>>MODIFIER:  Good evening.  Welcome to the session, what are the future scenarios for the global cooperation in cybersecurity field?  I'm sure you had a very interesting and long day with many interesting discussions and we will make sure that we have this relatively late hour of the day a very engaging and interesting discussion and it will be a relatively simple for me because the topic is extremely interesting. 

In addition, we have really competent speakers who will cover the question of cybersecurity and precisely the title of future scenarios for global cooperation in cybersecurity.  Very well.  We'll go immediately into discussion in the following order, and I will introduce now first speakers.  We have ambassador Frank, head of the division of security policy, federal department of foreign affairs Switzerland. 

Next to me is Catherine Ge it, ao, ICT secretary for ministry of information and communication and technology of Kenya, 20162017. 

Unfortunately, Elina couldn't sit at the table.  She's over there.  She's the director of foreign policy and security studies, institute of strategic and international studies of Malaysia. 

Next to Elina is Alexander Klimburg, cybersecurity expert and head of global commission on stability of cyber space.  And next to me is basically Sario Contreras, who is cybersecurity program manager of organization of American states. 

I will conclude this discussion with introducing professor Adrien Perrig and he will kick off the discussion with one question which amazed me when I met him for the first time 3 or 4 years ago.  He's the professor of the ETH in Zurich and the conceptualizer of the system which has been developed for the last seven years.  He will give us more information on that. 

But basically a system that addresses quite a few cybersecurity challenges.  And Adrien was kind enough to join us from Zurich today to give us technological perspective and compliment our policy discussion when indication if we can have technological solutions for cybersecurity problems and issues. 

And when I met Adrien, three years ago, four, I gave a usual spiel that internet is so robust that basically nobody can sublet the internet communication.  And his reaction was that's a bit ideal of you.  There's a kill switch on the internet.  And that's a great discussion with Adrien if you can share the explanation you gave me about kill switch and the major risks that exist for the internet and how society or any other system can address it.

>>PANELIST:  Thank you so much for inviting me and also for this interesting question. 

Kill switches are essentially ways to turn off the internet or a subset of the internet.  So for instance in a city or a country.  And we've actually already seen examples of these kill switches happening in reality where part of the internet becomes unavailable.  Unfortunately, it is easy to trigger such kill switches externally so an external entity can cut off the internet in some regions. 

A terrorist attack can be used to cutoff some of the links that lead into an area.  So researchers have shown that you can actually overload the links that go into a country or region in a way that region essentially cutoff from the rest of the internet. 

Another way is to use this little bit of technical term called a high Jacking attack, so using the routing protocols the internet is using in order to redirect traffic.  We've seen this often in reality there's in a lot of misconfigurations that can often times lead to this kind of outages.  For instance, this summer there was a mistake by Google a network administrator at Google made a mistake and half the internet in Japan was unavailable for 40 minutes.  So that shows the power of these type of kill switches as taken to occur on today's internet.

>>MODIFIER:  You also mentioned the user certificates as an important area and the back door for possible kill switches or security threats.  And how is the system that your team and you have developed.

>>PANELIST:  For nine years already, before this inner architecture to solve these kind of security problems.  Specifically, there is no more global root of trust.  We have separate domains so different networks in the world to organize within what we call isolation domains.  And they essentially create a router plane to enable communication locally, but these isolation domains then connect.  So one communicates with the whole world as we can do today. 

However, what is offered is to limit the scope of certificates.  So within an area, an area can define which certificates they want to mainly trust.  And in a way that no external certificate can then take over or be used to create attacks on entities inside that domain.  So it scopes the trust very cleanly and makes the internet very transparent.  So which roots of trust are used in which areas and essentially brings transparency and security as an effect.

>>MODIFIER:  And the system is deployed?  We started an experiment in one of the service but quite a few entities are using the system.  In a way, how I understood, a unified internet and given the possibility to to some geometry, that you create our domains to be trusted for whatever reasons.  And you mentioned at one point the terms of sovereignty, a question of individual sovereignty, group sovereignty.  While we know the sovereignty sometimes used in the national level, but there is that level of preserving the unified internet while also having the domains where you have trusted communication.

>>PANELIST:  That's exactly right.  Essentially, it gives control to the different entities on the internet and allow them to control how much trust they want to delegate and set up within an isolation domain, for instance. 

This started as a research prototype, but recently we've implemented this to a point where it is usual and within Switzerland already we have some banks that use it for production traffic, so it is use in production networks. 

So it gets to the point where it becomes usable today.  It's quite easy to set up and connect to other entities.  We're getting to the point where we have some countries that tell us they're interested in deploying this infrastructure in their country to achieve these type of benefits from a security perspective mainly.

>>MODIFIER:  The key words are trust, transparency.

>>PANELIST:  And isolation.

>>MODIFIER:  Isolation could be difficult term.

>>PANELIST:  Right.

>>MODIFIER:  You created a domain while you remain the part of the broader internet.

>>PANELIST:  Absolutely.  It's hard to censor a silent internet than it is to censor today's internet.

>>MODIFIER:  Thank you for this introduction, and I will invite you to stay alert and comment on our policy discussions and see where we can bring to other challenges. 

We'll move to the next presenter, ambassador Frank who will give us the survey, what are the new formats and societies?  And then we will be diving into chosing focus later. 

>>PANELIST:  Thank you very much.  And I have to say, I will focus on formats that are possible at the UN.  We know there are many other formats such as the commission on cyber stability. 

First of all, we're in a situation where cybersecurity gains importance and at the same time we do not have buddy at the moment, which is something unprecedented where we can discuss cybersecurity issues apart from conferences like the IGF. 

So this leaves us with the question of where should we discuss these issues?  At the moment and when we look at UN general assembly, what we did in October, it was putting the issue of cybersecurity just into the IGF of 2018 and 19.  That's what we did. 

What are the formats?  Maybe we should have another UN GGE.  That's a proven form at.  We know what they get.  And they've produced valuable reports in 2013 and 15.  Critics would say you haven't agreed on the report this year, so what would change in a year or two years time?  And GGE is not really a form at.  It's 25 experts and it's not an inclusive form at.  So it has some disadvantages. 

Another option would be to have just an expert committee which is also created under the UN general assembly.  Such a committee could have as a mandate for example to look at the implementation of the UN GGE reports and make recommendations how this implementation by member states can be improved.  It could be a body that is based on 20, 25 experts.  Could either by selected by secretary general or by being elected by the general assembly. 

Another option would be and that's what the chase 77 has suggested would be the creation of an open‑ended working group.  Has the advantage that of course every member state but also other stakeholders could take part in the discussions on cybersecurity.  Has a certain disadvantage that of course then you have 193, 94 UN member states sitting at the table with also different stakeholders that might be difficult to find area of common agreement. 

And you would need to make sure the experts sit at the table, and not just the interns at the missions in Geneva or New York. 

Then another option available would be the send cybersecurity issue to the conference on disarmament and have it discussed here in Geneva.  That's also a very good option for a Swiss dip lament.  And of course there's more exclusivity at 65 member states.  And we have being here in Geneva, we have already a lot of cyber knowledge.  We have many many diplomatic missions here which is good from a practical point of view.  A task of course the disadvantage that it's just governmentry presented tips and the CD has not been very successful in adopting a work program for quite sometime.  So that's the disadvantage. 

You could this morning of creating a special UN party for cybersecurity along the lines of what exists with the peaceful unity of outer space.  You could have the comity of peace use for cyber space where you can associate apart from governmental ‑‑ other stakeholders on a consensus basis and is ‑‑ which is an advantage on technical issues, such as this one. 

But of course setting up such a new body is an ambitious project. 

And then we have heard in some of the panels that the UN secretariat as well would like to strengthen its cyber capacities and capabilities and of course there you could nominate a special representative for cybersecurity for the UN secretary of general or you could have something that exists in the disarmament area that's an advisory board on ICT security.  So it exists already an advisory board on disarmament matters which make recommendations to the secretary general.  So you could also think of having something like that at the UN. 

So several options.  All have advantages and disadvantages and it will probably depend very much on demand you would like to give to such a body which will then define what exact formt you would like to choose.  One thing from the Swiss point of view that is clear, cybersecurity is a global issue, global concern.  Many states and stakeholders want to have a say and we think such discussions have to take place at the UN.

>>MODIFIER:  Thank you for the rich menu of the options that exist from the different fields.  We move to Alexander.

>>PANELIST:  From a technical perspective, we like to see our solutions.  We see everybody struggling with cybersecurity, so we hope a technical solution would help you do leap over a lot of issues. 

For instance, this architecture we're working on can be seen like penicillin.  You had back material infections.  Penicillin was invented, and a lot of problems went away.  And similarly, technical solutions can help to resolve a lot of issues that then become non‑issues and then we can make much more progress with the remaining issues.

>>MODIFIER:  This is one question, Frank.  In the work, have you had some sort of stress test with the people like Adrien and say here is the problem that we face and is the a technical solution that we can found, some sort of informal or more formal group of technical experts who can do the stress test on this question for Frank and later for Alex.

>>PANELIST:  Thank you.  As the group as a whole, we didn't have such a stress test.  We had interactions of course with stakeholders or lunch or in special briefings.  So there was a certain input from others.  It wasn't only governmental experts just working in a close environment and not getting any views from outside.  But not, at least not to my knowledge and not as a group as a whole technical stress test.

>>MODIFIER:  Thank you.  That could be possible solution for the sum of the options that you surveyed and I'm sure that we will hear quite a few ideas from Dr. Alexander who has been doing a lot of research and who will reflect on how we can fill the gaps in the current cybersecurity architecture.  And that would be great Alex if you can also reflect on the technical stress test for the policy solution. 

>>PANELIST:  Thank you for setting such a low bar for me to meet.  Well thanks first of all for the invitation to be here.  This is an incredibly pertinent topic and congratulations to the Swiss government. 

It's a reoccurring discussion on internet governance if we need policy processes to meet the new challenges.  And outside of internet governance, we have of course we in the global commission and stability for cyber space, we concentrate more on the UN first committee processes, the group of governmental experts.  And the UN GGE has not been particularly known for innovation or evolution.  GGE has helped to expand stakeholder engagement across many different dimensions. 

It also points to whatever comes next, as was pointed out previously.  Whatever comes next, after the GGE, be that new form at on its own or standing side by side.  Expand and multi‑stakeholder engagement is going to be key. 

We look back at the 2013 UN GGE report, one of the most important things about that report is it empowered regional organizations, OSE to develop not only norms but confidence building measures.  CBMs are a very important tool in international security.  Those are the technical fixes that are there to help alleviate tensions between states. 

The most famous example is a hot line between Washington DC and Moscow that was invented during the cold war.  And indeed the 2013 GGE report kicked loose a very wide debate within the OCE as well as other organizations to help develop ‑‑

But in the 2015 report was also well‑known.  It went out with very suggestions on norms.  They went off and had for instance that states should not sneer with the critical intersection of other states in peacetime or states should not attack computer emergency response teams.  And that is what the 2015 report is mostly known for.  But there's an overlooked part.  While states have a primary responsibility for maintaining a secure and ‑‑ would benefit from identifying mechanisms for the participation as appropriate of the private sector academia and civil society organizations. 

So the 2015 report also openly acknowledges when it needs to wring non‑stakeholders into the discussion.  This is one of the mandates as a global commission.  GCSE is a ‑‑ would just build around a host of thought leaders from the wider cyber ecosystem.  So Joseph and I want to describe this ecosystem as being effectively a regime complex. 

Many institutions working together on different pects of the problem, but more often working alone to solve their own individual problems.  Sometimes they work side by side and sometimes on top of each other.  Therefore, that are the issues we seek to address.  Namely, sometimes we have norm collision. 

One example, what I said beforehand about hot line communication.  Hot line communication is a great topic.  Everybody want a hot line.  The European union has a hot line.  Russia, the United States, the meridian group has a hot line.  The international watch and warning has a hot line.  All of these exist side by side.  Which are you going to use in a crisis? 

The original was called INOCDBA.  You might know it because it gave birth to something called Skype.  This is effectively what most people will use if something really burns down.  But we do have a lot of different CBMs out the that will purport to do the same thing.  That the a good thing.  It's better to have more lines of communication than too few.  We don't want to have working across purposes. 

This is what we mean by norm.  Collision.  And this is one reason why the GCSC in particular aims to subscribe a informal coherence and not try to ascribe norm conversions, one single solution, one single idea that will solve all of them.  We don't think that will really work.  We think there's a lot of work happening in many different communities and be aware of the work in those communities. 

It's going to have to understand the complexity of the issue alone and not go for begun single one shot solution.  I think that answers part of your question. 

>>MODIFIER:  One point on the interaction with Adrien.  I know that in new Delhi you made a call or announcement for protection of critical infrastructure.  This is an important break through in global cybersecurity discussion. 

Have you started conducting technical stress test?  What is the interaction with technical community and how does it function and what could be a possible input of community like Idrene's community on cybersecurity? 

>>PANELIST:  We've put together a call to protect the public on the internet.  Unfortunately, we've run out of printed copies, although I would be glad to give you some. 

This is not a complete novel invention.  The idea of protecting a public core or what has been defined as a public core or critical internet infrastructure has come up again and again.  And I believe you've spoken about similar issues in the past.  It's not a complete novel idea.  We were able to draw on research that was previously done.  As part of our process, we have a research advisory group that I would encourage all of you to be involved in, which has helped deliver not only a host of the commission papers that we'll be putting up on the website, but will also help supply us with liberations that were done in previous years.  Effectively, those papers include a stress test ‑‑ a part of our commission includes people ‑‑ a lot of people have deep technical backwards and teams to support them.  Within the relative working groups that were run within our commission, they were able to go into much more detail than is currently in our very short norm. 

Bill woodcock ran a group that looked at critical infrastructure and how we would rank certain parts of the infrastructure as particularly critical and less critical. 

But more importantly, to answer further questions is what the community can do here.  And that is take the norm, which is a very very small paragraph and interpret it for your means.  Tell us what you think it means.  Because it will mean one thing in the GGE environment and it will mean something else perhaps in the cyber crime environment.  We just had a meeting that was an interesting discussion that also connects to the wider discussion about core internet values.  And we think there's a possibility here to commute for instance the call to protective public core of internet into actual global principle. 

So those are the aspect that we hope to address in dealing with this community.  We both want to advocate our norm and more importantly want to get ‑‑ on how to develop further. 

>>MODIFIER:  Any suggestion on how to protect the core of the internet? 

>>PANELIST:  I'd love to talk to them and tell them about the ideas we've been working on and also I know very well what other researchers in this area are working on.  So I think we would like to also let the ideas flow into the policy space.

>>MODIFIER:  Thank you.

>>PANELIST:  I think they could come to fruition there. 

>>MODIFIER:  We have just two questions for Alex before he departs and then we continue with the other presenters.  Any question on the protection of public core and the question of global commission?  It seems that everything is clear.  Thank you Alex. 

>>AUDIENCE:  So specifically, the whole infrastructure has so many holes.  There are many vulnerabilities.  How possibly do you want to get to a point where you have all this crumbling infrastructure ‑‑ I don't see how you can with one magic wand, make it all secure somewhere.

>>PANELIST:  One magic wand, we don't believe will solve it other.  But just take two approaches.  Within our working document, we define the inner core and outer core.  The inner core is clear.  The outer core is less clear and could include ISPs and cable infrastructure or entire systems.  So those are less clear and less defined aspects that we are looking to the community to define in terms of the inner core that we consider absolutely clear, this is critical. 

The question is not so much ‑‑ my point doesn't have as many holes as a whole new layer of security problems that were not addressed and not with DNS.  That's nature of security, you close one door and open another.  BGP, I'm not so familiar with that many holes.  There's process problems, as there are with public key infrastructure. 

So I think it helps address a number of issues without doing, in our point of view, the most grievance thing, which is to have the fallacy of inventing something completely new, which surpasses everything else and introduces a whole new host of problems we haven't thought about before. 

The only thing we know about working with the internet, there are two issues that will come up again and again.  There are going to be security holes that are not to be considered.  People focused on rooting have a hard time understanding the human dimension.  If you look at for instance the roots on roll over procedures, for instance, there are things addressed there that work perfectly from one security standpoint and fail dismally at another security standpoint. 

So we will always be opening up new doors when we close one door, and I think it's important therefore that the system remains resilient and that means there are different formats in play and not a single form at. 

I'm very interested to hear about your work.  It sounds like a VPN overlay.  That sounds interesting. 

>>MODIFIER:  Thank you.  We can now go into direction of the detailed discussion.  I'm sure that all everybody in the room knows what is the BGP and acronyms starting to move very very fast.  And I think it is really really excellent initiative and for those of you knew in this community, Alex wrote a book, a quite impressive book back on the web.  Congratulations, Alec.  And that is an important book in the field of cybersecurity. 

We move to our next speaker who will answer the question, 2016‑2017, what is the inability to adopt the consensus report mean for international cybersecurity?  Simple question. 

>>PANELIST:  Not so simple or you wouldn't have asked it.  Thank you.  Good afternoon, colleagues.  Firstly, I want to say that I do believe the UNGG was a very valuable component of the global composition, and I hope this is a timeout and not the end of UN GG or at least that it is to be replaced by some similar process. 

And then the other two things I wanted to say as an introduction, cybersecurity is not just about the absence of conflict and crimism it's also about this focal existence and the reduction of ‑‑

And thirdly that governments are a very important part of the cybersecurity agenda because of their mandate, structures and resources. 

And of course they are also the issue of what somebody called earlier today fractured mandate because there are so many things about the internet and about this common resource that crossed borders and therefore we not only need individual governance to take part in the agenda, we also need forums where many governments come together to come up with a common policy.  And yes it needs technical support. 

But in UN GGE, we had many delegations had technical experts who were assisting them. 

We also had diplomats.  We had lawyers because there's a legal component.  There's a diplomatic component.  There's an organizational component and everyone needs to participate. 

What was some of the negative impacts of the break of the GGE?  For less powerful countries, we became increasing the answer because at least for us, the UN GGE was to better understand the international agenda and the postures of the most powerful actors.  We know who they are so I don't have to give them names.  I think there's also an increased possibility of divergence in state and regional cybersecurity agendas. 

The five sections of the UN GGE really helped to us come together and see what is important for all of us.  But when it's not there, each of us may choose for ourselves what our priorities are and what we're going to work on?  Another one, I expect I don't want to draw a dooms day scenario.  I don't think something so serious, I don't think there's an increase of texts from space.  I expect there will be increases from social ‑‑ and the aggressive ‑‑ related research and development in an increasing proportion of countries.  Because we are being set free to do what we like for some time. 

We are going to take advantage of that.  Some other impacts which I can't say whether they are positive or negative, but I believe one of the things at least I've seen IGF, we have quite a few topics on cybersecurity and I think Alex has just walked up.  But there's GCS, GFC, forums which are emerging in existing a new arenas.  And I think the developing countries and civil society are becoming increasingly vocal in the field of cybersecurity.  So this is giving them space. 

I think they're also emerging power shifts regarding who is the driver of the global cybersecurity as a result of maybe government taking our time out. 

And that this timeout should also give time to states to implement their 2013 and 2015 reports as well as other persuasive ideas which didn't make it into the report.  But we had them, we discussed them, and some of them are going to emerge in other documents, either at the level of individual countries or at the regional level because they percolated into the regional dialogue. 

>>MODIFIER:  Thank you for this.  What is very very interesting is that capacity development or building function of the UN GGE.  As you indicated through the UN GGE you said that you had the chance to better understand the position of the major mower and actors. 

You are concerned that possible anarchy in the system could damage the weakest part of it.  And growing awareness in developing countries in Africa and other developing countries, the cybersecurity is becoming essential development issues.  Those are a few takeaways from your excellent survey. 

Now we have a question of a potential anarchy, and I can see the few colleagues who are students of international relations I'm sure there will be inspiration for article or master appears that this is on this issue.  Elina, you will address the applicability of international law in cybersecurity.  Do we need more rules?  Is there anarchy or to what extent it exists?  Do we have a risk of a cyber anarchy or is it just perceived? 

>>PANELIST:  I think the question of whether there is an anarchy, the jury's still out.  I think you will see more insidious activities in cyber space.  We've already seen a number of examples of that.  It's hard to argue that all these activities are not existed beforehand, they're just made public now. 

I think there's been a lot of lamentation about the so‑called failure of the most recent GGE process, and I think some of that is ‑‑ a lot of that is unfair because if you go back to the 2015 GGE and the consensus document that was put out, it offered a lot of clarity on the applicability of international law.  And that, to my understanding, came at great concessions and compromised throughout the negotiation process on arriving at that conclusion. 

What is now debated is the applicability of the specifics of international law, and there are particularly troubling aspects of international law applying particularly to the less developed, less powerful countries. 

So for example you have contention on whether article 51 of the UN chart, the right to self‑defense, should apply, and how it should apply, if it should at all.  For example, some countries, the more powerful countries, for example, have argued that there should be almost strict liability type application of international law. 

And article 51 specifically so that if a third country is ‑‑ has an attack rooted through it, then it should be responsible, reliable for that attack being rooted through its systems and infrastructure.  Not all country that might play that role of the third country have the capability of even be aware of an attack being rooted through its infrastructure.  So there's concern about the technical aspects and also there's concern that there will be a politicization of interpretation of international law. 

And we've seen this time and time again in other domains in the more traditional domains, the use of preventive self‑defense for example which is contentious and international law, the use of preemptive self‑defense, how international law is going to be interpreted is a connect for concern of developing countries.  Also the fact that there are different priorities in the developing world.  So in my region, for example, southeast Asia, there is concern about content, about the information that is in cyber space, and how that might undermine political stability. 

In the past, I think what we've heard from more developed countries is that this is a freedom of expression issue.  And certainly it is, but it goes to a deeper sense of security and stability among the political elite because the idea that content can be manipulated, can be turned into misinformation or disinformation affects not only the regime stability of a country, but also affect the economic opportunities provided by cyber space for these developing countries.  So the idea of priorities and how international law might apply to these different priorities of developing countries is certainly in the forefront of regions like mine. 

Finally, I think what we'll see is that there will be a call for greater charity for the specific applicability of certain provisions of international law, particularly in the recourse to measures by states affected by cyber attacks.  But there will also I think be greater prominence on the issue of content or information security. 

How content may or may not be manipulated, what recourses are available to countries.  We're starting to see that play out now in countries like the U.S.  but this is always again been a concern for developing countries and it will be interesting for us to see how international law may or may not play a part on the issue of content in particular.  I'll just stop there.

>>MODIFIER:  Thank you and thank you the panelists for sticking to the time limit.  We'll come to the technical aspect later, but you blew the regional aspect and concerns in southeast Asia and I think this is an excellent introduction for our next speaker Bellasario from organization of America states who will tell us more on how can organization contribute to free open and secure cyber space.  Please. 

>>PANELIST:  Thank you.  There was a round table discussion a couple of months ago in New York sponsored by the terminal of Germany and the Netherlands where we discussed what's next for the organizations.  For us, it's more than the GGE. 

The internet or cybersecurity is more than just Europe and North America.  If you want just to deal this, let's use ‑‑ and define this among yourself.  But we need to start that, if we really want to discuss about the free open and secure internet, the internet, if you want to believe that it's help everyone, okay, let's bring everyone to the discussion, of course. 

The member states that were participating at the GGE process, they really wanted to have an outcome and they really can upset them about what happened.  And one of the initiatives actually that were taken at the regional level was established a working group on cooperation and confidence with measures that was ‑‑ and the general assembly of the OES and the recent ‑‑ 

The first meeting is going to happen at the end of February, which all of us member states are going to start discussing a proposed document of CBNs that will be applicable to the   system.  What the member states are working on that will basically try to harmonize access to CBMs and another regions.  Basically to avoid remaining the will. 

The beauty of the inter American process, which is the oldest of the world, is that it's a very inclusive process.  All members are able to participate.  They open the door to all states, you name it.  Of course civil society, a private sector that are participating ‑‑ to participate. 

Again, the free about the free open and security net is other than the CBMs.  And we always ask ourselves and our governments if there is enough regional awareness and if not, if there isn't ‑‑ enough readiness to face cybersecurity threats.  Because we sometimes go to a member state and there is not even a basic literally cybersecurity awareness campaign.  They are giving access to the internet but not communicating how to make use of the ICTs. 

There is not even law enforcement or forensic unit that can handle cybersecurity incidents or crimes.  They are not serving place. 

It's very nice to hear about hot lines, but there are countries that they don't even know what is critical infrastructure that they don't have the fine to critical infrastructure that they need to bottle inside to give resources either to a hospital or cybersecurity. 

So before going to more in‑depth countries, there are more fundamental issues that needs to be discussed.  There are basic issues that needs to be discussed from the organization perspective, we are making a lot of bring to war with our member states.  Fortunately, our region in socioeconomic development process of growth.  We are working, promoting national strategies.  We are working, making sure that there is certain level of easier response.  ‑‑ 34 member states and out of those 21, there is still a gap. 

We are providing training for law enforcement and information sharing.  There is more need.  And I am just I think 5 or 6 ‑‑ five countries have our administration campaigns in place.  So we actually actively trying to bring all member states to political consensus.  So there are sometimes resolutions and declarations that are adopted I think the American system.  These working that was established for example was a political decision.  At the same time, member states have give us the mandate to provide capacity building and assistance in order to foster that free open and secure cyber space. 

Because without the proper tools, without the proper capacities in country, they will not be able to maintain proper changes to make sure and to warranty this cyber space to American cities. 

>>MODIFIER:  Thank you for the news from one of the most advanced cybersecurity system in Americas.  And with this, I will open the floor for ten minutes.  We have about eight minutes for discussion.  I'm sure that you are quite keen to leave on time since it was a really long day.  In brief, while you're thinking about the questions, we have a electro mote participants question.  A few summary points. 

We started with Adrien with the kill switch and the infrastructure issues.  Then Frank gave us the survey of the menu of different options.  Then we have Alex input on the global commission.  And in particular interesting question of stress test which we should develop further about infrastructure because that could be one of the key issues.  Catherine giving us what the the life of the UN GGE. 

Then the next to speak has told us that there is quite an interesting life on regional level and there are some things that we can do in disposing the UN GGE dynamics.  And then we had Elina bringing international legal perspective states responsibility which is completely unclear and completely in the issue of the great controversies.  And then bringing Bellasario highlighted the need for capacity development, inclusive approach, and that's more or less what is the sort of zoom out here of our discussions so far. 

Now we will hear from our online participants who is a specialist for international relations.  And I was noticing when she was giving the indications about the risk of anarchy, that you got interesting.  Your dynamics was in your eyes.

>>AUDIENCE:  For now, I'm just going to focus on the questions that have been posted online.  Online we had an extremely rich discussion.  Trying to summarize it is not easy, but I think there were three main themes.  One theme was just kind of switching perspective from technical considerings to human considerations.  Here, the question was how do we address the human situation ‑‑ but people tend to mess things up.  So what do we do? 

Then another set of questions and comments focused on the remaining inequalities and the lack of capacities that we're still facing and it's specifically related to the UN GGE.  And here the comment and question was, the GGE has had over ‑‑ had 25 countries in the last year but in total over 35 countries have participated in the previous years.  Ten or more of those are developing countries.  Developed countries had big multi‑stakeholder litigations developing only a personal two.  To get other countries on board, we need more capacities of developing countries to level the playing field. 

And then the last set of questions and comments focused on the lack of coordination.  And here, the ideals that all countries have basic implemented measures that have a good rise to follow.  There's a lack of voluntarily accepted base line.  There are many agreements but still have countries that are not aligned.  Also, the response capabilities are not equal in these conditions. 

And then Gina Chark mentioned, the question remains, how do we get to this idea of coordination?  Capacity building?  New initiatives.

>>MODIFIER:  National or international level?  The first question, it was a very vibrant discussion.  Adrien, we had discussion in one of the digital talks.  Other technical solutions because there were two groups.  One all focus on the human errors and big human factors and you blew the conch argument that there are technical solution. 

>>PANELIST:  Right.  So definitely many people say that or believe that, you know, engineers and especially from the technical schools, we don't understand the humans behind the system.  And to large extent, that may be true. 

However, there is a lot of research on usability and security that has come up in the last decade to the point where also we're bringing in, designing technical solutions in a way that we are aware of the people behind and trying to create systems that are very easy to use and also tolerant and opposed to error. 

More recently, we started hooking at protocol verifications.  And a team has been modelling the whole system, including the people using it and creating automated systems to verify the whole system, including the humans.  So being able to show security of systems, even if the people make mistakes, if they lose their password or whatever happens, to ensure that the remaining system is actually secure. 

>>MODIFIER:  There is some hope from here.

>>PANELIST:  So we are thinking about that.

>>MODIFIER:  There is this question of even playing field of countries are equal but some countries are more equal.  How equal they are in cybersecurity.  When it comes to the practical issues of I'm sure that you didn't have a big delegation.  Maybe a few people or sometimes you're traveling alone for the meetings. 

>>PANELIST:  One person, but I think Frank can testify that I contributed. 

>>MODIFIER:  You didn't need to deal with the silos because you were the only person.

>>PANELIST:  Exactly.  It was great fun.  At some point, a used a legal expert from the German delegation, technical expert from the Swiss delegation.  So it was all a lot of fun and making use of global expertise, which I think was the whole point.

>>MODIFIER:  Sharing diplomacy.

>>PANELIST:  Thank you.

>>MODIFIER:  And next question, the problem of the equal playing field exists and but it could be sold to some solution that you used, but it exists as a fundamental problem in the cybersecurity.

>>PANELIST:  Yes.  The problem of inequality I think is not limited to cybersecurity.  I think here in the IGF I attended a session where they were saying that the developing, especially Africa, is in trouble because a lot of systems now are learning from big date and none of the data is from Africa. 

So even when you create your system that verifies humans, which humans?  Yeah.  And I think I heard a case of a tank that was created by the army of some powerful country and they guaranteed that it could not be overturned under any circumstance.  They brought it to Kenya and I think it took us only three days to overturn it. 

And they sent a very big delegation because they could not understand what happened.  So obviously their big data was not big enough. 

So I think the problem of inequality with a light touch is a problem for all of us.  Because if there are some people are excluded, then you cannot say you are cyber secure because for example in Kenya, we have just brought 1,000,006‑year‑olds into the digital conversation.  I have no idea what kind of cyber criminals will emerge in ten years ‑‑ or even maybe much sooner than that as a result of that intervention. 

And if we just create a world view which consists of I think Bellasario called it Europe and North America, you know, you won't have the whole picture.  So I think inequality is not just a matter of being nice and making sure everybody is not around the table.  I think it's a real issue of trying to get the complete picture so that we can really build robust products and services that take into account all human beings and what they're capable of as well as what they need.

>>MODIFIER:  Great.  I think we have five‑minute for the lovely comment.  I think the stress test, you'll have to be next IGF which could be multi regional.  We have a question over there, and then Peter.  Please.  Introduce yourself.

>>AUDIENCE:  From internet society.  And one of the future scenarios is the possibility that states could become offensive in the area of cyber security.  Like we're moving from defensive cyber security to a policy of considering offensive cyber security strategies.  And one thing that struck me as a participant in civil society is that when technology ‑‑ this could necessitate newer technologies and newer partnerships by governments with the private actors.  And new technologies for offenses are developed.  Those new technologies would invariably lay down or spread to ‑‑ spread outside government. 

For example, these technologies for offenses being doubled up could translate into scenarios where not only international offenses are done, but inter corporate cybersecurity offenses could become the norm.  And so rather than take a bleak picture and react offensively, is it possible that certain policies could be developed with a certain degree of goodness in spite of the provocations? 

>>MODIFIER:  Excellent point.  And I think Catherine has one point which is very important, moving from a reactive cybersecurity.  Absence of conflict over creating walls to ‑‑ which could address is social challenge.  Because as you indicated, we're so intertwined and dependent on cyber issues that creating the walls won't protect you.  Thank you for that comment. 

I will bring another question and then pass the floor to panelists to comment further.  Peter.

>>AUDIENCE:  I have a specific question concerning the options of creating new UN body or new UN mechanism.  We have a working group on inhouse cooperation which is basically a larger aspect of states cooperating on issues, not on the day‑to‑day operation of the internet, how they can really ‑‑ public policy issues on international level.  And one of the options which has been proposed is to create mechanism, and UN body or working ended working group eventually consultative.  Well, it turns out that probably redundancy, which is a buzz word in the UN system and which is to be avoided all the time somehow got into this discussion and we are almost doing the same work from a different aspect. 

And in the meantime, it just occurred to me that WSIS process itself created action laws and action laws C5 has nomated as action life facilitator on cybersecurity issues.  So I'm really perplexed that all of a sudden, this idea comes up to create something new whereas we do have existing mechanisms and the previous working group has already identified a lot of mechanisms which exist within the U.S. system which are dealing with issues including cyber security and of course it identifies gaps. 

But these gaps should be looked into.  So the real solution to me would be to make a big study of what should be expeneded and in case we find out we don't have anything, we can create something new.  So what is your view? 

>>MODIFIER:  Thank you Peter for this deep diplomatic inspection.  I feel there is good dynamics in the room.  I will circulate the paper.  You can like your e‑mail if you would like to hear in particular while I'm inviting your panel to answer the questions. 

Frank, would you like to start? 

>>PANELIST:  Thank you for a very good question.  I think we all try in international organizations to have ‑‑ well, to discuss issues and not to have like a duplication.  And I think this is always a goal.  You won't be able to say, there's 100 percent.  There are no over laps at all.  I think looking at the GGE, I think we really focused on cybersecurity in relation to threats to international peace and security and on state behavior in cyber space and how we can create more confidence and restraining measures. 

So it is only one aspect of cybersecurity and I'm not ‑‑ of course the must be places in the UN system where cybersecurity is discussed more from the internet use of terrorists, for example ‑‑ we didn't try to address these.  We said there are other fora which deal with those and it's really a state behavior which can have athet to international peace and security.  But I'm sure we had certain overlaps. 

I agree that before you create something new, you better look what the out there and say, okay, what the thing that we have that also served a purpose. 

>>MODIFIER:  Thank you Frank and thank you participants for patients.  We are seven minutes over the time.  Instead of the question of coordination, you have a lot of experience.  What can you tell us?  What can be done? 

>>PANELIST:  That's a million dollar question.  And it's not ‑‑

In terms of response, again, we have these platform for all the national certs.  It's called Americas.  We're trying to promote information sharing at the technical level.  Right now, we have 15 certs over there.  Actually, we're giving the lead technologies on incidents and we're trying to make sure that they share more information at a political level.  Actually, there is ‑‑ well, this working group was established.  We are working informally or sufficiently with all states, making sure that they change practices.  With inter pole, we also work very closely to capacity building projects or to trainings, make sure that there is a constant exchange of information and ‑‑ 

But this is still very difficult to have a constant and formal process for communication and information sharing.  If like everyone I think would like to have that sold very quickly and very easy, but both of the national level at the regional level, and at the international level is very difficult.  You will say that there are ‑‑ many photos would say they're doing great because we have the photo of the X, Y and Z and we have X number of certs and law enforcement or X number of crime sectors.

The reality is we participate in all of them and one thing is one thing and the other is a reality.

>>MODIFIER:  Thank you.  Everybody for the coordination and everybody want to be coordinated.  This is the problem in Geneva. 

That's common problem even in the most advanced cybersecurity region or Latin America.  Concluding comment on any of these issues?  Quick one.  We are testing patience of our audience.  They are already ten‑minute over.

>>PANELIST:  This idea of capacity building, that's a low hanging fruit in southeast Asia.  Technical capacity building is already happening.  What is missing is capacity building in the policy area.  By policy, I mean not technical policies, but strategic policies.  How international law can be applied for example where a course to law is available in cases that are below the threshold.  These are questions that are not currently being considered in southeast Asia because there's a lack of awareness first of all. 

Second, there's a lack of expertise to address these questions.  So if there's any offer of coordination, capacity building in that area, I think that is very much warranted and needed in southeast Asia.  Thank you.

>>PANELIST:  And this may be ‑‑ because you introduced this cybersecurity, not reactive, not just absence of conflict but also peaceful coexistence.  Quick comment on that, and then we'll ask Adrien to tell us what was his experience of the cyber policy discussion and what we can advise us.  Please. 

>>PANELIST:  Really, this is our chance to talk about peace and I'm glad to see there's really a stakeholder audience here.  Every weather has been a cybersecurity.  So I believe the question is already being answered that it's not going to be all about the development of offensive technology.  A lot of it is we're all dependent on this technology, and we want to work together to keep it peaceful. 

>>MODIFIER:  Thank you.  Adrien? 

>>PANELIST:  There's no silver bullet.  There's no single solution that will just solve everything.  However, we do have to realize that the internet is 30 to 40 years old.  The protocols are changing much slower than we think they're changing.  They may have different things displayed on the screen.  That changes quickly, but the fundamental underlying protocol change very very slowly. 

And so with the benefit of hindsight, we're able to use the last 30 years of research to really create something new that is fundamentally more secure and side steps a lot of these issues.  I'm hoping that people will look at our sound system and hopefully you'll see this is like penicillin that can actually kill the pugs and fundamentally change.

>>MODIFIER:  It's not placebo.

>>PANELIST:  We're hoping not.  If you have critical infractures that need to be protected, we have nuclear power plants that say let's use this for our security so we can plan against attacks.  I think you can really leap frog against a lot of the issues that have accumulated in the past resolve really fundamentally these issues.  So I'm hoping people look at it, maybe I'll be back next time.

>>MODIFIER:  Definitely.  This is my point.  We're now collecting e‑mails and we'll continue this debate, because especially everything technical and policy community.  It was really great to have you today with us.  I'm sure we'll manage to bring you after the first experience to the next IGF and the next IGF.  There are ten now.  Eight more agreed for the extension.  That's really a great concluding remarks.  I would like to invite you to give a great applause for our panelists and for all of you. 

[APPLAUSE]