IGF 2017 - Day 4 - Room XXV - OF67 Commonwealth Open Forum: Facilitating Investment in Cybersecurity as a Means of Achieving the Sustainable Development Goals

 

The following are the outputs of the real-time captioning taken during the Twelfth Annual Meeting of the Internet Governance Forum (IGF) in Geneva, Switzerland, from 17 to 21 December 2017. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

 

>> SHOLA TAYLOR:  Good morning, everyone.  If it is possible, could you just move to the front.  In the meantime, we will be starting in a few minutes. 

Good morning.  For those who are just coming in, can you please move forward.  We want to have a close collaboration and practice.  If you could please move forward, we would appreciate that.

Thank you.

Can you come to the first second rows when you come in. 

Thank you.  Even the front row. 

Good morning everyone.  I'm sure you're all enjoying the good weather of Geneva.  This morning, we're starting a little bit late, but we'll try to make up for the time.

This morning I have a very interesting set of speakers and audience, this very special Commonwealth forum.

I've just put the agenda on the screen to work on, which is what I'm doing now, the welcoming, followed by the approach which we have adopted within the Commonwealth on developing cybersecurity, Gavin Willis’ work with the international team who will also be telling us about the experience in the UK and giving us best practices on cybersecurity, followed by my very good friend here, Tracy Hackshaw, who is an ICT digital economy strategist.  He has held several portfolios, including director of Trinidad Stakeholder Advisory Group.  And, then I have Robert Collett, who is the head of capacity building, prosperity at the UKF shield foreign Commonwealth office in the UK.  And, then we have an open discussion.  So, he has some very -- some input from you, the audience.

So, without much ado, let me welcome you formally to today's session.

On my right we have a -- on the far right we have Anita Sohan, the coordinator for security agenda and the CTO.  And, next to him is a UN official who is monitoring all the data.  We might also have one or two people join us online.  So, he is looking after all that.

So, Anita, can you please get the lights.  I hope you can all see.  Now, many of you are quite familiar with the Commonwealth.  We are very special breed.  We kind of close all the continents, main continents of the globe from Americas, Europe, Africa, Asia and the Pacific.

We do have 52 countries who are members of the Commonwealth, and the heads of states of all these countries meet every two years.  The next meeting being in London in April next year, where one of the agenda items will be on cybersecurity.  And, we want to appeal to you to help us to drive that objective by informing your colleagues back home at the highest level to ensure that the highest of states were prepared for this meeting.

We are also very familiar with the UN development goals.  Even those cybersecurity address, per se, was one of the goals.  You realize that for each of those goals there is some reference to how cybersecurity can affect all of these issues, food, gender equality, what is reducing inequalities, and so on.  That's why we have just put all these goals here. 

Cybersecurity runs across all these things.

We cannot over emphasize the importance of cybersecurity strategies.  Safety security and resilience are critical for cyberspace in all our countries.  National cybersecurity strategies provide the framework for countries to have an all-encompassing approach to protect cyberspace infrastructure, and every single Country is currently busy either ensuring the implementation of the strategies which they are implementing or fine tuning them, actually trying to build and establish a very resilient and secure cyberspace.

We are the City and quite actually assistant to facilitate countries who either wants to prepare the framework.  We ensure that (?) themselves, all we do is basically to provide supports to facilitate the process.  And, once countries adopt the strategies, they can leverage all the opportunities, which ICT brings for common developments.

Recently Minister said to me having big broadband project but I'm quite worried that I expand my broadband network and worry about cybersecurity networks.  It is something that comes across all the work that ministers have to undertake.

We adopted what you call a Commonwealth approach to developing national cybersecurity securities.  We did have a model which are ministers 2014.  The Commonwealth ICT Minister also meet every two years.  Since 2014 they adopted model, and based on that model, there are certain principles, which I encompassed in that model.  They also draw from the Commonwealth title.  Some of the principles with regards to cyberspace, one, that they all commit to a safe and effective global cyberspace.  Two, that all the actions taken in cyberspace are broad economy developments.  Thirdly, to act individually and collectively.  As you know, some of these cyber attacks are not just national, they cut across borders.  And, fourthly, that each Country decides their rights and responsibilities within cyberspace.

Next one.

When we assist countries to facilitate development of strategies the process that we go through, we do depth analysis in terms of preparing CMM, cybersecurity maturity assessments, that helps to understand where the countries, what are the issues, what are the gaps, where are the gaps, what do we do to address these gaps?

We look at the global context, because we all operate within the global village, if you like.

We look at the strategy goals for each Country, either from the (?) or the national planning.  We see how it is done to the civil security strategies.

We look at the risks, national risks, global and set up vision priorities, and all of these have been in all countries that have been active.

One more important thing is government involve stakeholders.  It has been a very interesting, sometimes frustrating exercise to convince Governments that stakeholder participation is essential, but I'm happy to report that most of the Governments you are dealing with have now begun to feel comfortable.  Without the stakeholder participation, they're not getting the buy-in themselves for once, but it is a concept that we did adopt.

I will not run through this.  We have done a lot of work, thanks to financial support from the UK government through the foreign and global office.  The countries either addressing cyber strategies or looking at cybercrime or standards.  Most of our countries, if you look at the economy, it's virtually de-limited by the SMEs enterprises, which you actually define it, because countries define SMEs differently.  But all in all, we find out that they contribute majority of the GDP, and it's important to really support these entities.  What they've done is to take a cue from a very successful experience in the UK where a UK addresses an issue of how do you encourage small businesses to meet business standards.  Here is the ISO207000 has been adopted globally and cumbersome and too expensive for these small businesses.  So, there was a process in the UK where private sector government cooperation led to creating a consortium that will endorse that small businesses satisfy those five or six controls, which are identified.  So, we tried to see how we can use that experience and bring that experience to our countries, and countries are beginning to examine that and find it quite interesting.

Next slide.

These are the countries we've worked on, Rwanda (?) is also working on Pakistan, Bangladesh, and all in the process to ensure that every Country has a safe and secure cyberspace.

Well, basically, that's it.  We can interact for that either during discussions or during coffee breaks.  Without ado, I would, if you can reserve your questions till late so we can take the presentations and then move on to open discussion.

So, with that I will move to Gavin Willis who will talk about best practices on cybersecurity.  Thank you.

>> GAVIN WILLIS:  Thank you very much.  Good morning, everybody.

First of all, I would very much like to welcome Shola's very wise words on national security strategies and we strongly encourage our nations to have such thing.  I work for the national cybersecurity center and one of our roles is to develop and publish cybersecurity guidance.  Our documents are primarily aimed at government departments in industry, both large and small.  Some years ago, our publications were very different and were often mandatory for government.  Much of our output was actually classified information or was withheld from open publication.  Things have changed hugely in that respect, and these days we publish pretty much all our guidance on our website where it is available for anybody.

We try to make it very readable.  Some years ago, our documents were marvelous technical manuals and if only people who read them were those that had to.  These days we actually want to produce documents that people will want to read.

One of our clear intent is to enable industry to operate in a secure, stable, and free Internet, and we believe that this encourages commercial prosperity and encourages investment.  Much of our guidance has been developed in consultation with other parts of government and with industry.  While I'm talking about partnership, we also engage very heavily with academia, and we regard cybersecurity as very much a team sport.  The national cybersecurity center has unique role, but we also want to leverage expertise from all sectors and we encourage all other nations to do the same.

We have radically reviewed some of our thinking.  In some cases, the guidance that we publish is quite different to the guidance that we published some years ago.  Underlying all this, is the principle of risk management.  We want all our customers to assess the risks relevant to their business and make informed decisions suited to their own needs.  We do not do particular box guidance.

As an illustration of the changes to our thinking, we've rather changed our guidance on passwords.  The classical guidance on passwords was that they should be long, and they should be from a rich character set and they should be changed regularly.  We're finding that it was unmanageable, we called it password overload, and we have changed our guidance.  A lot of us have quite a number of passwords for various systems and services, so these days we are recommending the use of password managers or password vaults or whatever terminology you choose to hold your passwords.  The ones used in browser are quite often fine, perfectly okay, but our strong recommendation is that if you're using a browser for this, please use the very latest version of the browser.

A standalone password manager might be a better option, but there will be some master access mechanism for that.  You may have a choice of a password or a pass phrase.  We would recommend using a pass phrase, and that can be longer and is easily memorable and you're more likely to remember it.

When you do need a password these days, we suggest a combination of three short unrelated words.  Putting three unrelated things together makes them quite difficult to guess.

If there is an important account, we recommend it is secured by two factor authentications.  We do not recommend forcing passwords to expire.  They should be changed where there is a compromise.  And, just looking forward a little bit, we are starting to wonder if passwords have had their day and we should be looking for further authentication methods.

I've just dug a little way into our guidance on passwords.  My request is that you don't take my words out of context.  Please read our guidance.  We explain the risks and the pitfalls.  And, again, please make your own decision as to what password policy you support.

The guidance that I'm talking about here is really aimed at unclassified or lowly classified government networks or commercial systems and that is nearly all systems.  If, however, you are securing your most sensitive national systems, then the risks change, and the mitigations may be rather conservative.  Again, make a wise choice, please.

Our guidance that is available covers quite a range of subjects.  Certainly not going to list them all.  Our website does have the further details.  As an illustration of the range, and hopefully the currency of our guidance, some recent ones include document on managing the risk of Cloud enabled technologies, and behind that we've also published 14 principles of Cloud security.

We've published guidance on using TLS, which is transport security, which is a protocol for securing access to websites and mail service, and I will come back to that in a moment.

We've published a set of documents on risk management.  Before anybody groans, I think they're reasonably readable documents on risk management.

And we've also recently published a small business guide.  So, we do try to cover quite a range of subjects, but there is a whole lot more on our website.

Two of our most important publications are ten steps to cybersecurity, which gives an organization essential advice, and keeping with the word essential, we also have a scheme called cyber essentials.  And, this is a package of guidance and organizational assessment measures that's been widely adopted in the UK.

The guidance, all the documentation is freely available.  The guidance is there and may be useful to many organizations.  The certification end of cyber essentials is mostly focused on the UK, but there may be things in there you want to use, and organizations can do self-assessment. 

We are encouraging the take of cyber essentials as a way to help mitigate the risks of supply chain.  Supply chain is a really difficult issue in cybersecurity.  The idea is that companies will become certified under the cyber essential scheme and that helps to give you a sure answer as to their fitness to be part of the supply chain for the customers or anybody buying product and services.  So, cyber essentials very widely available in the UK and details available.

We work closely with industry.  The flow of information is very much in both directions.  To increase capacity, because certainly my organization does not have anything like the capacity to provide the services that other (?) want.  We have licensed a whole set of industry partners to provide essential cybersecurity services, such as pen testing, incident recovery, training consultancy.  So, there is a badge which we are behind, but it is an industry that will provide the service.

We recommend this is a way forward.  It is to the advantage of industry and those who need help.  We see this as a win-win.  It helps both sides.

One of our other initiatives at the moment is called active cyber defense.  Now, before that scares anybody, that is not about hacking back.  It is trying to improve some of the underlying weaknesses that causes problems.  It is trying to improve the environment in which our customers are working.

There are a number of parts to our active cyber defense.  One of them is looking at hardening some of the protocols, such as SS7, which is a telephony system to take out some of the issues to do with unnecessary rerouting, and also BGP, border gateway protocol, which is to do with routers and where there are a number of issues that keep affecting us.

We are transmitting -- we are not transmitting.  We are transitioning most government Email systems to use a protocol called DMARC.  This is a tool which will assist in reducing Email spoofing, which is something of an issue.  So, we intend that all government Email systems will transition to using this DMARC system as an additional mitigation to anything else they're doing.

Also, we have engaged in Nominet, which is a company not only the UK registry, but it provides cybersecurity services to establish a DNS service for the UK public service, and this is to allow us to control or limit access to sites that we know to be harmful.

We're also developing a web tech service so the public-sector websites can easily be checked for vulnerabilities.  That is at an early stage, but we're getting some quite good feedback.

One of the reasons that we're doing these active cyber defense initiatives is to try to show that if we can make them work, then others may be able to use them, as well.  So, these are things which may be very widely applicable to the rest of the community.  So, please consider looking at these.

I mentioned DMARC, and our guidance on the use of TLS, Transport Layer Security, but includes a whole set of parameters for enabling and suitably configuring the TLS to secure the Email server access.

Some of these things are quite complicated and advanced and technical.  Actually, the heart of our guidance is some very, very simple messages.  We wish we didn't keep doing this, but we have to repeat some of the very obvious stuff every year because lessons, I'm afraid, do not get learned and we keep coming back to some simple messages.  Those include, please patch your systems.  A number of the major events that we've seen in cyberspace have been because patching had gone wrong.

Please secure all your accounts with passwords.  It sounds obvious.  I'm afraid we come across a number of incidents where accounts were not secured.

And please have a backup regime.  If you get hit by ransomware, your best defense is to have a backup regime in place to go back to a known stable state.

I think I've used up my time.  We have a lot of guidance on our website.  You're very welcome to look at that, and welcome to take any questions later in the session.

Thank you.

>> SHOLA TAYLOR:   Thank you very much, Gavin.  I'm sure you excited us with the guidelines from the UK and national cyber center.  It's great on your password analysis, and things that are yet to come.  I think that will stimulate everyone here to check your guidelines.

Now move to Tracy Hackshaw, who will be speaking to us about challenges faced by seeds analysis.

Tracy. 

>> TRACY HACKSHAW:   Thank you, Shola.  Thanks for the invitation to speak.

So, speaking here on the small and developing states and least Developed Countries, SUs.  Not going to be technical.  Today I'm just going to talk about the SUs related to the social and economic side of it.

Basically, in these territories, in these countries, what we're seeing is happening a series of issues facing our states that relate to this location.  So, over the last, maybe, ten to 20 years we've had extreme cases of social economic dislocation, and through this we find a breeding ground for criminal tendencies.  Added to that, the impost of consultation.  In the real world of weapons and so on and the cyber world.  Seeing the importation of anything as skimming devices and fishing type tools, we identify hacking happening at airports and at other locations, as well as other more drastic importation from countries in the case of the Caribbean Latin America and other parts of from the Middle East and so on.

So, what we are seeing here are potential areas for cyber terrorism happening in these countries, and as you may have read or heard about, even possible exploitation of citizens and resources within these territories to other countries to conduct that business because of a lack of didn't tees that are happening within our territories.

Added to that, when you look into the least Developed Countries, we have a series of submerged and visible ethnic conflicts that are rising to the surface and creating these situations where cybercrime and cyber terrorism are seen as outlets for bringing those conflicts to the surface and making those things real.

We also have what I call objectivity of security and we see security and it's (?) in the cyber world, cybersecurity being used as a means to protect and control.  So, what we have is an opportunity for potential cyber criminals to use those avenues that are emerging to win favor within their communities to become, so we have the emergence of gang and within the gang leader scenario you have cyber aspects of it.  So, if you're able to be a better hacker or able to prove that you can hack, you rise up in the community and you're given a level of status, and especially within countries like ourselves where those things are not very prevalent.  You are given a particular title status within that community and therefore you are looked up to, and that's an interesting scenario that is happening, as well, in these countries.

And, of course, to fight cybersecurity and cyber -- when, to fight cybercrime and encourage cybersecurity the extreme barriers within these territories.  So, limited resources, technical, financial and human.  And, of course our geographical and geopolitical advantages are very critical to that emergence of a particular class of any individual who are able to beat the system.  As you will see in many of these countries, skimming the simple act of skimming is extraordinarily prevalent and a huge market for credit cards exist within these countries.  So, you find that in the skimming world, those for skimming, you find the countries that are, let's say, I don't recall the Country names, but in other parts of the world who pictures of credit card numbers and that information hire out countries like small developing states and less Developed Countries to do that work both in Country, as well as remotely.  So, that's another emerging issue that is happening that we need to deal with.  Because the technological barriers exist within the protective agencies, it's very difficult to solve those criminal elements as quickly as you deal with one issue, another one emerges.  So, that's a very important issue to treat with.

I don't want to spend too much time, because I know time is running short, but in the cases in my Country I will just give an example where we have crime levels escalating unprecedented rates which I mentioned before leads to this emergence of cybercriminal fraction, and you have social networks literally social networks, meaning not just social networks online but social networks offline developing themselves as what I call safe harbors.  So, anybody from a Facebook group to WhatsApp group, to real group developing safe harbor, developing those carriers of criminal activity from one gang to another, and boot camps.  So, again, having that situation emerge very quickly within the region.

So, I will stop there, just giving those issues for discussion, and willing to answer any questions here after.

Shola. 

>> SHOLA TAYLOR:   Thank you very much, Tracy.  Quite interesting to hear from your perspectives on how you're fighting cybercrimes.  Given your limited resources, and to see how you also recognize the hackers, and even them having some kind of competition.  That is a very interesting experience which has been well managed.

 

Let's now move to colleague and friend, Robert Collett, to talk to us about (?) and how cybersecurity will be discussed at the next head of state meeting in London.

Robert.

>> ROBERT COLLETT:  Thanks.  I am not used to these.

So, thank you very much for inviting me.  If I can start with a little bit about this sustainable development piece and then move on.

As somebody who works on capacity building day in/day out, which essentially means different countries helping other Governments to improve their cybersecurity capability or working with companies in Civil Society to support international projects, which help improve cybersecurity capacity building, we ask ourselves quite a lot, what is it that we're achieving?  We started out doing these projects because we wanted to protect the UK and we knew that the UK, its cybersecurity was in intrinsically linked to all of our partners around the world.  It is not a partner you can solve by building your walls higher.  You need to go out to the source of the problem and build up international community defenses and solution.  So, we started by looking at this about how we can make ourselves safe, but then we have gone on a journey that has made us realize that helping improve cybersecurity around the world is contributing to the sustainable development goals.  It can do this by one, helping implement the do no harm principle in ICT for development projects, but it can also do it through maximizing good.  Those programs which think about cybersecurity from the very beginning tend to have better outcomes and there is lots of advantages you can get by working with your commercial sector partners who are aware of cybersecurity, and for your Civil Society partners who are aware of cybersecurity and thinking about security from the start of programs.

So, we are -- we are fully committed to this approach, and we think that it works.  If I had a request of the people in the room, it would be that first I'm going to come back to the second one.  The first would be we know it works, but being able to measure the impact is very challenging.  We've got a real data problem here about being able to draw the connections between capacity building and harm reduction and then delivering specific SDGs.  There is a good narrative story, but being able to put that into numbers is quite challenging and that needs to be solved for a collaboration between companies, universities, Civil Society, and government.  So, that would be the first thing.

The second, which I'll come on to, is, well, we know it works.  How do we do more of it?  And that is where we come on to two things.  The global level, India has just hosted the cyberspace, which is global cyber expertise, and a group who wants to do more in this area launched a global agenda for cyber capacity building, which essentially says we all want to do more of this, let's agree to focus on a few areas, let's adopt good principles from the development community and the security community, and let's coordinate and work together to do this.  And, I was really pleased that that could be launched in Delhi, it's up on the GSE website and something a lot of people around the world are going to get involved in and putting effort behind.  So, that is at the global level.

Now we come to what can the Commonwealth do?  Well, I think the Commonwealth is going to be one of those intergovernmental organizations and people to people organizations which respond to that global agenda, responds to the potential to use cybersecurity for the SDGs and respond to that security challenge we face.  We are part of conversations every day in the Commonwealth and there is a huge number of projects going on already.  The question is how do we take it to the next level?  That is where the UK is host of the April 2018 heads of government meeting.  I'm delighted that the CTO and its council call on heads of government to address cybersecurity for the first time as a main issue on the agenda, and that was discussed in Delhi and in multistakeholder group around the Commonwealth, and they said yep, we like that idea, thank you CTO council for recommending it, let's go forward to the next stage.  And, then, that led to this meeting here and a number of other meetings going on around the world on the subject.  And, what we really want to do is say, have we got the right list of project ideas coming out of these meetings?  Does what's up on the screen make sense to you?  Is it something that your company or your Civil Society group or your government or your university could contribute to?  And, we also want to make sure that we've got the political strand of this right as well, the political commitments and ambitions.  So, a document has been drawn up after that multistakeholder process of consultation, which has a list of ideas which are now in circulation, and the CTO can circulate that to anyone in attendance here.  And, we'll be taking that forward through the good offices of the Commonwealth secretariat and with the help of the CTO to that heads of government meeting in April.

So, from my side, I've spoken a lot.  I think really what I wanted this meeting to be is a two-way discussion.  Or actually a chance for me to listen and to hear from the floor what do people want to see heads of government do in April to do more about cybersecurity?  Do these ideas look like good ideas?  And, what could you contribute and what would you ask from the Commonwealth heads of government if you're able to pass on those messages, which you can through this panel and the CTO?  So, thanks very much for the chance to speak. 

>> SHOLA TAYLOR:   Good.  That is great.  I think that message is very clear.  We need input.  We already have someone online who wants to ask a question.

Please be very, very brief, straight to the point.  Over to you.

>> Thank you, chair.  We have a question from Mr. Denis Doh Foncham from Cameroon.  A very good question.  He is asking what is the CTO doing to facilitate the training of cybersecurity experts in member countries, especially in Developing Countries where it is a serious problem.  Thank you. 

>> SHOLA TAYLOR:   Okay.  We'll take quite a few questions and address them.

Yes.  Please introduce yourself and who you're affiliated with.

>> Audience:  I'm (?) with India.  My question is, in this particular list, I don't see anything about information exchange.  It is basically about exchange of information about private and public sector so whatever parts of (?) typically the comments do seek information from private sector which is g but at the same time, they should also see this whole thing as a tool process that the government should also share back with the industry or something.

 

>> SHOLA TAYLOR:   Thank you.  Please note the intent of this exercise is to get input for heads of government.  This is not a seminar where you ask questions.  Let's focus on what are the issues you want to bring before heads of state.

Yes, please, madam.

>> Audience:  Hi.  My name is Alex, I'm from privacy international a charity based in the UK but works internationally.  My question for Governments is to see how the work they're doing on cybersecurity needs to be harmonized or how it contradicts some of the border work that we're seeing where they're actually making systems and services more vulnerable by expanding their surveillance capabilities when it comes to government hacking both undermining encryption.  So, we need to see some consistency in government policies on that with one aspect working on cybersecurity and the other actually undermining it.

Thank you.

>> SHOLA TAYLOR:   Thank you.

Yes, please. 

>> Audience:  My name is (?) from (?) and I want to congratulate you for the initiative.  Want to, well, make sure that everyone knows that the OAS and the CTO have an (?) on cybersecurity.  We work very well on Caribbean Commonwealth title 14 countries that are members of the Commonwealth.  One thing that I think would be very apropos to share with our member states, the Caribbean side, is the need to have a proper follow up of the initiatives.  At least in the Caribbean, Jamaica, Tobago are the only member states that have a cybersecurity strategy.  Right now, Tobago is the only Caribbean Country that have a national CERT.

Many Caribbean countries, we have already seen many requests to be all or to have them with law enforcement units, but unfortunately, due to several issues, natural disasters, education, it's very difficult to prioritize sometimes cybersecurity, No. 1.

Second, sometimes ministry of security, ministries of telecommunications or ministries of education get involved and it's very difficult to understand who is the main leader, the main role.  Of course, this is something that was (?) organizations in one Country try to organize, but it's very difficult and if the heads of government can give more clarity on this it would be useful for all the countries.

It's very important that once those structures are defined and identified, there is a proper follow up and there is actually the proper allocation of both human and financial resources, because there is great rapport from Governments like the UK and the European Union and others, but without the proper allocation of human and financial resources, there would be nothing.  There would be just a strategy.  There would be just documents and the capacities will not be created.  So, this will be important to make sure those messages with member states.

Thank you very much. 

>> SHOLA TAYLOR:   Thank you very much.  Take one last before we now respond.

Yes, please. 

>> Audience:  Good morning.  My name is Abdul, I'm a commissioner on the Global Commission for the Stability of Cyberspace.  I'm also one of the founders of the Organisation of Islamic Cooperation Computer Emergency Response Team.  Three of the issues I would be very interested in our heads of states, and I'm from Nigeria.  Three of the issues I would be very interested in our heads of states putting on the agenda and possibly agreeing to is, first of all, agreeing on an initial set of norms.  Now, even if we can't get them because of the time to agree on some specific norms, at least let us get them to agree on the principle of the need for establishing certain norms in cyberspace and specifically with regards to cybersecurity.

The second issue I would want them to address, if possible, is basically the issues of cross jurisdictional efficiency.  How to improve and it what to do.

And then, basically, the third issue I would want for them to address is the issue of multi stake -- I mean multi-state standards.  So, that, for example, if somebody gets a capacity building certification in Nigeria, that certification should be acceptable in the Caribbean or across the Commonwealth, basically.  So, maybe something that even the CTO could drive, and one could discuss this later.

Thank you.

 

>> SHOLA TAYLOR:   Thank you very much.  We don't have to respond to all the questions.  The objective is to get inputs.

But, just to take the five questions that have been asked, what is training in Cameroon.  And, I can tell the guy from Cameroon that we did a lot of work currently, and SIK, which is the agency which the government has identified for cybersecurity, we are currently training that staff on cybersecurity.  So, there is a lot of work going on there.

Maybe I'll ask Robert to briefly talk about the harmonization and the norms which have been proposed from our friend from Nigeria, and also an issue on private exchange.

Yes.  Thank you.

>> ROBERT COLLETT:   So, discussing the standards and I think it's a really interesting idea. 

>> He can hear.

(Laughter)

>> ROBERT COLLETT: Oh, yes.  Sorry.  Internet age.  Got to remember that.

I think the only deal interoperability of standards is a really interesting one, and something we've heard through other feedback is that the Commonwealth really likes model approaches and it also likes that idea of efficiency.  Don't reinvent the wheel in different countries if you can have interoperability, do so.

I think it's from my initial conversations, through technical experts who I might turn to Gavin on this one, I think it's the sort of idea that we should be putting in now, but it would take quite a while to develop. 

Certainly, we have a number of standards in the UK which we're already working with CTO to help other Commonwealth countries adopt.  If you're suggesting new Commonwealth standards, that will take even longer to use to develop and get agreement to, but it's a good idea and one that we'll keep thinking about.

Then there was the idea of norms.  I think certainly it would be wonderful if the heads of government were to welcome the norms debate and encourage that to move forward.  Whether the Commonwealth is the right forum for agreeing new norms and for moving that forward and whether we would have time for April, I think that is different questions, but I certainly want to see norms being something which was discussed, and I think heads of government would want to discuss it.

And then, finally, on private sector, the information exchange, we didn't put it -- I didn't encourage it to be, like, a 13th item, because to me public-private partnership is something which should be enabler and run through every single project that is on that list.  In particular, incident response capabilities need to take into account the need for online information sharing platforms between CERTs and involving private companies.  Public awareness campaigns work best where they work with private companies and the customers they have.  And, securing the banking and finance system I think will absolutely need to involve industry at its heart.  So, it's something that, yeah, we were really passionate about already.  And, the same with Civil Society, actually.  I think that needs to run for all of these.

And, the final thing I would say is I really hope that individual companies and Civil Society groups and countries will kind of step up and say we are interested in really leading the conversation on particular ones of these really contributing to it and shaping where it goes.  So, that opportunity is still there.

 

>> SHOLA TAYLOR:   Thanks.  Can I ask Gavin to talk to about the harmonization?  We are running the center in the UK.  How do you collaborate with other countries?  Thank you.

>> GAVIN WILLIS:  Yes, thank you for the question.  It's a very good one.

In my agency, we are very keen on harmonization of standards.  A lot of our work is on the rather more technical product focused areas, and we're strong proponents of the things like the Common Criteria Recognition Arrangement, and we are very keen in any debates about international standards for product of the global picture has taken into account, and we are against small localized schemes wherever possible.

We have not been able to extend that as yet into the certification of schemes, in particular formal way.  There has been some progress in one or two things.  The CREST pen testing scheme, I believe, is international, and that allows organizations from other countries to become certified as CREST licensed pen testers.  But, it's certainly it's a very valid point, but these things do not necessarily come quickly and easily, but I can certainly see the desirability of it and it's a thing that we have in mind.

I'm sorry I can't give you a straightforward yes or no on that.  We are very keen on global certification for all kinds of things, and we would welcome any progress that was made in that direction.

Thank you.

>> SHOLA TAYLOR:   Thank you.  I saw one or two hands.  Yes, quickly, please.  Thank you. 

>> Audience:  I think we've touched on it, but it would be really good to see the heads of state establish a strong coordination mechanism for all the cybersecurity activity.  Sorry, I'm Duncan Macintosh from the Asia-Pacific network center, the Internet registry for the region.

So, to give you one example, Fiji.  At last count, the ITU, Australian government, the New Zealand government, the World Bank, and the Asian Development Bank are all funding cybersecurity initiatives and training that will land in Fiji in the next 12 months.  And, if the Commonwealth office has a sixth initiative that will come into Fiji without any engagement with the other five, Thomas probably the same, Samoa is probably the same, that is what I can think of of the Commonwealth in our region.  And, we certainly talk about coordination and engagement around it, but some sort of mechanism that would allow all those agencies to look at their different activities in particularly small island developing states would be really useful. 

>> SHOLA TAYLOR:   Thank you very much.  I can tell you we are currently engaged with Australia to see what we can help to do, and your collaboration would be essential.  If you can find some time to meet with us, that would be great.

Robert.

>> ROBERT COLLETT:   Yeah, I could not agree more.  And, that's why I'm really excited about the global agenda and what the Global Forum on Cyber Expertise could be.  And, so, I think having been on the panels which are discussing this before, I think the key would be to have two groups of community coordination.  One is thematic, along the different strands of activity, types of activity, and then the other is regional.  So, ideally, we would get to the point where we are having meetings in the region where all the stakeholders were attending to do that deconfliction activity, and then if I can propose one step more.  I try to learn from our development colleagues on this and what I see in other sectors, and there each Country would normally have a health development strategy.  And, there would be a donor coordination meeting in the Country hosted by the government around the government's own strategy, and they begin to say, you're working in the same specs or you're not working to our priorities, or this is what we see coming down the road.  And, that's where I think, probably, we would like to get to as a community with ownership by the local government and everyone comes and delivers to that plan.  But I know that's going to be a while.  So, let's do the regional coordination first.

>> SHOLA TAYLOR:   Great.  I'm also happy to inform you that earlier this year I had a breakfast between the Pacific ministers and they (?) to govern them together, possibly in the Pacific to discuss cybersecurity.  Place it on a high agenda for them.  So, it's quite in line with what you said.

Any last-minute questions or inputs?

Online.  Okay.  Please. 

>> Thank you, chair.  We have a question from Bernice from Kenya.  What is the Commonwealth doing about encouraging the adoption of multistakeholder model in government institutions to fight cyberattacks since government institutions are the major vulnerable to cyber issues? 

>> SHOLA TAYLOR: Thank you, Bernice.  I know her quite well.

I said in my opening remarks that one of the challenges we faced is to convince certain Governments to involve stakeholders in the whole concept.  And, I said it's encouraging, we're now getting Governments who are now recognizing that without this (?) approach they will not achieve what they themselves intended to achieve from the very beginning.  We are prepared to talk to any Minister, foreign Minister, any level to research them, if you like to get them convinced.

I remember a case in Nigeria where national security just didn't want to talk to anyone and we said no, we need to talk together.  And, that process really has helped to get everyone wanting to talk to every other person, whether you had security against these operators, the ISPs.  I think it has happened and we are sure there is work in that area.

Yes, Tracy, please.

>> TRACY HACKSHAW:  I want to address the comment that OAS made, as well, because I think it is important to understand that in small developing states and these Developed Countries where many issues are being raised in the Commonwealth fled to be raised, the resources are in fact a challenge.  One of the things that one project on foreign cyber wealth crime initiative, one of the things we learned is treating cybercrime and cybersecurity is a separate issue on its own creates problems.  Governments do not treat us in the same way as crime and security.  So, one of the things that came out was perhaps there is a way to bring cybercrime and cybersecurity into the security and crime discussions full stop, because that is where resources are going anyhow in regional discussions and discussions on border control, terrorism and those other issues.  So, why they need to keep it separate, it's important to ensure that where the resources are coming, they are mainstreamed into the other discussions and crime and security, and the point that is being raised about people coming in from all direction the cybersecurity because it's sexy.  Cyber sexy.  But you create a whole disconnect and disorder with things happening all over the place, and then it never gets the attention it deserves.  And, that is never good for anyone, including government.  Having worked with government I can tell you that.  So, it is important, I think, for everybody to understand that if we want to invest in cybersecurity and cybercrime, make sure it is mainstreamed to the overall security and crime discussions and where the resources lie.

>> SHOLA TAYLOR:   Thank you very much.  Any other questions?

Yeah, Madam, please. 

>> Audience:  Maybe not so much a question as a comment.  It's Alex from Privacy International.  Actually, maybe from the last speaker's point, actually for us it is very problematic for cybercrime and cybersecurity to be brought together, because from a legal perspective and human rights perspective it generates, and triggers different actors involved, different legal mechanisms and different redress mechanisms as well.  So, what we're seeing actually is that states are combining the two as a way to be able to say to expand and to kind of fuel how big the problem and to allow for further expensive technologies being used, both legal mechanisms to address the two.  So, from our perspective, actually, it is quite important to separate the two.  So, yeah, just wanted to bring that to the table.  But we can discuss it afterwards (Laughter).

>> SHOLA TAYLOR:   That's a very interesting concept.  Combine.  As long as they are being addressed, fine.  That is the bottom line.

Any other inputs?

At this stage let me just ask for very short closing remarks from our presenters.

Is there anything that you want to add?  Yes, Robert, please.

>> ROBERT COLLETT:  It's dangerous to put a microphone in front of me.

(Laughter)

>> ROBERT COLLETT:  I always feel a bit awkward in these things.  There are panelists and then audience listening, because this really has been a community effort.  The thing which makes the Commonwealth great is its people, and the Internet was built by people.  It is a people-based thing.  And, if this is going to work, it will only be done by forming those communities of people around the Commonwealth who have a passion for these issues and brings them together and uses governments resources to support them through this process.  So, I'm going to talk to a number of you afterwards to essentially say, thank you for your questions, and how can we work with you to build solutions which are going to work for the Commonwealth.  So, my apologies in advance.  I'm trying to collar you in the corridor, but we really are serious about this.  It needs to be something which is built by the people of the Commonwealth and involves companies, civil societies, and universities as much as we can achieve.

>> SHOLA TAYLOR:   Great.  So, we need (?) that is a message.

Gavin.

>> GAVIN WILLIS:  Very briefly, please do things to secure your systems.  Many things we talk about at conferences like this will then go away.

Thank you. 

>> SHOLA TAYLOR:   Don't forget to go and check the password guidelines.  It is key, interesting, exciting.

Tracy, you have the last word. 

>> TRACY HACKSHAW:   Thank you. 

So, again, just want to ensure that the issues that face developing and least Developed Countries, somewhat different than issues that face Developed Countries.  Let's not conflate the issues.  Let's ensure we understand clearly what the issues really are in the countries, and if there is going to be an agenda that is being put forward, let's put some real attention to what the countries in the least developed states are saying as opposed to bringing prescriptive solutions that will simply not solve the problem.

So, I want to make sure that is important for the Commonwealth as a government and to listen carefully to what is being said.  We don't have five or six or seven or ten solutions coming for one single problem.

Thank you so much. 

>> SHOLA TAYLOR:   Well, thank you very much.

>> Audience:  Oh.  The transcript --

>> SHOLA TAYLOR:  Yeah.  Don't worry about that.  Don't look at it. (Laughter) Again, the main reason why we call this meeting is to get your input.  We will continue the process.  Don't look at it.  Look at me.  (Laughter)

We want to have your input, your dreams, as I said, in terms of what the heads of government should do.  We are going to be sharing this with the member states.  Stakeholders, private, and government.  Please feel free to get with us in the corridors, online.

Thank you very much, and have a good day.

(Applause)

(Panel concluded)