The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.
***
>> AMUND KVALBEIN: So I know everyone, my name is Asmund Grover Aukrust from Analysys Mason. It is my pleasure to welcome you to this panel discussion on securing basic infinite infrastructure. This Internet is resilient in a range of challenges in operations. There are many reasons for this. The Internet protocols were designed from ceilings from beginning, have been able to scale and adapt as the Internet has grown.
Today it is the dominant platform for communication and information sharing. The Internet is often referred to as a network of networks. On this distributed model of operations for the Internet has proven to work very well. Today I think it is fair to say this network of networks is also a network of data centers and subsea cables. The move to the cloud and advent of AI has made this core physical building blocks of the Internet immensely important. We all rely on them every day, as a society and as individuals.
So with this dependency, becomes all the more important to understand about vulnerabilities of this basic infrastructure. That is the ambition of this workshop today. So warm welcome to all of you. To discuss this important matter, I have been so lucky to gather a prominent set of panellists here. What we will do now is I will just briefly introduce these panellists. Then we will talk a little more about how you in the audience and both here and in Oslo and also online can participate in this workshop.
So with me on the stage here today we have first, Dr. Olaf Kolkman, an astronomer by training. I don't know about his training but know he has a long and active career in infinite technology and policy developments. Today Olaf is Olaf is the Principal for Internet Technology, Policy and Advocacy with the Internet Society.
Next I have Petra Arts, an experienced public policy professional. She has experience from the European Parliament and several private companies. The last five years she's worked for Cloudflare and Director of Public Policy at Cloudflare.
Jumping in online is Johannes Theiss, an Internet advisor and Head of Secretary for the E.U.'s Directorate General Technology.
Here we have Elise Lindeberg. Elise has worked for the Norwegian Authority for Telecoms and Director for Security and Resilience and active in ICANN. Many years and years ago, she made a career change from the regulatory side. Today she is the CEO of Skygard, a data center hosting company in Oslo.
Last but not least, we have with us Erica Moret, a former diplomat and scholar with education from France and PhD from Oxford, where she studied sanctions on Cuba's economy, very interestingly. She's had a long, distinguished career in international policy development. Today she is based in Geneva, where she is the director for United Nations and International Organisations at Microsoft. Warm welcome to the panellists.
Soon we will have an introduction from the panellists, but before that I want to introduce Michael Kende, online, and will monitor the chat and take questions you might post in the chat and bring them here to the audience in due time.
We also have another way for you in the audience online and in Oslo to interact with this workshop. Mentimeter is a tool. You can scan this QR with your camera or type in this code written on the screen. We will use this a couple of times during the workshop for you to voice your opinion. As a starter to warm you up to this tool, come in click where you are originally from. Many are in Oslo, just to show a little of the breadth of the audience we have with us today.
Okay. With that introduction, and without further adieu, we will run this now so each of the panellists will get a few minutes to introduce themselves and where they are coming from and thoughts on today's topic then a discussion in the panel. I will have questions, you might ask each other and we will open from this so prepare your questions. Olaf, can you comment on this?
>> OLAF KOLKMAN: I'm not a doctor. I never wrote a thesis. I found the Internet more interesting than gazing at stars, so basically during the PhD research, moved careers.
Let's talk a little about resiliency and the Internet, what is important to that. I want to do that on the basis of an example. Namely, the cable cuts on 14 March near the West Coast near Africa. There were four cables cut because of tectonic shift or something. That had an enormous impact on the region. What that impact was basically connectivity, ability to connect from the outside has disappeared.
The Internet has always been reliant on subsea cables, subsea networks. When the first networks were laid the U.S. as part of ARPA, always that is terrestrial; but as soon as Europe is connected, we needed subsea cables. After that, there have been a hallmark of connectivity across the globe.
Anyway, four cables were cut. There were still a number of uncut cables in that region. What happened is that the West African Internet community collaborated together. That is what you do when you collaborate, to find alternative routes. The Internet itself routes around problems by a protocol called the border gateway, a system called routing, but you have to ensure connections were there. That was work done way in advance of the cable cuts.
Parts of that are having the policy, the infrastructure, the capacities all in house to deal with the things you cannot predict, or that you can predict and that you need to be ready for. At the Internet society we have a platform called PULSE.InternetSociety.org.
There is a good story about this West African cable cut. If you look for Internet Society and West African cable cut, you will find sort of an analysis. What we also feature is an Internet resiliency index for each country -- we have calculated for each country. In that are parameters, the right parameters about infrastructure. What are the number of IXs, exchange points, because these keep traffic local. If you keep traffic local and external connectivity and a subsea cable breaks, you are more resilient. What is amount of networks in the country, what is the hegemony, one major transit provider or telco that handles traffic with a few pieces around that or is it a nicely volunteer environment?
We look at security. Security is a proxy for capability of the local community. We look at the performance of the networks, because also those are you know, if you have more capacity in country, you might be able to deal more with breakages. We look at market readiness and includes about the openness of the regulation. The ability to establish new networks, the abilities to lay cables, terrestrial cables. What we have seen. What we have seen in African continent, we have seen enormous ability to deal with those important tables but the impact, in the end, was significant but it with was still Internet and people could still function and still reach.
Of course I'm talking about the lower layers of the Internet, but what we also saw were higher layers, people saw they were otherwise dependent on Microsoft infrastructure to do their work. And there again, having infrastructure in form of existing cables, of existing operator networks that people know how to find each other and having the context available to route around the problems, those problems were solved later in the day on 14 March.
So resiliency is about readiness, is about preparedness, is about understanding what can go wrong. If you have that all in place, the Internet itself will do a lot of magic to give it to you.
>> AMUND KVALBEIN: Thank you, interesting. This interplay between physical structure and the protocols is an important topic. I'm sure we will come back to that as well. I would like to move on to our next panellist, Petra Arts. You work for a company that doesn't own that much of the basic infrastructure but that is still very dependent on it, so please give us your perspective on this.
>> PETRA ARTS: Thank you for having me on this panel. A lot of what Olaf said are my speaking points and we will repeat ourselves on the topic of resilience, I think. From Cloudflare's perspective, we run a global network, which provides a number of services, including cyber security services for web properties, which basically meets very interconnected network and very resilient network. To that end, we depend a lot on interconnection. That is really the kind of like cover of how our company operates. We connect with 13,000 networks, so probably one of the most well connected networks in the world. That is to make sure our data centers, our presence all over the world, can run our software with low latency, securely and very reliably.
All those interconnections, as Olaf was explaining, is to be prepared for unexpected events that happen daily, physically on a global scale. Of course, the Internet was made to be resilient. Of course, things can happen. Cable cuts can happen. Other events can happen. From our perspective as a service provider, it is important our network stays up, regardless of what happens.
So interconnection and finding different path that our network can actually route around the issues is very, very important. It is also something that obviously our engineers are working on on a daily basis to ensure that is the case.
So this is one of the most important aspects, I think for us. Is that interconnection is not disincentivised. We see that sometimes from a regulator point of view, or a government's approach point of view that is not often thought of.
Peering in transit can waste interconnect are essential for companies, for governments, anybody connected to the Internet to make sure there are as many paths to follow as possible, which leads to more redundancy, more resilience, to faster connections as well and lower latency. You know, some of the discussions we see are mostly from work in Europe. So I work in Brussels, so we talk a lot about the regulatory environment there. There are sometimes ideas being brought forward in debates in the policy space that are talking about, for example, paid pairing, or introducing payments in a system usually based on trust and settlement free kind of relationships.
Explain it is based on preparedness. Engineers making sure connections are there that need to be there. So if, you know, some parts of the ecosystem, in this case large ISPs mostly in the European area, are trying to say there needs to be a contract, needs to be payment, needs to meet conditional costs for all networks to connect to each other, that obviously is problematic, from our point of view; from a resilience point of view as well because it can lead to disinsentivization and would have to bear a lot of costs and goes against the nature of Internet, network of networks and an organic way to connect and we all have an interest to connect to each other.
So that, from my perspective, is one of the main issues to the topic of today.
>> AMUND KVALBEIN: Thank you, I think we will also return to this point about the Internet being built borderless and with incentivising maximum connectivity and connections, how that how that can continue to be the case while catering to other worries people have about the Internet.
I would like now to move to our next panellist, which is Johannes Theiss. He is not on stage but will come up on the screen. Johannes, you work with the E.U., who obviously shows a lot of interest in the Internet and has been showing particular interest in the topic of subsea cables, which is a very important part of the basic Internet infrastructure so Johannes can introduce us a little to the work you are doing there.
>> JOHANNES THEISS: Hello, hear me well? Thanks for inviting me to this panel discussion. Perhaps before I go into some of the overview, one comment, now the topic was slacked a bit and of course not the core topic of pairing and those issues. But as ongoing consultation on upcoming regulation at the end of the year called the Digital Networks Act, so if you have views you would like to contribute, now would be a good time to talk about that specific issue. So I will not touch about this later, as it is not perhaps the core of this panel. Just since it was brought up.
What we are doing in the unit I work on is we contribute to something the E.U. Publish at beginning, a joint commission on a security action plan. What Olaf said in beginning, its resilience is a cycle. There are several elements to it.
As policymakers we try to have these elements on the radar. Not least because there has been some incidents in particular in the Baltic sea that rose the political limelight on topic and resilience of the cable infrastructures. When I talk about the resilience cycle, I go into various elements, described in the action plan, you would have basically four to five points that cover the cycle from prevention over detection, response and recovery up to deter residence. The action plan tries to really tackle or propose some ideas and action on all these points.
The part my unit is working most on is the pillar of prevention. Here there are, of course, several issues transposing on going legislation, developing new technologies, but in particular I'm happy later to dive into some of these elements more in detail. We have formed an expert group with E.U. Member State Authorities, done after already publishing a recommendation last year. This expert group is supposed to deliver by the end of this year a mapping existing planned cable infrastructures, a coordinated risk assessment based on an overview of what are existing threat, vulnerabilities and dependencies. Also tackling economic security aspects. Then come up with a set of mitigating measures. We call that a Cable Security Toolbox. Some may know that have worked in the field of 5G, might know the toolbox, so we try to narrow that approach.
Also when I talk about risks, some of these risks could be combined into scenarios that could be stress tested. There may be funding for that made available from the E. U. Budget. Last but not least, we are funding already cables that have a difficult case, difficult economic viability. We have a programme called Connecting Europe Facility, and there's already hundreds of millions of euros and more coming up. What the expert group will deliver on by the end of the year is a so called list of priority areas of interest, cable Projects of Europe Interests. Without going into too much detail, it is how can we integrate more surveillance mechanisms that exist, connect more data that is available, because there is a lot of data available. It is rather a question of how to bring it together and how to make sure it receives the right addresses.
Also how technology can help with that. What about the role of drones, the role of sensors. So there's a lot we could discuss there. When we discuss response and recovery, it is a lot about repairing and maintaining the cables, so we have the issue of are there enough ships available, how good are these ships. We might touch on that. Who finances these ships, how profitable is it to work with them. Also general crisis response frameworks, which are very important. Finally the whole deterrence, proactive cable diplomacy. Sometimes difficult on incidents because it is not always clear. It is important to respect international rule book, if in place, to make sure some of these incidents can be attributed, the actors are held responsible. To prevent future incidents on these types of infrastructures. But I probably stop here. Happy to dive into details later on during the panel, thanks again.
>> AMUND KVALBEIN: Excellent, thanks Johannes. I think this topic of what the E.U. or governments, often private, and how they work together is a key issue we will probably touch more upon.
Elise, you have spent lot of your life working on resilience of the security of Internet infrastructure in various capacities. Can you gives your introduction to this.
>> ELISE LINDEBERG: Yes, thank you. Talking about, as you said, the important discussion about cooperation between the regulators and regulating side and who have to do this and live by it and also has to provide the security that we need to have the trust in Internet services that we are going to have. Going from the regulation, that I work a lot of the year, the regulatory side, was always fascinating to see how this was something that was taken for granted, or not even considered a problem in beginning when I started about this, working with resiliency. Then suddenly the main topic. The Internet is a solid structure and also it is a net of networks. We talk about this and how it is not physical. It is not in the sky or on your phone, in driving around, it is linked to a data center, critical, fiber, network, undersea cables and what have you.
What we have seen is, when we talk about the Internet and use of Internet and all the fantastic things we can do on the top layer, developing Internet services and building another critical functions in the community and in the societies, that there is now, as I experienced it from a bit of an aside when something happened, it is zero tolerance for failure. Not only because we have critical services on top but also because people are used to these services always being. So you have zero tolerance for the services going down and you have layers and layers of layers of all private companies and everyone relying on each other. In the end, relying on the physical layer, bottom line. That is both power and it is physical infrastructure, data centers.
I think it is interesting when we talk about the development of the Internet and possibilities we have, basically the backbone of this IGF and stakeholder community discussions, we should also have thorough discussion on the physical infrastructure layer. And it needs to be cooperation between the one who builds it, not only the regulating side but the one who builds it and the one who uses it and to not lose that perspective.
It is also a question about payment, someone spoke about. Because it is going to be in this in the world today there is no insecurity about how secure the Internet connections are, fiber and undersea cables and everything. And if we are going to secure it even more and have more redundancy on it, it is going to cost money. It is also going to cost money to build secure Internet data centers that's going to keep and have enough power and enough redundancy. So that has to do something with the whole cost picture.
So maybe we need to realise that to build trust in Internet services, we should have the infrastructure layer more into the debate also in IGF forums, like we do today. But that has been somewhere missed in the past, because we have discussed modern Internet and not the infrastructure around it.
>> AMUND KVALBEIN: Great, thank you, Elise. Erica, you represent one of the biggest players on the Internet, I would say, who owns and operates a lot of this infrastructure and invested heavily in this and subsea cables. You built this together with others. What is your perspective?
>> ERICA MORET: Well, thank you, first of all, for the kind invitation to join me today. You hear me okay? The last time I had a system I was saying to the organizers with headphones it was in a cryptocurrency conference and loud music playing at the same time so glad this is slightly more manageable.
Microsoft operators one of the largest global networks of fiber and subsea cables and owns and operates a vast network of data centers around the world. We jointly own major submarine cable systems like Marea (?) to ensure high-capacity connectivity between continent, designed to increase geographical diversity of landings and reducing single points of failure and enhancing network resistance.
Likewise, Microsoft spans 60 or more cloud regions in over 140 countries, which houses data in over 100 highly secure facilities, which is scaled underpins responsibility in safeguarding reliable and Internet infrastructure. So you ask me to talk about responsibilities and risks. Your panellists have already outlined this eloquently. I will focus on data centers on the Internet, which face their own distinct set of challenges. They require enormous stable power supplies and cooling and power grid failures for extreme weather include heat waves, catastrophes, sabotage, (?) And critical acts from criminals and even a fire disaster can knock out power for millions. Also geographical clustering. If many cloud facilities are in one region, a single regional event, a white area blackout or earthquake could affect them all simultaneously.
Turning to submarine, they are prone to fishing, diversities, phishing, sabotage... in some, single points of failure in the digital economy and for users worldwide, if not made users of the Internet, if not made resilient against these various threats. These challenges really underscore why this discussion today is so vital and paramount.
At Microsoft we have comprehensive approach to mitigating risk at layers and build extensive redundancies, deployed cable pathways and diverse landing points so if one link is lost, traffic can be re-routed to other alternative routes. Internally, we continuously monitor all network links, performance degradation, outages using advanced telemetry tools and allows instant re routing if a cable fails. In table center, redundancy is critical, designed with availability zones, physically separate data centers with independent power cooling systems to sustain operations even if one facility goes down. Microsoft data center architecture equally seeks to ensure critical services, failure on sites and high availability in diversity recovery capabilities.
I was going to talk about our collaboration of government stakeholders, but maybe save that for the next round of questions.
>> AMUND KVALBEIN: Excellent. We have gotten interesting introductions and perspectives on this topic from our panellists. Before we move on, I would now just like us to move on, if we can get this out. For the audience... yes. So we have a question for you, which is simple but open question and several panellists have touched on several threats or challenges to the basic Internet infrastructure. We would just like to hear from you, what do you think are the most important or challenging threats to against the basic Internet infrastructure?
So if you go here you can get the form and get a thumbs up, if there is a consensus of whether there are opinions in all directions, which there might be. Excellent. So a lot of challenges, several mentioned power outages, which are a source. There are answers on attacks, MGVP specifically, more general cyberattacks. Malicious actors. Several mentioned topics having to do with governance, politics, regulatory fragmentation and foreign legislation. All very good and interests perspectives. Now we will go into some discussion, some topics. I have a few topics for the panellists, I assume you do as well. If you want you can post some in the chat. Or in a few minutes you can do it here in the room or in the microphone. If you are with us online you will not be able to speak but the moderator can convey to the audience.
We see from the topics brought up on the wall here, and several of you mentioned it, is interdependancy between basic Internet infrastructure, kind of and other infrastructure that supports it in terms of power, repair networks and protocols that must work together. One of you mentioned, when we talked before this, you mentioned the notion of hidden correlation of risks. What do you mean by that?
>> OLAF KOLKMAN: When I say that sometimes diversities happen at same time, power outage or software problem, something that relies on the Internet in the power center, things that are related that at some direct point you do not see as related. For instance, a lot of people will make a risk diagram, likely costs and put crosses on that. Sometimes things might be a low risk, high cost but almost always happen together. I don't have an example in this context, but this is something to think about when you are thinking about resiliencies and risks that you have within the system you operate.
I want to go back and say something about things we identified on the slide as being risk to infrastructure. As far as I can tell, all those things are relatively isolated geographically. A power outage is almost always with a geographic scope. The Iberian Peninsula as example. The Internet as a global system has never seen an outage. I think that very critical services should think about, for instance, that geographical spread that was talked about, because that allows for catching up your backup services, at least. So always think about protecting against and what are the things that are in risk based approach, what are things that cause real harm and high impact. Let's say an anchor may take out both a power and Internet cable at the same time. That would be sort of hidden correlation, an example.
>> AMUND KVALBEIN: So this is more open question and I think I will start with you, Erica and others feel free to add to it. We discussed a bit earlier about the division of labour between the governments or regulatory authorities on one side. And the large Internet actors on the other side, owns, builds and operates. How do you work with these governments to secure this infrastructure? On the tail of that, do you have a wish? Would you like to ask something from these governments? What would they do?
>> ERICA MORET: Thanks, that is a great question. We work very actively and proactively around the world in different types of partnerships, with governments and other stakeholders and in local context with national governments. That is a difficult one, but I will say for governments to continue and perhaps do even more in terms of actively partnering with industry and with other stakeholders, as the cornerstone of resilience, I really think that public private partnerships should be embraced and are incredibly important here. I think there's a number of key elements to that. Again, the panellists have done such a good job outlining some of these areas already. But sharing the threat is important. As part of industry coalitions, Microsoft contributes to joint risk assessments and adheres to best practice for critical infrastructures. So I think working together with governments to get that right is very important. Have a kind of constant conversation and a trusted feedback loop is vital as well.
I think second would be investing in redundancy, such as forwarding back up subsea cables or extra capacity to eliminate single points of failure is a really important area. The third is need for coordinating internationally so cross border issues, like undersea cable repairs or common security standards are handled securely and swiftly. That of course is a big challenge in today's geopolitical climate and important for fostering trust and building those relations.
Then I think a final one would be policy support. In the case of Microsoft or also other company, we have joined efforts to designate and treat key data centers as critical national infrastructure, which can help to facilitate better government support during incidents.
>> AMUND KVALBEIN: Excellent. I think Elise, you want to comment on that? I know this is right up your alley?
>> ELISE LINDEBERG: Yes, it is. We have been discussing this in Norway for years, you know. How to share the nature between the governments, who sits on a lot of information and been kind of a silo thinking in the past. This is something intelligence keep close. They don't want to spread it. Then again, you miss out, then, on using all the power that sits on the companies and their infrastructure owners to dive in and actually help in the situation where communication is cut off, which is one of the basics we need in every critical situation. As Ukraine also shows this morning how it really matters, to trust each other and make some sort of formalized discussion between parties and government from outside as needed. I think basically all governments are working on this. At least as I know Europe this is an issue. So this cannot be said enough times we need this cooperation to be more thorough and even be like baseline for (?) In society. So that I very much agree on, so yes.
>> AMUND KVALBEIN: Any others in the panel have a Johannes, you represent not a government but E.U. Is important regulator, player here. What role does infrastructure owners play in interaction with you?
>> JOHANNES THEISS: Yes, can you still hear me well? Seems to be the case. So, indeed, first of all, when I think about the Mentimeter question and government or regulators mentioned with a negative connotation, I hope as E.U. -- I hope we make a positive contribution to the regulatory landscape, especially when comes to improving coordination between governments. So cross border was mentioned but between governments and private entities. Perhaps a couple of points that I would like to make, first of all, some of these exchanges are already formalized. In particular through recent legislation that came enforce. To mention one critical, signer security approach but broader, also attaching critical and resilience directive. These directives really formalize the exchange, especially when comes to incident reporting between private and public entities. So in the E.U., these are really though they are directives, they have to be transposed but seek to trade a more harmonized situational awareness.
Then, of course, when it comes to the funding side, there's also regular exchanges. I mentioned before the CEF programmes, connecting Europe facility, we see there is a concentration. The market goes where it makes sense and where there's already a lot happening. If there is an Internet exchange point, if the latency is short, that is where you go. Those are at times not necessarily creating increased resilience, no, because for that you need more redundancy and nor necessarily more of the same.
So it is important to strike there a good balance between the two. That is why we have been investing under CEF for quite sometime and currently there is a funding round, we call those calls ongoing, where evaluations are taking place. You will see some results in the next coming weeks and months where, again, submarine cables will be supported, especially in areas where business case is not straightforward. Some of you mentioned this, these are consortia that come together and propose a certain project then co funded so it is not entirely from the public purse. But when private sector is going somewhere, they might need a bit of abridging, bit of support to bridge the viability gap. That is what these funding programmes are for.
Last but not least, we are in regular exchange with companies when it comes to any types of threat analysis and potential mitigating measures. I think Erica mentioned some of the faults that may be related to submarine cable incidents that. Is precisely information we are interested in and learn with exchanges with private companies, who, by the way, are regularly invited sometimes to speak with our experts in the expert group. It is true there's always then a certain realm of sensitivity, which makes it a bit harder to be let's say too forthcoming in what is being made public or not. But in any event, we try, at least as much as possible, to facilitate these exchanges.
So far, it seems we have been on the right track with the proposals that we have put forward. When you read through the cable action plan and the recommendation last year, you will see many of the things mentioned are reflected quite well. Last point, because Olaf mentioned it, the accumulation of things that can happen. Take the power and Telecom's cable cut, that actually did happen, beginning of year. So these are things that are not in theory; they are happening in practice. It is important to mitigate those types of situations, thanks.
>> AMUND KVALBEIN: Thank you, Johannes. So I would like for us to turn -- quickly turn to Mentimeter. We have another question. Moving from challenge, threats, what are the most important actions that governments and private companies and/or private companies can take to strengthen Internet resilience. Not simple but we'd love to hear your thoughts on that. While you are typing, I would again like to encourage those to participate online to post in the chat. Michael will convey them.
I, of course, have many questions I would like to get answers from this panel. I'm sure you do as well. I very much hope that you in the audience will also raise your hand and take this opportunity to ask our colleagues. Just seeing what comes up here. That is an interesting one. Avoid national autonomy. That is an interesting topic. Some of the panellists might have words to say on that. Adversity is mentioned by several. Partnerships, collaborations, contribute to redistributed Internet. Implying that it is not as (?) Anymore as it once was. Might agree or disagree in that. So I think I will leave the microphone open now, in case anyone has a question to pose.
While you prepare your question, maybe one of you will have a comment on exactly this sorry, Erica the first question on this.
>> Thank you, my name is Henri from South Africa, affected by undersea cable outages. I'm from Civil Society. None of you have touched on this specific topic. Whose responsibility is it to communicate to end user there is an outage and attempt to work around it? For an Internet exchange point, the pairing points will let their members know. Data centers will let their clients know. If you, in the case of power outage, you usually would be informed by the power utility or you would have an app, like my country, where the power goes down every other day. There is an app that tells you what the schedule is. But when comes to Internet outages you essentially need a newspaper subscription to business newspaper, which is not available to the public at large. Most people get Internets not from ISP but mobile data providers and pay as you go and not even contracted. You are completely in the dark as to what the status is. And if you have fibre to the home your provider might update you, but they actually often don't. That is my question. In this partnership, you talk about regulators, government and private sector to try and centralize in some way that there is active communication and interaction with the end user, thanks.
>> AMUND KVALBEIN: So Elise?
>> ELISE LINDEBERG: So it is critical. That is the government's role to alert. It will always be like that. So if it is severe enough, you will hopefully have systems in place so the government will react and also send out and communicate with what is available for the users. But it is also service provider, the one who gives the services, they also have, you know, a clearer they also need to alert their users, but also the government probably. So in my experience if it is strong enough for individuals or companies whatever that is affected, these are systems that should be put in place that. Is why we should have, you know, coordination and coordination between governments and private companies and put in place as a system up front. Because it is both, it is not one or the other.
>> OLAF KOLKMAN: This is not a question to punt. I think it is an important question. But I will return the question a little bit. Are you aware of any best practices that are executed anywhere on the globe because there seems to be a thing through IGFs, regional ICFs, something might percolate and become common practice. You are not aware. I see you shaking your head.
>> No, not Internet outages. For schedules, to some point Civil Societies that monitor Internet channels, they will communicate that fairly widely. I think for power outages, you have it at national level and much more structured approach. But I think for outages and undersea there isn't a lot of redundancy so doesn't affect everyone in the same way. If you are in an academic network you might have access to different cables than those who get it through mobile. I'm not aware of good practices and governments are not certain. I think many countries don't have centralized communication about ransomware or cyber attacks. Regulators are getting better at making alerts about data breaches public but infrastructure outages I'm not aware of but maybe someone is.
>> AMUND KVALBEIN: Thank you. Michael, I think there is a question from the chat.
>> MICHAEL KENDE: There is. 20 are waiting. (?)asked, should we create a tool for government and regulators to check how resilient is their Internet infrastructure. Some of those tools he said -- Olaf mentioned would be IXPs, regulation, interconnection, so I think some would be ways to strengthen so I think tools and you can fill in how that might look to help governments and regulators to determine how resilient everything is, thank you.
>> OLAF KOLKMAN: I don't want to steal thunder, but PulseInternet.org as a resiliency index. Which maybe not measures but gives index about resiliency in country. I don't want to flatten the discussion because resiliency has to do with complexity of the world we live in. Even if we have a very resilient Internet or network, we might rely on say one provider of a specific application interface in order to get our work done. If that interface is down, a lot breaks. Resiliency is for everybody and complexities involved are very important. So I think if you go into resiliency for your systems, be that as a country, be that as a me or a company or even for you at home, have to go and do sort of the analysis, the risk assessment and the tabletop exercises to deal with it.
>> AMUND KVALBEIN: Unless there is a question, I wanted to pick up. I think maybe this is for you start on but always figured it would be one of the statements a couple of the statements from (?) So avoid national autonomy. You in Cloudflare are not particularly national. You are international. Would you agree with this statement, or is there more complexity to it?
>> PETRA ARTS: I say that question. Not sure what that person meant. Not sure if they are in the room or online. But more generally and also to the point of collaboration and cooperation that was mentioned, I think that is exactly where we need to go and where I think this discussion has kind of led us already to say. Collaboration between governments, between private sector governments, between all actors responsible for making the Internet, you know, work and being resilient as it is, I think that is where we need to go. Like national autonomy. I think obviously in European context we talk about digital sovereignty and discussions on data localization and things like that that are all kind of related to it. I think from (?) point of view and Internet resilience point of view, fragmentation is the way we should go to make sure that resilience kind of stays as it is and is improved.
I think fragmentation can lead to, you know, a lot of negative consequences from a resilience point of view. So I would not necessarily agree that we I would agree with the fact that is one of the threats, as mentioned, different decisions by different parts of government and different parts of the world I think can lead to fragmentation. I think we need more forums to collaborate and discuss and to also come to kind of common solutions and share best practices. I think that is where we need to go. Your point on Pulse that collaborates with (?) and Internet side and maybe radar (?) which gives you knowledge and information from what we see from an Internet shutdown and disruption point of law from that, which can also help you, Civil Society, in order to help us find of maybe more about what is going on in these cases.
>> JOHANNES THEISS: Can I come on this one as well?
>> AMUND KVALBEIN: Absolutely.
>> JOHANNES THEISS: When I was seeing the Mentimeter replies come in, I was always thinking, okay, the toolbox writes itself and looks quite good. Jokes aside, those are precisely the point we are currently working on in greater detail, of course. Without interpreting too much in avoiding national autonomy, I think the point that can be made is the Internet is such but submarine cables, this is not a one way, not a silo. There are always at least two parties connected to a cable, often more. There are a consortia of various players come together. They connect them to other types of players in a data center. This is not a side of business. I think that is something to keep in mind. Other points I felt important to highlight is use of technology. I mentioned in beginning, some of these new systems can help with monitoring and detection. For example, distributed acoustic sensing, which can be applied to submarine cables can help here. We are actually putting together, or would like to put together, a road map at the European Commission to scope a bit what are these cutting edge technologies that one should keep in mind. There will be some research funding available made for this.
So have a look at the current Horizon Europe Work Programme and action related to submarine cables. That is something we will precisely look into more in detail. Lastly, what also popped up on the overview was investment incentives. It is important to keep those incentives high but strike balance not to crowd out private investment. There is a lot of private investment happening. We welcome that very much. That is essential. Without that, things wouldn't work. There are some gaps here and there. Especially when things get more in areas that are a bit less viable and still gaps here, public authorities and the public first can play an important role. This is something we have been doing and continue to do so, thanks.
>> AMUND KVALBEIN: We are approaching the end of this session. There is still time and room for a question from the audience, if you have one, but you have to be quick.
No? So if there is not, then I would just like to round this up, go a quick round, again, with our panellists to very briefly, in 30 seconds, what is your takeaway or your message from this discussion? Is there an action? Is there as (?) Said, what needs to be done. Olaf, do you want to start?
>> OLAF KOLKMAN: I think awareness building is one part of it. Understanding your dependencies. I think that's the parties at the left of me have a quite well understanding of their dependencies. Although sometimes things break. Also looking at the left of me, one of the things that I I am very "for", so to speak, when things break, you tell the world. You tell in it a very transparent way, where you disclose or you tell a story about what were my dependencies, what didn't I know about those dependencies and how can you, “random other person who builds infrastructure,” figure out whether you have the same dependencies that I had that broke and I didn't know about.
So it's about sharing information. It is about understanding your risks and the dependencies that risk matrix building that out, but also about practicing. Again, this is not only the large corporations, the Cloudflares and Microsofts but also the data center in Oslo or small data center maintained by an SME that might have services running for, say, a hospital or another service logistical service we may all depend upon for getting our groceries in the store the next day.
>> PETRA ARTS: Yeah, not so much to add from my side. I think Olaf, you are very right on transparency point of view and hope Cloudflare is doing good job and rare instances we have to stay about outages, there is a learning you take from everything that happens to you and to your network. And sharing it, making sure others can learn and also prevent things from happening on their own side is really key. I think from our perspective I think the kind of diversity of connections of the Internet and preventing of fragmentation is I think two key points from our side. When comes to making sure infrastructure and the Internet both operate, I think as it should and to benefit of everybody in the whole ecosystem, businesses, end users, everybody who uses our services on a day to day basis, we all rely on that physical infrastructure and all play a part in the chain.
So that's I think the most important thing, and resilience really is a job that everybody kind of has to work together on continuously. I think that is also something that became clear from this panel that we all do.
>> ELISE LINDEBERG: 30 seconds, I will be very brief then. I would just want to mention that national sovereignty or national autonomy and international cooperation isn't in conflict with each other. They have to be side by side. I think everyone want cooperate and we will continue to do that. But when we are so dependent on the Internet in Civil Society it is naive to not think of them together. I think it is very possible.
>> ERICA MORET: Thank you, 30 seconds. I would end up by saying there are tremendous geopolitical challenges and the E.U. as important as ever in this context. When we think about the needs for partnership, trust, collaboration, cross border, I would emphasizing working for like in UN and bringing in relevant stakeholders is vital. In doing so we can, of course, be thinking about all the types of agreements, monitoring and information sharing and so on.
I just also want to end with an announcement that was made by our Vice Chair and President, Brad Smith,s a month ago outlining Microsoft's commitments. One of the pillars, if you haven't seen it, upholds Europe's resilience even when there is geo-issues, and I think that is important in these commitments across the border, thank you.
>> AMUND KVALBEIN: Johannes, we haven't forgotten, you but only 20 seconds.
>> JOHANNES THEISS: That is fair. I have a feeling from the discussion, from what we are doing in E.U., we seem to be on the right track. I could give you flavours of what we have in store but more will be coming. We hope to make some of these points public in the autumn. Stay tuned, I will leave you with that. Thanks again for inviting me.
>> AMUND KVALBEIN: Thank you. That concludes our workshops. Thank you all for coming. It's been a pleasure. Please join me in giving our panellists the last round of applause.
(Applause)
