The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.
***
>> MODERATOR: Good morning, everyone. I welcome you to the main session on enabling safety, security and accountability. I'm Sook‑Jung Dofel, facilitator and MAG member being responsible for this session. Before we start our discussion, I would like to introduce our distinguished guests and moderator to you. We have Peggy Hicks with us, Director of the thematic engagement Special Procedures and Right to Development Division of UN Human Rights Office.
Online we have David Koh, Chief Executive cybersecurity agency of Singapore, Abdul‑Hakeem Ajijola, Chair at Afghan Union cybersecurity group in Addis, Pilar Saenz, and Anastasiya Kazakova senior public affairs manager. We hope that the Director of community and capacity building at the firm of incident response and security teams will be with us later.
He is in a rural area and was not sure whether his Internet would be stable enough to join. And as moderator, I would like to introduce you to Anriette Esterhuysen, former MAG Chair and Executive Director of APC and part of the Internet Hall of Fame global connect.
We are grateful for having you all on this panel, and then over to you, Anriette.
>> ANRIETTE ESTERHUYSEN: Thank you very much. I'm no longer Executive Director of Association for Progressive Communications, but I still have the privilege of collaborating with APC.
I have actually just come from the parliamentary track which this year is focusing on cybersecurity, and I am really struck by how much progress we have made in talking about cybersecurity and cyber safety and accountability.
I think a few years, in fact at 2017 in the IGF when it was hosted in Geneva, there was a pre-event on a human rights‑based approach to cybersecurity. And at that time that seemed like a fairly outrageous concept for many people, people within the security establishment, people within Governments felt actually quite pressured by the notion that they had to consider human rights and transparency, and accountability, but in fact, I think we are in a very positive place at the moment.
We have had the second round of the group of governmental experts, the UN first Committee process where Governments come together to talk about international cybersecurity, reach a consensus report. We had the open‑ended Working Group, which is now in its second round, which is an open process also a United Nations first Committee process produce a report and come up with principles on cyber capacity building.
And so I think we have gone from closed cybersecurity specialists having a conversation about cybersecurity to a place where we are approaching it in a more whole of society, in a human centric manner, and when we are recognizing that without multistakeholder collaboration and without considering capacity of all sectors of society, and also looking at human rights, we are not really going to succeed in the goal of ensuring safety, security and stability.
So we have a fantastic panel at the moment. Apologies, I am working with my phone here of the and I want to thank everyone for being here and for Sook and colleagues on the MAG for organising this. We are going to focus on cyber capacity building and unpacking and talking about what it means.
My first question to the panel and I will start with Peggy because she is here and then we will move onto the online panelists, what do you feel are the most important milestones that we have achieved in terms of cyber capacity building? Do you feel we now have a common understanding of it? What's your understanding of cyber capacity building? We have the principles that the open‑ended Working Group developed. We also have the global presume on cyber expertise and the work they have done but from your perspective what do you feel are the milestones we have achieved and how do you understand cyber capacity building.
>> PEGGY HICKS: I'm happy to be here as part of this important discussion. I wanted to first start off by echoing as you said, I think we would agree that we have made some real progress in terms of working together on cyber issues and really looking at how human rights is integrated into these processes and obviously within the OEWD and the Programme of Action, there are specific references, and as you said, that wasn't something that was all assured a number of years ago.
And looking at the issues around cooperation and capacity building, you know, we agree is very important. For us, one of the key elements here that I wanted to stress is around the issues of participation, which is unfortunately one of those areas where I think we still have some space to go.
And I wanted to make the case again for why full and meaningful participation in the discussions and work around cybersecurity and in the capacity building efforts around cybersecurity is essential. I mean, the reality is that when we talk about the need for meaningful participation by, in a multistakeholder process, including by civil society, it's because we need for these efforts to really centre around people and the impacts on people of these processes.
And it is through the engagement of civil society that we are able to really bring in that experience and make sure that the processes really understand and reflect how people are being affected by the cybersecurity related issues. So we wanted to emphasize again the need for the capacity building processes to really incorporate the training needs and desires of those groups as the starting point.
So maybe I will close with that and wait for the next question.
>> ANRIETTE ESTERHUYSEN: Thanks a lot, Peggy. David, you have been working in the Singapore cybersecurity and various institutions, what is your perspective? What have we achieved in terms of how we think about, how we build cybersecurity capacity, and what is your understanding of it? How do you conceive of it?
>> DAVID KOH: Good afternoon from Singapore. Good to see you again. Well, on capacity building I will say a few things. At the top, the level of awareness globally has gone up tremendously. If you talk about cyber capacity building a few years ago, I think people weren't aware of it, they weren't aware of the need, et cetera. This has changed dramatically.
And part of the reason I would say is because of the efforts at the UNGFCE, they have established clearly common understanding on the need for capacity building and this has raised awareness level. On the level of understanding, I would say that somewhat, not quite at the full level that one would desire, but we have definitely made progress.
One of the key things I want to talk about is we have established some guiding principles of cyber capacity building. Singapore has been supporting cyber capacity building in the ASEAN region since 2016, and our ASEAN cyber capacity Center of Excellence recently opened last year to further consolidate and facilitate efforts.
I want to say that in the plan of our programmes we developed a four M framework so guide development of this curriculum. First, it multidisciplinary, second, multistakeholder, third, modular and measurable.
We believe that for cyber capacity building initiatives to be impactful, across the field of policy, operations technology, diplomacy need to be brought together holistically. Diverse expertise across disciplines is required to effectively understand and manage cybersecurity at the next level and to safeguard collective cyberspace.
Similarly, a multistakeholder approach is essential for the saying of perspective from different sectors, each of which plays a different but significant role in contributing to cyber resiliency. So multistakeholder platforms such as IGF also very important in bringing together state and non‑state stakeholders with the courage, conversations and collaboration. We firmly believe that countries don't have monopoly on the ideas so we need the multistakeholder approach. Lastly, I would say that we definitely need to recognize that cyber capacity building is a two‑way street.
It is not, for example, the rich providing cyber capacity building and providing the expertise for the less developed nations. I think both, it's a two‑way street and people can learn as well even as they are facilitating and providing cyber capacity building.
Thank you.
>> MODERATOR: Thanks very much, David, I wanted to ask a follow‑up question. In terms of the four M framework, what do you think, what kind of institutional arrangements do you feel one needs at national level to be able to apply that framework?
>> DAVID KOH: That's a good question. We have been preaching the 4M framework firstly because a lot of questions arise from whether capacity building is effective. One of the challenges is that it has to be measurable. Second, when we talk to the countries, the agencies who want to receive the capacity building, they are unable to commit for a long period of time.
So the other approach that it has to be modular. These are some of the elements of this. Now, when you provide, when you are partaking of this training, then there has to be vessels that you can keep the knowledge that you have received. So one of the challenges that we think is necessary there has to be repositories of information, knowledge, within the countries. So if I'm going to be part of a cyber capacity building program I have to make Thursday that they can practice what they heard, otherwise it is so much head knowledge, it doesn't translate into action within my country.
It is not possible to send every member of my organisation for cyber capacity training programmes. It's just not possible. So you can train some of my officers and then these then have to be on a basis of train‑the‑trainer. You come back to Singapore having benefited from the training and train other members of organisations, other stakeholders within Singapore so that they then can spread the message and we can all benefit. These are just some elements.
>> MODERATOR: You emphasize participation and participative processes really as a pragmatic way of really integrating cybersecurity practices, and I think Peggy you mentioned and emphasized participation from the perspective of being inclusive and respecting human rights. Next, can we go to Abdul‑Hakeem Ajijola, a colleague and a friend who is online with us. Are you there? What is your understanding of cyber capacity and what milestones do you think we have achieved?
>> ABDUL-HAKEEM AIJIOLA: Let's understand what a norm is. It's a principle of right action building upon members of a group, in this case Member States, serving to guide and control or regulate proper and acceptable behavior. In essence, a norm can be regarded as a soft voluntary law. Now, having said that we have seen norms of proliferation, norms which have evolved from soft laws into hard international law so that nation becomes a prior state.
In the African context we have seen I think in 1884 there was a Berlin Conference. We were not there, and that Conference sets the agenda for our state boundaries, but also our legislation of the type of legal philosophies we have. So I think Africa really needs a generation of cyber diplomats to engage in global conversations and the development of norms, confidence building measures and all of this has to be based on the evolution of requisite capacity building.
The Global South, and, again, especially Africa must seek to adopt common Democratic positions on things like Internet freedoms, African states have shared, need to have shared notions of democracy, access to information to start enhancing not just our diplomatic capital, but to ensure that our priorities are not ignored and they will form the core of some of these global norms that are being developed and more importantly currently being implemented.
So there is a case for Africa and the Global South to develop additional norms for us or by us, and we need to have these based on strategic conversations, based on sound academic research.
My key take away unfortunately is that we need to support our strategic decision makers to gain better insights into the issues that I would say more importantly what to ask for. And so part of what we need to ask for is capacity building so we gain a better understanding of the issues, but what kind of capacity building?
I think as David had eloquently put it, you cannot afford to send everybody out somewhere. How do you step down that capacity building locally? For example, do you say for every person the benefits from external capacity building on these issues, they must step down to a minimum of 10 or 15 people? What mechanisms do we need to put in place to make that effective, because at the end of the day, cost is a big factor, and we do have to husband our resources and convert our human resource into human capital.
I'll taken later. Thank you.
>> MODERATOR: Thank you. Pilar Saenz, can we go to you next. Coming from a civil society and perspective of working in human rights and digital rights, what is your understanding of capacity, cyber capacity building and what do you feel are the milestones that we have actually achieved so far?
>> PILAR SAENZ: So first, thank you for the invitation to be here. It’s great. And actually, when I was asking to be in this panel, I said that we are not ready to have this conversation yet in Colombia, for example. Our civil society organisations are not participating some this meetings and also in the open‑ended group in UN, but the conversation locally around how to build this capacity in cybersecurity is something that is just beginning.
And in my opinion, we need both things that the other panelists are talking about, fierce participation for many years we have this building of the policy on cybersecurity, but it was the last four years the participation of civil society was possible. And in this moment, for example, that we have a change in our Government, in our local Government it's not in this moment there is a lack of knowledge and lack of institutionality around who will take the decision in cybersecurity.
We are not sure how it is going to be. And I think that it's something that is creating and something that will happen in the next year, but in 24 moment we are in a very early point of this conversation, and as a civil society organisation, we participate in some of the global discussion scenarios and we are learning about that and I think this is something that for us is important to understand better how can we in the local as for capacity, as for participation, and as for institution to do that.
>> MODERATOR: Pilar, we do have interpretation, so you should feel free to speak in Spanish, if you wanted to. I think the final speaker we have on the panel now is Anastasiya Kazakova. You work in the private sector, and what is your perspective On cyber capacity building and the milestones we have achieved.
>> ANASTASIYA KAZAKOVA: Thank you very much for having me as well.
I'm representing the industry and the private sector. We are the global cybersecurity company and have a unique position in the cyber capacity building just because we are one of those companies that do have the resources to invest into the cyber capacity building and that's to help different communities including our partners, customers, users, but going far broader to also support many other stakeholders, relevant stakeholders in the community. So I will be happy to share the experience that we do have.
From our perspective as a participant and active contributor to the cybercrime activities at UN level and regional level in the past years, it's definitely well agreed with the others because you have seen that at the current stage we do have a lot of content and a lot of information to guide participations and guide also actions in the cyber capacity building.
Would you have principles, would you have quite successful in the 2021 report which also informs a lot of multistakeholder community on the impetus that the UN Member States have made, and at the same time will you also see activity coming from regional organisations which are a very important element in this common success, and we do also see the increase and the different status in the research to provide more qualitative and quantitative information about how major success in capacity building, and I have seen among participants today a number of representatives that have actually produced really great status on cyber capacity building, and we also believe that it is important work to continue to do to provide more metrics, frameworks to understand what is actually needed to provide in terms of cyber capacity building.
However, there are still challenges we continue to face, and those include I think coming from the top, from the UN level is challenges for true inclusive multistakeholder participation, for more transparent process, more formal process, we also understand that next year we will see a parallel process probably in terms of, in addition, so it would be the question how to meaningfully contribute, continue to contribute to different processes at the UN level.
At the national level, the challenges, of course, include sometimes the lack of clear progresses, institutional processes, legal processes and overall lack of initiative or impetus coming from the Government or from the, related to the Government, institutions to actually raise awareness more on the cyber capacity building.
But overall, we do believe that currently we are moving in the right direction in terms of the different meanings, different initiatives, and it is hoped that at the UN level the OWG will continue this path until 2025 and hopefully ideas will be brought from the broad multistakeholders as well.
>> MODERATOR: I think that's if for the panelists at the moment. Let's take questions from participants on how you feel we have ‑‑ are we reaching a point where there is a common understanding of what is meant by cybersecurity and safety, a common understanding of what capacities we need? Any questions for the panelists so far.
>> AUDIENCE: Thank you very much for giving me this opportunity again. I am from Australia. My research area is cryptocurrency and also cyber investigation in forensics. I want to ask one basic question for this this fora United Nations IGF 2022. Have the UN signatory countries, how do we achieve maximum capacity protection from cyber-attack to internationally like a United Nations unified body or and for each individual nation worldwide? And I have some suggestion if you give me, I'm a cybersecurity professional and trainer. And I will have some, I miss in the morning, if you give me a chance, I will do that, but I just want to answer that question. Thank you very much.
I will have suggestion on it but I want to hear from the other panelists.
>> MODERATOR: We have one more hand in the room. Go ahead.
>> AUDIENCE: I am Miodit from UNICEF Ethiopia country office. My question is about capacity building, changing human capital. So as you know it very well, most of the younger population in Africa living in suburb or outside of city area, how can we maximize security before we are assuring access? For most of our population even system will phone user application is a luxury let alone PC and tablet.
I want to hear how can we maximize cybersecurity without dealing with the access first? Thank you.
>> MODERATOR: That's always a question. Do you deal with the access first and then the security or do you try and introduce security into the access before you introduce it?
>> Not a question but a remark with a suggestion to solve problems we are facing with regard to accountability of states for misbehaviors, and it was stated that we should develop an internationally binding agreement on cybersecurity based on principles and establish a global framework and rules and norms and accountable behaviors of global digital platforms and service provider and data security illegal content competition law.
>> MODERATOR: You will be the last question at this point.
>> AUDIENCE: Thank you for this great presentation. I am from Tunisia. I want to ask the global conversation, is it related Microsoft for technical aspects?
>> MODERATOR: We didn't hear you clearly.
>> AUDIENCE: (Interference on audio).
>> MODERATOR: The question is the global conversation. Is it about technical security, about norms? One of the questions I think people often struggle with is the relationship between cybersecurity and cybercrime and the dimension of international cybersecurity which is what many of these UN processes focus on and cybersecurity as we experience it at home.
My experience is that it's becoming more and more difficult to separate those from one another. So actually, I would appreciate if the panelists can talk about that as well. Peggy over to you first.
>> PEGGY HICKS: Thanks for the questions. I think I inform them go to these issues around are we tackling issues of cybersecurity in the right way, in the right order, national versus international and I think that, and I agree with Anriette about the merging of topics between cybersecurity, cybercrime, digital policy. Generally we have been talking about how those pieces come together. I think it's important in answering that to say as we always do that ultimately we do need to address at all levels the question.
So there are issues at the national or even at the individual level related to cybersecurity but there are roles that the global processes can play and that's the framing for the discussion was around the OEWG and efforts going on at the UN level and their contribution including through the cybersecurity capacity building efforts that have been described.
But I think from a human rights perspective, we do need to bring that conversation back, as I said, to what are the real challenges that people face, and I want to be clear that one of the challenges from a human rights perspective is the fact that this area of discussion, cybersecurity and cybercrime are areas that are a double‑edged sword for human rights defenders, journalists and others. They are actually themselves under attack, and need protection and need cybersecurity and need digital security and capacity building and greater digital security tools given prevalent use of spyware, so we have written a report from the UN Human Rights Council released in September that really looks at what it would take to address those issues of surveillance technology.
And that, of course, then will give civil society the space that they need to meaningfully participate in the types of processes we are talking about. So to just say a few words about those efforts, on the spyware and surveillance side, I think we need to look at the fact that we don't have the proper controls in place, and the reality is that tools like Pegasus can tap into every aspect of not only the target's lives but the people around them.
So we need to take more steps. One is, of course, states need to be transparent about how they are using those tools. We are calling for a moratorium on the domestic and transnational sale and use of surveillance systems will in the properly human rights‑related safeguards are in place, and really calling states to only use such spyware as a measure of last resort for specific acts and serious threats related to national security in targeted ways with strong safeguards in place.
Finally, one of the things we are looking for there is at the international level talking about how we might need to look at a well-crafted export control regime.
>> MODERATOR: David, over to you. I would like to hear you react to the points Peggy has just made about the challenges to ensure the kind of oversight that we need to prevent abuses, human rights abuses taking place under the guise of generates or establishing cybersecurity.
>> DAVID KOH: Thanks very much. I like very much your framing when you talk about the challenges, the question about whether the global conversations about technology or whether it is about security, about crime, whether it's international, domestic. These are actually great questions, and these are in essence some of the challenges that we are facing at the operational level and in fact our citizens are facing on the ground.
We can talk about it at the UN process, for example, we are talking about it in the first and third Committee, but on the ground as far as the average citizen is concerned, there is very little distinction made between cybersecurity versus cybercrime versus personal data, information, et cetera.
So I think the reality is that the divisions that we make, whether within Governments or at international level sometimes are a bit Archean and less relevant than on the ground. So we do need in my view to view the entire issue holistically.
I recall, some Developed Countries might be very seized by the conversation at the international level about whether responsible state behavior to prevent escalations in the wartime scenario are important, but for the average person whether in Asia or Africa, I think the primary concern with respect to cybersecurity really is about cybercrime, and we need to deal with this.
Whether they are domestic or internationals that another great aspect to the question. I will say increasingly the view is that cybercrimes, cybersecurity issues are transported. The criminals are not coming from down the street, from other part of the country, they are coming from all over the world.
We see this very much so in Singapore. And a lot of it is, the crime is facilitated by cryptocurrency. So the issue is not just whether it's technical, whether it's norm, whether it's about national, international, it's also about whether it's operational, technical, or about money.
A lot of the motivation about ransomware and about cyber-criminal activity is about ultimately money. If we can control the movement of the money or at least put oversight safeguards on cryptocurrencies, illegal use of it, the abuse of cryptocurrencies, the regulations and oversights, antimoney laundering facilities know your customer oversight elements for cryptocurrencies and these would significantly curtail the abuse of these methods for criminal as well as national security concern.
So I think this requires very much an international effort. On the issue about whether the issue about rules, norms or responsible behavior should be binding or non‑binding, my view of this is that it's going to be a huge challenge, especially in today's geopolitical context to negotiate a treaty which will have binding norms or binding rules, but then the question rises of whether there is any value in non‑binding, non‑sort of responsible state behavior.
I recently attended a meeting and a good friend of mine from Kenya made an excellent point. She said that insofar as most of us are concerned, the commandments is not a binding law for the average person, but notwithstanding that it's not binding.
The fact that it exists is an aspiration, it's a norm of responsible personal behavior. It has inspired behavior of individuals, of countries, regulations, laws, and in that context, it does serve a purpose. So I would argue that non‑binding non‑sort of responsible state behavior in cybersecurity could have such an effect down street for us.
I want to ‑‑ downstream from us.
I want to address the question from the UNICEF colleague. I think it's a great question. It exists in my neck of the woods, we have 600 million people when want to connect, and the opportunities of digitalization, the opportunities of the Internet, information, education, social opportunity, economic opportunity are enormous and all countries, all citizens want to do this, but how can we do this safe?
If you don't get cybersecurity rights then there are 600 million people that will be exposed to cybercrimes around the world. My view is it's not an option. It shouldn't be a question of do I have this or the other. I think that's part of the problem that we are facing today. Cybersecurity is seen as an optional extra to connectivity to the Internet.
I think it should not be seen that way. It should be seen as an integrated whole. One should have secure access to the Internet. It should be baked in from the onset. Let me put it another way, use an analogy all of us are familiar already with. We have water in cities, et cetera, we have authorities which are providing water to the individuals. We are not asked to filter the water or purify the water in our own homes.
Instead the authority actually provides water which is treated to all citizens. In that kind of context, it is more specifically and efficiently done upstream. The same can and should be done for Internet access. We all access the Internet from the Internet Service Providers, the telecommunications companies. They are providing it at scale to us. In the same way they can secure it at scale to us.
This way all of us can get access to it, but it is safe, secure access. I think this is the way to go. We should view cybersecurity not as an optional extra, not as a drag to getting access to the Internet, we should deal cybersecurity as similar to the brakes on a car. If we want to good fast, we need good brakes. If we want access to digital future, we need good cybersecurity.
Thank you.
>> MODERATOR: Thanks, David. I would agree with that, but just as a caution I think as long as that does not come with those in authority deciding what content people have access to or not.
>> PEGGY HICKS: I appreciated the comments, David, about the usefulness of non‑binding norms, and I would like the comment from your Kenyan friend as well that aspirational norms can be powerful. I just wanted to throw in, of course, that that is part of why we emphasize the human rights framework so often. It is a universally agreed, it started with a huge participation from drafters based in Africa, and looks at over 75 years legally binding obligations that the world has agreed to all countries, all regions have endorsed this framework, and it does have incredible relevance when trying to address fundamental questions that we see in the digital space.
So that's the basis for answering some of the questions, we don't need to create new norms. We actually have some. What we need to talk about is how they can best be applied in this space. And just to support you on the side of the connectivity and its importance and the need for safe and secure access, I would add only that inclusivity. We need to make sure that that connectivity is done in a way that those most marginalized and most vulnerable are not those left behind in terms of how it happens, and, of course, when we have connectivity, we have to keep it on.
So there need to be firm commitments by Governments that they will keep the connection going, that they do not engage in Internet shutdowns such as we see currently here in Ethiopia. Thank you.
>> MODERATOR: Thanks. What is your response to the question, Abdul?
>> ABDUL‑HAKEEM AJIJOLA: On question one regarding cyber-attack, there are three key areas, one, awareness across a spectrum and various value chains. Taking cyber hygiene as a foundational defense and building cybersecurity or cyber culture. With regards to question number two in terms of maximizing security, I think we do need to discourage digital authoritarian tendencies through good governance. We certainly need freedom of speech, but I think many of us would argue that we also need more importantly freedom after the speech.
Having said that we do need to tackle fake news and hate speech. I would also like to echo David and Peggy. I think access and security go hand in hand because no security, no usage, then what's the point of the access if you don't use it. So, again, if you have water and its dirty, you are not going to drink it.
I also think we need to evolve initiatives that leverage civil society to foster good governance of both the public and the private sector because both organisations need to improve the governance structures, especially in the areas of cyber interception. Personally identifiable data management, you know, and privacy issues and really seek ways to enhance our own data sovereignty. On the question of the accountability of states, cybersecurity or cyber generally evolves very quickly, while laws or legislation whether they are international or domestic are slow.
Characters operate at the speed of light, and law enforcement goes at the speed of law. And one of the ways around this is to be proactive but to empower regulators so they can turn around much more quickly maybe to put in place regulations as opposed to legislation that takes quite a long time to do. A second component to this is to build cyber and digital trust stability and access through availability, predictability, reliability, resilience and positive value propositions.
I think Peggy had touched on this in terms of keeping the Internet on once you get it. And then in terms of the global conversations, I think we do have to appreciate that all of this is about people. It's really the combination of people, process and technology. And in terms of emphasis, I would say people, people, people, process, process, and technology.
Finally, I think especially the Global South and Africa in particular, we do need to still do a lot of work around changing misperceptions on not just African Governments but institutions that cybersecurity is not an African problem to solve.
I think this misunderstanding or misperception is compounded by the misunderstanding that increasing Internet access without trust based on cybersecurity, it will not increase utilization.
I think many Governments are actually quite worried on the one part empowering their people with requisite knowledge, but also quite legitimately when you look at the specter of hate speech and fake news, people getting the wrong kind of knowledge, and, Anriette, as you have asked, who amongst us is to make that judgment and decision? Thank you.
>> ANASTASIYA KAZAKOVA: I also wanted to address the very first question which is still very critical to address how more cybersecurity could be tried. And the first is education. Education for users, for relevant stakeholders, for diplomats, for Governments, for the industry as well to be more educated about the implications and notions of the international law and how could it be supplied from the framework that diplomats have already agreed within the previous iterations at the UN level.
And we do also portray our own experience in this regard. We try to bring more sort of expertise that we do possess about the technical attribution in particular to share more with the diverse community of the diplomats, academia, relevant technical community partners with DiploFoundation to develop the game to have different stakeholders to learn different notions of how the attributions could be done.
This is the second pillar is cooperation, ensuring cybersecurity is no doubt a team support. So even today in a problematic, geopolitical climate which does impact a lot, cybersecurity unfortunately is a challenge and it limits cooperation across different communities and here I refer to communities who traditionally try to stick together to change information in case of incidents to change information about vulnerabilities. Because all of this is critical, cybercrime, cyber incidents, cyber threats do not know borders. And lots of the different users and stakeholders could be impacted even though cyber criminals could target initially a limited scope.
It could be lowered to different territories, restrictions and sectors. To allow incident responders to continue information change. I would also address the question on the human rights abuses and I do agree with what has been said, but also from a technical perspective it's critical to look and also focus on, also focus on the problem of the vulnerabilities and probably to continue condemning the exploitation for criminal, political, and commercial purposes.
I think that could be one further solution to avoid incidents we had already.
>> MODERATOR: Thanks very much, David mentioned the importance of a holistic approach, and I think there is consensus that that is the right way to go, but it's not always easy to implement, Abdul‑Hakeem and myself participate in a process this year where we developed African cyber capacity priorities. One of the things we found was that the responders are completely unaware of the norms or of the international processes, that there is this disconnect between the people at national level who have responsibility for responding to threats and emergencies, and this conversation that takes place at the global level.
I know there are more hands. I just want to ask the panelists to ask one specific challenge that we have had, and that is to put this holistic approach in place at national level, but also at global level. One of the challenges with the open‑ended Working Group which was established with the intention of being a multistakeholder process has been the participation of non‑state actors.
I think the Chairs, the current Chair, Ambassador from Singapore has done his best to create space within the confines of the United Nations first Committee processes to create the opportunity for non‑state actors to be part of the conversation, but I think there is a sense that it's not enough. And I think that is often mirrored at national level. So my question so the panelists are how do we overcome this challenge of really institutionalizing this holistic participative process where non‑state actors collaborate, including human rights defenders with states, both within the UN and also at national level?
Thanks, Anriette, and it's good to go to that question. I think we need to do two things at the top. One is we need to build the understanding of why it's important. Once everybody agrees to its importance, then it's much easier to make sure it happens. So that means making the case for why multistakeholder processes, why having preserve at the table delivers better results. It's not something you do as an optional thing.
You do it both as a matter of right, people have a right to participate in the policy conversations that affect their lives, but also once we have those people at the table, what we get are better and more effective results. So build a case for way it needs to happen. The second thing we need to do is identify what are the real barriers. If it's not happening, what are the reasons why, and be quite critical and constructive in how we can overcome them.
Some of them that have emerges on the OEWG are political and that shouldn't get in the way of making progress that we need to hear. Sometimes it be a sense that civil society actors may be more critical or come in with disparate views that are not going to be helpful or supportive. I don't think that plays out in practice. When civil society comes in, they come in with expertise and knowledge of what's happening, that can be incredible helpful.
So I would encourage everybody to look at it and understand why civil society will be a much more effective actor at the table. But it's also, I think, looking at how, what are the barriers to that happening in terms of the accreditation processes, the resources, where these processes are happening, and trying to really open them up in a way that makes it much easier for people to be there.
And as I said, on the other side, we have to make it safe for them to be there as well, and that means we have to make sure that there are not possibilities of reprisals or responses, the use of spyware, surveillance technology, other things that actually interfere with the ability of civil society to have their voices heard in processes such like this. Thanks.
>> MODERATOR: David, your perspective?
>> DAVID KOH: Thank you. I agree with what both Anriette and Peggy have said. As you have said, Anriette, with have the open ended Working Group. It is Chaired by Singapore. It's a great honour to be leading this. It is led by our Permanent Representative in New York. And we are trying despite the current geopolitical tensions, et cetera, to try to continue to move this conversation forward.
We think it's essential that conversations about the stability, the security, the inclusiveness as well as interoperability of cyberspace continue, and continue in a platform like the United Nations which is an inclusive platform. All states have access to this. Unfortunately, the ideal would have been to have a multistakeholder approach as well and our Ambassador is trying its best to facilitate this, but as you have alluded to, there are objections that have been raised by some states and have the full access of some stakeholders.
As a matter of fact, just one week from now, there is going to be an informal OEWG intersessional meeting, and this is designed to be a multistakeholder meeting. It has allowed to actually include the accredited non‑steak stakeholders, sort of an ideal outcome, and I think there are others who haven't quite met the accredited criteria, but as I have said under the current constraints, this is at least a step forward.
I fully agree with what Peggy said. The question of why multistakeholder is important, we fully support this, and the reason is our cost because Governments do not have a monopoly on the ideas, the expertise, the capability or the technology associated with cyber and attendant challenges. Civil society, industry, other stakeholders all have real expertise, real capability and they understand the technology and they have perspectives which are important. So Government may have concerns about national security, but they are also equally multiple concern from a financial and economic perspective or way of life and how we choose to live our lives.
So these are important aspects, and it does demand that we have opportunities and move the conversation to be a multistakeholder approach.
>> MODERATOR: Thanks, David Koh. Pilar, I'm sorry, I left you out of the previous round. You have been at the end of civil society finding it challenging to be part of this process. What is your perspective on the non‑state actor participation in these processes?
>> PILAR SAENZ: I'm going to speak in Spanish.
I believe that there are several levels, things that must be approached to get civil society involvement in those fora, and the fact that the fora are multistakeholder fora is very important, but in order to participate we must create, we must do capacity building in civil society.
We have been working for a long time trying to be part of a discussion on cybersecurity with the Colombian Government and after a very short time ago, the relationship that might exist for different stakeholders to participate with the Government and the industry was quite limited. The chances were limited when we had the latest public policy discussion, we created the avenues for multistakeholders to be participating. We are doing a follow‑up here, but it's not so easy anyway because there is a lack of information and although some stakeholders are participating in the process, we always thought that many more actors should be involved.
There should be a wider discussion panel, and that's not the case currently. This is at the national level. If we talk about the global level, again, we have replicated some participation issues, though for us the global arenas having a much more open and welcoming, though it's true that we are not all, not all actors are invited in all cases.
It's not always easy to participate. So we might talk about barriers, there are technical barriers that are quite important. Usually when we think about regulations and proposals for regulations, many of them start when they start people don't know actually what technology does and how it works.
So it's difficult to have proper regulations. So we need regulators to know more about the technical issues to get good regulations in place. Besides, we have, there should be just self‑regulations. Companies set up frameworks to work in a safer environment, and this shouldn't just be something they should commit by themselves.
We need regulations passed by the national Parliament and this is influenced by what is happening elsewhere because the attacks are transborder attacks, cyber-attacks. There are connectivity issues that impact vulnerable groups. When we talk about connectivity barriers, we find scenarios that foster the dissemination of misinformation and disinformation.
This is related to connectivity because not everybody has access to the whole of Internet throughout the day, but they just have access to some parts of Internet, and this helps to the dissemination of disinformation.
These are barriers which we must overcome and tackle with creative solutions and the fora that are being opened up for multistakeholder discussions make it possible to share different opinions and points of view to listen to civil society.
This makes it easier to find approaches based on human rights and so that these conversations may expand and grow.
>> MODERATOR: Thank you, Pilar. (Captioner unable to hear speaker).
>> ABDUL‑HAKEEM AJIJOLA: I think it's important we understand why non‑stakeholders are needed of the education provides basic research and development upon which continued innovation relies. The financial sector basically they are a critical infrastructure and users of digital platforms, plus they are often a primary target of bad actors. You rob a bank because that's where the money is.
National security has the authority to defend national and sub national jurisdictions. The private sector by and large owns many or most of the platforms, and provides the supply chain and develops the needed solutions. The public sector has the authority to regulate players in national and sub national jurisdictions. We also have some specialized stakeholders, your international regulators, those who set standards, your multilateral partners.
If you take a loan from the World Bank, you are not going to shut them out of certain decision‑making processes, and in and of themselves they are critical infrastructure. And also you have the technology component. They build, manage, take care of your critical national information infrastructure, they are potential points of failure and certainly they are drivers of opportunities.
I also think that in terms of our capacity building, we really need to focus, we need to focus on three issues. One is governance, not just Government. And this needs civil society because civil society is very good at holding people accountable to governance issues. We also need the technical people who basically by and large manage infrastructure and platforms, and we need the innovators who basically identify and exploit the opportunities.
They answer the question what's in it for me or what's in it for society. I also believe we need safe reporting and discussion spaces both domestically and nationally that minimize the weaponization of interdependence, and try to minimize the negative impacts of geo politics which, you know, is the reality of life, unfortunately.
Across the Global South and Africa in particular, again, our decision makers need to gain a better insight into the issue, the problems and opportunities and specifically what is it that we need to ask for. In terms of issues such as funding, I think there is a need for funding to ensure constant or consistent participation.
As of now, this is not a priority for many across the Global South. There is also a need, especially within jurisdictions to spread implementation, especially capacity building to avoid single points of institutional failure. We have seen spats between foreign affairs, the IT groups within Government, and, of course, national security. We need to be able to harmonize these relationships a bit better.
And I think most importantly, essentially in Africa, we do need to develop our own cyber related philosophies, principles and ethics upon which our policies, strategies and implementation frameworks will be based. Thank you.
>> MODERATOR: Thank you.
>> ANASTASIYA KAZAKOVA: I strongly agree with Abdul and ethics is an interesting direction to explore. Speaking about different areas where we see we can contribute as a non‑state actor, private sector industry and representative, and IGF is one of the such areas it's not only the UN or OEWG that have multistakeholder initiatives, but we could contribute. But the OEWG there are different for non‑state actors to tribute. And we haven't been given accreditation. Nonetheless, we do see a lot of openness coming from them to engage meaningful stakeholders and it's really great. We look that coming informal as well.
From outside we call for more thematic process and for clear governance as Abdul mentioned. For sure not all stakeholders contribute to all aspect that diplomats are discussing and from us we have a little expertise to contribute on issues related to international, but nonetheless we do see where we could support Governments, where we could support intergovernmental discussions, academia, other communities and those areas for including implementation of some of the norms particularly including supply chain integrity.
So I think clear Conference, clear processes would be so much helpful to manage expectations and maybe to bring more efficiency and effectiveness to this process. Thank you.
>> MODERATOR: Thanks, Anastasiya Kazakova, and I want to stress I think Peggy made the point, and Abdul emphasized that we have to build a common understanding of the value of engagement with non‑state actors. I think we use the concept multistakeholder sometimes delinked from the very specific value that I can add to specific processes and we need to avoid that. Let's talk a round of questions and then the panel will make final comments.
I will give to the gentleman here who has been so impatient he sent me a note. Please introduce yourself and be brief.
>> AUDIENCE: I will be very brief, questions to the moderators and the organizers of the panel. What was the rationale behind you inviting to represent the private sector a corporation that has been deemed a major cybersecurity threat by jurisdictions started with AFFC in the United States, in Parliament and major Western European Government and the second related question is why you didn't make a disclosure and reference to it when you introduced the company?
>> MODERATOR: I will respond to that. I assume you referring to the person working for Kastewacy. That's one of the strengths of the IGF that participants here are not representatives of their Governments. They are not members of national Delegations. They come from different stakeholder groups, but they are here as individuals. Participant speakers, individuals.
>> AUDIENCE: Not the Government, the company.
>> MODERATOR: I'm talking about individuals also do not represent their companies. They are here as individuals with expertise from a particular stakeholder group. Can we have that hand over there?
>> AUDIENCE: Thank you very much. Africa security alliance. Just a few comments, number one, this is to allude to what David said that cybersecurity is highly, UNECA come up with a report on cybersecurity for development in the fourth industrial revolution, and that's indicated clearly that cybersecurity has correlation with Internet penetration in Africa. About 66% in Latin America, about 60% in Asia where he represents about 82%. Secondly, to Abdul, he emphasized the people to people. People need to be aware because they are the weakest point.
These two combined with more stakeholders committed to enlightenment, awareness creation and maybe apps that can provide tips on cybersecurity measures, and apps that correlate or collect information about hacks that are about. So that will help us to generate statistics concerning that.
Lastly, UNECA also launched a guideline yesterday on cybersecurity model law. I think this will help to provide a framework for those coming up with their cybersecurity framework and law, and also that do already have it, it can be a template for review mechanism they may commission.
Lastly, very strongly in that report is the emphasize of cyber management, cybersecurity management. So management has really got to compliance, with regard to what needs to be done, so just to provide that input.
Thank you.
>> MODERATOR: Thanks Jimson. We also have questions online. Can we take them before we come to you, please.
>> SOOK-JUNG DOFEL: How is it doable to implement what is needed for capacity building and the other issue was on getting also on social media such as Facebook involved, but, again, we are having this discussion on multistakeholder approaches and so on. This shows how important it is to get everyone on at the table to discuss this issue. So no specific question I think that was not touched upon during the inputs.
>> MODERATOR: Go ahead, introduce yourself. We have someone in the room now.
>> AUDIENCE: My hand is up. Hello?
>> SOOK-JUNG DOFEL: I'm sorry, but actually because it's a little bit confusing with this virtual thing and so on, I really ask all of the people in the chat to type the questions in the chat and not to switch on the Mic and the camera. Because either wise it's a little bit confusing. So this is also what I already indicated in the chat to all participants in the chat or in Zoom, please type your questions there.
>> AUDIENCE: Hi, my name is Michael Water from the association of the Internet in Germany. I just want to make a remark. All of the processes which were mentioned here I guess will have little success as long as Governments prevent updates for reasons of surveillance and law enforcement and so on, so forth. And I think this is something we should go in first, and secondly, the industry should be forced to deliver higher quality in their software products.
And then we can come with the processes and I think life could be much easier.
>> MODERATOR: I think that's a very, very good point and attaches on the relationship between Abdul talked about, if I remember correctly, governance, technical innovation, and I think Governments have a role in holding companies accountable to ensuring that those high standards are maintained.
Thanks for that intervention. And I think you will be the last speaker, and then we will go back to the panel.
>> AUDIENCE: Thanks very much, Internet Society. Kyrgyzstan chapter. I want to bring up two points in regard to capacity building of civil society. First if we want to reach out to civil society in Developing Countries, we should be using the language that people understand in rural areas in through the channels that they usually participate. So in Kyrgyzstan we have been using traditional storytellers to explain cybersecurity issues in simple terms in entertaining way. So that has been effective. Second point is the gender aspect, especially for Developing Countries.
We have set up a help desk for citizens, and we wanted to make it gender balanced so that women and girls can feel more safe approaching it, and when we announced the job, we put that women are encouraged to apply. The person that got the job said she would never have applied if there was no little line, but played an important role. So for Developing Countries, gender aspects are very important. Thank you.
>> MODERATOR: Thank you for mentioning that and we don't get participation or inclusion if we are not deliberately creating spaces for it.
>> AUDIENCE: Thank you. My name is Mohunti, I come from Tunisia. I would like to thank you for this she helpful and interesting panel on cybersecurity. But my question is maybe for all of the panelists, since we are in the 17th annual IGF, which is held in an African country, and since the latest cybersecurity experts report say that the African region is the most affected and the most let's say city and affected region in terms of cybersecurity and cybercrime.
So my question is what can IGF or UN IGF do for the African region for cybercrime mechanisms or architectures or frameworks or something like that?
>> MODERATOR: Thanks very much. I think you have had the floor so I will not give it to you again. We are running out of time.
>> AUDIENCE: Thank you. I am from Georgia country. I represent Georgia, and thank you panelists for interesting presentation and interesting topic. It is no question, it is only my comment is I represent academia sector, evidence, process, and research process is very important for cybersecurity as we know, and it is enrolled in national strategies and policies. In the academia, the academia has a very important role for this. And we don't forget about academia as one of the important stakeholders because academia can give very qualified, especially some process and technology and technical issues. Thank you.
>> MODERATOR: Thanks for pointing that out.
It's absolutely vital to have academic institutions and individual researchers involved in this process, not just at the level of training cybersecurity experts, but also a developing solutions for tracking attacks, tracing resources of attacks and I think some of the greatest breakthroughs in trying to source where cyber-attacks come from has come from the academic sector.
We now have to close. I think, Abdul‑Hakeem Ajijola, if you can answer that question specifically from the gentleman from Tunisia on Africa and what global institutions and processes like the IGF can do, and then I think the other panelist you can decide which questions you want to respond to. I would like to close with reflection on implementation.
We agree we need a holistic approach. We have agreed we do need states to take responsibility, but they need to collaborate and it needs to be participated. I think there is consensus that human centric concerns and concerns of human rights and transparency and governance have to be part of the cybersecurity process.
I would like to end just with one concrete proposal that you have for us to take this process forward. We’ll start with you, Peggy.
>> PEGGY HICKS: Thanks, everybody. Thanks for the conversation today, Anriette for putting up with some unruly panelists here. The questions were good and I want to complement the gentleman who raised the issues about how we talk about these questions at a local level and having to tailor our solutions to the people who are in need and particularly bringing in the gender aspect which frankly had been lacking from the conversation and I'm glad that you referenced it.
I also appreciate the question about what we expect from social media companies and the companies' role within this. Our language on that usually relates to the importance of this applying to UN Guiding Principles on Business and Human Rights, which really do require them to take an approach that contacts human rights due diligence. By that we mean they have to look at all of their activities, and assess how they could have an adverse impact on human rights.
And then once they figure that out, they have to take steps to prevent and mitigate those risks. So they do, and all of the major social media companies have said that they want to tailor their practices to comply with UN guiding principles and to respect human rights in that way. Governments, of course, also have an obligation under the guiding principles to regulate companies to ensure that they fulfill those responsibilities as well.
So that's sort of how that circle can be closed and the companies can be brought in more effectively from our perspective. I was also glad to hear about academia. I think it is a very important contributor to these conversations and it does bring us back to the participation question and what it means. One thing I wanted to mention is I brought up a point earlier about how we have seen that unfortunately some of the efforts that are taken by states to address cybercrime or cybersecurity issues end up having either intentionally or not an impact that has discouraged or even sanctioned people who want to engage in some of these activities, so cyber researchers have been affected by some of these laws as have human rights defenders and journalists.
So we need to be very careful that transnational crime and cybersecurity and cybercrime related regulation does not have those adverse impacts on those people we want to participate, and so you asked us for one concrete outcome. That could be mine, but basically the bottom line is we need to really invest in participation.
It won't just happen on its own. We need to take everything that's been said here and make sure that we provide the access and then the opportunity as well as sort of the resources and training and commitment necessary to make it happen through the capacity building we have talked about. Thank you.
>> MODERATOR: Anastasiya Kazakova I go to you next.
>> ANASTASIYA KAZAKOVA: Thank you very much. I would conclude on a similar note and say that it's important to provide the opportunities for different multistakeholders to contribute whatever they feel they have the expertise to contribute to bring more efficiency and effectiveness with the barriers and skills. As mentioned cybersecurity and dealing with the multispaces of the cyberspaces, one particular or one Government will be able to deal with completely, and still we are using technology that is globally produced, globally consumed and contributed. Therefore we can see the comment from the ICT of technology also have a global nature, super national nature.
So it's really inevitable to continue calling for greater cooperation between relevant stakeholders. Thank you.
>> MODERATOR: David.
>> DAVID KOH: Thanks very much. I echo the view from Peggy that this has been a great session. I want to end off picking up on your question about implementation, and on one of the themes that many of the speakers have talked about. Implementation and people. I think the question arises, I love the stories and, that the gentleman from Kyrgyzstan shared and I totally agree that we need to speak to people in a language and in a manner which they are used to and the gentleman from the African security alliance saying that there is a need to raise awareness, and suggestions of putting tips, for example, on cybersecurity in apps. I would say that the common theme for this is that people are doing this and we need to raise awareness.
I want to share my perspective, and that is that, yes, awareness is one step in this path. We have done that in Singapore, but our realization is that awareness does not necessarily translate to adoption. So when we first started we thought that people don't know that there is a threat, cyberspace, et cetera, so we put in a lot of efforts to raise awareness. Now, surveys show that people are aware that there are these threats.
Then we ask the next question, what have you done about it, and people realize they haven't done very much about it. So there is a gap between awareness which has come to be a very high level, and adoption. So just something I want to share. Why is there a gap between awareness and adoption, and I think this goes to Pilar's point that actually there is a lack of understanding. People don't understand the technology. They don't understand the threat or the potential threat that the technology can have on them.
They don't know what the technology does and they don't know what the implications are on themselves, on their privacy, on their rights, or on their own security.
So I think this is the challenge. And I think we, therefore, need to do something along these lines. I think the gentleman from Germany who said that perhaps Government should force industry to deliver better products might be on the right path. I think ultimately we need to make the adoption of digitalization, digital technologies much more easy and the on board security to be automatically included so that, as I said it becomes instinctive, intuitive, et cetera, not as an optional extra. This is the challenge that we are facing.
So perhaps if you want me to end off on something as actionable, the realization is perhaps there is market failure in this. We want additional products, we want opportunities for digitalization, all of this great technology, but we are not getting it delivered in a manner that is safe and secure. Perhaps we need Governments, civil society, academia, all of the stakeholders to come together to raise the awareness of people that they understand actually the opportunities that technology provides us, but also potential threats and then when you realize that there are these threats to privacy and human rights as well as security, then we can collectively pressure the people who deliver these products to us to deliver them to us in a safe and secure manner. Thank you.
>> MODERATOR: Very, very useful input. Pilar.
>> PILAR SAENZ: I'm going to catch a plane, so I will be brief. There is some input that has to do with security and safety, and mostly in security which is not impacting the same on everyone. There are digital risks concentrated on the vulnerable or women, so working so that standards we put in place the discussions we have to consider this differences, and I think that here is the civil society and the academia have contributed with research and their input, but still we do need those in charge of local cybersecurity organisations facilitate this implementation. And something I said before about surveillance, technologies do not have full regulation and we are having trouble with implementation of surveillance in many countries where there is no capacity for control and monitoring of this surveillance itself and this lends itself to other uses.
That is an issue that requires more work and international efforts are in place, but also we need local efforts.
>> ABDUL‑HAKEEM AJIJOLA: To the question, what can the IGF and the international community do for Africa? I don't have an answer, but what I would ask is what can Africa do? Number one, Africa needs to build a sustainable micro, small, and medium‑scale enterprises, cybersecurity ecosystem. Markets projects that the African cybersecurity market next year between 2023 and 2025 will hit anywhere between 3.6 and $4.5 billion. William McCanty in Nairobi estimates that over the next 10 years the African cybersecurity market, Africa alone will be valued at anywhere between 15 and $30 billion. So what percentage of that market will be for Tunisia, and, indeed for the Africans in the hall today? What percentage of that market will be yours?
Can we make cybersecurity a societal profit centre not simply a cost centre. We are going to have to spend the money on solutions anyway, so is cybersecurity going to be a foreign exchange gain or is it going to be a foreign exchange drain? It’s an opportunity in my opinion for job creation, wealth generation and as a byproduct governmental will get revenue generation through taxes.
We do need to look at the cybersecurity value chains because I believe strongly that we need to out‑recruit the bad actors, ISC squared carries out an annual cybersecurity workforce study, and their 2022 this year study indicates that there is a worldwide gap of 3.4 million cybersecurity workers.
Where there is opportunity, where there is shortage, rather, there is opportunity. We have young Africans, especially from Sub‑Saharan Africa dying crossing the desert, dying cross he is the Mediterranean and becoming second class citizens in destination countries. Why can we not empower them not to become a respected diaspora, but more importantly can we empower them so they can work from home and earn dollars and Euros while spending Schillings and Nira as the case may be.
And finally I think that whatever we are doing, we must factor the underserved, the unserved and the unborn, because they must live in the future with the decisions we make today.
Thank you.
>> MODERATOR: Thanks very much. And thank you to all of the people in the audience. I see one of our participants Amir Assain is saying can we use the Global Digital Compact the upcoming UN process to find a way of establishing principles and consensus on this holistic approach to cybersecurity.
So I just want to emphasize a few things because I think the panelists made good points.
The point about we will not get inclusion if we don't design for it. We won't have participative processes if we don't approach it deliberately. I think David's point about awareness is not enough. We need to go from awareness to adoption. And then I think the point about understanding, we, a multistakeholder approach, a collaborative approach still involves specific roles for specific stakeholders in that ecosystem, but it also involves us understanding one another's different roles and collaborating.
And then I think finally the issue of ownership, cybersecurity and safety is something that every individual, and every user on the Internet is entitled to, and should become part of through our own practice. I think just relying on others to create it for us will not work. And then we have to ultimately link it to transparency, to good governance, and to respect for information and communications and human rights. A system that is secure authoritarian means is not one that is secure in a sustainable way. So thank you so Sook and other MAG members and for organising this session, and to all of the panelists and all of the participants.