IGF 2019 – Day 2 – Convention Hall I-C – OF #16 Collaborative Multistakeholder Approaches In Cybersecurity

The following are the outputs of the real-time captioning taken during the Fourteenth Annual Meeting of the Internet Governance Forum (IGF) in Berlin, Germany, from 25 to 29 November 2019. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

 

>> GISA FUATAI PURCELL:  Good afternoon, everybody.  And welcome to the Commonwealth Coordination meeting this afternoon.  I was going to give another two minutes, but I think we should make a start.

Now, as we all know, cybersecurity is one of the global challenge, this global challenge needs everybody's efforts to make sure that our citizens and our people benefit from ICT development and also are aware of the dangers that come with it.

So we have among us honorable Pinky Kekana, deputy minister from ICT from South Africa.  May I call upon you honorable minister to open this session.  Thank you.

>> PINKY KEKANA:  Thank you very much Secretary‑General of the Commonwealth Telecommunications Organisation.  Gisa Fuatai Purcell but let me take this opportunity to acknowledge all the participants including our panelists who are here.  It gives us great pleasure on behalf of South Africa to be opening this session, and a very important theme and madam acting Secretary‑General.

Inclusive of the multi‑stakeholder approaches to policy making are not new.  They have been attested in a range of policy spaces including climate change, constructive industries, conflict prevention, and peace building amongst others.  In the Internet governance space, the Internet assigned numbers authority transition which in 2016 saw the US government transfer its critical and stewardship in the domain system to the multi‑stakeholder community was seen as proof that multi‑stakeholder approaches can address difficult and challenging policy issues and produce credible and working solutions.

One area with such approaches with obvious venue is in the development of national cybersecurity strategies, the NCSS, which are now widely seen as critical to our nations' economic and social well‑being.  To us the cybersecurity challenges that a nation faces are broad and interrelated.  This in turn necessitate an approach that leverages a broad set of expertise and engages a diverse set of stakeholders in the NCSS development process.  These high‑level commitments are reflected in a number of NCSS explored in this report.

For example, the Ghanaian government strategy which states there is a need to address fully all aspects of cybersecurity especially the multi‑stakeholder approach to fighting the cyber men ace.  The Mexican government cybersecurity strategy states that success of the strategy will depend on stakeholders' collaboration and that Mexico's national cybersecurity strategy is a live document that will set the road map for the development of cybersecurity in Mexico with an integral and holistic approach and with the collaboration of different stakeholders.

However, examples of implementing the approach remains scarce and practical guidance are lacking.  So throughout the CMM there is a mention of role of stakeholders and multi‑stakeholder engagement across the model levels although importance of stakeholders' engagement is highlighted in all three documents none offer any structured guidance to help design an NCSS development process in a multi‑stakeholder way.

So we take this engagement today in this gathering to really come with clear programs and approaches that will assist to us the practical implementation of multi‑stakeholder guidelines and as far as the issue of cybersecurity is concerned.  Thank you very much, madam acting Secretary‑General.

>> GISA FUATAI PURCELL:  Thank you, honorable.  It's a pleasure to have you here today.  I thank you for you availing your precious time to come and open this commonwealth coordination meeting.

Okay.  So I'm very happy that all our panelists are here with us today.  Now, let me introduce our panelists ‑‑ our panel.  Ms. Nayia Barmpaliou on my extreme right.  She's the head of public policy and initiatives center of cybersecurity, C for C, from the World Economic Forum.  And then on my left right next to me is Mr. Olaf Kolkman.  He's the chief internet technology officer from the Internet Society and commissioner of the Global Commission on the Stability of Cybersecurity.  Kevin, third from me, he's the head of strategic relations and integration Latin America and the Caribbean Network Information Center or LACNIC.

And Yuliya is the head of strategic relations and integration ‑‑ I'm sorry representative of TAC, together against cybersecurity which is a nonprofit Civil Society organization, and they are working against cybercrime.  Then right next to me on my right is my colleague from the commonwealth Secretariat Mr. Matthew Moorhead, he's the acting head of the office of civil and criminal justice reform of the commonwealth Secretariat.  Welcome.  Okay.

As we all know the Internet today is growing at incredible speed in ways that have enormously impacted the way we live, the way we work and the way we do everything.  Therefore, it is imperative for the international community to come together to strengthen communications and broadening consensus deepening cooperation and embrace extensive consultation.

So this is a very important topic very close to our hearts.  So first off, is I'll be going around our panelists asking questions give their perspective and after that we will give the floor to provide some questions and we go from there.

So on item one multi‑stakeholder cooperation and cybersecurity and cyberresilience capacity development.  Let me go to Nayia first.  If you would like to give us a brief of what the world economic forum is working on, the challenges of multi‑stakeholder approach and some of the models that you have worked with around the world.  Thank you very much.

>> NAYIA BARMPALIOU:  Thank you for the invitation.  I would maybe ‑‑ I wouldn't want to spend much time talking about the forum per se but deep dive on the key issue here on the multi‑stakeholder approach, good practices, bad practices, and, you know, the challenges.  I would say the a multi‑stakeholder platform.  It really brings leaders from industry, government, international organizations, Civil Society, and academia together.  In that context the work on the center for cybersecurity has been around being ‑‑ has been designed around being an impartial and leadership breach.  In that context we're working on building communities or on setting agenda and leadership on accelerating existing solutions that might be in a specific geography or specific industry and how to take that forward more globally into what we call architecture where we see the existing gaps or opportunities for building better public‑private cooperation.  Having that public‑private cooperation DNA, one of the areas that we are confronted with is the skills gap.

That actually per mutates which is on global cooperation and securing technologies and industry solutions.  In all three areas of broader communities that we have, the skills gap is quite striking and it is at all levels.  Therefore, what we find as capacity building which most is in the taxonomy, used in the taxonomy about institutional building and government capacity, we see that there is similar skills gap in industry and leadership, what we see we don't have policy makers that are prepared for the challenges of cybersecurity facing.  There's a matter of understanding the issues having ‑‑ people that can serve, I would say, we need ‑‑ the policy makers don't need to be technical experts, but they need to understand the policy implications of technological solutions that they are putting forward.

So in that context one of the ‑‑ the public‑private cooperation we find is critical.  One of the approaches that the world economic forum has put forward is putting a national and legal systems how the public‑private cooperation there when it's lead by government or when lead by industry, how there can be ‑‑ that can be a sustainable model for capacity building where you bring either the industry or in terms of government lead or academia lead, building those communities that they're not only tackling the skills gap, but they're also helping creating the local capabilities and not being brought in with expertise from abroad in an ad hoc training and so on, but creating also the market incentives locally and potentially even the letter states innovation once you have the local capability.

So this is one of the areas that we started to work some months ago by creating a community of industry leaders and public sector leaders.  It's more of, I would say, a framework that we want to share and design in a multi‑stakeholder way that could then be adopted in different contexts and geographies.  I believe given the challenge of both funding and also cooperation across sectors, there's a lot of silos amongst donors, implementing agencies, sometimes conflicting motivations and the lack of match making.  There are initiatives like the global forum expertise that are trying to help that end.

I believe the more we talk both like this but also talk to each other and recognize although we will not solve this kind of big elephant of a challenge, we want to move forward and in that context from our perspective, it's challenging to be a multi‑stakeholder ‑‑ to have a multi‑stakeholder approach, but it's the only way.

>> GISA FUATAI PURCELL:  Okay.  Thank you very much for your perspective and thank you for the work that you're doing with the world economic forum.  Two things I picked up is, one, capacity building, and the second one is motivation.

I think those are the two aspects that is really required when we try and build a multi‑stakeholder approach.  And then, of course, it comes communication, collaboration, and connectivity.

Okay.  Thank you very much for that.  So still keeping on the multi‑stakeholder organizations but looking at the practical approach on cybersecurity strategy.  So let me call on ISOC on Olaf.  I would love for you to give us a brief on the work ISOC has done in the African Union, especially in terms of the Malabo Convention.  And perhaps next steps to see if there were any concrete recommendations that was a result of the Malabo Convention.  Thank you.

>> OLAF KOLKMAN:  Thank you for that very good leading question and also thank you for having me here.  The Internet Society, our African bureau, I'm talking ‑‑ our African bureau has been approached a couple years ago by the African Union to help bring together the African community, the Internet community to create a second step in the implementation of the Malabo convention which is setting cybersecurity and privacy guidelines for the African region.  But those are recommendations that are at the highest political strategical level.  And as we all know when it comes to cybersecurity, cybersecurity is always implemented on the floor.  It's implemented close to users.  It is implemented in networks.  It's implemented in ‑‑ by thousands of people, by big companies as well as SMEs.  It's one of the things that needs to live in the hearts and minds of the people to actually implement the measures that make our environment secure.

And the only way you can get to that is through making things more concrete.  I think this is one of the things that we try to do.  We took upon us an implementation strategy and implementation framework specifically for Internet security.  So cybersecurity is a broad subject.  Privacy was also part of the convention, but we focused in this particular breakdown into working with the community, with the African community of C search of ISPs, of local network operator groups to get to that next level.

In a number of consultive rounds we came ‑‑ we finalized with the report that gives a number of recommendations going from a high level, actions that can be taken by ‑‑ at the regional level by the African Union to actions that can actually be taken by ISPs and operators.  To go down from the regional level, African‑wide cybersecurity collaboration and coordinator center committee, the ACS3C because we love our acronyms, was one of the recommendations.  And the goal of that committee would be a multi‑stakeholder group that would advise the policy makers on the AUC in the capacity building and strategy and facilitate information sharing across the region.

Capacity building and information sharing are both topics that come back throughout this whole recommendation.  Capacity, because people need to do the work.  They need to have the knowledge to do it but also capacity sharing and that means also information sharing.

At the national level there are recommendations for identifying critical infrastructure and creating the protections around that for internet structure.  We're talking about fibers, Internet exchange points and ccTLDs for INS.

Another recommendation is to have information exchange at the national level not only on the high level but also try to do that at the national level.  Because, again, that's where the work takes place.

Part of that is establishing and strengthening the security ‑‑ the computer security and incident response teams.  Those are the places where information exchanges happen between the various sectors and the information that is out there by security companies and so on and so forth and where concrete actions can be taken and where the trust is built in order to exchange that information because trust ‑‑ cybersecurity in the end is human work.

Obviously there are a bunch of other recommendations in the report which I will not all read, but we also have a number of what are the concrete recommendations for the ISPs.  In general in organizations when you connect to the internet, what should you do?  The name of the document is the internet infrastructure security guidelines for Africa, that is how you can find it when you Google it and see the recommendations.

Now recommendations can say empty ‑‑ that is always the risk of a recommendation.  But I'm actually happy to note that in a week time from now or two weeks' time from now, the first meeting of this African‑wide cybersecurity collaboration and coordination committee, again, there's the acronym, the ACS3C will meet.  It will announce its memberships.  This is the AU that ‑‑ the AUC who has the African Union that has organized this meeting.  I believe that announcement about memberships are forth coming.  But this is a first step that helps with the coordination of these issues.

Further, in national bodies and IGF's this work is being undertaken.

>> GISA FUATAI PURCELL:  Thank you very much for that perspective on the work that ISOC has done for the African Union.

>> OLAF KOLKMAN:  I would say the African community has done for Africa.  We have played a small facilitating role but this is the community that did it.

>> GISA FUATAI PURCELL:  That is excellent because it doesn't matter what we do at the national level, when it comes to the implementation this is where the citizens of our countries come in.  This is where government look at enhancing the way we do things and the way we collaborate.  So that means that we need to look at everybody.  We even look at Civil Society, and we look at women's group, women committees because I can tell you now that women are the best implementers of any public policy.

>> OLAF KOLKMAN:  Yes.

>> GISA FUATAI PURCELL:  Not because I'm a woman but I've been there.  At the CTO we also do the ‑‑ that's our role kindly funded by donors including the UK government.  But our role is we go out to countries that request assistance and help them develop cybersecurity strategies and policies.  But we know very well when it comes to the implementation, we work very, very closely with the governments.  And there are some very good examples or success stories of that collaboration.  But for me deep down my question is, I think my question here ‑‑ I better say it out now, it's not just for the panel but for everybody.

How can we increase the awareness of our citizens on cybersecurity?  Given the fact that coverage is not 100%, at least within the commonwealth countries, developing countries.  We at organization level and government level we develop strategies, and then we implement it.  But what can we do to increase this awareness?  If somebody in the rural areas was given a mobile phone as a gift and then immediately he's learning and then there comes a text.  If you pay 50 US dollars, we will then send you 900 million.  What happens there?  How can awareness be done because to me it's very important.

I'm from the rural village, and that is why one comes to mind.  I thought it best that I say it out now for the sake of everybody.

Okay.  So now, thank you Olaf.  I would like now to move on to Kevin.  I know you're from LACNIC what are the challenges with your work on cybersecurity?  Maybe if you can touch on the key elements of building a cohesive cybersecurity strategy and the role of multi‑stakeholder?  Thank you.

>> KEVIN SWIFT:  Thank you, madam chair and thanks for this opportunity to speak to you today.  I think in addressing these questions, I will just give a general overview as to what we at LACNIC do in this field.  We've been a wide engagement of public safety.  In recent times we started ramping this up.  By public safety actors we refer to law enforcement, police officers, public prosecutors, judiciary, and our intention is to not only establish relationships but also to build trust.  I think Olaf pointed to that.  It's really a human side element when it comes to collaborative approaches, build trust among the public safety actors like ourselves who are not just who are responsible for critical resources but other internet actors who operators of all kinds even as internet platforms and social media, and last but not least the info sec community.

And it's in this last grouping where LACNIC really got its foot in the door because we started with technical cooperation and C set building because of the demands of our community.  Our community noticed there were a lot of LACNIC resources implicated in global cyber incidents.  And  there was a need for us to strengthen our capacity to mitigate against these.

So framed in another way.  Our work in cybersecurity is on two fronts.  We support police investigations and prosecutions of cybercrime.  In this stead thinking about crimes that are mediated by political assistance.  Here you will know ‑‑ you can note that all of the RIRs are working cohesively on this front.  We have recently established something called the public safety coordination group where we exchange information on engagements with law enforcement and how we go about building knowledge and capacity across the world.  In addition to that, on a technical front, you will find that we support investigations and responses to offense and crimes against computer systems.

Here's where I talk about the LACNIC warp.  I'll break down warp in a minute.  The info sec professionals, some of them coming from Brazil, Mexico and Argentina began investigating cyberattacks in 2011 or so.  They published Spanish manuals to treat with internet response.  Between 2014 and 2015 we noticed there was a need to create a unit within LACNIC to provide an additional members in terms of proactive and interactive, in 2015 the LACNIC warp stands for.  Warning advice and reporting point.  It consists of three services.  A warning or bulleting system on rising cyberthreats and prominent incidents.  This is an observatory.  The second is advice brokering which allows technicians contact us with helping managing an ongoing incident and thereby reducing risks, reducing damage, and making contact with other support actors.  And third but not least our anonymous reporting function where through anonymous reports and confidential reports we're able to use aggregate data to publish stats on trends in cyber incident trends, types and numbers of incidents and each break down on particular types of incidents such as bot nets affecting our resources.

So these are activities on a technical front but of course they're not devoid of strategy because we also have with this a couple of other value added activities.  Since 2014 at a LACNIC event we have a recurring gathering of all the CCIDs across Latin American and the Caribbean.  It's among the two events we have.  It's a trusted space for the CCIDs of Latin America and the Caribbean to share experiences in identifying the ever evolving nature and profile of cybersecurity and skill sets because skill sets is one of the things where they realize we always have to keep revising continuously to keep up.

And we also forged strategic alliances with first which is a global grouping of sorts.  MMMAWG3, more acronyms forever, refers to mobile messaging and malware anti‑abuse working group.  We have strategic alliances, and through these agreements we have mini global symposia at the LACNIC events.  We have a mini symposia at a reduced costs for LACNIC persons participate in a LACNIC event.

We collaborate with the organization of (?) conferences within Cymru and other activities.  Last but not least we have an outreach and capacity building called Emparu where we work with local stakeholders and communities to strengthen their CCID capacities.  This would imply a basic assessment of each community's defense capacity.  We ideally will work with communities that already have other elements of cyber strategy in place meaning that they'll be working on policy and legislative imperatives, public education imperatives.  We're here to render assistance on a technical

It's not just a linear activity.  We've recognized over the years that there's a lot to be uncovered from local communities and understanding this range of what cybersecurity is.  For us as capacity building actors or actors that provide training, we do realize along with other actors there are so many silos involved.  We've started actively trying to reduce these silos by working with other actors in developing a strategy such as the ITU that are prominent in the Americas when it comes to building strategy.

In the long‑run what we're trying to do is to improve the trust among these communities (?) collective knowledge building.  This is because we recognize when we talk about cybersecurity and cyberattacks, these represent the new face of what is traditionally organized crime.  So here is where bad actors, they're highly educated, they're highly skilled, and they're highly organized.  We as well realize the need we have to be just as organized in order to build proper cyber defense.

So that leads on to the questions, the elements of good cyber strategy is understanding that there are various components at play.  It is an ongoing task.  It's not static in the least.  And, of course, that trust is a key element in showing that all the paths come together and work to have effective cyber defense.  I'll stick a pin there and come back to other questions later.

>> GISA FUATAI PURCELL:  Thank you very much.  It's very, very important that we make sure that users of the internet has trust all the time every time.  So this is why we come together and think of ways that we can do that, make sure the users of the internet has trust.  Thank you very much, Kevin.  It sounds like we're all on the same level when it comes to multi‑stakeholder approaches to ensuring that we looking after our people.  I'm talking about the six billion people in the world and especially I'm focusing on the 2.4 people within the commonwealth.  It's huge when you think about it, 2.4 billion, that's a third of the world's population.  So it's very, very important for us as commonwealth countries to come together and look at how we can collaborate and move this work forward.

Okay.  Yuliya, I'm so happy that we have among us a representative from a nonprofit Civil Society organization.  It takes me back in the days of the preparations and planning for the WSIS, the World Summit of the information society.  At the time I was representing my country Samoa and I was very, very vocal to make sure that in the declaration we do not use the word developing countries.  We did, but we have to make it state that as the World Summit of the information society, we should focus and pay attention to least developed countries, small island developing states and economies in transition.  I may have been from a small country, but, yes, I was asked to give the language for paragraph 16.

Now one of the biggest issues then was Civil Society.  They were given only seven minutes to provide.  When I say seven minutes, it's all the Civil Societies in the world they were given seven minutes.  But today my question for you, Yuliya, is what do you see as the critical role of Civil Society in cybersecurity?

>> YULIYA MORENETS:  Thank you so much, thank you, madam chair.  First of all, thank you for inviting.  The Civil Society is important.  So I feel myself being privileged to be here because first you mention the lack and role of women in the empowerment.  I feel myself being empowered because 12 years ago when I started to be in the field of cybersecurity, cybercrime, I was like alone on the panel or doing this work.  I'm happy you mentioned this as well.  Thank you.  And the role of Civil Society, indeed we don't have a lot of Civil Society working on cybersecurity from, you know, on the ground by doing things or we don't know them actually.  This is the problem.

Maybe a few words on what we do, as you just mentioned I do represent and I founded the Civil Society organization called TAC together against cybercrime international.  We work with the Africa and the cybercrime convention and et cetera, et cetera.  Three things today we do make assistance to victims of cybercrime.  It's a huge topic.  You mentioned the role of users, how we can be useful to them.  This is how we can be useful to them.  The assistance is very important.  Obviously we can't bring the assistance to victims of cybercrime concerning all threats, so we work in a very particular cases.

We do have actually as well the capacity building.  We work a lot with the specific tools we developed to raise and to Empleo specifically the law enforcement on how to collect the evidence, how to detect the evidence and how to bring the evidence to the core because this is a very critical issue as well in order to have the evidence be accepted by different courts if we take into account that the countries that already have the legislation in place and the third point we work on awareness raising.  You mentioned a few times the importance of having and how we can raise the awareness of users on online safety on the existence of different mechanisms.  So we try to work on this as well.

Specifically by involving the young population and young people with our project called youth IGF which is present in 345 countries today.  And our ambassadors who became young leaders.  I can mention a few of them, they are actually now ‑‑ have been involved as trainers, for example, by the African Union, if I take the ambassadors coming from the African region by training other young people and each leaders on how to establish internet governance, community and how to be effective in the cybersecurity field as well.

So with this project we try to involve them in order to raise the awareness of other young people, other young leaders as well as different target group as well.  So this is about what we do in order ‑‑ I would like to bring three main points from our point of view.

We think that would be, you know, useful to be part of the cybersecurity strategies.  I've read a lot of cybersecurity strategies as well as how to develop them as well.  And in a number of cases of course the role of Civil Society could be the implementation of these different points that I would like to bring to the table today.

First, I think there is a lack ‑‑ it was said already by the world economic forum, it's a lack of skills, the skill gaps.  But what I would like to call ‑‑ what was said actually by the Secretary‑General yesterday at the opening session, it's a lack of policy expertise on cybersecurity and specifically among the young leaders, the new generation of the coming leaders in this field.

I think there is a role of Civil Society in this as well.  A second point, this point is quite often missing from cybersecurity strategies to be very honest.  It's importance of reporting mechanism for ‑‑ of cybercrime cases.  This is very important for users.  If they are aware and if this mechanism will exist, then we will need to develop the work on the awareness to where our population and the users and citizens involve in this mechanism.  Afterwards well be able to assist the victims.  The third point you mentioned the awareness raising.

When we speak about how we can raise the awareness of our users of citizens and especially in rural areas, I think there are two points.  Awareness raising on online safety.  So how can we stay safer online, what are the threats?  But also the awareness raising, for example, on these reporting mechanisms.  Because when we will raise the awareness of these reporting mechanisms, automatically we will raise the awareness on the online safety as well.  These should be integrated into the cybersecurity strategy quite often.  It's not there yet.  But I hope it will be improved.  I think the Civil Society has a very concrete role in implementation of these points as well.  Thank you.

>> GISA FUATAI PURCELL:  Okay.  Thank you very much, Yuliya.  You raise some really important points which others have raised.  So the key thing here is capacity building.  I think that is one of the key element of developing ‑‑ of whatever we're doing with cybersecurity including raising awareness.  So that's really important.  And then you also brought up the fact about the other part of your job is collecting evidence.

As soon as you say evidence, I'm thinking data.  When we talk about artificial intelligence, we're talking about data here.  I have this thinking, okay, so while artificial intelligence is great, it has to have data.  Without data we can't really depend on artificial intelligence, especially to do with evidence in cybercrime and all those issues.  So thank you very much for that.

And then finally to my colleague from ‑‑ is it the parent organization or the sister organization?

>> Sister.

>> GISA FUATAI PURCELL:  Okay.  Matthew.  In 2018 during the commonwealth heads of governments or CHOGM, the cybercrime declaration as you know was endorsed in the heads of commonwealth governments communique.  So I just want you to tell us what has come sec been focusing on in the declaration and look at any international cooperation in cybersecurity that you have looked at especially in terms of investigation?  Sorry.

>> MATTHEW MOORHEAD:  I think I've got that.

>> GISA FUATAI PURCELL:  I've been preparing these questions.  We're all here to help each other.  (Laughing)

>> MATTHEW MOORHEAD:  Yes.  Thank you very much for having me to the Commonwealth Telecommunications Organisation.  I'm from the commonwealth Secretariat which, as you said, is a sister organization.  We're a partner organization in the commonwealth.  This is one of the areas where I think we can work closely together and do really good things.

The commonwealth Secretariat has really in the last 18 months become quite busy in the cybersecurity space.  This forum of course is about multi‑stakeholder approaches which caused me to have a think because the commonwealth Secretariat is a government organization which works for and through its members, which governments.  What we do is really focused at governments and assisting them.  However, within that function we've learned to listen as widely as possible to other voices, of course.  Because I think as everyone in the room will realize that's essential for any kind of development project to have any chance of success.

So we try to listen as much as we can.  But if I ‑‑ may I introduce you to the specifics of the particular cyber declaration.  It was endorsed by all commonwealth member countries, that's 53 countries.  The meeting of heads of government in London in April 2018.  And we believe it's an important expression of the desire of commonwealth heads of government to obtain a free, open, inclusive, and secure cyberspace.  It sets out for the first time quite significantly a common vision for ensuring the internet remains free, open, and inclusive across the commonwealth.  For many commonwealth countries, this was the first time at an international level that they made a commitment of that nature.

The declaration is a call to action by all commonwealth countries which seeks to build on the general commonality of official language in the commonwealth and similarity of public institutions.

I think most concretely the cyber declaration is a commitment to collaborate and help each other to address cyber infections and cybersecurity threats more generally.  It builds on the work both of the commonwealth Secretariat, the CTO, and of course member countries with a commitment to make cyberspace a safer place.

The cyber declaration intends to support economic and social developments and rights online.  It intends to build foundations for effective national cybersecurity response and promote the stability in cyberspace, the stability of cyberspace through international cooperation.

I was interested to hear the minister from South Africa mention Ghana's cybersecurity program.  That's one example that we have looked at from the commonwealth of a member country working in this space.  We've learned a lot from Ghana through our conversations with them.

So the declaration commits commonwealth countries to work closely to strengthen their cybersecurity framework.  So where they have an existing framework they're encouraged to review and upgrade them.  And if they don't have one, to get one pretty quickly.  To raise levels of cybersecurity and to increase their cooperation to counter cyber criminals.  The specific to combat hostile state actors to prevent cybersecurity risks.

The commonwealth cyber declaration is supported by an implementation plan which sets out a plan through a variety of programs to achieve certain things.  The commonwealth Secretariat itself is running four broad programs under the banner of the cyber declaration.

It's running a ‑‑ the first of those programs is Africa focused.  So I would love to talk to my fellow panelist about the work you're doing in Africa.  The advantage of going last, I get to hear what the panelists are doing and how we can incorporate.  We're focusing on Gambia, in Namibia and Kenya where we're conducting assessments with those countries investigating the legislative and criminal justice capabilities and the general cyber resilience.  We're working to identify key areas where they can make legislative changes or build capacity or indeed reach out to partners who might be able to offer assistance.

The second program is Caribbean focused.  Kevin, we might like to talk about this.  In the Caribbean we're aiming to build the capacity of judges, prosecutors, and investigators to share and work with electronic evidence to transmit is safely across borders and to deal with it in courts.  So we find, of course, a lot of judges, prosecutors, and so on lack familiarity with electronic evidence.  Electronic evidence seems to be coming up in almost every single criminal investigation these days.  So it's quite important that they develop there.

Thirdly, we are running a program to strengthen international cooperation in cybercrime investigations generally.  So we have set up a commonwealth‑wide network of contact points, people based in national prosecution agencies so they can have direct contact with each other, direct and formal contact with people in countries that they know so that electronic evidence can be swiftly, securely shared between countries.  There are big barriers at the moment to moving electronic evidence across borders through formal channels.  It can be very cumbersome, slow moving.  That's exactly what you don't want to be when you're addressing sophisticated cybercrime threats.  So we're working on building informal channels of communication.  And prosecutors are reacting well to that.  We think that program is a particular potential.

Finally, the program which I am most involved in myself is focusing on strengthening election cybersecurity.  So this is looking at the package of cyber threats to the integrity of elections throughout the commonwealth.  When we mention cybersecurity and elections, some people's minds go straight to electronic voting.  Electronic voting is actually very, very rare especially in the commonwealth.  But cybersecurity can, of course, threaten elections through many other ways.  It can attack voter rolls.  You can have data breach by political parties.  It can also involve malicious spread of misinformation.  And I think the whole world is finding that to be a more, more topical issue.

So we're developing with many country partners a guide to cybersecurity and elections.  We're also conducting a series of workshops based on this guide in various commonwealth regions.  Again, thank you very much for having me.  That's the ‑‑ what we're doing to implement the commonwealth cyber declaration.

>> GISA FUATAI PURCELL:  Thank you very much, Matthew.  And some key excellent work that you're doing at the moment.  And, of course, we can collaborate with also ISOC, WEF, and all the others on the panel here today.  We don't have much time left.

So can I ask for three questions from the floor, please.  It doesn't have to be a question or a comment to any of our panels.  When questions are asked, the floor can also help address the questions.

Please introduce yourself and the organization.

>> AUDIENCE:  Sure.  Hi, everyone my name is Nicole I'm from off come the communications regulations in the UK.  Thank you for such a rich panel.  I think there's a lot of information to digest but interesting areas of work.  I was wondering from the Civil Society perspective if there's been any sort of work done to let's just say incentivize maybe more governments to sign the Budapest convention on cybercrime or what are steps or challenges that you see on that?  Because I feel like we're talking about cybercrime.  As far as I know, that convention is only legally binding treaty that exists in this area.  I just wanted to find out that perspective.

And then maybe if I can extend my privilege here, for ISOC as well, really interested in your work.  I was wondering if part of the recommendations or the programs you have with ISPs or infrastructure companies, if you're conducting any sort of vulnerability testing, if there's any sort of vulnerability assessment?  I'm saying this mostly because in our organization we have developed a vulnerability test we've seen gain some traction in other countries that want to develop it.  I was wondering if that was an area you're already involved in.  Thank you.

>> GISA FUATAI PURCELL:  Is there another question?  Let's make it two because we have two minutes left.  Is there another question or another comment from the floor?  At the back there, please.

>> AUDIENCE:  Hi, there.  My name is Ano from the national cybersecurity center in Ghana.  You mentioned something that the commonwealth is looking at setting some guide for elections and cybersecurity.  I was wondering when these guidelines will be ready because Ghana's election year is next year, 2020, we have elections in that year.  I'm wondering when these guidelines will be ready and if it will be ready just in time for the election.  Thank you.

>> AUDIENCE:  Gisa, there's a comment from the ‑‑

>> GISA FUATAI PURCELL:  Vanuatu, please?

>> AUDIENCE:  Thank you very much.  My name is Jeff, I service the cybersecurity advisor to the government of Vanuatu.  Mine is not only a comment but a question ‑‑ there's a lot of questions around multi‑stakeholder approach.  I'm wondering if ‑‑ because of the rich panel if there's any assessment done on the process of how effective those various multi‑stakeholder approaches within the different regions.  I'm quite pleased to hear the LACNIC technical approach.  It sounds that strategies or policies have been driving the good work fast approach through addressing malicious activities around that area.  Does that mean that across the region legislations or strategies are similar to facilitate faster mechanisms in place?  Thank you.

>> GISA FUATAI PURCELL:  Thank you very much, Jackson.  Let's go to the first question and quickly, please, Yuliya, and then followed by Olaf.  Thank you.

>> YULIYA MORENETS:  Thank you for the question.  Well, our organization like Civil Society organization we don't focus on the promotion of the Budapest convention.  Now, I give you an expert answer on this because I've been working a lot with the cybercrime convention in different countries all over the world.  I think what's happening, when the country's interested in annexing the Budapest convention, of course the whole community is pushing for this and working for this.

Now what is true, it depends on the country.  Maybe it's one of the recommendations to take from here to the council of Europe to involve and work more closely with the Civil Society in the countries who express the view and the interest in accessing the Budapest convention.

>> OLAF KOLKMAN:  Very shortly, I was aware of an availability of scanning tools.  This is a good piece of information.  I think this is generally the case.  There are multiple initiatives across the world that improve our security.  I think it's a feature that sometimes something happens over there that you're not aware of over there, but this these type of forums where we come together and share information make us aware that can feed into the work of LACNIC or the work we're doing in Africa and across actually the whole ecosystem to create a better security system.  So I'm absolutely interested in your tool set.

>> GISA FUATAI PURCELL:  Thank you.

>> MATTHEW MOORHEAD:  Thank you.  I would like to address this to our colleague from Ghana.  I'm delighted to be able to say that we've worked very closely with Ghana in our election cybersecurity work.  We found them to be a very helpful partner indeed.  We've just spent a month in Ghana working with the Ghana electoral monitoring board.  They've been one of the key I puts into the guide actually.  So we are going to be working closely with Ghana leading up to their election.

>> GISA FUATAI PURCELL:  Thank you.  And, yes, Kevin, to answer the Vanuatu question.

>> KEVIN SWIFT:  Thanks from the comments from the colleague from Vanuatu.  Thank you for recognizing the good work that we are doing.  Similar to all of the ARs we're coordinating our messages when it comes to public education.  A couple of us are involved in face‑to‑face technical training and to help CCID capacity.  With that being said, unfortunately LACNIC like the other IARs we're bound by the mandate of our members.  So getting involved in policy making in legislation is not something we necessarily do because it's not within our competence to do so.  There are many others that can.  But one of the things that we do try to do is when we do have an intervention at a country level, that we do line up with other actors providing different training needs.  So if the actors are looking specifically at a policy level, we're make sure that there's a level of cohesion and we work with local communities to understand better the entire landscape to build effective strategy.

>> GISA FUATAI PURCELL:  Okay.  So is there anybody else that wants to raise any issue at all?  No?  What we have done today is very important.  We're going to have a look at all the information that was shared today and look at how the CTO and also the commonwealth can work together or separately, depending on the angle of the assistance.  But I want to say what's very important is for you to write for the commonwealth countries, let us know what your priority needs are because what has come out very clear in this panel is that with the challenge of cybersecurity come new skills as you have heard.  Everybody needs to learn how to tackle this, from judges, from the law enforcement, from citizens on how to ‑‑ in understanding how to deal with it if they are involved personally.

So with that, I would like to thank my distinguished panelists for this afternoon, this session.  It's been an excellent session, very informational and it will help the commonwealth countries.  I thank the honorable minister, deputy minister from South Africa for your presence.  Right now let's come to the center here and take a photograph, please.  Thank you again, everybody.

(Applause)