actually running your own or having access have become too high and so they're stopping to use the net. That's the sort of context where my comments and questions are coming. And we know that in many developing countries, bandwidth capacity's relatively limited and relatively expensive. And I'm sure in the session on access, we will talk about this much more. And so there's a question: We know that most of that Internet traffic is coming from outside of the country. So there is a question. Is there an obligation on the major tier-one peers or other peer agreements on the Internet exchanges or the ISPs in the more developed world and the OECD countries actually to manage the security and quality of the traffic that is being sent across the network, particularly to developing countries? Is there an obligation for some users? And then going through this question on the roles and obligations on sort of intermediaries in the marketplace, are there other obligations that we can place on ISPs? And there is some quite interesting data, I think, that shows that sometimes, in some markets, ISPs place less attention on security than they may do. And there may be a real role for public policy intervention here. And I think the two sort of related points on this one. 
One is we had some comments at the beginning that said, you know, security isn't about traded goods and services. But perhaps there is a case that, actually, you know, the latest security tools, the latest downloads should be provided as public goods if we're really generally interested in inclusive information society. Perhaps these are the very things that ought to be public goods and provided internationally. And then my last comment is really about how the IGF can play a role in this, and is there a role in which the IGF can really help the development and the coordination between CERTs in developing countries? Thank you. >>KEN CUKIER: Great. Thank you, Howard. Those are a rich variety of questions and issues for us to think about. What I'd like to do is ask the audience to think about some of these issues and give us some feedback in terms of what we should be asking. Do so. Let yourself be known to the women with the microphones, who will then get your card, your name, and then bring it up here. Then we will call on you. While you are doing that, let me turn to the panelists and focus on one of Howard's questions. And it's that issue of public goods. A principle of immunology is that the entire system is better the more that everyone in it is healthy. The idea that I may get a flu shot and you may not seems on one hand that it benefits me. But, of course, the fact if I get a flu shot, it benefits you, too, because there's less probability that you may catch the flu. Likewise, in information security, the more that the entire network is secure, and all its pieces are secure, so, too, everyone else rises. So we would have an incentive, say, that everyone in Moldova has extremely good security and there will be fewer botnets that will attack me in London. These are the same global issues that we're seeing in terms of communicable diseases, like we're seeing in terms of climate change. We have created institutions. We've created philanthropies. 
And we have a greater sense of awareness of the notion of the public good in health care, on one hand. We're gaining that awareness for climate change. What does it mean to have public goods accessible for all for network security on the Internet? Andrew, I invite you to respond. >>ANDREW MAURER: Blast. What it can mean is something a little bit difficult. Yes, it's good if we immunize against smallpox or flu. It's not so good if we immunize against bubonic plague because it's a sexy thing and it involves rats. So there has to be an approach to what security tools are being put in place, what security approaches are being put in place. I think -- well, I am, of course, speaking from a government perspective. I think that the role for government is to bring together the right players with the right ideas. And so bringing together civil society to bring forward the ideas about what is important to them, what interactions they particularly want is useful. Bringing together the private sector who can bring together perhaps a bit more detailed information of the economic choices, of the market choices that are there. Are people -- >>KEN CUKIER: Andrew, let me cut you off for a second. If we were to do that, we would talk about this, we would host more meetings, we would have lots more great receptions like we did last night, and we would still have the same problems. We need to cut this Gordian knot with one fell swoop of our sword. Let me ask Richard from Canada, maybe you can help us. Is it feasible to take a Gordian knot approach to this and just do it? >>RICHARD SIMPSON: I liked your first metaphor about public goods more than the Gordian knot metaphor. But just to answer the question about what role can public authorities play in tackling this issue in the first instance, and in the first instance, reflecting public demand, they can set some expectations which have to be met one way or the other. 
And I think this goes back to the early days when we started talking about the Internet. When many governments put forward expectations about how the private sector should introduce electronic commerce and e-business using the Internet. And the private sector, by and large, responded well to that once those goals were set. Now, these are much more complex in nature. But I think the same -- I would -- I would recommend the same starting point in terms of the role of government, private sector, and civil society. Government's first responsibility is set the benchmark, and ask the private sector to respond. And I think your analogy of the Internet as a public good and mutual benefit and mutual self-interest, the point I was making earlier being quite obvious here once people think about it for any period of time, will be the driving force behind the private sector responding. And just to give you a very specific example of how this is happening in the area of security, there are international groups organized by the private sector entirely on their own, like the Messaging Anti-Abuse Working Group, MAAWG, that has been working rapidly adopting many standards practices and policies that are dealing with some of the issues that you mentioned. For example, standards of network management for ISPs, for example. I think your point about tier 1 network providers also an area for their attention, although this is primarily an ISP group. But the success of MAAWG shows that the private sector, if it is given a set of expectations based on the mutual benefit they gain from working together, will respond. But governments, individually and collectively, have to put these expectations clearly. >>KEN CUKIER: Richard, let me -- is my mike working? It's not working. Is it now working? My mike is still not working. May I have the microphone, please. Thanks. I can understand.... 
Of course I can empathize with the interests of the organizers to shut me up as much as possible but I think this is a horrible tactic to shut off my mike. Richard, that's true. I don't disagree with that whatsoever. However, for the developing world, the problem is cost. So we may actually see that we have spurred industry to act and it is still now inaccessible to the developing world and as a result, computer users in Britain are harmed by the inadequate security from botnets hundreds of thousands of miles away. How do we address that particular issue? Does anyone have a good answer to that? Malcolm. >>MALCOLM HARBOUR: I just want to refer back briefly to the earlier point about how we approach this issue. And I think one of the things that is actually, if you look at the European Commission's consultation paper on the current framework legislation in Europe, is to say is it time to say that we put a duty of care on network operators, a legal duty of care to operate a secure network. And they can be held liable for problems that will be caused by that. They have to demonstrate they have done everything possible to protect their network from security breaches. And maybe it's time to ramp that up. So I think there are a number of issues around that. And similarly in some countries, Finland is an example, where network providers also have to provide security tools for all their users. So there are things that could be done. But on the broad issue we are talking about, I think -- what I think is striking about the discussion so far is the number of ideas that have come forward. I mean, I don't think that there is going to be a single silver bullet or the sword to cut the Gordian knot, because everybody has got their own ideas. But equally, you know, criminals and people are evading the systems, so it's going to keep moving at a very fast pace. 
But I would have thought that we were in a position with the sort of expertise discovered here to put together, if you like, a digest of best practices. Because if we're talking about rolling out new networks, anybody who is in a developing country who is working with people to invest in new networks surely wants access to all the information and then they can decide what they want to put in place, which is best practice to do that. Maybe one of the ideas that my colleagues in parliament have suggested to the IGF is why don't -- when we meet in -- next year in Egypt that by that time we will have a whole series of best practice awards for security tools and techniques. So instead of having a big panel like this, perhaps we will have a little award ceremony and we will have some exciting ideas up there and you can moderate that as a change from having a big panel. >>KEN CUKIER: Malcolm, any chance for me to be a moderator, I'll accept it. Before I turn to you, Mr. Kaspersen, I want to turn to you, Ilias. You are the member from industry here. Symantec is the world's largest I.T. security company. Clearly, you might have an interest in how we are going to force you to either furnish products for the marketplace or tell your customers they must comply with our regulations. What do you think? >>ILIAS CHANTZOS: I think you don't have to force me. I think we are putting in the market very nominative products. I think that, in fact, the security marketplace is working and producing very nominative, very competitive solutions. Which is why I get uncomfortable when I hear statements about public goods. Does this mean we are taking out from the marketplace this dynamism, this innovation? Often we see, when it comes to public goods, also, what we see as the tragedy of the commons, i.e., if they are common, everybody has rights in it, nobody has obligations in it. Everybody enjoys it but nobody really cares for it. 
So to go out and say we're going to turn A or B into a public good, we need to make sure that at the same time we sustain a level of innovation. And I think that in this sphere, in this area, in the area of technology, we cannot sustain a level of innovation that we are right now having and we need anywhere else other than but the marketplace. Moreover, moreover, we need also to take one more thing into account. Even if we were to kind of like, I don't know, make -- Even if this concept of public good would go forward, there would be the fundamental point that I raised previously. People, processes, and technology. There's no point in me giving you a technology if you don't know how to use it. There is no point. It won't be able to protect you. There is no point in me giving you technology for which you don't have a process on how to use it. So I want to echo the points raised also by Malcolm whereby he talks about other approaches as well and what's happening in Europe about a multi-layer defense about the role of ISPs. >>KEN CUKIER: Wikipedia. Wikipedia is a great, great encyclopedia. It's created by users, by the people who actually use the Internet. It's all for free. Open source software. Absolutely fantastic. We know that Microsoft offers different products. Some of them are more successful than others, but we also know that in terms of server software, about 60% of all server software is from Apache and that is a free, downloadable, open-source product. The Linux kernel is secure. Large companies are using it for the most critical information infrastructure, yet it's done by the open-source community. Is it time that we have an open source security practice for network security? Is that what we need? Let me invite the man who I am going to pillar from industry first to respond and then others. >> ILIAS CHANTZOS: That's unfair because you are picking a second time on me, but I will take the challenge. So let me begin differently. 
If we see, for example, this (inaudible) in the security threat report, we see that on the latest reporting period, 47 new vulnerabilities were discovered affecting open source browsers, up to 17 in comparison to the previous period. And 32 which were proprietary. >>KEN CUKIER: What were the statistics? Say the numbers again. >>ILIAS CHANTZOS: 47 versus 38. >>KEN CUKIER: Statistically, that sounds quite simple. That sounds almost the same. >>ILIAS CHANTZOS: Actually, no, but in any case, the point I want to be making is this. I'm not standing here and I'm saying that the open source is something which is not good. No, not at all. Every kind of like technology has its uses. Every business model has its uses and its values. All I'm saying is that the key issue around what you want chooses when it has to do with information security has to be based not on how a solution is licensed, because ultimately that is the difference between open source and proprietary software, how to license, but actually what it's designed for and what it is supposedly doing. And also, at what risk environment it's going to be placed. >>KEN CUKIER: Okay. Let me first pick on Lamia Chaffai. Tell us, what do you think of our conversation? >>LAMIA CHAFFAI: About open source software and proprietary software? >>KEN CUKIER: (speaking French). >>LAMIA CHAFFAI: Open source software presents an opportunity for the countries in developing countries, but also the proprietary software are complementary in some ways. I want to speak about the role of the government in the development of security. They have an important role as a catalyzer for the private sector. The public/private partnership is very important in the domain of security. For instance, for development of the industry, also to boost the human resource capacity building in terms of security, sensitizing the users of the -- for the security issue. 
And it is important that the government has a whole strategy and be aware of the security issue for all kinds of services. So the government has a role in this aspect. >>KEN CUKIER: Thank you. Mr. Kaspersen. Thank you. >>HENRIK KASPERSEN: I am moving with you to other topics, but backing up this role of the government, indeed I agree that the government really can play the role of a catalyst. That's not strange when we are talking about security in other areas. When we talk about the real world, we see it's the task of the government to seek that the citizens are secure in certain environments. If you build a house, we have prescriptions. If you do something else, you drive a car, you have prescriptions. It should also be normal that the government looks to Internet security. The only point is it's very difficult. How bad is the situation? What you see is initiatives from the government, when we talk about critical infrastructure, that they take clearly responsibility, at least in my country, and where it goes to user protection one is a bit more lenient to pick it up because it's extremely difficult. You can check, see if a house is built that the prescriptions are followed, but it's very difficult to do the same when you build a network or you use a network. >>KEN CUKIER: That's right. >>HENRIK KASPERSEN: So there is a problem. At least what I want to stress, and that's my role in this conference, at least the bottom line should be what kind of behavior should be criminalized, what should not be done, at least. And it's extremely important to have a clear idea what should be in criminal law, and also strong pressure on to prosecute and investigate those kind of crimes in order to make it clear what will be accepted and what will not. >>KEN CUKIER: Okay. Let me first turn to Frederico, and then.... >>FREDERICO NEVES: A role that governments can play is that normally most of the countries, the government is one of the biggest I.T. users in the country. 
And a role to set some standards is like to set up federal CERTs. Like to deal with security on the government networks. Some countries have set up this, and this is one of the good roles that government could play in the security arena. And so this is one of the things that IGF could propagate to governments in the world. >>KEN CUKIER: That's right. Terayasu, please. >>TERAYASU MURAKAMI: Well, I would like to raise the point on the importance of the government function to coordinate the various measures to fight against the security issues. That is coming from our experience that best practice of decreasing the mobile phone spam mails in the last two or three years. Well, since year 2003, in Japan we have a very well-coordinated actions occur, where government established the anti-spam law and expanded that function of that law. And the industry had a coordinated action to share the information on the spammers. And private sector reacted to that movement by, well, for instance, changing the address to a very long one. At one time, I had a mail address of more than thirty letters. Well, those coordinated actions occurred simultaneously with the -- the coordination of the government. And I'm a believer of broken window theory. Whenever we have an effective action to fight against the, for instance, spammers, we ought to have no broken windows at home. If you have a broken window in user side, well, that action would not work. And if you have a broken window in industry side, that action also doesn't work. >>KEN CUKIER: Let me do this. Let me turn to the audience for some of your questions. Let me have all -- a few questions add and then we will reply to them, trying to see what your -- getting your feedback to what we can get refer to. The first person I would like to ask the question is Elena Batueva. Please, thank you. >>ELENA BATUEVA: Thank you very much. Good afternoon to all experts. Good afternoon to everyone who is participating here today. 
I'm very glad to be here, and I'm very glad to be at this session, which is discussing the matter of security, because it is of great interest to us. And I'd like you to answer this question. Many experts today talk about cooperation and collaboration, and they said that security is a very complex issue, very complicated. So they all said that we should approach this from different positions and viewpoints, and we should be more systematic in our approach. What is the case in your view? Can Internet users be divided into three categories? For example, individuals, society, and state. So perhaps if we make this division, if we put them in categories, we can decide what their security needs are, because sometimes, if we are thinking of the individual as an Internet user, then his civil rights have to be protected. If it's society which is the user, then we have to see the commercial and trade aspect, and also the security of the transactions. And when we are talking about the state as an Internet user, then we should see it as a resource to be managed and also as a way to connect to your citizens. So when you talk about international cooperation today, I would like to give a concrete example. It's regional cooperation in the Shanghai Association. We have set an expert group from the member countries on information security. It has already started its work, and at the next forum I think we will be able to give you text on our successes. Thank you very much for listening to me. >>KEN CUKIER: Thank you. We have a question from Suresh Ramasubramanian. Suresh, I don't see you. >>SURESH RAMASUBRAMANIAN: Not really a question but I was pointing out that when you were saying what could developing countries do, and it takes money and all the things like that, (inaudible) does have (inaudible) in the tool kit and there is a problem of Spam in developing countries that covers a whole lot of what you ask for. Good reading, I guess. >>KEN CUKIER: Thank you. 
We have a comment from Vasilis Maglaris on the private sector and standards. Please. >>VASILIS MAGLARIS: Although my question was answered by the last positions put by the panel, I would like just to point out, just to ask how would third trusted party functions like authentication and authorization infrastructures could be influenced by the private sector and if it is really the function of the private sector to set standards and operate third trusted parties. It is my experience that it is sort of similar to like outsourcing for this function or other kinds of security functions down to -- over to the private sector. This is my question. >>KEN CUKIER: I didn't actually -- Say it again. Were you -- should it be for industry to do? I didn't fully get it. >>VASILIS MAGLARIS: Exactly. Is it for industry to do? Is it industry a third trusted party? Or is it something other government bodies, like the U.N. or like the IGF or civil society or whatever else should do it. >>KEN CUKIER: Thank you. There is a question by Sascha Welter. >>SASCHA WELTER: I would like to remind you to some of the points brought up by the audience in the beginning, especially to the things about the developing countries. We had the speaker from China tell us some examples of IPs that they blocked. Well, as a network administrator, I could open my mail locks and give him more IPs to block as fast as he could write them down. And the answer to this from some administrators, not many, is to shut down service from all IPs in China or other similar countries. And I think this is a terrible thing because developing countries are right now struggling to get on the net. And because of these security problems, we shut them down again. And, well, I see international law corporation is somehow more interested in shutting down bloggers like now in Greece or sometimes in China we have seen and not so much interested in getting after IPs of spammers or virus IPs because those are in the millions. 
>>KEN CUKIER: Interesting. Thank you. That goes back to Terayasu's point about we're doing so much to help the victims but we are not doing enough to actually go after the criminals. Let me use that as the starting point for questions to the panelists. Sascha raises a very good point. What can we possibly do about the issue? On the one hand there is a question of fairness and justice. On the other hand, we need to take reasonable precautions if we are experiencing hacking or attacks or bad packets in terms of Spam from another destination. Is there any way around this, and can the IGF play a role in this respect? Please. >>CHENGQING HUANG: I'll answer the question from our experience. We deal with Spam. We have a coordinated working group of the society. In November 2002 we organized this agency. At that time, Spams were a very serious problem in China and affected the economic interests of operators, including taking up their space. And they requested the society of China Internet to issue this working group on this matter. And the first task of this agency is to establish principles of work. For instance, whether in the organization they should share information. If they find IP addresses of Spam, they should discuss this matter and we should assess whether the IP address sent a lot of Spams. And also we have the principle of coordinated action to make joint efforts. So after defining some principles, we received the reporting and denunciation from society and the relevant organs and received some addresses that sent Spam. If we determine that these IP addresses, indeed, sent Spams, we announced the list of such addresses. So such a list, we have WW.NT slash Spam Web site, you can see how many servers of Spam we have announced. If after three months they have not improved their behavior, we will organize resistance to such Spams. 
After several years of work, we also established a white list, so to -- so as to request self-discipline and build up trust among relevant parties. In this March, we also determined the guidelines for service. Before our spams were increasing from the first quarter of this year, the end of the first quarter and the second quarter, spams decreased by 1.8%. And for the second quarter, a drop of 2%. I think this is quite good. And we, with the Australian authorities and KISA in Korea, we established the administration to combat spams. I hope in the future we can cooperate further internationally, because this matter of spam is an international matter. I think cooperation is vital in this area. Thank you. >>KEN CUKIER: Thank you, Mr. Huang. Rikke, would you like to -- >>RIKKE FRANK JORGENSEN: Thank you. I would like us to also bring into this discussion a point that was raised from the audience earlier in the session, namely, that the threats come not only from criminals; they come also from the state, actually. And while we have -- we could set a government benchmark out of the themes from this forum and the business in general to develop the Internet as an open, secure, diverse, accessible space, at the same time, we have the strongest political pressure ever to expand surveillance all over. And in Europe, where I come from, we've had the debate over the last year on data retention, the systematic retaining of user data for the purpose of law enforcement, but not based on a concrete suspect. A general retention of data that might be nice to have at a later stage, where you might find a reason to persecute an individual. So, I mean, we have also a political dimension of this, where we have these systematic surveillance issues being implemented on many measures, on many levels, and with the participation of Internet service providers, not that they necessarily want to, but they are being mandated to, to participate. 
And I think we need to bring in this into the discussion also, although it's very difficult to address. >>KEN CUKIER: Hmm. It gets to the issue -- it gets to the issue that the other gentleman had raised as well. He framed it in the question of who should be the trusted third party, the PKI. And whether that role should be for industry or for government or for someone else. And it raises the question of what are the respective roles and how we can find a way to work together, particularly considering we don't actually have institutions where we can actually exchange these views. In the case of, for example, the Council of Europe, they may come up with a cybercrime convention. But in the case of industry, they may have problems with the way that is being worded. In the case of civil society groups, they may have a problem with the very nature of some of the things they are recommending. And there's less of a chance to make those things known. Christiaan, from your perspective, how do you see reconciling these issues of how we can collaborate together as different stakeholders? >>CHRISTIAAN VAN DER VALK: I wanted to put it in the context specifically of the question on PKI certification authorities, because the issue of identification is, of course, very central to a lot of the things we're discussing here. How does one identify self, how can you identify someone else, whether that is a legal person, a natural person, or maybe an application or a machine on the Internet. All of these questions have been debated now in various forums and in various fora for at least the last ten years, possibly longer. And to answer the very specific question, can we leave the identification of these different entities to the private sector, my answer is, definitely yes. Even I would go further than that. We have to. And there is a simple reason for that. 
I mean, sometimes analogies are useful to explain things like, you know, public key certificate is like your apart on the Internet. Or an electronic signature is like the equivalent of a handwritten signature. These analogies, though, also tend to be sometimes a little bit tricky and sometimes even, I think, do damage to the reality of some of these matters. Interaction on the Internet is multifaceted, incredibly complex, impossible to define, and changing all the time. And all of these interactions are based on security credentials or identity in one form or another. And, yes, we would, of course, all benefit from a more standardized way of creating credentials and identities on the Internet, or validating them, of understanding them, and exchanging them between all of us. But because of all the different levels and because of all the complexity, it is impossible for a public authority to be the identifier of everything that transacts and is communicated over the Internet. This is something that has to be left to the various levels and the various types of entities themselves, and it needs to be worked out by the private sector. Obviously, within a regulatory framework. That regulatory framework has been put in place, I think, in various ways, both within the European Union and a number of other regions, but also within the U.N., there is another law on electronic signatures that was created by UNCITRAL already many, many years ago. I believe many of these frameworks today have to be revisited. And the way also in which people -- certification authorities and other issuers of credentials that are used on the Internet, the way in which they are used, many of these things have evolved tremendously. And I definitely believe that one of the things that the IGF might also look into is how -- the new way in which resources are identified on the Internet, how that works both legally and technically, but also, what is the overall regulatory framework. 
Because today, the framework that is in existence is definitely no longer up to the need from the marketplace. >>KEN CUKIER: Thank you, Christiaan. Lamia, since you're running a certificate authority in Tunisia, maybe you have some views, also expand it and look more broadly at other ways in which we can reconcile the tension between the roles of different stakeholders and how we can find ways to collaborate. Thanks. >>LAMIA CHAFFAI: Thank you. Well, there are various different models of hierarchies in terms of this. There is an open one where different public or private players can intervene. You've got a pyramid-shaped one. You've got a root, to give the case of Tunisia. And that can try and regulate the modus operandi to guarantee a certain level of confidence. Because we're talking about identity on the Internet. So there are economic stakes, transactions, legal issues involved as well. So, yes, there's an awful lot at stake. Are we going to have to give each player various different identities, for example, for ebanking they have one identity, egovernance, another one? There's also the cost issue as well. Could we allow one user to have various different means of authentication? Is it practical for them to have to present a different authentication each time? It's rather a complex issue. Are you going to have one single identifier? This comes back to the question of privacy as well. It's an issue which has been dealt with at international level at the current moment, and we're striving to find a consensus. Thank you. >>KEN CUKIER: It's true it is a very difficult issue and one where, on one hand, it's going to be difficult to find consensus. On the other hand, I'm sensitive to what Christiaan said. And it seems like the technology is moving so fast, that our attempts to define standards and rules become very, very thorny, indeed. 
Let me ask for three more questions from the audience and have our panelists respond to them, and then make some closing remarks. The first question comes from Juvenal Nshimiyimana from the African initiatives in Geneva. >> JUVENAL NSHIMIYIMANA: Thank you very much, indeed, for having given me the floor. I don't know whether this is a pertinent point, a pertinent question. Let's see. I'm not an Internet or an I.T. expert at all. But to get to my question now. We've been talking this afternoon about security, about broadband, is there enough of it in Africa or is it too expensive. You seem to be rushing ahead here. I'm not saying that what we're doing here is pointless. But if I may say so, I think we're rushing into this a little bit. You've got a large percentage of the world population not connected to the Internet, as we said yesterday. Now we've moved on to discussing security. So all these billions of people we were talking about yesterday are just left on the sideline, are they? I was in a meeting in Geneva last week, talking about the environment. And somebody turned around and said, "Look, African countries are being forced to choose between dying at 23 years old of hunger, or dying of cancer at a later age. So the choice is clear." We are spending a lot of money in organizing meetings these days. For example, this type of meeting. You're planning another one for next year. And you are spending a lot -- you spent a lot of money in Tunisia as well, wasted a lot of money, if I can put it that way. But you're talking about broadband. You're saying it's possibly too expensive for poor countries. Couldn't we have put this money to better use in boosting the level of broadband? >>KEN CUKIER: Thank you. I've got a -- we've got a second question. We have Mr. Hill, I think, from Geneva. Richard Hill from the ITU. Please. >>RICHARD HILL: Thank you, Ken. Richard Hill here from the ITU, the International Telecommunication Union. 
Ken, coming back to your question about the overall coordination of the activities and reaching out, -- Can you hear me? >>KEN CUKIER: Yep. >>RICHARD HILL: -- and reaching out to the developing world, I had the impression that this was pretty much settled in the Tunis agreement itself, because if you look at the annex to the Tunis Agenda, you will see that the ITU is the overall facilitator for C5, building confidence, which includes security. And we have undertaken a number of actions. Some of them are in the CD that was handed out today. And my colleague, Alex, could you stand up, Alexandra Antoko (phonetic), from the development sector, is, in fact, leading the effort, which is done in partnership with a number of companies, including Cisco. Art Reilly is sitting over there in the corner. So there are activities going on. Some are summarized in the CD. The rest you can find on our Web site. I guess the question for the panelists, how do you see that effort fitting into other things that are going on. Thank you, Ken. >>KEN CUKIER: Thank you. Let me invite Jean-Jacques Subrenat to -- please. Microphone here. >>JEAN-JACQUES SUBRENAT: Thank you. Jean-Jacques Subrenat is my name. I'm a retired ambassador and a consultant nowadays. This afternoon, I've heard some very interesting analyses being made, well, it goes without saying, because we've got some real experts up there, all of whom are very -- in responsible positions in their own sectors. But I would like to give you my overall impression. Behind this expertise, nowadays, there is a little bit of timidness about the way we -- the tones we use to couch our ideas in. Now, we're meeting under the aegis of the United Nations Secretary-General, Kofi Annan, today, Nobel prize winners. And this means that we bear a high level of responsibility. We should bear that in mind. 
Our Greek hosts as well, I think, would like us to remember this inaugural IGF here in Athens, in Vouliagmeni, and remember it as something which wasn't just a high-level exchange of views at an academic university level, but, rather, I think what we should be thinking about is what is the actual added value of this first IGF conference. Look at the title. It includes the word "governance." This means that it should be a meeting point, a crossroads for concerns coming from the users, the private sector, the governments, international organizations, and so on and so forth. What I would now like to hear -- and we've got precisely half an hour left, Mr. Moderator -- as I was saying, what I would like to hear now are proposals which you, as moderator, could then broadcast out to the Internet community in general, and possibly, more particularly, to the organizers of this conference. Now, these recommendations may or may not be taken on board. That will be down to governments and other decision-taking participants finally. But I would like to make these proposals at least on two levels: Security amongst individual users, what ideas can you draw out of this debate, what would the ideas be that the members of the panel would like to repeat before 6:00. And then at international level, what are the best practices, the benchmarks which the various members of the panel would like to see transmitted to the organizers and people who are responsible for decision-taking? Richard Simpson put forward various ideas just now. And I think that that calls on governments to establish these benchmarks, these references. That is a very important task. So let me repeat my question: What is the added value from this conference? Thank you. 
>>KEN CUKIER: Before I ask the final question, this one from the Internet, let me give a -- let me amplify what the ambassador has challenged us to do and ask all of the members of the panel to try to think of one con- -- one thing that they've learned from this panel, something new that they thought was interesting that they can explore beyond this panel, and if they have one concrete recommendation or proposition that they'd like to put forward, either for their institution, their stakeholder, their group, or for another one, or just in general that needs to be done. It might be the same thing, but it might be different. So do think about that. What have we learned? And is there anything tangible that we can take beyond this particular setting that we can try to institute in practice? While you're thinking about that, I invite the comment from the Internet. >> Thanks very much. We've actually got two now, because another one came in after I raised my hand. But one of them is from the chat room, as before. And I'll perhaps relay that one first. It's Michael Nelson again, who says, what's the nightmare scenario? Do you worry that there could be a catastrophic security problem that would cause most Internet users to stop using the net? And we also have one that's come in by e-mail to the e-mail address comments@IGF2006.info from Mel burns. It's quite short. He says, watching the security panel currently in progress, I'm interested in the panel's thoughts about the possibility that Internet users should eventually be required to take a form of virtual driving test, something that could be a requirement for future generations by the educational system. Since users could be located by their I.P. address, surely penalties for misuse could be issued in the same manner as they are for motor vehicle drivers. It should of course be some international code of conduct rather than nation-based. 
And I suppose that that raises, again, the issue that Allison brought up earlier, that we haven't gotten back to yet, about how most Internet users nowadays are treating computers like white boards rather than complex technical devices that they are. >>KEN CUKIER: That's true, although we don't have a driver's license to use our toaster in the morning. Would we want to do that for our PC if it becomes ubiquitous? Both of those questions were very, very good. Before I force you to reveal your hand in terms of what you think the future should look like -- and what I will do is go down one by one -- let me see if we can take a look at those two issues. One is the nightmare scenario. And the second one is, should we -- how do we reconcile the fact that as information technology becomes so ubiquitous, that security is going to become even trickier? Should there be a driver's license for it? Does anyone have an idea of the nightmare scenario for information technology and how vulnerable we are? David, please. >>DAVID BELANGER: Well, I can give you one, and I suppose there are quite a few of them. It turns out that most national infrastructures -- water, electricity, nearly everything else -- is based on networking. Right now they're probably based on more classical networks, which are far more closed, in the main. But since nearly all communications networks are moving to I.P. over time, I think that we will have to be extraordinarily careful in trying to create nearly bullet-proof networks for the large national infrastructures. >>KEN CUKIER: Does anyone else have an idea of what the nightmare might be for information security? And how vulnerable we are? Andrew, please. >>ANDREW MAURER: I think the more practical thing is that transactions won't be trusted across the Net, so that the Net would actually fragment, so that people could create their own small network of trusted users and trusted providers. 
And I think that's probably in some ways a more near-term or more realistic threat to the Net with the various security threats that are out there. >>KEN CUKIER: What about the idea of a driver's license? Should we enforce some sort of requirement on users to be conscious of how they interact on the Internet? Sure, Henrik. >>HENRIK KASPERSEN: My answer to that would be no. The driver's license discussion is a very old one. I remember that from 25 years ago. Actually, why would you like to achieve that? You have to be sure that somebody is, indeed, a user. You would have to take such, let's say, severe measures that we are really endangering the privacy of the persons. That's the same for society. We walk around a lot of the streets. There is no need to put a sign on our hat who we are exactly. We may have been asked who we are to identify ourself, if necessary in certain situations. And I would say there must be a balance between is it really necessary to know at all times who is doing something or is it only necessary if something is -- somebody is doing something wrong. And I think that balance is still there that we do not need, for the time being now, clear identification at all times of a person who is active on the Net. >>KEN CUKIER: Good. Let me ask first Gus and then David. Gus. >>GUS HOSEIN: I just find it odd that throughout all of our statements today and throughout all of the statements generated, when we talk about users, we automatically assume that they're absolute idiots. Isn't that odd, that all these years later, despite all that talk about empowerment, we still presume that users are idiots? I think that, honestly, if we left it in the hands of the users, if you gave them the ability to decide over what transactions are permitted within their computer and what goes out and so on and so forth, they might very well make the right decisions. But we have always treated them like idiots. 
And we have given them stupid things to do, like, for example, one of the possible reasons why we have phishing is that at some point in time, somebody made the dumb idea that HTML messages was a good idea. And that's why we have users making mistakes, because they're being sent HTML messages saying, click here, log into your bank, so on and so forth. Honestly, if we let consumers be smart and not want flashing e-mails and all of that, they might actually make the right decisions for themselves. >>KEN CUKIER: Gus, what about in a world in which we don't have one person with one Internet connection, but that we have Internet connections in about 50 to 150 different devices that we carry with us that are in our car, that are in our home, where people who are using the Internet without even realizing that it's connecting over the Internet, how do we accommodate a world like that? How do we accommodate a world in which the people who might be using it actually do have really low skill sets, if you think my grandmother is bad on the Internet, you know, you can imagine that, countries that are just developing literacy and living standards in Africa and Asia are going to have also a difficult time in having to accommodate the Windows browser. What do we do about that? >>GUS HOSEIN: I think there are a lot of grandmothers out there that we keep on using in our stories. I feel really bad for any grandmother out there who knows how to use the Internet. I think we're discriminating unfairly against grandmothers. I think there's a lot of practical solutions that can be offered. But I want to take the high-level approach for a change, for me, which is, users should be at the center. They should be in control. They shouldn't be using a device and not realizing it's not connected to the Internet. >>KEN CUKIER: That's just not realistic anymore. 
If the Internet is going to grow to accommodate not just one billion, but six billion people, you can't just say users have to decide how -- you just have to be in control. >>GUS HOSEIN: They should be let known. I don't want my mobile phone to be on the Internet unless I tell it to go on the Internet. Otherwise, I'm paying for it unnecessarily, so on and so forth. >>KEN CUKIER: In 15 years, that's like saying I don't want my camera to have a microchip on it. >>GUS HOSEIN: I want to know when it is. I want my camera to be linked to the Internet when I want to put up photos, when I want to do it. I don't want it to be ubiquitous and constant. I want to flip the switch on and off. Most people, if given the choice, I think want to be empowered. They don't want to have it always on. That's just a guess, but I'm an idiot who presumes that people aren't idiots. >>KEN CUKIER: Well, there you have it. Mr. Huang, please. >>CHENGQING HUANG: In my opinion, the nightmare of Net security will be in two forms: Firstly, the lax infrastructure for Internet security, when online, the user's information might be stolen or falsified. As a result, net users will be afraid of going online. So this would be a nightmare that would affect the use of network. Another nightmare is the excessive popularization. It's like an idea of house which has been locked with many padlocks. As a result, nobody can enter. So we have to find a balance between security and convenience. We should make it easier for users to go online and to ensure their security. Such a balance should be achieved through technical means on the one hand. This is a necessary condition we need to provide antivirus software, firewall, et cetera. On the other hand, Internet is a global network. Once attacked by virus, it will affect not only an individual machine, but the entire network. So we have to have a kind of a mechanism for coordinating emergency response. 
Without such a mechanism, such a problem, it will be difficult to handle. So the mechanism for coordinating responsibility will provide full condition for security. Thank you. >>KEN CUKIER: Rikke, and then Mr. Kremer. >>RIKKE FRANK JORGENSEN: To add to the list of worst scenarios, mine goes to a situation where we build and design in civilian structures in our societies that will take years to roll back again and which results in a situation where it's the citizen, the individual, that becomes the transparent party, rather than the state. >>KEN CUKIER: Interesting. Okay. >>ARCADY KREMER: I would also like to answer this question on how we can coordinate our efforts to guarantee a secure Net. We should see how we could implement the decisions taken by various summits. The ITU has been asked to coordinate this work, and we are following three directions. First of all, finding the methodology which would help us at the regional level to give a national solution in order to guarantee security, which means to have a basic principle which will be adapted to the concrete conditions in each country. The second direction is how to harmonize the work undertaken to guarantee that the legislation prepared will be coherent. Because there is no one institution which could offer a solution to all aspects. I think that what's being discussed here will be taken into account at the ITU level. And the third direction -- perhaps this is the most important one -- is to find a way to exchange best practices, comments, and find the equipment which will allow for rapid reaction and an adequate reaction to all kinds of threats. I think here, we should create an inventory where we will be offering solutions. There is an information portal at the ITU which does offer such information. And I think that everything that's been heard here today is extremely important, and it should be followed through in the future. 
I think that we look at the Internet and think that it's a kind of virtual world where we have virtual users. No, these are real people. And we have to guarantee a secure environment for them, because we don't want to limit the uses of the Internet because of security issues. >>KEN CUKIER: What I'd like to do is ask for one last question from the audience. That is Izumi Aizu. Izumi, are you there? >>IZUMI AIZU: Thank you, but I thought you said final three questions, and I thought it's gone. But, anyway -- >>KEN CUKIER: It's the role of -- the prerogative of the moderator to change the rules midway through the game. >>IZUMI AIZU: Thanks a lot. As a global citizen or global citizen viewpoint, and think in ten years' time or 20, perhaps, although this IGF will only continue five years, but we are given the mandate to be as innovative or creative as those who invented the Net, who sort of (inaudible), as I said yesterday as well, there's no -- the TCP/IP has no national border, unlike the telephone numbers; right? That's the difference. So to reflect that, as well as some other older communications and movement of the people, information, money, don't you think that we need to think more creatively, that some parts of -- not all -- national sovereignty be given more limitation or some, you know, less boundaries, or change some boundaries down the road? I say this in two ways. One is that when the E.U. was created, they put first, second, and third pillar. And you put some of the, you know, common areas, such as economic activities of marketplace, gradually, right, after taking all the lessons from the world -- they killed each other -- and you achieved the common currency. Although some countries, we don't have them, even in Europe. But we have a very interesting idea of having one side of a coin very much common; the other side in each country still has its own national identities. 
Likewise, if you come to the Olympics, we still see all the national competitions, but very peacefully, taking the lessons from the Olympic Games, where most police stopped cease fires. So I'm not just saying in abstract theory. But in the age of global citizens, how many people have the opportunity to talk to the other nationals for their lifetime, and you compare that with 50 years ago, 100 years ago, where the sovereignties concept was established. So 20 years from now, or 50 years from now, I think we need to really redefine the national sovereignties, especially in the law enforcement, where we're talking about security and the privacy or human rights. Then I think we will have more common, I think, sort of goal or direction to which we need to come up with really pragmatic, implementable solutions. If you have any comment, I will appreciate that. Thank you. >>KEN CUKIER: Thank you. Let me take up what Izumi has said, his challenge to us to understand a vision of the sort of society we want to create and how the Internet plays a role in terms of its security in 20 to 50 years. The idea of national sovereignty, of course, is one issue. We don't have institutions with which to drive forward some of our visions. But if that is the target that's far ahead of us, let me put it out there but maybe concentrate your focus a little bit more closely and the immediate space so we can figure out a way to get from here to there. I asked you earlier to take up the challenge by Ambassador Subrenat about either what we have learned or a proposition that we can drive forward. The IGF, obviously, is the beginning of something. Yesterday I actually said it wasn't the beginning of something. I said we were mid process. But clearly if we are in mid process, we are in the start of that middle process. Let me mention first that we don't have a lot of time. 
So we need about maybe 30 seconds, 60 seconds maximum from you and what you think is the most critical thing that you have learned and that you want to perhaps advance forward, and whether the IGF can be a mechanism to advance that forward. I'll start with the thing that I have learned the most. I thought the idea, maybe it was Frederico's, it's his point so maybe I am stealing his thunder. But the idea of taking the CERT, the computer emergency response teams that we have seen in the U.S. that exist in other countries, and expanding that out to other nations, trying to build that through capacity building and trying to forge links among them might be a way in which industry self-regulatory mechanisms can go forward, can get the blanket of antitrust immunity from government, so there is a role for the public sector as well. And therefore, we can see that better information security practices happen globally, not just nationally, through the coordinating role of government but through the activities of industry. That's one thing that maybe the Internet Governance Forum can take up and can be advanced through this mechanism. That's mine. I'm going to go down the list. Those at the end, like Christiaan, have time to think longer. David, you don't. Please start. >>DAVID BELANGER: Okay. I think what I took away from this most dominantly, and this will rephrase it a bit, is that information has actually become the good which we share in an economic sense as well as a social sense around the world. And actually, a little bit to my surprise, there was a discussion of regionalizing the net, for instance, when what I see is many companies who are global who have an absolute necessity for this net to look like it's one flat world. >>LAMIA CHAFFAI: There are two points that I would like to stress and which came up in this discussion. Security, and elaborating a strategy at the national level. 
And I'm thinking particularly of developing countries, because they have to take into account the security issue whilst preparing their strategies. There are various pillars which we have taken into account in Tunisia, and there is also awareness, partnership with the private sector, the citizens, and also international cooperation, harmonization of the legal framework. The second pillar, which is cooperation for development and which is absolutely vital, this perhaps could help us create an exchange platform in order to better cooperate in the future. >>KEN CUKIER: Ilias. Please. >> ILIAS CHANTZOS: This is my first IGF event. >>KEN CUKIER: It's all of our first IGF event. >> ILIAS CHANTZOS: Well, let me put it that way. And it's also, if you like, that I am attending from the point of the WSIS process, if you like, that started. So in that regard, I think that to hear the different -- the diverse views and the diverse cultures and the different points of view and perspectives of the different people is something, if you like, expected. On the other hand, I think that we come to the point where we all agree that security is important, information and identity, privacy of individuals or, if you like, parts of the currency of the modern digital lifestyle which we are living in and in that respect need to be protected. So I guess what I am taking from this event is the need, the importance for the private sector to be engaged. Certainly for the (inaudible) security industry to be engaged, and I think that's what would I like to bring back to my colleagues. And obviously to thank the United Nations for the opportunity to be here today. And the Greek government for hosting this. >>KEN CUKIER: Chengqing Huang from CERT in China. >>CHENGQING HUANG: I think the contribution from the forum is that here, through our discussion, we can inspire more ideas. Maybe we do not have a lot of conclusions in the short run, but we have brainstorming. 
And it will be conducive for further development of Internet in the future. For instance, today, we discussed the issue of security, which is very inspiring for me. That is, security, whether it's an issue of public service for the government. I think this is an issue that merits serious consideration. Internet security is a complex matter, and we need such discussion. Through our discussion and exchange of views, we can form good ideas and, in the future, we can further promote security for a global network. And maybe as the moderator pointed out, organizations as CERT, whether they can effectively facilitate mechanisms for emergency response, such ideas are important. I think the forum can play a part in this area. Thank you. >>KEN CUKIER: Thank you very much. Gus. >>GUS HOSEIN: I'm excited by all the confusion. That's what I'm taking away from this. I am excited by the fact that we still don't know the role of government. We still don't know the role of industry. We still don't quite know what international cooperation should be like. And we still have a very limited idea of what users are. I think that's exciting to be in a field where after all these years we're still so confused. As for the thing IGF can take forward and we can take forward, I really think we should build on Mike Nelson's idea of a for