IGF 2022 Day 3 BPF Cybersecurity

The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.



>> MARKUS KUMER:  The meeting today is the culmination of a year's work, it's the result of a lot of hard work that went into it.  This intersessional work goes on all year long.  We are in a new phase where we talk about invigorating the IGF, we talk about IGF+.  There is also the Global Digital Compact, and we heard what the Tech Envoy had to say about the preparation and ask for input, and I think also this Best Practice Forum is well placed to provide input into the process that will lead to the Global Digital Compact.  But without that much further ado, I will hand over to Sheetal Kumar who will be the moderator of this session and we will give the substantive discussion.

>> SHEETAL KUMAR: Thank you, Markus.  And welcome, everyone, to this session on the Best Practice Forum's work this year at the IGF.  I think you should be able to see on the screen our agenda.  We wanted to share with you first a bit of context to the work this year because it does build on the work of previous years, and then as you can see, as you may already know, the work of this BPF is divided.

Three work streams and actually with Markus I colead the third.  First, we will start with work stream one, a mapping of cyber norm agreements, some of the analysis on that and findings from the analysis.  Then I will turn to my colleague here, Malorie Nodal and we will be joined by someone online to take us through some cyber incidents that we have analyzed but also story banking so bringing the human element and impact to the discussion.

And then this year we have done, you may have already seen, a myth busting paper on cybersecurity and cybercrime, so often cybersecurity and cybercrime are conflated or not easily understood, and so we wanted to provide some clarity and demystify those two terms and really keen to hear from you about that.

We also joined online by members of the Best Practice Forum, and by experts as well who I will introduce to you as we go through the discussion.  Okay.  So we will get started with the introduction.  I think we is just move onto the slide.  Great.  So as I mentioned, the work this year really builds on a number of previous years where we have been considering cyber norms, so the agreements, the collective agreements whether industry or state agreements like those at the UN that shape how stakeholders behave in cyberspace that prescribe certain types of behavior but should be acceptable or that are acceptable and those that are not.

And what we as the Best Practice Forum is intended to do is provide a multistakeholder perspective and analysis and research and address the question of what are best practices when it comes to cyber norms.  So in 2018 we analyzed a norms development mechanisms and in 2019 we specifically looked at how norms were being operationalized and good practice with regards to that.

We also did a mapping of the many norms agreements that exist, whether they are developed by industry actors, or by state or even by civil society to assess whether there were commonalities amongst those, to really still what was agreed.

And then in 2020, we did some analysis on other areas of global governance where normative agreements have been successful or normative efforts have been successful, whether they relate to, for example, trade or other issues, and I drew from that key lessons that could be applied to cybersecurity normative agreements as well.

And finally last year we looked at, well, not finally because we are here to discuss this year, but last year we looked at, again, what are the drivers within normative agreements that commonalities, and specifically we looked at cyber incidents that have happened, major cyber incidents and I'm sure many of you will be familiar with and asked whether or not the application of cyber norms may have changed the course of what happened or significantly impacted what happened.

So there are some lessons learned from that which we will bring back to the discussion later on.  As you can see, the work of the Best Practice Forum has been taking what has been agreed in spaces outside of the IGF and bringing an expert‑driven, multistakeholder perspective to that to try and help support implementation of those important agreements from an evidence basis.

So I hope you find the discussion interesting, and we will now be moving into the work streams themselves.  So the three work streams as I mentioned earlier focus on different areas of our work, but they are also led by different people, and so I want to welcome John Hering, and I think Pablo is also here ‑‑ no, just John, who I hope is online to take us through the analysis and the findings that this work stream has done this year on cyber norms.

>> JOHN HERING:  Hi all.  I'm very sorry I can't join you in person, Ethiopia this year, and I hope everyone is having a successful IGF.

As Sheetal said I helped coordinate the work of work stream 1 and have for the last couple of years which begins with capturing what are the norms agreements that exist, just sort of the grunt work of maintaining an ever growing list, a proliferating cybersecurity norms agreements.  We can proceed to the next slide.

And we are up to 38, so 38 total international cybersecurity norms agreements we include in the scope of our work.  There is a fairly specified set of criteria in terms of what agreements can be included or are to be included in this.  If you haven't discussed work stream 1 and the agreements we talked about in the past, these need to be agreements that include not binding legal commitments but just cybersecurity non‑binding voluntary norms.  They can apply to any stakeholder groups and indeed some of them are strictly for a Government multilateral community and others for a broader multistakeholder community.

This includes the UN group of experts reports, the recent open‑ended Working Group report, as well as norms and principled commitments that exist in single stakeholder commitments like the industry commitments in the Siemens Charter of Trust or the cybersecurity tech accord as well as multistakeholder commitments in the Paris Agreement.

After working wither community of experts in work stream 1 we were able to identify two new agreements from the past 12 months that would fit the criteria for the norms agreements that we look at.  Those include the Copenhagen pledge on tech for democracy launched last November by the Danish Foreign Ministry which is a multilateral agreement, or a multistakeholder agreement, and then the U.S. State Department's Declaration for the Future of the Internet, which was released last April with Government signatory.  So it was an intergovernmental agreement, but both included principled cyber norms, commitments for those who are supporting those agreements.

So this gives you an idea of then once we have the list of agreements to break down what are the actual norms, elements that we break out, and we have six different norms categories here in terms of norms for rights and freedoms, information, security, and resilience norms, reliability of products, cooperation and assistance that large fifth category is restraint on the development and use of cyber capabilities so commitments to things that states or other actors would not do in a world of escalating cybersecurity challenges and escalating risk and then finally our technical and operational cyber norms.

I won't break out each of the subcategories there, but there are obviously respective elements for each.  So a dizzying heat map of what this looks like from a data perspective and it grows, this is our third year applying this same kind of analysis, although the actual norms elements we have been looking for have been evolving over time, but just indicating for each of the 38 agreements where do we see in each of our community of experts goes through the agreements themselves to identify when each of those norms elements are present to let us see where the commonalities are over time.

A much less dizzying way to look at it is the subsequent slide.  So just quick frequency table to highlight for each of the norms categories and then each of the norms elements how frequently are they existing across all of the 38 agreements, and some just big highlights looking at it overall are that human rights and general cooperation norms are far and away at this point the most commonly seen norms elements across agreements.

The general cooperation and human rights elements I think probably unsurprising given increasing focus on making sure that our freedoms and liberties online are as protected as they are offline, and agreements themselves have an element of general cooperation to them.

What have been less frequent, although are becoming more frequent, are any norms that relate to express restraint on what either Government actors, private sector actors or other actors will not do as it relates to normative behavior.  So, again, with just two new agreements, these general trajectories and trends have not changed dramatically this year.  If you joined us for the discussion last year, you would hear similar discussion.  What has been interesting digging deeper into the data and looking at this over time, and so you see the 2008‑2011 period in the upper left‑hand corner and then the recent period of agreements, those from 2020‑2022 or perhaps 2019 ‑‑ 2020.  Yes.

Seeing which norms elements are increasing.  What are our rising norms that over time are becoming more commonplace and which are declining?  Human rights interestingly has become much more prominent.  Nearly universally common any norms agreements that we have seen in the most recent time persons with disabilities, but were much less common elements reflected in earlier norms agreements dating back to the earliest we found in 2008 to 2011 period.  Focus on elections, both security for your own election systems and then also for swearing attacks on other electoral processes of other nation states have become much more common as normative expectations and agreements recently.

Then we have seen while there is still the least common category of norms to be present, we have seen a dramatic rise in all of those restraint category norms with Governments and other actors committing to what they will not do in various circumstances.  You can see that in the top section of each of these agreements, each of these sort of time panels to see that rising over time.

The declining norms, there was much more focus in normative agreements on personal data as well as on the behavior of non‑state actors, both of which have become less common to see in normative agreements in recent years.  So, again, those trends are fairly static from last year, and just an iterative update on the report we have been doing adding in the newest agreements we have seen.  There is something interesting, I think, in the new norms agreements we have included just in the past year.  Those two that I mentioned, first the Copenhagen pledge on technical for democracy and the Declaration for the Future of the Internet.  They have overlapping qualities as well as norms elements that set them apart, they are both independently led committed by two Foreign Ministries, the United States and Denmark respectively.

While one is multistakeholder and the other is intergovernmental as an agreement, they both have emphasis on protecting democracy and trying to work to build democratic coalitions, both of Governments in the one case, and then for a broader multistakeholder community in the other case.  And certainly given escalating geopolitical tensions overall, and obviously escalating conflict online between adversarial nation states in particular over the past year, it is interesting to see agreements continue to crop up that are a bit more focused on that political identity as part of the normative space.

There is also a focus in both of these agreements on disinformation, misinformation, and influence operations as it relates to the security of democracies.  And then finally beyond these agreements there is a growing interest in combating ransomware as an action element of agreements we have looked at.  This includes express recognition within the Declaration for the Future of the Internet, concerns about ransomware as a national security threat and collective efforts under the Paris Call for Trust and Security in Cyberspace as they start to action the commitments within that agreement to focus expressly on ransomware as an area of priority concern.

I will leave it there in terms of update from work stream one.

>> SHEETAL KUMAR: Thank you, John.  I should have mentioned that you are in the digital diplomacy team at Microsoft as well.  So thank you for that.  Unfortunately, the speaker or, person who was going to come in to comment is unable to join us online at the moment, but this provides us with an opportunity to open up the floor a bit to you.  If you have any questions for John about the analysis, about those findings, which are very interesting, and whether they reflect your understanding as well of normative agreements at the moment, or if you want to share your own perspectives.

I'm also looking at the chat online so I can take and field questions there.  I don't see any at the moment there does anyone in the room want to ask questions.  Please introduce yourself if you don't mind.

>> AUDIENCE: Thank you so much for this great presentation.  I am from Tunisia.  I have another question related to child online protection if Mr. John Herring has suggestion or exclusion or is there any agreement.  Thank you.

>> JOHN HERING: Thank you so much.  So child and online sexual exploitation is not something that has come up in the context of this analysis because most of the norms we look at has to do with corruption of technology itself as part of the cybersecurity norms as opposed to being focused on content related crimes or either elicit activity that abuses technology in that way.

And so those conversations have been tangential and not directly as part of the sort of cyber norms commitment which has been a bit more focused on, and more traditional cyber-attack settings what are either Governments or industry or other actors committing themselves to doing or not doing.  So most of the agreements related to child online sexual exploitation or any number of other content crimes are generally dealt with in presumes that are not addressed directly by this work stream, but it certainly is related.

>> SHEETAL KUMAR: Thank you, John.  I see a couple other, well, one hand at the moment.

>> AUDIENCE: My question is cyber-attack, I'm health professional.  We have antidote for every drug, poison, even if it is a poison, so for the cyber-attack with advancement of technology, is there any strong mechanism in place to early detection and deprivation of cyber-attack?  Again, I'm using the medical terms, early detection of cancer prevent and preserve lives.  So is there any advancement technology in early detection of cyber-attack, because now it is, we are sitting a lot of cyber-attacks causing economic and national safety, interpersonal crime, a lot of things damaging the national, even more importantly it is security risk at a national level, and safety risk at personal level.

Is there any mechanism in place as antidote, anti-attack and early detection?

>> JOHN HERING: Thank you for the question.  I think that certainly where conversations have been trending, okay, these are the commitments we have made to what responsible behavior would look like but what does information look like.  I will put on my Microsoft hat to answer with three things.  The first in terms of the what are structures for early detection and awareness.  We along with most others would say that an approach to security architecture that focuses on what's called a zero trust framework such that you are assuming there is a breach within your systems and then looking for evidence of that breach to triage it is I think the current gold standard of security architecture.

That winds up being a bit more of a complicated implementation process for technical teams, but what can be a priority for every Government around the globe is the second element here, which is improved cyber hygiene.  Even things as simple as implementing multifactor authentication which is still even as a best practice something that is I think dishearteningly low in terms of adoption around the world.

We are talking in the very low percentages of people choosing to toggle on and enable multifactor authentication across their systems and devices, and from Microsoft's internal research, the vast majority in terms of the upper 90 percentile of successful attacks are still gaining access in ways that could be interrupted through the adoption of multifactor authentication.

So if there is one thing to take back as a high priority, I think it is inoculating your society by promoting the adoption of multifactor authentication.  Once those rates jump to 50, 60, 70, 80% adoption, you have a much lower success rate for attackers and you just raised the bar for ability to intrude systems.

And then finally, and this is from an industry perspective, obviously security is easier to help provide and support when things are based in Cloud Services because you are just able to see a problem across a larger landscape and inoculate more quickly.

>> SHEETAL KUMAR: I see a couple of questions.  We will have to move to the next section soon.  Please do keep them and we can try to come back later.  I think there was one here.

>> AUDIENCE: Thank you very much, I'm Tulio from Brazil, and for us the realities that we see cybersecurity as a global issue that requires global institutions while obviously not leaving no one behind, no individual, no country.  And one thing we have with declaration of the Internet is not inclusive, it was not an initiative that was open to engagement by all countries, especially countries from the Global South who are the most vulnerable in terms of cybersecurity.

And so my question would be on responses that are truly multilateral supported by multistakeholder and I would be very interested to hear more about the role of the ITU in this regard in terms of norms.  Thank you.

>> SHEETAL KUMAR: Okay.  That question, and then we will go back to John if you want to respond, John, and then we will move onto the second part.

>> AUDIENCE: Thank you.  It was indicated that there are a number of cybersecurity norms agreements, however, in the establishment and implementation of this different security, cybersecurity agreements, the global community do not engage in a uniform way.  There might be some certain part of the world where even not aware about this agreement and norms, and it was also said that in rising, in rising norms this agreements are used to promote and protect human rights dealing with elections, all restrained norms.

When these are used under the pretext of human rights, under the prehumanitarian concerns and elections and promoting democracy, the outcome on the other side happens to be interference under these pretexts in the internal affairs of those countries, and also in position of values than really promoting the true nature of human rights, democracy and humanitarian concerns.

And the consequence would be devastation and resulting in antidemocratic outcomes.  How do you see this?

>> SHEETAL KUMAR: John, do you want to speak to that around the implementation and awareness of the norms.

>> JOHN HERING: Yes, absolutely, I think both certainly valid and interesting, both points and questions to raise here.  On the sort of inclusiveness of agreements themselves as the first speaker mentioned, we were not privy obviously to the negotiations behind any of the agreements of the 38 in the list including the two most recent from the past year.

I do think it seems as a trend that cybersecurity norms, dialogues are becoming more inclusive over time as we look across the breadth of agreements that we look at the original UN group of governmental experts I think was just among 15 states and that grew to 25 over a number of years.  Of course, that's been replaced effectively by the UN open‑ended Working Group on information security, which is open to all UN Member States and I think has a much higher rate of participation.

So in that sense, I think things are growing at least in that space.  And, of course, we see a growing number of multistakeholder cybersecurity norms, dreams, which would reflect a broader community at least engaged in supporting the agreements whether or not they were involved in the crafting of the agreements themselves, I certainly couldn't speak to.

I think it is at least the trend we are seeing towards things being more inclusive there.  And then in terms of having the global community then more engaged even when the doors are open to that community, I think that continues to be just from my own personal experience of observing these processes a learning process that is still taking place.  One thing to flag is that next week in New York, and I think, perhaps virtually as well, so it may be a hybrid engagement that the open‑ended Working Group that I mentioned previously, the current iteration of that security dialogue is having their intersessional meeting which will have a heavy multistakeholder consultation component to it.  So I know Microsoft will be showing up to participate and provide guidance for those dialogues there, along with a number of other multistakeholder partners that will be using it as an opportunity to engage directly with Governments who are obviously the ones who will vote and make decisions in those dialogues at the UN.

If folks are looking for a place to receive input, to provide their thoughts and opinions on the dialogue, that might be the most approximate opportunity next week.

>> SHEETAL KUMAR: We are going to move now to the second part of the presentation, which is about taking the norms from where they are agreed and putting them in the so called real world.  And analyzing cyber incidents, what happened, the impact and how were the norms related to them.  We are calling it story banking and I'm happy to introduce Malorie Nodal, Center for democracy in technology to take us through the session.

>> Thanks, Sheetal.  I'm joined by Gabriel Rodriguez.  Let me frame a little bit the work stream 2.  It's complementary to work stream 1.  Rather than starting with the norms, analyzing those, we actually are investigating the last couple of years the events themselves, the cybersecurity incidents to gain insights about whether or not norms have had an effect.  That was essentially what we looked at last year.

We took key cybersecurity events, we analyzed them to varying degrees.  Three of them we actually used qualitative methods on, so we interviewed and we asked questions to those who were actually most affected in the cybersecurity incidents or people who were first responders to solving the cybersecurity incident.

As we did that qualitative review and sort of tried to draw some conclusions on the question have high level norms had an effect on cybersecurity events or vice versa, have some very high level notable cybersecurity events had an effect on norms.  We have wanted to then continue this work and to build on that.

I think one of the big insights last year, and this converges a bit with some of the norm setting that is, that happened this year and that is ongoing is that the IGF, the global UN multistakeholder IGF is in a really good position to bring the voices of those most affected by cybersecurity incidents and those who are in the field mitigating cybersecurity incidents into these norms, discussions and debates.

So that's the real aim at the end of the day of the work stream 2.  So to that end, what we are talking about then with story banking is a way of capturing that, both incidents that have happened in the past, but as very unfold to make sure we are actually understanding what's happened in these events and how norms might better meet the moment.  I think this also speaks to the question we had in the last portion around representation.

Are the norms properly representing all around the world, all kinds of incidents or are there gaps?  So this kind of exercise might be able to uncover those if we continue it in the future.  I wanted to pause there before I describe what's on the slide right now.  Actually, as Gabriel, if you would mind coming in and telling folks a little bit about the value of story banking, what it is as a strategic communications mechanism, and how it can affect change in the way that we are hoping that it will.

>> Gabriel Rodriguez:  Any name, I'm a strategic communicator and strategist based in the U.S.  I will talk very briefly about storytelling, story banking the way they are used and the considerations that that go into thinking about before we actually engage in storytelling and make sure it's going to be effective and achieve the goals.

Like we said, storytelling is an incredibly important strategy.  You see history of social movements the world over focused on and centred around stories and the narratives that grow out of stories.

It's one of the reasons that stories and control of stories and information is such a high priority if I'm talking here in the U.S. context, people in power, people who are seeking to create order or create kind of conformity of a response.  And so I want to talk about considerations, some specific strategy considerations for the how storytelling and examples and guidance that might serve as a bit of a starting point, but I really want to start by saying at a high level we always, and what we have seen again and again is story banking, storytelling in and of itself without a strategy usually isn't very effective.

If the goal is to bear witness, that is a legitimate use of storytelling, but particularly in a form like this or when have you multistakeholder engagement like we are seeing here.  It falls a little below the standard and the hopes and the goals.  So those who trust and trust institutions with their stories obviously might be putting themselves in personal risk.  They clearly have invested time and effort and there should be expectation of this being meaningful.

It helps us be more clear about the intended outcomes.  If we hope our stories are going to guide to specific change, we need to be clear about that, because we need to be clear about those changes we are seeking as well.  I think that ties into the conversation Malorie said about representation.  It also ties into the conversation we saw about the work streams and work stream one and about agreements and kind of consensus around what are we trying to do with these stories.

So the second part of that that's really important before we dig into the actual storytelling component is talking about audiences, decision makers, and I know, and I don't want to call out examples but there are tons of examples of powerful stories that have been beautifully rendered that actually affect change.

>> SHEETAL KUMAR: Gabriel, we cannot hear you.  With tech support maybe we have had the audio cut out.

>> Gabriel Rodriguez:  Can you hear me now?  It seems online we can hear.  Malorie, can you give me a cue of where you lost me?

>> I think you were getting into actually some examples of the stories.

>> Gabriel Rodriguez:  What I was saying we have seen a lot of beautifully rendered stories, things that have taken a lot of time that have failed to drive consensus, failed to really build a coalition and failed to achieve the goals they were setting out.  And part of that is because we are talking about who are we trying to actually reach with these stories, and when you are talking about something like this it's very technical, thinking about making sure that the stories meet the standards we need to actually give us the information to shape a response, to actually address certain specifics.  What I saw in some of the materials was that there was, some of the standards and some of the agreements got a long way, but there was a lot of nuanced missed that could be valuable.

So thinking about that and putting that at the front of the conversation, but putting the considerations of who ultimately will be held responsible for implementing changes and making sure that the story is connecting with them and not simply creating an emotive moment for us.  That is, you know, that's going to be the difference between something that sits on the shelf and something that actually is effective.

So now talking about the how of storytelling, and I think that this is one of the areas I want to spend a few minutes, Malorie, before I pass it back to you, and that's thinking about stories as being relationship and consent driven, and I think this goes to the conversation we had and some of the questions we had earlier.  The hope and the goal while we might have a goal about what we want to achieve and where we want to learn, that can't override the importance and the decisions that the people need to make to actually participate in this process.

We need to operate with a level of trust and mutual respect and understanding about what is the story going to be used for, and really what are the limitations around that, and also getting beyond that, talking about safety at the forefront.  And I think you can see a lot of organisations that work on international human rights issues and particularly observations around violence, war crimes, that sort of thing focused on proactively giving people opportunities to understand what are the risks, what are the challenges, and how can we help support them in that process.

Not just here are some risks, but what are some of the considerations we can help you with.  What are the things we can do there?  So putting safety at the forefront and I think of organisations like Witness, and those areas where they are looking at the standards of holding storytelling to the standard of actual evidence as one of the places where we can learn a lot from that kind of work.

Now, that also kind of ties back into intentions, ramifications, uses and being clear about where is this going to go, how is it going to be used?  And also being clear about the fact that maybe we can't control all of the ways a story is going to be used, particularly if we are talking about open source stories or stories being shared publicly.

We can't have 100% guarantee that we know all of the ways that it's going to be used.  We need to be honest about this too so that whether or not people decide to participate is an informed and consensual decision.  And that kind of leads me into the conversation about where and how have we historically found stories.  And I think, Malorie, I would love to give you space to talk about this more, but I see this in two ways.

One is building relationships with those who are closest to the issue.  So rather than seeking to sort of open up a net and hope to catch people as they come, that is possible, and especially with a platform as big as IGF, that is something that can happen, but to really get to the level of detail, the level of clarity that we need from stories to be successful, we need relationships and we need to lean into organisations whether that's Government, whether that's civil society, whether that's companies in the for‑profit sector that have the level of trust and leveraging that rather than seeking to necessarily always build our own collection mechanisms from whole cloth.

The second part is open source and I know there is a lot of interest in open source particularly in video and people are excited to tell their story to highlight the impact of these things on platforms, but, again, that doesn't necessarily mean that they are aware of what their story can be, how their story can be used and the ramifications of that in a different, you know, when it actually is brought into a formal process like this.

So when we are talking about open source leaning into organisations and best practices from organisations that know and have really built those structures to make it as safe as possible, and as high quality as possible because it's not helpful if it doesn't give us the information it needs.  That's why I like to bring up a couple of examples where we talk about one of the ones I think of that comes to mind for me is witness, which is a global nonprofit that helps people use technology to protect and defend human rights.

They take what I call a bottom up approach.  They empower through a lot of training and we talked about digital hygiene, giving people the training and security to protect themselves but also to create stories and content, that is discoverable and that is of the standard that we need to actually learn something from it.  So that is one avenue that has been highly successful from that more open, bottom up or grassroots perspective.

The other side is something like citizen lab and other research labs where you have seen work focused on specific issues around spyware and things like that, and that's a more centralizes and more public approach, but, again, when we are talking about trying to drive consensus, trying to drive, pull information in to help us advance a response, there is some pluses and minuses to both of those.

So I don't want to spend too much time because I know you have a lot to say but I want to talk about what I want to focus on is the stories here are powerful tools.  They are not magic.  It really requires clarity about goals and about who we are trying, where we are trying to use this, what kind of information we need to gather and build, because there is a lot of stories we are going to hear that high be very compelling, very, they might be emotive, they may make us feel something, but if they are not helping us get the work done then that's doing us a disservice.

It's also doing a disservice to everybody invited into the process because they will see it fall short of what they hope to achieve.  I'll pause there because I put a lot out into the world and I want to make space for others to chime in and for you to talk more about what's going on.

>> Thanks a lot.  Yes, this is really helpful.  And I think it also speaks to how all of the work streams in the Best Practice Forum are connected and this one is also not just connected to the first work stream but to the outreach third work stream in that work.

So I did want to just comment on a couple of ways to make this more practical for folks, what have we done this year, because hadn't gotten to that yet.  What we had done is we built on our methodology last year of when we collected cybersecurity event stories, how did we do that?  How did we decide in what kind of information did we want?

So we turned that into essentially a form that helps us track events in the past, but also going forward as they would occur.  So you mentioned, I think, a good point about how we relied a lot on stories that had been told in the media.  We had primary sources available, and then for the connections and the personal connections or professional connections we had, we would sometimes follow those up with qualitative interviews.

One of them, and I encourage folks to go back to the 2021 report and read it was a citizen lab on discovery around Pegasus which continues to unfold.  And that was done by Evan Summers who was a great contributor and great researcher on that and set a good example for how this could work in the future.

We wanted to create mechanisms to essentially do that for more incidents going forward.  We could actually stop there because I think we might have been over time a little bit.  So why don't we progress the slide.  I want to give folks an example of real world incident and how we would look at this.  It's actually one we didn't do last year, but we tracked for this year because it just happened.

So this was the log 4J vulnerability if folks saw that in the news cycle at all.  There are a few slides related to this.  I will not go over all of them, but the first slide gives you a picture of the timeline, how a researcher came about the vulnerability, and then how it played out in terms of response and mainstream coverage of the vulnerability and how that sort of created a bit of a cycle.

And so then what we would do after sort of understanding and covering all of the different steps in what actually occurred is we just try to create a narrative around it, and especially we are focused in on how norms might have prevented this, what are some of the relevant norms packages that would have addressed the things that went wrong in the log 4J vulnerability, because it's not that the vulnerability that existed that was the problem, it was the response fell down in a lot of key ways so how would improving cybersecurity norms prevent poor response and improve the future.

So that's where the story of story banking and the complexity comes in, so sometimes you have to ask people involved and why did that not work out?  What was the challenge at this particular point?

Then the real thing we were suggesting last year, and I think continues to be part of this best practice forums's work is relating that story then to the norms either that could have potentially improved the situation or in some cases such as some of the norms, some of the incidents we have researched in the past actually led to the creation of norms.  It could be one of the reasons, one of the explanations for what John's Working Group or work stream one has uncovered in terms of trends.

Why are cyber norms changing in certain ways.  It may be based on incidents that have happened recently, such as elections, for example.  So the text is tiny, but we have seen two norms in log 4J, coming from the UNGGE, and I apologize for the distance of this.  It's related to states' responsibility in creating confidence in products and due diligence for export and things like that.

And then also I think there is another norm in the same document from the GGE2015 report on remedy of vulnerabilities and the way they are disclosed and actions.  So those, the nuances, I think, could be improved there.  That was the sort of conclusion, just from this very short analysis, again, it was not something that the work stream actually focused on this particular one.

I just wanted to give you a feel for how the story banking leads to some learnings for Best Practice Forum.

>> SHEETAL KUMAR: Thanks Malorie.  I find this fascinating and I think it's helpful, but I hope that you do too and unfortunately we don't have much time for questions on this aspect because Malorie, I understand you have to go in ten minutes.  25 minutes.  Okay.  Great.

So we could take some questions at this point on this, and if anyone online wants to come in, please raise your hand, and then I think we will go straight to the myth busting paper before we discuss work stream three, which is about outreach.  I see a hand here.  I will go to you, sir, if you could introduce yourself, and then ‑‑ thank you.

>> AUDIENCE: My name is Robert Ford from Rwanda.  I have two questions briefly, in the discussions we just added to parts of the discussion we have had, I didn't capture very well the international framework on global cybersecurity incident.  I know that nations, countries have their own mitigation mechanisms against cybercrime, but I didn't capture very well how this is linked to form a global set.  And two, I think you mentioned about the research you have been doing in the recent past, but I also didn't capture very well what are the main categories of incidents you have seen and which you think should be of global concern for nations around the world.

Then last, can you confirm or deny that some of these breaches have politically motivated origins, especially when it comes to nations against nations as you would confirm for cyber wars.

>> Taking those in turn, it's not so much that we have created a framework for enforcement of any kind.  One of the hallmarks of cybersecurity and efforts to set norms around cybersecurity is that it's very much a multistakeholder, multistrategic effort.  Many, many different methods and many, many different actors are needed in order to prevent, mitigate, right.

So it's more about capturing what actually occurred, and so that kind of speaks to your second point.  One of the things we did capture, of course, when we were welcoming at past incidents was what was the incident?  Was it a vulnerability?  A breach?  Was is a persistent attack?  There were several categories.  If you go back to last year's report, you will find our methods and you will see which categories we have assigned to all of the incidents we have looked at.

The last piece around are some of, it's a question of attribution.  So I think, and maybe this would be a larger question for other cybersecurity experts in the room.  I think what we are really concerned about is end results protecting people, and really focusing here on prevention, mitigation, so on and not so much attribution, it can sometimes make costly to be an attacker because it's a reputational damage.

But I don't think that that's the end goal.  It's not something we focus on very much, and I couldn't tell you, for example, any specific attribution because we didn't study it in that way last year.  Others feel free to chime in if you feel like that is not the right analysis for this group.

>> SHEETAL KUMAR: We have very quickly, Wolfgang, if you can.

>> AUDIENCE: Thank you very much.  My name is Wolfgang.  I'm a retired Professor.  My question is a more procedural one.  The Best Practice Forum on cybersecurity is an excellent multistakeholder platform for discussion for collection of cases and data, but the negotiation as you have mentioned are taking place in an intergovernmental setting in the United Nations, and we know how to figure this that non‑state actors can raise their voice in the augmented Working Group.  So it bridge the gap between discussion and decision making.  The IGF has now a new Leadership Panel which could help to bring the messages from this place into the negotiations hall.  So one of the members of the new panel is Toomas Hendrik Iives, former President of Estonia and recognized cybersecurity expert.

Any question to the forum is how to make use of this, bring is messages from here to the negotiation table.  Thank you.

>> SHEETAL KUMAR: Thanks Wolfgang.  I think that's a good point and our work stream, the Best Practice Forum does have a work stream and outreach which Markus and I have been working on, so I will be on OEWG intersessional John mentioned next week to present or and to share findings.

Also, I think you are right.  I think there are changes within the IGF and opportunities that we can leverage, and that's a very good one.  As we have said, this is research that has taken the decision that is happening at the UN and unpacked it from different angles, and brought some key findings, I think, that need to then be fed back to that space, and the Leadership Panel may be one way of doing that.

Malorie, did you want to add anything to that.  Okay.  Agreement, which is also a nice thing to have.  Okay.  So we are going to move onto the third part, which is a paper that was, as I said earlier, a lot of the work we have presented builds on previous work, but this year we did something a bit new.  And it responds to what we have heard and we experience and see happening in discussion spaces around the issues related to cybercrime and cybersecurity which is often a conflation between the two what can have real world impact.

We wanted to provide a discussion paper to help elucidate the differences between the two.  Malorie, you  kindly offered to present this as well.

>> Thanks, this was a group effort.  And it was in responses to the ongoing parallel progresses, the ad hoc Committee on cybercrime that is ongoing and the ongoing cybersecurity work.  So does the Best Practice Forum work on the cybercrime treaty?  Not so much.

That was the response, but why?  How could we use this opportunity of these two parallel processes to talk about differences, and also to, I think, really taught the benefits of taking a cybersecurity approach to things.  We encourage you to take a look.  So if you could go to the next slide I will get into the myths we uncover in the paper, again, which is still in draft form and we would welcome feedback on it.

One of the prominent myths that cybercrime and cybersecurity are the same, maybe that cybercrime, I'm sorry, cybersecurity is policy and is proactive whereas cybercrime policy is reactive.  This is false in fact, we feel that ‑‑ if I can't read it, you probably also can't, so I apologize.  Cybersecurity is a bit more of a collaborative approach, of course, whereas cases handling criminal law enforcement are mostly out of the hands of stakeholders other than the state.

Cybersecurity sort of takes a holistic approach recognizing vulnerabilities in systems and doesn't take only punitive means to mitigating them and that also feeds into, I think, the next myth.  So I'm going to ask for the next slide.  So the considerations then for human rights are equally compatible with cybercrime and cybersecurity policy.  That is not the case because, again, of this sort of more punitive carceral securitization framing of cybercrime.  It means that human rights are not part of the conversation.  They are not being balanced.

It's not the job of law enforcement or criminal investigations or criminal prosecutions to weigh privacy concerns, for example.  So with cybersecurity we have had historically a lot of opportunity because it's a more multistakeholder broad approach to really infuse human rights perspectives and to remember that humans at the end of the day are at the centre of why we are focused on improving cybersecurity for everyone.

So the next myth that we uncover is the security of information is a consideration for both cybercrime and cybersecurity.  So that is also not true.  Well, it's controversial.  So information security is sometimes interchanged with cybersecurity, but they mean actually quite different things.

So within the context of the engineering practice of cybersecurity, it's really about processes, systems, stability, protocols, things like that, whereas information tends to be a bit controversial as something to be included as a threat because that really fringes upon ideas of free expression, right to information.

So we don't tend to want to include information security within a cybersecurity framework because of those risks to human rights.  So next myth that we uncover is that countering cybercrime is an important tactic for cybersecurity.  So this is actually a really important myth to talk about why that is not the case.  And it is because cybercrime laws often the way they are written explicitly outlaw security research or uncovering code exploits, and that can really negatively impact really important approaches in cybersecurity.

So security research is incredibly important in cybersecurity.  It helps to prevent incidents.  So when you create, when you create a law that outlaws the ability to investigate code, to research code, that sort of thing, you are taking away a key tactic that we use in cybersecurity.

Next myth is that enforcement improved, so cybercrime and cybersecurity improve with enforcement.  We have touched on this already, but it's worth creating its own specific point around.

The myth there centers around the fact that what I think was my response to the speaker already, which is the enforcement is really around laws, and so that's a cybercrime realm where as in cybersecurity, the equivalence is compliance rather than enforcement.

So it includes sometimes detrimental, you know, detrimental consequences, but it also can include incentivizing compliance with cybersecurity best practice.  So it's a more about an ecosystem approach and less about sort of the stick approach versus the carrot approach that is cybercrime.

And I think that's it.  So, again, would encourage you to go to our Best Practice Forum on cybersecurity page of the IGF where you can find that paper uploaded, and we have been accepting comments and we will have a final version shortly after this event.  So thanks.

>> SHEETAL KUMAR: Thanks Malorie.  Thanks for taking us through the paper, which as you have said is online, so perhaps you have had a chance to look at it on your device.

But you have been here for the presentation anyway, so if you have any questions about the myth busting paper and it's very much a discussion.  It's meant to inspire us to ask the difficult questions and engage on this topic by providing some clarity as well.  So you may disagree.  You may agree.  It will be interesting to hear from you.

I'm also looking at the online participants to see if they have any thoughts to share.  Anyone want to react to some of the presentation?  I know I missed people earlier, so we can come back.  There is one here, and then someone at the back there, and then someone at the front here.  If you could introduce yourself.

>> AUDIENCE: Thank you.  I am from Ethiopia.  As we all know security is something that we do.  (Captioner unable to hear the speaker).

These technologies depend on affordability of the country whenever they can.  So whenever the prices are less, most of the time it is vulnerable.  So what types of policy or what types of strategy would help us to find these kinds of problems.  Number two, the best strategy to defend our cyber is educating users.  End users are the most important.  Whatever technology we use unless we educate our users, there will not be a cyber defend.

>> SHEETAL KUMAR: I think the first question spoke to a point you made earlier about the need for a holistic or ecosystem approach cybersecurity because of vulnerability in one place will affect others elsewhere.  So thank you for those questions.

>> AUDIENCE: My name is Saeed from Ethiopia.  My question is in the previous which says there is no enforcement for both cybercrime and cybersecurity, but why we can't enforce the service providers and have the actors secure their service or their materials by following the best practice to give their servers or to make their servers secure for the users.  Maybe, for example, to use sophisticated crypto system or to protect the data or software or to gap the vulnerability, why we can't enforce the service providers and the manufacturers to secure their servers or their hardware.

>> SHEETAL KUMAR: That's a very live question including at the UN discussions that we have been discussing here.  Thank you.  So we will take a question there and we will go back to Malorie and any of the other panelists.

>> AUDIENCE: My name is Kareem Mohammed.  I am a MAG member as I am finished my term this year.  I have a small question linked with the first presentation on agreement.  I would like to know when we talk about agreement on how to consider, how to define what is a cybercrime, do we, are we on agreement on disagreement?  Because we can consider in the point of view from one country in the global era or in one region that can consider a cybercrime, and on the other side, other country's origin do not consider it.

How do we reconsider the agreements that we should have in a global era where Internet recommendation becomes a reality, and I don't judge is it good or bad, but the reality now linked with the global multilateral governing the world, how we are going to evaluate in this era by defining what is a crime, what is a cybercrime, and to fight it together.  Thank you very much?

>> SHEETAL KUMAR: I can take that one if you want.  Did you want to respond to the first?  Okay.  So I think in response to that question, it's very important to coordinate spaces like the IGF provide that opportunity to understand better what different measures different actors are taking to address similar issues and to provide a common understanding, for example, what threats there are and with regards to the discussions at the UN or the ad hoc Committee on cybercrime.

It's very important the discussions are inclusive of stakeholders who can then make sure and support states to ensure that there is consistency between legal frameworks and that the framework adopted is practical and implementable.  So I think the IGF is one space, but it's also important for states and other stakeholders to go and meet with others in other relevant forums and ensure that this information sharing coordination is happening.

So I hope that helps a little bit, but Malorie, I will turn to you for the first couple of questions.

>> Apologies, I will just speak to the question about why enforcement is maybe not the only one or why it may be a controversial approach.  I think in general it's not actually particularly beneficial to encode in law that one must comply with certain security protocols or so on because they change.

So there is potentially a better approach is to think of outputs, what are the outcomes, what are the consequences, for example, if you lose millions of users' data?  And there are consequences for that.  So that would be considered enforcement.  If you are irresponsible with the data given to you, there will be consequences.  You can't provide a market or service unless you check these boxes, that's much harder to do, much harder to define what that looks like, and it also can lead to negative consequences because we have to rely on places like standards fora and others to really define what is the standard and then allow for a gap in implementation, innovation, and products and services that are adaptable.

Also that are speaking to the last question, that are global in their nature as much as possible so that we don't actually end up defining certain standards across different jurisdictions.  Maybe there are others from the Best Practice Forum or other cybersecurity experts in the audience that would have additional answers for you, but its typically not the sole approach of cybersecurity to do enforcement.

>> SHEETAL KUMAR: Thank you, Malorie for staying despite having other engagements.  Does anyone have any other questions on this particular topic before we move on?

>> AUDIENCE: Thank you very much.  Chair of the Advisory Council of Africa alliance.  Just two comments.  The first is with regard to laws cybersecurity law or guidelines, I'm happy to let us know that yesterday UNECA launched guidelines on the model cybersecurity law to protect their website.  It really talks about compliance and that.  Secondly, UNECA also commissioned research that brought out an outcome which says 0.66% is the GDP increase if we apply 10% maturity in cybersecurity.

So 10% majority will be about 0.6% and 5.4%.  So the question is have you seen relationship that is Best Practice Forum, you also consider relationship between cybersecurity majority and GDP.  Thank you.

>> SHEETAL KUMAR: Can I clarify the end of the end of the question, between cybersecurity, maturity and?  You said have we seen a relationship between cybersecurity maturity and.


>> SHEETAL KUMAR: Yes, so with development.  We haven't really looked into that in great detail at the BPF, but I think that there have been discussions happening elsewhere within multistakeholder spaces that have seen that depending on how much resources you have, as you say, the placement of cybersecurity on an agenda, on a governmental agenda will have to compete with a lot of other issues.

That often means that the requisite capacity and resources to do even as John was mentioning earlier, basic cyber hygiene, like multi‑ factor authentication within Government and supporting that within wider society becomes a difficult or is not prioritized.

So there is that correlation that we have heard others speak to and other spaces we particularly here at the BPF haven't done that analysis or research.  What I'm speaking to is actually a multistakeholder event that happened on the sidelines of the Africa IGF in Malawi earlier this year.

My organisation and others and including with support of the AU got together a multistakeholder convening which included CERTs, law enforcement, civil society and Government to discuss cyber capacity building needs and we intended to feed that in the open‑ended Working Group at the UN.  One area we uncovered is certainly the prioritization of cybersecurity is an issue for many states and particularly smaller states on the continent who do not have the capacity or the resources to contribute to not even just implementing the UN norms, but basic cyber resilience as you mentioned.

Happy to share more about that, but that's not part of the Best Practice Forum.  I should mention, but it is in the spirit of multistakeholder convenings and how important it is to understand cyber capacity needs by bringing the discussion to people who are affected by poor cybersecurity.

I see a question here.  Is there anyone else who wants to add anything before we move to the final part.  Okay.  I see two questions.  We'll go to those.  Thank you.

>> AUDIENCE: Thank you.  My issue was for the previous presenters.  I really want to know how the storytelling approach to generate of the norms works?  Who is the initiator?  Is it the victim that is going to develop the events?  I can see the log 4J approach from the initiation up to the patching and dispatching and creating, I mean distributing of the norms to the others make create a lesson for similar events, but as we see the cybersecurity event is instant and it can be disseminated in a global way.  It will not give us time to take a lesson from certain events until the other is going to be prevented.

If there is any way that it makes it more interactive from starting point and we created of the norms if you get my point.

>> SHEETAL KUMAR: So I know Malorie has left.  I will try to respond it that quickly.  The aim is to, we see this as spaces evolving.  Will implementation of the norms is ongoing.  It is inconsistent and not always well understood what needs to be done.

So what we were hoping to provide with this research is a real, an understanding of what is really happening and the gaps in terms of norms so that they can be implemented from an evidence basis, and there is an ongoing interpretation of the norms within the UNOEWG, there is an ongoing discussion there about what, how to implement the norms, what factors to consider.  So this is certainly still possible to take these findings and feed that in, have the discussion and shape and continue to evolve the understanding of the norms and how to implement them so they can be effectively implemented.

And so please do check out the paper and, of course, get in touch with us if you want to understand more about the process, which I think Malorie and Gabriel can speak to.  Fortunately we don't have much time to do that, so we will need to move on.  We will take that point and then move on.  Okay.

>> AUDIENCE: Thank you, my name is Michelle Fagong, I work in Cameroon.  I prefer to speak in French.  This is a very complex topic and considering its complex nature, I wish to know if we have thought of a mechanism or a global consultative Council which may meet on a regular basis to share information because cybercriminals do not sleep.  They are like a virus.  Once you understand their strategy in the days ahead, you can come up with counter strategies.

So in this fight, you cannot sleep.  So have you thought of having a focal point mechanism in the various or if there are other mechanisms put in place to ensure permanent consultations among the various stakeholders.  Thank you.

>> SHEETAL KUMAR: (Captioner unable to hear the speaker).  There is an ongoing discussion on the ad hoc Committee on cybercrime has been set up to negotiate a treaty there, and there are other instruments as well including what is known as the Budapest Convention, other multilateral instruments with their own mechanisms for implementation.

Greater coordination is needed is what I would say to that.  I hope that's helpful.  We will move onto the third part of this session, which is outreach.  So this is, as I think a participant who has left now mentioned, there are a number of lessons learned and information that we come across, and analysis that we do that should be shared more widely even beyond the IGF.

So we have a work stream focused on outreach, and this year we wanted to share with you what we have done in terms of outreach.  We had a session at Rights Con, where we shared our work, and I don't know if you can speak on that if you can come in, John.  I know you were there.

>> JOHN HERING: It's a fairly unique and seminal event put on by access now focused on human rights in the digital age and speaking about the community and sharing a bit about the work much of which we presented and shared today, I have got a lot of great inputs from folks that have a good focus on the implications of these challenges and in particular escalating nation state activity online as it relates to vulnerable populations in different contexts around the globe.

So there was a real focus from those we sought input from on things that don't necessarily always come up in our norms conversations otherwise as it relates to things like Internet shutdowns or other types of activities that may be taken by a Government on a domestic level so not receiving the same international attention but highlighting them as security interests that have responded with increasing violence as something that has been absent from those norms conversations.

There was also a lot of discussion around cybermercenary groups that was brought to the fore.  This is, you might think of as the NSO groups of the world, other organisations that might list their services as private sector offensive actors where they are creating the offensive tool or service and then selling it to a Government for purposes for which there has been some tracking of abuse by researching communities.

So there was a lot of good and helpful context provided and necessary focus on that given by those communities.

>> SHEETAL KUMAR: We have also been present at the open‑ended Working Group in July, the open‑ended Working Group and ICTs that the UN had a meeting, and we presented our work there.  As I said, next week we will be present as well at an intersessional being held to share findings as well.  We also presented on the Best Practice Forum's findings at the new African parliamentary track, APNIC as it's called this week, and I think that's a very important channel as well to share from this multidisciplinary and multistakeholder group to parliamentarians what we are finding and what they can do.

So I know that Chokasani who is from the Malawi regulatory, let me just make sure I have it right, Malawi Communications Regulatory Authority.  I think you were trying to come in earlier.  I just want to make sure you have time.

>> ZANI CHIMBE:  About I'm the Director for ecoservices at Malawi communications regulation authority.  I think one of the things I wanted to be especially on the cybercrimes and the relationship between cybercrimes and cybersecurity have been addressed already.  I won't take much of the time, bust just to emphasize that it is very important to actually realize the distinction between the two whenever anyone is considering policies that there might be some differences in the way the policy considerations should be actually taken.  And one other thing that I really, that I was glad that was already emphasized was the issue of enforcement being something that is key to cybercrimes, not just enforcement, but it's actually one area where it is a must if there is supposed to be effective enforcement for laws to be harmonized, and as much as it is just not as broad as cybersecurity, but there is need to actually have some harmonized law so that enforcement processes would be easier when it comes to enforcement of cybercrime.

And, again, I also would like to agree that, yes, there have actually been a lot of changes that I personally have observed in terms of involvement of stakeholders, especially on cybersecurity issues where private sector is also being involved more and more each day, and you can actually see the changes and the way the policies are coming out.  So I won't say much, but just to say that, yes, I like the conclusions that we have drawn in terms of making the distinction of countries that are making policies.  We should realize that as much as these issues are interrelated, somehow the policy considerations might differ in one way or the other depending on the outcome and the real distinctions between the two in terms of cybersecurity being holistic, broader, and sometimes I also say that sometimes cybercrimes is part of cybersecurity.

Why cybersecurity is broad and includes many things, awareness and other things we are talking about, so we need to understand that there is a distinction, and recognize this when we are taking any statement or making my policy considerations.  Thank you so much.

>> SHEETAL KUMAR: Thank you for being with us and for the important points.  As you know, this work is ongoing and we hope that you can remain engaged and the same goes for everyone in the room and online.  Thank you all for coming.  I now will turn over to Imboana to wrap up.  Thank you.

>> This is the end of our session.  I would like to address my special thanks to our lead experts who worked hard this year.  I would like to thank as well the people who joined the three work streams.  I hope you will find it useful and helpful, and it will help you ‑‑ we encourage you to check out our papers and to download them on the website of the IGF.

It will help you, they will help you a lot for cyber maturity and for your goals.  So thank you very much.  The session is now closed.