2015 11 10 BPF Regulation and mitigation of unsolicited communications Workshop Room 5 FINISHED

The following are the outputs of the real-time captioning taken during the Tenth Annual Meeting of the Internet Governance Forum (IGF) in João Pessoa, Brazil, from 10 to 13 November 2015. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***


>> JULIA CORNWELL McKEAN:  Okay.  Good morning, everyone.  Sorry for the late start, I thought it was good to start a bit late due to security.  Hopefully everybody who wants to be here is here.  Thank you, everyone, for joining us for the session of the Best Practice Forum on the Regulation and Mitigation of Unsolicited Communications.  I'm Julia McKean.  I work for the Office of the Children's eSafety in Australia.  That sounds weird, but I'll give you my background.  Prior to July this year, I spent the last seven years regulating spam and doing training with regard to the security initiative and telemarketing in Australia.  For seven years of dealing with the bad guys.  I'm just saying to my colleague that seven years dealing with spammers, dealing with this is nothing, which is what I'm doing now.

What that has shown to me over those seven years is that the issues of Internet safety and Internet security are very much tied together, and I think that's what this Best Practice Forum is about.

We're going to keep the interventions short because I really would like us to focus on discussions in relation to our ‑‑ and we're going to deal with that in a slightly different way.  What we're going to do is distribute what are called ID rating sheets.  And I hope you all have a pen because these we will distribute as we go through each of the 11 recommendations, ask you to indicate what you think of each of them and give you an option to make some notes.  If there are any special notes you have.  So while you are absolutely welcome to put your hand up and make some comments, if you are not so inclined, please do write something down.

With 11 in this very short timeframe, I'm afraid we'll have to move those along very quickly.  So having that opportunity will also mean that everyone gets the chance to say what they want to.  And we'll make sure at the end if you need an outlet, you can do that.

So we're going to hear a few words from my colleagues on my left and right.  On my left is Cristine Hoepers from CERT Brazil.  And we have Tomas Lamanauskas, ITU coalition.  We have Neil Schwartzman representing the M3AAWG Foundation and you have another title.  Neil?

>> NEIL SCHWARTZMAN:  I always wear many hats.  I'm with the Coalition against Unsolicited Email.  

>> JULIA CORNWELL McKEAN:  We have Tomas.  Trouble pronouncing your last name.

>> TOMAS LAMANAUSKAS:  No one can. 

>> JULIA CORNWELL McKEAN:  From the ITU.  And we have Makane Faye from IGF Africa who has made a contribution to this report, focusing very much on the issue of the connections to broadband Internet to African countries.

So first I'd like to hand over to Christine for a short intervention on the report.  

>> CRISTINE HOEPERS:  Good morning, everyone.  One of the parts of the report was the case of Brazil and how we worked for several years to come up with mitigations and solutions to the spam problem.

So early on in this process, we decided to divide the efforts by areas.  We created working groups with several people from different sectors of society.  We involved the ISPs and telecom companies, consumer protection organizations, the minister of justice, some federal prosecutors that were involved.  A lot of technical people.  And really the objective was to try to divide the problem between what can be technically mitigated and what needs to be legally addressed.

And really the first thing that became very clear to us was that the major problem that we had to address had to be addressed technically; it really was not passing a law that would stop people from abusing our computers and using Brazil as a stepping stone to the whole country.  So we went to several efforts.  These efforts are documented now in a book that's in Portuguese.  So if anyone reads Portuguese, if you go to the CGIGI booth, you can have the English version.  We are still having problems with review and translation.  We hope that will be ready by May next year.  But there is a short description in the document.

And what I would say that while our dream would be to get our country ‑‑ our departments what, we did first was how do you at least stop some of the actions in all those machines compromised?  And the first thing we did was okay, we need to implement 25 ‑‑ so that reduced the value of the botnets.  That dropped us from all imaginable lists you can have in the world that says you have the most spam.  And now we are more in par with countries that have the same size as us.  We are at least on par with United States, with other countries that have the same amount of computers.

So it was very effective to reduce the amount of spam.  But in Brazil specifically because of the regulation, how Internet is not regulated and telecom is regulated, these required a very big multistakeholder coordination and cooperation.  And this is what we are documenting and that we are sharing is that really there is no one measure.  We haven't stopped to committing chains and get it to stop at least we have done some stopping of some of the measures.  I think we have to see what can be tackled in which way for the marketing messages.  We created a group that is self‑regulation, email marketing code.  So that is a code of what's acceptable to do marketing via email.

And there is also a draft of a law, but the legislation process is much longer.  And that draft that was recommended by the Brazilian Steering Committee is not to go for the criminal but go to the Civil law, to really put a lot of strain monetarily and try to do that like more of a class action, that you can have an ISP or someone to say that there is a spam, instead of having the victim to go.  So people from Roman law, you know more or less what I'm talking about.

And it was really to have end user awareness, we created a portal.  We have videos.  We have a lot of material explaining what's spam, what can be bad about spam.  So also in the booth it is important that we have a lot of booklets that we have schools using this material to teach children.  So our take was really how to create material that creates license and how to get people to use that material freely to pass the message to people that will be using that material.

So this is a very short, brief summary on how we were dealing with the problem in Brazil.  I wouldn't say it's solved, but it's much more manageable now.  And we can now focus on other areas.  We can try to improve some other areas.  And specifically we have statistics, we have some projects to measure how that is going, what are the techniques being used?  Because if you don't have metrics, you are kind of at a loss as to what exactly you are doing and what you are finding to that point.  So thank you.

>> JULIA CORNWELL McKEAN:  Thank you, Cristine.  I'll now hand it over to ‑‑

>> CHRISTIAN DAWSON:  First of all, a couple of introductions.  My name is Christian Dawson and I am Chairman of i2 Coalition, which stands for the Internet Infrastructure Coalition.  It is a coalition of companies that make up the nuts and bolts of the Internet.  We're talking about web hosting providers, some registries and registrars, but also data centers.

And in that capacity we do what we can to try to make sure that the Internet and its infrastructure survives and thrives.  Before I move on how we have anything to do with this, I want to introduce the log ‑‑ because I get to speak before Neil, I get to steal a little bit of his.  M3AAWG is the Messaging, Malware and Mobile Anti‑Abuse Working Group.  They are a tremendously important organisation we're talking about here.  They have been working for a number of years on an omnibus best practices document, which my understanding is serves as one of the cornerstones of this particular effort.

Through the creation of this omnibus document, there is one specific chapter that i2 Coalition was brought in to assist, that of the hosting best practices, web hosting best practices.

The Web hosting community has, over the past few years, been an increasing ‑‑ I don't want to say community itself ‑‑ but we've seen an increasing amount of abuse and spam coming from this community.  By our measure, around 60,000 organizations, companies or individuals that are hosting something, whether it is a large web hosting company or somebody who is hosting a server in their basement, there are around 60,000 people or organizations that are hosting something in their own locations throughout the world.  And that's a lot of opportunities to get a server hacked and exploited and have a DNS taken over to be used for the propagation of spam.

So it tends to be a major problem.

M3AAWG thought to bring in the Internet Infrastructure Coalition to assist them in building best practices that were going to be actionable.  And what I wanted to basically take a moment this morning to talk to you about is that when you go through these documents, I want you to know that this is not a wish list from the abuse community that has not taken the time to vet these actions to make sure that they are operationalizable.  These efforts that you will see have been the work of a deep collaboration with industry thought leaders, industry actors.  And not just that, it has been ‑‑ there have been collaborations with organizations that are small businesses that are sole entrepreneurs.  We haven't taken the perspective that in building a best practice, we should make sure that we set things to what a Google can do or what some large organisation can do; we have taken the time to say:  Okay, these recommendations that we're going to make are the kinds of recommendations that can be applied for anybody, even a sole proprietor who is just starting out.

I myself ran a small web hosting company for years.  And so that has informed my own involvement in this process.  And one of the things I made sure to do at every step along the process in my own involvement was to make sure that we made it simple, easy to understand and actionable for small operators.  I think we've achieved that.  And so I wanted to thank this group for building a project that allowed my group to have some small opportunity to contribute.  And I think you're moving in absolutely the right direction to really make a difference.

>> JULIA CORNWELL McKEAN:  Thank you, Christian.  We will move on to Neil.

>> NEIL SCHWARTZMAN:  Indeed, Christian has shortened my speech a little.

I want to thank you all, Ladies and Gentlemen, for allowing me to speak today, to participate particularly in this wonderful process.  It has been a lot of fun, a lot of work.  But I think that our outcome has been remarkable.

My name is Neil Schwartzman and I'm the Executive Director of the Coalition against Unsolicited Email, CAUCE.  We are the largest end user advocacy group.  I say end user intentionally because we do not view users of the Internet as consumers.  They are participants and contributors to the overall ecosystem.  And I believe they are vital.  They are you.  They are me.  They are your mom and your colleagues.  That's who we fight for.

Since Cristine mentioned some things happening in her country, lovely Brazil, I'm going to take this opportunity to mention CASL, which was actually the brainchild of myself and my colleagues at CAUCE, Canada's anti‑spam law.  It came into effect in 2014 and it's the world's toughest cross‑border anti‑spam legislation.  It carries with it fines of up to $10 million for commercial electronic messages sent without permission of the recipient.  There have been some cases filed.  They have yet to go to court.  This is all a trial and tribulation process for us at this point.  Obviously there will be challenges along the way.  But once the law clears those challenges and those hurdles, I think that we will begin to see a severe drop in spam as a result of this law.  Speaking of spam, it is conveyances.  Unsolicited, unwanted email and SMSs, direct messages, they pour in daily.  These are the largest and most frequent breach of individual privacy rights that exist.  Phishing and data breaches, theft of money and identity are all predicated upon unsolicited commercial communications.

In the time that it took me to say that last phrase, 1.2 billion spam have been launched.  Just those 10 seconds.

There are a few things to highlight about this.  As Christian mentioned, the document provides a framework for another best practices document that was developed independently by anti‑abuse and industry experts.  Project Safety Net is published by my organisation and the Messaging, Malware and Mobile Anti‑Abuse Working Group and the London Action Plan, simple law enforcement investigators and administrators that work in the area of anti‑spam.  This global best practices document is one year in the making.  In fact, it was a renovation from a document that we presented in 2012.  And this one, too, will be presented in the new year.

It is important to know that as Cybercrime changes, so, too, must the best practices that deal with it.  So Project Safety Net is actually an ongoing evolutionary process whereby every two or three years or so we publish a document and then we go back and look at what we previously published.  Our work is never done.

The document was developed by the top experts and inventors of Internet technologies.  The DNS section was written by one of the inventors of the DNS.  The email section involved one of the inventors of email.  So I can't think of anybody better to speak to best practices than the people who actually invented them.  By the way, in both those cases, the inventors were not commercially motivated by companies or individuals; they were there as volunteers.  Sole individual volunteers.

With the input of 125 experts and input by the industry, 270 member organizations themselves, this truly represents all stakeholders, from consumer advocates such as myself, to government and law enforcement, to industry.

Today, we discuss the encompassing document which strongly suggests training be an integral part of capacity building.  As a trainer, I could not agree more.  We need to get the word out.  We need to be able to help all of us as a community.

I'd like to make another suggestion:  That the IGF without fail convene a process to deal specifically with Cybercrime, a field that far outstrips mere spam, unsolicited communications is truly the main enemy of capacity building for the next billion and the billion after that.  The bad guys are out there.  They are coming.  That is immutable.

The recommendations that came out of this process and the document that you have before you are the well thought out and considered opinion of myself and my esteemed colleagues.  I hope that you agree that these are also the very best that we as a community could come up with.  Thank you.

>> JULIA CORNWELL McKEAN:  Thank you, Neil.  Christian is leaving us.  Thank you, Christian.

>> TOMAS LAMANAUSKAS:  Pleasure to be on this panel, as well.  Thanks for the work.  Very useful documents.  I had some comments on that.

Before that, just in case there's some people who don't know, International Telecommunication Union, it's a UN agency.  193 Member States.  And agencies that also have some 100 NGO and 100 academia members.  Also our role in the broader spam and recall cyber security area is the world Information Society, building confidence and security for the use of ICTs.  And we have the data for all that.  Officially including UN agencies together to work on those issues.

In terms of ‑‑ and I think the way I would like to kind of frame this, my intervention is basically also some aspects of the document.  And first of all I think from our perspective, this emphasis on the newly connected, how to protect the newly connected, understanding their specific challenges, is very good.  Also capacity building as well as broadening issues.  We discussed yesterday and are discussing now.  That spam is not just issues of broader you in terms of cyber security, even Cybercrime as the previous speaker also mentioned.

As also was mentioned here, it's important to measure.  So if we don't measure, we don't know.  So also how many ‑‑ how much of the traffic spam occupies.  But also how well countries appear.  So we have to know who or where the wide spots, whether we need to direct an action.

Also we are now revising what we call the global cyber security index, which is a way we measure preparedness of the countries to tackle cyber security issues.  And the new revised version will involve spam‑related, which we hope will lead to the broader community also understanding how the countries ‑‑ capacity building is of course important.  And in terms of a broader spectrum, ITU has been doing ‑‑ we've been doing quite a bit on that.  We've done 65 country cyber security assessments, helped the countries implement 11 CERTs, still 4 in progress.  Convened 100 countries and 11 cyber drills.  And also doing regular capacity building/knowledge sharing work.  For example, recently, earlier this year, we had a Forum on cyber security, Cybercrime for members ‑‑ African states.

Also have specific emphasis on the least developed countries in our project ‑‑ African countries as well as capacity building‑wise, doing that work what we call ‑‑

Another aspect that was mentioned, mentioned in the document I think is important is work on the best practices.  And there are a few references in a few documents.  It's important to see how people are doing and then to see how we can implement the specific countries.

So, again, from our work, we have the two in our development centre, which also works on the best practices for spam.  And we have a document release of the 24 best practices and now it's in the 2014 cycle we are now working on the next cycle, 14‑18 best practices.

What's important about these best practices and I can't emphasize this more in terms of ITU work.  It's not just experts doing best practices for someone but it's the countries coming together and discussing what works for them.  Because a few study groups Member States come together to discuss what's best work for them.  So that is a way to find best solutions work on the ground.  We also have documents like international cyber security strategy guide.  So countries can understand what needs to be covered.  Also understanding Cybercrime.

In terms of the specific aspects also, again, in the context of the broad issue, Child Online Protection activities come close to that.  Because again that's Julia's kind of previous job.  I'm sorry.  New job.  Moving in.  But it's kind of closely related because a lot of that, especially messaging and all that could be again ‑‑ spam is not only defined by the purpose.  It's commercial.  But it's also for other purposes.  So again in that regard, we have Child Online Protection guidelines, teaching parents, children and industry.  And the last updated one was last year by IGF.  And we're pretty happy with their collaboration with industry, with mobile operators, SMA, this has been implemented on the ground and again good industry practice to make sure these are safeguarded to implement.

One thing that's mentioned in the paper but maybe we could expand a bit more, the standards.  Because again standards are important.  And when you build capacity, it's not all about policy, it's also specifically what needs to be done on a technical measure.  Again just marketing plug.  So I do have 12 technical standards plus 6 being developed to look into.

Another topic that's mentioned in the document is regulation framework, legal framework.  So once we have African Union convention on Cybercrime, talking about and encouraging communications, we should not forget that most of the African countries signed up from January 1st of this year ‑‑ (no audio).

Yes, good morning, from the country of Africa.  Secretariat African commission.  We participated in this survey on the best practices on unsolicited communication where we received includes administered by the Secretariat.  And then we had a meeting on 7 September at the African IGF where we had four members of stakeholder groups discussing the results of the survey.  And the meeting came up with the following recommendations.  The main one was that the panel decided that there was need for an African safety for an emphasis on pan‑African collaboration and cooperation in the prevention and effective combating of spam.  And then at the end of the panel, the participants took the following four recommendations.  To encourage the government and sector organizations to work together to raise public awareness on the risk of spam and what can be done to combat it.  Develop capacity for international cooperation in cyber security to enhance public protection and to promote more effective information sharing to address cyber crimes.  Effective regulation.  Training and awareness raising.  The second one was the best practice, the most appropriate measures to combat spam.  And one of those recommendations was to put in place unable to combat spam.  Thank you for working ‑‑ spam.

>> JULIA CORNWELL McKEAN:  I will turn to the audience for any comments, but I think what I'll do is just cover any interventions you want to make.  We're going to be passing around the sheets, so if you have a pen, indicate what you think of each of the individual recommendations.  It's quite self‑explanatory.  And then if you've got any special comments, just write them on the sheet.

If you need any help, perhaps raise your hand and we will pop in and help someone if they need it.  But I think you should be fine.  So we've already suggested this in what we mentioned in each of our interventions and in putting together this Best Practice Forum this year.  And I think in fact this has evolved from last year.  So last year we had ‑‑ which had a number of recommendations in this particular Forum for 2015 arise out of that.  It became clear ‑‑ and this is particularly as we were putting the report together that the topic of spam is actually quite small.  And, in fact, we weren't just talking about spam, we were talking around a whole range of issues, cyber security, Cybercrime, cyber safety.  And when we were talking about education, it wouldn't make much sense to educate technical people or citizens or children just about spam.  It would be a very small discussion and one would think there's a whole bunch of other things to know about these issues.  So with that in mind, our first recommendation is that it will be better for best practice forums to focus on broader cyber security, cyber safety, Cybercrime issues rather than specific symptoms such as spam.  Might I add that the wording of each of these recommendations is entirely up for negotiation.  We can nuance that and I think that we probably will nuance to make a stronger recommendation about the way forward because in our discussions yesterday it became clear that there needs to be a handout point.  To assist in capacity building or whatever.  You can't say it when you walk away when we leave Brazil and never do anything again.  There needs to be a point where we reconvene and say okay, what happened in the last year?  What's happening in the next year.  So this is what the purpose of this recommendation really is, to develop a check in point that's better than the one that we've got right now.

I'll throw out there if there's anyone who would like to intervene, if they'd like to come up to the microphone.  Please do so at any point, I might add, if you'd like to speak, just come up.  But could I invite if anybody would like to come up now?  And if you could please before you start, thank you.

>> Hello, everyone, I'm ‑‑ from Brazil.  And my point is basically what you were mentioning about education.  Especially of end‑users.  And I think you're absolutely right there is no point in educating the technicians and technical people.  But I think there is one thing that is very important to take into consideration is that when we try to educate people about spam or Cybercrime and everything involving that, there's a deeper thing that you have to think of first that is the basis of everything is that most end users don't understand how the Internet works.  So I think that before we get to the point where we can explain to them that they shouldn't be doing that, they should be careful with that and understand why they have to do that.  And then that's simply thinking of the way I learned things when I was at school and things that didn't work.  Basically things that didn't work is sometimes they were throwing me things that they say okay, you have to use this to do this.  But they would never explain to you why.  So instead of just telling people what they should and shouldn't do, maybe thinking of an education process where people can understand how the Internet works and this will help not only in these problems of spam, Cybercrime but also for them to understand better about privacy and everything that involves the problem you're having with the Internet nowadays.  So I think this is an important point to keep in mind.

>> JULIA CORNWELL McKEAN:  Thank you.  I think it is, indeed.  Just in my office we were having a discussion recently at the Children's eSafety Commission that for people my age, people two or three generations younger than me, this is not second nature.  We need to train children so that Internet safety, Internet security, privacy is just part of their language.  It's just the way they live their lives that we don't actually need to have special classes.  It's just like reading and writing and arithmetic and Internet safety and security.  They just know how it works.  So perhaps at the IGF in 30 years' time we'll be saying ‑‑ will it be in IGF?  Because the kids will know it all by that point, I don't know.  But that certainly should be the object.

Do any of the panelists have anything to say?

>> NEIL SCHWARTZMAN:  I do.  For the first 15 years that CAUCE existed, we were focused very much on end user communications, how to protect themselves.  These days, with the level of sophistication of malevolent actions online, compromises are the new thing where they're working through attacking CEOs and stealing tens of millions of dollars at a time, I would say that end user education is almost a waste of time and money because I defy anyone in this room.  I'll show you examples in this session of stuff you couldn't tell me if it's legitimate or not.  I can't even tell in some cases and I'm pretty good at it.  So I'd say that absolutely as part of the school curriculum, absolutely.  It needs to be don't trust everything you see.  Double‑check.  But we as technologists also have a responsibility to come up with much better ways to differentiate between what is false and what is not because right now there is no difference.

>> JULIA CORNWELL McKEAN:  Thank you, Neil.  We'll move to the second recommendation, which is around statistics.  And Neil was responsible for putting together the statistical part of the report.  Thank you, Neil, that was work that I didn't want to do.

[Laughter]

What we were looking for was data that would indicate the scale, the scope and the costs on industry and government.  And we found a lot of data but we couldn't find a single data for logametrics, so with that in mind, our second recommendation is that work could be done to pin down a set of reliable metrics that relate not only to spam but broader cyber security issues.  Neil, did you want to add to that one at all?  Given that was your baby?

>> NEIL SCHWARTZMAN:  Sure.  The only thing that comes to mind is there's lies, damned lies and that is the point.

Statistics are incredibly hard, particularly because everybody's viewpoint about a problem is like the blind man trying to describe an elephant.

I work for the world's largest company at this point.  I can tell you that my view on malware and phishing and spam is drastically different from what Cristine would see in her position with Brazil CERT.  Absolutely no ‑‑ it would be like two different animals.

So what is really needed is trust amongst the reporting entities, a way of anonymising the data so that we all throw our statistics into a single pot that would then allow us to have some sort of insight into the global, widespread phenomenon that is cyber abuse.  At the moment, we don't have that.  So when somebody says spam is down 50 percent or it's up 50 percent, take that with a lot of grains of salt.  It doesn't mean anything.

>> JULIA CORNWELL McKEAN:  Thanks, Neil.  Again, if anyone wants to come up to say something, please do.

>> TOMAS LAMANAUSKAS:  You'll get used to that.  It's always me.  I just wanted to add to the point that Neil said that I think is important.  Even if I work with a company that deals with Cybercrime, we see that financial institutions are the main target and one of the main problems when we talk about phishing.

And on the other side, people don't really talk much about it.  So I think that the approach the banks have towards that, we would need to try and change it a bit because the way I see it happens nowadays, for example, in Brazil and I think most countries, is if your credentials are stolen and ‑‑ sorry, your banking information is stolen and used, you call your bank.  They will give you back the money and nobody talks about it.

So how can you solve a problem that you don't know exists?

So we would need a change in the way of saying things because now the banks don't want to talk about it because they are afraid that their customers won't trust them anymore.  Then we will not use them.  But the problem is there and it's happening.  And if we could try to invert it and say the problem is that and that's what we do to try to protect you.

Because, again, talking about end user education somehow, if they are aware of the problem, it's easier for them to try and be more careful about it.  But if the problem doesn't exist, how can you solve it?

>> CRISTINE HOEPERS:  So talking about metrics, my experience, the experience we have in Brazil, one of the things that we tried to document and this is why we have like a book.  The very first point where we started to talk to different stakeholders, especially lawyers, policymakers and senior executives, was:  Do you have reliable metrics about what the problem is?  

So you could have something to rely on.  What's the method when people collected it?  So that at the end, one of the first things that we did was actually to create a whole project to measure how Brazil was being abused by spam.  So this was the key to convince the policymakers that oh, all those other statistics, they converge to what you were seeing with this methodology that I know what's being done.  And it's not someone reporting spam because there was a lot of oh, people sometimes complain of things that are not spam.  So we can go with that.

So we created ‑‑ so if anyone would like to talk a little bit with us, we are talking now through the initiative with some sensors in Africa and maybe do something about that kind of metrics in there.  And this now is a global project; we have partnership with some CERTs.  And really we are seeing parts of this problem that are complementary to the other metrics, so that we saw that people were measuring some things and not all the places in all the ways that people are sending spam.  And especially because we are seeing that depending upon where they go, we have our sensors, the problems are a little bit different.  And this is one of the challenges.  Because we would go to other countries to talk about the problem and everything is different.  The environment, the culture, the legal system and even the way how your network is being abused.

So I think to have metrics is also to have this vision on where are you collecting the data and what it actually means and how can you normalise the data?  But I think anonymization is also a key.  So in our case everything is anonymized so now we are sharing data with some people that are fighting spam in some other countries but it's all anonymized.  So that's one of the things that was important.  Everything is connected.  And I go back to the number 1 that really we need to tackle abuse in a bigger way and we need to involve fighting abuse and sometimes fighting crime because then you can go through the rabbit hole of I need to create a law first.

No, we are fighting abuse of the Internet infrastructure.  Abuse of our connectivity.  We are making it more difficult for people to use.  So it doesn't matter if it is a crime or not, it's actually an abuse of the resources.  And it's easier to talk about that than to go like "crime." So these are some of the things that maybe ‑‑ but metrics, we really need to have some.

>> JULIA CORNWELL McKEAN:  Thank you, Cristine.  I need to remind you that before anybody speaks, you need to say your name for the purpose of the transcript.  It's Julia here again.  I'll move to the third to keep the ball rolling.

The report gave a number of best practices and it was a botnet mitigation centers was something that indicated positive outcomes in terms of mitigating unsolicited communications.  So our third recommendation is that newly connected economies consider multilateral anti‑botnet efforts or botnet centers ‑‑ on end user devices.  And just to give an example, I managed for a short time the Australian Internet security initiative, which was a partnership with Internet Service Providers, with data providers of malware infections.  So we received information about compromised IP addresses.  We received information from Internet Service Providers regarding their IP ranges.  And we provided the details of the IPs on particular Internet service provider networks so that they could then follow up with their customers.  That's the 30‑second version of that.  If you're interested in that initiative, it's the AISI.

So I believe we've thrown all the recommendation sheets out, so you should be seeing those.

Any comments about botnet mitigation centers from anybody?  Yes, we have one in the audience.  You need to use the microphone, sorry.  And if you could give your name, I think we are reminding you, also.

>> Hi, yeah, sure ‑‑ from the UK government.  Just on that point, is that something, a role that maybe CERTs could play?  I was just thinking, mindful of maybe we don't want to encourage the creation of too many different organizations that sort of overlap one another?  So in the UK, for instance, where we're looking at this issue of mitigation of scale of low‑level threats just like this.  And that sort of brings together the people who already operate in this space, like law enforcement agencies and CERTs, rather than sort of creating a whole new organisation.  I was just wondering whether maybe we could sort of recommend and support the work that we're doing to try to establish CERTs and say this is something that maybe CERTs can collaborate on because they already have those channels of engagement rather than maybe saying you need to set up something totally new and bespoke just for this.  We could actually recommend bringing that in to the realm of organizations that already exist in this space and avoid duplication.  

>> CRISTINE HOEPERS:  I think one of the things, I couldn't attend the panel.  But I think one of the things that we are studying is really to recommend to the IGF to merge with the other Best Practice Forum that's called establishing CERTs, that will be tomorrow.  I will be chairing the session.  But really if you go to most of the anti‑botnet centers, you see a CERT involved, especially in Europe.

So in the case of Brazil, the whole technical coordination was done by CERT BR that I'm a part of.  And certainly in our metrics measurement, since ‑‑ (no audio).

‑‑ so I think this is why everyone would say so we need to get more, we need to get the I2 coalition, we get everyone ‑‑ ITU.

But CERTs are involved.  But in the countries that are now creating CERTs, sometimes you need to have more people involved.  Sometimes you have the CERT partner in both.  But I think that in most countries, you have CERTs involved.  Sometimes the CERT will not be ‑‑ some areas so for the local anti‑botnet centers.

>> NEIL SCHWARTZMAN:  I think it's absolutely true.  My name is Neil Schwartzman.  That the CERTs are an integral part of this process.  In other countries, we've seen industry‑led initiatives.  The ABCs for ISPs, which was published by M3AAWG, there is some debate as to the effect of these initiatives.  But ultimately what I saw was ‑‑ at the ISP level taking the initiatives, anti‑bot initiatives, almost all at the same time.  And suddenly all of the bots moved to the hosting companies.  I don't know if that was cause and effect.  I'll leave that to greater minds than my own.  But I will say this:  All stakeholders need to be involved and cannot be just the CERTs.

I recall, well, my own Canada CERT was really 9 to 5 Monday to Friday until something really bad happened and then everybody was embarrassed.  But some CERTs are really poorly organized, are underfunded, I think mine is, and at a digital crimes consortium in Miami in March of this year, a young lady from NICERT who will go unnamed said "well last year we had four incidents." And it was like wow, that's really good for your country.  She said, "I have 8 from your country on my laptop today." So, encouraging reporting to CERTs and also not overwhelming them with stuff that isn't an emergency because there's a difference between an incident that should be handled by a CERT and something that shouldn't.  So there needs to be a process involved so that we don't overwhelm the CERTs so that they're dealing with stuff that is of true impact on critical.  So all of this to say that the CERT should lead and take their position.  But we need to help them coordinate this process.

>> JULIA CORNWELL McKEAN:  Thanks, Neil.  Julia here again.  So I'm going to move on to recommendations 4 and 5 that relate to Cybercrime.  I know it was discussed at yesterday's discussion about training, that it's not necessarily just those newly ‑‑ coming newly online, it's also in some of the countries that have been online for some time that our investigators, that our law enforcers just don't have the necessary understanding and perhaps skill.  And at the same time, citizens don't necessarily know what they're reporting.  And all that comes to the fact that Cybercrime is vastly underreported.  Some of that is through mere embarrassment.  People have been scammed on the Internet and they don't want to tell anyone.  In fact, I recall some time ago there was some research that when someone had in fact been scammed on the Internet and he in fact reported it, they're in such denial even though they reported it that they're scammed again because they didn't want to in some way validate that what they did the first time actually wasn't wrong.  So there is research to that effect.

In any event, draft recommendations 4 and 5 relate to this issue.  The first one is that effort be taken by law enforcement to categorize crimes undertaken using the Internet.  So instead of just saying it was fraud, indicate that it was fraud using the Internet because the treatment for fraud using the Internet is quite different from fraud, say, check fraud, for example.

Recommendation 5 is that governments and law enforcement take proactive steps to encourage the reporting of Cybercrime by all users, citizens and industry.  And that goes to the point earlier relating to the banks and other industries who vastly underreport because they just don't want us to know.  If we are all part of the problem, we can all become part of the solution.

Any comments from anyone in the audience in relation to the recommendations thus far or anything we said or any additions?  Is there anyone online perhaps?  No?  Thank you.  Any of the panelists?  Tomas?  

>> TOMAS LAMANAUSKAS:  Just to say that when we bring on the spam and broader security issues, the best exercise is when you bring all the communities together.  So for telecom industry, law enforcement and technical community.  So that's when the information perpetrates and then also not only about capacity building for the people but also them understanding each other's needs and how they work as different communities together.  And that's also the reason why we also very closely work with the United Nations office on Internet crime and Interpol to issue our own mandates because we can complementarily help countries tackle that issue.

>> I will be like my other friend from Brazil that comes up.  On those points, brilliant, absolutely agree.  I think they're great.  The challenge I think often in terms of the reporting is that sort of law enforcement agencies are operating with kind of legislation that's maybe slightly outdated and so that's why they do have to sort of report these things as, yes, this was a fraud rather than this was a Cybercrime issue, which results in fraud.  But I'm totally agreeing with that.  And then in terms of the encouraging of reporting, again, absolutely couldn't agree more.  But I'm mindful of the sensitivities which are sort of a key element of this.  One of the things we established in the UK which follows up with the thing about the CERTs, in the UK, we set up this cyber information sharing platform, which Cristine will know about.  And it's a portal where sort of hosted by CERT UK where industry, businesses operating in the UK can securely communicate and discuss and share information about threats collaboratively to work on issues and solve problems.  But it's kind of sort of a vetted thing.  So there's that trust that the people that you are sharing your information with will treat it with the sensitivity to which you would expect.  So therefore these issues can ‑‑ with that caveat.

And another challenge I think maybe from sort of a government side and law enforcement side, in many countries they simply don't have the infrastructure to be able to receive such reporting.  So I don't know whether that's something that we could maybe fit in here at the risk of making it too broad.  But for instance there are many law enforcement agencies around the world that don't have their own infrastructure that allows PGP Emails for instance.  That's a major challenge.  I know we've had the same problem historically on some government systems.  And industry wants to be able to share information securely, so they want that PGP capability.  So it can be those small things that can make a massive difference at times.  So I just want to keep that in mind for those things.  Thank you.

>> MAKANE FAYE:  Makane Faye from African IGF.  I just would like to agree that there needs to be reporting and also I believe that this tackling of this problem can and should be done through the existing legislation.  So we cannot just go bring spam alone.  We have the African Union convention on cyber security, for example, which treated the unsolicited messages clearly as spam because they don't want people to be bombarded by unsolicited messages.

But the main issue by several is that reporting is not always done, especially from the ISPs.  And they could feel they lose their business if they say that number of unsolicited messages is going to my customers and so on.  So they're considering it.  And I think that is also not acceptable.

So using the CERTs also in Africa especially, you don't have CERTs everywhere, but we are having ISPs being put in place, especially during the last two years when the African Union put in place national ISPs and several ISPs in African countries.  So that could be a place to use and discuss this.  And in fact the practice I was referring to of putting a wall of shame was in the framework of ISPs into a country where then they share information.  In any case, they know what is passing, what is good and what's not good because we know that ISPs are scanning mails of people.  They can see mail coming from this person, they can know that the spam or unsolicited mail is coming or not coming.  If they don't do that means they don't want to do it.  But they know what is going on and what is going through.

And, finally, the need for capacity building is very important at the African level definitely.  Because most of the law enforcement officers, they don't have any clue of cyber security.  And they are the ones who are supposed to deal with it.  So if they are not trained, then definitely nothing would happen.

>> JULIA CORNWELL McKEAN:  Thank you, Makane.  Julia again.  I'm going to group together the next three recommendations because they are related, but firstly I'd like to thank Makane for helping us as part of this Best Practice Forum circulate a survey to members of the African IGF.

The survey, while it only had 15 responses, there were responses from many and varied countries.  And they did begin to give us a flavor for what the needs of our colleagues in Africa are as they are becoming newly online.  And not only the needs of those in Africa, but what maybe the needs for the next billion after that.

So draft recommendation 6 is that further attention ought to be given to surveying the needs of African and other developing nations but not only in dealing with the problem of spam.  To go to an earlier point.  But the broader issues of cyber security and cyber safety.

So I guess the point of that is that we need to ask people what it is that they want.  We shouldn't be telling people what it is that they want.  It's a partnership.  And to make a point that we made yesterday, spam is a global problem.  Their problem is our problem.  If spam is coming from any country in the world into our own countries, it's a shared problem.  So we should all be part of the solution.

Recommendation 7 is around capacity building.  And it's the recommendation that was the focus of our meeting yesterday.  And that is that there's a need for basic cyber security training, including in relation to spam mitigation in the African region and perhaps other regions of the globe.  And that meeting yesterday established that probably the needs are broader than that.  It's not just cyber security.  And indeed recommendation 8 goes a step further, which is that there's a need for education of citizens.  And that's not only in Africa.  We're talking everywhere.  Including children.  And that is relating to cyber security in economies.

So if anyone has any comment in relation to those, our survey of our colleagues in Africa and training initiatives both in cyber security and other matters, I'd ask you to come forward if you'd like.  Any of the panelists?  Thank you.

>> MAKANE FAYE:  Makane Faye from the African IGF.  In fact, when we started discussing the survey, well all the people in the room who did not participate asked if they can participate right away.  And if the survey time could be extended.  Of course that was not possible because it was already finished.  So they were eager to participate, definitely.  And so if you have any other survey dealing with unsolicited communication and other issues relating to cyber security, definitely the African communities would like to participate.

And during that meeting, we had, as I said, we had some police officers who took part in the session.  In fact, one of them was a panelist.  Unlike him, he indicated that most of his fellow officers do not really know what this is because he only started participating in the African IGF for the past three years.  So he's aware.  And they did some training also about the foundation and so on.

But most of the security officers, they don't have a clue, definitely.

And on cyber security in general, we believe that there is really a need for more massive capacity building in Africa for the law enforcement officers.  The Magistrates, some of them are going through some courses.  But for the law enforcement officers, the police officers and so on, a lot is to be desired.  Thank you.

>> TOMAS LAMANAUSKAS:  And also the context here I think it was before mentioned about this next generation already know what to do.  So that's also important when we did the training.  And again one of our experiences also not only to build capacity of children, build capacity of teachers and other stakeholders surrounding that.  So we have a project again in Africa where we work together with Facebook posts, helping, training teachers in how to recognize cyber security issues including Childline protection but also spam and also building children awareness.  So bringing all those stakeholder groups together.

>> JULIA CORNWELL McKEAN:  Any other comments from the panelists at this point?  No?  Anyone else?  No?

>> Hello, especially Julia, from Australia.  CAN, Consumer Action Network.  One we have been seeing a lot from lately, spam Emails which look like they come from your own domain.  So it looks like it comes from your photocopier or the camera or some other device that's sitting on your network detecting things that are going wrong with your network.  And here is this helpful message with a zip file that you only need to click and open and it will all be fixed and lo and behold apparently you then get cryptolocker and lose all of your data which if it gets loose on your LAN, it locks up all your company's data.

So I even found that one particularly challenging after 20 years or so on the Internet myself.  And I thought:  One of my staff is bound to click on this real soon now.  This is looking so obvious.  It even threw me.  Hey, is there a device here that one of my staff has installed and I don't know about it yet?  And so that was one which I thought was a particularly good one.

And so turning that around, the type of material that we now need to produce for consumers generally to explain to them what this type of thing becomes more challenging.  Building a good set of materials that helps people understand not only what not to click on, what not to open, but to understand what they've got connected to their networks and how that behaves.  That problem, too, is becoming more and more complex because of the wonders of the Internet of Things.

We now have devices connected onto our networks that we just don't know what they do or how they connect or who they're going to report to and using what protocol or how?  Any comments from anybody?

>> NEIL SCHWARTZMAN:  Oh, the stories I could tell you about baby monitors.  They fail.  They do so poorly.  And dare not block them.

Cryptolocking for those that don't know is basically when you click on a malicious link and the malware scrambles the content of your hard drive.  There is nothing, there is no force in this world that will get between a user and a click and that malware.  You can educate all you want.  What we need to educate, I think what Julia alluded to earlier is actually a basic set of fundamental safety practices for the Internet.

For instance, the answer to cryptolocker is "where's your backup?  When did you back up last?"

My computer backs up I think every hour.  Does yours?  Well, I see a whole bunch of yeses here.  Thank you.  They do.  Get yourself backed up.  That's the real answer to that malware.

That doesn't mean that there isn't going ‑‑ I mean, we know the current iteration.  I know Cristine says the current iteration also scrambles your backups.  But it doesn't go that far back.  You can always go back to prior to your infection because it cannot ‑‑ it cannot get to stuff that is already backed up.

But there are solutions.

But, yes, this is a horribly ‑‑ I have a colleague, a friend, somebody I know peripherally, a journalist who had been writing a book for eight years and lost his stuff.  And the only solution is:  Pay the criminal.  Get your stuff back.  And they do give it back.  We see police forces whose networks have been.

So, anyways, we don't want to spend too much time on this issue du jour because it really is.  It will go away.  Eventually the guys will get arrested.  That is going to happen.  They've messed with far too many people to not happen.

But, anyways, Cristine, I'm sure you have ‑‑

>> CRISTINE HOEPERS:  I'm just a little bit more towards litigating users ‑‑ because of the reasons they have.  They imagine that the risk is far greater than it actually is estimates.  So it's not really that you're getting users that don't even know what it is. "Oh, I will not use Internet anymore.  It's too risky."

You don't have any idea what it is.  You tell them.  Oh, that for me is acceptable.

So I think that we need to have education.  But for malware in this form, really a little bit further dedicated to professionals, and I would like to focus on professionals.  We need to educate university professors to educate programmers, everyone.  So all those are behaving badly, are being wide open and are using poor protocols because people don't know better.  They are just doing a very bad, bad, bad work.  So it's really a nightmare that you have all security cameras and botnets, that you have all the CPs participating in botnets all this mess going around because people were doing very, very dumb stuff when they were programming that.  And they say "oh, really?  That can happen?" so there is a lot of awareness that we need to do to professionals.  Don't presume that they have a degree in a technical area, that they will understand what they are doing will have an impact in the long run.  So educating professionals.  We go for a lot of stuff.  But this specifically I've been receiving ‑‑ in the form of that they have a message for me.  So I'm receiving that, yeah, that you receive a message in your telephone.  Click here and listen to it.  And the cell phones actually send you those messages.  So if you have a voice mail.  So they are just mimicking like the idea that oh, this is great.  And then we could go for all the technical stuff for spam that actually would provide more reputation for Emails.  Maybe if all organizations moved to DMARC and all the devices would use it, they could still send an email but maybe I would not receive if it was not actually coming from device from my network.

So there's a lot of technology developed for spam that could be used for security in general, too.  But then people never heard of it.  So I think it's really one of the points that really we need to discuss best practice in a more broader way, yeah.

>> JULIA CORNWELL McKEAN:  I'm conscious of the time, so I'm going to mention the last three recommendations and then look for people to make their final comments.

So recommendation 9, which is one that we focused on a little bit yesterday in our discussion about training, and that's that industries affected by spam, phishing, et cetera, must continue to evolve in order to protect their own reputations and to ensure that their own customers do not become victims.

What was provided yesterday to add was in fact they should be paying for training.  They should be putting money into making sure that people know how to use the Internet properly.  And we're not just talking about users.  We're talking about technologists, we're talking about those who build infrastructure, those who write software, those who provide hardware.

Leading to recommendation 10, it need not be expensive, however, to give advice to those that are newly connected.  And the report has provided a couple of short lists, some simple things that can be done at low or no cost.  Basically to very much start.  And it's my personal recommendation that a few people could get around a table and could probably put together quite a number of 50 things, for example, that a newly online economy could do to help themselves out.  So.

So recommendation 10 is that further consideration should be given to producing simple lists of low or no cost things that newly connected economies can do to protect their infrastructure.

Then I'll move to the last consideration.  That consideration ought to be given by newly connected economies to a wide variety of multistakeholder arrangements, those that involve public and private partnerships and those that involve private and private initiatives in combating unsolicited communications and broader cyber security issues.  And you'll see in the report if you've had an opportunity ‑‑ or do have an opportunity ‑‑ that we cover off a number of those sorts of arrangements and indicate some of the successes they've had there.

So that's our recommendations.  Are there any final thoughts from our audience for our panelists?

>> Hello.  Again.  Just a couple thoughts.  Going back to the education one, sorry, I can't remember which one it was now, where it mentioned sort of an education for Africa, the African region and possibly broader.

I was just thinking, I mean, I know through the African IGF they did their survey, which is really, really great, but it's a global problem.  So would it be sort of better to maybe amend the text and make it sort of more global and less ‑‑ rather than Africa?  Everyone needs to continuously sort of develop their sort of education awareness.  So I'm wondering maybe if it's slightly fairer that it's fully inclusive rather than just sort of they say Africa.  Because everyone needs to continue work on this.  So just a thought on that one.

And then just a thought on sort of picking up on the previous points around education.  Actually, yeah, we need to do everything that you are recommending in the report.  But sort of picking up on the cryptolocker issue.  These threats are very flexible and dynamic and there's simply no way that formal education and training can keep up to speed with the rates of development of some of these threats.

So I think what is also important, particularly for the wider public, is promoting channels of communication.  Reliable channels, whether that be a CERT channel or whether that be sort of an industry partner like Team Cymru of the broader public of "this is where I go for my information."

So if we can develop that training, great.  But also that awareness of just like when you get up in the morning you flick on the TV and you go to the news channel so you can get your news.  If we can sort of promote the ingraining of that "I'm just going to check the updates on Twitter so I know the latest threat.  Okay.  I need to watch out for that."  Promoting those channels of communication might also help with the flexible awareness that people need in such a flexible environment.  That's it.  Thank you very much.

>> Markus, I was the coordinator of both the communication at the CSUN session, but I didn't have to do much.  So excellent.  Congratulations to your excellent work.

I would like to pick up on something Cristine has already alluded to, as well, that is more on the way forward.  I think the report, I think, the work done is excellent.  And we do have good conclusions.  But on the way forward, we had this discussion yesterday, we maybe need to refocus the work and there also seem to be synergies with CCERT work and this session will happen tomorrow on CCERTs but I think the final report should also reflect this and look at ways of taking this work forward.  Listening to the very good discussion, there seems to be appetite.  There seems to be a need.  And we have identified priorities for future work.  But I think we will have to think about how to operationalize it in the IGF context.  It doesn't just happen.  And however good the report is, however good the recommendations are, unless we have concrete suggestions on how to take the work forward, nothing will happen.

So this is my suggestion as a final input into the report that will then go back to the community.  We will have some time, two weeks for finalising the report after the meeting.  And we will have the discussion also tomorrow at the CCERT session on how to create synergies between the two processes and what may be the best way forward.  I don't have the answer, but I just put that on the table.  Thank you so much.

>> JULIA CORNWELL McKEAN:  So we have an online question.

"You can technically handle this (forged FROM header), but spammers are very creative. For instance, they can create an account "similar" to an account from your domain on gmail or another free e‑mail provider. So I also believe that we need to educate everyone, our technical staff to provide a better support on the matter, and our users to be smart enough to detect those kind of phishing messages." 

That's from Robson Eisinger of the University of São Paulo Brazil.  That's a comment rather than a question.

I'm conscious of the time, so can we all have on the panel a quick 30 seconds?

>> NEIL SCHWARTZMAN:  Okay.  Actionable.  I always thought computer viruses need an analog like the United Nations has, the WHO, a centralised organisation that deals with Cybercrime and stuff like that.

So when you talk about distribution of information, it needs to be international.  It needs to be an NGO or an UberGO that does this, not a commercial entity.  And Team Cymru, God love them, is a commercial  entity.  So I would like seeing WHO and taking that under serious advisement.

>> CRISTINE HOEPERS:  That being said, there is already an NGO that is starting to try to work like a cyber health.  That's the cyber green.  So we are kind of involved with that project because it's more ‑‑ it's really about how to count infections and how to have reliable statistics on infection.  So if anyone as a final note, we have a lot of things here.  Maybe we should add as another of the projects that would be cyber green project, cybergreen.net.  That is really a work on top of how is ‑‑ how the world manages to do the health, how to have people looking at the health of the Internet.  And in the way, a lot of what national CERTs do these days ‑‑ a lot of the national CERTs don't work with critical infrastructure, we work really as the CDCs of the countries.  We are trying to see where the infections are.  How do you go?  How do you disinfect?  And how do you promote health of the network?

So I really think a healthy ecosystem, instead of thinking about a more lock and block existence.  So we should move forward into that mode.  But it's really ‑‑ I think it all goes for moving a step further than just anti‑botnet initiatives, but how we can get our whole ecosystem more healthy, cleaner, more trustworthy and really needs to involve everyone.

>> MAKANE FAYE:  Yes, Makane Faye from African IGF.  Yes I would just like to focus on the capacity building initiatives which were referred to several times in the report, especially for African developing countries.  In fact, this is needed.  This year we had a special capacity building programme for African ministers for ICTs and communication provided by ISOC and DiploFoundation in September, this past September.

We have also the African school on Internet Governance which was holding its annual meeting and annual training the camp organized this year by the association of ‑‑ which is meeting the day after tomorrow.  And they have cyber security component in their annual training programme.  And they want to, in fact, step up the training several times per year.  And they go from region to region taking all the stakeholders together.

We believe that we need to enhance the capacity building activities and strengthen them and take care of what you are referring to here.  And the training of trainers also is very important.  And at all levels.  Because as you know, not only the users need it but the government also needs it, the technical community needs it.  So really capacity building programmes should be stepped up and existing ones strengthened.  Thank you.

>> NEIL SCHWARTZMAN:  So just to reiterate ‑‑

>> TOMAS LAMANAUSKAS:  What was already discussed, leading to the CERTs, seeing the spam as a broad issue.  I think to kind of see that.  And in that context.  And then the other thing, again, not seeing the capacity building and training as something that we need to help someone to do, you know, but that's our joint issue if we don't tackle it together, we'll be worse off together.  So we have to work together.  So I think that's just some parting thoughts.

>> JULIA CORNWELL McKEAN:  Well, I'll close the session by thanking all our panelists.  Did you want to say something?

>> WOUT DE NATRIS:  Thank the panelists.  I'm consultant for the UN and IGF Secretariat to assist this group.  And before we close, I would like to thank the lead expert and the experts, Julia, Cristine for a tremendous amount of work done.  So on behalf of the IGF Secretariat thank you very much.  But also the people who have not been in the room that have provided all the case studies that went into the report, have actually given the world a lot of best practices and are worthwhile studying and perhaps even following.

But first I would like a hand of applause for our lead experts that have done tremendous.

[Applause.]

>> JULIA CORNWELL McKEAN:  Okay.  Well that was what I was going to say.

[Laughter]

But I'll add my thanks to both Markus and their support throughout this process.  And we'll reiterate that a number of people helped in putting this report together.  It's been a project that's been ongoing and we still got a few weeks to go in finalising the draft.  So thank you for your input today.  I hope you've enjoyed filling in the ID rating sheets.  I'm looking forward to reading what you've had to say on those and appreciate your feedback this morning.  So thank you, everyone.

[Applause.]

[End of session.]