The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.
***
>> MODERATOR: Okay. Are we ready? Okay.
All right. Good morning everyone. We are seated in Riyadh at the Internet Governance Forum. We'll start in two minutes, I've been told. Internet Governance Forum.
>> MODERATOR: Okay. We can start now. Thank you. Good morning everyone. From wherever or good afternoon or good evening from wherever in the world you're dialing in from.
Thank you for attending today's session on building universal standards for digital infrastructure resiliency. My name is Genie Gan. I'm your moderator for today.
We're here today to discuss the challenges and opportunities of securing the backbone of a modern digital economy. Our critical infrastructure, including data centres, cloud services, and other foundational digital efforts.
Of course, we all know that cybersecurity of critical infrastructure information, CIIs have become well established over the years. However, as the digital landscape evolves, we actually need to broaden our focus to include not only the security of information and data, but also the physical and operational resiliency of the digital infrastructure that house these information and data.
So when we started conceptualize this workshop earlier this year, we were using an example of how an outage of a major data centre in Singapore actually disrupted 2.5 million banking transactions across Singapore's largest cities. Citibank, DPS, to show how vulnerabilities and digital infrastructure can have far‑reaching consequences.
Even when it's not triggered by any cyber attacks. But, of course, it's close linkage to cybersecurity was not immediate obvious, as well. Yeah.
Then in July, everything changed when a software update by a U.S.‑based cybersecurity company lead to the crippling of up to 8.5 million computers worldwide, which were using Microsoft systems. Suddenly many people realized how residents requirements which apply the cybersecurity industry could apply to digital infrastructure. Governments around the world were beginning to recognise this. Even before the incident.
Singapore is studying the introduction of a Digital Infrastructure Act going beyond cybersecurity to address a broader set of risks, ranging from misconfigurations in technical architecture to physical hazards, such as fires, water leakages, and cooling system failures.
The UK government, from the other part of the world, also has launched a public consultation on enhancing the security and resiliency of the data infrastructure. These developments mark the beginning of a global shift towards more comprehensive frameworks for digital infrastructure resilience. Since conversations in this area are still pretty new, and early stages, I think we're in the early stages. Right. There's a chance for the IGF to sort of shape some Best Practices and common standards. That's our goal today.
To brainstorm ideas and, really, we have today with our speakers from around the world from different regions. We hope to brainstorm ideas that will help shape the future of digital infrastructure Best Practices. We have regulators, as well, industry leaders, and experts from academia to discuss these critical issues and collaborate on creating a white paper that we hope to produce at the end that will serve as a reference for countries developing laws and regulations to strengthen digital infrastructure resilience.
I'll quickly introduce our speakers. After this context setting.
First of all, I think I'll start from my right. On the far end we have Ms. Aderonke. Head of policy and process review. Corporate planning strategy and best management act. The Nigerian communications commission. To speak about the role of cybersecurity and digital infrastructure governance. And major junior Dr. Pawan Anand. And a Ph.D. guide and mentor at the national Defense College. Focusing on the challenges and threats to digital resilience. Particularly in rapidly‑developing countries.
And on my left, that's Alaa Abdulaal. She'll discuss the role of the VCO regional organization in shaping and enhancing digital infrastructure. Both in the Kingdom of Saudi Arabia and the international kingdom.
Right. So for today we'll explore several key topics throughout focusing on three main themes. First, threats to digital infrastructure. We'll discuss the latest threats to digital infrastructure. Their economic and social impact. And how different countries are responding with new standards and regulations. And, of course, the second theme will be multistakeholder collaboration, which I think is a running theme, as far as the U.N. and IGF context is.
We'll encourage the expertise among all stakeholders, government, academia, and all that. Lastly, we'll talk about the regulatory and standards development focusing on importance of international standards for digital infrastructure. Particularly examine how Best Practices from cybersecurity can be adapted to this domain.
All right. Let's kick off with some initial thoughts from our panelists. So, Aderonke Sola‑Ogunsola, is digital infrastructure a universally accepted term. Can you maybe give us a brief overview of the role of Nigeria's NCC in digital infrastructure resilience.
>> Aderonke SOLA‑OGUNSOLA: Thank you. This is timely. It has development of standards, corporations, and what have you.
[ Audio is fading in and out ]
what do they describe infrastructure as? It struck me. It says if infrastructure was described as something that remains invisible until it's broken down. So let's just look at a picture. We always have our e‑mails are not sending. We can't connect. People can't see all of our
[audio fading in and out]
we can't do any transactions. I'm sure everybody is like "what's happening here?" So there's a perspective. Infrastructure as the bedrock is the framework for digital connection.
[ Audio is fading in and out ]
Having said that, looking at universal digital infrastructure universally accepted? Yes. It's a universally accepted term. When you look at different organizations, the ITU as an enabler for functional digital access. For social economic development.
[ Audio fading in and out ]
>> MODERATOR: Give me a moment. I think we need some help here. Aderonke's audio is coming on and off. Can we maybe switch a mic for her, please. Maybe use that, first. It's not that.
[ Audio fading in and out ]
>> MODERATOR: Let me switch it out for you.
>> ADERONKE SOLA-OGUNSOLA: Can you hear me now?
>> MODERATOR: Yes. Now it's okay.
>> ADERONKE SOLA-OGUNSOLA: Okay.
>> MODERATOR: Now it's good. Yep.
>> ADERONKE SOLA-OGUNSOLA: All right. Do I start over again or continue?
>> MODERATOR: Yes.
>> ADERONKE SOLA-OGUNSOLA: As a regulator, I work for the Nigerian publication. We are the regulator for the telecom. Basically we have technical regulation of the industry. Coming from the perspective of digital infrastructure, the commission was established by an act of Parliament. We have amongst various powers of functions to facilitate and innovate the environment. One of the things we're looking at is promoting digital infrastructure.
We have various actions or interventions that we are taking. Such as providing licenses for infrastructure development on the professional spectrum. We also currently in Nigeria, we have our Cybersecurity Act 2025. Part of what was identified was the critical infrastructure and digital infrastructure was part of what was identified. I hope you can hear me.
>> MODERATOR: Yes.
>> ADERONKE SOLA-OGUNSOLA: Today is a critical information order was recently launched. What is it looking at? Because we're identified as a nation. The importance, the sensitivity of the infrastructure. I believe that we go beyond cybersecurity to infrastructure resilience. It's the ability for us to bounce back, if there's any attack. Genie may talk about this. But if you also cast your mind back, earlier in the year, the IGF mentioned about the
[audio fading in and out]
it's a lot of countries around the West African coast. But the good thing was, Nigeria and I'll give kudos
[ Audio is fading in and out ]
Resilience in the network. Risk management. It's something. And, also, we ensured that they had
[audio fading in and out]
How to survive if there's an attack. So we didn't really feel the impact, but West African have their internet connectivity shut off for awhile.
So you can imagine the amount of data infrastructure we have. We also acknowledge that 80 to 90% of data connectivity’s carried on the submarine cable connectivity on all of you. And because of this, the Commission in Nigeria is passionate about digital resiliency.
We are also part of the working group that was established by ITU. Nigeria is a Co‑Chair for the corporation to work on developing standards.
[ Audio fading in and out ]
Developing universal standards for digital infrastructure. For me, it's something that it's timely. It's expedient. And we have pockets, national, like I mentioned experience. We also have regional interventions.
[ Audio fading in and out]
I think this is a conversation that is timely. Thank you.
>> MODERATOR: Thank you, Aderonke. In your short statement, you have touched on all three themes. You've discussed the threats to the digital infrastructure. And I love the submarine cables example that affected the West Africa. That was a fantastic illustration, actually. So maybe I'll turn to Alaa. The DCO, as we know, plays a significant role in shaping and enhancing digital infrastructure internationally. So could you perhaps take a couple of minutes and share the goals of your organization in this area, and what efforts are being made in addressing digital infrastructure resilience.
>> ALAA ABDULAAL: Thank you very much. I'm honoured to be a part of this panel with you.
We are present in 16 states. Having an 800 million in population. And our goal, overall, to make sure that every person, business, and nation has a fair opportunity to participate.
As you said, Genie, we're in a world of a digital economy that is moving quickly. So our organization focuses on giving opportunity for everyone to be part of this global inclusive digital economy.
And for that, we have mentioned now, and even my colleague mentioned, how important it is to have the right infrastructure. And have access to that infrastructure from businesses, from governments. What we are doing at DCO is that we are promoting the use of having the development of resilience framework. Those, specifically, in the response of the increasing risk that is coming on the digital infrastructure. We are giving guides and advices to all of our member states. Putting all the stakeholders on one table. So what happened during... what you have mentioned in July. One of the fastest responses we have done, is that we gathered all of our member states on one table to discuss the issue that has happened with the faulty deployment and the outage.
And how did it impact each and every nation? What was their lesson learned? What can we do together? What are some of the missing regulations in some of the countries that can be shared? This is why we are the Digital Corporation Organization. We believe that, also, this is ‑‑ it should be in a multistakeholder approach. And, also, looking not only at infrastructure, because, again, infrastructure is one layer. But even as you have mentioned, we have services, operations running those infrastructures. do the people have the right skills? And capacity to be educated to run those infrastructures advancements of different technologies?
No one infrastructure is varying from super computer that are supporting AI. That is even bringing different layers of risks. So by focusing on providing the right information, by putting all the right stakeholders and bringing countries together, we are aimed and focused to really enhance the digital infrastructure of our member states. Even contribute globally to all countries.
>> MODERATOR: Excellent. Thank you. Thank you for that.
I like the point that you made about infrastructure being overlaid with systems. And then, of course, capacity. And then maybe we can talk a little bit about capacity building later. Because that's the human element.
So now I'll turn to Major General Pawan. From your experience, what are the main threats and challenges to digital resilience, particularly in India and other leading economies?
>> PAWAN ANAND: Yeah, thank you, Genie. Thank you for getting us together on this interesting subject.
Well, to my mind, the united services institution of India. We do a lot of emerging technologies work with the national cybersecurity coordinator, the national security council, the Ministry of Internal Affairs, and, of course, with the defense and the defense cyber regency. It's interesting. It's a conversation that takes place globally. On anything to do with digital. India has gone deeply digital.
And with the Honorable Prime Minister offering the DPI. It follows almost all the global countries. Literally India seeks to help in coming up. So that having been said, what is the main threats and challenges that we're looking at?
And I would start with the main thing. And that is data. And everything evolves, perhaps, around that. You might have all the infrastructure in place. You may have the transit points, you have the networks. You may have the processing infrastructure. But at the end of it, it's the data which really counts. That's the thing that makes the goal. It's data that makes the goal here.
[ Audio fading in and out ]
To my mind, it's something we need to keep in mind. And India is cognizant of that. We are, of course, we would like to have our data on show in India. Which, perhaps is not possible at this moment. We don't have the entire capacity to store that kind of data.
So, obviously, much of it is offshore. When it's offshore, and if you don't have the capacity to keep the data, we don't have the skills, as Alaa brought up. We would be looking at legal implications of keeping our data offshore. That's something we look into in 2023. I'll come to that later in the conversation.
The second important thing is integrity. We have to look at integrity of data in storage and transit. These are important to us, because wherever the interfaces happen, wherever there is a joining of networks, wherever there is a joining up with the storages. That is the way... that's the point where we find vulnerabilities involved.
So as your digital operation increases in India, the context increases and the attacks increase.
The final point I would like to make, quickly, is that when it comes to emerging tech, AI in cybersecurity begins to get more and more important for us. So the ethical use of AI and the responsible use of AI is so important. We would look at accountability. Wherever AI is used, whether it is for cyber or protecting infrastructure physically, or digitally. We would have to look at interpretability, as well. We should look at what is coming out of that and how it's protecting infrastructure.
I think, also, what we have to keep in mind is supply chains. And we will talk about that later. But supply chains could be comprised, and that is one huge threat that we need to keep in mind. Today, at the end of it, with the infrastructure that has come up in India, we have become the 10th most vulnerable country in the world. To digital, you know, assets. And I see that coming up further and further. You can make certain that is pretty obvious that the number of attacks are going up dramatically every year.
>> MODERATOR: What came to mind, this is the kind of ranking we don't want to top. Thank you for your thoughts. I think we ‑‑ it's time for us to turn to the moderator discussions. Yeah.
We do have a set of policy questions that we would like discussed today. And to explore with our speakers.
So, please, however, feel free to jump in, if you have thoughts to add on to whatever that other speakers are saying. But, of course, please help me to keep your interventions concise and short here. Not more than two minutes, maybe.
So, first, maybe, I'll get Aderonke to take the first question. Do we need universal standards of resilience? Or is it the case that every country's digital infrastructure has unique needs that require a customized approach? Right. How should we balance these two perspectives of having something universal versus something that is highly customized? What are your thoughts?
>> ADERONKE SOLA-OGUNSOLA: Okay. So, for me, universal standards is not negotiable. I think it's something that is meant to be open and something that needs to be adopted. Like I did say earlier, so what we've done in Nigeria, I'll use my national perspective. And maybe because we are the largest economy in Africa. Our numbers speak, especially our interventions when it comes to development of digital infrastructure in Africa.
So back to standards. Yes. We need one. What we've also done in Nigeria is to come up with a critical national infrastructure order. It outlines strategies, methods, or activities or actions by several stakeholders. When the General was speaking, he talked about the physical protection of infrastructure. We have our vulnerabilities back home. Issues regarding infrastructures. So from that perspective, you drill down. You need to look at how you protect that. And from the national to the regional. How do we come up with KPI standards? What works for Nigeria may not work for Ghana. You cannot undermine the reason we're here in this room is because the digital infrastructure matters to us. And we've identified the need to see how we can continuously sustain it. So that's a conversation around the room. Whether it's services or whatever that runs on the infrastructure.
So you move from regional, I would look at the universal perspective. We're already working on the submarine cable resiliency. Just because of what happened. Singapore will probably come up with their own solutions. And DCO, also, is sharing experiences. So, in summary, for me, it's home grown to regional and universal. And at the universal level, I would like to liken it to the SDG. It can be adopted amongst all the nations.
[ Audio fading in and out ]
You talked about does it require different approach? It may require a different approach. But the standards can be global. And this conversation will probably develop on white paper. And adopting and having stakeholders, especially policy level to look at it critical.
>> MODERATOR: I like that response. Thank you for putting it so eloquently. Because, really, standards can be universal and they need to be. It's like what we have at the U.N. with the SDGs. It's a pretty apt parallel you have drawn. Of course, drawing experiences at the regional level, and, also, having implementation localized. I think that's excellent. I think it helped us to set the stage. I'm not sure if other speakers have anything to add. Dr. Pawan.
>> PAWAN ANAND: I agree with what Aderonke has said. She built it up bottom‑to‑top. On the whole subject.
I want to add, when we talk about universal standards, standards would be something that we should all be able to take on. If we don't do that, we would be not able to connect globally. So those universal standards, I think, are so important.
At the same time, when it comes to bringing in regulation, I think we need to be a little careful. Why we set standards, we will have to be careful about compliances. And we need to differentiate between the two.
Because the moment you bring in compliances, and those compliances become too stringent, then there's a fear of stifle innovation. We need to find the balance between compliance and innovation. We need to differentiate between standards and compliances.
>> MODERATOR: Okay. Thank you. Thank you for those remarks. I am going to move ‑‑ I'm going to ask maybe Alaa the next question. What do you think are the biggest challenges in adopting universal resilience standards that we have been talking about, for the most part? Especially in developing regions. How can we make sure these standards are assessable and scalable in different parts of the world. If you can maybe draw some experiences from working in DCO. Thank you.
>> ALAA ABDULAAL: I think we have a lot of challenges. Several key challenges. From economic and technological disparities between our countries. Different countries. So let's look at it. Even it has been mentioned by my colleagues here. Different countries have different level of readiness. Some of them, even at a stage that they lack infrastructure by itself. Not only having resilience.
This goes to having lack of financial support and technological support. Another aspect is, also, we talked about it when I mentioned it in my key opening. Which was the capacity building. Again, for a country to start adopting standards. Are they ready for those standards? Do they have the right human capital to understand the standards? To apply them to make sure that they are customized in the right way?
Again, definitely, it's very universal to have a framework and standards for everyone to adopt. But, again, there will never be a one‑size‑fits‑all. It will be a need of cascading to the needs of the country, to their status. But it's very good to have that solid foundation that unifies everyone.
And this is why having those right human resources and experts is very crucial on a national level. Which will really make sure it's being adopted in the right way and implemented in the right way.
Another aspect, one of the challenges, is as I said, is those standards flexible enough to fit the current stages of the country? What is the flexibility of those standards? Maybe one ‑‑ another aspect, one of the challenges is currently every country is tackling this challenge by their own. Even from a government perspective. Not looking at, "okay, what can the private sector provide? What can academia provide?" Academia can provide a lot of research and understanding of those standards in coming up with the right ways. Are we putting all of those people on the same table? Are they having the conversations? Is it a government approach? Is it a multilateral approach? A multistakeholder approach?
I think all of those challenges is being in the way of us, first of all, having the right to standards in place to adopting them. And then even measuring their impact and the way they are executing.
>> MODERATOR: Thank you. You have covered several very good points. Again, I think we are seeing this reoccurring issue or question to do with the human capital and their ability to appreciate the issue, apply the standards, and, of course, to rightly implement them in a way that makes sense in their home countries.
>> ALAA ABDULAAL: Let me add.
>> MODERATOR: Yes.
>> ALAA ABDULAAL: That's a very important point. Until we all reach that universal standard. Okay. Things are accelerating very quickly. Are those standards ‑‑
>> MODERATOR: Too fast!
>> ALAA ABDULAAL: Exactly. We're talking about AI. We are even now talking about quantum computing. It's adding another layer of complexity from a security perspective, from an infrastructure perspective.
>> MODERATOR: Yes.
>> ALAA ABDULAAL: Until we reach that agreement on those are the universal standards, we will be in another point of error.
>> MODERATOR: I know.
>> ALAA ABDULAAL: We need to make sure. This is another layer of challenge that we need to start thinking of to move fast. Can we build something that is agile enough to take that very fast advances that we are moving.
>> MODERATOR: Yeah. It's great you point those out. Dr. Pawan and I were just having a chat yesterday after hearing some sessions in the opening segment of IGF. We were saying, you know, shortly after this whole global digital transformation movement. And then we have got AI and now, already, we're into quantum computing. It's like we're trying to play catch up all the time! And I think that is definitely a theme that we need to come back to about how we can seek to remain agile. And fast enough to respond to have standards or laws or policies that actually respond to real issues. Real questions. That are evolving faster than we would like. Yeah.
>> ALAA ABDULAAL: I agree.
>> MODERATOR: Yeah. Definitely.
>> PAWAN ANAND: I totally agree. You know, it's all the time a game of catch. And most of us would agree on some points. And we would have disagreements in some areas.
I think the solution lies in quickly reaching the places where we have consensus. Issue some sort of a guideline, or at times, a regulation where we all agree. And then we can keep resolving what we don't agree upon. So I think when we come together to put ‑‑ to talk about these issues. We need to be clear. Where is it we have quickly found consensus and start implementing that as quickly as possible. And the rest we'll work on. At the same time, when we are working on those, you know, difficult areas where consensus is a little more difficult. We need to bring in the new technologies, also, that start influencing. So perhapses that is the only way that we can remain in the picture. Otherwise compliances will always or consensus will always be so far behind.
>> ALAA ABDULAAL: And I like the word "we" we have to work together. We have to agree. Because, yes, it's not one person or one nation.
>> MODERATOR: Yes.
>> ALAA ABDULAAL: I think it's we're working together on this.
>> MODERATOR: I like how he says we need to get started. Let's stop talking about this and just do it!
[ Laughter ]
all right. So I just want to stay with Dr. Pawan. I would like to ask the next question. How can governments be equipped in digital resilience? What policies? Regulations? And codes of conduct, as you may like to put it, need to be adopted to ensure a secure infrastructure across health care, governments, finance, CIIs, and data centres. Yeah.
>> PAWAN ANAND: So that's a tough one. When you formulate policy, you have to take so much into consideration. Just to tell you how it's tough been in India. It's been a short‑footed move. We came up with the digital data protection act. We talked about it in 2016. They finally came out with drafts in 2022. But it was given out to the public. There was blowback. There was a lot of feedback. They went out at the second with six months later. There was a bigger blowback. And, finally you know, the Act came into existence in the middle of 2023. It may have been later, but it was there. It is yet to be fully operationalised. There are rules working out. So it gives you a sense as to how you go about making policies with keeping in mind various stakeholders throughout the country and abroad. Covid‑19 gave us a wake up call. We went digital. We realized we need to have certain policies in place. We are able to converse digitally. And, of course, transfer data digitally. We've seen how it's impacted public services. We've seen to the extent how it started impacting elections, as well. Different COVID there was elections that had to be postponed. Even U.S. and India elections were impacted somewhat by the digital interventions, which were happening and the influence it played. I think how you can strengthen the policy structure for this. You have a digital‑first approach for public services.
So this needs to be built up with almost all within the country and outside the country. We also need to enable a kind of structure in our policies. So everybody is able to work somewhat remotely. And it is controlled. Of course, everybody needs to give a higher priority to digital infrastructure. With these three in connectivity between various digital infrastructures would bring us into a complete picture. So policy around all of these.
Not to forget what we spoke earlier physical protection of our digital infrastructure. So we have to look at the housing of the infrastructure on the ground. The distributed infrastructure. How to protect it physically. How to ensure it's not disrupted.
And then, of course, during transit. And, finally, I think we need to look at port body risks and how these will be managed as technology innovations take place. So all in all, policies will have to be all that have.
Let me take two examples, and I'll bring out the difference. You know, the United States in health care has those guidelines for HIPAA. And these are stringent guidelines that have been brought in for various health care ‑‑ for protection of health care information.
On the other hand, they also have the SSA aiding. They have certain reports, where these are standards by which you would expect certain reporting to have in financial transactions. Now in India, we are very clear that we follow the SSA guidelines. And so our reporting in sub one, sub two, and sub three is fully in place. We expect all financial transactions to be fully transparent. To be fully controlled.
On the other hand, when it comes to health care, and the U.S. has the HIPAA. India has come out with its own standards. We call it Digital Infrastructure In Health Care. But it leaves a lot of space open for data to be utilized. So you can't have the universal standard, as for us, in that. But we would have ‑‑ we would be able to say we have left a lot of space open for data to be utilized. So we don't mind our data being used for research. But private data has to be kept in place. So it's a little more nuanced, if you ask me. And that is the kind of nuance we need to have, so that we are able to utilize digital infrastructure in data. And to its fullest innovation. Yeah. Back to you.
>> MODERATOR: Thank you. Thank you for that.
And I think just one point of clarification. When you talked about the risks, you are basically talking about different people in the ICT supply chain, right? Okay. Cool.
Now I think questions are coming. Yeah, please. I'm going to say questions are starting to come in. I think let's go with the flow. I like the flow, please. Aderonke?
>> ADERONKE SOLA-OGUNSOLA: I wanted to add one or two points when it comes to how governments need to be equipped with developing policies regarding digital resiliencies.
So for me, I look at it sometimes people may see resiliency as being subjective. Based on levels of development and the technology or infrastructure or vulnerability. In some cases, issues of topography data may also serve as a point of forecast for us to consider. Because you did talk about the physical protection on the ground. How do we solve this infrastructure? Some places it's nearly impossible for infrastructure to be protected or being resilient.
Also from the Nigerian perspective, because I'm a regulator. We have come up with various policies. We have Nigeria National Plan that helps us to fashion out stages, faces on how to ensure resiliency, standards for infrastructure and for us as a country. Like I said, the critical National Infrastructure Order did engage or gives plan for various stakeholders. It's the private sector, academia, all of those are included. It's a model maybe for our national label, regional, or other countries that may want to look at it. If we say we're looking at developing standards. We have been pro active. And I want to say, perhaps that's part of what gives us the resilience, so to speak, from the submarine cable breakdown.
So for regulations, we keep doing catch up. It's a cliche. But it's something I want to look at. How do we get to standards or policies or regulations that can be self‑regulated. Maybe we come up with soft laws, as regulators. Thinking outside the box to speak to this global standards or universal stands. We're looking at rather than putting laws or regulations like General the said. That stifle innovation.
>> MODERATOR: Okay.
>> ALAA ABDULAAL: I think there's one important point that I want to pick up on. It has been mentioned. Again, we cannot protect ourself and be 100% resilient. But we, as a country, and even specially. We always have to have, like, the right response plan for those such emergencies. Yes, every country they have their recovery plans, incident response plan. Even, I believe, from an international level, or even times on a regional level. We need to have that set up in the right away. To have that immediate exchange of experience. Immediate exchange of what did this country do to come back or recover from a specific incident? I think this is a very important point that we should consider. Specifically if we're talking about government being digital resilient.
>> MODERATOR: When you talk about the exchange. What you mean is the cross jurisdictional learning?
>> ALAA ABDULAAL: Exactly.
>> MODERATOR: And the communication that takes place. I presume, effectively through that forms such as DCO?
>> ALAA ABDULAAL: Yes and other organizations.
>> MODERATOR: Yes. Okay that's great. Thanks, Alaa.
And now there is, actually, I know I'm sort of messing up with the order a little bit. But it's really just to maintain that flow. Because we have a comment from a member of the audience. I'm going to read it. And then I have a small question.
Which I may want to the pose it to Alaa. So the comment comes from Vahan. From RIPE NCC. And he says, "coming from different sessions at IGF, there is a feeling that we still don't have an universal understanding of what is this DPI. " I think Dr. Pawan mentioned DPI. Yeah. Yeah. "Neither the universal approach to what is a core, technical core or public core of the internet. To develop standards, we should use the same language and have a universal agreed definition of these terms," let us start from internet and define what is important for us. What is a core and how we can protect it and ensure the resilience of it.
I think what he's really talking about it is to have a common language that we speak when it comes to this topic. So my question is, really, how can we begin to shape this common language? It any insights? Maybe Alaa can start.
>> ALAA ABDULAAL: Yes, definitely. I totally agree with his comment. And before I answer this question, let me give you our challenge at DCO when we started.
Our organization is focused on digital economy, and when we first started, okay. What is the definition of digital economy? There is a universal understanding of what does it mean? What does it encompass? So it's ‑‑ I totally agree with him. The first point is that to define and put in a framework what is the understanding of what we're trying to solve.
This is the first, let's say ABC in any research. When you start conducting a research, you really identify what is the question that you want to answer? What is the scope? In the scope, what is outside the scope? And for us to reach that, we need to stick together. As it's a we problem we need to solve.
>> MODERATOR: Yes.
>> ALAA ABDULAAL: I can come up with my own definition that you can come up with your own definition and understanding. But then what is the whole purpose?
>> MODERATOR: What is the ‑‑
>> ALAA ABDULAAL: ‑‑ right, exactly. We need to bring all the stakeholders from government, private sector, academia, different regions, different countries. I believe this is the role of our organization, for example, and other organizations. Where we can bring all of the stakeholders in one stable to start defining the definitions of what do we want to solve. And then putting an action plan to actually come up with different solutions.
>> PAWAN ANAND: Yeah. I wanted to add to this.
I think it's a fair point that has come from the person that made the comment. But when it comes to digital infrastructure, I think a reasonable amount of definition is in place. Especially the technical definitions. I think across the globe quite recently. Probably where the difference comes in, is when you talk about policy. And there the cultural difference begins to play. So there may be a few issues where the lexicon needs to be clarified with, in some cases, when it comes to policy. On the tech side, I think we're okay.
In any case, when it comes to AI and responsible AI, we're still working out the lexicon. When AI comes into digital infrastructure and cyber resilience, I think it gets more complicated. There is definitely a need for some of that lexicon to be firmly put into place.
>> MODERATOR: Please keep the mic, because I'm going to ask you a question.
[ Laughter ]
So what ‑‑
>> PAWAN ANAND: I hope it's not an interrogation.
>> MODERATOR: No. It's not. I'm a lawyer but I will not interrogate you. Not today!
What novel threats, actually, should public and private organizations? Because, obviously, Dr. Pawan, you have experience from both ends. What novel threats should public and private organizations be looking out for? And what strategies or technologies should be implemented to protect against these emerging threats?
>> PAWAN ANAND: So novel threats. Everybody knows about how ransom
[ Audio fading in and out ]
So the threats are ransom ware. There's a huge threat of attacks. So ransom‑ware, attacks, APTs. Residing in our computers ready to give information all the time. Back to whoever has placed them in our computers. And in our servers. So these are the standard threats we know about. I think what is novel about some of them. We're looking at crypto jacking that seems to be the more current threat that has come up. As more and more people get involved with, you know, crypto currencies. You look at more and more of these problems coming up.
And, god forbid, when we have quantum coming in. It will get comprised very easily. And crypto is going to face huge threats. By that time, hopefully crypto would have evolved and block chains would have evolved to take on the quantum threat. So there's the speed of compute that quantum will bring in. Will actually be a huge game‑changer. It's not coming now but coming in another five to 10 years. If the U.S. and China are involved. 1200 cue bits. India is struggling at the moment. I think we're working on it. I think we'll be there quickly. Especially as we get our cryogenics in place.
I think everybody country has their own protection for gateways. But these protocols need to be in place internationally. Otherwise they're bound to get comprised. And if that happens, then you'll have a lot of data and a lot of information, which either gets disrupted or gets diverted. Or is routed there else and therefore fully comprised.
Another threat I think is the watering hole attacks, which is very simple to understand. I mean, you just cleared there are the places where everybody visits. Those are the areas that need to be protected. Somehow or another, we need to make sure that the usual watering holes are well protected, and we have our policies in place for that.
I mean, there will be as many novel threats as there are brilliant minds on the net and the doc net. I won't be able to give you something comprehensive on that. It gives you a sense where we're heading.
>> MODERATOR: Thank you for the insights. I think they're very interesting. Yes, please, Aderonke.
>> ADERONKE SOLA-OGUNSOLA: So, General spoke from the technical side.
>> MODERATOR: Very technical. I like it.
>> ADERONKE SOLA-OGUNSOLA: So I look at threats.
[ Audio fading in and out ]
Human resources is usually the key with the organizations. Government nations. So another threat, based on the speed and advantage of technology would be humans itself. Like Alaa said, if you do not have adequate skills, you are vulnerable. No matter what technical structure we put in. You still have the human interface. So I believe at public level, private levels, and even organizational levels, your human capacity needs to be updated. And sensitization of cybersecurity or cyber protection needs to be consistent. It's not something you should leave open. Because once your human resource or capacities are vulnerable, you're as good as experts.
Then for the policy level, another threat I may see may be in flexibility and regulation and policies. So as governments, moving forward, it is expedient for us to rethink or reopen our minds to regulations. We know like Dr. Pawan said, we have to be careful so regulation will not stifle innovation. The advancement is unprecedented. The speed.
We should also come up and be responsive as policy makers to think outside the box. What kind of policies do we put in place? Yes, we put up different structures? How do we make sure it's not obsolete on arrival.
>> MODERATOR: Yeah. Obsolete on arrival.
>> PAWAN ANAND: Can I just add on.
>> MODERATOR: Please.
>> PAWAN ANAND: She's absolutely right. The policy itself, if you don't formulate policy, it's a threat. So in some ways, the focus is very narrow, at times. We tend to focus on protection. We tend to focus on disaster recovery. But there is little focus because it requires money, time, and skill at the initial stages to bring it in.
I would really recommend that most of us, even though it would require time and effort to invest in the initial protection, it's really important. That has to be prioritized by governments, by companies, by the key management personnel. It has to be prioritized by the financial guys.
>> MODERATOR: Thank you. Thank you for that.
I want to maybe ask Aderonke, from the prospective of a regulator, what metrics do you think should be used to evaluate the effectiveness of resilience standards? And how in organizations continuously improve their practices.
>> ADERONKE SOLA-OGUNSOLA: So I can hear myself now.
So what metrics? I think it should be home grown or industry grown for metrics. Because we've had conversations talking about uniqueness of different experience. For me, our metrics would be measuring the quality and experience and resiliency, recovery plan, or disaster ability or plans for different
[ Audio fading in and out ]
So develop the metrics, it needs to be analytical and scientific, so to speak. Because it has to be measurable. And it's something that needs to be adaptive. The technical people would play a huge role in developing this metric. As a policy regulator, we should also be open to providing guidelines, so to speak. Or coming up with a framework that can be easily adopted and adaptable. Metrics should not be cast in stone. It should be something that you can review from time to time, based on maybe advancement or change in technology or infrastructure. So these metrics, it's something that should be measurable. It needs to be something that is acceptable. Developed by stakeholders, so to speak. And have it on the role of multistakeholder in promoting common good.
>> MODERATOR: Thank you for that.
So, Alaa, how can we then ensure ‑‑ I'm tapping on your experience dealing with multi stakeholders, engagements, and all that. How can we ensure stakeholders, whether governments, private sector, or Civil Society, and so forth, so on. Are actively engaged in the development of digital resilient standards? What role does each play? Because it's hard to handle. Everyone has a different set of expectations or interests. And sometimes they don't agree. Oftentimes they disagree. Tough job.
>> ALAA ABDULAAL: So I just say, I think we have to touch upon this during our discussions.
Yes. Every group has its own role. Again, I think it's a shared responsibility between all groups. But governments are responsible for shaping and setting the regulations and policies. Making sure frameworks that need to be digitally resilient. And this responsibility of creating the roles and regulations, it shouldn't be only that governments should do. But they should involve the private sector in the process. The Civil Society, also, in the process, to make sure that whatever they are coming up with from a regulation and policy, it is impactful and, also, can be executed easily.
The private sector, when we look at the private sector, I think we know the private sector needs to have organization. They come up with the technologies. They are aware of the new technologies and advancements that are happening. They are shifting the gears on the AI, on the computing power, quantum computing. It's very important for them always to have that conversation with the government. It's very important for them to keep updating from a cybersecurity perspective. And, also, support in the capacity building. The capacity building of the human resources from a government perspective, also. To have that support to the government.
Again, also, private sector can help out from a partnership in providing the right funds with the cooperation of the government. Again, as I said, I believe, yes, every group has its role. But it's a shared responsibility. And then we come to Civil Society and International Organizations. The role of academia, the help of research, help of how to think of their new innovations. How we can come up with the right set of standards with all supported but with the right data. This all comes from the Civil Society. Last, but not least, international organizations. Let's say we're the connector.
We are the ones who can put everyone together. Try to find the common voice. Try to unify the effort. Try to find the synergies. Because, again, we need to look at where are the synergies in all ‑‑ in every group. In the government group, even the private sector group and the Civil Society group. From a research aspect, from a funding aspect, from a policy regulation aspect.
So for this to happen, it needs, really, an effective engagement between the stakeholders. It needs cooperation and collaboration. It means that we need a continuous dialogue. An open dialogue. We have mentioned this before, we are facing a new or a very quick era of things that are very developing and accelerating very quickly. So if we do not put our hands together, we cannot and will not be able to survive those challenges. Be agile enough and be prepared. We're looking at different building blocks, infrastructure as physical infrastructure. The doctor mentioned the data aspects of it. We mentioned human resource aspect. We mentioned services. It's a huge [?] connected to each other. We cannot look at one building block by itself. Or one group by itself. Rather we have to look at it as a whole.
>> MODERATOR: Yeah.
>> ALAA ABDULAAL: And really adopt that effective communication with those different groups.
>> MODERATOR: Thank you for that.
So everything from the definition of the problem to coming up with the resources, whether it's leadership, research, or financial supports. All the way to deriving at implementable solutions. We need that input from different segments of our ecosystem. Right. Okay. I got that.
If speakers have nothing else to add, I would like to move on to a next question. Dr. ‑‑ yes, please. No. Please jump in! Thank you.
>> ADERONKE SOLA-OGUNSOLA: I'm sorry!
>> MODERATOR: Don't be!
>> ADERONKE SOLA-OGUNSOLA: About effective engagements. Because that's been ‑‑
[ Audio fading in and out ]
That's been on my head for awhile. How do we move from talks? We keep having the conversations. IGF level, like you did say. GSMA, just naming. But how do we move it? And, also, need to start focusing on conversation and make sure we engage the right person. We did say we just need to move. How do we move? And move effectively?
>> ALAA ABDULAAL: I totally agree with you. I think it goes back to when we talked about let's have a definition of the problem.
>> MODERATOR: Yes.
>> ALAA ABDULAAL: Then let's put an action plan. What do we need to solve? Then let's all sit on the table and try to solve it. Conversation for the sake of conversation and dialogue will not take us anywhere. It needs, really, to be structured with a specific goal. With a specific outcome that we want to reach. And then, after that, also, a specific measurement. This conversation and outcome that we wanted is it the correct one? In the right way? With the acceleration and how things are changing quickly we need, always, to revise ourselves. And see how effective the current solution that we are doing are really impacting the progress that we are aiming to.
>> MODERATOR: Okay.
I think, also, today's workshop and this dialogue that we're having, I was hoping to produce a white paper that sort of captures our key highlights from today's discussion, learnings. Well, I definitely learned a lot! And I think we're learning from one another. And with this white paper, I'm hoping we can gain some traction, as well, from the international audience that we have. And from there, you know, work towards that common goal to find solutions that we can develop in order to galvanize the entire ‑‑ galvanize everyone. And then from there, with the universal standards, be able to find ways that individual countries can customize for their own needs. Right. So I think this is a good start!
I am mindful of time. I have only about 12 minutes left. I would like to ask a couple more questions before we do a summary of our discussions today. If I may, maybe turn to Dr. Pawan with this question. How can resilient standards be designed? Not just for immediate response, but also to support long‑term recovery after a disruption. What mechanisms should be in place in order to ensure our organizations can bounce back effectively?
>> PAWAN ANAND: So I think the most important point is have a risk‑based approach. If we're going by the discussion that just took place between Alaa and Aderonke. We need to have a framework that can be put in place. Which talks about the risk‑based approach in various sectors where we have our digital infrastructure and the resilience we need to bring into it.
So I mean going technically, of course, we have to have a backup strategy. So when problems happen, we're able to recover from whatever losses have taken place.
We have to have a constant update. We need to be, you know, much of the time we find that our softwares are outdated. Our systems are outdated. That's why there is loss of data. There is loss of ‑‑ there is outage time, so to say.
So we need to work around that. See that we are up to date when it comes to our technologies. You can't underestimate the skilling aspect. So, quite obviously, we have to bring people up to speed when it comes to the latest skills of this. So the main things, I would say, following a risk‑based approach, create a framework, make sure that you have your back ups, make sure you have a rehearsed strategy to bounce back, and that rehearsal part needs to be done very carefully. Because, most of the time, again, organizations tend to feel it's going to take time away from their real work. And, you know, therefore, they just give it a bit of a lip service.
And, of course, the human aspect is the final aspect. If people have to be trained, cyber hygiene has to be understood by everyone. We have to make sure there's controlled access. That everybody understands the risks that the whole organization runs. How they personally run risks. I think we would be able to be in a situation where we don't suffer from these threats.
>> MODERATOR: Okay.
>> ALAA ABDULAAL: If you allow me. You mentioned an important point. I think it's very important to think of the point of failures that every country and system have. And not only looking at it from a back up perspective, but also having diversity of technologies and systems. So not relying on a specific system. Not relying on one company by itself. You need to really think of having that diversity of systems. And even looking at open‑sources. Because this will really make you build a very solid back up plan, as mentioned. Because it's very critical. We need to think out of the box regarding regulatory plans we have. Just having a back up and disaster recovery from an infrastructure perspective. To really thinking of diversity, the systems, the technologies we're using. And even looking at open‑sources.
>> PAWAN ANAND: I think the best example I can give of something like this would be what happened in Denmark 2023. Right.
So about three months they had repeated cyber attacks on the Critical Information Infrastructure. To the extent some of the dams they were working on, came under threat. And they went immediately to island mode. And it took them a long time to get back on to the net. But they had their systems in place. And, literally, people drove down and started operating systems physically. So quite, obviously, they had worked it out well. But these are recovery plans which need to be very formally put in place so you don't suffer outages. Okay.
>> MODERATOR: We have two people from the audience pinging up to say we want to ask questions. So quick ones.
>> ADERONKE SOLA-OGUNSOLA: 10 seconds.
Also, ensure your infrastructure we have excess capacity. In addition to open‑source. [?] put in place. And also ensure that your infrastructure has enough capacity for redundancy. If one goes down, you have the space. The back up.
>> MODERATOR: Buffer. Yeah. Cool. Thank you. Thank you, speakers.
I'm going take a pause and take questions from the floor. I think some people pinged us in the Zoom chat to say. I think this gentleman. Can we pass him a mic? No mic? Or you can ‑‑ we can pass you a mic. Yeah. Please. Thank you. switch it on.
>> AUDIENCE: Can you hear me now? Thank you very much. Thank you for the great talk. I'm the Chief Officer of the U.N. Joint Staff Pension Fund. I'm here at the IGF and involved in the best practice for cybersecurity. And also leading the block chain standardization.
>> MODERATOR: Pleasure to meet you.
>> AUDIENCE: Like wise. I actually wanted to share a comment because in my specific role in block chain, what I'm facing is the lack of standards. And I wanted to be able to be provocative. I think we do have universal standards. The ISSA standards. For years, I'm also an auditor. Are well established. And it's presented by the national standards in the countries in the technical committee that is open to stakeholders. Is there a risk to duplicate something? And instead to focus on what already exists. Should we stay focused on threat models? Because the way to translate standards into the those alluded to before. Look at what risk each countries is exposed to. Not all countries are exposed to the same risk. And maybe focus on threat modeling and risk assessment rather than reinventing a new standard. Thank you.
>> MODERATOR: I think it's an excellent question. Any takers? Please, yes.
>> PAWAN ANAND: I totally agree with you. Everything you said made sense. So block chains, certainly, would require standards. And I think we need to get on to defining those.
You know, you talked about threat modding. That's what I meant by risk‑based framework, as well. So each one of these will have to ‑‑ whether you talk about infrastructure resilience, whether you talk about cybersecurity, you talk about AI. In each of these and across these domains, you have to create frameworks and they have to be risk‑based.
The threat models you talk of will come from scenarios. You need to keep building scenarios. From where the threats emerge. And based on those scenarios that you came up, you'll be able to actually see what kind of frameworks will be built around them. I totally agree with you on that. And the way to go about it, as I just said.
>> MODERATOR: Anything else to add, ladies? All good? All right. Thank you. Thank you, sir, for the question.
And those are good comments, as well. Anyone else have questions? Yes, please, sir. You need the mic. We can share the mic. Thank you.
>> AUDIENCE: Am I being heard? Just to follow up that was raised. And what Dr. Pawan said about a risk‑based approach to establishing standards. And we talk about universal standards here. The ISO standards came from somewhere. They were developed through some institutional framework. And the question would be, in taking the risk‑based framework, are we identifying the institutions or the departments, maybe, that have to come together to develop the universal standards for resiliency in various scenarios that we identify need, basically.
All right. I came in a bit late. I don't know if you talked about institutions or anything like that before. But maybe we can try to identify the ways forward. Who are the people that would like to take action on these things? Thanks.
>> ADERONKE SOLA-OGUNSOLA: All right. So thank you for your comment!
So I'll start with the last speaker. I recall one of the goals for this conversation is to come up with a white paper. We've identified, I believe that's why we're here. We have identified that perhaps we do need universal standards. How do we go about this? I'm told that Alaa did say that once we identify them, we need to move forward to practicality and the next phase. We look at who are all the stakeholders involved. It's not going to be lopsided conversation. But this is getting the conversation going.
Yes, we recognise the standards and like you did say you know, developed by institutions. So what are the roles of these various institutions? I recall, also, I did say earlier that we have different pockets, regional pockets, national pockets, industry pockets have universal standards to address their own actions. To address different issues regarding infrastructure resiliency.
The point for me, do we need to develop standards or framework or measurable actions that would ensure universal resiliency of the infrastructure? Yes. Have we seen trying to move from cybersecurity frameworks to cyber resiliency. Because this threat will continue to come. If the human capacity fails or human error occurs. But how do we ensure universally crowd strike or the submarine cable does not contribute.
>> MODERATOR: Thank you. Thank you for the remarks.
I will have ‑‑ I have one minute left before some people have to run off. I'll summarize our conversations in one minute. And then we'll call it a day. Okay.
So, basically, I think what we managed to discuss and agree on. We need universal standards, which will form ‑‑ which basically are a common language that we need to develop. And, of course, how do we do that? How do we do that would be we start by asking ourselves what exactly is the problem we're trying to solve. The why. Right.
And then with these universal standards, as galvanizing ‑‑ well, a galvanizer for everyone. We also will have to tap on shared experiences. That is where the multilateral network, regional and international cooperation from within the community, cross jurisdictional learnings will come into play. I think we could also benefit from some use cases. Learn from past experience. And then, also, coming down to the local level to make sure that we have localized implementation and solutions. Which will work for the individual countries in a customized manner.
And, of course, because ‑‑ that is simply because nothing is one‑size‑fits‑all. And we discussed some challenges we could possibly be faced with. And already are facing, which basically will be the very fast‑evolving threats that is facing the world today. From technical perspective or from a human element perspective, because humans can be the weak link. Which is why we also touched on capacity building. And, of course, lastly, the policy element, which basically the usual problem is that, like, Aderonke said, it usually becomes obsolete upon arrival. So we have to try to avoid that and make sure that the policies, the frameworks that we put in place are agile enough to respond or be an effective tool that can help us to respond better to evolving threats. Which are fast and furious. And, of course, lastly, I think a takeaway, again I'm saying this again. Dr. Pawan said we need to get started. We just need to get started!
So what we'll do, in terms of next steps, is that we will compile today's discussions into a white paper, and hopefully this will serve as a guiding reference for countries. For regions seeking to enhance their digital infrastructure resilience. And, of course, thank you everyone for being a part of this panel discussion! And important conversation. We look forward to continuing our work together to shape a more resilient digital future! Thank you.
[ Applause ]