IGF 2024 - Day 3 - Workshop Room 4 - WS190 Securing critical infrastructure in cyber - Who and how

The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***


>> VLADIMIR RADUNOVIC: Okay, let's start. I hope you all got the headphones. It's channel Number 4. So Number 4 is the room.

Welcome to the session securing critical infrastructure, who and how. My name is Vladimir Radunovic, I'm leading cybersecurity programs for an international capacity-building institution. I'm here on behalf of Melanie Kolbe-Guyot. But there will be a number of distinguished experts also joining us both here and online. And there I count all of you as well.

Now critical infrastructure has become a buzzword, and we have seen it everywhere, popping up in the norm-setting, policy-setting frameworks, but also popping up among the professionals dealing with cybersecurity. But rarely do we see how these two connect.

Typically the discussions are in silos. What we're trying to do with the Geneva Dialogue, and you'll hear about that in a second, is to connect the frameworks with practical critical infrastructure. But before we dive into the session, let me welcome Thomas on behalf of Switzerland, which is the main supporter of this session, to maybe say some welcome words and set the stage. Thomas, the floor is yours.

>> THOMAS SCHNEIDER: Thank you. This is an initiative of the foreign ministry, but we partner with them in many ways. So they've asked me to say a few things about the Geneva Dialogue and the motivation behind this. So it was established by the foreign ministry six years ago. It's led by our friends at the DiploFoundation with the Republic and State of Geneva. They're a state to themselves. As well as Swisscom and UBS. The aim is to analyse and map the roles and responsibilities of the various actors in ensuring the security and stability of cyberspace. And the Geneva Dialogue is a global dialogue building on the Geneva tradition of bringing the world together, and engages one hundred companies, institutions, and experts. And in 2023 and 2024 more than 50 representatives and independent experts have contributed to the drafting of the Geneva manual.

In this context, the dialogue stems from the principle of shared responsibility, and particularly asks how the agreed cyber norms can be best implemented by relevant stakeholders together as a means to contribute to international security and peace.

Concretely, the Geneva Dialogue investigates the consequences of agreed upon norms for the relevant stakeholders. It does not try to find consensus, but to document existing views of such stakeholders on their roles and responsibilities in the Geneva manual, as well as give good practices that should inspire others and promote responsible behavior in cyberspace.

So this inaugural edition of the manual focuses on two norms related to supply chain security and reporting of ICT vulnerabilities. This year the Geneva Dialogue discusses the operationalization of the critical infrastructure related norms, and the sessions at the SICW are another important opportunity to gather international feedback from various experts for the next chapter of the Geneva manual.

So I'm looking forward to an interesting discussion and hope you all enjoy it. Thank you very much.

>> VLADIMIR RADUNOVIC: Thank you, Thomas.

So briefly, what the outline of the session will look like, we'll start with a short overview of what is the main challenge that we try to address. And what is the Geneva Dialogue all about?

My colleague Anastasiya remotely will run us through that. And then we'll play a little bit. And I think that's the point of making most sessions useful but also interesting. So we have a scenario again with the cards, and we'll break up in groups and try to step into the shoes of governments, operators of critical infrastructures, researchers, and then after that, we'll get back to a plenary discussion to reflect a little bit on the main issues that were raised.

I'll pass the floor now to Anastasiya to lead us through the main issues and the Geneva Dialogue, and then to drive us into the scenario exercise that we'll play.

Anastasiya, over to you.

>> ANASTASIYA KAZAKOVA: Thank you, Vladi. I hope you can hear me all good?

>> VLADIMIR RADUNOVIC: Loud and clear.

>> ANASTASIYA KAZAKOVA: Happy to be here, everyone. I'm sorry it's only my face, but it's real. I am a fellow and part of the team, and within my ten minutes I'm going to briefly tell the story of what we do within the Geneva Dialogue.

This story was inspired by real events, so let's imagine a large logistics company identified as critical infrastructure that was hit by [?] because the attackers managed to target the security at the service provider. And the service provider provided cloud services and managed the cloud infrastructure of that logistics company.

Imagine a part of a whole infrastructure of your company being frozen, just because you're interdependent with other companies across supply chains. But of course you have little control over the security of other actors across supply chains.

The challenge is that you are inevitably affected and your infrastructure might be at risk.

And that's, I think, one of the default scenarios across different actors across supply chains for different products: infrastructure has been interconnected with inherent vulnerabilities and a potential for malicious actors to target this.

One of the main questions for us, which this story provides an example of, is who is responsible for taking action to mitigate cyber risks and protect critical infrastructure across borders and supply chains.

Fortunately there's some guidance. Almost ten years ago states agreed on a set of norms for responsible state behavior at the UN and some of the norms specifically agreed on to ensure supply chain security, report ICT vulnerabilities and also to protect critical infrastructure.

There are questions, though, how these norms guide actors in protecting critical infrastructure.

And how specifically can non-state stakeholders, which is the private sector, academia, Civil Society, technical community, support the norms and states' efforts.

These are the questions that we look at in the Geneva Dialogue, where we discuss the roles and responsibilities of different actors in cyberspace to facilitate responsible behavior, implement norms and address cyber risks.

The initiative has been running since 2018, and there was a lot of work done since then. In 2023, it was exclusively looking at the implementation of the norms, and since then you can see that more than 60 contributors, who represent organizations, businesses, and also individual experts participating in a personal capacity, have contributed to the Geneva Dialogue.

All of these contributors come from more than 20 countries from different regions and that highlights the Geneva Dialogue is about the community, connecting different people in different parts of the world.

In our community, we look at the four main stakeholder groups. As I mentioned, this includes the private sector and industry, academia, Civil Society, and the technical community, which is represented by the open source community, cybersecurity researchers and incident response experts.

As for the 11 norms that we need to look at, we started to discuss them step by step, and in 2023 we started first with the two norms related to vulnerabilities and supply chain security. So that was the first step of our work. The outcomes were published in the Geneva manual, a comprehensive guidance on how the stakeholders can help support the states' efforts, other efforts in the community, and implement the norms.

This year, we expanded the scope and started looking at the three norms which we grouped as the norms related to critical infrastructure protection.

We did quite a lot of work. And here are just some of the examples. In 2020 we already discussed different practices which the private sector implements to build secure by design products and reduce vulnerabilities in them. In 2021 there was a study where we looked at the different governance approaches of selected countries to regulate the security of digital products. Essentially, that was a solid basis for us to more actively look into the implementation of the relevant norms and produce the first chapter of the manual in 2023.

Structurally speaking, the manual, the Geneva manual, provides different inputs, and we intentionally want to keep this document user friendly for different stakeholders with different backgrounds. So when we discuss responsibilities, there's a first element, where we identify a particular role which is important to implement the norm. Then we also look at the responsibilities, the incentives, this is the why element, different challenges which stakeholders might have which serve as barriers for them to implement the norms, and the good practices. Hopefully that might be helpful for those who are not part of the Geneva Dialogue, but who might be interested to make contributions and find different useful experiences from Geneva Dialogue experts.

And specifically, when we discuss the norms related to vulnerabilities and supply chain security, we identified five roles. You see them on the right side. And specifically I just want to highlight that Civil Society was also highlighted as one of the roles by our experts, because we believe, and we heard the feedback from our experts, that Civil Society, especially those involved in policy and research, might be an important element in putting pressure on the state actors and facilitating the norms and facilitating implementation of the relevant security practices.

Today's session is one of the first steps for us to collect international feedback, which is increasingly important for us to produce the final chapter of our work this year with the focus on critical infrastructure protection. Early next year we'll announce the second chapter with a focus on critical infrastructure protection.

Just to give you a brief example of the level of discussions that we have in the Geneva Dialogue, there are some preliminary findings that we were able to hear from our experts. I'm not going to read all of them, and we would be actually happy to share the final version early next year, as I just said. But just to give you some of the examples of what we discussed.

So when we unpack those norms, which are the result of the diplomatic agreements between states at the UN, our non-state stakeholders and experts highlighted different concerns.

One of them is the lack of international efforts to understand and protect cross-jurisdictional interdependencies in some critical infrastructure sectors that might have regional or international impact.

The other point that we heard is that critical infrastructure is secured by frameworks and some states like to keep that secret due to security reasons. A lack of transparency with stakeholders was highlighted, as they need it to support the effort in critical infrastructure protection; therefore different experts have highlighted that transparency on how states approach the protection of critical assets is an important element to make sure the stakeholders are aware of those efforts.

In that example, what we so far have heard from our experts, and that would be the topic of the tabletop exercise, is the lack of a universal baseline of minimum cybersecurity requirements for critical infrastructure. The suggestion came from the discussion that, again, there's acknowledgement that critical infrastructure is governed by national legal frameworks; however, there are connections between different critical infrastructure facilities through transnational essential services or other types of infrastructure. And that actually raised different, more or less universal questions about the security across the supply chains for critical infrastructure facilities.

And then further, how to make the different legal systems which govern critical infrastructure and the security in them more or less interoperable, so the actors who face the same security issues might already have a common basis, at least a baseline understanding on how to address those security issues.

I'd like to stop here and just make a call: as mentioned, we build a community and we also welcome the input of interested stakeholders to support our work and contribute with their expertise. The first chapter of the manual that we produced last year is published and you can see the link on the website.

That's open to the feedback. You can get in touch with us directly. And at the same link, we are going to announce the next chapter of the Geneva manual, and ultimately we would welcome other stakeholders who are interested who have time and passion, please join us to discuss these important topics.

Thank you very much. I'd like to go to the next segment, as Vlad mentioned. We have the tabletop exercise, which will have its main focus on discussing possible universal minimum baseline security measures for critical infrastructure protection. And before we explain the rules for participants on-site and virtually, we prepared the fictional scenario, and to explain it properly we prepared also the video and hope that will be a little bit of entertainment today.

So I'm going to launch the video and please let me know if you can hear perfectly.

>> VLADIMIR RADUNOVIC: We don't hear the sound. It's not necessary. You can see if you can put the sound on, but we have the script.

>> ANASTASIYA KAZAKOVA: Okay, on my side the sound is the maximum. So let me know if --

>> VLADIMIR RADUNOVIC: Is the sound also shared?

>> ANASTASIYA KAZAKOVA: I hope so.

>> VLADIMIR RADUNOVIC: If not, it's very visual and it's in sight, so it's fine.

>> ANASTASIYA KAZAKOVA: Okay, so I'll continue.

>> VLADIMIR RADUNOVIC: Yeah.

>> ANASTASIYA KAZAKOVA: Okay.

>> Something significant has happened. Mr. Martin.

>> Come in, I've been waiting for you. We'll skip the formalities. Global Flow Logistics has a big security problem. I.T. will handle that. We need your services to deal with a different type of problem. Needless to say, I expect absolute discretion.

>> Wasn't even us they targeted directly.

>> The breach had come through Nimble Tech Solutions.

>> Could you explain what happened?

>> The attackers exploited weak access controls and outdated patches. Once inside, they mutual fund in the infrastructure of the cloud service provider on the cloud, eventually further slipping into, among other clients, GFL I.T. systems. I assumed something similar to this scenario happened.

>> All systems are blocked. The key infrastructure is offline.

>> What happened? We need answers now.

>> I'm working as fast as I can. The threat actors attacked our supply chains across the region.

>> Get Global Flow online, and fast. If their infrastructure goes offline, it puts the entire critical infrastructure in our country at risk.

>> Great, now all systems are blocked.

>> I just had a call from the government, they're asking for answers. Ms. Wong.

>> This was no ordinary cyberattack. It was a full-scale assault on the networks that kept modern society moving.

>> It seems that it had all started with a simple, preventable breach in a small company. The consequences would echo for weeks. But at that moment, she only had a few hours to figure out how to stop the bleeding before the entire structure crumbled.

>> ANASTASIYA KAZAKOVA: So that was the scenario that happened. And it was an attack targeting a large logistics company via its service provider.

And that affected multiple critical infrastructure industries in the country. So currently, at this moment, we'd like to proceed discussing this scenario in several groups, and I just want to briefly explain the rules. The main goal would be, for this scenario and the three questions that we prepared, to discuss in small groups what could be possible minimum cybersecurity requirements for critical infrastructure operators and relevant stakeholders and service providers. There would be three roles, so we want to look at this problem from different perspectives, through different lenses: government, critical infrastructure industry, and cybersecurity research stakeholder roles. And we will have also team captains for each group on-site and virtually.

And as I mentioned, we will have three questions for each group. Those questions you can see on the slide. So basically one of the first questions: what universal baseline cybersecurity measures should be mandated for the operators.

The next question has a focus on the same security requirements but for the service providers: whether you see a difference between them, or whether you believe that it might actually be a similar approach to define those security measures for service providers as for the critical infrastructure operators.

And the third question is a little bit optional, if you still have the time: which steps are required at a regional or international level to ensure these requirements are effectively implemented across different sectors and jurisdictions?

The question mostly targets different national efforts, if you see the necessity, especially in the current geopolitically complex environment.

We mentioned we also have team captains, so on-site we'll have several groups. The group which will be playing on behalf of government will be led by the speakers Dr. Bushra AlBlooshi from the Dubai Electronic Security Center, joined by Melanie Kolbe-Guyot from the Center for Digital Trust at EPFL.

The next group, which will be looking at the same problem but through the lens of the critical infrastructure facility, will be led by Maria Pericas Riera from the German Council on Foreign Relations, and my colleague Vladimir Radunovic from DiploFoundation. And hopefully the co-host on-site will also allow our virtual participants to speak, so we will have the third group virtually with the team captains Kaleem Usmani and Nicolas Grunder from EDP, Klee Aiken from FIRST, and Kazuo Noguchi from Hitachi America.

Vlad, if you would like to add something before we proceed to the groups.

>> VLADIMIR RADUNOVIC: Thank you, Anastasiya. As you can see, we have quite some ladies, which is a nice surprise in cybersecurity area, not so often.

What we're going to do now, we're going to break into -- I'll add another group because there's a huge number of people in the room. On this side of the room, I invite everyone who wants to play the role of the government to just move there slowly. It will be led by Bushra AlBlooshi and Melanie. On this side of the room, we will have the critical infrastructure operators. Think about it however you want, hospital, energy, in this case we have a transportation issue. Maria will lead that group. I'll take the third group which is the cybersecurity researchers, incident responders, and techies in a way, in this part of the room. My colleagues will give us the scenario. The video you saw you get in a comic book format. We'll have a few minutes to go through the comic book to remind ourselves. Then we'll get the cards. Each group will have the cards which will enable us to discuss the options.

To choose a couple of cards that are priority options based on the three questions that Anastasiya looked at.

Now, important thing, the scenario shows something that happened, an incident. We're not responding to an incident. We are rolling the time backwards and saying, what should we have done so that this doesn't happen?

So think about rolling backwards and say, if we had done this measure which says maintain up to date all critical assets of the infrastructure, this might not have happened, and so on. Do not tie yourselves so much to the incident; get into the shoes, but don't go into the details of the incident. We're trying to see how the global norms and these practical issues are connected.

Okay. Those that want to play the government, move to that side. Those that want to play the critical infrastructure, move here. And techies, that side of the room. Stretch a little bit and we start in a few minutes. We'll have about 20, 25 minutes to discuss in groups. And the colleagues will tell us what to do. Thank you.

>> ANASTASIYA KAZAKOVA: All right. So we will proceed virtually. I hope the participants on-site can hear us. Kaleem, the floor is yours. And I will start sharing the screen with the mural board where we have the questions and the cards as well. Just a moment. And if you allow me, I will briefly explain what we'll have on the mural before you take the floor.

So hopefully you can see this. Perfect. So we have the story, we watched the video and we have three questions. We will be playing on behalf of the cybersecurity researchers.

These are the three questions which are already announced. The only thing is that the third question that we have is a bit different from the other groups'. So the third question is about thinking what steps could be proposed at the regional or international level to overcome restrictions that hinder the sharing of critical vulnerability information among relevant stakeholders. I just wanted to highlight it, in case we still have the time to discuss this.

So this is the mural board. I will be listening to all of you and the discussion will be led by our team captains. And basically with the sticky notes I will put the main tag words and the main ideas that you have.

We also have cards on this board which are sort of the ideas to support your answers to the questions. So if you wish, I can give you also access to the board so you could also collaboratively check all the suggestions here. You just need to send me your email directly in the chat and I will be able to add you so you will be able to play with the board as well while we all discuss.

That's all I wanted to say right now. Let me know if you have any questions about it.

>> Just a question, so our role is researchers, right?

>> ANASTASIYA KAZAKOVA: Right.

>> And then what type of baseline security measures should be mandated for CI operators to protect their infrastructure? From the point of view of researchers? You see what I mean?

>> ANASTASIYA KAZAKOVA: Yeah, yeah, that's correct. The researchers are part of the supply chains. The idea is to look from their lens at what requirements should be mandated for the operators and then for the service providers.

>> Okay, thanks.

>> ANASTASIYA KAZAKOVA: Thank you very much.

So if there are no further questions, I don't see anything in the chat, then I'll stop speaking and Kaleem, the floor is yours.

>> KALEEM USMANI: Thank you very much, Anastasiya. And good afternoon, everyone. As Anastasiya has said, (garbled audio) cybersecurity research stakeholder group, and then as a ground rule, just starting this scenario, we are having some 20, 25 minutes and we have some questions. One, what universal baseline cybersecurity measures should be mandated for CI operators, in terms of the operators and service providers. We're trying to encourage the participants to come up with their suggestions and then we will be opening the floor soon, but we will also have our lead Nicolas, who will be talking about the first question on the CI operators. We will wait a little bit on that and then maybe we can start.

>> NICOLAS GRUNDER: I would not add too many words; as we only have 25 minutes, I would suggest we get started. Anastasiya, it's probably difficult to pull up the cards with suggestions, right? So I suggest that we maybe just start with someone from the participants considering what should be some baseline security measures and suggestions.

I think we should just open the discussion of anyone who would propose a suggestion and why you would have such a suggestion.

>> KALEEM USMANI: So I think we're having one hand raised. Imad, please go ahead.

>> IMAD: One thing that comes to mind is first understand the critical infrastructure. It's not clear what is an infrastructure, even in their own country.

Second thing, they don't know what is the supply chain of this critical infrastructure. Here is the big question of whether the critical infrastructure should make it transparent how they depend, what their providers are; there are some pros and some cons, I guess.

>> KALEEM USMANI: All right. Maybe also another aspect of it is that we're trying to focus on the organizational and the technical measures. So maybe say what are the organizational measures that these CI operators should be putting in place, as well as the technical measures. It's important for us to understand what the critical infrastructure is, how do we identify that, how do we carry out the assessment.

So these are the aspects, and I think we have another hand raised. Paula, please go ahead. Thank you.

>> PAULA: Thank you. Just adding on to what the previous contribution was, understanding what critical infrastructure is. For instance, if the nation deems that maybe the health sector is critical infrastructure, what the health sector needs to do is define what assets they are in charge of, what assets they have; that way they'll be able to know what needs to be protected, what should be classified as high risk, what should be classified as low risk. And this is maybe more on-site. So they should be able to understand what assets they have as the health sector, what's critical for the nation to have as critical infrastructure, what should be protected best.

If the health sector was attacked, what would be -- what would cause the biggest challenge to the health sector?

So basic understanding of what the assets are or sort of like an asset inventory.

>> KALEEM USMANI: All right. Thank you, Paula. I think again the question which is coming here is how do we identify infrastructures and what are the means of doing it. So maybe we're having Nicolas: would you be able to share a little bit of experience with what DB is and what are the sort of baseline impressions, what kind of a checklist that helps the organization identify their infrastructures. Absolutely, in different countries, critical infrastructures vary a little bit as compared to other countries.

But as per your experience, Nicolas, would you tell us a little bit how to identify and how to get the identification done, so that later they're able to identify which sectors could be considered as critical?

>> NICOLAS GRUNDER: I think, Kaleem, you mentioned it may vary between the countries, depending on the industries they're actually having. But I think what is something common is looking at the impact. So what impact does it have if a certain company or a certain type of provider of infrastructure would be taken out of service, either partially or completely.

And what impact does it have on individuals, on the functioning of certain services. And it's basically about defining the services that are critical for functioning of society, right?

And so of course it's very, very high level, but I think that that would be something important, as we have heard, if there is at least some sort of a common understanding. I think now looking at it also from a provider of products and services into critical infrastructure, so basically looking at the supply chain, that of course is important for the providers of products to critical infrastructure, because we will have to actually employ and deploy and develop cybersecurity measures for the products so that they are then secure to be used in these critical infrastructures.

So looking at the question, what is the universal baseline, I think that it probably is difficult to formulate conclusively what is critical infrastructure, but giving some criteria based on the impact it can have, I think that would be certainly helpful.

>> KALEEM USMANI: Thank you, Nicolas, and also with this particular group we're having two experts and maybe we can also hear from Klee. Klee, do you have sort of an explanation around what Nicolas has added, the how, and what are the best practices for identifying particular infrastructures, because normally we see that, as Nicolas mentioned, that's sticky. That's sticky, once we have it.

And then also some reflection on the part of the governance and risk management, how the governance of this critical infrastructure has to happen in the country. And then we move on to the next level of understanding. So Klee, the floor is yours.

>> KLEE AIKEN: Hi, everyone, thanks, Kaleem. I hope everyone can hear me okay.

Yeah, I think, you know, in terms of the basic baseline cybersecurity measures and things like that, obviously there's the normal level that you'd expect from any type of organization. But by being critical infrastructure, you do have these additional requirements that are placed upon your organization.

In terms of determining which organizations fall into that category, it's very much determined by each individual government and their approach and their perspective. You know, we've had conversations with folks in the Pacific, for example, where, you know, certain cultural aspects or assets or tourism-related assets that wouldn't necessarily be critical infrastructure in other countries were deemed critical infrastructure. At least in the exercises that we were doing.

So it's really important, as Nicolas said, to look at what that impact is on the individual economy. So that's a national security perspective, that's an economic perspective, and most importantly, as Anastasiya hinted at in the beginning, is looking at the human impact, both directly in terms of health and human services and that impact on people's health and their ability to get treatment and emergency care, but also kind of the flow-on impact that can have effects on individuals.

Last week or two weeks ago we were on a panel and one of the speakers was speaking about the ransomware incident in Australia last year. And one of the things they faced was finding means to coordinate between the Federal Government and state government, and being able to reach, from the cyber sector, into women's shelters. So you have to focus on those flow-on things that wouldn't come to mind. Critical infrastructure can get complicated to define. It's just important to focus on that impact on individuals, national security, and the economy.

>> KALEEM USMANI: Thank you. Thank you very much, Klee. And another aspect also is, in terms of organization, what we have been talking about. And then also the other important aspect is the technical measures. Both are a combination. If you want to protect your [?], technical measures are important, because they normally govern the whole implementation.

So we're having a hand and then maybe we'll get back to Kazuo.

>> IMAD: Here I am again, regarding the impact. It's very complicated to measure the impact of a flaw in a given infrastructure because of the dependencies. Let's say if you are cutting water, okay, water is critical infrastructure. And then how long will the society survive just because of the lack of water, but it's also for cooling, for instance, for cooling generators or for cooling whatever.

Then electricity might depend on the water. Everything else depends on the electricity, and trying to measure how much dependent water is on electricity or vice-versa is super hard, right?

What may help in this, for the researchers: for each critical infrastructure service, they can define what they depend on and what other stuff depends on them. So input and output dependencies.

This may be helpful for researchers in order to assess the impact of attacks.

>> KALEEM USMANI: I think interdependency is the key, I agree. And this is one of the areas to be discussed as the thought process on to that.

Imad, you want to add on?

>> IMAD: It's inward and outward. If I'm an electricity provider, it's not only what I depend on, but I can list what other services depend on me. You see what I mean?

>> KALEEM USMANI: Sure.

>> Nicolas Grunder: I just saw the comment that Paula made and he mentioned continuity planning. And I think it's a very important baseline that -- so what's the goal of protecting critical infrastructures? The goal is that it actually -- it can continue to operate, and having the business continuity and the recovery planning in place. Having planned that, I think that is also an important requirement. That actually should -- should be applicable across the board regardless of jurisdiction, right, because you want to keep it running.

>> KALEEM USMANI: Thanks, Nicolas. Again, that's a very good point. Continuity and business continuity are important, and especially here we are talking about (garbled audio).

So maybe even Kazuo is with us, and Kazuo I'll get back to --

>> KAZUO NOGUCHI: Great to be here. For critical infrastructure to be sustainable or resilient, any attacks can be correlated. So how long can it be sustained regardless of attacks.

The -- how to create it not to be kind of down. So that's one thought, resilience is major. But impact analysis, I totally agree. The consequences as well as the risks, major particularly to human life. And from that, investment on the priorities and resources should be allocated appropriately.

But critical infrastructure, based on the country, is 15 or 13 or 18 sectors, so those are based on the risks and human lives these days for the technical advancement. In addition, these new additional things such as AI can be impacted quite well, positively and negatively; how to make those majors or risks for consequences to human lives should be properly put into the context.

So let me stop here.

>> KALEEM USMANI: Thank you. And so obviously the discussion is moving to how do we identify, how to identify the services and what is the importance of interdependencies, inward and outward. This is also something we need to have once we talk about the baseline security measures, which we need to have.

And we move on accordingly. So still I think we have three to four minutes for us to discuss around. And any other questions from the floor, maybe, that we can take up, and then we can have a last round with the experts here and then maybe we can wrap up this part of the discussion.

So any questions from the floor? Yeah, Paula. You have the floor now, Paula.

>> Paula: Thanks. Maybe not a question per se, but I think there should also be an aspect of training for the employees and awareness. Because of the industry or because of how quickly cybersecurity changes and things are moving, there is this constant need to be up to date with how to protect critical infrastructure, so this need for training, for staff that are working on that critical infrastructure, but also the general awareness for staff that interact with the infrastructure.

>> KALEEM USMANI: Thank you. Thank you very much, Paula. And coming back, one more thing, we are just connecting speakers, even our training is very important. And another aspect once we're talking about the technical measures here is compliance and standards. And I think that connects very much as a part of a cybersecurity measure on the site operator.

So maybe I can open the floor to the experts around compliance standards for this cybersecurity, for the CI operators, and maybe we can wrap up this session here. So I start with Nicolas and then Klee and then to Kazuo. And if there is any final question which we have, we can take it up and then we can close.

Over to you, Nicolas.

>> Nicolas Grunder: Thank you, Kaleem. Standards are absolutely essential, especially if you look at the Trump perspective of a globally operating company. That's where the big benefit of cooperation or global cooperation is essential.

There are certain standards that you can also rely upon, and that you know apply in country A and in country B and in country C, and that would then actually be the regular baseline.

I'm a lawyer, not a researcher, so trying to look at it from a researcher's perspective, that's where researchers can play a huge, huge role in defining these standards, right? Because that's something when you look at it from a technical perspective, that's something very much where the researchers will provide input.

>> KALEEM USMANI: Thank you, Nicolas. Over to you, Klee, for your final thoughts around compliance and standards for critical infrastructure operators, for them to implement as a cybersecurity measure.

>> KLEE AIKEN: Yeah, definitely.

So with standards and compliance, there's obviously the clear value to help teams uplift their cybersecurity. But there's the responsibility on government, when you're defining certain industries and organizations, to create certainty about the expectations that you have on -- on companies.

So that's a pretty critical role that can be played. And you can look not only at the technical standard and technical expectations and policies that need to be in place, but also the responsibility around reporting as well as communications. Because again, we're looking at critical infrastructure because of the flow-on impact that it has on the wider economy and individuals.

Thinking about other aspects beyond just technical expectations when you're developing these types of standards is quite important.

>> KALEEM USMANI: Thank you very much, Klee.

He comes from the research community and I think (garbled audio).

>> KAZUO NOGUCHI: So ultimately global supply chains are really complex, including small companies and small nations, and build on to the supply chain software, hardware, IoT, and the people in the supply chain.

And how to make sure that the end-to-end is working well and all the service providers, to protect the doors, including the databases, as well as those chains. And the hardware chains which is part of this exercise that are software supply chain areas also, and the database are all connected.

So all the researchers to analyse those and some vulnerabilities to get to know and protect constantly, those are part of the measures. Particularly automated things are coming up and all connected physical as well as the virtual things. This case is cloud, which is a new type of, perhaps, critical infrastructure category, perhaps.

So how we can make sure that all connected things can be protected well. So those are going forward.

>> KALEEM USMANI: Thank you very much, Kazuo.

We argued the shape of understanding what the basic baseline cybersecurity measures should be that should be managed for CI operators. And the discussion which has come up here is how do you identify, what it is identifying, and understanding the structure of the CI; I think this is another aspect we've been talking about. Interdependencies have to be seen in order for us to look at the complete visibility of the supply chain attacks in order to identify the CI. And then put measures in place.

We have been talking about the impact analysis because it's important to identify whether it's critical or not. This is what we are talking about. And in the discussion, what came up as baseline cybersecurity is also business continuity, and even incident response plans are an important aspect of having that baseline cybersecurity measure in place for the CI operators.

Also we have been -- (background noise).

And then obviously implement vulnerability management. That's the data protection. That's the important aspect, again, it's finally I think --

>> VLADIMIR RADUNOVIC: Should we start?

>> ANASTASIYA KAZAKOVA: Yes, I think we just finished. Thank you very much, Kaleem. I guess we're wrapping up this part and if anyone has any better comments, we will keep the chat open. But thank you so much. I'll put the slides back.

>> VLADIMIR RADUNOVIC: Thank you. (Broken audio).

>> ANASTASIYA KAZAKOVA: Vlad, I apologize. We can't hear you properly. You are disappearing from time to time.

I didn't sing enough, if I sang enough I would know how to mic up.

We move to the last part of our session to discuss a little bit a couple of questions that we had at the roundtable. And we start with a question on -- well, you can probably show the questions. We start with a practical aspect and try to connect with cyber norms and confidence building measures. I'll go to Melanie to lead. But we want to interact, right?

Melanie, over to you.

>> MELANIE KOLBE-GUYOT: Fantastic. So please, now we're starting out with our discussion rounds. And I really invite everyone to also report from their group what they found was most interesting, speaking also from which perspective you were talking about.

And also what your reasoning was.

So the first question we want to discuss is how can we effectively protect critical infrastructure facilities and assets that do have national, regional, or international impact? In particular, what practical measures should be implemented? And importantly, which stakeholders need to be engaged in this?

So we're trying to kind of go between our online audience and the in-room audience. I'd like to start quickly with our Zoom people. Nicolas, would you start out?

>> Nicolas Grunder: Thank you very much. I'm reporting a little bit of what we discussed in the group, and we were the researchers group, and interestingly the first question from the perspective of the researchers is what is critical infrastructure. And so we delved a bit into that topic and I'm seeing that critical infrastructure might be -- might be defined differently from jurisdiction to jurisdiction.

But essentially, what we see as important to discuss is that there is some sort of a baseline -- what is developed based on the impact that the incident can have.

And very quickly we started talking about standards as well, which I think we all think can be very beneficial. And standards should not only be technical standards; yes, that's an important part of it, but also organizational standards, incident response notifications, et cetera, et cetera.

So -- so it's that kind of broad array. But let me open the discussion again to the group -- to the group of people as well.

>> MELANIE KOLBE-GUYOT: Fantastic. Someone else, what practical measures do you think are really important? Anyone in the room who would like to give it a go? Dr. Bushra, go ahead.

>> BUSHRA ALBLOOSHI: Thank you so much for the invitation and the very nice interaction that we've had so far.

Just to reflect on a few practices that we've been doing in the United Arab Emirates or in Dubai, and a few of the practices that we were doing also internationally with the World Economic Forum.

Reaching an agreement on what is critical infrastructure and reaching an agreement at regional or national level might be challenging. But reaching a unified agreement on the policies, regulations that we can all deploy on our service providers, whether those service providers are cloud providers, or even critical infrastructure operators themselves, I think we are all doing common things. But we need to come together in order to say those are common things, let's agree on them internationally.

And we published a report with the World Economic Forum in 2021 where we were calling for harmonized certification for individuals, professionals, service providers, and even products.

You can find the report on the website; it's called the certification report with the World Economic Forum.

Out of that report, actually there was an action that was taken forward. So there's an international regulation that was created for cybersecurity proficient certification, where more countries came together, and we met last November and we came out with an agreed, let's say, set of certifications with a proficient domain.

If that can be done for cybersecurity professionals, why not for other domains? Why not for cloud providers? Why not for operators? And for devices, it's called Common Criteria. Multiple countries came together and agreed on requirements for hardware devices and ICT hardware devices; that can also be done and was done and was proven to be effective. Then we can do something at the providers level or even [?] level.

Priority one is to agree internationally or nationally on the minimal requirements that can be done for service providers. Why do I need to certify a cloud provider in multiple countries with the same regulations or same requirements?

>> MELANIE KOLBE-GUYOT: Thank you. This is what we were talking about in our group, which is the government group: some sort of credential check-up system and management of the service providers, especially those core critical providers.

Let me revert back to our Zoom. Kazuo, could you chime in, please?

>> KAZUO NOGUCHI: Thank you, Melanie. So it was a really interesting scenario case that we had. Reminding myself of the question that was mentioned, how to make it better before it happens.

One of the critical things for the infrastructure provider is the backup, backup, backup. And a backup system in a different geography, in the country, region, that spreads their risks. That's one thing that we can do. The difficult part here of that scenario is a new one. Global cloud provider.

Sometimes difficult to know when I think about single point of [?]. It's great to have. And the data perspective for the supply chain, including people, so that's integrity. Also the hardware, software, supply chain's integrity should be made properly.

And zero trust [?] and development also the -- good for security by design [?]

So we talked in this whole line of discussions about how to make the good consequences, risk assessment, and all interdependent to the business as well as people, how to make that impact analysis to clarify how critical it is based on those critical infrastructure levels, and to make prepared investment and prepare for it not to happen, and the resilience perspective.

Although the cloud may not be working, there may be a way to get around it. And for the United Nations GGE and OEWG 11 norms, those are a great starting point for the operationalization; as Anastasiya mentioned, this one is a good guide. And good [?] for that is the confidence building, and also the confidence building meaning that we communicate well, and then the UN open-ended working group started the points of contact globally, more than hundreds communicated through those; for the private stakeholders it is good through all the channels of information jurisdictions.

Finally, in the prevention and resilience coming up, some are identified [?] prevention have made the better use of AI to detect and attach well and progress [?] what's happened; ultimately for the operators to be sustainable, that's critical for life.

Thank you for this opportunity.

>> MELANIE KOLBE-GUYOT: Thank you. You packed a bunch of operationalizations. Thank you very much for also putting this a little bit in the global perspective, in the interdependence between service providers, critical infrastructures and of course the governments.

I would like to see one more person from our live audience. Yes, we have someone. Fantastic!

Thank you.

>> Thank you. I'm assuming that the hacker and the country that has been hacked are in -- between two countries. However, there's a probability that both countries are at war. And believing that there should be a framework under the United Nations with a (away from mic). Now? Shall I repeat?

With listed infrastructure, you know, items. And it should be agreed everywhere around the world that those elements should not be touched in peace or war by cybercrimes.

For example, even if there is a war, electricity, water, and transportation shouldn't be touched. Or affected even in those circumstances.

I think this is one of the agreements that should be in place these days. You know, in order to avoid such future problems.

>> MELANIE KOLBE-GUYOT: Thank you, fantastic. You kind of skipped a bit to question Number 3 already because that's exactly an important point. So we will come back to this, thank you.

So let's move to the second question now. We looked at the practical measures. We kind of want to come back to what the role of cyber norms is, right? The role of cyber norms and especially FGNH that have been discussed. So when it comes to the protection of critical infrastructure, they are voluntary in nature, right?

Do you think they have an impact on the protection of critical infrastructure, although they're clearly voluntary? Vlad, go ahead.

>> VLADIMIR RADUNOVIC: I wanted to connect to what our colleague mentioned. The context that we are discussing, this is the UN agreement within the General Assembly, ultimately by all the states of the UN, about these cyber norms and confidence-building measures.

And exactly as you said, one of the norms is do not attack each other's critical infrastructure. And boost the resilience of each other's infrastructure. And some of the confidence-building measures that the countries have agreed include something that we have in the cards and we have discussed in the groups, such as work on understanding how each country defines critical infrastructure.

Sorry, probably will never be able to (broken audio). Agreement of what is critical infrastructure everywhere.

But this is one of the CBMs to try to exchange it and understand.

And then the other one is capacity building. Which we mentioned in our group, I guess in ours, and others, capacity building across the board of the government, but also, for instance, there was a good point about training of the suppliers towards their customers in critical infrastructure. What are the risks?

So I want to say, even if these norms are voluntary, all the states have agreed. Even if they were binding, it's a good question if states would be adhering to them. We see international law being broken every day. But I think the measures that we discussed are practical ones that implement the CBMs.

My question back is what the government understands, and this is back to you, Melanie.

>> MELANIE KOLBE-GUYOT: Kaleem, we're calling you as head of CERT.

>> KALEEM USMANI: This is a good question, the role of cyber norms and confidence building measures when it comes to the protection of CI. Does it have impact on the CI? I think the answer is very much yes. This is what has been talked about. There are a few things around quickly how they're going to help.

All these 11 norms, this is what we have ascertained. What they do and how they help, and what they do is they try to reduce the risk of cyberattacks, and I think that's the point which we are talking about, because -- and why they do that, because they have not established a prohibition of cyberattacks on critical infrastructure during peace time.

Examples are, like, even very much mentioned, the GGE report of 2021 and the report of 2021, as well as what we're talking about right now through the OEWG, which is going on currently and could be in July 2025.

So yes, and then also one of the concrete here is that they act as a [?] in fact against state sponsored [?] including accountability.

I think that's another aspect which, again, we want to treat as nonbinding, non[?], the help in protecting effective infrastructures. Because there are some three, four norms specifically around CIIs if you look at the innovative norms and curing those supply chain vulnerabilities. Of course they all connect.

Now also they foster international cooperation if the talk aligns, and especially sharing the threat intelligence against contributing CIIs.

And also the states calibrate and in this instance was to grow global cyber [?]. That's how they launch the help into protecting CIIs.

And also they enhance the incident reporting mechanism, which is coming from the technical community. That's an important aspect because we're talking about the incident, handling the resolution of the critical infrastructure, especially, for example, in this data system and technology environment.

And maybe also the last thing I want to add here is promoting this, and there has to be some sort of argument where the states should not be attacking the services, for example, water supply.

So that's another aspect and this is what it's in response to that comes to measures. I'm going to stop here. Thank you very much.

>> MELANIE KOLBE-GUYOT: Thank you, Kaleem. Thank you very much. We have one more intervention from the audience.

>> So this intervention is in the two consequent manuals that have been released.

There has been international consensus on the fact that you cannot attack cyber critical infrastructure, but the problem lies in identifying those infrastructures.

And a potential solution for this could be regional cooperation; for example, where we are, the Middle East could agree that any infrastructure relating to oil could be critical to them, and it could be established, and there could be regional cooperation setting up a body of its own for the region.

And this could be done globally focusing on their own vulnerabilities and it could pave the way forward for international cooperation.

>> MELANIE KOLBE-GUYOT: All right, before we move to the last question, any more assessments on the impact that you think cyber norms and CBMs can have?

All right. Then let's move to the last question. We kind of had these little nuggets of this conversation already in the previous minutes. So the question is, like, is it reasonable to expect cyber operations to avoid targeting critical infrastructures, and we're talking here particularly about the context of peace time, right? Or is this an unrealistic expectation?

And how do we establish this kind of accountability for harm that is caused by threats to critical infrastructure, especially when the agreed upon norms are being violated.

So these were two kinds of questions in one, but you are free to answer only one of them. Maria, please go ahead.

>> MARIA PERICAS RIERA: Thank you for giving me the opportunity to be here today. I would like to talk briefly about what has been mentioned about the identification of critical infrastructure at the national level. So I would like to introduce the project that we have done at the DGAP, which is called the German Council on Foreign Relations. You can come to me and I'll talk more with you about it.

What we have tried to see is to look at every country in the world of the 190 plus something nations worldwide and see what each country considers as critical infrastructure.

And one of our main takeaways is that it's very different worldwide. So for example, even when you check the energy sector, this can mean very different things across the globe. And yeah, during our study we're not trying to say you should see this and this and this as critical, but rather how diverse and complicated it can be. So we're acknowledging this is a huge task.

Our second takeaway would be that there are still many, many countries all over the world, over 40% of countries worldwide, that haven't publicly announced what is critical for them.

So when I was doing this research, I was checking that (garbled audio) what is critical for them. (Garbled audio).

Is it better now?

Thank you.

So if you try the data and you see that some countries that you know have defined it have been omitted, please let me know and we would love to introduce this.

And regarding the accountability of these norms, I'm not the person who can say they're going to help or not in avoiding attacks on critical infrastructure during peace time. But I think at least the first step of a country saying okay, this is critical for me, and that respective country trying to create some type of critical infrastructure resilience, and then getting in contact with the service providers, is going to be a great step in order to promote the resilience of the provider. Because, for example, our group, we were the -- the critical infrastructure operator, and then we saw how many things can go wrong in one second and how interconnected we are.

So these are my thoughts on this. But also, if some people from our group want to contribute or say or mention something, please feel free to do so.

>> Yeah, can I pick up on this? This is one of the issues we also had in the Geneva Dialogue, the questions like we can endlessly talk about what is critical infrastructure and what is not. And it's actually complicated because there's a diversity across contexts. But yes, at some point there might be some exchange necessary to understand this.

At the same time, we can go very simple and say electricity grids. It's probably -- probably in all contexts we would agree that's critical infrastructure, right? Okay. Or nuclear power plants, right? Okay.

So let's assume we have one definition in mind. Is it reasonable to expect in pursuing norm violations for targeting electricity grids during peace times? Is this a reality? Is this something that's reasonable to expect? Are we like, yeah, well probably not.

I just -- we had the typhoon attack in the U.S. where exactly these kinds of things were prepared -- prepared for.

Vlad, go ahead.

>> VLADIMIR RADUNOVIC: Thank you. This one is probably better. Based on this, I'm thinking one thing is whether the states are going to avoid attacking each other, particularly in peace time. Which I guess, I don't see anyone from the defense sector. I would suppose the defense sector would say we have a conflict, there are no borders. And peace time, I'm not sure they would avoid doing that.

But I have another concern, which is that sometimes it can be an attack against only the cloud. And the attackers do not know that they will cause the spill-over effect on one or more critical infrastructures.

So we are back to that question, not only how we define critical infrastructure, but do we know the dependencies on the cloud and so on.

>> MELANIE KOLBE-GUYOT: Go ahead, please.

>> I think from a nation -- a national perspective, it's very important to define critical infrastructure. Then define also the assets related to each sector, sectorally, and who's doing what. This is the first step and this is what we did in Dubai. It took us a while till we came out with that model. What the critical services are from a business point of view should be done from a business point of view, and then you define from an I.T. point of view.

And then we did one more important exercise: what are the interdependencies of those critical infrastructures? What is the interdependency between the power sector and the transportation sector? If the power sector goes down, how will transportation react? How will all other sectors react? And what are the countermeasures or the agreements that we need to take at the national level?

So I think the starting from the national level is very important, and then building up the other types of collaboration at the regional level or international level are considered as next steps.

>> MELANIE KOLBE-GUYOT: Thank you very much for this good illustration of how to identify these questions and interdependencies. And I'll hand back to Anastasiya to give us our last closing remarks.

>> ANASTASIYA KAZAKOVA: Before that, if you allow it, probably just a quick follow-up question to Dr. Bushra, because that was a really important aspect for the second term. Dr. Bushra, if you could quickly share, is there also a defined approach? How does Dubai approach the [?] which are by foreign countries and overseas actors?

>> BUSHRA ALBLOOSHI: Just briefly, because for the sake of time I think we are limited in time here. So we have plans for each interdependency. By the way, our infrastructure sectors are already on our website. You can find the security sectors, and for each sector we defined what the interdependencies are. And if one sector goes down, what to expect from the other sector. The power sector said if our systems go down, we're expecting that the critical infrastructure on the other side, transportation, for example, can react and can operate for four hours till we bring the service up.

And in that case, transportation, they should make sure that they have a generator that can operate if the power goes down in Dubai.

>> MELANIE KOLBE-GUYOT: Thank you so much. Anastasiya, back to you.

>> ANASTASIYA KAZAKOVA: Thank you very much. That was really helpful. Finalizing I just wanted to briefly share the key insights of what we discussed virtually in our groups and we hope that might be also helpful, maybe some thought-provoking information for the audience on-site.

So we, from the cybersecurity research perspective, discussed the measures that should be mandated for critical infrastructure, created to protect the infrastructure, and some of the key insights: definitely most of the inputs were about understanding of the -- what is actually critical, and understanding the asset inventory, what assets need to be protected, and dependencies. Inward, outward, securing those dependencies and looking also more comprehensively at the supply chain.

The participants also discussed the importance of conducting impact analysis and threat assessment given the regional and local specifics of the facilities and infrastructure.

And you also probably see that we specifically pointed out the necessity to control compliance with applicable standards and laws in implementing management and securing the data.

That was some of the insights that we discussed so far.

I will open the floor if anyone has any further comments from the virtual group. Yes, please Kaleem.

>> KALEEM USMANI: Thank you very much. We have been talking about the interdependencies and how overseas foreign actors come into the picture. Normally what we did is we had a clear guideline which talks about how the interdependencies have to be dealt with. And we have the CI framework, and that's connected with the national critical information infrastructure guideline, which innovates the limitation of the CII. That has a very clear baseline for how both overseas and the local CI operators have [?]. So this is what we are basically trying to -- to really [?], so there are clear-cut actions required in order for them to carry out their risk assessment and then look at it in terms of vulnerabilities and the [?], so the CII operators are in a position to guide their operators in order to [?]. Thank you very much. That's the point I wanted to make.

>> VLADIMIR RADUNOVIC: Probably time to wrap up. Thank you so much to the online group there. I hope you also had fun. Thank you all for being with us. I want to just close this in a few lines.

The next step we are working on is trying to finalize the Geneva Manual, like this one on vulnerability disclosure and supply chain, about critical infrastructure. The game within it is not finalized. We'll have the games as well, more cards and scenarios; everything will be open for the audience. What's critical for us, in this process of shaping the final documents, is that we get as many voices from around the world, from developing countries. If any of you know someone from the technical community or Civil Society that wants to get involved in the Geneva Dialogue and provide their feedback and experiences, please do. You'll find us around the booth over there today and tomorrow. Still, you can always (broken audio).

And then with this, we close this discussion. We haven't mentioned Civil Society much in this discussion. You'll notice that in discussions about vulnerability disclosure, we did have a particular actor in Civil Society. We should reflect on that more, but in the meantime, the next session here in this room is connecting to that. And the question is, how do we make sure that global Civil Society gets more engaged in these sometimes rather technical discussions about standards, security, Internet Governance and so on. So stay in the room for the next session. We'll be back in ten minutes. With that, we'll see you around.

>> ANASTASIYA KAZAKOVA: Thank you very much for everyone who joined online.