IGF 2016 - Day 3 - Room 3 - WS153: Lets break down silos in cyber security and cyber crime

 

The following are the outputs of the real-time captioning taken during the Eleventh Annual Meeting of the Internet Governance Forum (IGF) in Jalisco, Mexico, from 5 to 9 December 2016. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

  

>> WOUT DE NATRIS:  Hello, I think we're going to start.  Someone said we don't need to break down silos.  We just need places to meet and discuss points.  That is we have invited organizations around the world that are actually cooperating in a successful or near successful way or perhaps in a less successful way and striving to be better.  And hopefully we will have people who want to learn from our experiences.  We're going to try to extract in this 90 minutes some best practices and incorporation.  They will be questions that people can answer.  You can see that we have no panel, no presentation. 

And I'm going to start with a couple of questions.  And everybody is allowed to answer, but of course, I have organized people from the technical community, civil society, and they will be here.  And the only thing I've asked them is not to present on who they are or what they are.  We're going to try to find their best practices.  I'm going to cut someone short on a long answer because we only have 90 minutes to come up with the best practices.  Think of something new to the idea.  No one on the stage, no presentation.  We will see how this works, and we will put online these results.  So the first question is who represents government in this room?  A show of hands please? 

   

 

>> MAARTEN SIMON: I see seven people representing government. 

>> WOUT DE NATRIS: Who represents civil society? 

>> MAARTEN SIMON: 11 people. 

>> WOUT DE NATRIS: And who is here representing the technical community? 

>> MAARTEN SIMON: I see 11 people representing the technical community. 

>> WOUT DE NATRIS: And who is representing something I haven't mentioned yet?  NGO or international? 

>> MAARTEN SIMON: Five people are representing something else. 

[ Laughter ]

>> WOUT DE NATRIS: That sounds very good.  So we have something else in the room, and that is also very diverse.  If I go from there, you all started out somewhere.  A longer time ago, at the beginning of the internet, when it was commercialized, others perhaps more recently with more regular or newer problems that we run into overtime.  I'm just going to ask some people to reflect on what was the cause that your organization came into being and who would like to start?  Please raise your hand and the microphone will be walked up to you.  Every time please state your name and affiliation, please. 

>> AUDIENCE MEMBER: Hi.  I'm Barry, and I'm here talking about an organization called MMMAB working group.  We started out with just messaging, trying to do something about all the spam that you got in your inbox and expanding that out to the malware and then things that if you click on them they take over your computer.  It was a bunch of companies who provide e‑mail services and software and use e‑mail services who needed this problem fixed, and that's where we came from. 

>> WOUT DE NATRIS: And you're around since? 

>> AUDIENCE MEMBER: Since about 2003 or 2004. 

>> WOUT DE NATRIS: Thank you. 

>> AUDIENCE MEMBER: And I represent...  I'm not quite sure I like the term represent.  We're all associated.  I'm with the ITF, and that, of course, is the standardization organization for core internet technologies, and we've been around 30 years now.  Some of our documents have been around even longer.  So basically formed around documenting the technical solutions around the core of the internet. 

>> AUDIENCE MEMBER: Hi.  I'm president of In Hope, the international help lines for child sexual abuse online.  The reason we came to be was the fact that when the internet became bigger, we saw the problem of child sexual abuse material being on the internet.  And mainly the industry said we don't want this on our networks.  How can we deal with it? 

>> WOUT DE NATRIS: Please.  Ma'am? 

>> AUDIENCE MEMBER: I have to stand up.  Sorry.  My name is Christine.  I'm here, could be wearing several hats.  I'm from Brazil.  Around since 1997: I have active roles on teams.  I'm trying to create a team in Latin America.  I think Martin could talk more. 

>> AUDIENCE MEMBER: I'm Martin.  We have existed since 1989 and brings together internet response and security teams from all stakeholder communities. 

>> AUDIENCE MEMBER: Hello, everybody.  My name is Paul.  I'm here for internet jurisdiction policy network.  You asked a question why we were created, it was born in 2012 out of the need.  There was a need for a space that not only bridges the different stakeholders, but also the policies of human rights and cybersecurity in order to find solutions to the jurisdictional province on the internet. 

>> AUDIENCE MEMBER: The state department has been around for hundreds of years but my office has only been around for five and a half.  We were created to help implement something called the international strategy for cyber space that was put forward in the early days of the Obama administration.  It covers not only cybersecurity and also cyber-crime, internet security in cyber space, internet governance, internet freedom, development issues, and defense.  We realized that we had a lot of excellence in dealing with the strategies.  And the office was created to help coordinate those efforts from a policy perspective, not a particularly technical one.  To coordinate them across the U.S. government, how we were addressing these issues in global communities, but also be a belly button, shall we say, for coordinating the efforts with our international partners. 

>> AUDIENCE MEMBER: I'm with the Dutch registry.  I'm not going to explain why we were created and when, but there's an initiative that we have been involved in called abuse hub.  In short what it does is it collects abuse information and processes it and distributes it to parties concerned who are mostly ISPs and hosting companies.  Why?  The individual ISP and hosting companies made huge costs to collect the information but it was not specifically for them only.  A huge amount of information that they had to sift through and get the information that was relevant to their customers, the effected PCs and other equipment.  It cleans up the information and sends it to the specific ISP or hosting company.  There was a common problem that was...  that could only be solved by a collaboration and it was created about three years ago. 

>> AUDIENCE MEMBER: Hello.  I'm David, from the global expertise.  It was launched in 2015 at the global conference on cyber space.  The goal or the reason why it was launched is because on the global level, best practices on cyber capacity building, to bring them to the global level to make them available and accessible.  We're a very young platform, for now, like 1.5 years.  There's a lot to do in this area. 

>> AUDIENCE MEMBER: Hi.  We are the oldest regulatory organization in the world.  Capacity building through the western hemisphere.  Member states are from Canada to Chile.  We will promote national strategies, national exercises.  We had an excellent panel on awareness raising campaigns.  Working on research and expertise.  And of course, actually, our presence here, the idea of our presence of other firms and working with other partners.  Our member states recognize importance of working with other actors, private sector, technical community, academia in order to break the silos issues. 

>> AUDIENCE MEMBER: Hello, my name is Juan Gonzalez, department of homeland security, office of cybersecurity.  They work closely with the state department as the lead.  We do a lot of the internal domestic U.S. operations in response to cyber incidents. 

>> AUDIENCE MEMBER: Hi.  Michael Kaiser.  We're founded in 2001, actually directly after the 9/11 attack in New York because, by industry to work with our partners in government, because they realized there were infrastructure elements to that attack.  They were forward‑thinking people who looked ahead and said we've got to do things to educate people to protect cybersecurity and we have to do it by working together in collaboration, because that's a major silo that has to be addressed in our area of education awareness and there are many other areas that can be addressed in that way. 

>> AUDIENCE MEMBER: Hello.  Where do we come from?  Our community started back in 1989 kind of as a group exchanging experience building in the internet in Europe.  And yeah, we've...  well, I don't think we've been breaking down silos.  We started off as one big family so the silo is being built around us. 

>> AUDIENCE MEMBER: Hi.  My name is Carlos, and I represent the government.  And I am engineer and lawyer.  I'm interested in collaborations around the world.  To promote a culture of security and preventions. 

>> WOUT DE NATRIS: Anybody else like to join in?  Okay.  Then I think it's time to do our first identification of what leads to best practices.  I think what we saw here is that everybody has responded to some sort of a problem or some sort of a cause to start changing things.  And somebody took ownership of that problem.  I think we've identified that also.  Organizations in this room have taken ownership of that challenge in front of us.  And my next question is going towards that challenge.  Because nothing becomes a success out of itself.  So you basically often have to get through barriers to get people to cooperate.  And I would like some of you to reflect on the challenges that you have run into and how did you get over them to make cooperational success?  That may lead to insight for others if we know how to name them and put them in the role of best practices.  Who would like to start with the challenge?  Michael? 

>> AUDIENCE MEMBER: I think the biggest challenge coming from the technical community and communicating with people and what you would call other silos or other stakeholders as we normally refer to them is understanding that they might have a different perspective on the worlds you live in and that's really a start.  Realizing that somebody might see things differently.  Once you've got depth covered, you start building the dialogue.  But first of all realize who you are talking to and where they are coming from. 

>> WOUT DE NATRIS: So an open ear and open mind.  Who else? 

>> AUDIENCE MEMBER: I think that many of the challenges are very common to any kind of collaboration.  So there is trust or lack of trust in the beginning, so that's one of the challenges that you have to solve.  How do we get the different parties to trust each other?  Most of us will recognize that in the end, that's an individual process.  Trust is between people not organizations.  So you need some time to develop relationships between the people who are at the table.  There has to be a shared sense of urgency and responsibility.  At a certain time there has to be a division of roles and tasks and responsibilities.  And I think the challenge of all challenges in many of these cases is you need means, money.  We see all of these good intentions, but the willingness to pay is difficult to find.  I agree with you.  That is one responsibility that very often an individual organization has to take this first step in.  Okay.  We find it important.  And very often another organization or a few step in.  And then what just mentioned, there's a good example of that.  It started with us, the registrar.   So members pay a fee and now it finances itself.  But you need a few people that really believe in the cause and are willing to stick out their neck and risk some money and get things going. 

>> WOUT DE NATRIS: Thank you.  Before we respond, who recognizes what he is saying?  That at first it's about trusting one another as people and not as organizations?  Who recognizes that in their projects?  Nearly everybody agrees with that.  What about the financing?

Not everybody agrees.  What's your experience? 

>> AUDIENCE MEMBER: Of course, different organizations work in different ways.  For us, for instance, it's about like the implementers coming together and trying to do something.  They have their jobs and they have their ways of building software.  For those people to be interested in making a fix or making an improvement. 

>> AUDIENCE MEMBER: But somebody has to finance that in the end.

>> AUDIENCE MEMBER: Yeah, but it's indirect.  It's not that our organization, for instance, needs money to do some particular improvement.  The vendors who build a browser, they feel that they need to serve the customers better.  And that's why they come together to make standards.  I  it's not a direct, it's an indirect situation.

>> AUDIENCE MEMBER: Maybe it's more direct than you think.  We believe in your cause so we send people and we pay them salary, hotel costs and the trip.  So I think you proved my point. 

>> WOUT DE NATRIS: Do others want to go back to the first question?  Okay.  We'll start up front and go to the second row. 

>> AUDIENCE MEMBER: When we're talking about cooperation, the point that I want to make will touch on the cost.  What we usually see are people...  and overcomplicating how much you need a very big budget.  And of course you need budgets.  Usually people ask for someone to make something.  And in a national avenue, most of our projects are voluntary in basis.  You have people volunteering their time.  You have them volunteering a little bit.  But you don't need like a big project for people to cooperate.  It's much more willingness and this is more project of cooperation to create trust.  We have been running a specific project in Brazil for 13 years now.  We just have our time.  It's all volunteers.  We engage people from private sector, universities, operators, ISPs, and it's a project that has been creating a community of trust in the technical capacity.  You slowly create trust.  We also see a lot of people that want the recipe or they want to sign an MOU and cooperate.  And that's not really how it happens.  So I think it goes for trust, but it also goes for everyone putting in a little bit of money and not necessarily like huge costs. 

>> WOUT DE NATRIS: Please state your name. 

>> AUDIENCE MEMBER: Sorry.  Christine. 

>> AUDIENCE MEMBER: Um, Martin.  One thing that I wanted to add is outside of cost, there's also scope.  So when First got started initially, it was five members and those five members could work together very easily because they knew each other and they could do anything.  They had very big goals.  Today First is over 350 members across the world, and there are many governments there that may not want to share a lot of information with each other or those organizations that don't really see sharing with each other as a primary goal.  So one of the things that we see we have to do now is we have to build smaller groups within First, which we call special interest groups, where people actually get together in a smaller group to solve one specific problem.  And quite often that problem isn't contested.  As they work on the smaller problem, they get to know each other and trust each other better.  So that's growth and something that we have seen be very successful. 

>> WOUT DE NATRIS: Thank you. 

>> AUDIENCE MEMBER: I want to pull on the able to share.  That is a part that I have been thinking about a lot.  Everything has to be discussed openly and I'm wondering how much we're losing?

Occasionally I hear rumors that there are people who don't want to talk about this because they would have to do so openly.  And how can we solve that?  That would be an interesting.

>> AUDIENCE MEMBER: Is that the technical community?  Is that people chip in a little bit each and every one on commonly perceived technical problems that make the internet run?  And what the last person was talking about is something that expands normal boundaries of corporations like competitors exchanging information that may harm each other where one is unwilling to cooperate.  That takes more effort to get together than where everybody agrees on the common problem.  Is that something that this room recognizes in any sort of cooperation that you've had?  Or is it just coincidence? 

>> AUDIENCE MEMBER: I'm from InHope, the Dutch Hotline.  Actually, it is who owns the problem, actually.  If we look at child sexual abuse material, in the beginning, ISPs said we don't want this on our networks, but we also don't want to be the judge of material.  So they established the Dutch Hotline, which was the first in the world to deal with this material, to check it out.  Then we engaged the problem that the police thought it was their job to do it.  The fact that we do it anonymously made us more desired than the police.  Now we see the problem that the internet service providers look at it like hmm, is it still a problem?  So we're also in regard to funding looking at a situation, which I think is a common problem of the whole society, and we should deal with that.  But we find it very hard to get funding because everybody is pointing at everybody like okay, why should I pay that much?  Why can't he?  So we hear internet service providers or mobile providers say ask apple for money.  It's their computers.  So it's still hard to break down those silos when it concerns that. 

>> AUDIENCE MEMBER: Hi from the state department.  Trying to pick up on a few things that people have said and hope that what I say has some applicability not just for governments for the six of us or whatever are in the room with governments but is applicable to others as welt.  We found it was difficult to move very, very far ahead in programmatic efforts to combat cybersecurity from the technical or policy side.  When there was competition or concern about turf or concern about resources and money and there seemed to be not common cause, necessarily.  People didn't feel like they were moving towards a common goal.  And so, you know, unfortunately, we've had several incidents in the last ten years that have given us more to common cause, which isn't good, but we have used it to find a way to have higher level attention in the government.  But I think that applies businesses or organizations as well who might not have thought that the cybersecurity thing was a problem for them.  So for higher level attention, also creating a mechanism for collaboration that takes the coordinating role out of any of the vested interests and creates a neutral party to help bring the parties together and be more of a team.  So the international strategy was not written by any one particular agency in the U.S. government.  It was coordinated by a neutral party, the White House still.  And brought all the players together so they all had buy‑in and input from the very beginning.  I think while it was a very government thing to say, I hope there's some applicability for other kinds of organizations. 

>> AUDIENCE MEMBER: Barry Lemi talking about MMMOG, talking about whether the IETF is missing something by being as open, the IETF has a different focus than an organization such as MMMOG.  We need the standards to be open and we need the work to make the standards open.  MMMOG is looking at best practices.  And when you're building protocols to secure the networks, you do that in an open process.  When you're trying to develop best practices, you need to be Frank about what the problems in your own networks are, and what the problems on your own networks is.  And companies are not too willing to be open about that publicly.  So we have a more closed environment where the deal is that you're open about it within the organization, and then that's used to develop best practices to recommend to other organizations about what to do in their networks. 

>> AUDIENCE MEMBER: I think that common cause is another word that we had to put down.  I see Michael Kaiser and Marco and others.  So everybody wants to talk.  Very good. 

>> AUDIENCE MEMBER: I will be really quick.  I want to reinforce a couple of points.  We act as a neutral third party and we see other neutral third parties.  It dove tails into another issue around anonymity.  In order to break down their silo, they were able to scrub data coming from one place and give it to another place because they knew the other place really needed that data.  Here is all the credit cards that got lost in a recent data breach, we're not going to tell you which one, but they're your credit card owners and you should have it.  You don't know where it came from but now you have it and you can act on it.  And having an intermediary is important. 

Let me say about the common cause, I think it's absolutely critical that we work in a public private partnership.  We start with a narrow focus.  All work and trying to educate people going off like spokes on a wheel, right?  Come together, work together.  Share the IP that comes out of that process.  Share the expense of delivering the message out so you don't have to give money to one place.  People can use all of their resources to do the things.  So there's a lot in the common cause.  And the neutrality, there has to be an expert in the middle. 

>> WOUT DE NATRIS: Thank you.  They are a great example of such neutral organizations.  When abuse hub was in its incubation, the ministry of economic affairs asked ECB to be the Secretariat and provide the neutral table where everybody could sit down and discuss the common goals.  And there they built the trust to do it a couple of years later.  That is something that we need to do have many times.  I'm putting my hat back on. 

>> AUDIENCE MEMBER: Just about cost.  We had a session on capacity building projects.  And one of the things that we have, I identify with them is that the funds are decreasing.  There are actually key organizations and donors like the United States and Canada that have to actually be the response to especially developing countries, and they need to recognize that actually they need to chip in.  And what we have seen in the region, the funds are there.  There is a need to coordinate and see how they coordinate spending on cybersecurity issues.  Many agencies just spend money on the same things.  They just don't go making the expenditures.  Trying to reinforce what Michael was saying, the importance of partnerships, we recognize that within our countries, for example, in Brazil.  It's a nonprofit organizations, and it's a successful model.  It's excellent service.  That model could be replicated in other countries.  So that's not another example of how developing countries take advantage of that common cost.  At the end, it's who is going to pay the bill, and where is it going to come from?  And the answer is the funds aren't there. 

>> WOUT DE NATRIS: Next?  Here and then here. 

>> AUDIENCE MEMBER: I will keep it short.  I think besides the common goal there are two elements that would add for being corporation successful, and that's some sort of equality between the people who are cooperating with each other, and getting resales.  That is also very important element to make it work. 

>> AUDIENCE MEMBER: Thank you very much.  The internet by and large is privately owned.  The infrastructure is privately owned.  The place that we're looking at, cybersecurity and cyber-crime is largely commercialized.  So I want to challenge your notion of the comments is that some people will have a commercial advantage over others by having certain information about vulnerabilities because they need to outperform the others whether that's a virus or firewall company.  As much as I want to share it, I wonder how far the sharing is worked against by commercial interests.  We all want to make the internet a better place but some people want a large sum of money, and I think that's knowledge about cybersecurity. 

>> AUDIENCE MEMBER: This is Paul from internet and jurisdiction again.  I wanted to add one nuance to this notion of having a common cause.  Especially in the context where we talk about multi‑stakeholder cooperation, one element that is often underestimated is the importance of framing the issues and framing in a way that transforms the issues that the actors have with each other into a common problem.  Very often this is something that is overlooked and where not enough time is allocated.  One of the reasons for efficiency in multi‑stakeholder cooperation in bridging groups is precisely taking the time to find common framing, defined shared vernacular so we all talk about the same thing.  And this is the prerequisite to have a shared vision of what can be achieved.  So this, I think, is something that is often overlooked. 

>> WOUT DE NATRIS: One example...  I'm asking a question to Paul.  Can you give one example where you noticed that it didn't work?  And another one where you said okay.  We discussed it and then it went forward from your experience? 

>> AUDIENCE MEMBER: We are addressing the jurisdiction issue, right?  I think for addition, historically, the problems is that the companies or the governments promised the companies, Civil Society had problems with how the companies were dealing with those issues.  So if you have the triangular relationship between the categories of actors, each was in a confrontational mode and most happened on a bilateral thing.  Through dialogue it has become clear that they have problems in common.  And if we want to preserve the nature of the internet, we need to find solutions.  So I think our experience was that there was a real transformation and we had the global internet and jurisdictional conference two weeks ago.  There was a key message basically that the actors understood that they have a problem together that can only be addressed through cooperation. 

>> WOUT DE NATRIS: Thank you.  Okay. 

>> AUDIENCE MEMBER: I wanted to jump in and give a concrete example.  The work we did in Brazil was not easy.  It was to implement the very technical thing that was board certified management.  There were a lot of problems and people who didn't want to implement because of cost.  They were afraid that the telecom regulator would find them if they would do something.  There were some consumer protection organizations that were thinking that someone was taking out their liberty of choosing what port they wanted to send mail on.  As a framing, we participating coordinating technically.  The one who implements all of the direction that is the most stakeholders.  It's formed by civil society, academia, technical community, government, non‑government members who are elected, and we usually are the ones that people look for to be the neutral ground.  You have all of the stakeholders in that ground.  It is helpful.  So at the end, at the end of those years, we talked with judges, with prosecutors, with consumer protection organizations, the government organizations so the consumer protection gave official statements saying that that would not be a problem and we have other people working with the technical community.  We have some other organizations that join in because you want to understand what were you doing?  So it was a very fruitful work.  It is difficult.  Usually the technical community thinks it takes too long and is not worth it, but it is.  After we had this discussion, now is when you have to discuss other topics, they point to the model of seven years but now it didn't take seven years.  It takes like a year or less.  So I think it's worth the time to get to stakeholders, which means getting everyone to understand and really having the discussion to discuss okay, We have a common goal.  Everyone has an angle.  The businesses don't want to spend money.  The civil society thinks that someone is doing. 

>> AUDIENCE MEMBER: And it's a process of years, but it does pay off.

>> AUDIENCE MEMBER: Yes. 

>> AUDIENCE MEMBER: Maybe, well, I think one of the major components of many of the examples we have heard is the sharing of information.  The larger the group, the smaller the willingness to share.  Michael mentioned an example and gave maybe the impression that commercial interests are bad but I don't think he meant that.  I think he gave an example that there is a chance that the...  there are possibilities where security information is being shared.  I love the phrase if you have to be secret about your security, your security probably sucks.  So when there's a security incident, people are very unwilling to share that information with a larger group.  As a vulnerability, we want to fix it first.  But then there's a low willingness to share the information because there was a hmmm‑up.  We don't want anyone to know that we did something wrong.  We fixed it but don't want to talk about it.  I think one of the obstructions in this kind of collaboration where it's about sharing sensitive information is that first, maybe damage can be done to your organization, and after that, the risk is taken away, damage can be done to your reputation. 

Another typical example where there is sometimes a possibility to share information is in the relationship between governments and private organizations.  We have our national cybersecurity center.  We collaborate with them as many other they are limited by law and other factors, most of the time by the simple fact that they are not supposed to share information.  But they have to act upon it. 

>> WOUT DE NATRIS: We have a remote comment or question. 

>> MAARTEN SIMON: It is a question for Michael.  How can we assure the security on a private network? 

>> WOUT DE NATRIS: It's a question for Marco.  Raise your hand to get the microphone. 

>> AUDIENCE MEMBER: I got distracted. 

>> WOUT DE NATRIS: Repeat the question, please? 

>> MAARTEN SIMON: How can we assure the security on private networks? 

>> AUDIENCE MEMBER: How can we secure the security of private networks?  If it's truly private, then the part of securing it is mostly physical.  But a private network, is in essence, by design, secure, until somebody breaks in because then it's no longer private. 

[ Laughter ]

>> WOUT DE NATRIS: Okay.  I hope that answers your question.  I'm going to go to the next question I have, and I would like to ask you to reply in one sentence.  I think on this topic we could be here until tomorrow morning and probably still not stop talking.  What was the major break‑through in becoming a success?  What was the biggest hurdle you had to take?  I will start with Barry.  Looking back, what did you have to breakthrough to become a success? 

>> AUDIENCE MEMBER: A success in sharing...  I don't know that I would call it a breakthrough, but it was realizing that allowing people to share freely within the organization and trust each other to keep it within the organization and using that to make recommendations that benefit outside was the key for us of not acquiring people to share information publicly, but to feel free to do it within us. 

>> WOUT DE NATRIS: So trust and making sure that it doesn't escape from the organization?  Okay. 

>> AUDIENCE MEMBER: So I'm not sure these are break‑throughs either, but where we're being mostly successful is where we can get the different parties together that it's not just say the browser window and someone that does things and runs networks under and who build, you know, devices that operate on the traffic in the middle and so on and so forth.  So that's the really crucial thing for us, at least.  In doing anything that you get different parties in there. 

>> WOUT DE NATRIS: Making sure people come to the place where it's at. 

>> AUDIENCE MEMBER: I think that would be the moment that we had an agreement with Dutch police law enforcement about handling the material and analyzing it.  The police felt threatened in their position.  Now we have a protocol in place that is legal.  We have a protocol in place with the public prosecutor that they will not prosecute us until we follow certain protocol and regulations. 

>> WOUT DE NATRIS: So establish protocol when necessary. 

>> AUDIENCE MEMBER: I think in the case, it's a difficult question to ask.  My observation is it is probably.  If you organize this, we will finance the starting of it.  That was kind of recognition that gave the conviction that they were on the right track and should really get this thing on. 

>> WOUT DE NATRIS: So some support at the right moment in time by a key actor. 

>> AUDIENCE MEMBER: I think that issues such as trust and recognition are very important.  This is an ongoing process is being able to involve a critical mass of actor s that agree on a framing of an issue and are willing to work together.  I think this is really important to reach this sort of critical mass of actors. 

>> WOUT DE NATRIS: Thank you.  >> AUDIENCE MEMBER: I would say in the case of what I would call successes, the common vulnerability successes are where we created the framework, the opportunity, and the location, and someone really passionate stepped in and used the stools because we were the best place to get the job done.  That is what led to success for us. 

>> WOUT DE NATRIS: Thank you. 

>> AUDIENCE MEMBER: In the case of this, number one is to gain trust, not to break the trust, and learn how to share information and foster people sharing the information.  Another key was as we are tied into or perceived as a neutral organization, multi‑stakeholder, that helped a lot too gain the trust.  But you cannot betray that trust.  You need to do hard work to maintain that. 

>> WOUT DE NATRIS: So an anonymization of data.

>> AUDIENCE MEMBER: We act as a place where people share data with us.  We anonymize sensitive parts and share when needed.  People know we will not break that trust.  We share data that we collect in some projects that we have, but we help other people when they have data breaches or other problems with security and we act as a neutral point. 

>> AUDIENCE MEMBER: I want to touch on maybe an example in the cyber-crime area more.  And utilize the creation of the 24 by 7 network of law enforcement counterparts who...  we utilize an existing framework within the G8 for connecting law enforcement representatives and encouraging them to voluntarily share information, but using the framework of the G8 and the Budapest convention as an overarching frame.  But then saying this...  we're joining this network is voluntary.  But B, here is the incentive for doing so.  There's a reason you might want to join because not only can you come get assistance from others but you also get information from others when, you know, you might need it for something.  So the incentive is close collaboration.  An overarching framework, voluntary, and incentive for getting...  you get something back for your participation in this network or organization or whatever it may be. 

So that's one example, perhaps, from the cyber-crime world.  Sorry to do this, but I feel like we have sort of organically created a panel here, the non‑panel here.  And I want to encourage our friends in the back half of the room to join the conversation and provide some examples that we might not know about. 

>> WOUT DE NATRIS: That was my next question, but thank you for putting it up.  Also thank you for mentioning law enforcement, because that hasn't been mentioned yet.  And the G8 is another way that information is shared. 

>> AUDIENCE MEMBER: I just want to add in case it's not known to folks that it's not now just the G8.  The goal is to build it out in the 100‑some countries participating in a voluntary collaborative basis. 

>> WOUT DE NATRIS: Do we have more questions?  Please pass the microphone. 

>> AUDIENCE MEMBER: I have a question for the GFC.  What role do funds play in the breaking down tales on cybersecurity and cyber-crime? 

>> AUDIENCE MEMBER: Okay.  What is mentioned is there are several elements that are important, and I think what is important the most key elements I think is what we try to facilitate is knowing what the needs are of members, and also to be flexible.  It's a dynamic area.  In the end, it is true that funds are a scarcity.  So I think it's really important, and that's why we...  one of the ambitions is to put cyber capacity building higher on the political agenda from private organizations, from governments, to make more funds available.  And the second thing is if you have funds, you also have to beware that you don't have any overlaps.  So another thing that we do is to try to get some sort of overview of who's doing what on what topic, and maybe in the future, we can make better use of funds.  That would be one of the goals.  But yes, funds are really important and they will be more and more important in the future, and I hope we will have more from the global level. 

>> AUDIENCE MEMBER: Maybe other ideas.  The recognition that our member states have given the empowerment of private and Civil Society actors.  Of course, funds are important, but you reduce a lot of the cost, especially on capacity‑building projects, you reduce a lot of the costs when you work together. 

>> AUDIENCE MEMBER: I want to jump quickly back to something that was said.  You have to create value if you want to incentivize people to take part in anything, there has to be value to them.  Obviously, funds do play a role.  But I also want to link back a bit.  And I have another question.  When it comes to incentivize people, then the old rule of thumb is "Stimulate where you can; regulate where you must."  How far would you say is sort of having the involvement of a ministry in funding also might be perceived as soft regulation?  The ministry is stimulating knowing that the next step would be regulating.  I wonder if that played a role there? 

>> AUDIENCE MEMBER: I'm very willing to answer that question.  It's true.  Maybe not in this particular case, but I think we're from the same country.  This is a policy that our ministry very often applies, and I think it's a good policy.  They're reluctant to...  what's the word?  To regulate.  So they stimulate.  So if the private sector doesn't react, then they will regulate.  And they know and the private sector knows that regulation is always less effective than if we solve the problems ourselves and this is less effective than solving the problem together.  So I think it's the right approach.  So okay, let's try to solve the problem together.  We're willing to contribute by providing information, providing funds, providing staff, whatever.  The problem will have to go away and there will probably be collateral damage.  It's a recognizable approach.  Sometimes I find it a pity that such light pressure from the government is necessary to get the private sector moving.  But it seems to be a fact of life in certain cases. 

>> WOUT DE NATRIS: Now I'm going to turn to the back.  Who is here actually to learn from this discussion and to bring this home?  What is it that you would like to learn?  Anybody?  The panelists would like to learn, but we knew that from all the comments.  Who would like to share their experience or question to this natural‑born panel? 

>> MAARTEN SIMON: Maybe refresh.  Who heard something new and said hey, I'm going to try this? 

>> AUDIENCE MEMBER: Nick from the UK government wanted to government.  Nick is going to come in anyway.  See you tomorrow. 

>> NICK: Nick, UK government.  I have heard some interesting stuff.  What I've picked up is the importance of recognizing the value to your partner when you're trying to sort of stimulate an initiative and collaboration.  The importance of trust.  And that certainly is something I know myself when I used to do investigations and you're trying to engage with, you know, sort of industry players, ISPs, sort of cybersecurity professionals and developing that trust.  I understand that you may need to step outside your own comfort zone.  I think the only thing the UK government has probably learnt in the last four or five years or so is the importance of transparency about what you're trying to achieve, and I think someone mentioned that earlier.  Transparency about what you're truly trying to achieve and how you're doing that as well.  If you're transparent and open and sometimes those are very difficult things for governments.  If you're transparent and open as far as possible, people will be more willing to come on board and except the occasions when you can't be truly open. 

So I certainly picked up on sort of those things.  And those are things that we will take back and consider when we do our multi‑stakeholder outreach, our policy development processes and initiatives. 

>> WOUT DE NATRIS: Thank you, Nick.  The word transparency from the government point of view.  Another response? 

>> AUDIENCE MEMBER: You're absolutely right.  If I look at my line of work, we also work together with organizations like Facebook, and they have, like has been said before, big risk in their name being damaged.  So it's not only transparency, it's also integrity.  So every time when we report through either Facebook or another platform, we have to make absolutely sure that the image is unlawful or they might get the blame for taking down the material.  So we need to be really transparent about what we're doing so they can trust us. 

>> WOUT DE NATRIS: Thank you.  Just to come back somewhat jokingly so we can go to the pub and have a beer.  When we announced this workshop and fed it through several channels, we got a lot of responses from Pacific island states, Africa, south America, from Asia, and all of these people said I can't afford to the IGF.  And actually, they were very much interested to learn what to do because they were facing these sort of challenges that we're discussing at this moment.  That's why we've got to try to make some best practices based on your input and see how we can share that or perhaps expand on it in some way in the future.  So something will be done, and it will reach the right channels that we started out with. 

So it is not just us discussing it here because we can afford to be here and it does not mean that everybody else can. 

I have a final question, we will try to do a wrap‑up.  And I'm looking for help.  What is the thing that you would really like to achieve at this moment, which you are at this moment not able or not able enough to do.  I'm going to start with Michael, because you still like to tackle a challenge right now.  And what do you need to achieve that?  Raise your hand and get the microphone. 

>> AUDIENCE MEMBER: I think a challenge in the education awareness space, and I'm sure people have challenges in other spaces but the continued connectivity between all of us doing the work.  And how do we work together on a global scale that builds on the successes that we have had in many countries around the world not just the United States?  How do we share that information in ways?  And how do we build a community together?  Even with this fantastic internet, it's still hard to learn who everybody is, to develop relationships over long distances and to have the opportunities, IGF being one of them, to come together and share in an open way and find ways to partner and collaborate.  Maybe it's part of human nature, so that's part of it, too.  I think that's a challenge that we would love to continue to work on.  We're open to working on.  And do it in open, neutral, sharing, collaborative, towards the best end for everyone kind of way. 

>> WOUT DE NATRIS: Just one question.  You're involved with stop think connect and I understand you're reaching out to as much countries as possible to adopt that approach? 

>> AUDIENCE MEMBER: Not just adopt the approach to really make...  you know, the simple like what's a problem you have to solve?  The problem you have to solve is every single person who uses the internet needs to know how to use it safely and securely.  And not one of us will do it on our own.  We have to do this together.  So that's the challenge we always face. 

>> WOUT DE NATRIS: That's an important thing to note.  That's an important challenge.  I'm going to Marco.  You work with law enforcement, I know from experience, from my past life.  Are there challenges there that you still need to breakthrough?  Or are you happy with where you are? 

>> AUDIENCE MEMBER: There is always more to wish for and always more to build on.  I think we have come a long way, especially with law enforcement in managing the perception and expectations and actually get them to participate.  Law enforcement now sees RDRs as a partnership and the communities as a group that can actually make a change and participate to drive the change.  So that's an important part. 

To come back to more easier, earlier overarching question is like what would you sort of put back on your wish list?  And this is really for people to keep sharing and make sure that people can learn from our mistakes.  It was brought up very early in the past.  It's often security incidents.  A lot of these things just happen by sheer stupidity.  And it's really hard to sort of admit that you're stupid, but please do so, and please share that for other peoples to learn from so that would be the top of my wish list.  Keep learning. 

>> WOUT DE NATRIS: Thank you.  Who would like to be next? 

>> AUDIENCE MEMBER: I'm sure that there are many challenges that I could answer, but I will pick one.  We have as governments in our infinite wisdom over the course of years have instituted laws for very good reasons at the time to...  in the case I'm using to stop information sharing, essentially, or prohibit it.  And it has become a legal impediment to information sharing between companies or between companies and government or between government and the public.  And so what I would say is rather than finding laws that would continue to...  that would restrict or regulate, finding ways to either create laws or adjust existing laws to enable information sharing.  That's a challenge we have. 

>> WOUT DE NATRIS: Thank you. 

>> AUDIENCE MEMBER: Actually, I can add to that.  We see enormous amounts of material on the internet and we cannot do it by human resource alone.  We know we have a lot of techniques to solve the problem, but there are laws against it because it can also be abused, these techniques.  I would love to use the techniques to get the material from the internet, but then again, you have the privacy laws.  So here's a challenge. 

>> WOUT DE NATRIS: Is there a challenge for the oldest organization in this room, the IETF, that you still would like to conquer?  Or are you totally happy? 

>> AUDIENCE MEMBER: No, there's still work to be done in the internet security area, for some reason.  One challenge that is in my mind right now is it's easy when you have clearly separated things that we will provide you guys this and some other people something else and they're not going to conflict.  But many things that we develop have sort of consequences elsewhere.  As an example, we have been...  the work has been progressing further on more encrypted communication.  We worked on more efficient communication also.  And that has impacted network operators and their ability to do traffic management.  And trying to deal with the changes as we improve technology is sometimes challenging.  So that's an ongoing thing for us. 

>> WOUT DE NATRIS: Real world found you, in other words.  As a question, who thinks in your own private silo, you have open doors that are easily accessed by other organizations?

Who thinks that is working right? 

Okay.  Maybe I have to rephrase.  Your work within your silo because that's what we're talking about here.  Do you have your front door open?  And do other organizations walk in to discuss the tough topics with you?  Now can I see your hands please?  Okay.  How many?  Two? 

>> MODERATOR: I have seen 13 hands. 

>> WOUT DE NATRIS: Don't name names, just raise hands.  So that's a fairly sufficient. 

>> MODERATOR: Six hands on that side. 

>> WOUT DE NATRIS: So the others are happy with where they are.  I think we reached sort of a natural conclusion and within time.  I will ask for help in trying to define the best practices and scoring topics and specific definitions and names and bullets.  So I'm going to see if we can come up with something which will undoubtedly need a lot of improvement.  Because I don't have the assumption that we can do it all here, but I think it's the start of a discussion that may help move forward in those places where they're still struggle, what have you found? 

>> MODERATOR: I have written down a lot of keywords.  Let's start with trust.  I think that's the one that came up most.  It was set that for trust you need perspectives about each other.  You need to know each other's perspective.  You need equality.  Yep.  You want transparency and transparency is also sometimes hard because it might fight your commercial interests.  That's why integrity is also important.  You need anonymization.  And it's important to check if you're not threatening positions of, for example, law enforcement, but other organizations to make sure that they are willing to trust you and to work together.  And therefore it's important to step out of your comfort zone. 

It's important sometimes to have neutral bodies between organizations that need to work together.  And of course it's important to have aligned goals and a common cause.  And it's important to show to all different parties how value is created for everyone and to make sure that everyone gets something out of collaboration.  Apart from that, money is important, and to get money sometimes it's important to have an overview of everything that's happening and make sure that no one is doing the same work in different ways for the same amount of money.  And next to money it's also important to get recognition and a little push sometimes.  So, I think what's important is that, you know, transparency is also a big risk.  And not only for the reputation, so there's a risk by being transparent for your reputation, but there's also a risk for the damage of the organization.

And if you don't share, the loss might be the bigger risk of that part. 

So what else is if companies are convinced to work...  organizations to work together voluntarily.  It's important to realize how sensitive the issues are.  What was also said is it's important to stimulate before regulate.  So a quote was stimulate where you can, regulate where you must.  And also it was clear that stimulation was often the first step by, for example, when a government funds something that might indicate that if there's nothing going to be done, regulation is going to follow.  I think the last thing I heard which I found interesting was that we need critical mass to make something a success.  So I think that's some of the things that I heard that sort of came back by different comments. 

>> WOUT DE NATRIS: Thank you very much.  And I think he deserves applause for this. 

[ Applause ]

We've got final remote participant question. 

>> GERARDO PEREZ: For the record, it was the first question. 

>> WOUT DE NATRIS: I think we did something here which may have never happened before nowhere on the panels, no presentations, no slides, did you think this set‑up worked?  That we actually pulled out information which is valuable to the rest of the world?  Or should we do it in a different way if ever next time?  Were you comfortable in this setting?  And did you hear the things you were hoping to hear or expecting to hear?  So I think we did something right.  So with that, I would like to thank you very much for your participation.  I would like to thank everyone for making notes.  Our remote assistance, even the camera man and everybody doing the transcript.  And I hope you have a great IGF and stay here and a safe trip home.  With that I thank you again for your participation in this. 

[ Applause ]