IGF 2022 Day 0 Event #85 Assessing National Cyber Maturity

The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***

 

>> SAM HALL: Great, Wallace and Chris, would you like to come up? I think we're ready to kick off. And it looks like the translators are ready as well, which is great.

OK. Good morning, everyone, and thank you for coming. I would like to start with thanking our various hosts for this event, so the Government of Ethiopia, the Economic Mission for Africa, and, of course, the IGF Secretariat for allowing us to go ahead with our event today on the CMM. So my name is Sam Hall, I work in the UK's Office of the African Union on Cyber Policy, and with me today we have Professor Wallace Chigona, who is a professor in Information Systems at the University of Cape Town, as well as the codirector of the Cybersecurity Capacity Centre for Southern Africa. Wallace's research focuses on ICT and ICT development, and he's been widely published in the area and holds a PhD, an MSc, and a bachelor’s in computer science.

And then to my immediate right we have Chris Banda, who is the head of Malawi's Computer Emergency Response Team, or CERT. Chris has a long career in technical cybersecurity, 14 years in government, and has been at the center of a lot of major cybersecurity developments within Malawi, this includes the development of Malawi's cybersecurity strategy, as well as the design and management of the CERT, which he currently heads up. He's also been involved in many international policy groups such as the ITU, COMESA (phonetic), and SADC, and is the vice rapporteur, or at least has been, of at least two ITU study groups. And then finally, not with us at the moment, but a colleague who will be joining on the screen later, is Colonel Augusto Barros, from Brazil. He holds a BA and an MSc in Electrical Engineering from the British Military Institute of Engineering, studied Business Management in Brasilia as well, and is Deputy Director of Information Security Department in the Brazilian Presidency's Office.

And with that done, I'll quickly say a few words about the session today before handing over to Professor Chigona, who will kick us off with an overview of the CMM. I should say what the CMM is. It stands for the Cybersecurity Maturity Model for Nations, and it's essentially a tool that countries can use to benchmark their cybersecurity progress, to assess where their greatest needs are when it comes to cybersecurity development, and use these outcomes to set national plans for development, as well as inform national cybersecurity strategies.

I think something like 88 countries have completed a CMM to date, with a majority undergoing a second, including Malawi, and Chris will tell us a bit about that today.

So, as I say, Professor Wallace Chigona will kick us off with an overview of the CMM is, as well as his organization, C3SA, and then we'll hand over to Chris, who will talk about Malawi's experience of conducting a CMM, both in 2016 and again in 2020, I believe, and then we'll hear from Colonel Barros in Brazil through a translator, who will talk about Brazil's experience of conducting a CMM, before handing over to the audience for a Q&A segment.

With that, I'll hand over to Wallace.

>> WALLACE CHIGONA: I stand when teaching, I'm used to standing when I'm speaking. So, once again, thanks for this opportunity, and good morning, everybody, here in the venue and those online.

My name is Wallace Chigona, and I work for the University of Cape Town and also a director for C3SA. If we can put up the slides?

So, just an overview of C3SA before I talk about CMM. So C3SA, the Cybersecurity Capacity Centre for Southern Africa, is the center of University of Cape Town whose focus is to do research on cybersecurity capacity in Africa. So we are focusing on the African continent.

There are a lot of other people who do cybersecurity capacity research in other parts of the globe, but we believe that other issues are contextual, and we, being in Africa, are better positioned to understand them and to engage them in much more holistic ways, so that's what we do.

We've been around for about three years. So even though we are physically at UCT, our group is made up of four institutions. So the University of Cape Town, where we sit, Researcher City Africa (phonetic), which is a think tank on ICT policies also placed Cape Town, the Global Center for Capacity on Cybersecurity based in Oxford, and the Norwegian Institute of international Research and Affairs, NUPI. So the four of us make up the C3SA.

We are part of a global constellation, right? So there are other people also doing something similar. So there is a group in Oxford (?) looks at the rest of the world, so to say. We're focusing on Africa, Southern Africa, but actually, we cover the whole of Africa. And we have colleagues in Melbourne who cover the Oceania Region, right?

So our aim is to be the main, or the entry point for anybody doing research on cybersecurity capacity in Africa, and also to coordinate and collaborate with other people working in that space.

So I think that's just basically what I'm talking about, that we do a number of things. We do research. We do capacity building. We hold webinars and so on. And we do CMM, which is the focus for today. So today I'm not going to talk about our other efforts in capacity building and research; our focus is on talking about the CMM. So, having said that, now I can talk about the CMM, which is the focus of the panel today.

CMM, the Cybersecurity Maturity Model for Nations, is a model for assessing the maturity of a country in terms of cybersecurity, right?

So we'll go to country and we say, "Hmm, this country, you are this mature." It's kind of like a benchmark. It's a benchmarking exercise. So using one instrument, you can go to different countries and then you can provide level of maturity for that country.

So the way this instrument works is one that will come to a country and then say, "Ethiopia, you are 80%? No. We are going to give you maturity on five dimensions," so five dimensions which we measure on. I'll talk about those five dimensions. So, on dimension 1, you're doing OK; on dimension 2, you're great. But this dimension, maybe have to do some more work, so that's what we do.

So I say we've got five dimensions, right? So those are the five dimensions. It's a bit tricky, because the other ones are covered. So the top one is -- I'll begin with dimension 1, which is cybersecurity policies and strategies. So we assess how far a country has gone in terms of cybersecurity policies and strategies.

Second dimension is about society and cultural awareness in cybersecurity. Dimension 3 is on capacity of building and knowledge. Dimension 4 is legal and regulatory frameworks on cybersecurity. And dimension 5 is on standards and technologies. So we do assess the maturity along those five dimensions.

So I guess you could be thinking, "Those are still, like, high level. They are high level." So what we do is for each dimension, we break it down into, like, a sub‑level, what we call factors.

So, for example, if you look at dimension 1, the cybersecurity policy and strategies, which focuses on whether a country ‑‑ kind of look at the readiness, and the availability, and the quality of the policies in the country. So that splits into four factors, right? So I think what we label into 1.1, 1.2 and so on.

So, for example, look at national cybersecurity strategy. So ideal strategy in the country, at what phase is it? How good is it, right? So then we look at the instant response crisis. We know in cybersecurity, the aim is to prevent, but what if things happen? Are you able to respond to that?

Look at the critical infrastructure. So this is looking at things which, if they broke down, the country would be on its knees. So do you have a list of those things? Do you have measures in place to protect those things?

And then the defense, national security, is another dimension, is another factor.

All right. So I've got dimensions. The dimensions are split into factors, but the factors are still at a higher level.

So we take a factor and split it into what we call aspects. So as you can see, so, like, if I take critical infrastructure protection, for example, so this identification, has a country been able to identify that this is our critical infrastructures?

Have they done some kind of measures to keep themselves? And what's there in practice? So each factor we split into the aspects.

So I will not go through all the factors of the dimensions in the interest of time.

Dimension 2 focuses on the society and the culture. So are people aware of the security risks? What's their mindset? Are people taking precaution? What's the media like? So we focus on that aspect and then we give you a score on that.

Dimension 3 is more on knowledge and capacity‑building, right? So assessing, are people in the country getting trained? So we're looking at the civil servants, the military, the universities. What kind of courses are there? Are they up to standards? And so on.

Dimension 4 is on the legal and regulatory frameworks. So I know that some kind of ‑‑ be careful here, because lawyers say there's lockup in the laws. But we're kind of saying, "OK, you can use any law to do anything, nut have you gone a step ahead and had specific laws and regulations pertaining to cybersecurity?" We've got things about child protection online, scams online, so we are assessing whether we have moved past, and are the people in that justice system equipped with the skills? So that's what we assess on this one.

The last dimension, dimension 5, is about standards, right? So we know there are international standards on cybersecurity, so we're assessing whether a country is abiding to those. Are they aware of those? Is the national kind of bureau of standards also monitoring cybersecurity like software and hardware? Are there some controls? So we do assess on those maturities.

So, to recap, we've said the dimensions, the five dimensions; the dimensions are split into factors; and the factors are split into aspects. So when we assess the maturity, we engage with aspects, to say how far have you gone with each aspect, right?

So we could score you, we could score a country at either start‑up. Maybe they're in the embryonic stage, or if is there, they are at different stages. And if you are fully compliant, then you'll be scored on dynamic stage.

So this is basically the same thing. Kind of like a table. If a country is doing this, then ‑‑ kind of like a checklist which we use to determine this code were to place a country.

This is an important part, because we do assess different countries and different people with assessments. So if you're using one benchmark, it's much more uniform and much more consistent.

I'm not going to talk about this, but just an example for the indicators we use to assess.

OK. So what's a process like? So the process is often instituted by the country. So a country say, "We need a CMM assessment for our country." So we would then begin looking at that country. Kind of look at what you can find online or can find in books about the country. And then the next stage is for us to go to the country and have a discussion in the country.

So this would be done through focus groups. So it would be meeting people from different sectors to gather information about the country and based on that information, now, I mean, there would be a report to say, "This country is on this level."

And further to that, now once we know where the country is, and we know where they're doing strong or not doing strong, we're going to provide recommendations to say, for this factor, if you can do A, B, C, D, you could improve to the next level.

So I'm conscious of time. So the important thing is that the assessment is not overall, but is per factor. So we know for dimension 1, factor 1, this is where you are, so don't give you one overall score.

So I think I can close up. So I think important to say that CMM has been done by different people, has been for many countries, and the numbers are growing. We do many in Africa; our colleagues do in other parts of the world.

I should mention that the CMM itself kind of gets improved all the time. We engage with people, stakeholders, to gather feedback on what's working, what's not working, and how this can be improved. I think we can stop there, and then we can engage in further questions later. Thank you.

>> SAM HALL: OK. Thank you, Wallace. I think we'll move over to Chris. And those controlling the slides, it should just come up next.

>> CHRIS BANDA: Thank you. Yes, my name is Christopher Banda, and I'm from Malawi. I work with the national CERT. So I'll make a presentation on the case of Malawi in terms of conducting the CMM, which, as some say, we have done twice, in 2016 and also in 2020.

Basically, the presentation will go through those points.

Now, first, we did the same in the 2016. This one was facilitated by CTO, that's Commonwealth Telecommunications Organization, and that's also sponsored by Foreign Commonwealth Office to Government of Malawi.

Basically, the key objective was to determine the current cybersecurity posture of Malawi, and also highlighting a series of challenges and opportunities in the country, and further to develop the national cybersecurity strategy aimed at addressing the challenges.

It was a consultive process through workshop and questionnaire. And this one, the major output was the development of the national cybersecurity strategy, because, at that time, we didn't have any strategy in place, so the issues, as he explained on those five pillars, and a strategy was developed to address those challenges.

And also, it was to look at to finalize and adopt the national cybersecurity strategy for Malawi, of course to operationalize the national CERT and improve cyber security awareness and also operationalize and implement of E‑transactions and cybersecurity bill. And deploy cybersecurity certification programs in public universities and colleges.

Basically, at this time, when we were doing the strategy, I mean, the CMM, we had a bill in place for electronic transaction and cybersecurity. However, it took time to be approved. So, I would say, within the process, it was also a way of trying to communicate to the policymakers and also members of Parliament to look at this bill critically so that it can be quickly passed in Parliament.

Well, I think the top one, the heading is not really being seen. But now, in terms of stakeholders who were consulted, they were all the private sector, public sector, academia, and also finance sector.

You target a specific group to look at, there may be other comments and also listen to them, for all of those pillars which he has presented. So this is the sectors which were consulted when they were doing the CMM.

Now, this is the second CMM, which we did in 2020. It was funded by World Bank. Of course, we have a digital Malawi project, a bank-funded project, and also echoes from the World Bank facilitated the assessment.

Main objective of the exercise was to enable the country to understand its cybersecurity capacity posture, as indicated previous, also; to strategically prioritize investment in cybersecurity capacities; and also, outcome was a report with recommendations.

Again, it was a consultive process and online, due to COVID. This one, we did in 2020, when there was COVID, so mainly, the consultations were online. And I remember we had about 15 sessions, different sessions targeting different sectors and the institutions.

Those were some of the institutions which were consulted in this second exercise: public sector, private, finance, academia, and others.

Basically, the finding of the second one on cybersecurity, policy and strategy. This strategy dimension of Malawi was assessed as start‑up to established.

Basically, this was looking from the previous assessment, which we did in 2016.

Culture and society. This one was judged to range between the start-up and also formative stages. Because there are different stages where you can be graded depending on activities or the issues which you could be penalized.

On cybersecurity education training and skills, this one, training and skills capacity in Malawi, they're just from start-up to established again. The point is to look at the trainings, maybe the courses, programs done in universities and colleges on cybersecurity, so this is how we assessed.

Legal and regulatory frameworks. Overall, legal capacity of Malawi was assessed from formative to established. Formative to established means we are stronger on that one compared to the other areas.

And also standards, organization, and technologies. Malawi's capacity in standards, and organization, and technologies was assessed to range from still start‑up to the formative stages.

Basically, this is maybe just graphically how we were rated in 2020 on all of those pillars.

The recommendations which were made. One was reviewing the legislation and the current strategy; improve cybersecurity awareness introducing cyber‑training courses in higher education, strengthening the domestic law enforcement capacity on cybercrime, improving international cooperation, mechanisms to combat cybercrime.

Basically, that's what I will share. And mainly, what I would say, that the second assessment which was done pointed at a lot of things, and one of the issues as a country is now to come up with a different legislation to address the cybercrime, data protection and other things.

Some are maybe just waiting for Parliament to pass, but it's in response to the report produced in 2020. Basically, that's what I would say. Thank you very much.

>> SAM HALL: Thanks very much, Chris. We'll move to our remote colleague joining from Brazil, incredibly early there, so a big thanks to him. Just checking: Luiz and Colonel Barros, can you hear us OK? Are you ready to come in?

>> Perfect.

>> SAM HALL: Do we need to enable the microphone to be able to talk in the room? There we go. We've got you on the screen, colonel, I think we're just trying to get you hooked up to the mic here in the room.

And team in the back, if you wouldn't mind putting the slides back up where they were, and then Luiz, or colonel, if you could just tell me when to go to the next slide, I've got the clicker here, and I'll do it whenever you indicate. And with that, we're ready for you to kick off. Please go ahead.

>> Colonel Joao Augusto: (Speaking in Portuguese).

>> SAM HALL: Sorry to interrupt. I think we should have a translator. Can you please enable that translation function so Luiz, we should be hearing you. Please jump in.

>> Colonel Joao Augusto: (Speaking in Portuguese).

>> SAM HALL: Sorry, everyone. We might need to give it a couple minutes while we figure out how to get the Colonel's remarks translated from Portuguese into English for this audience.

>> Colonel Joao Augusto: (Speaking in Portuguese).

... the Department of Institutional Security Office at the President's Office. I'll talk about our experience, our challenges here in Brazil in the area of cybersecurity.

Next slide, please. Next.

>> SAM HALL: Are you going along with the map of Brazil on, Luiz? We've currently got the map outlining the Internet penetration and size of Brazil. Is that the same for you?

>> Colonel Joao Augusto: (Speaking in Portuguese).

>> SAM HALL: Can't see the chat room, but perhaps you're on mute?

>> COLONEL JOAO AUGUSTO: I understand that Brazil is an interesting ‑‑

>> Colonel Joao Augusto: (Speaking in Portuguese).

>> SAM HALL: Luiz, your remarks aren't quite coming through OK. Maybe it's a connection issue. Can I just check that you got the same slide up in front of you and, as far as you're aware, everything is OK? Because if so, then it's probably just a connection issue, and you're not coming through properly.

>> LUIZ HARGREAVES: Sam, this is Luiz, can you hear me?

>> SAM HALL: I can now, yes.

>> LUIZ HARGREAVES: OK, so.

>> Colonel Joao Augusto: So Brazil is an interesting case study. In addition to the district, Brazil has 26 states spread over more than 8 million square kilometers. And each of these federal units has its peculiarities in terms of climate and infrastructure. The Brazilian population is over two hundred million people, and 81% of Brazilian households are connected to the Internet.

This is a very relevant piece of information, because we understand that social media are some of the most important tools identified in Brazil as a source or a tool for crimes in Brazil. Next slide, please.

When you think about the government, there are nearly 9,000 autonomous systems, but we also have ‑‑ previous slide, please. It seems that some participants cannot see the slides.

>> SAM HALL: OK. That's probably an issue with the online room. If, Colonel Augusto, you have the slides up in front of you, then perhaps share your scream on the ZOOM call. We've got the slides up currently here, and if you're able to enable, Augusto, to share both the slides on the call and in the room, you can do that. Then please go ahead.

Can we get --

>> Colonel Joao Augusto: (Speaking in Portuguese).

>> SAM HALL: Colonel Augusto permission rights to share his slides with the room.

(Overlapping speakers)

>> Colonel Joao Augusto: (Speaking in Portuguese).

The Brazilian government has over one million civil and military servants, and this creates a particularly favorable aspect to address cyber incidents in Brazil. Next slide, please.

>> SAM HALL: So we've moved to the next slide. It's the organogram of the Information Security Department.

>> Colonel Joao Augusto: (Speaking in Portuguese).

>> COLONEL JOAO AUGUSTO: GSI is the focal point within the government regarding cybersecurity and cyber -- and information security. So it's divided into three general coordination offices. The first one is called CTI Gov, that coordinates cyber protection, and plays an important role on addressing alerts and providing timely action, and it's also a point of attention for Brazilian society.

The General Coordination Office for Information Security and Management is the one that develops standards and regulation and the one who deals with security and clearance, addresses and treats confidential information and provides for secure exchange of information. Next slide, please.

So, this type of structure enables us to provide one of the main outputs of GSI, and this is linked to each of the CMM mentions. And the recommendations included in the Oxford report, they were clear and concise, and enabled us to develop actions to address and meet those recommendations, and CMM has proved to be a very effective tool to address the issues that were identified in Brazil for each of the dimensions. Thank you. Next slide, please.

My screen is disabled for me, OK?

>> SAM HALL: We're now on the slides with lots of organizations and institutions pointing towards Brazil. I think there might be a slight lag with them loading online.

>> Colonel Joao Augusto: (Speaking in Portuguese).

I'll talk about some actions that we took based on the Oxford report. The government, through our office, the GSI, has expanded its dealings and its collaborations with international organizations. They also deal with the same aspects, usually through NOUs. An example is, for example, the OAS and a number of different organizations.

And our collaboration work with all these international organizations and countries has added significant value to the work that we do in our department and has enabled us to progress significantly not only at CTIR Gov, and also the other coordination offices. Next slide, please.

>> SAM HALL: We now have the one with the National Policy on Information Security at the top pointing down.

>> Colonel Joao Augusto: (Speaking in Portuguese).

GSI has done significant work at a high-level, legal framework. We have also produced proposals and national plans to manage cyber incidents and also to provide security for critical infrastructure, in line with our CMM.

And this is now at the final stages of approval within the Brazilian government. Thank you. Next slide, please.

>> SAM HALL: So now the slide with the strategic actions from the normative baseline.

>> COLONEL JOAO AUGUSTO: In addition to the national plans that I cited, the National Policy for Cyber Security is included in the bill of law that's going to be submitted to the Brazilian Congress. And it's also in line with what is proposed under the CMM.

And some of these actions or some of the goals of this new legislation are to strengthen cyber governance actions, establish the centralized governance model, promote a participatory, collaborative environment, involving or engaging the public sector, the private sector and society, raising the level of government protection, raising the level of protection for national critical infrastructure, enhancing the partnerships between academia, private and public sectors and society, and, of course, raising the level of maturity for society as a whole in terms of cybersecurity. And this is, of course, our main challenge. Next slide, please.

Another initiative in the case of Brazil that had significant impact was the creation of the Federal Cyber Incident Management Network, which is a sectoral coordination instance to address specific threats to these specific sectors, and to provide a response through this organization in more timely and appropriate response.

And this might be able to provide a safer and faster service to society. It also had a very positive outcome in terms of the efficiency of communications of cyber incidents. Next slide, please.

Still, regarding regulatory issues at a lower level, we have started updating all normative instructions, taken into account emerging technologies. And it's important to bear in mind, if we want to be state of the art, we need to take into account these emerging technologies so that we can face specific threats to each sector. And that's why I said earlier that the federal network is providing significant support to these actions. Next slide, please.

Well, we can say that there have been significant advances over the past three years, but there's still a lot to do and many challenges to face. In order to do that, it's important to understand that these actions are taken with the view to expanding our national, international partnerships, keep our regulations and laws always up-to-date, and address emerging or specific technologies, launch campaigns that enable us to provide increased awareness on this topic at different levels, and build capacity in our human resources, and try to establish processes and systems that are aimed at providing greater security.

And this would increase our maturity and the resilience of our networks not only for the government, but for society as a whole. In particular, essential and critical areas and infrastructure, and this would benefit the whole of Brazilian society. Next slide, please.

That's it. I tried to present a very brief overview in the time that I was allotted. And I hope that during the debate, during the Q&A session, I can clarify any issues that have not been clear.

And CMM has been a very important partner for us, helping us to develop tools and systems so that we can put our action plans into action and consequently reach our cybersecurity and expanded maturity in our cybersecurity.

We want to have a safe, reliable, inclusive and resilient cyberspace, not only for the government, but for the whole of Brazilian society. Thank you very much.

>> SAM HALL: Thank you so much, Colonel Barros, and thank you, Luiz and Chris for your translation services today. I will now move to the question-and-answer segment. I'll start with the room, and then if we have any questions come through on the chat, I have a colleague who will forward them to me on here.

But does anyone have any questions for any of our panelists on what you've heard today?

>> DIANA: Good morning and thank you very much for everything you've shared with us. My name is Diana, I am from Jordan. I have a couple of questions, but I'll be brief. First, it's open to anybody to answer, but what do you do when the governments that you work with are in disagreement with your findings, when they don't find something that they agree with?

And then the second one, I noticed in the map that you shared of the countries that the only Arab state present was Tunisia, so I was wondering if you could share more on your experience with that. Thank you.

>> SAM HALL: Thanks very much. We'll take one more and then move to the panelists. I think that one was for you, Wallace.

>> MOHAMMED: Good morning. My name is Mohammed, from Nigeria. My question is to Professor Wallace. Thank you so much for the presentation. What are the factors in your experience in terms of the countries that are ranking high in the maturity index that they are doing right? You know, is it that the buy‑in from the highest stakeholders, is their coordination central? Because it looks complex in terms of managing the cybersecurity for a country. Is there a coordination that made them successful? Because some of the countries that are really ranking low, maybe they need to learn out of that experience from the countries that are ranking high. Thank you.

>> DAUDA: Can I go ahead for my question? All right, thank you. I'm Dauda, from Senegal. I just have two questions. You talk about the Cybersecurity Center for South Africa. Are there any steps or requirements to set up one in West Africa? No, we don't have any in West Africa.

And the other question is, yeah, knowing that cybersecurity maturity assessment is very important and is a key point on cybersecurity, can, like us, Civil Society organization or private company, can move forward and implement that part? So, I mean, the cyber security maturity assessment.

>> SAM HALL: Thank you. I think we'll leave it there and then do another round of questions after. Wallace, most of those are for you, so I'll let you start.

>> WALLACE CHIGONA: OK. Those are all interesting, but difficult questions. So what do you do when a country doesn't agree with you? The important thing to notice is that the CMM is owned by the country, not by the C3SA or other people who do it. So we are doing it as a service to the country.

So, I mean, sure, some other website, you can find lots of reports, but our reports are not there, so come countries choose not to put up there, so maybe they're not comfortable with the outcome yet or there are other political issues going on.

So, before we finalize the reports, we engage with the country and say, "OK, this is our report, what do you think?" So we go through that engagement and we try to stick with the truth.

So, I mean, we're not going to change to suit a country. So I think what happens in most cases that the reports are not published, so the report is there, but the country just says, "We'll keep from publishing it."

In terms of the Arab States, I got no answer to that. What I have to say is that CMM is often initiated in the country. So when a country wants to do a CMM, then they approach a service provider, and then we'll do it.

So it will mean that there's been no uptake from the Arab countries to do the CMM. Again, I should emphasize that CMM is just one of many tools. There are other tools which people use, so it's possible that the other countries are opting for different assessment tools, so maybe they're not opting for this one for whatever reason.

Sometimes, CMM is initiated by donor, so a bank would say, "For us to engage with you further, can you have a CMM or whatever assessment?" Some of it may depend on the other factors, which may not be pushing the Arab world into these.

The other question was about the -- can one set up another center in other parts of Africa? I think so, I think one could. I mean, so far, we've got three centers -- in Oxford, in Cape Town, and in Melbourne.

I think what we realized, doing CMMs north of Africa, was the cultural difference with south of Africa. So I guess maybe people in specific areas could set up a similar center to deal with contextual issues.

The Civil Society one. So CMM covers different bits. Even Civil Society is part of the assessment. I think Chris was mentioning that, in Malawi, they have Civil Society as part of the people participating in this.

In terms of doing the CMM, I think you're looking for an independent person outside the normal structure, so I think I've missed your question. I didn't get it.

Did I answer it? What is your question?

>> My question is what is it that they're doing ‑‑

(Off mic)

>> WALLACE CHIGONA: OK. Yes, yes. Some ‑‑ So this is a tricky statement to make. If you look at the CMM, you see that there is a correlation between economic development and maturity. In most cases, I think the richer countries do better than the ‑‑ but if I would have to pick a lesson, looking at what we've done, it's the political will which makes a difference.

If people at the top are willing to invest ‑‑ because, I mean, it requires money to set up research, to do this policy. So if you've got political will, things have been working well.

>> CHRIS BANDA: Just to add on the first question, in terms of what should you do. Basically, the CMM is bringing just a debate within the country, because the views that are coming from (?) who have been consulted. And then the looks at the country. So it's up to the country to look at what has been said, and any moves or steps. One issue which I would say is, I think CMM, the report, further helps to bring awareness, especially to the policymakers, because you bet on the findings to look at what the report is saying, and as a country, what should we do.

So it's a report that can be used to negotiate with the policymakers to implement certain issues so that the country moves on. So, mainly, a country can look at it. Thank you.

>> SAM HALL: Thanks very much, Chris. Thank you, Wallace. OK, we have two, three more questions in the room. And remember, the translators can relay any questions to Colonel Barros as well, if you have any questions for him.

>> OK, thank you. I'm from Nigeria. My question goes to either the brigadier general or prof. It's around an experience of sub-nationals running the CMM in any way, just learn from that. Any sub-national, whether from Brazil, because Brazil shares very similar experience with Nigeria in terms of the country's output and the federal and state system, all being almost different from each other.

So just to learn from that experience, any sub‑national. Thank you.

>> Thank you very much, colleagues, for the feedback, and I particularly appreciate the model that you shared with us and all the different factors that are involved in it in terms of assessing national cybersecurity maturity.

My question, one of the questions that I meant to ask, related also the question that you raised with regards to Civil Society. Because when Chris mentioned the stakeholders, that they engaged with in 2020, there was no mention of Civil Society. So I wanted to find out if there was a specific reason why Civil Society was not included, or maybe it was just omitted in the slide.

But also to ask, because also there were links to your area aspect that, as part of the assessment, you engage stakeholders as part of focus group discussions. I also meant to ask which stakeholders also involved as part of their assessment.

But also to ask for both of you, in terms of what's your position with regards to mainstreaming human rights and a human‑centric approach to cyber security. I'm asking this because I've noted that most states, particularly in Southern Africa -- I work with the media in Southern Africa, so I work strongly with countries in Southern Africa -- that when engaging on conversations relating to cybersecurity and cybercrime, more emphasis is focused on cybersecurity and not on the human‑centric approach.

So what is your position in terms of mainstreaming that human-centric approach and mainstreaming human rights? And for you, Chris, is that reflected also maybe in Malawi's national strategy? Thanks.

>> SAM HALL: I think we have one from back here.

>> Thank you very much. Insightful presentations from Mr. Banda, Professor. Mine is on reforms for legislation. So I note that most of the times, especially in our jurisdiction, I'm from Zambia, in that region, our focus is on legislation. But I feel there's a critical stakeholder that is left out when we're doing these assessments or when these assessments are being conducted, and that is a judiciary.

I say so because we've been talking about the other arms of government. The executive, which sets up administrative processes. You talk about the legislature, which the lawmakers, essentially. But, constitutionally speaking, the body task for administration of justice, as well as interpretation of the same laws you're speaking about, is the judiciary. Where are they in the picture in relations to capacity‑building, in relations to cybersecurity awareness, and in interpretation of the laws coming up? Thank you.

>> SAM HALL: Thanks very much. I think we'll leave it there for this round and then come back and do one more. Wallace, if you want to kick off?

>> WALLACE CHIGONA: Yeah. OK, so thank you for the question. So I think for the sub‑national one, as far as I know, we haven't had ‑‑ our colleagues haven't done sub‑national assessments. I think they've all been at national level, so that's what -- But there's been -- I think there's no reason why not to do it at sub‑national.

The way the framework is designed, one could do this at sub‑national level. We have used the framework process in the SADC region, for example, so I think it could be used at a lower level of government.

Which stakeholders? So the way the stakeholder engagement works is that we have got a recommended list of stakeholders to say, for this dimension, we are looking to talk to these people.

And I mean that includes a judiciary, by the way. So, the country will engage with the stakeholders to invite them to come to the meetings.

So I think what we've seen, that the participation is generally good, especially from the civil servants. The other factors which reflect participation, but I think participation has been generally good.

We don't have many Civil Society attending, but they're included on there. And some of them attending and engaging.

In talking about human rights, administering human rights. So if you look at the dimension 2, dimension 2 talks about society and those issues. So that attaches on human rights, and human rights issues. Also, on the dimension 4, the legal frameworks, that again speaks to human rights, we have seen in Africa, where we have experience, I think one of the human rights issues is the Internet shut down. Governments, when they notice somebody, they shut down the Internet.

So that pops up in our conversations. We've seen I think lots of variations by online or the opposition being shut down online.

So all those things pop up in the ‑‑ maybe dimension 2 and dimension 4. So those things pop up in the ‑‑ so I think, my colleague from Zambia, so dimension 4 focuses on the judiciary and covers the aspect of the judiciary where they were trained, what laws are there in place and so on.

From experience, we don't have many judges or magistrates coming to the discussion, but we do invite them. But maybe there are other ways we have to engage with them. But we get lots of lawyers coming, and they're often very vocal in most of the dimensions.

>> CHRIS BANDA: Thank you very much. Maybe on my presentation I just put like a general, like OK, it was a consultive process, but, specifically, I would say yes, Civil Society is very key, especially on the pillar number 2, on awareness.

So we also engage them, and especially, as I say, we had some sessions for the 2020, which even the 2016 we had this specific session for Civil Society again to have an input on the issue. So yes, that issue was considered and even the report, things are being looked at from that angle. And some, even Civil Society, have taken interest for all the issue on cybersecurity.

From Zambia, I would say, yes, as Professor Chigona said, judicial, law enforcement is a key issue. I'll give you one example from our strategy.

One issue that has been put in place is to train this as an action point. Judicial law enforcement. And even the previous assessment also looked at that, and have planned some specific training for these categories like judges, prosecutors, and even the law enforcement.

So it's trying to address that. But I know it's an ongoing issue. I think the major challenge comes now in terms of the capacity within the institutions locally. You find that, normally, maybe will go to train someone, maybe will go abroad. Maybe developed countries that are more advanced in these areas, but it's an issue indeed which needs special interest.

I'll give an example. Maybe, I think, you made issue on Malawi election, and the other issue was on the evidence -- on the digital evidence.

You find that, in most recent, the whole case, but when come to this issue, all lawyers from the defense and ‑‑ said, "I will not comment anything," meaning they don't understand anything, and other views, even the judges.

It's a challenge that require special interest on this area. That's why, as I say, there's an action point and we'll plan some activities to address the issue. But it's a long‑time issue and it requires much stakeholder approach to address this. Thank you.

>> SAM HALL: Thank you, Chris. I just wanted to check if Colonel Barros has anything he would like to come back on that he heard since de Q&A started. So do come in, Colonel, if so. If not, I have one question from the room, and a question at the back there, and then a third one. And the one from the room, in fact, I think he's going to speak, is from Dr. Martin Koyabe, from the Global Forum on Cyber Expertise. Martin, can you hear me?

>> MARTIN KOYABE: Yes, I can. I don't know if you can hear me, but thank you.

>> SAM HALL: Yeah, we can definitely hear you. Go ahead.

>> MARTIN KOYABE: First of all, thank you, Sam, of course, for chairing this conversation. The panelists, whom I know very well. Christopher, Professor, and the colonel. Mine is to give a perspective, but, at the same time, also to ask the panelists whether that perspective is valid.

We have been working tirelessly within the AU and GFCE project on assessing the needs of each of the 55 countries in Africa, but, at the same time, looking at where we can be able to improve the gaps that we've identified.

And one of the areas that we've seen is the issue around the UN open‑ended working group process and how countries can be able to be involved in that process when it comes to issues cyber diplomacy and also issues on cyber (?).

So, the question really would be, would that particular requirement be a metric that could be measured within the CMM structure? And what the panel thinks of this particular issue? Because that's one gap that we've identified within the study that you had in the last two years.

The other aspect is also the issue around building the south-to-south capacity. Because, as you have mentioned, we do need experts who understand CMM, we need experts who can be able to help countries, to forge ahead with the CMM, and what we're seeing increasingly is how we can get some certification of those assessments.

So the question really would be, have we reached a point where we can have a certification process so we can conduct this process whether in Brazil, whether in Japan, whether in the Pacific or anywhere within the world, so we can be able to get CMM more popular, especially in undeveloped countries, as mentioned in the room?

And then, finally, it is the issue around the way we need to progress the ways the assessments are done. Here, we have countries that are doing the second assessment, some of them are planning for the third, but I think, right now, Malawi is one country that has had two assessments so far.

And the question is when you conduct these assessments, then that means you're trying to review your posture for the last four years. There is also the issue around taking the impact of that particular process. Now, the question that I ought to ask the panel is whether we should be able to include impact assessment as part of our assessment criteria. Because when you come to the four‑year review period, you would want to see what was the impact of the cybersecurity implementation process that you had previously.

And I give you an example. In Uganda, for example, in 2014, I was involved in the fast CMM assessment in the country, and when we did an assessment four years later, it was possible to see that the interpretation of some of the laws has actually improved prosecution of people with digital misdemeanors and so forth. So therefore, impact assessment is a very important measure, and, Professor, we've discussed this before, is where that can be done.

But thank you again for this particular opportunity, and I also want to thank the panel, and also Sam for your very good chairmanship. Thank you, bye.

>> SAM HALL: Can you hear me? There you go. Thank you very much for your question, Dr. Koyabe. And we now got another from the room, then we'll take one more and go back to the panelists.

>> Thank you very much. We will now move on the next question, looking forward to the future of a post-COVID world. What lessons can be retained from the --

>> OK, thank you. I'm an artificial intelligence researcher for policy. I come from Tunisia, and I have a comment regarding my country.

As you know, there are -- kudeta happened in Tunisia last year. And since that kudeta, it comes with a lot of political instability, human rights abuse, and the cybersecurity, it was somehow used kind of protects by Tunisian governments to unlock our access to government's data.

So since the kudeta until now, we cannot access to government's data, and we cannot do any kind of activity. In general, there are not any public participations on the Civil Society engagements due to the kudeta and due to the new dictator regime happens in Tunisia. I hope you can consider this in your presentations. Thank you, sir.

>> SAM HALL: Thank you very much. And then we had one more question from the room. Where was it?

>> Good morning. I'm from Nigeria. My question is for the Professor. You mentioned the other time that some countries are not comfortable with having the assessments being public. In this instance, when such countries exist, and as a Civil Society organization or probably as private sectors, what rules can you do to accept these CMM assessments and probably advocate to get the governments to do the needful, when they are ranking low in this instance? Thank you.

>> SAM HALL: Thank you. I'll hand over again, first, to Professor Wallace Chigona, and then to Chris, and then move to colonel Barros, and then I suggest we leave it there as we are running out of time.

>> WALLACE CHIGONE: Ok, so we may begin with the Civil Society question. So the question is more what happens after the CMM. So, after the CMM, I've got the report, I give to the government, and government then decides what to do with the report. We have got no powers beyond that. We may recommend or link government with other training agencies to provide training, but we cannot influence what happens in the country.

But moving back, before we do the report, there's the whole consultation, and often Civil Society is involved. So I guess Civil Society can hold the government to account. "There was an assessment; what happened to that report?"

Because usually, I think after an assessment, it's about two months or so that the report should be ready with the government. So it's not coming out, I think Civil Society, maybe should take it up with the governments to do this. That would be useful as part of the contribution of holding a government to account.

So another thing, which happens, I think partly answering to Martin's question, and maybe the Tunisia question. After the report, often people have another assessment, so why do people have another assessment? Sometimes I think it's governments change. Often, got a case where a government order the same memo or asked for the same memo. You did it.

A memo that was given to the government. But meanwhile, the government has changed. Mow the new government says "we cannot use that report by the previous government. We want our own." And then from that, OK, they can present and move, but have another report.

So if you check the two reports, maybe four years apart, you find the same things which are recommended previously as still happening. So sometimes, there are other political issues which come into play.

So maybe having this review, this assessment, may help to force governments to act before the next one.

So I do agree. We need ways of, not forcing, of nudging governments to act on the recommendations, or to engage on the recommendations. I do agree. I think we need much more collaboration on training. I think that would improve capacity.

So the issue, back to my colleague here about which countries are doing better, I think it's where people have got the training and capacity. So if I've got training locally on south‑south collaboration, I think that would help with many things.

>> CHRIS BANDA: Thank you very much. I want to also make a comment on the Civil Society. I think we are coming from different countries. One issue I've noted within my country is lack of Civil Society of being advocacy on cybersecurity. It could be due to knowledge or whatever. But I think we don't have such strong Civil Society who can take government to test on certain issues, especially cybersecurity.

Maybe it's a new issue, but it's something that need to be considered and then maybe things can be looked at from that angle. Thank you.

>> SAM HALL: Thank you, Chris. Colonel Barros, do you want to comment on anything we've discussed so far? If not, then we probably do have time for a couple more questions.

But I'll pause for a few seconds, just to let you jump in.

>> COLONEL JOAO AUGUSTO: (Speaking Portuguese).

>> LUIZ HARGREAVES: He said "I'd like to comment on some of the questions."

>> SAM HALL: Please go ahead.

>> COLONEL JOAO AUGUSTO: They were all very interesting, and perhaps I could add some information about the Brazilian case, based on the Brazilian reality. Regarding the idea of involving all different spheres of the government, considering the size of Brazil, for example, we have been making efforts towards that, working more closely together with local governments.

And during my presentation, I commented on the sectoral approach and the fact that our sectoral organizations or agencies engage with the states in Brazil. And considering the recommendations that we have received from CMM through the Oxford Report, we expect to be able to share that information and that knowledge with the states and apply those recommendations to the specific realities of each state in Brazil.

And as a mentioned earlier, each state in Brazil has its own cultural peculiarities, has its own infrastructure issues, including, for example, access to the Internet, and the challenges may change as a result of that, and confirming what has been presented here today.

These studies take into account all different scenarios not only from a government perspective, but also from the perspective of Civil Society and academia. And in this context, the information that we receive is very rich in terms of completeness. And as I mentioned, I mentioned that the bill of law that is currently being reviewed, the idea is that we'll have a national law that will apply to all different sectors in the country and all different branches of parliament, and the idea is to make sure that all these intentions and all these recommendations reach all different levels of power, and this would, of course, have an impact on society.

Here in Brazil, we have been making efforts to get closer and work more closely together with Civil Society, because we are aware and we are suffering the impacts of cyber frauds, and cybercrime.

And this has been on the radar for the government and for a number of different organizations in Brazil. So we believe that these recommendations proposed by CMM. This is very important, and we are considering how to make sure this applies to people's day to day lives.

And also to raise awareness among the population and educating the population so that when they use the Internet or a number of different services online, that citizens themselves, they seek, let's say, a more secure approach, and they adopt secure behaviors. Thank you.

>> SAM HALL: Thank you very much, Colonel. So we do have time probably for a couple more questions. One there. Fantastic.

>> Hi. Firstly, thanks to the panel for everything so far. Just one question on sensitive information. I wonder how you work with countries who have concerns over sharing information with you and how you sort of mitigate that.

>> SAM HALL: Wallace, you want to take that?

>> WALLACE CHIGONA: OK, yeah, so -- so that's a big concern of many countries, the fear that sensitive information will go in wrong hands, especially, I think, on dimension 4, on security and those kinds of issues. I mean, we've had countries begging, "Can you do the assessment on the three dimensions only? I don't like this dimension."

So the first step is that the consultations are heard in a closed room, and the recordings are secured, like, so that means they don't leak out. So that's one step that we do.

I should also emphasize that we don't accurately assess the actual hardware or software in the country, so all the information we are gathering is based on the information the country is providing to us, so the risk of us touching something too sensitive is a bit minimal in the first place.

So the other part is that whatever we gather. Colonel, if you go to the country, and say country, we have had this information, this is our report, and they could say maybe these parts, could you not put it in the panel report, which is going to go public. So I think we can engage with countries on those sensitive issues.

We are aware that other things may be too sensitive to be in the public domain. But we are not touching any hardware or any software. We are assessing based on the feedback from the participants.

>> SAM HALL: Thank you. Chris or Colonel Barros, do you have any thoughts that you'd like to share on how Malawi or Brazil addressed information sharing concerns?

>> CHRIS BANDA: We didn't have that issue, as many explained. Maybe people asking questions on those five dimensions. Basically, we didn't have an issue. However, arranging maybe the sessions, let's say we are dealing with law enforcement and secret agencies, and that means we're put in a group, then we address the issues that get into that.

So we're approaching sector-based, maybe interest-based, maybe the general, local parameters, again, group them, we ask them. So the debate was in that kind of issue, whereby everybody would be able to share information within the sector. Thank you.

>> SAM HALL: Thank you, Chris. And finally, Colonel Barros, we're going to wrap up now, so if you have any remarks on that or anything else, then please do jump in.

>> COLONEL JOAO AUGUSTO: (Speaking Portuguese).

I will be brief.

>> SAM HALL: Sorry. Go ahead.

>> COLONEL JOAO AUGUSTO: I agree with what my colleagues have said. In the case of Brazil, the work of this CMM team was exemplary, and we did not face any issues of any sensitive information being compromised.

And just adding to what was said, in our partnerships, in addition to signing MOUs and seeking partnerships, we also sign specific agreements on sharing classified information so that we can have a common understanding of how classified information is treated. And consequently, this will enable us to try to process this information based on experience and on best practices regarding how this type of information should be treated. Without compromising Brazil or putting our partners at risk.

>> SAM HALL: OK. Thank you, Colonel Barros. I think we will leave it there for today. Just to say a huge thank you to everyone for joining. I hope you found it a useful session. If you have any follow‑up questions or something you would like to discuss in more detail, then Professor Chigona, Chris, and myself will be around, I can also put you in touch with Colonel Barros, as well.

But please join me and give our panelists a round of applause, and thank you for their presentations today.

(Applause)

>> COLONEL JOAO AUGUSTO: (Speaking Portuguese).

Thank you, Sam, thank you, everyone.