IGF 2018 - Day 2 - Salle I - CYBERSECURITY, TRUST & PRIVACY

The following are the outputs of the real-time captioning taken during the Thirteenth Annual Meeting of the Internet Governance Forum (IGF) in Paris, France, from 12 to 14 November 2018. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

 

>> CHAIR: Ladies and gentlemen, good morning.  Welcome to this morning's main session on cybersecurity.  This is day 2, Tuesday, the 13th of November.  We're in Salle 1.  First of all, would like to welcome all remote participants from all across the earth.  Latin America, Africa, Asia-Pacific and the Americas.  Welcome you.  You can imagine, the translations available for this particular session.  So you'll see little ear pieces which you can put on.

Some of our speakers will be speaking in different languages.  If you're an English speaker, you can go to channel 1, channel 2 for Spanish, channel 6 for Chinese.

With that, ladies and gentlemen, before we proceed, we'd also like to take a minute of silence to remember Stan Green.  He brought a whole lot of marvel into the world.  If for a minute, if we could have a moment of silence.  Thank you.

Thank you.  In case you were wonder, he brought us Marvel and spiderman and a whole other action animated figures.  I'm wearing my spiderman T-shirt.

Good morning, everybody, can you all hear me from the back?  How we'd like to facilitate this main session this morning is to keep the room engaged and to have a dialogue.  Rather than the panel talking down to the community, we'd like to engage in a very diverse, animated and interactive dialogue.  So to start off, let me please introduce the working title.  Which is cybersecurity and privacy practices that can build trust and ensure growth and prosperity for all.  We're pleased to have a distinguished lot of experts that are currently seated at the podium.

And if I could please introduce them.  We have Mr. Seth from the U.S. State Department.  If you could please stand so people see you.

We have ambassador Lonju, coordinator of psycho-- Mr. Mr. Long Zhou, Coordinator of Cyber Affairs, Ministry of Foreign Affairs of China.

We have Ms. Ms. Mallory Knodel, Head of Digital, ARTICLE 19.  We have Mr. Christoph Steck from Telephone ica.  Well known to the community.  Ms. Anahiby Becerril with us from Mexico.

My sincere apologies, ladies and gentlemen.  Yes, my name is Ashnah Kalemera and I work with the The Collaboration on International ICT Policy in East and Southern Africa, CIPESA.  We're based out.

>> CHAIR: That shouldn't have happened and I respectfully apologize to you for forgetting.  My apologies.  We would like to start off with setting the context of why we're here.

As you can imagine, cybersecurity is a critical thematic space.  There are lots of threats and vulnerabilities as government begins to collect data, as private sector collects data and we're all on the Internet and there's a lot of data evolved.  There are all kinds of issues that emerge in terms of privacy, in terms of security threats.  For instance, we have just several months ago there was an attack on the Ukraine power station, where there was an attack on the industrial control systems.  As governments push towards regulating the cyberspace and implementing strategies in this particular area, there's certain issues that surface in terms of privacy.

We see this in Pakistan.  Anyone from Pakistan in the room?  Digital rights foundation is heavily represented in this year's IGF.  We see the harvesting of data that's been abused both in Indiana and Pakistan in recent times.  So we have this distinguished lot of panelists who will be speaking about the countries' different cyber strategies.  From government, but at the same time, to sort of reach out to us in terms of how they deal with some of this dichotomies and some of these tensions.  First, if I could invite ambassador Martin to weigh in for two minutes.  Thank you.

>> DAVID MARTINON: Thank you for having me this morning to talk about cybersecurity and data protection.  Data privacy.  As president Macron said, stability in the cyberspace and the fact that stability -- sorry, I'm still out of the room in my head.

If we want to keep the Internet close to its promise at the origin of it, which is openness, universality, liberty, freedom, we need to make it a safe place.  We need to make it a place where confrontations are limited.  Conflicts are limited.  Where we can find some stability.

The difference between the kind of situation we've known for years in the real world, if I can say so.  And the current situation in the cyberspace, in the digital space, is that in a way every actor can play a positive and a negative role.

It's not only about states confronting themselves.  It's about states, it's about private actors, legitimate and illegitimate private actors.  It's about new practices that we don't want to see in the cyberspace, like hackback, reverse hacking.  Which is sort of priveatization of war.  We don't want the priveatization of war.  We want states to be in control of the law.

If we want to reach these goals -- by the way, I want to add another objective, which is the fact that if we want our democracies to work efficiently and transparently, we can't accept interferences during our electtorl processes.  These have been gathered in the Paris code for stability that president Macro n endorsed on behalf of -- endorsed on behalf of France.

These are the goals we need to reach, and for this, we need the cooperation of states, but also of every stakeholder.  This is why, by the way, so many companies have endorsed it in the previous days.  And we hope in the coming days.  This is why so many NGOs have endorsed it.

Many more than states, by the way.  Even if we have reached a large amount of states endorsing the Paris Code.  The idea is to work together to try and understand each other's positions and to engage in a discussion that needs to be fruitful.  If we want to reach these goals, we need to invent and work on the necessary cooperative measures that we absolutely need to implement.  So that would be my start.  Thank you very much.  Thank you, ambassador Martinon.  If we could call on Mr. Long Zhou from China.  If you would like to weigh in on your country's cyber strategy.  Translation is available.  He will be speaking in Chinese.  Thank you, Mr. Zhou.

>> LONG ZHOU: Ladies and gentlemen.  We are living in a digital era.  Ethics are changing.  Digital innovations continue to emerge.  The Internet is becoming one with a life of populations and bringing digital dividends to the people.  It's a new motor for economic and social development.  But at the same time, cyberspace has brought us challenges.  Internationally, Internet security is under threat.

Private life and copyright are under threat too.  Thanks to Internet.  Cyber attacks and cyber criminality are on the rise.  Cyber terrorism is an international threat.

And Internet governance is not keeping pace.  Which is a problem for Internet security.  In particular, fake news are spreading.  And users' data are subject to leakage and to abuse on a vast scale.  Enormous risks are appearing.

Faced with those threats and those risks, the international community must come together to ensure universal security and shared responsibility.  I think the following points are particularly point.  First of all, a win-win cooperation.  Because our interests are shared and are interdependent.  The Chinese president put forth the concept of a community of destiny in cyberspace.  That's a novative concept.

That concept amounts to people coming together and unifying in order to create a cyberspace.  The second point is development and security.  Cybersecurity and economic growth are interdependent.  Development must be the key to a cybersecurity.  When developing, we have to lessen the digital divide.  We should not sacrifice security to development, however.  The third point is that we must have rules.  This must be a rules-based system.  Without rules, there could be no peace or stability on the Internet, and there can be no trust.

Fourthly, there must be new working methodologies at several levels.  China has found its own path to Internet development, and I will expand upon that later on in the session.  Thank you.

>> CHAIR: Thank you.  So we'll go to Civil Society.  You'll note that the two representatives from governments, both France and China sort of mentioned this need for regulation and there's a need for global shared responsibility.  So before we jump to the U.S. State Department's representative, I thought this would be an opportune time for Ms. Ashnah Kalemera to weigh in in terms of Civil Society's perspective in relation to the current public policy issue.  Thank you.

>> ASHNAH KALEMERA: Thank you.  I'll speak from sub-Saharan perspective.  We're all aware that the content's got amongst the fastest growing Internet penetration rates.  Approximately a quarter of a population are Internet users.

And it's a huge driver in social economic development.  Unfortunately, that growth and penetration is being matched by criminal acts against government, private sector, and individual users.  We're seeing huge growth in gender-based balance online, in blackmail, extortion, fraud, harassment, and of course the theft of personal data, as well as extremism and hate speech online.

These threats are cross-border and committed across jurisdictions.  Ultimately, they undermine the confidence and trust of the use of the Internet for the few, the quarter that I mentioned, that are actually online.

Therefore, there's need to prioritize policy and practice and legislations that allow for efficient and effective stakeholder cooperation and prevention and repression of these criminal acts online.  However, and most importantly, these cybercrime or cybersecurity legislations, if put in place, should not be used to curtail Freedom of Expression and privacy.  I think we've all seen recently in Tanzania where the cybercrime act and legislation is used to curtail Freedom of Expression online and stifle critics.  Same in Uganda, used by the states to stifle descent and critics of the state.

For users, safety tools are just as important in securing their communications.  So it's critical to enhance use of digital security.  So there's a dire need for capacity building around digital security practices amongst users as well as private sector and government on the continent.  For the Internet to be the driver it is for social economic tempts in Africa, it's important that the -- developments in Africa, it's important that they are cognizant of violent extremism and threat to personal data.  Most importantly, that it has Human Rights safeguards in place so it's not used like it is in Tanzania and Uganda and other countries where cybercrime legislation is used to stifle Freedom of Expression and critics online.

>> CHAIR: Thank you.  I would like to invite ARTICLE 19's Ms. Mallory to weigh in on the issues of privacy and the dichotomies.

>> MALLORY KNODEL: Thanks.  I would just add as well there's a lot of focus in cybersecurity on conflict as we heard.  That came up.  And in other sorts of digital rights issues that are included in cybersecurity that maybe shouldn't be.  We see increasing securitization about these conversations, like fake news.  That's one trend we have to be very clear about.  These are related issues but they're not at the center.  What is at the center, I think is not just the risk to infrastructure, the risk to businesses and economies.  It really is people.  Because the reason why we care about the security of infrastructure for example, in cyber attacks, is because people are at risk.

The reason why we care about whether or not businesses and economies are sayable and safe is not just because -- viable and safe is not just because of those businesses existing.  It's because of the users, the workers that are involved in these systems.  Putting people at the center of cybersecurity is a really good approach and it means we have a basis for talking about cybersecurity.  It was said earlier that we need rules, but we already have a lot of rules.  We already have a lot of -- we have criminal codes, Human Rights frameworks.  There are already a lot of things we can cover with what we have already.  I think what is important is actually having conversations about cybersecurity that furthers this or adds something new, rather than just general blanket securitization of everything online.

Again, when we put people at the center, we can focus on things like Freedom of Expression and privacy and indeed policy doesn't go far enough.  So one way that we can make up for that policy falling behind is through technical standards and technical solutions.

So that is a focus of the work that my organization does along with many others, to look at technical standards and how the Internet is built from the ground up to be privacy respecting and secure for everyone.

I do agree with Ashnah that there is a lot of digital security training needed.  At the same time I think the most impactful changes we can make will change the Internet and make it mere secure and safe -- more secure and safe for everyone.  That can happen at the lower layers in setting technical standards.

So policy and technical standards kind of go hand in hand in my opinion.

>> CHAIR: Thank you Ms. Mallory.  If we could move to from U.S. State Department.  What are some of the best practices from where you sit.  That have enabled trust and facilitated sustainable economic development.  These questions are actually from the global community by the way.

>> Thank you.  Before I answer I did want to take a moment to thank you and to thank Ben who is not able to be here.  He's in Dubai and the other organizers for putting this together.  It's great to be here.

I did want to pause a moment and, I think the previous speakers have laid out clearly a lot of the threats that are in front of us and in our own ways.  I think everyone up here is trying to confront them.  I did just want to interject the idea that the way we confront them is important.  And that this has been brought up previously as well.  The way we address the threats are important and the reason is we risk sacrificing a lot of the benefits of the Internet.

So as we talk about the threats, I think it's critical that we talk about the benefits of the Internet as well and not lose sight of it.  I'm not sure why my mic keeps shutting off.  If that's something I'm doing, let me know.

The benefits, Human Rights, innovation, growth.  I think we all have them, but we need to keep those benefits front and center in our mind as we think about how we're going to confront the problems.  In terms of the best practices to get to the question.  One of the practices that really animated our work from the U.S. side has been the risk of state on state conflict.  David mentioned this as well.  I would harken back to President Macron's speech.  The ideas that as we work in the offline work to prevent conflict.  We also need to work in the online world to prevent any conflict there from stemming, spirling over to conflict in the real world.  That's what's animated our work on the stability framework.

These are kind of concrete measures.  I think we'll probably get to some of them later in the discussion.  Concrete measures meant to reduce the risk of activities in the online world resulting in conflict in the offline world.

I think maybe I'll leave it there.  But because we were talking about national strategies earlier, that was a question from some earlier panelists.  I did want to make people aware if they're not already, last month the White House in the U.S. released our national strategy and this outlines the steps that the U.S. Government is taking to advance in open interoperable and secure cyberspace.  It's a comprehensive document and covers a lot of ground.  I did want to highlight a couple items in there if that's appropriate.

A lot of it is focused in terms of our internal practices.  But much of the document as well is focused on the international cooperation that's needed around building capacity of third countries, around promoting Human Rights and Internet freedom, interoperable, economic practices and addressing malicious activity.  Those are some key concepts that maybe we can focus on later.  Thank you, Sal.

>> CHAIR: Thank you, Seth.  We would like to invite Christoph Steck from Telefonica.  How can the private sector and technical community address concerns about cybersecurity and privacy in a way that doesn't undermine the open and free and secure Internet?

>> CHRISTOPH STECK: Thanks, very much for inviting us and for being here.  Representing Telefonica and maybe the wider private sector.  First of all, I think we have to say that cybersecurity is one of the nice issues where all stakeholders agree.  We all want cybersecurity.  It's not one of the confrontational issues.  No one will raise their hands and say I don't want cybersecurity, I don't want to be safe on the Internet.  That's a good starting point.

At the same time we have to also say that unfortunately the Internet and the digital ecosystem is quite complex animal.  It's very interconnected.  It's got a lot of different layers.  If I just open an app on my mobile phone, you have the app developer, operating system underlying it, you have hardware in the phone.  Then it goes to a network.  Then it goes through some cables and ends up somewhere.  I mean, it is a long chain and there are many people involved.  Many private companies involved who are working in producing these services and the products.

So the problem with cyberrer security it's only as good as the weakest link in the whole security chain.

Of course bad people would always go to the weakest link.  We have to make sure this whole value chain is really secured.  And that's getting more complex by the day, because we're moving into an Internet of things where we connect a lot of things to the Internet.  That means the things we connect are getting more universal, cheaper also, so there's less money and less margins to include security measures.

I just want to picture here and lay out a picture which is really that things are getting rather more complex than easier.

The second issue?  I think we're not really prepared equally across the world for cybersecurity in the same way that countries are not equally prepared.  We have a big symmetry across countries, across companies, across the involved actors.

That's the challenges.  So what's the approach we could take?  Obviously, out of the challenges we immediately see also the approach needs to be horizontal, broad approach.  We need to include everyone who can help on that.

Just to give you a little kind of piece of information.  I mean 80% of the critical infrastructure in the world is owned by the private sector.  Government has a huge role to play, but business does as well.  These are infrastructure owned by the private sector.  We also need to have an international effort.  It's good that we have national efforts, regional efforts, but in the end, this is an international issue.

So we should think more about what can we do really internationally to keep it going.  And the approach, I suppose, should be something which includes self-regulation, it includes some form of policies, standards.  Very good way of doing something which might be kind of soft law in the sense that it's included automatically to a certain degree into products.

So I think we should have a whole range of approaches to tackle that.  And I think we might speak about best practices a bit later on.  So I'll keep that for later.

>> SALANIETA TAMANIKAIWAIMARO: Thank you, Christoph.  While we're there, I would like to ask Michael Ilishebo if there are any interventions from the remote participants before we go to the next speaker.

>> MICHAEL ILISHEBO: There is none at the moment.

>> SALANIETA TAMANIKAIWAIMARO: Thank you.  So with that, if we could ask Ms. Anahiby, a researcher from the Public Center for Research and Innovation in Information Technology in Mexico to weigh in on the current discussions.  Thank you.

>> ANAHIBY BECERRIL: Thank you.  Good morning.  I'll be speaking Spanish.  It's more comfortable for me.  Thank you very much for your invitation and for giving us an opportunity to share our ideas with you.

In Mexico, last year, we enacted a national cybersecurity strategy, not that we hadn't done anything prior to that, but this strategy amounted to us sitting down together and joining forces in order to get a clearer idea of what we're doing and how the different stakeholders could be involved.  The national cybersecurity strategy involved a group of many stakeholders.  There was even a public consultation so that any individual could express him or herself on this.

And on the situation of cybersecurity in Mexico.

It's very important to point out that Mexico is making a great effort to assist other countries in the region.  In order to spread the culture of cybersecurity so that countries will be prepared for this.

In our experience, Mexico's strategy is based on three principles.  First of all, Human Rights.  All of the matters that we have to implement in cybersecurity have to respect the principles of Human Rights.  Also a risk-based approach and a multi-stakeholder cooperation.  Not just multi-stakeholder, but multidisciplinary.  We involved these principles in our strategy, but the strategy is just a first step.  Now we are looking at the second step, implementation.  One of the things we discussed is there's going to be a change of government soon.  It's very important for countries for intercontinuity to programs.  We can't every time this new government, start from scratch.  Many times when a new government comes in in one of our countries, they tend to start from scratch.  It's very important to make sure that the documents are drawn up by many stakeholders, not just by the government.  Academics are involved, the private sector, Civil Society, that they are all involved.  The government acts as a coordinator, but all of the involved parties have an opportunity to speak and to create this document.  Thank you.

>> SALANIETA TAMANIKAIWAIMARO: Thank you Ms. Anahiby.  I would like us to go to something Seth mentioned, which is state on state war.  Bringing us to one of the other emerging policy questions that the community sort of raised when we were preparing for this main session.

The question is, and ask this to Mr. Seth and to them ambassador Martin.  What are some considerations for cyber diplomacy in global norms related to states organizations and individuals.  How can geopolitical intentions impact global norms and how can this be mitigated?  You each have two minutes.

>> PANELIST: There's a lot of ways to answer that question.  I guess the way I'll start and we can go from there is to talk about the diplomatic efforts that we've been involved in for many years at the United Nations.  The U.N. has been really central to these efforts to build consensus on international security concepts.  So we've promoted in the U.N. and elsewhere, what we call, we've thought of as a stability framework.  So the ideas, we're promoting this framework of stability to prevent state on state conflict.

It really has three pillars.  One is promoting the agreement that international law applies to state behavior online.  The other is promoting certain nonbinding norms of state behavior that apply during peace time.  And the third is promoting what we call confidence-building measures.  These are concrete measures that states can undertake to promote mutual understanding and prevent conflict.

So a lot of this work has taken place at the U.N.  Some has taken place in other fora, but this year, we actually had a cyber resolution to -- before I get to that, I'll mention the GGE, the group of governmental experts.  This has been a venue that's been very productive since 2009.

To build support for this framework.  And it's really been a productive and useful platform to talk about these issues, because it's consensus based, it's time limited, and it's expert driven.

And a lot of attention has been focused on the 2016-2017 round of discussions where there was a failure to find consensus.  But of course, that doesn't invalidate the existing GGE recommendations of the previous report, which were as I said, groundbreaking.

So to try to keep that momentum and progress going, we tabled a resolution at this year's UNGA first committee.  It really mirrors the previous consensus resolution, seeking to make progress.  And this happened last week.  We're pleased with the overwhelming support that it received.  We think this is going to enable, or we're hopeful anyway, that there will be a new GGE that will reach consensus and actually expand it's ability to consult more broadly during the process.

I'll leave it there.  That's the diplomatic effort I would kind of put into the discussion at this stage.  Of course, there are many others.

>> SALANIETA TAMANIKAIWAIMARO: Thank you, Seth.  Mr. Long Zhou or Martinon.

>> LONG ZHOU: Yes.  Thank you Madam Chairperson.  I should like to present China's view on the topic.  You see, in order to be able to maintain cybersecurity, all the while maintaining Internet openness.  Well, that's in the interests of us all.  But how can we achieve that objective?  What is cyberspace, after all?  There are different interpretations.  Different views on the topic.

From my vantage point, cyberspace differs greatly from the physical world we inhabit.  Having said that, cyberspace is not completely disconnected from the real world.  And it is for that reason that in the real world we have certain principles which are jointly recognized and jointly implemented by all of us.

Enshrined in the United Nations' charter.  In fact, these principles also apply in cyberspace.  They should.  I think that's the bedrock of global Internet governance.  However, unless those foundations are in place, Internet governance will be unsuccessful.

From our side, given the fact that cyberspace is special, it has its idiosyncrasies, given the pace of rapid technical development, we believe we need innovative ideas in order to be able to govern the Internet.

In light of this process, we're of the view that we need to uphold certain principles, specifically the principal that we all have a common destiny in cyberspace.  We need to focus on this idea of shared development.

After all, we're all inextricably LinkedIn cyberspace, and this is why we need -- linked in cyberspace, and this is why we all need to cooperate.

My colleague from the United States mentioned processes underway at the United Nations, and we're taking a very active part in these U.N.-led efforts.  We think this process needs to become even more inclusive, bring even more countries into the fold.

So as to be able to ensure fair and sustainable development in governance.

>> DAVID MARTINON: Thank you.  I just wanted to add to what Seth and Long Zhou said.  Seth referred to the work being done by the group of government experts under the auspices of the U.N.  Three of us were members of that committee last year.  Zhou as well.  We have made tremendous progress in that body.  We worked very hard on some of the conditions which seth mentioned.  This is an expert group with a very clear timetable.  Just a few people putting their heads together and negotiating.

And the outcomes we achieved were important and in fact very interesting.  This is something Zhou said.  It is widely accepted that international law and that the United Nations Charter do apply in cyberspace.  So in contrast to what was said a little earlier, we didn't come up with new rules and new norms, however, what we did work on successfully in fact, was the setting of certain voluntary behavioral standards for states.

And the English in the document states should or states should not.  That's how we worded it.  And this is this new cyberspace-driven grammar which we tried to craft.  I must say, we were quite successful.

Today, the state of play is such that during the last round of negotiations in 2017, we didn't manage to craft a consensus.  We spent about four weeks working very closely all together, but at the end of the day, we didn't manage to garner an agreement on all of the points we debated.

Therefore, we're going to continue working hand in hand, and Seth told us about the current United Nations context.  Two passed.  First by the Russian federation and the second by the United States of America.

Of course, it would be better to have one consensus-based texts.  We currently have two texts on our hands, and we have to live with that.  We want our efforts to be as productive as possible.  So we have once again, a group of governmental experts, which is going to work.  It's a small committee bringing together experts who are going to try to shed light on international public law and new behavioral standards, which we're trying to set.  We'll also have an open ended group.  That means that any U.N. member state which wishes to do so can take part in.  And this open-ended working group will not be time bound.  There's no deadline for them submitting some kind of solution.

Perhaps it's not the best idea not to set a deadline, but we are going to be part of that process.  The French Government is going to take an active part in that process.  During the last round of negotiations, what we noticed, I'm referring to the 2017 round, is that there are a number of new issues cropping up.  Which we've pinpointed.  When it comes to these new issues, interstate cooperation is by all means necessary, but we need to also go above and beyond.  When we do this work, this standard-setting work, we also need to include other stakeholders.  Specifically the private sector.  Especially software companies.  The software producers.

What are these new issues we have seen cropping up in cyberspace?  First of all, hackbacks.  That's reverse hacking.  Private counterattacks.  I mentioned this already, but I just wanted to underscore that.  We, the French Government, do not want the priveatization of law and order.  We want the states to retain the monopoly on maintaining public order in cyberspace.  That's the first thing.

Second, another issue, which we already set a standard at the interstate level, but we think we need to go one step further.  In fact, much further.

And here I'm referring to control of malevolent tools being deployed in cyberspace.  This is a very complex, very thorny issue.  And it calls in question whether these practice of these tools are tangsable, how tangible they are, but in fact this opens the door for companies in the world to destabilize the delicate balance that's being struck.

Interstate cooperation on this topic would of course, be beneficial and is beneficial, but we also need to work with industry, with the private sector so as to pinpoint which systemic players are responsible.

By systemic players, I mean all industries in which market share, including across different markets, especially the software development market, is distributed in such a fashion that certain players can affect the entire cyberspace.  Wanna cry is one example.  There are others.  In other words, we've seen malevolent, unscrupulous actors, public and private actors.  Sometimes private actors acting on behalf of public actors.  Using devices, using software and exploiting their weaknesses.  We believe that if we can bring cyberspace instability to a minimum, if that's what we want to do, we have to ensure the products being offered on the global market.  These products need to be secure so as to reduce vulnerability.  Unless we manage to make that effort.  Unless companies agree to shoulder their part of their responsibility burden, we won't be able to confront that challenge.  This is why we kickstarted this conversation with a number of companies.  Microsoft is aware, so is Zeimens.  They kickstarted the tether cord together with Microsoft.  We talked to other companies too.  They have a certain responsibility in the sphere and they're ready to take action.  So we've been working with our partners, because time is of the essence.

>> CHAIR: There were several things within the interventions by the three different government representatives from France, China and the U.S.  One of which we would like to pick up on is a comment earlier by Christoph when he said 80% of the global infrastructure is owned by private sector.  One of the things that ambassador Martinon raised is increasing accountability amongst corporations.  One of the things he raised, which I would like to put to the panel.  One of the things he sort of raised is whilst government and through the government experts that have been negotiating the text, consensus text, am I right?  You said two consensus texts?  Whilst the delicate balance -- two texts, but no consensus, all right.

Two votes.  But no consensus.  I hope that's been transcribed.  Yes.

So while that's happening once the delicate balance can be struck.  Because governments don't necessarily control the infrastructure.  Not control, but don't necessarily own.  80% of the infrastructure, they feel there's a need to insert some level of accountability mechanisms.  Earlier, we heard from Ms. Mallory from ARTICLE 19, as she was talking about them engaging in standards and throughout the week, we have heard of different workshops and different sessions talking about transparency, particularly in this particular area.  So with that, I'd like to ask Christoph to please weigh in.

>> CHRISTOPH STECK: Yes, thanks.  I think I would like to follow on where ambassador Martinon stopped.

Self-regulation is one of the key approaches you also have to take.  Due to the fact that business is so relevant in cybersecurity.  My company, we try to work together.  There are more than 60 companies already and a growing number of leading tech companies in the world who basically agreed to work together to make cyberspace safer.  I think that's a good example of a self-regulation, of an initiative, rather, to work on these issues.

There are many also.  I should say that very openly, countries from the United States and Europe.  We haven't seen that as a global initiative yet.  And the question would be why not?  Why can that not be expended.  Because as I said before, there's a common interest of making cyberspace safe.  That's one approach.  There other approach.  Just to mention the global network initiative, GNI, is working on privacy and Freedom of Expression.  We also are a member of that initiative.  That's actually a good initiative as well, because we are working also between companies to share experiences and to see what best practices are.

There are very thorny issues about access to data by governments, for example.  Where of course, Human Rights need to prevail, but we all know that this is always a difficult question.  Security and privacy and which right prevades in a certain circumstance.  We share experience and try to work together and try to work with governments to make them also aware of the work we do.  And I believe that as a collective, we can achieve much more in having a virtual dialogue there.  So I think these are issues.  I also have to say that apart from being prepared and aware of Human Rights aspects also in cybersecurity, you also have to think about what do we do when things go wrong.  At a certain point in time, things go wrong.  Wanna cry was mentioned and a good example.  Suddenly things went wrong.  I can share with you that I think my company, telefonica was the first to report that incident and was transparent about there was something that was going on that was unusual.  We did that through a system that the European Union established, which is national reaction centers.  Every country in Europe, by common policy in Europe is obliged to have a national cybersecurity reaction center.  And basically we, as companies, are obliged and have committed to inform these centers when something goes on.  In the measure of transparency.  And they communicate that immediately to the others.  So there's a kind of process of incidents, which then have to react fast.  We use that process when we were hit by wanna cry as well.  It was fruitful, because you could immediately connect to a lot of people working against this kind of attack.  My company, for example, published later on, to smaller companies how they can work regarding wanna cry and what they can do when they have been affected.  And we opened that to everyone and it was used by many companies.  Starting from the point of common objective of we would like to make things safe.  I think we can find a lot of ways to work together between governments and Civil Society and companies as well to get there.  I think we have a lot of common interests in making that happen.

I think we can find a lot of ways to do that.  We are just experimenting with these different instruments, which are not necessarily only policy-making.  They can be standards as we said before, and other needs.  But I think it's important to have this common idea of we are here to do that together.

>> SALANIETA TAMANIKAIWAIMARO: Thank you, Christoph.  Before we pose the next question to the Civil Society speakers who are currently on the panel.  To Ms. Ashnah and to Ms. Anahiby and Ms. Mallory.  We would like to open the floor and ask questions.  If there is anyone who would like to make an intervention.  Please keep it to a maximum of a minute.  Would you just like to stand so we can see?  Yes, Adam, please go ahead.  Is that Adam?  Sorry.  My apologies.  Please go ahead.

>> I'm from Georgia Tech and Princeton university.  I have a question from Ms. Mallory.  In this whole big discussion we're having here at IGF with the president of France giving the speech and all.  We're hearing a lot about Internet security and the need for government regulations and the dangers that are out there.  The word danger, danger, danger seems to be Omni present and I'm concerned this isn't in fact an approach that leads to greater state intervention and control over the Internet and a decline in Internet freedom.

So I'm concerned that constantly hearing that the Internet is dangerous, we need the government to save us, is in fact a way of perhaps scaring us into the arms of the government, if you will.

So my question to the panel, but perhaps to Ms. Mallory, because I regard her as the most independent person here, what do you think of this?  Are we being corralled into the arms of the government or not?

>> CHAIR: One minute please.  You're past.  Thank you.  Could the rest of those that put their hands up, could you please raise your hand up so we can see.  Can I take you?  Thank you.

>> My question go to the U.S. and Chinese government officials.  We heard a recent news report on the hacks of the infrastructure, which is -- this is kind of infrastructure program.  So my question is how can we build up the trust if one country accuse another country for conspire or security is attacked at the infrastructure level.  Thank you.

>> SALANIETA TAMANIKAIWAIMARO: Thank you.  Yes, can I take the middle speaker before I take the one on my extreme left?  Thank you.  Please introduce yourself.  State your name and then your question and keep it under a minute.  Or your intervention.  Thank you.

>> Thank you.  I'm Ethan sweet, IGF Internet fellow.  My question is mainly about what David said about the role of private companies in Internet security.  Obviously, 80% of global infrastructure is owned by private companies.  A lot seem to shake their responsibility until something terrible happens.  For example, in the Internet of things space now it appears security is quite an -- how do we go about encouraging companies to bake security as a default into their systems?  Thank you.

>> SALANIETA TAMANIKAIWAIMARO: Thank you.  We'll take three more questions.  Could you just stand up so we can see you?  The lighting is not too good.  Right at the back before the lady in front.

>> Hello.  I work at the organized crime and corruption reporting project and I'm responsible for security of a lot of journalists.  So I have a question.  I'm happy that the phrase wanna cry showed up.  I noticed that NSA has a budget two orders of magnitude higher than U.S. CERT, which is an interesting statistic.  Wanna cry used the blue exploit that was developed by NSA and then leaked.  My question to the honorable representative of the United States, are you inclined already to take responsibility for the wanna cry attack, which was using an exploit developed by the NSA?  Thank you very much.

>> SALANIETA TAMANIKAIWAIMARO: Could you please stand up?  Right.

>> I'm going to speak Spanish.  Ms. Maria from Venezuela, from NGO to defend journalists.  I have a question, Mr. Steck.  You spoke about resolving conflicts between state and non-state stakeholders.  Venezuela is in 19th place.  The freedom house rating of the countries that have most restrictions on the network.  Along with Uni, and Internet, open observatory on Internet interventions.  We see serious violations.

I'd like to ask how Telefonica solves these problems of conflict between state and non-state stakeholder.

>> SALANIETA TAMANIKAIWAIMARO: I'd like to ask the panelists to feel free to merge their responses.

>> Hi, I'm Muriel and work for communications and systems in cybersecurity.  We have in France, a lot of cybersecurity associations.  And my question is to Mr. Martinon.  I believe this is a major stakeholder, this community of association that have their sights on the cybersecurity subject.  I would like to know if it's possible.  We kind of know our counterparts within Europe.  So other cybersecurity associations within Europe.  And also abroad.  Thank you.

>> SALANIETA TAMANIKAIWAIMARO: One last intervention before we bring it back to the panelists.  Yes, please.  Introduce yourself.

>> Thank you.  I'm from Paraguay.  Just briefly for Mr. Martinon.  I heard his opening remarks and my question is are we not going from criticism of hate speech to criticism of fake news to fear of the Internet, of insecurity in cyberspace?

>> SALANIETA TAMANIKAIWAIMARO: Just before we bring it back to the panelists, if I could just ask Michael Ilishebo, the remote participants interventions.

>> MICHAEL ILISHEBO: There's one question.  Democratic and transparent law-based system in Internet governance.  In reality, we have only one school of Internet governance.  Does America face school of Internet governance allows Internet of trust and lose base system formed.  What is the meaning of when there's not Democratic and transparent of Internet governance model in (?) and U.S. jurisdiction.  The good test enemy of digital corporation and Internet of trust in brackets is digital unity.  And digital protectionism.  With this approach, that is clearly reflected in us, national cybersecurity, 2018.  How other countries can trust us.  Own and control Internet.

Nationalistic policy will soon lead to Internet fragmentation.  What must be done?

>> SALANIETA TAMANIKAIWAIMARO: Is that the only intervention?

>> MICHAEL ILISHEBO: Yes, that's the only one so far.

>> SALANIETA TAMANIKAIWAIMARO: With that, I would like to invite Christoph Steck to respond.

>> CHRISTOPH STECK: I will respond to all of them, but to me and the private sector.  There was one question about how we can encourage responsibility of the private sector and how can we make that happen.  First of all, I think a lot of companies are aware and doing something.  I gave some examples.  That's of course, not maybe -- I mean there are different intensities of responsibilities of companies who take it more serious than others.  Maybe who don't see it so much.

So, my little bit cynical answer to that would be, everyone gets responsible when you get hit by a cyber attack.  The moment you have experienced as a business, if you're big or small, an incident, you will be very much aware that there is a huge risk.

I have just read a report saying that the risk of cybersecurity incidents over the next four years will go up to something like $7 trillion or $8 trillion.  That makes it's the biggest risk for business in the world.  There's no bigger risk.  Even bigger than drug dealing and so on.  It is an amazing economic risk and also for companies.  I believe the pure fact of these risks will move companies to do something.  Of course governments can have of course, Civil Society can have also, too, and I think there are good initiatives around to also have this dialogue to make people aware.  As I said a lot of people, a lot of companies are already moving.

There was a question about Telefonica and Human Rights.  As I said, we are part of GNI.  GNI are companies who agree to defend Human Rights where they operate.  We operate in more than 20 countries in the world.  And we have global standards and global politics inside Telefonica.  We defend Human Rights.  And we have these dialogues with Civil Society on the ground and with governments.  Having said that, of course, it's a long-term process.  We cannot change political systems.  And we can also not do wonders in short term.  But I can tell you that there's a clear commitment from Telefonica and many other international companies to uphold Human Rights.

>> SALANIETA TAMANIKAIWAIMARO: Thank you.  If I could ask Seth to respond to the questions directed to him.

>> SETH: Sure.  I had a few I wanted to respond to.  The first in terms of infrastructure of vulnerabilities and compromises.  I think that's a topic that's of great concern for everyone in this room.

Governments included.  I would say this is an area of interest and priority for the U.S. Government.  The additional complication is that there are sometimes reports in the media which may or may not be accurate.  And I would suggest if people are interested, they listen to what the U.S. Government says about attribution for things or what we say about what we believe is happening.  I guess I'll just use that as an opportunity to segue to the wanna cry.  I think we've been very clear about who's behind that and who was responsible for that.  I don't think there's really any disagreement about that.

But I would use this as an opportunity to come back to what Christoph was talking about.  The certs around the world and the criticality of this particular function.  The U.S. has put a lot of time and resources into developing certs around the world so that we can better cooperate around incidents and vulnerabilities.  And another piece of this just to highlight is that we have begun using in the last couple years, using our diplomatic tools to augment the cert channel in using diplomats to approach foreign governments to give a little bit more context or a little bit, prioritize certain cert to cert communications for truly critical incidents, we can have a sort of quicker, better response.

I believe I had one more.  There was some reference to America first Internet governance.  I'm not sure exactly what that means.  But I would just point whoever asked that question to the national cyber strategy that was released by the White House last month.  I think if you look at it, you'll see that there's a pretty clear acknowledgment that the threats to the cyberspace are international.  Come in different forms.  And we have to coordinate and collaborate across governments, across sectors, across stakeholders to disrupt them.

There's the commitment to the multi-stakeholder model, it's as strong as ever.  And international collaboration is kind of the bedrock of how we have to confront these global challenges.  So I wouldn't call into question those principles.  Thank you.

>> SALANIETA TAMANIKAIWAIMARO: Thank you.  There are some questions directed at Civil Society.  Particularly to ARTICLE 19, Ms. Mallory.  Before that, I thought it would be a prudent time to pose one of the public policy questions related to that.  So that you can also just merge your interventions.

The question is how should policymaking approach accommodate the relationship between cybersecurity and privacy.  Are the two mutually exclusive.  Are there tensions between these concepts and are they mutually reinforcing.  Are there trade-offs that need to be made between the different elements to help engender trust.

>> MALLORY KNODEL: Thank you for your question.  I like the theme of the IGF is about trust and trust is in this panel, but we haven't talked about it much.  Hans pointed out a really good tension.  Back to what I said about securitization, if there is all this sort of fear, uncertainty and doubt that forces all these conversations into one about cybersecurity, then it is really counter to the idea that we have to build trust.  I don't know that they actually work together very well, but I like the attempt at framing this as an issue of trust.

And that is sort of what I prepared to talk about mostly today.  So I can just give you the very short version of what I was going to say.

Which is that I think that governments and private sector probably have trust between them.  They work a lot more closely on these issues.  That leads to some at times, unfortunate outcomes for people.  I'm going back to we need to have people at the center, so when governments and private sector work together closely, they mostly focus on things like intellectual property and preserving economic stability.  Things like law enforcement agency, access and things like that.  And lot of the concerns that people have and Human Rights are often not a priority and sort of those two stakeholders working together.  Relationship.  Another thing that can sometimes happen is that people are seen as the threats.

So in most cybercrime legislation I've read, a lot of cybersecurity strategies, if people are mentioned at all, they're often mentioned as the problem.  So either through malice.  Hackers are a problem.  Or through incompetence.  People don't know how to use their Internet of things, it's a huge problem.  But the people are the risk.  Instead of flipping that around, talking about that people are the people we need to protect.  The general population is seen as the unknown and the threat.  Technical expertise can sometimes see be seen as suspect.  There's an increase in criminalization of technical expertise.  Who are the ones who place trust in these institutions?  It is people.

And the institutions are the ones who must be trusted.

>> SALANIETA TAMANIKAIWAIMARO: Thank you.  We just need to rope it back in, because we're running short of time.

>> MALLORY KNODEL: I would just like to support what Seth said about multi-stakeholder models and multiple competencies of embeddedness.  There are two models for trust.

>> SALANIETA TAMANIKAIWAIMARO: Thank you.  If I could ask Ms. Anahiby to weigh in on the current discussions.

>> ANAHIBY BECERRIL: When it comes to the question of how to (?) through legislations.  For example, to require companies to report on data breaches.  But there are other legislations that don't provide for any such thing.  So there's no perfect formula.  There's many disparities between countries.

For example, in the United Nations framing, they're the guiding principles.  Companies in Human Rights.  Where it is said that multinational companies must refer to that framework for respect for Human Rights.

Another way that companies may participate is sharing information when an incident occurs.  Many companies don't share such information, because that could have an impact on their reputation.  I think that it's important to see all the different stakeholders have different but complementary responsibilities.  What we're after, common objectives.  Both the government and private sectors and final users need information from cyberspace.  Governments also suffer attacks.  So we have to work on this all together.  Thank you.

>> SALANIETA TAMANIKAIWAIMARO: Would like to ask Ms. Ashnah before we go to the government representatives.

>> ASHNAH KALEMERA: Obviously from Civil Society and southern African perspective.  The threats are real and they undermine privacy and trust and security and the use of the Internet.  The challenge is the use of cybercrime legislation to then curtail Freedom of Expression and privacy amongst other rights.  It's great to hear from the government representatives that there are a lot of efforts underway to ensure more efforts and commitments from states to up hold Human Rights while enforcing the law online.

In terms of the policy and balance that you mentioned, I think the challenge for African states is that there's little consultation of participatory policy development.  We've seen that in the case for Tanzania.  The key instruments used to undermine Human Rights was passed literally overnight with little consultation or stakeholder participation in its development.  It will be great if states and regional and global bodies holding some of these states to account in terms of their commitments to international standards.  For the private sector, Civil Society and other actors.  Again, it has been mentioned earlier on, digital security practices are not that great on the continent.  And there's need to adhere more on those.

And something that the representative from the private sector mentioned is hat the challenge for most of the actors on the continent is balancing Human Rights and other interests.  But ultimately, yes, the threats are important.  But policy development and holding states to account to international commitments, but also ensuring that any policy and legislations that passed are participatory and consulitative.

>> SALANIETA TAMANIKAIWAIMARO: I believe you have comments to make?

>> PANELIST: There have been a lot of discussions in this forum on regulation by governments, by authorities.  I would like to speak about the way we do things in China.

(Mr. Long Zhou speaking)

I said that China had found its own path.  Thanks to the efforts made by all the Chinese stakeholders regarding Internet governance.  In China, we say that only the wearer of the shoe knows that the shoe fits him.

If good-night Internet governance is well -- whether or not Internet governance is adopted.  We have seen a rapid development of the Internet in China.  Lot of innovations have occurred.  All of which have been to the benefit of economic and social development.  The Chinese people took great advantage of that.

During that process, the direction provided by government has been important.  But the efforts of the private sector and Civil Society, the participation of the population are just as important.  The government can't control everything nor does it want to.

The reform in China has entered a new era.  Everyone is innovating, everyone wants to be an entrepreneur.  To transform our productive capacity.  Companies played a major role in Internet governance such as the giants such as Ali Baba or other Internet giants, cosigned an initiative in the technological community, takes an ever greater role in Internet governance in China.  They organized lots of workshops to contribute to Internet governance.  Our exploration is continuing, and so is cooperation.

>> Thank you, we have no more time.

>> SALANIETA TAMANIKAIWAIMARO: Remarks before I make the last closing statement.

>> DAVID MARTINON: Thank you.  I didn't think that we would wrap up so soon, because I had lots of questions I would have liked to have answered.  Let me deliver some general conclusions.  For the first time I attended IGF five years ago.  And five years later, we're hosting the IGF in Paris.

I continue to see the same incredible distrust by Civil Society with respect to the state on any subject.  Five years ago, we were discussing cybersecurity, where today, it's on everyone's lips.  So what do I hear?  I hear -- with all due respect, reflections on cybersecurity, the people are not at the heart of our reflections.  Well, if not, then who is?

When we think about cybersecurity, it's to prevent people from having their life savings stolen online or their data stolen online.  When I hear my colleague from Georgia Tech say that cybersecurity risks might push us in the arms of the state.  Well, yes.  In my country, when it comes to peace and words, the state that decides.

We are in a situation where instability in cyberspace has not yet produced civilian or military victims.  No one has died from a cyber war, yet.  But with wanna cry, how many hospitals were put out of order for many hours?  There were no victims, at least not officially.  But when it main electricity suppliers in the Ukraine can't function for several days running, in the midst of the Ukrainian winter, well, maybe there hasn't been a death, but there will be deaths in the future due to cyber war.

And when that day comes, I can say that in France, the French citizens, the voters, will not turn to (?) and ask them to shed their responsibility.  Because they were hacked.  The French will turn to the government, and they will ask us what happened.  They will hold us to account.

So I would like to ask you, and I'm going to be leaving my job in two days.  You won't hear from my anywhere in the IGF.  I will be leaving the digital scene.

But I would like each of you to make an effort to overcome this absolute distrust.  I'm speaking on behalf of the French Government.  We've been a state on the rule of law for more than two centuries.  Laws on cybersecurity are subject to Democratic oversight.  It's not a question of our dominating anything.  We want to safeguard the common wheel.

Yesterday the president launched an appeal for cybersecurity amongst the stakeholders.  So let's build some trust.  Otherwise we won't get anywhere.

(Applause)

>> SALANIETA TAMANIKAIWAIMARO: Ladies and gentlemen, we started off with exploring building trust in the context of cybersecurity.  Particularly, exploring the dichotomies and the pull and push and the tension between privacy and cybersecurity.  And I have the pleasure of announcing that the best practice forum on cybersecurity representative of the BBF is here.  For cybersecurity.  Wind -- Marcus, could you please just give a one-minute plug-in of your draft report that's currently available online?

>> MARTIN:  Yes.  We have our best practice forum session tomorrow morning.  And I don't have the exact time and room on my hand.  I think it's 10-something.  The draft report is up, and this session will essentially look at the input we received and conclude then, the report.  Which will go forward to the community as a result of this year's best practice forum.

So I hope that many of you who are interested in this issue will join us tomorrow morning for the best practice forum.  Thank you.

>> SALANIETA TAMANIKAIWAIMARO: Thank you, Marcus.  The draft report is particularly interesting, because it explores the notion that privacy and cybersecurity are not mutually exclusive.  So with that, please join me in giving the distinguished panelists and experts a big round of applause.

(Applause)

>> SALANIETA TAMANIKAIWAIMARO: Thank you also to the remote moderator, Michael Ilishebo.  To the remote participants streaming in from all across the world.  The NRIs that participated into inputting into the public policy issues and the global community that contributed to the public policy issues discussed today.  With that, thank you very much for coming to our session, and that concludes this main session on cybersecurity.  If I could ask the panelists to go up to the front where we'll take a group picture.  And we're done.  Thank you.

>> And thank you to Sala, our marvelous moderator.