The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.
***
>> Carina Birarda: Hello, everyone. Colleagues and participants, it is a pleasure to welcome to the IGF Best Practice Forum on Cybersecurity Capacity Building, part of the Internet Governance Forum here in Riyadh. Thank you. The session overview, introductions, past achievement and 2024 context, with the statement, the define key challenges in capacity building, expert panel, inside experiences and contribution from the room.
Ratifying the problem statement and identify the Best Practice Forum and actionable solutions, define next step to move from dialogue to action. Thank you for joining us. Your Board and the various matters. Thank you.
>> Wim Degezelle: Thank you, Carina for this introduction and welcome all to the session on IGF Best Practice Forum on Cybersecurity Capacity Building, can you move to the next slide? Please or do we have a remote? Okay. These are the session outline and objectives that Carina discussed with you already. I don't think it is necessary to go through them again. Just a second.
So also from my part, it is an interesting session. Let me present myself, my name is Wim Degezelle, I'm a consultant with the IGF Secretariat, supporting Best Practice Forum. I prefer to give the introduction and afterward give to the colleagues, co‑facilitator of the Best Practice Forum and distinguished panelists we invited for this meeting. Next slide, please. First of all, what is the Best Practice Forum, you might have seen in the Agenda or in the IGF website, that there is something called intercessional activities. These are a number of activities that start kickoff at the beginning of the year, and the Board have discussions during the year and function of the IGF meeting that comes at the end of the year. This allows us to do more preparation than a normal workshop, it allows us to collect information from different stakeholders that are combined and published in a report after the meeting and sent out for further work.
This is not the first Best Practice Forum on Cybersecurity.
As you can see on the screen, there have been BPFs on Cybersecurity for the last seven years, almost, between 2018 and 2023.
The Best Practice Forum on Cybersecurity have been with a different focus before that, but between 2018 and 2023, the IGF Best Practice Forum has focused on norms and norm agreements in Cybersecurity.
I'm not going to dive into detail, but I would like to list what we did in those years, because they are also based on discussions with the different stakeholders and the communities and these reports are still available on the IGF website.
They looked into norms and norms agreements from different aspects, amongst others how norms are developed, how norms are made into practice.
One year, there was a very interesting question that was dealt with. The question, if you look back to specific Cybersecurity events that happened in the past, before a specific norm was voted or agreed. Would it have made a difference? So that's ‑‑ that was a very interesting story.
Another interesting discussion or research we did in the past couple of years was looking outside the realm or outside of the Secretary of Cybersecurity and look into other fields where there are norms and norm agreements.
And see if lessons could be learned for Cybersecurity norms.
But this is the past work. The output, I invite you if you are interested, to look at them. They're very interesting and very good read.
Especially as background. They're still available on the website.
Now, today, the next slides, please. After all of the years talking about norms agreements, there was a feeling, well, maybe we have said enough or finished that topic.
And in the beginning of this year, the IGF always sends out a request for topics that should be on the Agenda, that is a request for topics that inform the general Agenda for the meeting, also have informed the choice of the different teams for this year.
In this call for input, Cybersecurity and trust came out as one of the paramount concerns in the community, with which was a clear indication that the IGF in its Programme should pay attention to it. But of course, Cybersecurity, Cybersecurity and trust is an enormous topic. Therefore, the people behind and people proposing this Best Practice Forum said it might be interesting to look into capacity building. Capacity building that helps to build Cybersecurity, helps to enhance Cybersecurity interests online.
So the proposal for the Best Practice Forum was submitted and agreed here in Riyadh in the beginning of the year, in February, where the IGF multistakeholder community ‑‑ IGF Multistakeholder Advisory Group met.
After that, the work plan, one of the first things the BPF did was to organize a meeting to discuss its own work plan to discuss this BPF.
I mention here because it was a very interesting and important step this year. The next slide. Please.
Because the fact that the BPF took its initial plan and moved and used that to organize its first meeting, it was very important to get input from the community on what it was planning to do. And it dramatically changed ‑‑ dramatically might sound too dramatic, but it changed the course of what was planned.
The initial idea was for the Best Practice Forum to look into Cybersecurity capacity building, what is available online, sorry, what is available in terms of specific training in terms of specific offers.
And do a general kind of mapping of training, mapping of resources available.
Mapping so that it would be possible to look for gaps, to look for opportunities and provide that to the community.
But very early, one of our first calls, one of our first meetings we had, we got push back coming from the community and community participants, saying this is already being done.
There is already a huge amount of information out there. There are mappings of Cybersecurity capacity initiatives, inventories, organisations providing this type of work already.
To that extent, that it might be difficult to find the specific information, it might be difficult for a Government, an organisation, or a person that says, well, I would need to build some capacity in my organisation on Cybersecurity, but I don't really know where to go, because there is too much information.
And this was a start for completely other discussion within the Best Practice Forum and a discussion that led to the session today. How do we deal with this exact situation? This lends to the formulation of problem statement that you see on the screen, and that will be the main topic or the start for the discussion today. I will read it out. So this discussion we had on the Programme for the BPF this year led to the Programme statement saying while various mappings, inventories, and initiatives provide a wealth of information on Cybersecurity capacity building, different offerings and this information may overlap and gaps in information may exist or do exist and at time the information may not reach the target audience effectively.
With this, I want to leave it there.
Go to the next slide, please.
Nice thing about an introduction is you can really come up with a problem statement and then you can hand it over to the panel to discuss and come up with conclusions, and a question to solve it. But for that, I give the floor to the two Moderators who are also co‑facilitators and the panel. I think easiest is everyone introduces himself or herself and that might be the best. Thank you from me, I'm looking forward to a very interesting discussion. >> JOSEPHINE MILIZA: Thank you, Wim for that great introduction to the discussion today. My name is Josephine Miliza. I’m a MAG and a co‑facilitator for the BPF Cybersecurity. I'm happy to be joined today by the great panel and we'll be going to the discussion shortly.
Before that, I want to welcome all the panelists and co‑Moderator to introduce themselves starting from the far left.
>> João Moreno Falcão: Hello, I'm João Moreno Falcão, I'm the lead facilitator from the youth Group, I'm a researcher.
>> Yao Amevi Sossou: I'm Yao Amevi Sossou, from Benin, I'm with the youth in Benin and part of the D.C. data‑driven technology from the intercessional works. I have also been work sometimes in the BPF. Nice to be here.
>> Tereza Horejsova: I'm Tereza Horejsova, senior outreach Manager and former MAG member.
>> Dino Cataldo Dell'Accio: I'm Dino Cataldo Dell'Accio, and I'm the Chief Information Officer from the BPF and pension fund. I represent the Intergovernmental organisation and multistakeholder Advisory Group. I'm a co‑facilitator on the Best Practice Forum and co‑lead on the Dynamic Coalition of blockchain assurance and standardization. Happy to be here.
>> Mevish Vaishnav: I'm Mevish Vaishnav, from India, President of Academy health sciences. I represent the Dynamic Coalition on health. Pleasure to be here.
>> Brendan Dowling: I'm Brendan Dowling, the Ambassador for cyber affairs and critical technology.
>> JOSEPHINE MILIZA: I would like the colleagues joining us online Oktavía and Hariniombonana to introduce yourselves, please.
>> Hariniombonana Andriamampionona: Hello, I'm Hariniombonana, it is the fourth year to work with IGF Cybersecurity and the BPF. I'm happy to moderate online. I would like to thank our panelists and welcome everyone who is joining this session. Thank you. I'm from Madagascar.
>> Oktavía Hrund Jóns: Oktavía Hrund Jóns calling in from Iceland. I sit on the MAG as well. This is my first year on the MAG. Although I'm a long‑term MAG ‑‑ IGF participant. I have had the absolute pleasure of also being a co‑chair of this Best Practice Forum on Cybersecurity. I'm excited and happy to spend the next hour with you all.
>> JOSEPHINE MILIZA: Thank you so much. Yes, getting into the conversation today, and our first question is how does the problem statement resonate with your own experiences or perspectives? Do you find that in your context, do you find it resonates with your context? Is there something missing or that we overlooked as well coming up with it. I will start with Brendan Dowling, please.
>> Brendan Dowling: Thank you. I think the problem statement is it valid. It captures that there is a huge proliferation of information about Cybersecurity capacity building. But it is often not bespoke. It is not targeted to recipients. And in our experience, that is the most important element.
We have seen cyber-attacks, cybercrime worsen substantially in our Region. Australia, New Zealand, Pacific Island Nations hit by disruptive cyberattacks. There is a huge amount of interest and drive to raise Cybersecurity and cyber resilience. We have implemented substantial capacity building Programmes in recent years. But we have often found that they can be untargeted, inappropriate, and we committed to doing better with our partners about working with them in dialogue to figure out what the right approach for that country, for that context, for that situation is.
What that means is in our capacity building work in the Pacific, it is very bespoke to that country. It can involve incident response work when it is a major disruptive cyberattack. It can involve upgrading hardware and software, to ensure that pirated software or out of date service are not in use. It can involve developing legal frameworks or national strategies or training to develop computer emergency response teams.
So every capacity building Programme that we roll out is designed in consultation with the recipient country, and is shaped according to their needs, interests, and their situation.
So I think it is a really positive thing that we have a much more substantial effort in Cybersecurity capacity building out there.
For me, the most important consideration is adjusting and tailoring to the particular circumstances of the country, organisation, or Partner that you are working with.
>> JOSEPHINE MILIZA: Fantastic, thank you so much.
>> Mevish Vaishnav: I think the healthcare data is the major important part of individuals. It is important information, we need to take care of it. The Best Practices are the ones to collaborate and work together on the Cybersecurity part.
>> JOSEPHINE MILIZA: Thank you and to Tereza Horejsova, I know when we started the conversation, you at GCFE has done amazing work. You pointed to us, yes, the resources exist. But we need to redesign the problems and what it is. What are your reflections based on the work that you do over this year? And also looking into next year?
>> Tereza Horejsova: Thank you, Josephine. Two things that resonated when we started this conversation. I think the IGF is the natural space to have discussions on capacity building. I feel that it hasn't been used, this space, as much as it could have. The fast that the Best Practice Forum decided to focus on capacity building is something to really applaud. And second, from an organisational point of view, from the Global Forum on cyber expertise, we try to make the overview of what is available, what capacity building projects are happening as easy to find, as easy to grasp as possible.
So that we can serve as a resource for donors, for implementers when they're planning their projects to kind of build on what has been done already.
To eliminate duplication of efforts. And to simply use resources as officially as possible. We also try to do it sensitively to tailor to each Region, what Ambassador has stressed through the Regional hubs, including in the Pacific, where we try to use the knowledge from the Regions themselves to provide even better overview.
Of all the capacity building projects and activities. Now, how we do it might not be perfect. That is why having a discussion on what is most useful and what is most efficient and comparing with other resources that are available, is extremely useful for us. The primary resource that the GFC uses is the so‑called Cybil portal which is available free online at the www.Cybilportal.org. And we try to engage the various actors to help us find and provide us information that we can put up on the portal in a very simple overview that anybody can use as a go‑to resource.
We hope the discussion we are having tonight, a discussion over the past months will help us fine tune it and make it more useful.
>> JOSEPHINE MILIZA: Fantastic. João Moreno Falcão.
>> João Moreno Falcão: Thank you for the floor. I concur with the previous discussions on the topic. The Dynamic Coalition and the data technology have been stressing this concern for years about cyber threats, especially when it comes to healthcare facilities and healthcare access.
We are moving toward a more e‑driven health access around the globe.
We need to make sure healthcare practitioners also have capacity building opportunities to have to strengthen the knowledge on how to prevent certain breeches during their practices.
Another aspect, we have also been stressing, is accessibility on those available capacity, especially when it comes to young people and underserved communities, especially in the African Region. In Africa we have thousands of languages, no way to mention that.
The thing is like, if you just stick to the common layman, like, we know today for example, the most common used tool to access Internet in Africa is mobile phone.
Our people, the population are not really educated on how to prevent those breaches, how to protect the information.
And one Best Practices I would say is that in terms of tailoring the capacity building already available would be addressing those issues in the spoken language people who understand like the native languages, what do capacity building mean in Swahili would not resonate to someone if you actually heard it in the mother language.
They would actually grasp the threat that they're supposed to. I think one key element regarding accessibility to capacity building is addressing those issues. From there, hopefully we will have a more inclusive training and capacity building. Thank you very much.
>> Yao Amevi Sossou: I have the tough Mission to be novel here.
The gap is to use the structures we have and attract people in the front line of education. And so I see here, a lot of representatives of strong organisations but we look the people that are teaching, the people that are really going there and explaining the content to these persons.
And we need to coordinate with them, because Cybersecurity is a very extensive area. And we really need to show that this is possible to the people that we have.
So this is very important to gather and show also that we have a multitude of tasks in Cybersecurity, and we can accommodate and train the workforce to work with this.
>> JOSEPHINE MILIZA: Great. And yeah, so I think we have a consensus in terms of the problem statement. Yes, capacity building initiatives we have spoken about some of the gaps in terms of the target audience. Now, we're getting into discussing how do we fix the issues.
I will hand over to my co‑Moderator Dino to take over the next round of questions.
>> Dino Cataldo Dell'Accio: Thank you, Josephine. As you alluded to, we looked at the problem. Now we would like to solicit from our distinguished speakers their experience. And how we can fix it or address the issue. Maybe I start with you, and given your point of view, in the research and Best Practices.
From your point of view, what can be done to avoid duplication and at the same time identify gaps that may exist in these resources?
>> Tereza Horejsova: Thank you, Dino. Have to have a conversation. That is the starting point. There are many portals and resources that could be similar but not exactly. Worst thing that will happen is everybody goes in tunnel vision and continue their work. That is not what we want.
One Best Practices to share from our experience is the cooperation and almost integration if you wish between the Cybil portal and unit or cyber policy portal. At CBL we try to map resources, tools and projects that are implemented or are currently being implemented in the field of Cybersecurity.
UNIDR, gives a one-stop shop of cyber situation in various Member States.
It is useful because you can filter and see what projects are implemented in the field of cybercrime in Cambodia, yes.
And then you would get this information. Wouldn't it be helpful to at the same time what is the situation in Cybersecurity, in this given country that maps.
This is common sense. This is why we wouldn't ahead and obviously there is the issue of the technical interoperability, that was solved and can be fixed. That is maybe the simplest part of the puzzle, I would say.
This was proceeded with months of conversations and exchanges, and one can benefit from another with the interoperability, so each user has the best experience possible.
>> Dino Cataldo Dell'Accio: Maybe if I can pass to the Ambassador. We saw the point of view of those creating the knowledge and facilitating. Maybe as the point of view as a potential user, how do you define, if I may qualify the question, how do you find the ability to share the information? Do you use the resources and think they're valuable or something that can still be improved?
>> We Brendan Dowling: We find it valuable information through the Regional hubs. That is useful. From the Government perspective, we have to commit to engaging effectively.
Recently, we saw a country ‑‑ I will not name them ‑‑ prepare a capacity building project, decide the terms of the project, decide when and how it would be implemented, and presented it water talking to the recipient country.
Now, if they had engaged with the mechanisms that have been established like GFCE they would have found it is duplicative. There has to be a purpose in the use of mechanisms.
In we have set up the partners in the Blue Pacific, which is expressly about donors comes together, talking to recipient countries and doing the deconfliction. Annually we hold the cyber coordination Conference, which brings everybody together for an open conversation. Including with the UN bodies and Private Sector.
For me, I don't think we need more mechanisms or processes. We need to commit to using the existing processes and to saying, when we find those points of misalignment or duplication that we will adjust our programming accordingly.
Sometimes donor countries can be focused on their own internal processes for budgeting and programming and not allow the flexibility to adjust as needed. It is incumbent to be flexible and willing to listen when we hear the response.
>> Dino Cataldo Dell'Accio: Thank you for the feedback. Maybe I can ask for your feedback, vis‑à‑vis your specific domain or your specific industry. You are talking about digital data health, related to health. How do you find the sharing of information be working and especially the identification of potential gaps in the capabilities.
>> Mevish Vaishnav: If there is no capacity, there is no security. We need to upskill in capacity building. It is very crucial because the healthcare workers need to know how to protect data. That is why Academy of digital health sciences, we are providing training to the healthcare front line workers so they are aware how to protect the data. And sharing information, we need to be careful, misinformation should not go out.
That is very crucial.
>> Dino Cataldo Dell'Accio: Thank you, misinformation definitely a hot topic. I pass to our speaker João Moreno Falcão. You talk about the issue of languages, what can you add from your side.
>> João Moreno Falcão: What I can add more apart from the language issue is most of the capacity building initiatives that I have seen, are at the budget constraints. They have simply a limited amount of budget and in time, they're limited. After the capacity building, what is the next step? I think in that direction we should find way for follow‑up of the initiatives so they in the mapping process, we find what should not be replicated and what should be strengthened.
From lesson learned we could be more equipped both the capacitors, and the people that are acquiring the capacities.
Also young people that are not vulnerable, the young people, they need to be addressed, the critical mass, because they're more vulnerable.
And we need to find the way they're specifically targeting their specific needs, and I want also to commend the work the GFCA is doing. And I want to commend the work in the IGF ISOC Benin is doing, with some online capacity awareness raising on Cybersecurity threats. Educating the young people, specifically young girls, how to secure their data for example.
And yes, one key element also, we need to prevent misinformation. How to combat that. We need collective effort.
We need to build trust on what is shared. And we need a mechanism to prove that the information that are out there are reliable and not posing a threat to anybody. Thank you.
>> Dino Cataldo Dell'Accio: Thank you very much, we see already complementing element from misinformation to lesson learned. Maybe João Moreno Falcão, would you like to share?
>> João Moreno Falcão: Something that made me into Cybersecurity is popular culture. We're having projects to bring people to capacity them into Cybersecurity and we can use the popular culture that is defined in our mind, what is Cybersecurity to invite people to participate. Because at the same time that the made a dream for a lot of people, they also created a barrier that people said okay. This is a move theme. I cannot be this person. We could work on demystifying that. And really working to be part of the Cybersecurity ecosystem.
The other thing that I ‑‑ we also need to acknowledge is learn Cybersecurity, you need a basic means to learn.
So it is most of the people that are now in the field are self‑taught.
But we have several projects that try to bring these people. What they need is had access to the content accident like a computer or Internet. Also sometimes physical access to devices.
Like in my example, I just ‑‑ the only thing that made me into Cybersecurity was that I went to an event and they had an industrial device. This was the first time I could try to interact with one. And learned my way into hacking it.
So this was a wonderful experience. I couldn't have an opportunity if I wasn't there. We need to think about this. The requirements are not as complex as other areas of knowledge. But we also need to acknowledge to offer this structure to the people learning.
>> Dino Cataldo Dell'Accio: Thank you, João Moreno Falcão, you anticipated the element of my next question, going back to starting with Tereza Horejsova. What can be done to ensure that the message, the resources are getting to the intended audience? Especially in those situations or that environment where there are less possibilities? Where there is a less mature infrastructure or less access, limitation I would say in accessing Internet, in accessing the necessary resources.
>> Tereza Horejsova: Yeah, maybe on the first part of the question, something we discovered when collecting information and trying to provide us resources. Online was ‑‑ sometimes we have faced a bit of reluctance to have information shared. It is maybe a natural instinct that everyone would like to receive the information but don't see a benefit in providing the information.
Is this sound okay? I hear an echo. Maybe I should remove this. Now my earring fell off. Starting great, sorry.
Natural instinct should say I shouldn't share too much about what I'm planning to do, because maybe it will cost me a project I could otherwise get. I shouldn't share that much about what I'm planning to do as a donor in the next three years, because I don't know, somebody else might do it.
I think we need to change the narrative a little bit by sharing information to the extent possible. Of course, I'm aware that is not always realistic. Everybody wins. Who wins ultimately, it is those we are trying to assist. The recipients.
It is not fair to them if the efforts are uncoordinated or the implementer comes and isn't aware that the same project was done by somebody else two years ago. Like the Ambassador gave the example, there are designs that are designed and I used the resources available, could the impact have been bigger? So I would like to challenge ourselves to really think, okay, if I share, I'm not going to lose. And that goes for all stakeholders involved.
One maybe another note I can add sometimes when we have had conversations with recipient countries.
We even sometimes it was really voicing concerns like please organize yourselves. We cannot handle. Our capacity is already limited. If we have everybody coming separately trying to do their project, we are overwhelmed as well. It would help tremendously if there is more coordination. One simple step closer is to have the resources available and anybody can consult them.
>> Dino Cataldo Dell'Accio: Thank you, Tereza Horejsova. Maybe just to jump immediately to João Moreno Falcão, what is your experience in the ability to coordinate.
>> Yao Amevi Sossou: I would say the key resources is the ability first as João Moreno Falcão mentioned to have action, for example, people have difficulty in access to hardware. That would bring them and be in contact with the information being shared. And I keep stressing it, it is how we convey the information to the recipients.
And the capacity building developed inclusive enough and are there as we mentioned, are there in a collaborative way, done. Each and every country have their own capacity building Programmes, sometimes.
I mentioned an area there, in most cases, their budget constraint and their limited time to process, how do we follow‑up is really key. I'm saying that again. We need to impact those with capacity building that we know from the key project, what are the different gaps to be addressed with the next round of trainings? And from there, we become ourself more resilient and people are more equipped and ready to face the challenge out there. Internet is free for everybody. And it also have challenges that not everybody can be able to face.
>> Dino Cataldo Dell'Accio: Thank you, I like the term you use. It is not much about quantity. Sometimes this initiative or measure between input and output. You talked about impact. Measuring impact. That is related to the last week, thank you for participating in this concept.
I will go back to the Ambassador and hear your perspective as a Government representative. What are the critical success factor maybe in your country have word in reaching the intended audience?
Brendan Dowling: We have very substantial experience in Australia. We have for many years prioritized cyber resilience as a core part of our economic Agenda and about our national security Agenda. We have many lessons learned, in what we adopted and the capacities we built, which we try to offer as experience for the positive or negative to share with countries, particularly in our Region.
I think we have found the most important lesson is this has to be a whole of nation approach. Talking about building cyber resilience and cyber capacity has to involved industry and the community. It has to be something that is bought into rather than just a Government Programme. Most infrastructure is engaged upon, and engaging the whole of the response is crucial.
When we engage in capacity building work, we talk not just to Government players, we talk to Private Sector operators that run civilian infrastructure. We talk to educational institutions, schools, Universities and try to engage across the breadth of society. Cyber is not a technical issue. It is not a Government issue, it is a whole of nation issue. Our lesson and experience is the criticality of engaging a broad range of actors when we try to build that cyber resilience.
>> Dino Cataldo Dell'Accio: Well noted the emphasis on partnership and collaboration. Thank you for noting it. Your experience from digital health Sector.
>> Mevish Vaishnav: In digital health, every country is trying to secure their data. There are challenges coming up. We need to be prepared through upskilling ourselves, that is why we are developing courses in it.
>> Dino Cataldo Dell'Accio: Thank you. Very good to know you are really working on it in a specific Sector.
So last question for each one of the participants and maybe just looking at the time to be as brief as possible, maybe a little more brief. Tereza Horejsova, starting with you. We alluded to what can be done. What should be done. What has been done. How can we measure it? What kind of indicators can be utilized to measure the impact of the Cybersecurity capability project initiatives and Programme.
>> Tereza Horejsova: It is simple, we can measure how many projects there, what is growing, what is the trend? And of course, the more comprehensive coverage we have, the more kind of thorough picture can be provided to anybody that uses the portal. I would use this opportunity to encourage everybody here, if you are working on a cyber capacity building project, check it out, if it is on Sybil. If it is not, we do a lot of our desk research and try to identify the missing projects, but we also rely and in particular we rely in the implementers and others to share with us the information. So this puzzle is bigger. If we internalize, if we are working on something, drop us an email, and that is good.
We have over 900 projects, and at this moment we have an interesting number.
>> Dino Cataldo Dell'Accio: Thank you, important to get feedback. João Moreno Falcão, what about your experience in measuring impacts. João Moreno Falcão: Cybersecurity is a unique field. Despite other knowledge fields we can teach and then see how much they learned, when we teach something, there is someone trying to overcome what it is. So this makes our lives much harder, because we can teach a technique or something. And then the next day, someone will create another one that will overcome what we teach.
So seeing this, I believe we can go to in strategy to understand like the necessities and needs of a specific community and what we teach them, really made the difference. What you established first, you can accomplish later.
>> Dino Cataldo Dell'Accio: Thank you. Yao Amevi Sossou, do you want to add your experience?
>> Yao Amevi Sossou: I think in this case, we need to combine efforts. Have different experience and efforts combined. One struggle with capacity building in another community could be lessons to be learned from an organisation in another part of the world. We need to find a way to collaboration so we have bigger impact and it is easier to have what may stress you so far.
>> Dino Cataldo Dell'Accio: I see the picture in the life cycle, lessons learned, impact, consolidation of Best Practices and details bases.
Ambassador, if you can share with us your experience in measuring impact.
>> Brendan Dowling: Sure, it is like we all struggle to measure our impact in Cybersecurity. How do we know our Programmes are working? We know cyber incidents are getting worse. We know in spite of all of our efforts and doing the right thing, we will see more incidents. Measurement can't be about fewer cyber incidents. I think in Cybersecurity, qualitative information is crucial. Testing through exercises is one of the most effective ways to qualitatively test whether the arrangements, capacity, preparedness have improved. Big advocates of getting everyone in a room, Government, private sector, Civil Society, running exercises, testing how the responses look like and how they operate. It is better to learn your failings in an exercise than a real incident. We consider ourselves a relatively mature cyber capable Nations, yet when we run exercises on our electricity system, we still find gaps and shortcomings.
The qualitative result is to test out what the responses are like. Rather than tell yourself we're good, prepared, and road tested. And say here's where our gaps are and what we need to address.
For me, that is the most important thing.
>> Dino Cataldo Dell'Accio: Another critical element of the life cycle, exercising and testing.
So Mevish Vaishnav, last but not least, what about your experience in the health industry? What can be used as an indicator that indeed the initiatives are producing or meeting expectations.
>> Mevish Vaishnav: I think we should have every six months auditing should be done. And training in Cybersecurity is something that will help us to understand from other countries we can learn. So Best Practices from other countries can be shared. And that is how collaboration is important.
The Best Practices of every country, like if you have recent issue, maybe I would learn from it, I would not face the same issue. That is how we should work and collaborate.
And this is the platform where we can collaborate and many countries come together.
This is where you can try to ‑‑ if you see the hackers are more organized than us. We need to be careful of that. If quantum computing is monopolized ‑‑
>> Dino Cataldo Dell'Accio: Thank you for the debate, as a former auditor, I really appreciate that acknowledgment.
With that, I would like to pass the floor to Oktavía, that is going to provide a summary and conclusion of this very interesting engaging session. Oktavía.
>> Oktavía Hrund Jóns: Thank you, Dino. Thank you, I would like to know if I am audible?
>> Dino Cataldo Dell'Accio: You are.
>> Oktavía Hrund Jóns: What an amazing Group of people and interesting discussion. I want to go over the things that came up and look at what we in the Best Practice Forum could be looking at after this IGF and going forward. In terms of the statement and sort of how our experts looked at that, one of the things that stood out is context and experience. It is important. Most of the experts did agree with the problem statement and the necessity of it, however a red thread throughout is that we have many platforms and we have many places, we have a lot of coordination and collaboration that exists. We have to commit to using that. One point that came up is the IGF should be used more as a venue for the capacity building.
We have to work together, trust, and share, which is extremely important on many aspects but also across sectors. Holistic approaches to security, particularly Cybersecurity, it is not a problem just for companies, Private Sector, Government, individuals.
We have to look at both reactive and proactive approaches on multiple levels.
I thought it was so interesting to get the health Sector perspective, critical infrastructure as well is made up of individuals. So that is one of the things that I think came out of the comments on the problem statement.
Accessibility and dare I say localization is of course key. We know this, and somehow we have to hold ourselves to a slightly higher standard than we are now. Accessibility comes in many forms as our experts on stage mentioned. It is not just about giving access or resources to youth.
One thing from the fix that I appreciated is accessibility does have to be a threshold or a high‑level. It simply can be access to information, knowledge and a device that allows you to become curious and understand your context and role in a much larger picture.
So the consistency and manner in which we treat programming and activities and projects in Cybersecurity is what makes it successful. That is one of the key elements to the fix, if you like.
All of these are guided by conversations. These conversations need to be done from a point of trust. It needs to be done across Sectors.
And it needs to include as many stakeholders as possible. The low‑hanging fruit. Interoperable is a low hanging fruit. It is where we can come together and hear as most or as many voices as possible.
Interesting for me as a Cybersecurity professional, is to hear a lot of things we heard relating to ecosystem and PDCA, for those that know the plan, do, check, act.
It is not enough to come in and do one thing. It is not enough to have a training as our colleagues mentioned, and we have to do training and we have to do follow‑up, we have to ensure that the ecosystem of knowledge continues regardless of one person, one community or even one specific Government in place. So we have to commit to the use of the mechanisms that are in place already. We have to implementers that come into context and also understand that we are depleting valuable and necessary resources by constantly going in and inventing the wheel when the wheel is probably already there, perhaps even at a really good bicycle or Ferrari. Understanding, it is us the community first is one thing that felt crucial to the implementation of the fix.
It is difficult to prioritize. Some things that came up is coordination and inclusivity and collaboration in a way that is consistent. Localization, not just of materials, it means accessibility understood from multiple levels. That has to do with equity, gender, age, and all of the other elements that we know so well from a lot of the work that we do. A lot of the things that guide us to spaces like the Internet Governance Forum.
Stakeholders, participatory approaches, I would like to end with something that I thought was very important when we talked about indicators.
Because it is not just numbers. We know that. The thing that we need to be very, very ‑‑ that we have to emphasize continuously is that it is a practice.
Whether that is allowing more funding or resources to making scenarios to training, whether that is allowing for follow‑up, allowing for more flexible ways in which that we treat people, all around the world in a different environment, how to understand their role.
If you are a healthcare worker, it is not enough to get a regulation or don't‑do list. It needs to be relatable to your role and it needs to be understood from the position where you are and what you have the Agency to effect to allow for us to be in slightly more secure or at least resilient as we together, tackle these huge and important foundational things that allow us all to be safer, not just online, but in reality.
I hope that sort of captured ‑‑ there are so many more things to mention and so many good points, including the demystification of Cybersecurity.
On that note, I would like to thank you all for allowing me to summarize these points together.
And give it back to my colleagues on stage.
>> Dino Cataldo Dell'Accio: Thank you, Oktavía for this real‑time summarization, comprehensive, and detailed. Thank you. Thank you to all the distinguished speakers that have shared with us their knowledge, experience and wisdom. Thank you to my colleagues, co‑facilitator, Josephine and Hariniombonana and thank you to the others, Wim and Carina Birarda.
Do you have closing remarks?
>> Wim Degezelle: No closing remarks. Thank you all for attending this session.