FINISHED - 2014 09 03 - WS43: Multi-Stakeholder Approaches to Cybersecurity Awareness - Room 9

FINISHED COPY

 

NINTH ANNUAL MEETING OF THE

INTERNET GOVERNANCE FORUM 2014

ISTANBUL, TURKEY

"CONNECTING CONTINENTS FOR ENHANCED

MULTI‑STAKEHOLDER INTERNET GOVERNANCE"

 

03 SEPTEMBER 2014

9:30

WS 43

 

POST SNOWDEN MULTISTAKEHOLDER CULTURES OF CYBERSECURITY

 

 

***

This is the output of the real-time captioning taken during the IGF 2014 Istanbul, Turkey, meetings.  Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record. 

***

 

>> MICHAEL KAISER:  We are just going to give it a minute or two because we hear people are filtering down from upstairs.

Good morning, thank you for arriving.  I know it's hard on a second day for people to get here bright and early at 9:00, but I appreciate you all coming.  I think we have a really interesting programme this morning, and let me start by introducing myself, I'm your faithful moderator.  My goal is not only to facilitate the presentations and commentary from folks around the table, but also to engage all of you in this discussion this morning.  It's important for us to hear ideas from around the world.  We do have to provide a report on this session.  And so ideas for how we can make things better is something we would really like to report on, so I'm hoping that you all at some point can engage in this conversation.

The structure of this morning because we have a couple of presentations and then we have a couple of commentary from people around the world about some of the things they are doing in terms of multi‑stakeholder collaboration around cybersecurity awareness and then we will open it for discussion.  I am Michael Kaiser.  I am the executive Director of the National Cybersecurity Alliance in the United States.  We are an NGO, we are a public‑private partnership, we are funded by Government, specifically the Department of Homeland Security as well as our corporate partners from all around the Internet, financial services, Internet service providers, banks, payment systems, to do education and awareness in cybersecurity.  We have been around since 2001 and I'm not going to go into a lot of these tracks, I think Jacqueline will talk about them. 

We created programs like National Cybersecurity Month in October.  We are implementing Data Privacy Day from the EU and the United States.  We have created a campaign which we will talk about which we think is global, and we also work on issues like educating boards and CEOs about their role in cybersecurity so we really work with everyone and we try to bring this to scale.  We think that's the most important element is how we get everybody involved and use the resources and leverage everybody we can in the space.  I will turn it over to Daria Catalui.  I will let her have the first presentation.  So take it away.

>> DARIA CATALUI:  Good morning, everybody.  I am Daria Catalui.  I am dealing with eEducation.  European Network Information Security Agency.  It has headquarters in Crete and an office in Athens, I am part of the office in Athens.  Basically our boss is Neelie Kroes that you all heard in the Opening Session yesterday and we are basically working for the European member countries.  I have some slides to present, but I would like just to talk more. 

You will see some basic graphs that we use in our work, and the talk will supplement those images.  So first of all, I would like to say a few words about the ENISA.  You see on your power point on the second slide that we are publishing recommendations in an area of CERTs, privacy, resilience, Cloud.  These are only some of the topics that we deal with.  Policy implementation.  We are part of the policy with recommendations.  The recommendation is doing the policy work and we are recommending, and hands on training basically for the CERT teams in Europe, and the cyber Europe, the cyber exercises.

I'm sure most of you heard about it.  Here in front of you, you see a map that we are currently, it's not published so this is a launching event in the public.  You are the first community that sees it.  It's a Wiki work that it will be permanently updated with a few of the very important dates of awareness globally celebrated.  You can see there cybersecurity month for October, which is celebrated in the U.S. for the first time.  Afterward, Europeans took on that best practice and we also implemented since 2012.  We see also the Safer Internet Day.  Probably you also saw that the safer Internet theme has a booth on the first level and you can visit them to take material and talk with them. 

Safer Internet Day is celebrated every year.  There is also World Backup Day, Get Online Week, Girls in ICT Day, which is also very important because it's an ITU awareness day celebrated globally.  Copyright Day, Password Day, and we also have a European celebrated worldwide, the Digital Agenda Day, which will be this September on the 29th.

So you are also invited to be there.  But my work relates to the cybersecurity month.  Related to this draft I just want to say we want to get the draft updated so if you have any other action data that is celebrated globally, please talk to me and we can make a new version of the graph.  I will not get to this policy because it is just a policy, the cybersecurity strategy for the European Union which was published February 2013, and basically says that ENISA is involving the awareness and education of European user related to cybersecurity issues and in front of you on the screen in front of your eyes, you can see now some words about the cybersecurity month.

Basically it's an annual campaign that targets education for European users and we try to get all of the Member States on board.  What I'm talking now, it's about an effort of more than 286 Member States because we also have U partners in this campaign too.  It's a very large effort of sustaining the education in cybersecurity.  ENISA's role in cybersecurity month is to brokerage.  We are the ones that support with all of the materials and the website and the coordination of the partners, but the plain action and the grassroots are dealt by the partners.

Last year we had more than 60 private and public organisations involved.  This year we hope we will have more or at least we will stay with a good number of partners.  Next I would like to show you in a slide, I will not go through all of the milestones, but I just want to, for you to visualize that cybersecurity month is an annual campaign.  So we start in January with the work and we finish in December.  Even though the work you can ‑‑ most of the people see in October because October is the time when everybody hears about cybersecurity month in media or for the organisations with grassroots actions, we as a team or the team of cybersecurity month work from January to December.  So they are very ‑‑ a lot of intermediary steps.  There is preparation on the step.  There is a coordination on the space.  In the coordination space, I also proudly say that we have a very good coordination with the U.S. part.  So thank you for that.

We at European level we have a coordinators' course.  Imagine calls online, calls with 28 Member States.  We had four of them for this year.  And I would also like to say a few words about the coordination model that we use.  Since EU we like to have all Member States involved on an equal footing, we use a model centred on the commission in the middle since we are the ones who coordinate the whole campaign and we try to involve the national liaison of ENISA which is a network that we work with.  Networks of multipliers.  We also try to involve them.  Here, I would like to emphasize on the fact that networks of multipliers are one of the main partners in cybersecurity at the European level.

We use network of multipliers like Europe Direct, maybe most of you are aware of them, networks of multipliers like associations platforms of universities, platforms from capitals.  We use CERTs also because some of them they also have the educational portfolio for their teams and we also use and have a good communication for the presentation of the commission in each capital and member state.

They are crucial for the deployment of the cybersecurity month at European level, and that's why the networks of multipliers are one of our main partners.  As a matter of fact, we also, we as ENISA, we will offer them for their support and their work, a training day by our CERT team, part of our collaboration.  The next main actors are the public actors, like authorities, ministries.  Personally I work very well with ministries of education and CERT teams since they are the ones that implement and deploy cybersecurity actions in Member States.  And those with private actors like companies that are interested in training their users and participate in the overall education of digital users.

Mainly I will go again here on the main time line just saying that for the October month, we plan the key event on the 1st of October in Brussels.  Those that would like to be present can write to us to get an invitation.  It's based on invitation.  And each of the week of October, we will have a new report published, new activities, and also a lot of interactions with the U.S. and globally.  So thank you for that too.

I will finish with the Twitter account which we use a lot, and we also created quite a big community on Twitter.  We use these hashtags, cybersecurity month, October, and you can also visit the website that we have updated with all of the information from Member States.  Thank you.  And I am waiting for questions at the end.

>> MICHAEL KAISER:  Thank you, Daria Catalui.  That's great.  I love your network of multipliers.  I usually call them partners, but that's a much better phrase.  Let me say I have worked with Jacqueline a long time.  She is the chief online safety officer at Microsoft which is an awesome title that somebody actually has that title, I think it's great, but more importantly she is long‑time partner but also Chair of the board of the National Security Alliance.  So thank you, Jacqueline.

>> JACQUELINE BEAUCHERE:  Thank you, Michael.  Thank you for inviting me to participate in this panel and thank you to the IGF for bringing this important discussion to life.  I want to speak about a particular experience with regard to cybersecurity awareness raising and the multi‑stakeholder approach, specifically in the form of a public‑private partnership.  But I would first like to briefly explain why in my view I think it's important that we have such collaborative efforts in place.

At the end of the day when we talk about public awareness raising in cybersecurity and educating individuals and families about staying safer online, it's all for a specific purpose.  And that purpose is that we are trying to effect behavioral change.  We want individuals to be better digital citizens, to exercise safer online habits and practices and we want them to be protected because we want them to do their part to protect the overall ecosystem.  We want them to influence and encourage others to behave appropriately and responsibly online as well, but as we know, behavioral change is difficult, it takes time and it doesn't happen at Internet speed.

I view this progression as sort of moving people along a behavioral change continuum.  It starts with awareness raising and we need to raise people's awareness, make them aware of what is happening and what could potentially happen with certain risks online.  Then we need to do what we can to change attitudes, then change beliefs and ultimately change behavior hopefully for the better.  So along the continuum, the first step is awareness raising.  Back in 2009, the U.S. National Cybersecurity Alliance teamed with APWG.  Organisation known as the AntiPhishing Working Group.

And the very purpose of their effort of teaming together was to raise awareness about online safety and security.  They set out to agree a single actionable unifying message that many groups across the United States could use with consumers.  And certainly in the United States and now globally, there is no shortage of consumer education and awareness raising efforts and messages.  For that very reason, the two organisations got together and they thought it would be so much more impactful if there was a singular actionable message that could be repeated by numerous players in the ecosystem about online safety and security, all that were in the consumer's gambit of online safety and security as opposed to these less powerful potentially diluted messages having to break through concerns in a consumer's everyday life. 

So the NCSA brought together 25 companies from the United States, from the private sector and various U.S. Government agencies and departments.  And they wanted to see if they could really come up with this kind of a singular actionable message that would first of all resonate with consumers and second of all drive them to action.

And that brings me one of my first key learnings in this process.  When we are pursuing this kind of behavioral change along this continuum, it's important to know what drives consumers to action.  And I think we all know that unfortunately it's typically something bad happening to them.  They are not necessarily very engaged proactively, see what they could do to better their situation or to improve themselves.  Instead they wait for something bad to happen to them and then they try to take action.  So we wanted to make sure that the message was simple, that it was easily understood, and that it was not going to tax or deter people in any way.  So NCSA and APWG brought this group together on several occasions.  They set out a road map for achieving this goal, and one step in that process was to ground the effort in research.

And indeed, all of our efforts, we really need to insure that raising awareness about real risks and genuine potential harm.  So that brings us to key learning number two, which is to make sure that the efforts are data driven, to respond to a true need as opposed to a perceived one, and then to recognize and distinguish between risk and harm, and possibility and probability.

Next key learning, to really cast a wide net, to be inclusive, to invite stakeholders big and small to take part in the dialogue.  Members of this group included not only the National Cybersecurity Alliance and APWG and Microsoft but Facebook, Google, AT&T, Verizon, Symantec, McAfee, Intel, Cisco, smaller U.S. companies and technology providers as well, and there is a long list of U.S. Government agencies and departments.

So I will share just a few of the high level research findings that helped to frame this group's work.  Americans were asked to gauge their level of being informed and being interested in online safety and security.  90% of them said that they were interested, 84% said they were informed.  This is dating back again to 2009.  38% said they were very interested and only 18% said they were very informed.

Of the 90% who said that they were interested, 99% said that they feel vulnerable online.  96% said that online threats were a top concern, and finally, 95% said that they don't take enough action when it comes to being proactive about these issues because they need more information and guidance.  So all of these data points and many others that came out of the NCSA research confirmed the need for cybersecurity awareness campaign in the U.S.

The next step in the process was message testing.  So if the research indicated a need for the campaign, the group sort of had ideas as to what that potential message might look like and what that campaign might look like so it took the opportunity to test some of those messages.

Another key learning was that certain types of messages or their tone and tenor, I think we have to realize, they just don't work.  So these are very adverse issues we are talking so humor is probably not the way to go and too fear‑based messaging or fear mongering in that approach is also ineffective.  What we found at Microsoft and through this effort is to play it straight is probably the best approach, and thus "Stop, Think, Connect", was more.  "Stop, Think, Connect" is that simple actionable message that's used by all of these organisations that I mentioned, and various entities as they work to keep consumers safer online.

Of the 30 or so founding members of the organisation, of "Stop, Think, Connect" and it's now a messaging Convention.  That's how it's become known.  Different members have embraced "Stop, Think, Connect" in different ways.  At Microsoft we use the message in all of the educational and public awareness raising collateral that we produce, whether it's a brochure or a video or a fact sheet or a power point presentation or a tip card, "Stop, Think, Connect" is always mentioned. 

At the time, we also made what we like to call a gift to the messaging Convention.  We created a series of videos that could be used by any organisation for various stages of the "Stop, Think, Connect" process, whether they are thinking about online activity on the go or at home or at work.  We created these videos and donated them to the messaging Convention and we donated power presentation templates and Word document templates so we could look uniform and together and speaking as one voice about these issues.  We also highlight "Stop, Think, Connect" at Microsoft in our policy makers A Guide to Online Safety and we regularly participate in stop, think, connect events athe board meetings, Twitter chats, so forth.

Other founding members of the messaging Convention donating collateral and materials as well, and they could be an STC materials can be licensed by anybody who asks.  There has certainly been tremendous growth in the number of users of the "Stop, Think, Connect" message, so in addition to the founding members, there are now adopters in academia, in the retail and transportation and energy sectors, in aerospace, in social media and elsewhere.  And since its 2010 launch, almost four years ago next month, "Stop, Think, Connect" has been recreated or adopted by nearly 150 organisations either for their internal use, typically to educate their employees or to share consumers.

And I like to think like any good idea, "Stop, Think, Connect" has gone global.  International efforts began on a rather ad hoc basis and there was particular interest from some countries or some geographies, but it has since expanded to 13 countries, Chile just signed last week, in fact, and then it rose to a new level of international cooperation in May of this year when NCSA and APWG got together and Microsoft hosted in our Paris offices a meeting of 40 different individuals representing Governments and technology companies and NonGovernmental Organizations, Civil Society, child safety advocates from 13 different geographies.

We assembled for what we believe to be a two‑day working session where we said where can we do even more to participate on a global basis?  How can we galvanize around a particular message whether that be "Stop, Think, Connect" hopefully or something else that we could, again, work through what consumers are hearing and seeing on a regular basis to get them more energized about online safety and security issues.

The group said that we would seek to coordinate around key dates, some of the dates that Daria mentioned in her presentation, cybersecurity month in October and International Safer Internet day in February.  We are also welcoming new members to that group that assembled the first time in Paris and everyone was energized and we hope to meet again within a year or so.  So you all are maybe wondering why Microsoft would take on such an active role in something like "Stop, Think, Connect".

At the end of the day, we are a technology company, and we see that we have a shared responsibility in that notion of helping to protect consumers, educating them about online risks that are out there.  We also believe that together as Government and industry and NGOs and child safety organisations and law enforcement and others, that we can accomplish more in public awareness raising and education than any one of these single entities can do on its own.

And much like the initial NCSA research showed, when one organisation or person is safer and more secure online or all others benefit from that state of being as well, and that was a secondary message that was devised from the NCSA research.  We have our umbrella message which is "Stop, Think, Connect" and gain either further ground moving forward.  If you are more interested in Microsoft's participation in "Stop, Think, Connect" or work in online safety and security generally, our site is Microsoft.com/safety and to find more information about "Stop, Think, Connect" that website is StopThinkConnect.org  so thank you and I look forward to the remainder of the dialogue.

>> MICHAEL KAISER:  We have a few discussants and I want to add one little piece.  It dovetails off the network multiplier that Daria raised which is when we created this, we created this in concert with industry and Government, and the Department of Homeland Security took this campaign and they have their own "Stop, Think, Connect" campaign dovetails with industry's campaign, dovetails with the NGO campaign and it's really important that it gives validity and legitimacy to the message when multiple partners adopt it.  You can't underestimate that. 

It might be different in other places how important that role is that Government plays.  In the United States it may be different, in the United States the Government has a long history of doing education for people about safety, whether it's cybersafety or car seats or seat belts or drunk driving or any number of public health issues, the Government plays a very important role as an educator and they have played an incredibly important role here so it's important to call that out and note that for everyone.  I think that's part of what we are trying to talk here is about the multi‑stakeholder approach. 

Speaking of which, we have a few people in the audience who have specific experiences around the multi‑stakeholder approach in education awareness.  I will go to them and then go to the large audience.  I will start with Subi Chaturvedi on my left.  She has a specific experience from India working education awareness.

>> SUBI CHATURVEDI:  Thank you so much, Michael.  I will take it forward.  Some of the ideas and key thoughts that Jacqueline and Michael have shared with you today.  It has been a story that I'm proud and happy to tell, as someone who worked in India with young members of the Internet Governance community I like to see them in this room today and in other rooms speaking and sharing experiences.  But what we did in India was a key message in three quick, easy steps, how is it that you can maximize the value of this amazing empowering, enabling medium which is the Internet?  So "Stop, Think, Connect" and then what is it that you do then?  How is it you can engage with these key messages and make them your own?

I am particularly delighted to be here because we are discussing multi‑stakeholder perspectives in cybersecurity and very often I have been told that there is no place on the table for people like us in these conversations because Governments know how to protect you.  They know how to keep you safe and they know what's good for you.  So we turned this around and we brought Governments to the table and we said if you are not on the table, you are going to be on the menu.

This is the story that I want to tell today.  So as someone who makes films and shoots photography, we took these wonderful ideas that came to us, and I want to turn the screen around and walk you through some of these images that have been created by 12‑year‑olds, 14‑year‑olds, and their expression of how they would like to see the world responding to some of the key threats and experiences that they have online.  This is from Facebook page of "Stop, Think, Connect".  So in India, Jacqueline mentioned about 25 companies we had Facebook, Microsoft, Google and Kaspersky coming together under the roof umbrella of the data Security Council of India and Change which is a foundation that I represent of collectives, academics and journalists, and very often we forget the media.

The Internet remains one of the largest medias we have today, and in this acronym written world of the Internet Governance space we forget that we have to speak, if you want advocacy, if you want to disseminate these key messages, you have to speak in their language.  They may not come to you, but you have to go to them.  So we took senior Government officials from CERT which is the central emergency response team.  We took Government offices from the department of IT and security, we took global leaders from Microsoft, Google and Kaspersky and we brought them together in large open spaces using radio as a very powerful medium which connects a lot of us.  I remember Internet penetration according to the ITU figures and which is fairly reliable is only 11.4% in a country like India.

We hope that with 840 million mobile phones we have more people who have access to mobile phones than toilets.  A lot of them are going to be coming online through this medium.  So what we wanted to do is create an Internet safety movement, a celebration of the Internet as a platform for good.  So we took them partnering with the leading radio channel and we did street theater performances and competitions across some of the largest universities in four major metros across India.

The Facebook page, the Twitter integration, the mainstream media integration happened to make this an ecosystem that belonged to all of us.  Here there was no podium, there was no talking down to people.  Remember, they're digital natives, they are online, and traditional institutions of socialization have really been turned on their heads.  So they are the ones who are getting their parents online with simple messages like if you don't have it on a T‑shirt, remember, you don't want to have it online because there will be a digital footprint.  If you look left, look right, when you cross the road, remember you will do that when you are online.  When you create a safer community, all of us grow together, all of us use the Internet for better experiences for maximizing value.

So here is what happened and this is a really brief snapshot of what we achieved in India.  So these are just some of the images that I will very quickly walk you through.  And they have all been created by young students who are about 8 years old, 10 years old.  There are cartoons, there are really simple messages that you can take home and make your own.

This is a story that we want to tell because when you have messages which are important and that affect all of us, it is equally important to locate them culturally, to locate them in their own spaces in their own comfort zone and as you very rightly pointed out, make them force multipliers.  I think when we are looking at cybersecurity, let us not look at a one size fits all.  Let us not look at a blanket approach to cybersecurity, so when I teach young girls at a women's college in Delhi University, their mothers come to me and I teach media technology, they are always on Facebook.  What is it they are doing?  We are worried.  You have to tell them it's part of their academic engagement.

A mother is worried about her daughter not getting harassed.  There are stories about 6‑year‑olds who are committing suicide because they are being bullied online.  These are engagements that we will have to make engaging families, engaging stakeholder communities and redefining our ideas of cybersecurity because they mean different things to different people.  I think "Stop, Think, Connect" is one of the most powerful mediums and a fantastic force mobilizer where you could get people to go online and look at Microsoft's resources and tools.  We have to empower people and this is just the last bit about my intervention.      

A professor, someone who writes about Developing Countries and powering the media talks about the capabilities approach.  When we want people to use the Internet as an engine for growth and development, it is important to empower them, build capacity and give them a skill set that will make sure that they are able to use the full potential of this powerful medium.  So I thank everybody who has initiated this movement.  You really mean a lot to a developing country and an emerging economy.  Thank you so much for your time and patience and I will be happy to respond to questions, observations or comments.

>> MICHAEL KAISER:  Thank you for sharing that.  When we learned about it, again, this is that organic approach.  It was so powerful to us as well the way you took this and made it for your community and the way they acted on it and brought it to life.  It's fantastic.  We have a couple of other discussants.  Adli Wahid, do you want to talk about how CERTs are working in your part of the world?

>> ADLI WAHID:  Good morning, everyone.  All right.  So I'm going to be looking at the issue from the perspective of CERTs or Computer Emergency Response Team, CERT or some people call it CCERT.  My name is Adli Wahid, I work for APNIC as a security specialist.  I also am a board member of FIRST, the Forum of Incident Security Response Team, and I was working with the national CERT in Malaysia and had worked with a few regional CERT organisations like APCERT. 

Today I will look at the perspective of when you have cybersecurity and programs, where does the story come from?  Who tells you?  So if you talk about phishing, people in a certain location will wonder whether or not this kind of incident could affect me?  Banks in our region or our country are affected by it or not?  When you hear media hyping about certain incidences about leakages of current provider X or Y, is this happening locally or not? 

The story comes from CERTs and this is so because they look at incidents on a day‑to‑day basis.  It's local incidents, incidents affecting the local constituents.  When you talk about many kinds of CCERTs, I will be focusing a bit more on the national CCERT because they are funded by governments and they have good resources as well as they see a lot of incidents escalating, being escalated to them.

And I would like to highlight that in the past many of the national security response team or CERTs in the region where I work at the Asia‑Pacific has been very critical in providing this input for a lot of the security awareness programs.  So messages on things like phishing or best security practices and how to secure your computer, laptop, how to avoid identity theft and things like that are being provided or being contributed by the CCERT simply because they see this on a day‑to‑day basis.  And the security incident response team are important in two forms.  One, like I said earlier, that they are able to contextualize the information, so, for example, if you are talking about malware incident, maybe they could provide an example of a local malware affecting the public at large.  They are also able to translate awareness into action, so, for example, now that you are infected by this particular malware, where do you get help and where do you get help is an important component because this is where we can teach more and encourage behavioral changes mentioned by Jacqueline earlier.

So you are infected by malware but in the future you should consider doing this, this, that, so on, so forth.  From other perspective, the security information incident response team are able to also collect information on what's happening locally in the constituencies, and get this information and record it and maybe take this to a different level in terms of influencing policies and different sectors in a particular country, or work with other organisations such as the educational sector or law enforcement agencies, in making a more meaningful or impactful message so because we all know sometimes the problem with a lot of the security messaging is that you only promote fear and uncertainty and doubt. 

People are afraid, but you don't really provide technical solutions.  And sometimes the information that you are trying to sell to people who do not reach out to the public at large.  So this is the challenges and CERTs are able to work with a lot of these organisations in a particular country to make it more effective.  In countries like Malaysia or Indonesia, Thailand, Sri Lanka, India, a lot of the CERTs were behind the scenes in building in of the messaging programs and you can see in some places they have icons and they use cartoon characters and they get on TVs and things like that and they are able to provide contextual information, and also the importance of CERT in this respect is being able to keep the information about threats current.

So maybe in the last ten years in a particular country, you know, the more threatening security incident could be phishing or web defacement, but today you have things like cryptolocker and things like that.

So CERTs are able to provide what's current, what is the latest, are we seeing this in our constituency or not, so on, so forth.  And then use that information to be built into cybersecurity awareness programs.

Now, I'm going to talk about one more thing.  Although there are CERTs working at the national level, many organisations also have CERTs, banks, so on, so forth.  And they also have this role of looking at incidents and translating them into lessons learned so that this could be shared with top management in terms of what needs to be done, or how we failed, what happened, you know, or what kind of resources we need to actually make ourselves more secure.  So the CERTs not only have a role at the national level, but also at an enterprise level.  And finally, many of the CERTs actually work together in terms of sharing information.  So this is also a form of awareness creation.  So maybe an incident, maybe there is a very advanced attack in Brazil. 

I haven't seen it yet, but in some Forums, like APCERT or OIC CERT or FIRST, this information could be shared first so the technical community is prepared in case it occurs to them in the future.  So that security awareness, not a typical one you see with phishing and things like that, but what we saw, how it worked, what we are aware of and what things you put in place to make sure when it happens to you it will not have as much impact as it did to us. 

So that sort of information sharing takes place among the CERT community as well.  Just to conclude, I want to highlight my point was to highlight the role of the technical community, the CERT so if they are around in your location, approach them, get stories from them to build a more current or localized information security awareness programs.

Thank you very much.

>> MICHAEL KAISER:  Thank you, Jayantha Fernando.  I don't know where did you end up sitting.  We are going to get a little Government, slightly different perspective on the multi‑stakeholder approach from the Government perspective so please introduce yourself.

>> JAYANTHA FERNANDO:  I am Jayantha Fernando from the Sri Lankan Government.  I was involved in leading the cybercrime initiatives in Sri Lanka and I would like to share some of the multi‑stakeholder best practices.  So what I would like to state, we in Sri Lanka followed a combined strategy implementing legal reform strategy coupled with a comprehensive information security strategy and that was the Government focus.  It was combined at the outset between strategies coupled in the early days of legislative drafting, we had extensive public consultations and engaged the private sector in those consultations. 

The private sector stakeholders who were involved in the legislative drafting processes, the public consultations advocated strongly about the need for the country to adopt globally accepted regime and not just a regime that will stand by itself in our own country.  The result of this logging or recommendations conveyed with one voice by the private sector in Sri Lanka along with the user community resulted in Sri Lanka making an option to adopt legal adoption based on the Budapest cybercrime. 

This framework supported an environment where the private sector, stakeholder and the user community felt comfortable to report cybercrime incidents because of the checks and balances included in the Sri Lankan computer crimes law which was entirely based on Budapest Convention on Cybercrime.  So a key message I want to convey with the multi‑stakeholder engagement in the form of legislative even law and policy regimes can contribute immensely towards adopting globally accepted regime even in a small country like Sri Lanka and as a result Sri Lanka is now posing an option of even making a request to join the Budapest Convention.

Another area where the multi‑stakeholder approach is followed by the government was in the creation of institutional framework.  One example I want to cite based on what I believe was said earlier was the establishment of Sri Lanka's own CERT.  In 2006 multiple options were on the table, the fully owned Government option or they have a public‑private partner.  Fortunately for us due to, again, the early engagement of the use of community in the private sector what followed was to have a public‑private partnership and the national CERT that was created was not a fully owned Government run CERT. 

It combined with the banking community, the private sector, and we got certainly support from global resources available at Microsoft, Google and now have been part of the full capacity CERT community for some time.  They engage in the CERT actively and work collaboratively with them.  So that's another example I want to cite and end there with some thoughts that early engagement with multiple stakeholders helps and that's where the concept of multi‑stakeholderism can add value both in the area of drafting a law and policy framework as well as establishing an institution of framework to decide the whole cybersecurity strategy for the country.  Thank you.

>> MICHAEL KAISER:  Thank you so much.  Finally I want to go one last and then we will open this up to broader questions, discussions and ideas from all of you.  I want to go over to Yurie.  I think this is quite interesting.  It will be interesting.

>> YURIE ITO:  Good morning, thank you for inviting me to this panel.  My name is Yurie Ito.  I am from JP CERT, Japan's National Computer Response Team, director of global coordination.  I am also a Chair of AP CERT which is the Asia‑Pacific Regional Coalition for National CERTs in Asia‑Pacific.  So we have 22 teams from 19 economies, countries working together assisting each other for the cybersecurity incidents, coordinating incidents, helping and assisting each other for remediating threats.  Adli mentioned a bit about the national CERT rules.  We work together in Asia‑Pacific.

But what I would like to talk today is not about cybersecurity awareness, but we started awareness raising about Internet healthiness, and then raising cyber hygiene, which means the importance about clean up activities, and then identifying the root problems, root cause of that, and then fix that to improve the technical ecosystem in the region.

And so APCERT, we have been working together over ten years, but I think 2011 was a turning point.  We had our vision, we changed our vision and were saying our mission is not only responding to incident response with cybersecurity issues, but our mission is to improve the Internet environment, cyberspace environment by cleaning up the ecosystem and then improving the hygiene.  This is really changing of the mindset.  Security is always you, and you draw the border and the rest of the world.  And you, security is about protecting you, defending you. 

But changing that mindset from the security to this is a global environmental problem and what we are cleaning up and changing hygiene, is not only you.  So the other hygiene, healthcare analogy is you washing your hands.  As an example, you have a fever, that symptom.  The hospital is providing you, can provide you the medicine to protect you or the medicine to solve that fever.  That's what CERTs do, typical cybersecurity approach, working with the security operations.

But at the same times not to get infected, you wash your hands and that's something raising the hygiene, the health hygiene.  Now, we can use that analogy to the cybersecurity as well to prevent you from being infected, you can do a couple of basic cyber hygiene, and that's something really important like awareness raising, but at the same time, what we start promoting is washing hands is not only protecting you.  It is to protect the others to be infected.

So in a cyber world, protecting your machine is not only protecting your identity or your intellectual property, but avoiding your cyber resource, the divide to be part of the infrastructure being used by the adversaries.  So that type of mindset is something like we need to develop among the CERTs, but not only the CERTs, but this is the multi‑stakeholder approach.  Not only the technical community, but with the Government so we reach out to the APEC, the Government, the policy makers, making sure this is important, not only the emergency response capability.  We need to have this mindset about clean up and raising hygiene.  This is good for you.  Good for the others.

This is long‑term good, raising resiliency about Internet.  So that’s really helps the international collaboration keep the very different picture and authority teams, national teams to work together.  So that was, that wasn't really good, and then this type of health and hygiene and improving the underlying environment.  That type of global environmental approach is great because you need the grassroots approach.

It's a multi‑stakeholder approach just like we work together to clean the water and have reduced CO2, it needs a grassroots approach participation to the policy level, participation from the technical community to education and NPO, NGO, business sector needs to be involved.

So clean up and hygiene, environmental approach, that type of mindset, you know, development is something that we focused and in the result, we really keep our regional CERT collaboration tight and bonded.  So we created this sort of approach under the name of cyber green, and then we are working with the Brazilian CERT, U.S., we are trying to extend the mindset, the green mindset to the global approach.  It just needs to be a global starting from small success stories in Asia‑Pacific.  We are trying to make it global level of green, cyber green approach and try to keep continue this awareness raising.

>> MICHAEL KAISER:  Great, thank you.  I want to open it up a little bit and I will give you a couple of frames to think about.  First of all, thank you for that and we sometimes think lately more and more that really security is about enabling people to do more things.  That's what it should be at the end of the day.  It's not about stopping people from doing things.  It's about creating an environment where you can do more. 

When you are safe and secure and in a trusted environment, you will do more online than you did in the past.  And that's the focus we had.  I will throw it out to all of you, you can raise your hand, say who you are and where you are from so people will know.  Speak into the microphone so people can hear you.  There seems to be a lot of background noise from the other rooms so break through that noise. 

But a couple of things to think about, you can ask questions or say what you want, but I would like to know from you all what's working where you are in the multi‑stakeholder approach and also are there ways that on education awareness that we could be working together that we should be thinking about.  When Jacqueline referenced the meeting we had in Paris this year, it was about trying to create in cybersecurity education awareness. 

We have all of these things like CERTs that work together and they have all of these multi‑stakeholder people from around the world, but in education awareness, we work more siloed and we want to recreate what works in cyber in other education awareness.  Say who you are and speak into the microphone.

>> CHRISTINE HOEPERS:  Good morning, my name is Christine Hoepers I am the general manager of CERT the Brazilian CERT.  We are maintained by the Brazilian steering committee.  That is the stakeholder for Internet Governance in Brazil.  We have been working for awareness with end users since 2000, so this is 14 years that we have materials in there.  And the decision we had when we decided to create our own material instead of translating or leveraging is, has a lot to do with what Adli said that most of the material that was international was not applicable for local threats. 

So this is one of the challenges.  We have been partnering since the very beginning.  We saw the "Stop, Think, Connect" being created but didn't apply for us at that time because the threats, the local threats were too different.  People were still talking about like traditional phishing, we were seeing 100% malware so there was no message for that. 

There was the landing page for users when they would go for phishing, that would not apply for the phishing that was happening in Brazil.  Most of the threats have local flavor.  They are very different because you have different criminals going on, but then you have a whole other aspect, as you said, about how do you prevent the user from doing harm to others and how do you actually convince them that protecting themselves, they are actually protecting the whole ecosystem because they have the mindset, but there is not importance in my computer.

In these 14 years we developed a lot of materials, characters, cartoons, videos, booklets, PowerPoint slides, we have this whole set of materials and it's being used in a multi‑stakeholder manner because part of the material is books being used in legal courses in universities.  We have a lot of people from the legal system because they want the right concept, but they want it in not a technical manner.  Although we are a CERT and we come from a technical background, we try to do our best to have a correct material, but with a more approachable language.  We have a lot of illustrations so we have illustrators doing a lot of work to try to put in just one image the whole threat, how to defend, how to protect.

And we have been thinking about how to, for example, we could leverage maybe "Stop, Think, Connect" message, but the whole thing is we have been talking for years with them, and they say, oh, no, you have to use our materials.  That's not going to happen.  We have the material.  We could use the message.  We could have something to help spread, but we have a lot of material with different threats, with different message.

So not necessarily you see the same threat going everywhere in the world.  So we should be more flexible into sharing material.  For example, all of our material is being translated to Spanish by Internet Societies.  So we have, and it is a lot of material, so we have a lot, some of the material already in Spanish.  The idea is not really to translate everything and put online.  So everything that gets ready is already there.  So there is already material about behavior and social networks, behavior online.  Privacy, we started with privacy issues with what you were doing that you were harming your own privacy.  So there was material in several areas not necessarily only thinking about consumers and phishing and threats so we are starting to think.  And since the beginning our goal is to have material that can be used by multipliers.  We use the same word in Brazil.

So really the idea is how to have material all in creative commons and they can use that material and digital inclusion.  We have a lot of NGOs that work with digital inclusion.  We have only around 50% of Brazil population using the Internet, so there is a lot of people coming online.  And as these people didn't have too many years to learn, they will face the threats without the technology.  So I think this is something to be considered for developing countries that you have people just getting online, and they didn't have the time to learn the technology.  They are already facing threat.

And for the whole idea of the clean ecosystem, we have been talking with Yurie, we know people from Austria, Hong Kong, they are talking about this, that the problem is going to get worse if we don't think instead of creating this barrier and saying I want to protect myself and the world.  You cannot create a barrier in the water, in the air, and it's the same thing in the Internet.  It's really much more fluid.  So I think the whole traditional material for awareness used to be valid a long time, but we need to think about how to better explain to people that really everything that happens to them will have an impact in the whole society.  And to everyone.

So I think this is some of the challenges for the future that we have to face.  This is my mission.

>> MICHAEL KAISER:  Thank you.  We will go over here.

>> VINT CERF:  Vint Cerf my name is.  I am Vice President of Google and I wanted to first of all endorse what Yurie said.  The public health metaphor is a compelling model.  It may not be exact but it fits the situation pretty well.  There are aspects of Internet insecurity that are not like traffic, for example.  You can see the cars coming when you look left and right, and sometimes you can't see the virus coming.

So that's a problem with other metaphors.  The heart of the matter, really, is that software has bugs, configurations are not put together properly.  They have errors, and we have poor security practices, and all of those get exploited.  That's the heart of the matter.  So the problem that we have is to answer a set of really hard questions in order to reduce our vulnerability due to those weaknesses.

One of them is what can I do to protect myself?  What should I do if I'm infected?  How should the private sector behave?  These are the people that make the software and the services that we are all relying on.  We don't actually have control over that software.  So even if we know there is a bug in it, there isn't much we can do except maybe download the latest update and hope that that fixes the problem.

What should the Government be doing?  What should the tech sector be doing?  And so if we don't have answers to all of those questions, then we will not have a very successful campaign against the vulnerabilities that we are facing.  I'm not going to go on and on.  There are lots and lots of specific things that we could be doing, and in some cases we are doing, but this has to be seen as a multisector campaign where we insist that every member of every sector see this problem as a shared responsibility.  There isn't someplace to point the finger.  It's you.  And it's each of us in our various capacities.  Thank you, Mr. Chairman.

>> MICHAEL KAISER:  Thank you.  I just point out that the United States, one of our weeks for October, one of the themes this year for the first time is secure development.  So we are trying to get that into the public's mind as well that they understand that is an important part of what goes on.  We have a comment here and then here and then in the middle over here we have two or three.  Let's go back here.  We will try to be quick now.  We have 15 minutes left.  I know a lot of people want to speak.  So we will go through.  Go ahead.

>> AUDIENCE:  I myself agree with many persons about important role of the CERT team.  We have to accept limitations of the capacity building of the CERT team also because they know about technical expertise about when they would like to have programs because in a technical manner, in simple language sometimes is very difficult to understand.  And CERT team around the world may have a strategy for policy making decision.  So we have to be aware about this.  In order to apprise people, I think, the role or the responsibility of everyone.

>> MARCIN DE KAMINSKI:   My name is Marcin de Kaminski.  I work for a Swedish Development Agency.  SEDA.  I think this is an interesting discussion especially since SEDA has a tradition of supporting security measures in Human Rights activism in repressive regimes especially and we have a tradition of working with IXPs and regional CERTs or NICs, especially.  But where we see a major gap currently is in the legislative and regulatory actions especially in countries where these kinds of frameworks covering security or cybersecurity is not really in place yet where legislation is taken from other frameworks. 

For instance, like an example, in Sri Lanka and Budapest declaration, but also other frameworks which are maybe not satisfactory taking Human Rights into consideration, but mainly with security issues from both from a state level.  And I think some cooperation would really be needed in that sector in order to make this appliance of legislative frameworks also covering Human Rights and other aspects.  Thank you.

>> MICHAEL KAISER:  Two people in the middle right next to each other then over here and over here.

>> AUDIENCE:  My name is Trambert, I work in the Danish Government trying to make privacy.  Thank you very much for sharing your learnings from your campaign.  It's very interesting for us.  I also have one thing.  How do you justify working together with data brokers and big multinational companies, tracking everybody, collecting our data, and when you are working with them? 

I know Microsoft is trying to use privacy as a reader, but in India you are telling people that Facebook is completely safe and you can use that without a problem.  You work with cofounder it's data broker and they are accused of not respecting the safe harbor.  How do you balance this?  Because I understand the multi‑stakeholder approach, but you are also giving these companies a trust stand.  Do you understand what I mean?

>> JACQUELINE BEAUCHERE:  I'm not sure what the question is, but privacy is always a balance.  I work in the safety field and there is always a balance between safety and privacy, security and privacy, but basically we look at these things as two sides of the same coin.  You can't have security if you don't have privacy.  You can't have privacy if you don't have security, but it is a very delicate balance for sure.  

>> AUDIENCE:  Experian has been accused of not respecting safe harbor principles and they are one of the companies saying, well, we do have to be very safe with your data.  That's what I don't understand.

>> MICHAEL KAISER:  Let me just take and I the answer quickly, from my perspective in multi‑stakeholder approaches there are some issues you have to narrowly, in other words, if you want to try and reach an agreement and reach a consensus to move forward at all, sometimes you have to narrow your focus and start there.  And that means sometimes there are going to be people sitting around the table who you don't always agree about everything, and, you know what, that's the way it's always going to be.

In the United States we do have people who have business models of collecting data about people.  That can't be solved in the work that we do.  We can't solve that issue, but we can try to still build a safer, more trusted Internet together, even knowing that those issues have to be addressed maybe through a different model, maybe it's, you know, regulatory, maybe it's public opinion, maybe it's the way things grow out, but in multi‑stakeholder from our perspective, you start with a narrow focus. 

But the problem everybody agrees they can solve together.  If you aren't all sitting around the table believe that to start with as a group, then it's not going to happen.  We have a couple more ‑‑ we had another comment from the gentleman next to you, then this side of the room we have two comments.  Sir, you can go.  Say who you are?

>> AUDIENCE:  Good morning, everyone.  My name is Amati and I am from United Arab Emirates.  We are experts in information security consultancy and I used to work for the UAE CERT, national CERT for four years.  I was working on many awareness campaigns for the public and different sectors within UAE, and we always face the problem in the CERT to reach every individual.  Definitely CERT has a certain capacity and they cannot reach everybody.  So what we are doing now, we have started something new last year.  I initiated a new national committee that brings together law enforcement, private, public schools, universities, everybody in the UAE to actually go and educate every individual because at the end of the day we cannot reach everyone and everybody has limited resources.

And something else that we have done is we have created different Working Groups, so we do different projects, and we are also involving information security students to use them to go and educate families and parents.  And we are also working on bringing on some members from the public to give their view what they would like to know, what are their problems to collect some data.  So this is something we are doing and we have been receiving so much positive feedback so far.  It's something new, but I think it will work because we are bringing everybody together including the CERT.  The CERT is also part of it.  The law enforcement is part of it, Minister of Interior and all of these schools, university, everybody come together to do something for the UAE as a whole as a country.  Thank you.

>> MICHAEL KAISER:  Thank you.  We will come over here.

>> AUDIENCE:  Good morning.  My name is Betsy Broder, I'm with the U.S. Federal Trade Commission.  In addition to being a law enforcement agency which addresses privacy and data security issues, we also are major promoters and supporters in all of the initiatives.  I wanted to say initially that what a wonderful session this is this morning because you look around the table and by and large people are nodding as they hear the other people speak and they are writing down ideas so I applaud the leaders of this discussion.

I actually have a question, a general question, and that is a lot of the discussion has to do with end users on their computers, and how they can secure themselves and save and protect the environment, but we also are dealing with lots of small businesses, those who are not around the table with the larger corporations but may themselves be the sources of a lot of personal identifying information that may not be secure.

So my question generally, and I guess not for answer now, but consideration, is what efforts are being made to address those concerns for small businesses, and is the message any different or is this something that just needs to be disseminated in that community?  So that's just a point I'd like to share.

>> MICHAEL KAISER:  Thanks.  That's a great question.  We need to take that up in greater depth.  The FTC's website onguardonline.gov is one of the great consumer websites out there and it has a lot of business information as well.  I encourage people to look at that.

>> AUDIENCE:  I'm Jordana Siegel, U.S. Department of Homeland Security and NCSA and Microsoft and many around the table have been partners with us in related initiatives for many years.  I have been involved with the efforts in the United States for almost ten years and I want to thank you for bringing this discussion to the IGF, because I think that a fundamental aspect of this, these activities is shared responsibility, and it really transcends all of the different stakeholders around this table that come to the IGF, and I know we are short on time and I think my colleagues have done a great job around the table talking about many of the things that we are doing and the things we are concerned about. 

But I just hope that we can continue this discussion because I think it's really ripe for the community from the CERT community, the technical community, private sector large and small, Civil Society, et cetera, and so, and other Governments, of course, and I hope we can continue the discussion.  And I would also point people to the DHS.gov website where there is a lot of material as well that we developed in cooperation with NCSA and our private sector partners, other Government agencies like the FTC that is available for your review.

>> MICHAEL KAISER:  Thanks.  There is somebody from remote has a question.  There was somebody over here.  Let's do the remote.  And we will come to you afterward.

>> REMOTE MODERATOR:    This comment comes from David Tate cybercrime in CHU London has been highlighted by a number of participants.  The trust deficit is a major barrier to cooperation between entities.  We have found there is a key role to be played by an honest broker to drive cooperation and build strategies between partners with potentially competing agents and interests.

>> MICHAEL KAISER:  Yes, we agree with that too.  We believe that having trusted party in the middle of all of this is actually an important role in a multi‑stakeholder work.  We have a comment over here.  Here first then over here then back.

>> AUDIENCE:  I'm Gary from Zambia from the Regulator.  The Regulator is the one running the national CERT and our CERT has been running since 2012, mainly we have been carrying out awareness on the legal people, the judges and the lawyers and law enforcement.  We built a computer lab, forensics lab which was opened last month by the ITU Deputy Secretary‑General and we are hosting a cyber drill for Africa the end of this month. 

Our biggest challenge has been imparting awareness to the legal people and having a strong legal framework to work on to.  So my question to ENISA, I have seen a lot of information about cybersecurity on the ENISA website.  If we have many programs within African countries in capacity building on the legal framework side.  Thank you.

>> DARIA CATALUI:  We don't have specific programs.  In 2013 we had African countries participating and sharing materials and getting the best practices from Europe, so we had that in cybersecurity, but we can always share best practices in education.  And if you have something concrete, please come back to me and we can look at this.

>> MICHAEL KAISER:  We have time for the last couple of comments, one here and one over there.  If I can ask you to be relatively quick.  That would be great.

>> AUDIENCE:  I'm Alex Hornsby, Government of Canada.  It's to respond to the question in terms of getting small and medium enterprises, raising awareness with them on cybersecurity issues.  Last year in doing cybersecurity awareness month the Government of Canada released a small, medium cybersecurity guide for small and medium businesses.  If anyone is here interested in that you can go to the website.  WWW.getcybersafe.CA, and it's there in English and French.  If you are interested and if you want to talk more about it, come see me after.  Thank you.

>> MICHAEL KAISER:  I didn't realize that our friends from Canada are here.  We work very close with public safety Canada as well.

>> AUDIENCE:  Good morning, everyone.  My name is Katia I work for electronic transaction development agency in Thailand and I just would like to update multi‑stakeholder issues in Thailand that we also set up a group of making online better, we call in short MOB.  This mandate of the group to make the online environment secure and safe in Thailand and also be capacity building and also advantage for people.  For example, in case the regulation is not clear enough we will set a code of conduct and we review together like between private sector, that includes Thailand and eBay and ISB association.  We review together, and draw up code of conduct for the industry sector as self‑regulation.  And for this project, we think that we can help environment, we will do it together between private and Government sector, we make it better for the environment, and also, of course, in Thailand we also have the Thai CERT and we call that Malaysia CERT and other countries and we are willing to cooperate more in the future.  Thank you.

>> MICHAEL KAISER:  So that's all we have time for this morning.  Obviously this is the beginning of a conversation, not the end of a conversation.  So I want to thank everybody and first of all, thank everybody for their active participation this morning and the thoughtful comments they have made and just a couple of thoughts for me at the very end.  One is as we go around the table and we hear what people are doing, we realize and we should all remember that a lot of people are doing really good work.

And I think our goal, at least my goal personally and whether this becomes part of IGF that's a whole other, you know, is that we all work together more.  It's only, I mean, that's what the Internet is.  The Internet is all of us connecting and I want us, so if anybody is interested in continuing to connect, finding ways, I mean, we hear about all of these great materials created in other places in the world.  We do not want to reinvent the wheel here.  We want to use the best that people are creating.  There are a lot of smart people working on these issues everywhere.

So in a way we can work together, I'm opening that door to all of you to come to us if we can help or vice versa, we will come to you now that we hear about some of the things you have.  You can contact me easily, I am [email protected] .  You are more than welcome to email me at any time.  I'm hoping we can continue this conversation and make this part of the dialogue ongoing because if we are going to have a digital world we need every single digital system to be able to use the Internet safely and securely and we need to build a platform we all trust so we can do that and grow it in more ways to date.  So I look forward to hearing from you all and working with many of you in the time ahead.  So thank you very much.  Thanks for coming this morning.

(Applause).

(Concluded at 10:27)

 
