IGF 2019 – Day 1 – Estrel Saal C – NRI'S Collaborative Session On Cybersecurity

The following are the outputs of the real-time captioning taken during the Fourteenth Annual Meeting of the Internet Governance Forum (IGF) in Berlin, Germany, from 25 to 29 November 2019. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

 

>> MODERATOR: Okay, time to start.  Good morning, everyone.  And the big thank you for the German organizers for providing free coffee at every single corner.  I think this is very important part of IGF and should be taken into notes for the next IGF.

I welcome all to this discussion session on cybersecurity.  So it's the National Regional Inter‑governance Forums which are going to exchange experiences on a couple of questions related to cybersecurity.  You can see quite a line of I would say contributors rather than speakers.  Which is okay for this kind of session.  I usually prefer to have as few as possible speakers, but actually here we want to hear what were the experiences from the national, on the national level.

I'm sure that many of you also have experiences on the national level, even if you are not part of the session.  So make sure that you interrupt us at any point in this questions that I will mention.  And jump in with comments and questions, which is equally relevant to the people that are joining us remotely.  So we will try to make sure that we are following closely if there are questions from the remote.

With me, another colleague, he will, as we agreed, play a little bit of a devil's advocate during the discussion today to try to see the important aspects of each of the national discussions.

Before I go to the panelists and present them or maybe I can start actually with that because it shows the diversity.  And we are even missing one of the participants, but that's not bad.

(Laughter)

>> MODERATOR:  They might show up and jump in from the background somewhere.  So we have the representative from Brazil, from Italy, from USA, from representative of Japan, and South Korea, sorry.  This is a big mistake.  Well, can we also have some of the North Korean friends as well join us in the future?  I'll save that question for later.  Thank you.

Again, I'm sure there are many of the friends over there that can contribute as well so, we hope to get your reflections.

What are the four policy questions?  There was a discussion in preparation of this session, what white be the policy questions.  We don't have much time.  So the focus is on four questions that are rather general but specific enough that we can get the experiences from the ground.  So I'll start naming them and we will go one by one.

The first policy question says, cybersecurity, how to bridge the gaps and make them work.  Even though norms are generally discussed many international regional setting, it's quite important to see what are the national standpoints with regards to the norms? And what are the experience, priority focuses on?

The second question is, how cybersecurity policy and regulation can address emerging technology challenges and upcoming threats.  So the focus will be also on the national framework, the policies and legislation on a national level, how are they being set up?  What are the main lessons and so on?  And I will encourage you to share the bad practices and lessons learned that didn't go the way you expected.

The third question is, how can corporation and collaboration on national, regional, global levels help to increase cybersecurity?  So that's basically that's some good examples of the cooperation in the region and hopefully we establish more cooperation among yourselves as well.

And the fourth one, what role can institution arrangements as well as difference stakeholders play in cybersecurity capacity‑building approaches?  So what are the roles of the stakeholders?  How do they interact on a national level?  And how does that contribute to developing the capacities?

Let's start with the first one.  We received a number of basic inputs from our colleagues here.  So in a way, assigned a quick role to each one of them for the questions, but I encourage you to jump in and if you want to add anything, you can do that at any time.  Focusing firstly from norms making and I will start with the colleague from Japan.  In your contribution, you had a particular interesting focus on or comment on the lack of presence of some of the stakeholders related or relevance for norm, but I leave it to you to share the thoughts and experiences

>> Thank you very much.  Good morning.  From Japan.  In response team.  So first things first, there are several ‑‑ there are cybersecurity norm-making process ongoing.  Which I myself participated.  And at the United Nations, we do have a ‑‑ some few norm discussion.  And next round, all starting in few weeks.

So and then it was yesterday, I'm very happy that I can witness the launch of contract.  So I have no doubt we all need these process.  And then among these norm-making processes, GGE, 2015 charter, GCSC, these three norms, agreements, mention about the partnering from technical point of view or instant responder point of view, Government stock piling is an emerging problem.  And we do understand, for example, Government, enforcement, military, they have ‑‑ they need to permission in their own environment and they have in some case, they need to use those (?) in tracking mobile phone, used by terrorists.

So with understanding the necessity or rationales, I still need for any norm‑making process, we need to listen to all stakeholders.  And all stakeholders are also emphasized that the community should also need to listen to the (?), because in this time, they're the one who has the most advanced offensive cyber capability.  They are the one who can develop and conduct these cyber-attacks or cyber operations.  And making without concept or without the consultation to them might not be, at least is very difficult to enforce, you know, those norms.

So to enforce norms, so I suggest all of these norm‑creating process consult with military.  Thank you very much.

>> MODERATOR:  Thank you.  That's very interesting and important comment.  I'm sure there would be reflections on the role of military intelligence in driving the norm process.  But maybe a quick reflection or question back to you, to what extent do you think the military and intelligence was actually involved already?  Maybe on the Japanese level, but in general in the process of norms making on a global level?  Do you have any sort of, well, even Japanese experience?

>> So for Japanese experience, we do not have offensive cyber capability.  That's for sure.  And then for the process, for example, the GCSC, we have commissioners who used to work as a legal adviser for operations.  So for GCSC, there was some communication between.

>> MODERATOR:  Thank you.

Looking at the European set of perspectives, one of the points that Europe comes up is also multi‑stakeholder and multi‑lateral involving different stake holds.  To what extent you thought about involving the military, but I know one of the positions is involving more of the tech sector

>> Yes, we didn't come to the level of discussion of involving the military.  So if you take us on the norm making process, well, first of all, I believe that there was a general agreement that with all these discussions and mushrooming, norm‑making processes, we as a community are turning into sort of norm‑making machine.  But we don't have mechanisms for the norm implementation.  And while it was largely agreed amongst stakeholders that norms should remain binding and voluntary, you know, as opposed to regulation.  But there are quite a few issues as to why they do not work actually.

So the participant, the community of EuroDIG agreed that norms should be developed in multi‑disciplinary way from the very first draft processing on the ground.  Because there was a strong belief that technical community does not contribute a lot in this process but not because they cannot but just because they are not invited frequently.  So of course, EuroDIG takes multi‑approaches.  So there was a strong ‑‑ then again, we recognized that we come to the point where when we talk about multi‑stakeholder process in the norm make, stakeholders will be involved on the different levels of this process.  But technical community, again, I will highlight should be involved from the very beginning.  There was also strong agreement and we wanted to send a strong message that multi‑stakeholder processes and multi‑lateral process are not the opposite to each other.  We should stop putting them into ‑‑ in this kind of contrast.  We should stop creating these kind of dichotomies and just agree that multi‑lateral process will exist and multi‑stakeholder process will exist, and they'll complement each other.

And the last very important point I want to highlight is the private and corporate environment.  We are talking a lot about state responsible behavior in cyber‑space.  But I believe we should start talking about corporate behavior in cyber‑space.  Can they also create norms?  Can they join existing norms for the responsible?  Because in cybersecurity, we have state actors and non‑state actors.  This issue is still to be resolved, the discussions just starting with processes recently.  So thank you very much.

>> MODERATOR:  Thank you.  And actually you raise an important question which you might get back to later.  And together with the Japanese experience, so mapped roles of the technical sector, military intelligence and private sector.  A good question, do they have capacities to actually get into the process and being in the shoes of the others?  Maybe a quick reflection that.

>> I think that if they have capacity to contribute to cybersecurity, if they have capacity to provide cybersecurity, they should be at the table.  They should have capacity to be in this negotiations process as well.  Because it concerns them.  And here I am speaking rather, you know, from I'm not representing EuroDIG here but as researcher and someone involved in process as subject matter expert.  So this message was not sent by Europe, but this is my opinion.  Thank you.

>> MODERATOR:  Thanks.  One of the messages can be trying to make sure that each of the stakeholders get the chance to be in the shoes of the others, to understand the process, to have the meaningful participation in the process.

And moving to the U.S., because the U.S. has kind of a focus on infrastructure layer.  But I guess one of the questions linked to that are what are the key stakeholders that should be part of the process?  And what are the key stakeholders targeted with this particular focus of the norms?

>> Thank you.  I'm very happy to report that in the United States, we have a vibrant multi‑stakeholder process.  I feel that it equally represents both the private sector, corporation, and the internet infrastructure companies themselves as well as the civil society sector and the Government.

We work collectively.  We tend to focus on specific issues.  One topic at a time.  Because especially with cybersecurity and safety, this is a continually evolving process.  We see that the types of threats expand on a, you know, sometimes daily or monthly basis.  The threats expand in complexity as well.  So it's not something that we can, you know, get into a room, talk about, and know we're going to be fine for the next four to five quarters.  We know the dialogue has to be consistent.  So we have several forums to work on those sorts of activities, both that are led by the public sector where Government will act as a convening body to help bring the appropriate parties together, and they play that role of ensuring that all of the appropriate voices are in the table, that you have enough technology companies that represent different layers of the internet, not just the internet infrastructure.  That you have a civil society or an end‑user perspective.  And can provide feedback to any potential legislative, regulatory action that might be happening.

>> MODERATOR:  Thanks.  I'll stop there.  And we will get back to the question.  I wanted to check, does any one of you want to share your experience or have any question on what you have heard so far?  You can just stand up next to the microphones at any point.  And in the meantime, I will use the first row, Carlos, any of the reflections or the questions that you might pose at this moment?  Quickly.

>> Perhaps a question which is general.  What I think is that most of these questions are in the complex situation that we live today in terms of cybersecurity, beyond the capacity of any Government to make sure that you have absolutely secure networks.  Every expert is screaming that.  There is no absolute security today.  Unless you disconnect from the network.

So I would like to emphasize the group of questions number three on the policy questions.  That is the corporation collaboration national, regional, and global levels which help or not to increase security.  How is that?  How are the national IGFs, for instance, talking to each other?  What are the opportunities we should try proactively to open, to dialogue with others who are confronting similar questions in the cybersecurity field?  I think that is a quick question.  Because if we have a huge group of national IGFs and regional IGFs, and they do not conform a network, they are not in a dialogue mood, no?  I remember that in Brazil, we had a national IGF.  And Argentina had theirs at practically the same time.  And we were unable to organize a dialogue, taking advantage of both being active at that moment.  Would be very interesting to have that dialogue.

So that's my worry that I would like you to, if possible, respond.

>> MODERATOR:  Thank you.  Thanks, Carlos.  We can save the second question to the next round.  But I don't know, on the first one, anyone wants to jump?

>> Sorry.  Perhaps I didn't get it, the one about the dialogues at regional level is the second question, right?  Okay.  I wanted to perhaps intervene on the first question.

And my name the Laura.  I work for the foreign affairs.  So I like to bring in international perspective here about the norm creating initiatives.

And there are a few processes going on at international level.  And especially the GGE, our Japanese colleague mentioned has managed to produce a set of responsible states behavior in cyber‑space in September, the first substantial session at the U.N. in New York.  The room with a mantra, there was international law applies online and offline.  So and then we have managed to create some confidence‑building measures at various regional levels and then I'll come back to that, because it connects to regional.

My point is that all these create a framework.  A framework that is important to continue building within.  Because one aspect of the proliferation of norms initiative, they might undermine or endanger the framework we have which is important too, otherwise, we run the risk to throw the baby out with the bath water at the same time.

And in terms of involving other stakeholders within these processes, especially the military at international level, usually foreign affairs or one state decides, makes the sentences and then sets the international.  And then internally and perhaps we come back later to that, the part of the national regulation processes then, I think it's Government and each state does that within.  Thank you.

>> MODERATOR:  Thank you.  And this again underlines the question or the need for capacities in country, actually not many are involved or understanding that the challenges of cyber‑space.  And that might be one of the questions in the last round.  I'll save you or if you want a quick one?  Okay.  Because we have only an hour, we have a lot of topics.  So thank you for keeping short in your interventions.

Jumping to the question number three first.  Because it's related to this.  It is a cooperation on the national, regional, and international level.  And our first start with ‑‑ now I have to be cautious, South Korea, right?  North, south.  I'll start with the Frederick.  In the contribution, many focused on the national framework.  But actually there is a loss there, the national corporation, particularly international organizations assisted you as a country, can you share a bit more with us

>> Yeah, of course.  First of all, good morning to everyone.  It's lovely to see huge audience first of all because it's early in the morning.  And usually early sessions are always less.  Everyone is still sleeping.

And yes, thanks for the organizers.  And I come from the North Macedonia and representing the IGF.  At that time, Macedonia since 2016, we have raised or we have been so behind other neighboring countries in the region, Bulgaria, and since 2016, we have done extensive support of international level such as NATO, OEC.  And we had very corporation, and many others international organizations.

And from 2016, now we are better than the others in the region.  In which sense, we have established a national cybersecurity center.  We have established an IGF.  We have established all or drafted a national cybersecurity strategy.  We have established now an academic national cybersecurity center.  And then also, we have established more educational systems, so we are getting educated, young generations.  And we also have established now at the moment, establishing ministry of defense or military as well.

So as we can see, in such a short period of time, which is three year, let's say four years now, we can see that with the national and international support, it's possible.  Of course, (?) but still it's really important that you have support.  On the one hand and on the other hand, of course, you have to be eager to achieve that something.

>> MODERATOR:  Thank you.  And it's very relevant because you come from a small country.

>> Indeed.

>> MODERATOR:  And this sort of international support and corporation probably also a regional boost and the regional competition who is going to be better is something that's relevant, right?

>> That's true.  And I want to address something very important that Carlos mentioned, how do we cooperate together with region?  And frankly speaking, we turn several international organization, for instance, Macedonia and other certs are grouping together, at least twice per year and they are doing advanced trainings, getting to know new technologies, new norm, and also they are getting more specialized in cyber‑crime, digital forensics or more details.

So it is possible but of course that possibility is only possible if you have and if you only are eager to do it.  And if you are not, it's of course not going to be happening unfortunately.

>> MODERATOR:  Thank you.  It's good to hear good news from the cooperation, even if cybersecurity.

>> And especially we were all together one country 30 years ago.  So if we don't cooperate, it's pointless because we do know each other.  We know each other's languages.  We understand each other.  And very much in the past 10 years even, 30 years since actually, and it's been going up and down, worse and many things changing and so on.  But that doesn't mean that we don't have to cooperate or make sure that you don't actually protect only on your borders of your cyberspace.

>> MODERATOR:  So a new meaning.

>> Indeed, yes.

>> MODERATOR:  On cooperation.  Thank you for doing that.  Moving on to South Korean position.

In the contribution that you shared on South Korea, you have the particular emphasis on bilateral and multi‑lateral cooperation but on the leadership on South Korea, can you elaborate a bit more on that?

>> Okay, I'm from South Korea, not the North.  And Macedonia tensions, south and North Korea's tension is much, more higher.  Even Kim Jong‑un discuss each other, actually there's a lot of things going on under the, yeah, under the North.  And just wondering, just stress one very big move from South Korea.

So South Korea released cyber‑security strategy at the end of last year.  I think it's inspired by (?)  And that strategy plan is very big and very important.  Because it is stressed that infrastructure safety and competence and establish cybersecurity.  And building obviously mentioned that the capacity of the industry very important because that means private sector cooperate with each other.

And in addition, international cooperation is very important.  We do  that.  But my take on here is I can say in two‑fold.  First of all, national level of norm making and international level.

Multi‑stakeholder is very important in terms of cyber rule making.  As you all know, some of multi‑stakeholder really does not demonstrate with the cybersecurity norm.  Because too much strict norm in cyber space is going to be very much pressing on some privacy issue.  But that's still a lot of gap between multi‑stake holder in South Korea.  And I organize some (?) in South Korea last summer.  Still kind of, really big.  It's still going on.

And in terms of the international operation.  IGF isn't easy.  You know that.  But I foresee I'm aware of that, there's a palpable understanding, mutual understanding that not going to make anything.  Because it's just bureaucratic process.  And then how can we make international law, really long way to go.  In practical term, as a lawyer I can put it in terms.  Too much to agree, literally make an agreement, but too much high.  That means I suggest that, it's like (?), so many practice, best practice cooperate officially, unofficially.  They cooperate each other to track down who (?) this kind of dividers.  And then that's why I'm asking that we can hope they're going to be international cooperation in terms of cybersecurity policy making, cooperation.  But in practice we need weight on cybersecurity (?) especially.  The instrumental tool going to be very hard.  And much more practically cooperate each other in practice, best practice.  Thank you.

>> MODERATOR:  Thank you.  I saw some of the faces around the table.  I'm not going to open the discussion from norms but a quick comment from the colleague from Brazil.

>> Thank you.  I'm here representing CGI.  A multi‑stakeholder committee that we have in Brazil.  And then establish the strategic directives for the internet in Brazil.

What I want to share about the cooperation is that, it's not the case that the cooperation needs to be only led by the Government.  And we have an example there in Brazil where the academic network of South America, Latina America, network for the academics in South America joined with (?), the academic network in Europe.  And in Chile, we have a couple of projects dealing with astronomy.  The same information to Europe.  And that information would have to be in Europe as fast as possible.

The connection we had in South America to the internet to Europe would go from northeast Brazil to Miami and then from U.S. to Europe or where we would connect with Europe.

And that would bring the concern of, let's suppose we miss this connection to the West.  And then very likely South America would be disconnected from the internet.  So there would be a need to have a direct connection from South America to Europe.  And with this project, there was lead between the academia from South America and the academia from Europe, we are now establishing a direct connection from Europe to Brazil.  And from Europe to South America.  And with that, the Brazilians, the internet in the South America and also in Europe when need to connect with South America, becomes higher but since we have the multi‑stakeholder processing the internet, it's important to say that sometimes this process may be lead for other stakeholders as well

>> MODERATOR:  And thank you for that.  Because we have him taking the notes, talking about cooperations, really needs to be all the levels.  I will get back to the Japanese experience or one of the things that you mention there had is the cooperation of the certs.  So the technical level of cooperation, quick reflection from you and then I think we have a comment from the remote or two.  All right.

>> Thank you.  So since I'm from Japan, let me briefly introduce how talk to each other.  Actually one guy sitting in this room, but we have a global association, organization called first, forum response team.  Like many others, it's a community by staff.  And upon, well, for example, in Japanese case, we do have 200 instant report each day, each business day.  And about half of them from United States.  And other 30% from China.  And the rest from other countries.

But to mediate the damage caused by instance, we need to coordinate with our counterpart in United States, our counterpart in China.  And it's really helpful through ‑‑ so at first, we do have a semi‑automated information sharing system among four members.  So those automated information sharing will help us a lot.  Thank you very much.

>> MODERATOR:  Thank you.  Okay.  Comments from the remote.  Well, who is remote?  We are remote or they're remote.  We're all together.  What are the questions.

>> These are comments.  We have Erik from North Macedonia.  And he's the coordinator of the national IGF.  He is saying that the national with original level as an active contributor and also EuroDIG and we have Tom in south Jeremy.  Many thanks to the great discussions.  I believe there's no doubt about the multi‑stake hold every approach to find norms for cybersecurity.  Nevertheless, there are major differences with the preference, especially when it comes to the offense and defense mindsets.  At the moment, there's a gap of an open dialogue about the pro and cons of the offense and defense approach and con text to build a common interest for global norm.  Without such dialogue, the risk of an internal consequence such as the weaponizing of zero days and vulnerabilities, though non‑state actors are increasing.

There's local and global norms, can they be effective if they are not binding?  I think that's a question

>> MODERATOR:  Well, thank you Tom.  It's a pity you're not with us here.  And thank you for jumping in with the remote comments.  And particularly for mentioning or underlying the IGF structures importance like as the southeastern European dialogue.  And that builds up on what Carlos mentioned the, value and power of the IGF infrastructure in the cooperation.

We will move to the second question on policies, but before that, I first wanted to check if any one of you wants to share a comment or thought or a question.  And you're still shy, you can also do it remotely if you wish.

(Laughter)

>> MODERATOR:  That's one of the topics.  And I'm passing the mic quickly to Carlos.

>> Thank you.  Interesting because again, question has a lot to do with international cooperation when transporting issues.  I would like that when you comment like EuroDIG, transparency and accountability, literacy, and awareness, a lot of things.  This is ‑‑ these are a set of themes, plenty for another conference, no?  But again, Korea expected to comment on role, principle, priorities, cybersecurity policy and regulation.

Again, I am very worried that most cybersecurity challenges that we are confronting today are transborder.  So if you can link these themes and these issues to that idea that there are not only national and big challenges coming from abroad into your country and vice versa, this is very helpful, I think.

>> MODERATOR:  And you actually gave me an idea for an appeal.  That for next year, this session should not last an hour, but probably two hours.  No, I'm serious.  You're right, this is the key, the cooperation.  And we have an hour to discuss this.  This is definitely not enough.  And the other appeal might be for the national regional IGFs, try to embed in your national regional IGFs on the agenda, the regional discussion as well.  So that at each of those places we have space for regional discussion at least.

Quick reflections and then we will get back to the question.

>> So if we continue to talk about regional approach, I really would like to thank Carlos, because he has not been to the devil's advocate in this case, but the gold advocate.  Because he really raised a key point.  Cybersecurity is a matter of trust.  Trust, it's true that within every regional group, there are competitions, and national states perspective.  But in the end, what we have observed at international level is that the best results in terms of confidence‑building measures have been reached at regional level.  Because it's ‑‑ you have to get a gradual approach in reaching the trust, especially when we deal with tough topics and very close character topics like security and the tendency to be very reserved and to keep the information by the agencies that are nationally involved.  So definitely dialogue at a regional level is key to achieve any result in this topic.  Thank you.

>> MODERATOR:  Let's pass the mic, next time we have to share.  The ladies there and the gentlemen there.  Let's go with the ladies first then.

>> We do have geographic diversity though.

>> MODERATOR:  And gender.  I wish to see more ladies at the table, but this say good start.

>> I want to go back to what Carlos mentioned and say the key to making this work is to get the private sector involved.  In addition to being co‑chair of IGF USA, I work for a technology company, an infrastructure company.  And it's important for companies in our sector to participate because just by the nature of the internet, we are all global.  We operate services.  We might be headquartered in one country, but we have offices and data centers and providing services throughout the world.

So we are an important sort of point for collaboration.  And we in addition to the NRI network and IGFs, we do also work with law enforcement.  We have relationships with Governments beyond just the certs, but as well as any sort of defense or cyber organizations where we're in ready‑contact and sharing information.

But this is something that's not ubiquitous ‑‑ and one of the ways of doing that in terms of when we talk about accountability, is really on the information sharing and reporting and disclosure side.  I think that's a great avenue to look at trying to encourage participation.  But what we can do is encourage people to come in and to report and to share base‑level of information, because we all get smarter and our systems can be a lot more secure the more that we all know.

>> Thank you very much, Carlos, for bringing this very important issue.  And as you pointed add EuroDIG, I'm going to address it briefly.  So first of all, EuroDIG per se is European dialogue.  So per se, it is collaborative initiative.  But if you look at this from the European perspective, Europe is collaborative as well, but we are mostly talking about European union.  This is where transborder cooperation is going quite well.  Of course, there are bumps on the road but much less than in other regions, because countries close like kind of culturally, economically, and so on.

But when we talk about EuroDIG, we talk about entire Europe.  So we include Georgia, including North Macedonia, Serbia and other countries.  And this is where we're trying to create and facilitate the dialogue.  EuroDIG walked a very long way, not even to force the corporation, but we face from the beginning that we have to build capacity for the stakeholders at least come to the same room and start talking.  Build capacity for civil society.  Or being engaged in the debate in cybersecurity at the EuroDIG level, for the individual users, for those who that thought cybersecurity would be for national agencies.

And now I am very proud to say that at EuroDIG, volunteer the same table.  Civil society, academic institution, the issue of course here is whether these dialogue can go then back to the national level and promote this cooperation on the level of the Governments, on this national, regional initiatives and.  Of course here we are trying to trace the issues which are common at the IGFs.  But they're more on the entire level of EuroDIG, not only on cybersecurity.

But I think that I am very proud to say that EuroDIG is doing pretty well in contributing to this dialogue and to foster this collaboration, into putting stake holders and the same table and making them discuss in very pressing issues and sometimes very controversial issues.  And we are getting better each year at least.  Thank you.

>> MODERATOR:  Thank you.

>> I would like to add on to the discussion in a sense that with the country, my name is Jeffrey.  I am cybersecurity adviser to (?) and the chair to our national IGF.  We do believe and highlight that collaboration is the key.  And information sharing.  As previously mentioned, cybersecurity and technologies evolve quite process which Pope Benedict says a challenge to our island states where at some point we tend to ask ourself where can we start in order to protect ourself?  Or are we able to protect ourself?  This gives us a challenge, therefore, we tend to look at it in three levels.  Basically international collaboration, national between the Government and private sector, doesn't work too well at that level, but we have a bigger ratio, percentage on the end‑user or the civilian communities.

And that provides a very big challenge.  So in order to enforce the multi‑stakeholder approach, we emphasize a lot of awareness and collaboration and information sharing but then, again, it can be difficult in a sense that the lack of technical experience and also lack in digital intelligence also in a way provides in all levels in terms of cybersecurity.  So that is something that we believe over time through our multi‑stake approach from especially (?) and the police, the IGF, as well as other stakeholders could approach and enhance in order to address cybersecurity.

>> MODERATOR:  Actually I want to stay in your region, not only because it's warm and much better than here and to repeat the call for the environmental protection, climate change and all these things.  But I want to stay in your region to check what is the status of the national policy, the national frameworks?  Well, in Vanuatu and in general in the islands and what is the cooperation among your states?

>> I am happy with that question because as a small island state where we lack technical capacity, one thing that is working is national policies.  We just released the national security strategy.  And in 2013, 12‑13, we had the national UAP, universal access policy.  And we have the national ICT policy and cybersecurity policy.  Inside those policy, steps or guides to actually work towards and without capacity, alongside international collaborations such as I.T. or (?) as well as lower agencies, we focus on that to achieve that first.  So in a way, we can say we are taking baby steps to address cybersecurity which is evolving every day as well.

>> MODERATOR:  Looking at the two gentlemen to your left, because again still the same region.  In the South Korean contribution, there was emphasis, I mentioned it before, on even on a foreign assistance, the question is to what extent ‑‑ for all three of you, to what extent there is cooperation basically from Japan, South Korea, the Pacific islands in this foreign assistance in relation to cybersecurity, in helping the Pacific states to establish the national frameworks and cooperate regionally?  Maybe we can start with the Korean and Japan and then back to you for your perspective.

>> My thought to what he said.  Cooperation is still variable, even though the multi‑cooperation (?) quite long way to go.  And then there's possible solutions there through enhancing security cooperation.

For example, Vanuatu connects in terms of technicians.  We can make a suggestion to cooperate with some kind of the ‑‑ very much brand-new threat that we exist several months ago.  Maybe.  Kind of the practical knowledge sharing is very important.  The information that the information sharing is very important, I believe.  Because sharing the collected information in terms of a cyber threat is very important.  You know, if you go to the gray market of cybersecurity, the threats we are aware several years ago is not anymore threat.  It's already gone cyber threat is evolving.  And in the scale, in severity, and the cyber-attack is kind of scaling.

That means just remain our holding each year's position with our cooperation without sharing the very information, very important threat, we can't, we cannot make a response to the cyber-attacks.  That means sharing practical terms to share the information of the cyber-attack, we don't need, you know, international agreement.  We just do this.  By practice.  Okay?

If several more countries do not agree, we can start bilateral and add one more and add one more.  And that means regionally establish the service cooperation practice going to make much more practical, global service I believe

>> MODERATOR:  I think an important note is usually we talk about the norms and stability, we talk on an international level between Russia, China, U.S., but actually the con flicks are not there.  The conflicts are the smaller regions and the escalation in the smaller region.  And in that sense, the regional bilateral cooperation is probably the key.  And if you want to comment on ‑‑ well, the Japanese perspective, but particularly the Pacific islands.

>> Yes.  So again, I want to contribute on capacity building in Asia Pacific and South Pacific region.  I myself have been visiting Fiji for few times to stir up regional cybersecurity response team called (?)  And that organization supposed to be shared, national for the region.  But the idea was not well received after few years.

So it does not exist anymore.  And right now, there are a couple efforts, one led by Australia Government.  So Australia, New Zealand, they are pretty active in the region.  It was really few weeks ago, they hosted a regional capacity seminar for the region.  And for Japan, I think since Australia and New Zealand, they are closer to the region, we can step back and relax.

>> Want to add to what he said that's mentioned, Australia and New Zealand are playing a proactive role in the region.  And also the establishment an existence through the Australia Government.  Which is the Pacific cybersecurity network organization.  That covers all the Pacific island states.  Whoever year several times a year they come together and communicate on cybersecurity stuff.  But I think the most active one at this stage is the collaboration and through best practices and conferences and workshops and stuff.  So that is what is drive, I think, in that region how we address cybersecurity issues.

>> MODERATOR:  Well, I'm sure you know we would all be happy to join you.  So invitation is welcome always.

I want to finally, quick one and then ‑‑

>> Member of the cert.

>> Asia Pacific, because we have just established our cert in 2018.  June 2018.  And this year, we established the national IGF.  And we are fortunate to have a director ‑‑

>> Sure.

>> But it was established last year.  And ‑‑

>> Okay.

>> And we are in this level of this state moving towards as we speak, we are looking to joining to first.

>> Yeah.

>> We have a couple of invitations through the other in the region.

>> If other small island country to join operation program, it's going to be useful.  And for South Korea, it's provided some ODA.

(Audio trouble)