IGF 2025 - Day 2 - Workshop Room 1 - Open Forum #45 Advancing Cyber Resilience of Critical Infrastructure

The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***

 

>> Thank you. Welcome to our open forum. We want to discuss with you how to advance cyber resilience of critical infrastructure. In an ever more connected word, not only people more connected, but as the critical infrastructure we rely on. The resilience of critical infrastructure that are increasingly targets of actors is key. A robust cyber resilience measures is therefore vital. In an environment where incidents could have overspilling effect on national peace and security, the risk of escalation, we need to look at overcoming the silos between diplomatic and technical communities, strengthening national cooperation and fostering multistakeholder engagement. The idea of the discussion came from the discussion that different communities have an important role to play, but then they need to be offered more opportunities to share expertise and knowledge. To get better informed and to get a greater understanding of what each community is doing and how we can support one another in our work to build a resilient space. We will explore all of this with our distinguished panel today. My name is Madi and I will be your moderator today. I'm happy to introduce to our cross community panel. On my right is Floreta Faber Director of national development coordinator of national cybersecurity at the national cyber authority of Albania, on my left is Laz, professor and architect. Online I also have three panellives, Mr. Pavlon a cybersecurity researcher, Caroline cybersecurity at ITU, and our global director and policy lead at interin addition chamber of commerce. To facilitate my work and reporting, I also ask Akhil Thomas at global forum for cyber expertise to summarize at the end of the session. We also look for your active peangs to please look forward to the Q&A session. Because it's a rich issue I'm going to stop talking and raise the question to my panelists. I will start with really looking at the threat landscape and national experience on how to really build a efficient critical infrastructure protection, and for this I will start with asking Pavel Mraz the first question. What does cyber resilience look like for critical infrastructure and where are the biggest vulnerabilities emerging.

>> PAVEL MRAZ: Thank you for the floor and good day to everyone and those connecting online. To your question, the UN Institute will have a research coming out summarizing the main threats of 2024 in Cyberspace, and let me give you a few highlights specifically focusing on critical infrastructure. When it comes to critical infrastructure, the cyber threat landscape in 2024 has grown increasingly come flex. It was clear that critical infrastructure remains both an attractive target for financially motivated actors and strategic target for state affiliated actors. In 2024 alarmingly nearly 40% of all documented cyber operations by states have focused on critical infrastructure, including targeting sectors such as energy, health care, finance, water, and telecommunications, and of course these sectors are foundational to both national security and the daily functioning of our societies. Health care and water systems were especially hard hit, targeted by ranSomeware actress that exploit outdated IT and mean to exploit the services 24/7. Also the service models have industrialized access to advanced cyberattack tools and lowered barriers to entry for even less‑skilled criminal actors to attack criminal ‑‑ to attack critical infrastructure. As a result, we have seen last year a surge in ransomware attacks by 275%, and a global financial losses from cybercrime disruptions exceeds 10‑trillion U.S. dollars last year. To put it in other words, if cybercrime was a country measured by a GDP, it would have ‑‑ it would be the third's world largest economy. We of course also see attacks on digital supply chains, these are becoming more prominent and leveraging the principle target one, compromise many, malicious cyber acting use supply chain attacks to target downstream customers including critical infrastructure operators.

Importantly, Internet infrastructure which includes satellites, undersea cables and data centers are also increasingly vulnerable and targeted by cyberattacks, and these type of threats raise concerns about widespread interruption of critical digital services, particularly in times of heightened geopolitical tensions. Even the UN system itself and humanitarian operations are not exempt from cyberattacks. According to the UN latest reporting, over 50% of cyber threats targeting the UN in 2024 came from advanced persistent threat actors which include states and these attacks have disrupted critical aid. These trends show these attacks are becoming a question of when for many organizations, not a question of if, and no sector or state can contain cyber risks alone. As infrastructure becomes more digital, interconnected, securing these types of infrastructure will require both a multi‑level, multistakeholder cooperation but as resilience planning and preparing for when cyberattacks hit. Positively the UN Member States have acknowledged these risks, with states calling for greater pro tx of critical infrastructure, particularly those that deliver essential services across borders and also states have called for reinforcing international taboo against targeting these types of systems but of course a number of states also indicated there is a gap between the commitments made at the UN level and the actual capacities required for practical protection of our vital critical systems and bridging this gap will require strong cross‑sectoral and cross‑border cooperation and also practical tools, including adopting national frameworks, using cyber drills, and stepping up capacity building to translate approximate shared global principles into real‑world protection on the ground. I'm happy to talk about these in more details later on, but I will leave it at that for now and over back to you, Marie.

>> MARIE HUMEAU: Thank you very much, Pavel. Thank you very much for the scene setter. Now that we have looked at the threats and more of the scary things, I will think we will also look at the resilience and how to strengthen really our Cyberspace, but Temea first ‑‑ maybe on your side, Timea from private sector lens, who are the main threat actors targeting critical infrastructure and how is the industry adapting, but as what is needed to strengthen resilience of the private sector, so Timea, over to you.

>> TIMEA SUTO: Thanks, very much, Marie. I would just like to propose that everything I say here today is written in much more detail in a report that ICC has published at the IGF last year on the protection of critical infrastructure and their supply chains and that's available in English, Spanish, and Chinese as well as Arabic, so if you want to hear more about what I tried to cram into my short interventions, please take a look at the report and I'll put the link in the chat later on.

To answer your question, Marie, from private sector perspective, the threat landscape facing critical infrastructure has never been more serious or diverse. We are seeing a broad range of actors, each with their disat this particular time motivations and capabilities that target essential services that underpin our economies and societies.

On one end of the spectrum, we have the state nexus actors, advanced per sit apt threats or APTs, they are typically well funded highly skilled and capable of complex long‑term operations and varies from interrupting services and accessing information to advancing geopolitical interests or undermining public trust and institutions, they can target both public and private sector. At the same time, the private sector must contend with increasingly criminal, often distributed and strengthened in way that makes them resilient to takedowns and prosecution. Also ran somewae as a service has made it difficult for unsophisticated to make disruptions. There are also threats that are a concern, these are individuals that are malicious or simply neglect that could be employees or third‑party contractors to critical infrastructure services who omp have privileged access, and fewer security checks and even a small mistake on their part or intentional sabotage can have a big cascading real‑world consequences.

What makes all of these threats more dangerous is the interconnected nature of our infrastructure systems, a compromise in one sector, say electricity, can ripple into others like health care, telecommunications or transportation. And these aren't just IT risks, these are national and global security concerns. Cyberattacks on critical infrastructure can lead to service outages, physical disruption, or even endanger life, and it's not just about keeping these systems online, it's about making sure that these attacks don't compromise the confidentiality and integrity of data that can lead to long‑lasting consequences like identity theft or misinformation which can cause ‑‑ have a long after the incident has been dealt with, right.

How is the private sector responding to this? It is actually stepping up, making significant investment in cybersecurity resilience, zero adoption of trust architecture continuous patching, vulnerability management, strong data backup, supply chain risk assessments, companies are building robust incident response programs and security by design into their systems. So there is a lot the private sector does but it's clear to be about the limits what the private sector can do on its own. Even the best funded private sectors knlt deter state funded actors or take down global criminals on their own. Cybersecurity spebl in the context of critical infrastructures is a shared responsibility between government and industry.

So to strengthen the resilience, I think there are four things that are critical. First, governments must play a more active role in disrupting threat actors, enforcing laws, and creating accountability in Cyberspace. In includes strengthening national capabilities, supporting law enforcement across borders and formally implementing the existing national norms and frameworks in Cyberspace.

Secondly, we need more stronger and operational public private partnerships, not just during the crisis themselves, but in the ongoing governance and design of security measures, this includes realtime threat intelligence, sharing joint exercises, collaborative development of standards and guidelines and many more.

Third, we need to include or invest in capacity brg and resilience, especially in sectors or regions where cybersecurity maturity is still developing, and last but not least, we need to try to arrive balance between regulatory obligations and sustainability of security controls. Regulation should be clear, spaced and consistent across borders, at the same time voluntary standards and flexible frameworks can allow companies to adapt quickly to emerging threats and invest in the most protective invest the. It requires continuous investment, cooperation, the provide variate sector is deeply committed to strengthening defenses and ensures business continuity but without government action and deep ongoing collaboration we will not be able to keep pace with the threat environment that Pavel talked about earlier. Thanks be Marie.

>> MARIE HUMEAU: Thanks, Timea, I think you importanted out the importance of what we have to do together and no one can achieve anything on their own and really the stakeholder need to work together. So, now I'm going to go to Floreta and unfortunately Albania suffered a recent cyberattack so can you maybe share best practices, because that's how it works, shares best practices, and resilience, can you give us an idea how the diplomatic and technical community collaborated during the response. Floreta, the floor is yours.

>> FLORETA FABER: Thank you very much. This is a great opportunity to be here in this very honored panel and speak about the case of Albania. Yes, it is true, in mid 2022 we had a big cyberattack on the E Golf services and Albania is a government who ‑‑ which has to do over 1200 services, E services to the Albanian citizens, over 95% of all of our citizens to citizens are online so hitting that system was really something which was aiming to disrupt our work to the citizens, to disrupt their trust of the government, and it was long and very important process for us because we were fighting krution, we were bringing more efficiency to citizens, and we were really focused on doing our best, but then this was kind of a wake‑up call for us because as we focused so much on having a technological advancement on responding to cybersecurity, in 2022 when we did have a law on cybersecurity, according to the Neise1 directive by then, we did have an authority on cybersecurity and we thought we had it covered. We understood talking about cybersecurity is not talking about technology, it's talking about a mindset, it's talking ‑‑ involving more people from the top management to the simple employee insight every organization that cybersecurity is something that everyone needs to focus on. The investments need to be in technology but capacity building is also important for training people and also people who are not technical have the right mindset and awareness that even one mistake in one person inside a big organization can allow the ‑‑ that simple attack become a big incident on cybersecurity. These are the main lessons in 2022. We made big changes in the country, really big reforms legally on making a new law on cybersecurity on 2024, according to the Neise 2 directive and as we talk about the critical infrastructures, this week actually, we're expecting the government to approve the new list of critical and important infrastructure which we build according to the new procedures, new methodology according to the Neise2 directive and a big change is not only working with all of the critical infrastructures and their technical employees but as going beyond that and looking at the procedures, looking at how people are trained, looking at every employee inside organizations, public or private sector to really have a focus on why they need to be focused and understanding that on cybersecurity and the cyberattacks, it's not simply a password which needs to be more secure. It's people who need to look at every email, at every message that they get if it's, you know to, make sure that the links that they're opening, they're safe, and it can ‑‑ they can continue their business or private life really in a secured manner. There have been big changes inside the authority. We have ‑‑ we had about 20 people, now we're going to 85 people inside the authority. The list of critical infrastructures is increased by 50% with a new methodology. We have ‑‑ we work really on daily basis with all the critical and important infrastructures with the being state sponsor cyberattack of 2022 was not one and alone. It has continuously ‑‑ we have been continuously under those attacks. The last one practically happened last week which was really a severe attack on a municipality, and our technical teams are like the big changes in 2022, it was difficult to have a group, a good group of experts to work on the case, but in cases like today in over one and a half years now, we have only the team that goes from the authority on cybersecurity working closely with the team, the cybersecurity teams inside the organizations, in trying first of all what's important to bring back the services, and also go back and do the reverse engineering and find out what happened, where the attack came from, and this is where the important part is, what do we do with the attribution. When we find out at the end where the attack came from, which is not at least in the last cases, it has happened, we have had about over 80 attempts last year and 32 attacks became incidents, and we dealt with all the cases successfully, but what we fear as in every country I believe is that if the attacks are severe, if the attacks go more than in one infrastructures, how our capacities are to respond to those, and then how we work with the diplomatic community actually to deal with the cases.

Now, I've been part of many UN, in a number of UN open‑ enended working group which give us a good understanding of how countries in the world actually act or react in case of big cyberattacks and big incidents and we are as much as we can share in big rooms and sharing with each other, but we also work in smaller regions. For example, Albania and the Western Balkan countries have tried to really xiewn Kate and especially with the technical teams, there is a point where they can really all communicate with each other and every week we share the indicators of compromise. There is a system where every country can do that. Maybe some countries need to be more active, but at least from the Albanian side in the last over a year now, every Friday, we send all the information that we can make public and share with the other ‑‑ with the other SIRTs and those are practices which we need to enforce also with the diplomatic community. Different regions have different experiences, like in Asia or other countries, but we all came with our own difficulties sometimes in talking to each other when it comes to political level or diplomatic level and that is of course we important, the technical side. So, first we need to make everyone aware that all those groups need to communicate with each other in a ‑‑ in all the kind of preparation time that we do in order to be able to protect ourselves, but as know how to communicate when there is a cyber incident, first because we want to share what happened, be able to share what happened, be able to protect other critical infrastructure on the same field or on the same category. As we know, cyberattacks can go across borders sometimes very easily, so it can happen to us but it can happen to, unfortunately, to every other country. We need to be prepared and have very, very clear how we communicate in cases of cyberattacks.

So, through UN or through OSCE or different regions in the world and different types of groups, we have agreed on confidential building measures where protecting critical infrastructures is really one of the key pillars on which we always look at.

So maybe I'll stop here and if you have more questions I'll come back.

>> MARIE HUMEAU: Thank you very much, Floreta. I think you already pointed out to some of the points. Welcome back to you at a later stage on the cooperation and the framework and the way ahead. Before we jump into, this I still have two speakers for the first part. So you mentioned the need for political commitment, for clarity, you mentioned the growing number of critical infrastructure, and actually the feed to invest in tech and capacity building, so talking about capacity building, I will now give the floor to Caroline because the ITU does a lot of capacity building with national CIRTS so maybe can you explain to us how that works and how does the role of the cross sectoral cooperation works and the importance of some simulation exercise, for example and also maybe you can tell us about a bit of a request that the ITU receive and how actually you address those requests efficiency protect critical infrastructure.

>> CAROLINE spm TROEIN: I would like to start on a positive note we heard a lot of challenges countries are face. According to the ITU, cybersecurity index, countries actually now have more cybersecurity measures in place than ever before, that means there are more law, more technical capabilities, more strategies, more trainings, more cooperation. Great.

The challenge and echoing what others have said is that now countries really need to think about how do I enhance my maturity, sharpen my responsiveness, adopt to the new challenges that for example AI brings, and even maybe prepare for things like what would a quantum future look like.

As Marie mentioned, we work in part on national CIRTS and we really see them as foundational to cyber resilience because they serve as that first line of defense against ICT threats targeting critical infrastructure in particular.

Now, as countries evolve, they may develop like a cybersecurity agency, but the core of responsibilities for incident response is still with that CIRT. Going to the point made earlier, cyber capacity building should not just be to technical then. While CIRTs are key and frontline they need to have a legal mandate, they need to have clear operational structures, they need to have sustainable funding, all of these form part of what makes a successful CIRT and they also need the continuous training and the ability to adapt to what comes next and that's where things like cyber drills, which are cyber exercises that ITU does, can be a really vital tool because they aim to simulate real‑world attacks, test national response mechanisms, and then foster cross‑sectoral coordinations.

Ideally also they help bridge the gap between the technical audience and non‑technical communities which is a big challenge in protecting critical infrastructure. I want to bring in an example here. I was recently in a country where we ran some exercises, specifically focused around critical information infrastructure, so a subset there. Through this we had some trainings, what they should be aware of in tmples terms of their national regulations that were relatively new, understanding what roles the different actors were and different dependencies that existed, and it was interesting to see the shift of mentality that started with many of the participants, who firstly, while it was a relatively small country, most of the stakeholders there had not interacted before and had not interacted around these topics particularly.

The mentality shift then started to build trust because they saw how they had connections to each other and how they could help each other and how they could move from a ticking the box exercise that the regulator might have been putting if place to thinking proactively about what can they build as methods and pathways of sharing the information, how do you actually share that information in a timely way, what structures do we need in place, and what are the vulnerabilities that we haven't, that may be uncomfortable to talk about. Only when you have trust can you actually begin to talk about those limations.

Of course these kind of exercises bring a bit of a renewed energy, everybody on the same page sees an alignment to move forward. Now this is just one of the types of interventions that we do. We receive a will the of requests from Member States, especially now we have a list, I think it's the latest count is 46 countries that have requested some sort of support with ITU in terms of cybersecurity. We work with them in terms of establishing or enhancing a national CIRT, developing or updating national cybersecurity strategies. We do quite a few different tailored trainings around topics from everything to try to bolster the number of women in cybersecurity, to talk around child online protection, critical infrastructure, of course, and we also try to do a lot of train the train programs because our ultimate goal is to build local capacity. We're not that big of a UN agency and our team is small within that, I think one of the things that we very much recognize and the reason I like working with a lot of people in this room is that there is a mutual recognition of you have to work together but you also have to make sure that the country itself that you're helping is empowered to start on their own journey, they need to be own the process going forward. It won't be ITU doing cybersecurity of a country, it will be the country doing it. We need to then look at things what we do ‑‑ how can we actually then make sure that we're developing practices for the country that can build that trust between stakeholders as trust is particularly vulnerable when there is political or economic challenges. And with this, I do want to make or take a sidenote to say this is not a developing, developed country issue. Many of the issues that developing countries are facing are ones that developed countries are facing. Are you being agile, do you have the right people in the right places, are the stakeholders actually coordinating? And for the least‑developed countries they have the extra added issue and small island developing states I would like to add in that they lack the capacity let alone the technical tools.

As countries are facing these competing priorities, exercises can be a useful way to help identify where the areas for prioritization lie, where they can work more effectively together, and where they should go next. Thanks I.

>> MARIE HUMEAU: Caroline. You mentioned Bridging the Gap so I'm going to move to the non‑technical person on the pabl. Lars, you are trying to bridge the gap as well between the tech inside the company and the nonprofit‑technical people, the operational, so which is really crucial, but from your perspective in the sector, what does resilience look like in practice and how is it evolving, based on your experience, what concrete action and processes help strengthening cyber resilience?

>> LARS: Thank you for having me on the panel, Marie. I appreciate that a lot. What strikes me in the discussions we are sitting here is that having the ability, that is our definitely part of our front of our heads because we are running a critical infrastructure, like hydro plants, solar, wind, batteries, stabilizers, everything that keeps electricity grids in different countries around the globe up and running.

For us the resilience part is kind of like the we need to introduce the ability to anticipate, prepare for, respond to, recover from, and learn from disruptions that happens, and to make these happens, we need to have the people in the sharp end, they need to get a betternding to get operations, managers, policymakers, at least, and to actually how can we make these operationalized. The processes are very good, the policies are good, but we need to adapt and keep in meaned that security and cybersecurity, we are actually adapting in the cyber physical systems, and this cyber physical systems need to be taking good care of. And it's the not like we can purity any type of security measures into any type of system because that system will affect another type of system that can get consequences and em pact maybe you not want to have, so you need to build a better understanding of what you actually try to achieve.

So for us it's like the resiliency part is a lot of physical, what kind of spare parts do we have stored in case of emergency. We are highly educated and trained to handle. We are to handle a lots of cybersecurity part, attacks and understanding.

From our part we have actually done drills the last couple of years directly to our power stations and the people outside there, and they love that we actually came down to them, tacked to them, make us understand how they day by day work and life is, and also how that will affect them and their family if a cyberattack happens. One thing is the sieb are attack in itself, but if that is combined with other type of physical attacks at the same time, how do we handle that, and how do we together with the national security authorities, the regulators for our sector, dhow we work together to actually achieve our end goal to actually keep the availability of these critical infrastructure that we actually are working on.

So for our parties also, at the same time, we need to adopt to the climate changes that we have already felt and work and get closer with other authorities, both in Norwegian countries, because the electricity grids, both in Nordiks and Europe we are highly connected and we need to have understanding.

Also from experience back in 2015, 2016 the Nordik transmission system operators responsible for the highways in the electricity grids in each and every country actually did the drims together to actually see what affected us together with the national security authorities, the national regulators, and also with the different CIRT teams in the countries, and what we actually achieved from that type of exercise was actually a better understanding of what is needed of knowledge and not only for the cyber sciewrlt and IT but you also need a goodnding from each and every type of from electricity, to telecom, to water and water sewage, and other critical infrastructure that are in this mixture to actually do the right decisions at the right time.

So from my perspective it's definitely the goal together, collaborate, and then make the people in the sharp end able to do their work and get a better understanding. Yeah, that's kind of it for now.

>> MARIE HUMEAU: Thank you very much, Lars. The time is flying fast because we have a lot to say. Actually based on your point on the importance of working, talking together, cross sectoral, cross regional, between the authorities at national level and regional lesm you mentioned Floreta I would like to look at cooperation frameworks and path ahead. For this I will give you a bit of a shorter time so we can also have a bit of time for questions. But I will start with you Timea online. So you mentioned the challenges of the private sector, for to protect critical infrastructure, so what support you would need from policymaker and also why do you think that business should care about discussions that are happening at the international level in international foras such as the UN, and please keep it short so we can have time for questions from the audience. Thaption.

>> TIMEA SUTO: Thank you, Marie. I'll try to be brief. For business protecting critical infrastructure today, it is an increasingly difficult, not because of lack of willingness by fragmentation that surrounds this, so we have challenges like many essential services we rely on today were not originally conceived as critical so not designed to operate with the resilience and security that we now require. At the same time, these infrastructures are highly interdependent not just with each other but with suppliers, contractors, digital service providers whom I know themselves be classified as critical. Then we have a huge issue of experimentation, not a shared global understanding of what constitutes critical infrastructure with definitions and frameworks differing widely between countries and in some cases missing all together. Then the question of maturity of critical infrastructure operators that vary enormously from those companies that have the resources to invest in security measures to those especially SMEs who have the tools, fufnedding, and expertise but just as krit dal in the supply chains.

So, how do we ensure security for essential services without overbushedden the companies that we actually rely on to operate and innovate. I won't talk about what the private sector could do, please read the report posted in the cha the we say a lot. I'll focus on the policymakers that you asked about. There I have a short answer. It's not more regulation but smarter policy. Focus less on control and more on creating the right incentives for cybersecurity investment. Also a need to rebalance between private and public sectors. Governments must realize security is not solely a private burden particularly empty infrastructure is necessary for public well‑being, national security and economic stability. Instead of desphawlting to near regulatory obstacle gaigs we need public investment, physical support, and policy environments that enable businesses to design and employ secure systems from the ground up. This includes adopting interflash nal standards, aligning risk manage am frameworks and clarifying roles and responsibilities is across the value chain but doing so in a way that reduces fragmentation and focuses effort on what actually improves security outcomes that's where forums like the United Nations come in, norm setting, capacity building, cross‑border cooperation are only possible to platforms like the UN. Business has a vital interest in the discussions because the outcomes directly affect our ability to operate securely, to trean across borders and serve the public, but international cooperation will only work if it's grounded in shared understanding, common standards and real‑world experience for that reason businesses must have a seat at the table in these UN discussions. This is the only way that which can make sure that the people who build, operate, and secure critical infrastructure actually contribute to shaping the frameworks that will define its protection, so if there is one lean that I would like to leave you with today, it's this. If we want effective cybersecurity outcomes, we need inclusive policymaking processes. I hope I was brief if you have.

>> MARIE HUMEAU: Thank you. I think you point out to the complexity and challenges. I guess there are also some challenges within the technical community, so Lars, maybe you can tell us a bit more about how the technical community cooperations together. You touched upon this a bit and how at the cross‑sectoral level as well and also international level. But as, from your per spct I have, should the technical community engage more with the diplomats? I think you pointed out, you started pointing it out but if you can dig it a bit further, that would be great. And also how can the industry better engage or has an incentive to engage actually in the multilateral processes where governments are sitting and discussing the protection of critical infrastructure.

>> LARS: Yeah, from my perspective and our perspective, it's definitely important to collaborate more with dip mats and diplomacy tolgt a better common understanding of what is actually needed and what is actually, what type of resources are needed and how much time things, and what's actually take to do. Because so to have a type of cross ‑‑ some arenas that we can actually meet, talk, not that formal in a way, I will say, because that makes it more easier and comfortable to speak out in a better way.

Today I brought my white shirt. I try to adapt to Floreta, I think that is a start. Maybe sometimes I will shortly invite Floreta and others to be part on the trip for our sake, for some of our maybe some plants or some that are available. Talk to our specialists and technician because that will definitely help you and others to understand. At the same time, the other way around. What is your work going on, what can we help with you on your way? Because as he'll mention before the arenas that we can actually meet and get a better actual understanding of what critical infrastructure are is very, very important. Because sometimes there are so fl a high‑level discussions, so the people down ‑‑ sorry on the ground, they do not feel any ‑‑ does not hit me actually or does it. So the arenas, across ‑‑ cross sectional with dip mats and also internally in the countries cross‑sectoral‑wise, and also over borders because in the electricity compliewnt we have the NCE and in Europe the interest group for TSOs but you also have Sea gray a global interest organization and also cybersecurity on topic, but these different arenas, maybe we sometimes from the cybersecurity technical pefer spective can go to these arenas and talk more and the same from the diplomacy and the IT community also to get a better understanding of electricity, water, all of those.

>> MARIE HUMEAU: Thank you very much, Lars. Thankfully I have a white and blue shirt so I can sit in between the two of you. And also I'm wearing sneakers, you can't see but I'm not that formal. So I think one of the important things is exactly this, that one understand the other but it's not only for one side to come to the dip emptyic arena and also for the dip mats to understand bha your needs are and how you operate on a daily basis, and actually to create this environment of trust and to be down to earth.

Pavel I'm going to jump to you to maybe look at how the UN framework can actually be more practical and protect critical infrastructure, how can we actually follow what just Lars said and be more practical and down to earth and to better understand each other to make sure that we create this trusted environment. Pavel over to you.

>> PAVEL MRAZ: Thank you so much. The UN framework for Cyberspace is mentioned by Floreta and Caroline and provides a strong foundation for protecting critical infrastructure. At the core of the framework are agreed voluntary cyber norms, something that all states committed to do, notably norm F which affirms that states should not conduct or support any ICT activity that intentionally damages critical infrastructure of others, and norm G that encouraging states to take appropriate measures to protect their own infrastructure, and there is another norm, norm H which goes one step further and calls on all states to assist each other in m it gaiting malicious cyber activity targeting critical infrastructure and other essential services.

Of course the devil is in the details of implementation. We must ensure the global framework is not a nice commitment that remains on paper, that it's practical where implemented, some things currently being done at the UN and global lesm is countries are designating points of contact globally for crisis communication in recognition that you cannot exchange business cards in a hurricane when a real cyber crisis hits and you need assistance from abroad whether it's assistance from the private sector or another Member State if the malicious activity is emanating from outside of your own territory, you need to have all of these channels, the trust, and the network already in place to know where to reach out. Of course, there is another challenge here and that is when we do capacity building in developing countries, we omp see this mindset of cybersecurity being an IT department problem or national cybersecurity agency problem and here is where the table top exercise is simulating real crisis, really come into focus because bringing in the decision makers and demonstrating that when critical services are down, whether it's energy, water, or healthcare, it is far broader as a problem than a problem for national cybersecurity agency so that really helps to bring people together as Caroline said, and we have seen this on the ground.

In order for the UN framework to have a real‑world impact and not remain just on paper, it must be operationalized nationally through legislation, institutional cord r coordination, but as sustained investment if cybersecurity that insides to be support r supported not only by the technical community but as by the political decision‑makers in a country, and it must be inclusive, involving also technical experts, Civil Society, and the private sector. And in other words, all the stakeholders that have a role to play in protecting critical infrastructure, and of course it should be backed for practical capacity building. I will leave it at that in the interest of time. Over back to you.

>> MARIE HUMEAU: Thank you. So I think Floreta I'll give you the floor, and I would like to keep a few minutes for a question if there are any, and also for Akhill at the end to wrap up all the nfltion information that we gathered. You're the per fct link to dip mat and technical, you're a dib mat, sitting in technical organization, part of the umple N organization, also part of UN Women if cyber fellowship. Maybe very quickly give us your view on how to bridge the indigenous communities and ensure each community understands and engages with one another.

>> FLORETA FABER: As it was said here it is absolutely crucial that those communities talk to each other. As I mentioned, Albania has taken a number of reforms on trying to bring the best what you can do in a country in the cyber ecosystem Ford to reach the best results. Unfortunately, only the countries that have had big attacks kind of have learned the lesson, but as we always try to say in cybersecurity it's like a football match. You can be the best team in the world, you awms at a try and make the training in order when there is a game you don't have a goil, but sometimes even if you are the best and you have the best players, you still have the goal from the other side. Same with cybersecurity, you prepare, you believe you have the best team in protecting you, but sometimes there are circumstances when the attacks can hit you. So this is the moment where we all train, when we all talk in peacetime, when there is not a hurricane in order to be responsive.S that why the community need to talk to ooch other because the crisis can be internal to the organization that can be big, spill out in the society, tbu can also become an international issue, and especially when it becomes an international issue it's the diplomatic community that does the talks. The UN is one of the best examples and OECE and other organizations, that can bring together always diplomat and technical communities, and that's actually one way to talk to each other. There are fellowships like the Women in Cyber fellowship which I have been part but there was a UN Singapore fellowship and numerous fellowships from the UN where you see the communities be together for one week, two weeks, in the same room that obviously you kind of start to build that trust on talking to each other, the point of contact directly, the UN based, it's another step of how countries talk to each other. But on the daily basis as you said, it's really important that we all speak with critical and important infrastructure. We maybe have the luxury of being a small country, we have over only 200 critical and important infrastructures. In some countries there are a few thousand, but we all have to find a way either through clusters or sectors that they talk to each other, talk to the national center on cybersecurity and understand why it's not only important local but national connections are also very important.

We have put together a new strategy on cybersecurity which is also one of the sublaws which needs to be passed, you know in a matter of a week or two, and in Albania, there are for many points where we focus, supporting the critical and important infrastructure and also awareness and support for children being safe online but awareness to every level of society. Underrepresented groups, SMEs, all groups who otherwise do not hear about cybersecurity. But one of the five pillars of the strategy, it is the international cooperation. In some countries, international cooperation is important because we do not have the means and the opportunities and the money to really invest in cybersecurity, and the international support is very important in this case but we also need the international support because we need to be connected. It is a world where we need to speak freely to each other and when it comes to cybersecurity, there is no border. You know, the attack can have an effect in one country, go to other countries, you know, it can be a Europe own or I don't know U.S. organization or a company who has branches around a number of countries and one can hit several countries all in one. That's why it is important.

Another thing we have tried is exactly this, bring experienced diplomat inside technical organization. It was for me to understand first what would I do in an organization like this if I come with, you know, at least two years of experience working on cyber diplomacy but anyway I understand that Singapore maybe has example. They have a team that works, they have one leadership, two groups, one with ministry of foreign affairs or communication as they call it and one with the technical group understanding that there should be a very strong link between the organizations. We kind of started doing this and it works perfectly because the translation is very important with the internationals, with the diplomatic community, but as everything the technical groups have done, you translate it in the way that you present it to your bosses, to the government, to the prime men ster, to people who want to know what happened, because if you go too technical, they won't ‑‑ it's normally, you know, it's a different language but the point is people need to understand in their own language what is going on and how they should be prepared. So this link is very important and I believe every country one way or another is trying to take steps in this direction.

>> MARIE HUMEAU: Thank you, Floreta, so Caroline I give you the floor to one minute and then I keep two minutes for a question from the audience here and then two minutes to Akhill to wrap up. Floreta you mention international cooperation, it is key. Me Caroline maybe shortly share some of maybe some cooperation modelses proven to be very effective that could be the basis for best practice practices and how to like provide some ideas for future discussion in the UN.

>> CAROLINE: Thanks. For the second time I won't share stories, we did a table top exercise for the point of contacts directly that Pavel mentioned. I'll just summarize and say that omp omp felt like the technical and others were operating from completely different playbooks so more coordination is definitely needed here and I want to note that coordination needs to have national, regional, and global levels because that a lot of coordination efforts are either concentrated on the diplomatic or the technical levels and we need the cross‑cutting aspects. So to just quickly mention be a few models, of course, there is the Azian maturity framework, the Neise, the OES is a very successful model, OIC, driving coordination, maturity, sharing best practices, there is of course also first that has been instrumental to CIRT.

I do want to note that critical infrastructure in particular, we do here from operators in the private sector is it's not always clear which of these different frameworks that we should be trying to engage with as there are so many and in some of them state takes the first step rather than the operator, so more clarity there is definitely something that is needed, and just to echo Timea's recommendation that these models only work and then they're part of a bigger ecosystem that has the coordination, but I'll leave it there given we're running short on time.

>> MARIE HUMEAU: Thank you very much, Caroline. I want to check with the audience if there is a very burning question. If not I do have one but in the sake of time. Yes, please.

>> Hello. I work for the IT company of Norway. Just interest of sharing more sensitive data across borders because when you're a technical person, you sometimes get technical information and you don't necessarily want to go public but you still want to share it with other technical people so that they can depend their systems better. How can we make areigningments for that.

>> FLORETA FABER: This is part of building trust with the people that you work with. In the Western Balkan there is a region where technical communities and different ways and different formats try to be in contact with each other either starting with WhatsApp, groups of females, with the platforms that we're using to share weekly the information and we are also trying another way of ‑‑ it's a long‑term investment we believe. We have started cyber camp of young people in the region, and we are building an alumni group of people who go in cybersecurity, so for the first time they met when they were 20, 21, and we believe that in each country since they come together on the same cyber camps every year and they still meet in alumni group with who is the first year, second year, for the first time we did the alumni last year online, we're going to do this in person, and we try to build the trust really from the young age because we believe those are things which take time and sometimes they prevept you not talking to each other for different trust reasons that are not only cybersecurity. I mean over ‑‑ to overcome those, we're trying all the best way possible practically how to really build the communities regionally all together.

>> Very good.

>> MARIE HUMEAU: Good question. I think we could talk about this for 20 minutes. I think Lars was willing to answer. But I will give like 30 seconds, nearly 1 minute but I think we're cut short of time. But very, very briefly, Akhill if you can wrap up the entire hour of discussion that we had. Thank you. And you will have the last word.

>> AKHIL THOMAS: Thank you, Marie. As you said, I will have the last word which is a slightly unfair advantage of going last which means that I get to sound smart by summarizing all the great points. Thank you very much for that. Thank you for the panelists both on site and online. Key takeaways from today's session is that collaboration is nonnegotiable, whether bridging technical divides, strengthening kr. IRT to CIRT or public private partnerships, silos are luxury we cannot afford. We heard that resilience is mindset and systemic effort, rooted in govern angs, funding, international cooperation. Lars highlighted energy sector on cross border teamwork and ‑‑ Timea, the private sector with zero trust and what's now to reduce fragmentation is smarter policy and not necessarily more regulation. Caroli, in e stressing resilience requires legal mandates and cross‑cutting at all levels, national too lower and Pavel the threats of ran somewear and urge enter need to turn, POCs and inclusive capacity‑building. Three themes came through very clearly, preparation, through exercises, clear protocols and strong leadership, and inclusivity, making sure that governments, industry, and Civil Society all have a seat at the table. And shared responsibility recognizing that threats cascade across borders and no single actor can secure critical infrastructure alone. As we conclude, I encourage everyone to carry forward today's calls to action, concrete, sustained dialogue. Thank you and wishing you productive time at IGF. Over to you, Marie.

>> MARIE HUMEAU: Thank you. I'm just like closing. Thank you very much. We are running out of time. It has been very ‑‑ I would like to thank the panelists and I'll give the floor back to the next panel.

(Applause).