IGF 2022 Day 3 WS #283 Capacity Building for Safe & Secure Cyberspace: Making It Real

The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.



>> CHAIR:  Thank you very much.  For the sake of time we will kick off.  And I want to welcome everyone to this session.  And this is session on capacity building.  And the session itself is capacity building for safe and cyberspace, making it real.  I think that word "real", you can put it in capital.  We need to make it real.  Welcome to this particular session.  We have a one hour session of this particular topic with me. 

Just before I introduce the participants we do have online participants and, of course, on site participants who are here in terms of the panelists.  And we also have our Moderator, that Kathleen Bei who will make sure we collect all the information and inputs that you will provide. 

    We also want it to be interactive.  So at any point if there are any issues or you have a question, we will give you ample time to ask your questions.  With the panel it is a very cross‑cutting panel.  We do have Sylvia Cadena who is head of programs and partnerships at APNIC Foundation.  Welcome. 

   >> SYLVIA CADENA:  Thank you very much for having me. 

   >> CHAIR:  Thank you.  And we also have on my left, we have Jacqueline Pateguana who is the clearinghouse coordinator at the GFCE.  Welcome.  And then we also have Kerry‑Ann Barrett, who is a service activity program with OAS.  Welcome.  I think you are muted there. 

    And then we also have Kaja Ciglie who is actually with Microsoft.  Welcome. 

    Thank you.  And then, of course, lastly but not least is my very good colleague, Andrea Calderaro from the European Institute.  And we just met last week.  Welcome.  Thank you.  So with that said and the panelists as we say we will give you time given that this is a walkup session, I have a red and yellow card in which you take too much time.  As we all know, it is important that we are able to assess the cyber capacity building, especially at a regional level in order to know what the discourse, especially when it comes to capacity building.  There are various factors that affect regional dynamics.  We know that countries do have different issues.  And it is important what culminates to these issues and how we are able to resolve that.  If you look at the speakers, they come from across the globe.  They have various experiences and varied experiences from working with them in some specific areas. 

    I'm sure you all benefit from their intellectual input.  And the plan for the panel and as I said earlier is to be very interactive and we should be able to cover this in good time. 

    So just to kick off, we do have at least three to five minutes for each of the panelists.  And I will start with you, Sylvia.  I am sure with the challenges in that particular region there are so many other experiences that you have within the region.  While you are very familiar with the global discussion on capacity building what would you put to point out as specific challenges for Asia and the Pacific region.  The floor is yours. 

   >> SYLVIA CADENA:  Thank you very much.  I hope that everyone can hear me.  And APNIC and we allocate ASSN numbers for the operator in the Asia Pacific, require to connect their customers to the Internet.  We have been around for around 30 years.  And since our beginning, capacity building is a part of the core of the DNA of APNIC.  The Foundation was established back in 2017 with the idea of expanding the footprint of the capacity building efforts in community building efforts that APNIC conducts both at the regional and global level.  As such, you know, besides this year, increase in the ‑‑ in growth in the number of users and the number of networks that exist in the region, that are in the demand of the Internet not only because of COVID, during COVID and now after COVID, we are still enduring it is this need of incorporating the Internet infrastructure as part of the development services in access for citizens around the region. 

    And that means that the 24/7 reliable accessible, affordable, stable, et cetera, that the Internet needs to be is gaining more and more pressure from the network operators that are working very hard to maintain and operate those networks in a stable and secure manner. 

    So that is the sheer growth is a really, really big challenge.  That in a region where multilingualism is everywhere you look, makes the maintenance and the training and the design of manuals, guides, and other techniques to be able to follow best practice.  It is a massive challenge because the technology continuously, continues to develop. 

    And it is very difficult for in many countries where English is not the main language, to maintain the level of engagement with a rapid change, especially the maintenance of security considerations around network operations. 

And then thirdly, the ‑‑ I think that probably one of the things that has changed very dramatically in the last few years and maybe my colleagues in other regions could share a little bit of their experience is that the reliance in terms of livelihoods in the delivery of Government services, especially during the pandemic, has also meant that something that was very useful and very important, especially in the cities and across the region became a much more critical resource for organizations and businesses that were in more remote areas where probably the infrastructure was not up to the expectations to be able to cope with that, with the growth and the needs of the community.  The number of people in Asia Pacific that move from city centers to work remotely in areas where they were able to live a life a little bit more freely outside of lockdowns, that also created additional challenges. 

    So I would leave it at that.  And I will pass on to the other panelists to see what their experiences are.  Thank you very much. 

   >> CHAIR:  Just before you go, I know you have touched about the need for infrastructure and you talked about the challenges, especially post‑COVID challenges or during COVID.  Can you come on the ‑‑ you touched a bit, lack of experience, and also the brain drain issue?  Could you touch on that as it affects the region quite a bit in terms of getting the expertise that you need in the region? 

   >> SYLVIA CADENA:  Absolutely.  I think that one of the most important things that I have learned in my 15 years living in Australia is I'm originally from Columbia.  So I don't know what they would say of the fact that I left.  So if that is brain drain or brain contributions in another part of the world, I don't know exactly how that works.  But I think that one of the issues in regards to immigration and development of capacity is that that ‑‑ the fact that someone leaves their country, it doesn't mean that they are never going to return. 

    And I think that that is something very special and very particular, especially in the Pacific Islands where there are a number of investments from ‑‑ especially from Governments that have supported high level education.  And are quite concerned of the fact that people go to do their University studies or, you know, master's, Ph.D.s and what have you and then they seem to believe that that talent goes and never returns. 

    I think what I have seen in the Pacific is that people do return and they return because they want to stay closer to family, to their traditions and to their own culture at some point in their career. 

    And that one of the issues that are super important to continue to develop is the pipeline to be able to attract the talent again.  Either through making sure that they can bring their pensions back in, so that they can afford to live in the places where they originally came from.  Or that they can, you know, slowly move to new ‑‑ other jobs and create jobs that will be attractive for people to come back.  And I think those pathways are still to be solved. 

One Government official from PNG that was visiting us tells something very interesting in a conversation where he said, you know, we just need to stop saying to people that if you train them they are going to leave.  Just ‑‑ you need to invest in them, otherwise nothing is going to change. 

    So I think that we need to stop being afraid of who is going to leave and just make things attractive for people to come back.  And for other people like myself that migrated from other parts of the world to serve a need in the economy where I live.  So I hope that I addressed your questions. 

   >> CHAIR:  Thank you so much.  And really want to thank you for being awake at this particular point in time.  I want to go to the OAS and Kerry‑Ann.  I know recently the GFCE and the Latin American and the Caribbean have organized a regional meeting which gives us more inputs on priorities of the region in cyber capacity building. 

    So Kerry, could you give us some of the specifics of that particular meeting?  I know this is somewhat of our domains.  And you are doing good work in that region. 

   >> KERRY‑ANN BARRETT:  Thank you for organizing this session.  I think I wanted to probably offer two perspectives.  One from the meeting and then to give some quick highlights from a report that we recently published with Cisco on workforce development.  And it was particularly geared towards identifying those gaps. 

    So for those who may not know who are in the session, the OAS cybersecurity program is the focal point for the GFCE hub for the Americas.  And in that capacity we organized the GFCE original meeting for the Americas a few weeks ago.  A part of that session focused on us bringing together Member States from across the region.  And during the session we presented the priorities for the GFCE coming out of the annual meeting and what the GFCE does in general.  And we challenged our Member States to actually identify some of the needs. 

Some interesting topics came out.  Member States did recognize more specifically that there is a gap between the decision makers and technical persons.  And the perspective that they provided was kind of unique because they identified it is not the technical lingo that's the gap.  But inasmuch as a lot of the decision makers are at the aging population and they can't identify with the information that's needed to make the decision. 

So oftentimes when I do present some of the technical challenges some of their bosses they don't even use a computer as often as they should.  The language is one challenge but identifying the challenges for bosses to be educated on why what they do is important and how it impacts the organization.  Another need that was identified during the session for our region was that there wasn't sufficient offerings on education concerning digital skills gap generally. 

    So cybersecurity being one thing but recognizing a lot of the degrees that came out of the Universities were not much in the skills needed for the employers when they go in to the actual jobs.  Some more general capacity building came out as a very strong theme.  And one of the things that we identified as the hub.  We are thinking to do a biannual call to the Member States to flag the growing needs.  We recognize that as we work with the GFCE the goal would be to continually have a rolling list of needs as they evolve.  Also wanted to just take a quick opportunity to flag that we published a report that actually did a desk research on workforce development in cybersecurity and the scarcity of talents and skills.  That's the English translation.  Recognizing there is an aging population in the region now.  Persons are now resigning because they recognize that there is a need to rethink what they do and to actually leave their jobs to find something more fulfilling.  The evolving technology there is a greater gap as Sylvia said she is off to another region.  May be more interesting for them. 

    And another thing that we noticed coming out of that research the pandemic reversed some of the gender parity that we had that was increasing in the workplace.  So while we started to see more women taking on roles in digital and cybersecurity we are seeing a reversal in that.  And because of that reversal we are now faced with context in the Americas where we have to be now focused on more concrete national strategies and policies geared towards including women again in to the narrative of employment. 

    And another thing that we saw was that there was a disparity between the offered demand in our region in the Americas.  Where you would have the job office being composed of those are just recent graduates and then you have the persons looking for experience.  We are encouraging so many students to go in to cybersecurity and get their skills, when they go out to the job market they don't have the technical background experience that the job market is requiring.  So there is a big gap in the Americas for that as well. 

And I think the final thing I wanted to highlight is that there is a lot of nonSTEM first graduate roots that students are taking.  There is still persons going in to nonSTEM jobs.  When they try to do a career change, figuring out what certification they need to pivot from having a degree in law, to now doing something that is more related to cybersecurity policy.  There is not a lot of guidance on that. 

    So I think in short, referencing the annual meeting what we were happy with is the needs identified during that meeting matched up with the research that we have done.  And I don't know if you have another question, but I will pause there just to see. 

   >> CHAIR:  Thank you very much.  She raises quite a number of issues, but what catches me is the mismatch.  In some regions you would find that that mismatch is always the language that is used.  And that is an experience that some of you in the room have seen whereby technical people do not necessarily understand what the point that decision makers want.  They will talk about money and elections.  That's what they want to hear.  But sometimes we talk about money.  (Off microphone).  It becomes lost in translation.  Before we leave you to go in terms of just pause a bit, are there any issues to do with duplication of effort, for example?  You have issues on duplicity of work and western resources.  Is that something you have experienced in the region during the study and during this particular meeting? 

   >> KERRY‑ANN BARRETT:  One of the things that came out from the Member States is there is increased interest by implementers and donors to provide technical capacity to the Americas.  So one of the things that we saw as a positive.  And if you have kind of flip duplication, is that we have offers, we have interest in the region to actually build capacity.  One of the things that we are hoping to do Member States did identify that sometimes many offers come at the same time about, for example, establishing a CERT.  So one of the things that we have been focused on with our Member States is to start to think about their different offers that could come, but you can take them at different stages of development of what you are doing.  So even as the GFCE hub in the Americas we have had last year something that was called a donors and implementers meeting where we actually had a virtual Round Table to start mapping some of the activities that they were doing and to just have a dialogue.  And we are hoping this will be an annual thing for the Americas. 

    We also worked really closely with Rob and our GFCE liaison to update the civil portal to start to map some of the different projects that are in the Americas.  So in short, there is some amount of duplication, but personally this is just me flipping my head to give a personal perspective on it, it is an opportunity and not a challenge.  Because what it means is that we can start to redirect the funds where we might say we are doing CERT development.  We might be able to redirect, if I have CERT in my project and five other people have it, we can say one person is focused on this skill set for this CERT. 

The next person could be focused on the provision of equipment.  The third person could be focused on building out subscriptions for them for the next two years or having a training program for the CERT.  So while some persons sees it as a challenge, I see it as an opportunity because we can genuinely look at seeing what the donors are bringing to the table and actually create a roadmap for the beneficiaries that are being offered there help. 

So in short, what we hope to do with working with the clearinghouse mechanism that the GFCE will have, and continuing to work with our donors and implementers, is to actually start to coordinate and using our role as a GFCE hub to start coordinating those efforts.  Has to be streamlined with IDB is doing and what Lackfor is doing which is one of the implementers in the region.  We could flip it to an opportunity. 

   >> CHAIR:  Thank you so much.  We appreciate the input.  Moving on we have covered quite a bit of the globe.  We have looked at the Asia Pacific and we had some insight.  And we have gone to the OIS side of work that is happening in Latin America and Caribbean region.  We want to focus in line with what Kerry has been alluding to in the clearinghouse process.  You have been looking at how you match requests and looking at how they can get their support from implementing partners or development partners.  Could you just give us some of the burning needs that are happening, especially in the region given post‑COVID and the priorities that have been changing? 

   >> JACQUELINE PATEGUANA:  Good afternoon.  First let me start by contextualizing what the GFCE does.  The GFCE is a platform for international collaboration for reducing overlap and for reducing duplication of efforts in the cyber capacity building ecosystem.  What that means is that we work within a community of over 170 members and partners.  We are ‑‑ our main mission is to push forward to ensure an open, secure free Internet.  And we do this by A, identifying what the resources are.  And who ‑‑ and who has the expertise in cyber capacity building.  And we have been doing this for the last seven years, since being founded in 2015.  A very young organization. 

    But for the last seven years we have been working on the supply side of CCB, which is like I said mapping who is who.  What they are doing.  And ensuring that those who are doing and are playing in this field are communicating with each other and are not duplicating efforts so that we can defend the agenda of making cyber resilience a reality for the globe. 

As a clearinghouse, this is one of the three tools that we have within the GFCE.  So the mapping is within civil portal which I think that Kerry‑Ann referred to.  You can see there in civil portal over 800 projects and over 750 resources.  And resources we are talking about frameworks, we are talking about best practices.  We are talking about reports on projects.  So if you want to be able to, you know, pinpoint what is going on, today you have an open resource.  This is a civil portal that is constantly updated by the members of the GFCE community and others. 

    And then we have the clearinghouse which is the tool that I am sitting with and responsible for.  The clearinghouse is a mechanism that allows for GFCE members to request support in terms of resources or expertise or knowledge from other GFCE members and partners.  So what we have seen is that many of the requests come from the Global South.  And as Martin referred here mostly from Africa.  And we have African members of the GFCE requesting support and sometimes most times I would say is orienting where to start the cyber journey.  And this is because many of the subregions within Africa are still under developed in terms of cybersecurity. 

    I think North Africa from the study that we did is the only one that is developing, but East Africa, Southern Africa, Central Africa, East Africa are underdeveloped.  So it is really about starting the cyber journey.  And realizing that is ‑‑ there is a wealth of ways to start and things to look at from technical capabilities to policy, to institutional frameworks. 

    So what do you attack first?  What is the recommended, best practices from those that have done it within the community?  And the clearinghouse is now in the process of facilitating these discussions in a south to south context, primarily.  But we do have implementers and funders and other technical expertise that sometimes comes from outside of the Global South as well. 

    And so we tap in to the resources that exist within the GFCE to make that come a reality for the requesting country.  To give a practical example, currently we are working with one country who wants to ‑‑ who worked with us in 2019 for the drafting developing of their national cybersecurity strategy in Sierra Leone.  We have identified funders and implementers, including consultants and development agencies that could support Sierra Leone with doing everything from assessments to developing draft of the actual strategy to socializing the strategy with Civil Society, academia, tech community, et cetera, within country until finally it was taken for approval from Government. 

    Today Sierra Leone is back with a clearinghouse and we are working some key items of strategy but also developing cybercrime capabilities and public outreach for society.  They already have the legal framework for cybercrime.  But now it is a question of informing society what is cybercrime.  Why is this important.  Why is it relevant.  What is within the scope of this instrument.  The act but then also creating capabilities within police and then judiciary to be able to tackle and, you know, this rising issue that they are having.  I will stop there. 

   >> CHAIR:  Thanks so much for that insight.  And I think for those of you who are wondering the civil portal it is quite an elaborate portal.  It has quite a lot of details there.  15,000 unique users.  You were talking about 820 projects that have been listed out there and roughly about 297 tools and other information that you can get from that civil portal.  Just before you relax a little bit I wanted to find out in the clearinghouse I know you have been there not more than a year, but I think you are getting there.  So the point is in the clearinghouse are you seeing more of the requests from specific aspects in terms of whether is it the CERTs that are being asked or is it just capacity building or strategies?  What's the sort of areas that you are seeing most being asked for? 

   >> JACQUELINE PATEGUANA:  I think within the clearinghouse because the needs have to be very clearly specified, so that we know how to best address and we can be concise in developing projects and mobilizing resources and expertise.  We see like I said, you know, it is really the beginning of the journey of a cyber capacity building. 

So usually countries are looking to define what their objectives are and what the roadmap is going to be for the next few years.  And part of the process, a strategy may be a deliverable given within so many months.  Part of the issue that we are hearing and especially from the community that we have created within Africa is that there is a need to sensitize and to get political endorsement for cyber. 

    So yes, you may have a department within a ministry that's responsible for it, but it is not clearly defined what they are going to do, resource they have and what are the deliverables they have to give on an annual basis.  And those ‑‑ when those same experts and people who have been assigned to cyber come to us, they want to be able to sit down with society and stakeholders that are relevant to define what is a roadmap.  Where do we want to go.  And once they have defined that roadmap, then the implementation begins on that. 

So it is I would say political endorsement would definitely be one.  And willingness buy‑in or getting that willingness from governments to see cybersecurity as a priority item.  Recently two days ago we had a meeting with African regional stakeholders, GFCE African regional stakeholders.  The second one was revision of legal frameworks.  So it goes in phases in terms of getting the buy‑in and then starting to develop the technical and institutional capabilities that are necessary to address what has been agreed at the top level with government. 

   >> CHAIR:  Okay.  Thank you so much for that insight and for any other information.  Clearinghouse I think most people can come to you.  There is no way we can development without partners.  Resources is critical.  If you have resources, finances, and having partners that's how we can be able to develop capacity.  So moving on, Kaja Ciglie I wanted you to give us a further specific role how the private sector in cyber capacity building.  And then if you can move just beyond that and how do you view the private sector in providing financial resources.  Over to you. 

   >> KAJA CIGLIE:  Sure.  Thank you.  I don't ‑‑ maybe I will start ‑‑ maybe I will start with some of ‑‑ like responding to some of Sylvia's point.  I would echo personally the need to ensure that individuals are able to go back home really resonates with me.  I am back home in Slovenia now.  Ensuring that you are able to ‑‑ your degree is valid in the country.  That you are able to get the pension like you said, I think are seen very straightforward but are actually massive barriers for people ‑‑ for people to move back home. 

    So I would wholeheartedly agree from my own experience.  In terms of private sector responsibility, responsibility and rolling capacity building, I really would not look at it at all as just a purse which is a little bit how you pointed that question.  So I wouldn't just look at it as a financial resource.  I would look at it more broader in terms of where the responsibility for the sector lies.  And I think that also for several reasons.  I think the ‑‑ the private sector, the technology industry is not just large companies.  It is, in fact, a majority of small companies.  And in particular those that operate domestically in smaller ‑‑ sort of not just transnationally but they operate in different countries around the world and implement a lot of the cybersecurity issues.  I think just don't necessarily have the resources.  But they are still an important partner. 

And I think I would think about this from a perspective of the private sector is responsible for a lot of the cybersecurity issues.  So there is a shared responsibility and I think we need to acknowledge it.  That means, you know, that is partly because we operate a lot of the technology.  Also means that we often see both threats and sort of trends both long term as well as sort of across different countries and environments that are not necessarily Ethiopia or Zambia or Slovenia but like across them.  And these can be really helpful inputs for defense. 

    I think the other thing as well sort of kind of the converse of it, we see a lot of the ‑‑ particularly the big multi‑national companies, see how countries are approaching cybersecurity resilience, capacity building.  And can sort of be a useful resource to be like maybe someone else has tried this idea and it didn't work.  And maybe someone else tried another idea and it worked really well.  Always need to take the local context in to account.  But I think it is important to think about not reinventing the wheel in this area as well. 

    And I think perhaps most importantly is, you know, we see ‑‑ we also see sort of the long term ‑‑ we drive and see a lot of the long‑term innovation in technology and sort of trends.  So we are able to ahead of time perhaps help with predictions and where investments would have to be made. 

    Sort of across a longer timescale.  Microsoft has tried and done a lot of these things.  I think in particularly over the last year just because we talked about scaling a fair amount, which is a really important aspect, in addition to sort of creating the structures and making sure the technology is available.  We've ‑‑ we have invested substantially across 23 different countries over the past year.  And we will expand it to more.  In terms of our cybersecurity scaling campaign and I will say it is important, it is important to think of us as a probably forced multiplier is a good word.  Someone that can instigate more quickly a particular process. 

In the U.S. we worked with community colleges to sort of really and really with a real focus on bringing in diverse communities, whether it is communities of color, whether it is women, just people from disadvantaged backgrounds overall, that in Colombia we are doing something completely different.  Figuring out how, you know, whether you can partner with someone like that to just kick start something.  And sort of then be able to build on it. 

    I think that's where industry can play a good role as well.  Some of it is making sure that we keep our own house in order but also make sure we make available tests, courses and not just for people who want to learn but also for educators, for teachers that they get to understand ‑‑ they get the skills that are the most useful on ‑‑ in our case the Microsoft platform.  So earlier it was mentioned a lot of times people go to ‑‑ go to schools and don't necessarily gather the skills that are required. 

    Hopefully, you know, our own effort to try and educate, raise awareness of what can be done and what should be done on cybersecurity when it comes to our own systems and make this freely available is a small contribution towards, you know, making sure that when people take the course they get the certificate.  They can then also get a job. 

   >> CHAIR:  Thank you so much.  I like the bit about the varied approach that Microsoft has to different countries.  But just, Kaja, before I let you go a little bit there, is it possible if you could just elaborate on the ‑‑ just the private sector's role beyond sales opportunities when you look at the global level, especially when you have demand and supply and bigger companies, taking more of the share, what's your comment on that, please? 

   >> KAJA CIGLIE:  I'm not entirely sure I understand the question.  I think a little bit like I said the role is as an operator of technology, as a ‑‑ as ‑‑ effectively as the ‑‑ I'm not going to say the main because I feel like that's a lot from a Microsoft perspective, but I think provider of services when it comes to, you know, whether it is critical infrastructure, whether it is school.  Whether it's other ‑‑ whether it is just, you know, conferences like this.  So I think the ‑‑ as sort of in that role, the companies need to ensure that what they are doing they are doing securely. 

    But ‑‑ and but ‑‑ I hope this answered your questions.  But I wasn't entirely sure about the sales angle. 

   >> CHAIR:  You have done very well.  You have answered it.  Thank you so much.  Of course, moving on to from the private sector there is also the component about the knowledge level from the University.  Andrea, I know you are a university person.  You have worked in capacity building.  What's your take on the concept of capacity building, purely from an academic perspective? 

   >> ANDREA CALDERARO:  Thank you.  Thank you, Martin, for loading me with the responsibility to represent the academic community.  I will do my best.  But it is a ‑‑ thank you also for the very timely questions, whether the concept of capacity building has changed over the last years.  It is timely because even in these days over the last few days here at IGF I was happy to hear many successful stories about capacity building issues and as kind of a good way to celebrate achievements over the last years, but as being a moment for celebration is also a moment that gives opportunity to reflect on what can be done even better, what still needs to be done. 

    And so you ask whether the concept of capacity building has changed over the last few years.  My straightforward answer is probably not enough.  Priorities have changed.  Moving back to the celebrations, it is true over the last years cyber capacity building is now at the center of international cooperation agenda.  Something that was not the case until a few years ago. 

    Now many support, a lot of support to countries, state actors to build their own establishing a Computer Emergency Response Team, drafting national security teams.  Even in the more recent years we start talk ‑‑ more than start talking, implementing kind of cyber diplomacy capacity which is another crucial component of capacity building and empowering companies to grow in international cooperation.  This is going pretty well but I think this is really not enough. 

    We really need to go beyond that.  I mean Kaja has also mentioned something that we all agree, protection of cyber regime is a shared responsibility between state actors, Civil Society industry.  But to make this real, I think this panel is called to make capacity building real, then we need to kind of translate this mantra in to concrete initiatives. 

    How to do that, we need to broaden up the concept of capacity building.  We need to move on beyond the state cybersecurity capacity.  We need to clearly engage more with initiatives that build capacity of industry.  I'm not talking Microsoft has a lot of capacities.  I'm talking about the industry that needs a lot of support in building capacity, not only their capacity how to manage the little industry but also capacity to engage with other stakeholders.  This in my experience is what is often lacking.  And the Civil Society ‑‑ academic represents Civil Society and there is a lot of capacity that is to be developed.  I'm not talking about the capacity.  We talk about developing cyber hygiene norm, but that's not enough to empower Civil Society to take an active role in this multi‑stakeholder approach to ‑‑ on cybersecurity. 

    How to do that again?  Well, it has been mentioned and it has been mentioned, Kerry mentioned that there has been identified as a gap, a knowledge gap.  And being a member of academia, I strongly believe in the role of science, of knowledge, production in fitting policy making processes.  This is already happening.  But this knowledge comes always most of the times from outside a country's context.  And this means that we need to invest more in developing master, Ph.D. programs but research.  To work more with academic communities in countries.  Also because when academic community will start to develop the knowledge that is required to build this national cyber capacity end point is going to be a bottom‑up approach and that context will take a stand on its own field. 

   >> CHAIR:  Thank you so much.  I think there are things there ‑‑ you mentioned there two things.  One is the multi‑stakeholder approach to capacity building.  And you also mentioned about the local ‑‑ going to the local level in order to build capacity.  Are you seeing that as a trend?  Especially in the communities who have built capacity or do you see going to the local level, meaning making sure that it is understandable? 

   >> ANDREA CALDERARO:  As I mentioned, make another comparison a few years ago.  And I remember the meeting we had here at the African Union, it was three years ago.  It was already difficult to engage with the data.  It was difficult to build cyber capacity building at the center of the national agenda.  And I think we are again at the moment where that's being done.  And we need to engage more with other actors in order to convince them that building on how important is their role in ‑‑ haptic role in contributing to cyber ‑‑ national cybersecurity framework. 

    So this is clearly something that needs to be done with other tools.  Building connection with a University is one of the ways to do that.  But also important to ‑‑ a way to know the need to engage with each other.  And not work in silos because this is what often happens.  Industry does industry.  Civil Society does other stuff.  It is the cooperation ‑‑ the cooperation is always very important. 

   >> CHAIR:  Thank you.  Some countries have to organize structures where they bring Civil Society.  There has to be some synergy across those silos.  We do have our online questions that are being asked.  I want to make sure that we are ‑‑ our Moderators are looking online.  Make sure you can let us know if there is specific questions happening. 

   >> SYLVIA CADENA:  I'm here. 

   >> CHAIR:  Thank you.  I wanted to catch your view on the issue of the approach, the neutral approach to capacity.  You are a big advocate for that.  If you can give us perspective for that or what you see as the pitfalls. 

   >> SYLVIA CADENA:  Yes, I think that some of the other panelists have mentioned a couple of things that are ‑‑ I would like to kind of piggyback on that and highlight also, about the importance of collaboration.  Collaboration that is meaningful and it is practical.  So trying to identify in what areas a particular organization is strong.  So that we don't have to reinvent the wheel as Kaja mentioned before I think is super important in looking at really concrete operational benefits of those collaborations are ‑‑ is something that is really important either I mean ‑‑ it could be ‑‑ just to give you an example, we are doing a really interesting project to increase capacity and visibility for women in LGBTQI technical members, staff of organizations in Asia, in Southeast Asia that are working on operations and security. 

And one of the more important aspects of this project is to ‑‑ has been to identify a vast number in the breadth of manuals, courses, webinars, experts that are out there.  And how they are ranked or valued in terms of the professional certifications that someone can achieve with them to identify which of those providers is the one that will give them more bang for their buck I would say. 

    So this project has been working with over 50 different training providers and APNIC academy and training don't need to know everything and how to deliver all those courses in all of those languages.  They can help to identify the needs for the person that is looking at improving their capacity.  Where do they have access to that learning and what is the best certificate that they can achieve, that, you know, will put them in the right track.  If the certification doesn't allow for them to have organizational experience, again that gap between being very theoretical and not having operational experience which is super important.  And I think that is one of the biggest assets that collaborating with the private sector can bring. 

    And instead the private sector can really welcome placements, support fellowships, internships to allow people not only from the Developing Countries but people that are acquiring high level skills to put them in to practice in a safe way with mentors and assistants and support.  So that whenever they go back to their countries of origin, they can deploy those skills in an appropriate manner without compromising anything that is already in use for the infrastructure of that particular economy. 

    I think that going back to the question about the neutrality, APNIC is a strong advocate that the Internet is for everyone.  And it is very important that we support an Internet for all, doesn't matter who is empowered and what's going on in politics, et cetera. 

    But I don't think the organizations in the region or anywhere in the world we can't be blind to the situations that are happening around the different regions. 

    Of course, the war in Ukraine is something front and center every time we open the news and we see what's going on.  And we worried about the future.  But I think the skills that people are learning in the various areas of network and security and operations are critical for peace and reconstruction and for stability. 

    And it is very important that the network engineers that are putting that expertise in use understand the power they have for a peace ‑‑ for peace to actually deliver and for benefits around the livelihoods to deliver for every single person in the planet.  So we need to, you know, a lot of the people that are working in this space do not see themselves as political animals.  And many of the technical voices in ‑‑ that do not come to the IGF because they think it is too much politics in the conversations, we need to encourage these folks to come to the IGF, the regional IGFs, to the national IGFs, to other spaces where the multi‑stakeholder collaboration and discussions will allow them to understand the importance of the whole. 

That is not only the little piece of code that they are working on or the little device they are taking care of or that cable that they are laying out is how it interconnects and they are part of what the Internet can or cannot facilitate for people in a particular place. 

    And we are ‑‑ we are what we build, right?  If we are ‑‑ sorry.  If we are just tools of aggression and how the expertise and security can be used, then we are defeating the purpose of making an Internet for all.  I hope that ‑‑ I'm sorry if it was too long.  Thank you very much for letting me put my two grains of sand here. 

   >> CHAIR:  Thank you.  So now we have heard about the perspective of the panelists.  I made sure we have some time for questions.  So most of the panelists have actually looked at issues.  Sylvia gave a lot of perspective, especially from APNIC's experiences in the Asia‑Pacific Region.  Jacqueline gave us a perspective of the clearinghouse.  Kerry‑Ann gave us a very, very interesting perspective on the studies that have been done in the Latin America and Caribbean region.  Andrea looked at the academic angle of cyber capacity building and multi‑stakeholder approach. 

I want to leave some space here for some questions.  We know there are questions online.  I have been informed.  If you can have the mic roving around yourself.  I don't know if they have a mic.  We will take a question from you.  Is that all right?  That's fine.  There is a mic there for you.  Please, if you can say who you are and organization, please. 

   >> AUDIENCE:  Thank you very much for the panelists and for everything you said, which is very important.  I understood that you are speaking more about capacity building for the decision makers, for project holders.  I confirm that those people need capacity building for safe cybersecurity because you know more ‑‑ a lot of them who don't care, don't ‑‑ who are even not aware of the threat.  But what about capacity building at the grassroots level?  Especially with the new technologies.  Everyone will be confronted with these kind of threats, these kind of risks.  And I think we have to perhaps address the capacity building at large for cybersecurity ‑‑ for safe cybersecurity, cyberspace, excuse me. 

   >> CHAIR:  That's a question for the panelists.  And then we can take one more.  And then we can come back for ‑‑ we can take three more.  Yeah, that's good.  So the panelists please note that one.  Capacity building at the grassroots.  That's an issue.  At the end there, please. 

   >> AUDIENCE:  Thank you.  Kenya ICT Action Network.  I'm interested to know about the type of courses that you have.  Whether they are accessible.  And by accessible I mean if someone was using a screen reader, can they access your content?  Thank you. 

   >> CHAIR:  That's a good question.  A question on how we can be able to access content.  I'm sure Kaja and probably somebody in the panel will answer that.  We also welcome any person in the audience to give us more information.  Another question there.  And then one in the back. 

   >> AUDIENCE:  Hello.  Thank you for the discussion.  What are the challenges that you face (Off microphone)? 

   >> CHAIR:  If you could hold the microphone close to you. 

   >> AUDIENCE:  Okay.  Cyber journey, what are the challenges that you face moving from one country to another? 

   >> CHAIR:  What sort of challenges do you get from one country to another?  Is that with respect how the country maturity in cybersecurity is?  That's a question for the panel.  Gentleman in the back, and then we can pause for the panel to take those questions. 

   >> AUDIENCE:  From Samoa.  Hi Sylvia.  I hope the APNIC team are doing well.  Just a few things I jotted down.  First of all, Sylvia's presentation about brain drain, I think it is a stigma we need to change.  I myself is a successful story from the Pacific APNIC, came in and that's the first time I heard this term cybersecurity.  I was part of the scoping mission for my country.  Enforcement of our CERT, Computer Emergency Response Team.  And then now I move to the private sector.  I moved to my own company.  We specialize in cybersecurity.  Getting educated is a good thing.  And there was a speaker on behalf of donors.  There was somebody said they were overlapping projects.  Just a comment on that.  I hope that the donors that are here at GFCE, APNIC and all the other donors they look in to the Pacific.  It might be true for other regions.  But we need as much funds that we can get for our little Pacific Islands.  And one more thing, Kaja said something about the private sector, private businesses, private sector. 

   >> CHAIR:  Yeah. 

   >> AUDIENCE:  She is saying that she said, instigate more quickly and I think that's very true.  That's part of the reason why I moved to private sector is that our Government was moving too slow.  And that's part of the reason why I moved out.  I did my own thing.  And now I'm trying to implement cybersecurity.  That's it from the things that I jotted down.  Thank you very much. 

   >> CHAIR:  Thank you for sharing with us some experience.  If I get it from you, that if you like your country that is a solution towards the brain drain, is that what you are saying?  Fair enough.  Pacific region.  That's good.  Okay.  Private.  So panelists, we have got something on the issue about grassroots.  Issue about access.  And issue about the journey.  So take it over. 

   >> ANDREA CALDERARO:  I can answer only two, two of the issues that are from the floor.  The grassroots, I mean that is exactly what I tried to emphasize with my ‑‑ in a few minutes the need to create a grassroots knowledge capacity to engage with either policy making process but also, of course, technical challenges and yeah, or develop also a local kind of industry that could take care of cybersecurity.  That is exactly what I referred to. 

    And engaging.  These actors need to engage.  This is something that is super important. 

    How to do that, I don't know whether you ask how to do that.  I have been discussing the role of academia, of research and actually this connects really well with the question on brain draining that I remember came from some ‑‑ okay.  Yes.  The brain draining, yeah, because in a moment in which ‑‑ a reason to stay, I mean Samoa, I'm sure it is a beautiful country but might be also other reasons to stay.  Economically sustainable in many ways.  And that's possible if only the people don't have a need to go away by creating infrastructure that make people stay and again University research and effort.  The brain is the home of many brains and that's where it is able to stay. 

   >> CHAIR:  Thank you for that.  Does any of the panelists want to take on the other issue? 

   >> KAJA CIGLIE:  Maybe I will talk to the accessibility question.  I would say I think in terms of ‑‑ I would say Microsoft has since 2016 made accessibility a priority.  So in a lot of our products and services whether it is Teams, with streaming the video service, Word, Powerpoint, Excel, et cetera, documents, they are accommodations that are available.  And we made it part of the product development lifecycle.  So it is a priority, but I will not say all of the trainings are accessible.  I think there is still a journey but definitely a priority.  And if there is anything if you ‑‑ if you explore them and you find that some of them are not, please feel free to e‑mail me.  And we'll take a look at it.  I will put the e‑mail down in the chat. 

   >> CHAIR:  Thank you so much for that.  There was also the issue around cybersecurity journey. 

   >> KERRY‑ANN BARRETT:  I will probably take that one, if possible.  Yeah, I think one of the things that is important is that term I have been trying to push a lot this year in to next year is intelligent capacity building.  There are certain common threads throughout the country.  There are some base commonalities between them starting up basic capacity.  You have to be intelligent enough and ensuring that industry which was going to vary from country to country.  Industries connected to education and connected to Governments to recognize that there needs to be that relationship and looking at supply and demand.  If I am hiring, requirements has these specific descriptions, but the degrees describe it differently, when there is a job advertised persons will be able to actually apply for it. 

    In terms of the journey from country to country, I think also looking at the fact that some countries may actually emphasize certain job skills more than others because of either the industry or how industrialized the country is or how digitized the country is.  Also recognizing that promoting career pathways within very specific lines of the country has to be tailored as well because I can't go to a country and be pushing a certain skill set in cyber if the technologies are not even available. 

Talking about 5G when the country is still using 3G.  And looking futuristically is one thing, but recognizing there are current gaps.  And the last thing I want to say about that is a continuous collection and evaluation of the labor market.  Recognizing that each country will have very specific workforce data that's available and start tailoring capacity building and workforce generally in terms of development towards that. 

    So I don't know if that helps answer the question or Sylvia, I don't know if you want to add. 

   >> SYLVIA CADENA:  Thanks.  Yeah.  Well, I would like to highlight something that you just said around the labor market inventory. 

   >> CHAIR:  One minute. 

   >> SYLVIA CADENA:  Yeah, because there are no inventories that tells us exactly how much network engineers and cybersecurity professionals are needed.  The STEM careers are bucketed in one go.  Trying to identify out of the different engineering is quite difficult.  The note on capacity building at different levels.  I think that the pathway is not only vertical.  It also needs to be horizontal when you want to learn and expand knowledge on a particular subject, but you became ‑‑ you can become more specialized.  I think that there are way too many generalists, especially in Developing Countries and that's where the challenges to deploy new services where they lack the more high level expertise.  So I hope that is helpful.  Thank you. 

   >> CHAIR:  Thank you so much.  We are actually running out of time.  I have just checked again, we don't have any questions online.  Some of you might have questions that you take the context or some of the speakers.  And you can be able to get in touch with them.  I know this is probably the last program for the day and everyone is a little bit tired.  So what we will do with those few remarks from the speakers that we have heard, especially from those of us online, we have heard quite a lot from Sylvia.  And thank you very much, Sylvia, for staying up all this time.  I think that part ‑‑ very late.  But thank you also, Jacqueline, for giving us an insight on issues to do with the clearinghouse, which we learned from the GFCE.  And how the clearinghouse works. 

And, of course, Kerry‑Ann gave us very insightful aspects of issues, especially in the Latin American and Caribbean regions on the challenges when it comes to capacity building.  And Kaja gave us an aspect that Microsoft is making.  And talked about different aspects of what Microsoft is doing in a project of capacity building.  Andrea gave us very, very good insightful aspects from academia and how we can do capacity building and involving other stakeholders.  With those few remarks allow me to thank our panelists and give them a clap, please. 


   >> CHAIR:  Thank you.  I also wanted to thank the Rapporteur, Elliott and also we have heard people behind the scenes, especially Kathleen who has been behind the scenes to make sure that everything runs smoothly. 

I know I didn't tell you who I was at the beginning.  My name is Dr. Martin.  And I was standing in for Marjo who had another appointment.  Thank you for giving us your time.  And I hope this has been helpful.  And I hope to see you at some point during this particular session.  Thank you.  Bye‑bye.