IGF 2024 - Day 3 - Workshop Room 4 - WS103 Aligning strategies, protecting critical infrastructure

The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.


>> MODERATOR: Welcome, everyone. I think we're ready to start. For those of you who are wondering if you're in the right room, this is workshop 103, forum on aligning strategies, protecting critical infrastructure. This is a workshop that we've convened together. And I will be moderating this session today.

So why have we chosen to put this topic forward for the IGF?

We've chosen it because we feel strongly that digital transformation is now part of every country's development. It creates opportunities, enables basically everything from distance learning to economic advances, manufacturing, guided culture, all societal divisions and all sectors of the economy. And that cybersecurity is central to making this space work.

But as we see the cyberspace evolving, the centrality that it has to everyday lives, it also poses a number of risks and it needs us all to work together to ensure trust in the digital economy through the protection of the availability, integrity, confidentiality of these most essential infrastructures that make the Internet and digital technologies work and the services that they provide to the DR.

So that's all I really wanted to say about the importance of the discussion that will happen today. My role here will be the easy one, I'm just going to ask the questions, but I have a number of experts both here in the room and online who will do the hard job in trying to provide some answers to why we need to talk about this where we are at and where we're heading towards.

So just for a quick introduction before I hand over, we will have with us, in the order in which they will be speaking, Mr. Rene Summer online, who is director of government and industry relations at the Ericsson Group. He will be our keynote speaker today. Then we'll have a panel conversation with Julia Rodriguez Acosta, online as well, hello, Julia, from the Permanent Mission of El Salvador to the United Nations.

Mr. Wouter Kobes, standardization adviser from the Netherlands. Ms. Chris Buckridge, Ms. Francesca, and Ms. Robyn Greene sitting in front of me, who's director for privacy and public policy. So without further ado, I think we're ready to jump in and hear from Rene. We have a keynote address to kick us off and discuss a little bit about what is the current state of play in critical infrastructures and their supply chains and what ICC has done about all this in the recent past. Rene, I'm passing it over to you. I hope you can hear us and you're ready for your keynote.

Do we have Rene online? Seems like his screen might be frozen here. Rene, you hear us? Can we check -- hello? Rene, are you with us? Can you hear me? Can you try and speak? Can you message him to try to speak?

>> RENE SUMMER: Hello, can you hear me?

>> MODERATOR: Yes, we can.

>> RENE SUMMER: I can't hear you, in case you're talking to me.

>> MODERATOR: Yes, I'm talking to you. Can we make sure he has audio. My apologies for the technical confusion. Or just while we're trying to figure out maybe somebody can put in the chat that he can start his keynote.

My apologies for the technical difficulties.

>> FRANCESCA BOSCO: I sent him a message, let's see if he can see.

>> RENE SUMMER: Yes, I can hear now.

>> TIMEA SUTO: Perfect, okay. I was just saying we're ready for your keynote.

>> RENE SUMMER: Great. Thank you very much. And great to see that you always have the challenges of technology, today as well. So I guess that's the technology companies.

Thank you very much for inviting me today. I'm Rene Summer, I'm with the ICC, and for those of you who don't know us, we're representing 45 million companies from about 170 countries, and we are advocating for solutions and for policy recommendations and bring a wealth of experts in our network.

So we do take a lot of effort in bringing a lot of expertise to make solid and insightful contributions.

So with this in mind, we took some steps and reflected on what it is that we see unfolding, happening in our world today. And what is really at stake before we get into more of the details of this discussion.

And if we move to the next slide, please, I think what we are really concerned with is the current development in our cyberspace. And this is really putting new challenges and risks to our companies, it goes beyond our companies and has significant impact both on public safety, economic stability and security, and national security.

And this, of course, means that more and more focus and emphasis is also put by national policymakers and regulators on the issue of cyber resilience and cybersecurity.

So this, of course, motivated us, looking at the next slide, then, to think harder on what does this really mean when we not only have this broader picture and context of cyberspace, but also that we see increased sophistication in cyberthreats.

So that means that we see more and more novel threat actors coming in and that is coupled with increased interconnectedness between what is ICT and other critical infrastructures.

So we see also an expanded threat surface through this dependency. And that, of course, also means that there will be more and more severe consequences if cyberattacks are successful.

So this means that with this development and the emphasis by policymakers on cybersecurity and resilience of critical infrastructures and the supply chain, there is, of course, more pressure also on the industry to do more. And this is, in many aspects, rightly to take place.

But it also means that we are facing a number of challenges, not only from a growing burden of compliance, speaking of particularly the operators of critical infrastructures, but also that these initiatives create challenges in terms of policy and regulation. This is why we also want to be part of this discussion.

So this really brings me to the purpose of why we took the steps we took and the detail that we are presenting here today. And if we move to the next slide, please, this is the contribution that we are making here today.

And we share the insights from our working paper on protecting cybersecurity of critical infrastructures and their supply chains.

And this really is what we want to convey as a message is that there is a need for a holistic approach. And I will delve into what that means in more detail. But also that we need all stakeholders to be involved, and particularly of course, the governments that have to fulfill their roles as well.

Many times we hear that cybersecurity is a team sport, which is, of course, largely true. But there is also distinct roles and responsibilities that each stakeholders need to take and that also includes governments and the policymakers.

So if we can then move to the next slide and think about what are the dilemmas that we, on one hand industry, but other stakeholders and governments, face in terms of doing more, we have in our paper identified some of the key dilemmas that at least from our end we see limiting the effectiveness of what can be done more and better to increase the resilience of critical infrastructures.

And of course, starting from our policy perspective, then, one of the challenges we see is that many jurisdictions that have developed critical infrastructure frameworks, which is far from all countries, have taken quite different approaches in terms of definitions and so on and so forth.

And this creates at least two challenges. One is that the question of policy targets. And policy targeting differs between jurisdictions, of course. That means different objectives are ultimately being pursued.

But secondly, as these frameworks venture into obligations and requirements, this brings complexity and fragmentation. And I would really like to underline and want all of us here to think about that fragmentation, and complexity, is the number one issue of security. This is a security argument: fragmentation and complexity are the Number 1 enemy of security posture.

Then of course some jurisdictions have moved beyond the question of critical infrastructures only and speak of actually the essential services that these critical infrastructures deliver and bring to the public sector, to the consumers, or to other industries.

And I think that is another important element, is that ultimately we are not only protecting the critical infrastructures as policymakers, but the essential services that these render. And it is worthwhile to underline that distinction as governments and nations move on to develop further frameworks.

I think also something which we are trying to address in this paper is the increase in interdependency between what has been seen as the telecom sector or the digital sector and how those get interlinked with what previously were seen as separate industries, be it energy, power distribution and so on and so forth. This interdependency also creates additional risks and threats that need to be considered and addressed.

Because of global supply chains and the suppliers that supply the equipment and solutions into the sectors, we also need to think about the global interconnectedness and the impacts that may come from these dependencies. So we don't only see cascading risks or effects between the national critical sectors, but also from the national arena into the international space when we also have an international supply chain.

And as all of you well know, cybersecurity does not know any borders, so this, of course, brings additional challenges.

I think it is also important to highlight the aspect of third-party suppliers in the supply chain that have also been increasingly targeted by threat actors and become an entry point into impacting critical infrastructures.

And here, of course, a number of challenges that we will talk about later need to be addressed.

But also important to keep in mind that there are, of course, different types of suppliers and they have different levels of maturity, and making sure that we have sufficient capacities and capabilities in the supply chain to address these risks and exposures is extremely important.

Which brings me then to, well, how do you move beyond dilemmas. If you go to the next slide, please, we of course, took good time and effort to think about, well, what are the best -- industry best practices and what do we see on policy and regulatory side?

And by no means this is a unique insight by ICC and its members, because of course, there's a lot of good work done by others. And we have definitely stolen with pride where there are other entities or stakeholders that have put a lot of effort and thought into these questions.

And here you can see a number of examples that we have addressed in our paper, what we think is important to take onboard and how we can also make use of these best practices when I talk more about private-public partnership.

And some of these examples here, of course, such as having the comprehensive security measures or strong data backups and so on, fundamental considerations that we believe that industry needs to lead with and it's a necessary part of the solution.

But again, we also have policy and regulatory approaches that we need to take care about and consider how they impact the critical infrastructures and the operators of those.

And as in any other industry we talk about, the operators of critical infrastructures also face a number of constraints. That means when we look at the different regulations and approaches, it is important to think about how we make sure that those are effective, targeted, and achieve their objectives so that we can work with them in the most effective way. I think all are looking to protect their critical infrastructures and the supply chain.

So moving beyond this generic statement, if we go to the next slide, please, we do, of course, think that there is more to be done. And we believe from the industry side there are a number of priorities thinking about the constraint.

For instance, start with the baseline security requirements first to make sure what needs to be done first is really in play. We don't need to start with perfection on Day 1, but really make sure that the bare minimum is in place and work from there.

Rather than trying to fix everything at the same time.

Secondly, I think what is important because of dependencies I touched upon earlier, it's important to think about what are the third parties, the supply chain actors doing in terms of contributing to or actually decreasing the security posture of critical infrastructures.

So please do keep that in mind. And of course, from a more commercial point of view, partnerships between the critical infrastructure operators is key and that needs to be incentivized to make sure that the bare minimum at least is achieved.

On the policy side, I would say that there are few things which we already see being developed in several jurisdictions. We see that there are now requirements on suppliers and third parties on how secure software development process should look like. This is something which I think should be expected. And as we see that more and more sectors are becoming more software driven and software rich, this is definitely an important aspect of security.

Speaking also of the supply chain and where not only resilience security but also trust is important, diversification is key. This is another element of policy making that we see is developing that you want to make sure that you have a resilience, secure, and trusted supply chain.

Lastly I think also, or we think, that an essential aspect of policy is to make sure that on one hand there are clear roles and responsibilities, but also that cooperation and coordination between stakeholders is happening. Because we don't want to see it stop the behavior of sharing information, being proactive and sometimes even taking risks, especially when you talk about the heat of the moment when incidents and threats are unfolding and measures need to be taken.

With that, if we can move to the next slide, if we put some of these examples in a kind of broader, bigger picture, what is it that we are really looking for?

And this, I think, needs repetition, repetition because it takes time from saying this and seeing this being implemented into policy action.

Number 1 again, there is no such thing as a silver bullet here. That's why we're advocating for holistic policy that's well balanced and targeted to ensure that the central service providers and critical infrastructures are working together towards a set of goals.

In the context of cooperation, it is also important that we see that there is both emphasis on enforcement, but also on incentivizing proper behavior. And this, I think, is particularly important to keep in mind, because cybersecurity is not an end in a sense that we come to a situation when everything is cyber secure. It's a continuous journey and state that's always on the move. So we will never be done. There is no final checkpoint. And that's why it's important to also have incentives for appropriate behavior.

Then I think, and this comes back to my initial call that also governments have a really important role. And while cybersecurity is a team sport, there is also clear role for governments.

And there are residual risks, even if you develop an appropriate security regulation framework and you take appropriate mitigating measures on board, there will always be residual risks. This is where governments in particular have a very important role to play.

And you see some examples on measures of how you can address these residual risks. This is something which the industry will not be able to fix. And there are no insurances for this to be -- to be taken. And even if so, it doesn't mean that negative consequences will not happen just because you have an insurance.

So please do think about those as well, how to tackle the residual risk. It is very, very important.

If we move to the next slide, then, and here I think we have three more slides to kind of go a little bit more into some of the recommendations we have in this paper.

From our policy making perspective, it is absolutely necessary that nations do have an independent, competent cybersecurity agency. This is a competence area that needs to be developed, it needs to be created, because as policymakers you are not only developing laws, but you have to protect in real time and take action to deal with incidents.

Just having regulation and secure products doesn't mean that threats will go away.

And when developing these national frameworks, the reasons why we speak about holistic approach and coordination between national cybersecurity agencies and policies, is also because one thing is about having a clear framework that we, as industry, understand what is expected of us. But again, cybersecurity is also something that is happening in real time. We talk about incidents, vulnerabilities, mitigation, so on. And it is absolutely necessary that there's a clear understanding of who is doing what and when so that we can also take action when actually attacks are successful and we need to recover quickly and get back into cooperation with minimum damage.

And this requires cooperation. It's important to think about that, yes, we need enforcement, clear rules, but we also need good cooperation between the private sector and the governmental agencies.

And lastly, when we talk about supply chains, again, I think looking at national fragmentation of requirements that breeds complexity, which is the number one enemy of security, international technical standards are a necessary feature of good security posture.

If we move to the next slide, please, which brings me to the international cooperation. Again, it is so that what happens at national level will not be bound by cyber incidents and cyber events from a national perspective. So to address the issue, for example, of response or the complexity challenges through fragmentation, it is essential governments do what is achievable in terms of working with their peers and strive to take action internationally, globally, to make sure that we can have as much harmonization on the rules, requirements, and the standards so we can create a common platform for addressing challenges. But also work with the complexity and reduce the complexity through fragmentation.

Coming back to the residual risks, this is where, of course, governments and nation states play an enormously important role. This is coming back to the question, how do we address the residual risk. This is where the international norms against state-sponsored cyberattacks are very important. That may be thinking through more how can we make sure there's public attribution following incidents, that there is an implementation of reverse deterrent measures for cyberattacks, and that we promote cooperation.

If we go to the next slide then, it's maybe to emphasize and not to dwell so much on this, working with national stakeholders is key, you see examples of that mentioned here but it doesn't bring anything new. In the interest of time maybe we can skip this slide and just finish off with that.

I hope that you found this information of interest and value. We do have the paper available. You have the links both in English, Spanish, and in Mandarin. We hope it's going to be an interesting read. If you have any further questions or interest in this information, please feel free to also reach out to the secretariat of ICC where we can schedule more interactions.

And I hope that this intervention has inspired some of you and I look forward to the discussion after my speech. Thank you again for the opportunity and I hope you have fruitful discussion.

Thank you very much. Over to you, Timea.

>> TIMEA SUTO: Thank you so much, Rene. This was quite an introduction and I do hope it gives food for thought for the conversation that we have planned going forward.

Of course, a little advertisement here for the ICC paper. We -- if you come to our booth just outside this room here, we have a QR Code for where you can easily download not only this one, but all the other publications that ICC has on cyber issues.

But coming back to the conversation and picking up one of the last points that you mentioned here, Rene, the need for collaboration around the protection of cybersecurity, of critical infrastructures, and especially the collaboration in the international space. I'd like to turn to Julia and ask a little bit about how this is going and how are we seeing any barriers that might impede some cross-border collaboration. And also what opportunities do you see in aligning national responses to security challenges with international and transnational agreements that we already have in place or are developing?

Over to you, Julia.

>> JULIA RODRIGUEZ ACOSTA: Thank you so much. Can you hear me okay?

>> TIMEA SUTO: Yes, we can.

>> JULIA RODRIGUEZ ACOSTA: Good morning, good afternoon and good evening to all. Thank you so much, Rene, for the thought-provoking presentation. It's a pleasure to join this important conversation from New York very early in the morning. I extend my gratitude to the International Chamber of Commerce for organizing such a timely and significant discussion. It is truly an honour to share views with global speakers.

So to set the tone for today's discussions and in response to the main questions, I would like to begin by highlighting the work that we have been doing at the United Nations regarding the protection of critical infrastructure.

This is well developed within the framework of responsible behavior, which lays out voluntary norms for expected conduct in cyberspace, and the norms related to critical infrastructure emphasize two principles, the turn the framework that we have today, the protection of critical infrastructure and more kind of our restricted obligations in reference to what was just exposed by Rene.

Kind of like refrain from actions that damage or disrupt such infrastructure, particularly when they impact availability and integrity.

And these are normative framework where it's crucial, especially for those infrastructures that provide essential services, including the general availability of the Internet itself.

So it is worth noting that the importance of protecting critical infrastructure has long been recognized within the United Nations system. For over 20 years this discussion began primarily from a development perspective. But in recent years it evolved into national security, and discussions now recognise that the protection of critical infrastructure is central to maintaining international peace and security, particularly in an interconnected world.

Whereas societal well-being cannot be separated from societal, economic, and human discussion. Right now the UN, United Nations open-ended working group has made significant progress in advancing this agenda, and one of the recent developments is in the just published annual progress report the categorization of critical infrastructure sectors that require protection.

And now we have an inclusion on sectors that range from health care, aviation, financial services, and energy. And I think that this sectoral approach is a significant step forward because it acknowledges that protecting critical infrastructure involves cross-border challenges with global implications. And second, because adopting a sector specific approach allows for the development of target operational measures that reflect the unique characteristics and vulnerability of each sector.

However, we also must acknowledge those barriers to cross-border collaboration in cybersecurity. As it was mentioned, one key challenge is the lack of aligned definitions and standards; while the UN's voluntary norms of responsible behavior provide a framework, differences in national interpretations and leading frameworks can hinder operational coordination.

Additionally, of course, there are gaps in trust, misaligned priorities, and the absence of unified approaches to identify and respond to threats, and these across borders complicate these efforts that we're trying to do at the multinational level.

Yet these challenges also present us with opportunities in aligning national responses with international agreements, for example. And not only at the international level, but also at the regional level. The creation of understanding and coordinated responses, and of course that by fostering trust and promoting partnerships both public, private, and multilateral, we can enhance and address the global basic critical infrastructure. This directly addresses the first policy question on cross-border challenges that hinder operability and coordination. And for us, the role of public-private partnership in strengthening the safety and security scheme.

So we have actively engaged in all the multilateral arena to advocate for implementation measures and we have emphasized the importance of collaboration with service providers, for example, as these are essential to ensure critical -- the protection of critical infrastructure.

While we -- the understanding of the need for multi-stakeholder collaboration is well established, we still face challenges in bringing these into policies. So I will stop here and particularly let those colleagues that represent other stakeholders share best industry practice. I think that Rene presented very well recommendations for enhancing cyber resilience, and I remain eager to engage more during the Q&A session and comments.

And I thank you so very much.

>> TIMEA SUTO: Thank you, Julia. We're going to return to the room here from the online world and I'm going to talk to Wouter here in front of me. We mentioned the role of norms, mentioned the role of regulations, but I wanted to hear about standards and protocols that also need to work across jurisdictions. Sorry, I think I'm losing my microphone. To make sure that what is put in place are actually operational on the ground and we don't have the fragmentation that Rene was talking about in the beginning.

So how do you see that in the standardization?

>> WOUTER KOBES: Thank you very much. As part of the Dutch government, we're using standards as a vessel to achieve various goals. One of them is interoperability within government, but also strategic independence from large vendors, and specifically on those standards that address cybersecurity, of course, the security of the government as well.

And we actually see that when we're pushing for adoption of these standards, this -- the result is that also other parts of critical infrastructure are positively affected by this because they start implementing certain standards as well.

And I think the interesting connection to the keynote of Rene is that the holistic approach to cybersecurity is also seen through security standards. You have really organizational standards, the well-known ones are the ISO 1 and standards, which give your company a guideline to implement cybersecurity measures at an organizational level.

Then moving on, there are technical standards that, well, each of these standards really serve a goal in actually protecting your organization better or addressing a design flaw of the Internet itself in terms of cybersecurity. I think the benefit of those standards is that it's quite easy to measure if a standard is adopted or not.

When all that fails, there are also standardized methods to share information, for instance between CERTs and organizations, think about indicators of compromise, vulnerabilities that have been found within systems, and in recent years even a standard has been developed where you basically can publish in a standardized way contact information; this can be used by researchers or ethical hackers to contact you in case they find a security issue in your system or organization which was not found in any of your previous efforts to improve cybersecurity.

So these are very nice standards to have, but of course a standard needs to be adopted before it becomes effective. This is where our main challenges lie. And I think in our experience, one of the best methods to actually increase adoption is to show how well standards are adopted within the Dutch government. And we have developed a measuring tool for this -- for this purpose that actually can report for every website, every email domain how your -- how well the standards are adopted within a certain government organization.

And through presenting these measurement results regularly, we see over time adoption of these important security standards, which will not solve all the challenges that Rene laid out with cybersecurity, because you are never done with cybersecurity. But it has in fact benefited the security of the Dutch government in that sense. And it's really nice also to have published this measuring tool for basically everyone in the world to use and to measure their adoption of these important security standards.

So that was my contribution. Thank you.

>> TIMEA SUTO: Thank you. So I'm going to turn to Chris here on my left, because we're talking here about a holistic approach, making sure that things work across borders, making sure that we share information, we don't lose sight. That all takes me into thinking about perhaps we need some capacity building to really enable this whole-of-society approach that we need in cybersecurity and to mainstream the conversations that we're having on the cybersecurity of critical infrastructures into the general thinking around digital transformation.

So how does the GFCE see that and then where do you see it from where you're sitting?

>> CHRIS BUCKRIDGE: Thank you very much. I mean, Chris Buckridge, I'm here as senior strategy adviser with the Global Forum on Cyber Expertise. And based on what I already heard, based on listening to Rene's keynote there which was wonderful, I should apologize in advance because I'm going to go into full marketing mode for the GFCE here. But I mean, I think it all is really relevant and that idea of capacity building is so central to a lot of this.

I think Rene's comment really resonated with me about fragmentation and complexity being the enemy of security.

Really it's at the kernel of what the GFCE is about. And so flipping that and saying, coordination and clarity are really the fundamentals of security.

And so the GFCE is an organization, it's the platform for international cooperation on strengthening cyber capacity building and expertise globally. And it was established in 2015. It's a multi-stakeholder organization. We have around 250 members and partners. 88 of those states, state -- nation states. 16 international organizations. And then the remainder are private sector, academia, NGOs. So it is really quite a broad community, a lot of diverse expertise and awareness there.

And working together in really a number of ways to try and facilitate, essentially, that cyber capacity, CCB. And make sure that's happening in the best way.

We do that by connecting sort of the network of implementors, donors, and those who are in need, making sure that they are finding each other in the global sense. It's about identifying and developing best practices. So there are certain approaches that we know work well and there are other approaches that we try out from time to time and they maybe don't work as well. So that's a really important community activity, finding that out, learning together.

And then also, I mean, highlighting the importance of cyber capacity building, as it was in Rene's presentation as well. That building capacity, and building it at the global level, not just in, you know, the Global North, but also into the Global South, because the cybersecurity threats are global, is really essential.

And so I can speak to a few of the different activities that the GFCE has been involved in, in some of the different aspects, different ways in which we're doing it.

The first one I'll mention, and Wouter spoke about standards there, so I won't say too much about this, but the Triple-I initiative, the Internet Infrastructure Initiative, is something that GFCE has been doing for the last few years, or facilitating for the last few years. And it's very much in line with that, with promoting and educating about standards like IPv6, DNSSEC, TLS, so really looking at lots of different elements in the technological stack and standards and how they can be usefully employed and deployed for better security.

Turning to a slightly different aspect, it could be in terms of thinking about policy frameworks, the sort of alignment in what we're trying to achieve. And I think something useful to highlight there would be the Accra Call, which came out in 2023 and was an output of the Global Conference on Cyber Capacity Building; the first one was in Ghana in 2023. GC3B we call it, which we regularly get in the wrong order there. Not sure if we've made it easier by calling it that. And we have another of those -- the second GC3B will take place in Geneva in May next year. But that's really about, again, coordination, it's connecting the cybersecurity and cyber capacity building communities with the development community, with what's going on in international development.

And it's got really four voluntary, nonbinding, but direction-setting actions that people can sign on and commit to and then report on. Strengthening the role of cyber resilience as an enabler for sustainable development.

Advancing the demand driven cyber capacity building.

Fostering stronger partnerships and better coordination. Very important.

And then the last one, which is equally and perhaps even more important than any of them, unlocking the financial resources and implementation modalities. That's always the struggle here. Governments, private sector, any of these stakeholders have priorities, have limited resources, so making the case that investing in cybersecurity, investing in capacity building is essential is a really fundamental element in all of this. That's, I think, where the Accra Call is important. And one more thing that ties in to what Julia was talking about as well and what's going on in the open-ended working group. One of the projects that the GFCE has been thrilled to be involved in and coordinating is the Women in Cyber Fellowship. And that's been working with donors, donor states from around the world.

At the most recent meeting which was just a couple weeks ago in New York, we actually had 47 fellows from different Global South Member States taking part. Traveling to New York, taking part in training, but also taking part actively in those negotiations. And so obviously this is wonderful in terms of taking some steps toward gender balance, which is important.

But I think also really importantly here is that without that funding, without that project, a lot of what you would have had there in those New York negotiations, particularly from Global South countries, would not be bringing in subject matter experts. They'd be using their staff in New York and permanent representations, which is great. But to be able to have subject matter experts there in the room enriching the negotiation and discussion around the OEWG is almost, to my mind, the bigger achievement, the bigger important thing that we're doing there, and having that expertise filter back to the national level when they go back to the capital, they go back to their governments.

So that sort of level of coordination and capacity building is, I think, really fundamental in achieving, again, what Rene spoke about, the need for some coordination of approach and across different jurisdictions.

So I'll stop there. Thanks.

>> TIMEA SUTO: Thank you so much, Chris. A lot in a very short time from what the GFCE is doing, and we know there's more. What you told us, the last point I think was the most striking.

Because if we enable the participation of those who might otherwise not be at the table, it is really the way through which we benefit and can make sure that the policies that we're thinking about actually work in practice on the ground and they actually are implementable.

And I want to stick with that idea as I turn to Francesca online. You talked a little bit about what the Cyber Peace Institute is doing and also how you see the role of stakeholders in these conversations. Especially when we talked about radical discussions, we see quite a gap there. But we are here in the heart of multi-stakeholder at the heart of the IGF so how do we bring those two things together?

>> FRANCESCA BOSCO: Thank you so much. Can you hear me well?

>> TIMEA SUTO: Yes, we can.

>> FRANCESCA BOSCO: Thank you so much and thanks a lot for the invite and it's an honour to speak today. Very sorry not to be able to be there in person.

Maybe just let's say a quick remark on who the Cyber Peace Institute is and what we are doing. So the Cyber Peace Institute is an international nonprofit organization. We're based in Geneva but the mandate is global. And I would say that at the backbone of the expertise is really to analyse how evolving cyberthreats are harming society. And notably impacting critical infrastructure, specifically in the civilian domain.

We provide cybersecurity assistance and capacity building and we advocate for responsible behavior in cyberspace with driven insights. Thank you for the opportunity to intervene in this discussion.

It's difficult, I would say, to come after excellent previous interventions. So I would maybe share a couple of thoughts when it comes to which are the challenges that we see when it comes to the international approach to protecting critical infrastructures.

And maybe sharing goals of a couple of, like, potential ideas on how to address this.

Indeed, as Rene very well highlighted in his remarks, but also Julia mentioned specifically the UN processes and specifically the open-ended working group discussions, a couple of significant obstacles we see are a lack of consensus among the states when defining the critical infrastructure, the sectors being identified, notably the health care sector. But clearly then there needs to be also one of the elements that Rene mentioned, which is moving, let's say, from policies into action.

So first of all, the definition of the critical infrastructure. And the second part that I would like to mention is the -- also the rapid evolution of cyberthreats that adds to these challenges.

It was hinted by Rene in his initial remarks, but indeed practical example, I mean, that comes to mind is the ransomware attacks on health care systems during the COVID-19 pandemic that exposed the technical vulnerabilities, but also the lack of preparedness basically to ensure the service continuity.

I mention the health care sector specifically, because it's a good example according to your question, Timea, where the multi-stakeholder community can bring an added value. I think that the progress that we saw at the open-ended working group level, so integrating the inputs and voices of the multi-stakeholders community brought to this, basically.

And I can tell you from a very practical standpoint, what we did was launch at the end of 2019, well on time to start during the pandemic. Which was on one hand we transformed it in a way into an opportunity. Because the mission of the institute is to protect the most vulnerable in cyberspace. At the time, the most vulnerable was the health care sector, basically, widely identified by us, from labs to citizens organizations that were working, for example when it comes to developing countries, working basically to provide essential services.

So we took this comprehensive approach and tried to understand, okay, how this critical sector is impacted by cyberattacks, not so much from the angle of, let's say, simply collecting information about the damages, the cost, how many devices were infected. But trying to understand what it really means for Civil Society. What is the real impact and the real harm that these attacks are causing to society.

Practical example is how many ambulances redirected. How many people could not get the vaccine. And showing this both with, as mentioned before, a very strong technical analysis to highlight the modus operandi of the malicious actors, to identify let's say the critical sectors that are targeted, in which countries and so on and so forth.

But also highlighting this harm aspect and how international laws and norms were violated.

So having this all-encompassing view, coming from a neutral independent Civil Society actor, is how we can advance it in a concrete way. And the platform that we developed is publicly available. We used the same capability to develop the platform to monitor the attacks against civilian infrastructure in the context of the Ukraine conflict. It's developed but not in a silo. Meaning that we've been working on this with other Civil Society partners, with academic partners, with the private sector that's providing key data, infrastructure, services, and expert views.

We've been socializing this and extensively worked on this via our engagement at the working group level. I think it's a very concrete example of how the multi-stakeholder collaboration can work.

Allow me maybe just to mention a couple of things when it comes to what we need to do, let's say, some sort of, like, actions that we can take when it comes to the challenges that we see in the international cooperation sectors. Building on the excellent remarks that Julia made, I think there is one point which is, again, as Rene was saying, not just having the norms and operationalize them.

We truly believe that transparency is the way to go. And again, we need to have concrete, actionable measures. And so for example, we've been consistently advocating for voluntary state reporting on what constitutes a critical infrastructure within national frameworks.

But also to basically to enhance predictability and enable collaborative risk management across borders.

Measuring the harms. I mentioned that, for example, in our work regarding the health care sector, regarding the infrastructure in the context of the Ukraine conflict, we measure the harms. And this is critical to understand how the impact is going beyond the pure, I would say, financial, monetary damages. But you really need to understand the impact of the cyberattacks on society, especially those cyberattacks that are obviously targeting the critical services that keep our societies running.

Just a couple of points in terms of, like, key actions. Rene mentioned the emerging technologies. Allow me to say, indeed, it's a critical area where obviously, I'm thinking about artificial intelligence, quantum, they are bringing amazing opportunities. But at the same time improper deployment could create new vulnerabilities when we think about critical infrastructure. Because it is still important to remember that much of the critical infrastructure that we are still seeing today is running on legacy systems.

Meaning that they were not conceived, basically, to be connected, just to start with. So it is extremely important to have a sort of, like, responsible approach in deploying emerging technologies. And then, I mean, I was smiling when Chris was talking about the GC3B because I worked with underresourced communities. And Julia mentioned the connection -- I would say the evolution -- in the understanding that cybersecurity is a key component of development as well.

And to this end, I was encouraging, basically, the audience as well to build on -- on existing initiatives like the excellent work done by the GFCE and the opportunity that we have with the global cyber capacity building confluence -- conference upcoming in May. And really cybersecurity is one of the key pillars. And maybe just to finish, we talk about multi-stakeholder collaborations, I gave practical examples and happy to dig into this more if I may, and it's sort of like personal mantra, it needs to be meaningful.

Multi-stakeholder collaboration means nothing if it's -- I mean from it's just on paper or just ticking a box. I like what Rene was mentioning at the very beginning in terms of, like, partnerships are working where -- when, basically, each partner is providing, let's say, his or her best, let's say, expertise to create, basically, the best solution possible, but according, let's say, to what they can bring at the table. And not simply because they want to be sitting at the table.

So I think we need to see more collaboration starting to value much more what the impact is of multi-stakeholder collaboration, instead of just having it as a nice to have.

>> TIMEA SUTO: Thank you so much, Francesca. So we've covered quite a bit of ground from the -- that Rene started.

We've heard the importance of international norms and their implementation. We've heard about standards, multi-stakeholder capacity building, partnerships. So I have one more element that I would like to throw at Robyn and hear a bit of insights on that. Which is, what is the role of policies, national policies, in this?

How do we make sure that policies are responsive to everything that we've heard here. What is out there that's helpful? What is it that we still need and how do we move towards perhaps a bit of interoperability or what's happening in national context going back to the initial thought of fragmentation being so harmful to cybersecurity? Several questions there for you if you can cover that.

>> ROBYN GREENE: I'll do my best. Thank you so much for having me here. I'm really excited to talk about this critical issue.

One of the things that I think you're going to see throughout my comments is the things that I'm going to be recommending are not only applicable when you're thinking about critical infrastructure and cybersecurity. I think when we get into the policy space, we really have to confront the fact that critical infrastructure is no longer just critical infrastructure. It is something that intersects with commercial technologies, with everyday sort of technologies, and with the people who use those technologies.

And as a result of that, one of the first things that we need to do from a policy perspective is to really take a holistic assessment of the technological landscape as well as the threat landscape, so that we can understand things like what are the kinds of devices that interact with what we consider to be core critical infrastructure.

This is especially important as private sector services increasingly intersecting with or actually building and providing that core critical infrastructure.

In addition to that, we need to make sure that policies around cybersecurity for critical infrastructure include security requirements that are technically compatible with the Internet infrastructure and consistent with the values of an open, interoperable and secure Internet. As I'm going to discuss in more detail later in my comments, this includes things like not mandating any legal or regulatory threats to, like, key security tools like encryption, such as requiring things of the private sector like building key escrow or other so-called backdoors into encrypted products and services. Content scanning and labeling requirements or traceability requirements that undermine encryption.

This also includes resisting implementing mandates around private sector data localization. And restrictions on private sector data transfers.

The other thing that we really need to do is look to the future. What does the future of technology look like? What will future technologies require and how will they intersect with our critical infrastructure? How will the next generation of technologies replace today's critical infrastructure?

Partnerships with the private sector can be uniquely impactful in helping governments to do this kind of looking into the crystal ball, if you will.

And technology companies in particular, but also academia and multi-stakeholder experts, are really at the vanguard of these technological advancements and can be uniquely helpful in doing that kind of forecasting, so that we can make sure that cybersecurity protections for critical infrastructure aren't only responding to the threats of yesterday and today, but also preparing for the threats of tomorrow.

In addition to that, this is one of the most important things, and I think one of the greatest challenges that we see in the policy landscape: make it easy for companies to want to work with and share information with governments. Cyberthreat indicators, that is.

And make sure that those relationships with companies are not, you know, the big don't is don't establish relationships with private sector on the basis of regulatory threats or threats to services to their license to operate. Legal frameworks that promote human rights norms, rule of law and legal predictability not only in the context of cybersecurity, but also in the context of other policy spaces are the ones that will promote willing collaborations and do ensure that relationships are reciprocal.

At the end of the day, the willing collaboration is one of the most important things for private sector partnership with the public sector and critical infrastructure protection, because of course you don't want companies in the position where they're only focused on checking boxes and they're, you know, only doing what they're absolutely obligated to do.

You want companies that are really looking at the holistic cybersecurity and threat landscape and proactively sharing information with governments that they think will really lift all boats, if you will.

And so one of the most important elements of encouraging this willing collaboration, beyond not having it be sort of like a mandatory or fear-based mechanism, is making sure these relationships are cyclical. Make sure they're sharing back with the private sector early and often. This not only helps to lift all boats by enabling companies to better protect their clients and users, but it builds trust and incentivizes these companies to come to the table in the first place.

Beyond just reciprocal information sharing, I think the other types of sort of reciprocal partnerships can also include skill building. And reciprocal access to technological tools and new technologies.

The next thing that I think is going to be really important in having a better policy space that is providing more robust protection for critical infrastructure is actually starting to track the broader policy landscape. This is something that, you know, I sort of touched upon a little earlier in my comments. But we need to really, you know, start to internalize the fact that regulatory debates and proposals that are not directly about cybersecurity or about critical infrastructure will inherently affect our ability to protect critical infrastructure in particular.

And so as I mentioned, you know, resisting the impulse to pursue policies that require data localization is, I think, one of the more important things that we can do. At the end of the day, data localization is actually one of the more harmful policies for cybersecurity, not only in terms of, like, private sector protection of information and things like that, but also in terms of protection of critical infrastructure.

This is because it increases costs for companies and the government in many cases to actually apply state of the art cybersecurity solutions. It restricts access to and deployment of those state of the art cybersecurity measures and limits and disincentivizes updates. It also limits backups.

It's important to resist restrictions on international data transfers for the private sector. When we're thinking about protecting cybersecurity, information is absolutely essential. And because of how the private sector intersects with critical infrastructure so much and as I mentioned in many cases actually operates or owns critical infrastructure, it's really important that companies be able to have that global visibility into what the threat landscape is and be able to access information as quickly as possible.

One of the most limiting factors to that is restricting the flow of information. Because that's inherently going to limit your view to the domestic threat landscape rather than the global threat landscape. So encouraging data flows is actually encouraging cybersecurity in many ways.

And then finally, resisting the impulse to undermine or slow the adoption of end-to-end encryption and quantum-resistant encryption. It's by far the most effective tool we have to protect privacy and cyber communications. It applies not only to private communications but also government communications and data. Any time you see policies that mandate weaknesses in encryption, even if they're meant only to apply to private sector tools and systems, they inherently wind up intersecting with government and critical infrastructure systems, and so what you wind up doing is actually lowering the global security level of anything, you know, that's going to be touching those systems.

We actually have a very sort of, like, current, if you will, example, that's also a very stark example, to be honest, of how important encryption is to protecting cybersecurity and critical infrastructure in particular. As folks may be aware of, Salt Typhoon is a major story in the U.S., but I imagine it's being followed throughout the world, where foreign spies have essentially taken advantage of vulnerabilities in telecommunications and ISP systems in order to infiltrate those systems.

And you know, while they may be targeting lots of different people's communications and private data, they are also targeting government officials. So this is one of those examples of how we see the private sector intersecting with critical infrastructure and the government, and the need for encryption.

The last thing is resisting the impulse to mandate data retention beyond what is necessary. You're just keeping data that could be useful to, you know, cybercriminals and other malicious actors unnecessarily if you're imposing mandates that go beyond what's necessary for business purposes or operational purposes depending on the kind of entity that's subject to these kinds of things.

The next thing that's important and this is the last issue, whether it comes to the policy environment and protecting critical infrastructure and cybersecurity of infrastructure is international cooperation. This is certainly not surprising as we've heard this many times throughout the panel already, but ultimately this does not just include the sort of traditional types of cooperation around cyberthreat information sharing and securing supply chains.

It also includes things like regulatory interoperability. Make sure that not only cybersecurity regulations are interoperable with other regulations from other, like, cybersecurity regulations from other governments, but make sure that noncyber, domestic, and foreign regulations are compatible with current cybersecurity best practices.

Too often we see regulatory proposals that are meant to address social concerns like, you know, online safety and things like that which are critically, critically important but that would wind up doing things like undermining encryption. This is of course, incompatible with cybersecurity and critical infrastructure cybersecurity best practices.

So I think as a global community, it's incumbent upon us not only to look at the policy landscape through the lens of what is directly affecting critical infrastructure because it is literally regulating critical infrastructure, but what are the secondary and tertiary policies that we're considering and applying to government and the private sector that could actually still have significant ramifications for critical infrastructure and cybersecurity globally.

In addition to that, addressing cybercrime safe haven jurisdictions is critically important. We need to make it harder and more risky for malicious actors, whether they're working independently for criminal organizations or directly or indirectly for nation states to attack critical infrastructure. Particularly as, you know, we see the growing closeness between critical infrastructure and private sector technologies and stakeholders.

The UN cybercrime convention was originally proposed and promoted by several of these safe haven states. And that's ironic, perhaps, but we're in a place where the negotiation is complete and parts are going to move to the modalities for the protocol discussions and the protocols themselves and adoption and ratification of the treaty.

Rule of law governments need to prioritize ensuring that the protocols are not only providing for specific procedural and human rights safeguards that weren't included in the convention text, but also accountability mechanisms to ensure that all parties play by the same rules and that they work cooperatively towards investigating and preventing global cybercrime, not only when it serves their specific geopolitical or national interests.

Finally, capacity building is another really important element of international cooperation. And private sector-public sector collaboration. This is something that the cyber convention has potential to improve, not just as it applies to cybercrime investigation, but also to technically advance, to like advance the technical skills and practices of other parties to the convention.

The technically advance and well-resourced governments can and should provide material support and technical training to augment the cybersecurity capabilities and practices of the less resourced and technically advanced nation states that are party to the convention.

So I think, you know, there's just the policy landscape is something that we often think of as being very specific to critical infrastructure or to supply chain or something like that. But one of the things that I think we should really start to focus on as we think about cybersecurity and critical infrastructure is how the broader policy landscape and how relationships between governments and private sector entities can really impact that space too.

Thank you.

>> TIMEA SUTO: Thank you so much, Robyn. Quite a lot of information in that as well. And also bringing in this extra element of not just cybersecurity, but actively fighting cybercrime, which in the UN are two separate practices but in real practice they go hand in hand.

We had a second round of questions prepared, but I don't think we will have time for that. We are 15 minutes away from the end of the session and I want to turn to the audience as well and hear a little bit if you have any questions or remarks on what we've heard from the speakers before I give them the last word.

So anybody from you have comments online, please put your hand up, we can turn to you. Or here in the room, likewise, put your hand up physically and we'll get you a microphone.

So are there any questions or comments?

Thank you, you were very comprehensive or very exhaustive, either or the other. If the audience has no questions or input, then I think I'll do a round robin and in the very end I'll get to Rene on the count of first and last words.

In the order that I've called you previously, perhaps I can turn to Julia and ask what are your takeaways from this discussion and what is the one element that you think we should take forward as a message from this discussion for the IGF and for the global multi-stakeholder community to ponder upon or perhaps act upon?

>> JULIA RODRIGUEZ ACOSTA: Yes, thank you. Thank you so much for a great conversation. It has been really interesting. I think that the panel is proof of why multi-stakeholder collaboration is crucial, because I think each one of the speakers has contributed with insights on their [?]. I think it's impossible to summarize, but one of the main things that stuck with me is the importance of standards; from my perspective, these directly address the definitions that make cooperation a challenge. Capacity building is key across the technical aspects, such as network security, encryption, incident response, but also from the more social and economic and humanitarian perspective. And of course the impact of this type of diplomacy that we're trying to develop. And great comments on that.

I think that we need to incorporate more privacy-by-design concepts into the normative framework of the United Nations. I think that many of these cyber intrusions, at the end, affect individuals.

So I think this has been very well highlighted by the Cyber Peace Institute harms methodology. I think it's a great takeaway.

And my one-sentence takeaway, it would be multi-stakeholder collaboration is essential. And I will stop there. Thank you.

>> TIMEA SUTO: Thank you so much, Julia. Wouter.

>> WOUTER KOBES: Yes, thank you. Well, ending on the words Francesca said, I think the Network and Information Security Directive version 2 we have in the EU makes a really nice attempt at defining critical infrastructure.

I think the point of Robyn's, where you have to involve your commercial sector as well because it extends to the supply chain of this critical infrastructure. I think that's a nice attempt at least by the EC to define that critical infrastructure.

I think my takeaway for the audience and panelists is also to lead by example in adopting Internet security standards. I invite you all, after this session, to navigate to our security adoption tool Internet.nl and measure your own organization and see where you have room to improve in leading by example on these Internet standards.

So with that, I would like to thank you all for this very interesting discussion.

>> TIMEA SUTO: Thank you.

Chris.

>> CHRIS BUCKRIDGE: Thanks, Timea, and thanks for organizing this session and for a really interesting discussion and set of interventions.

I was happy not to be the first person here to mention AI. I think too often the conversations seem to be turning to that. But it is really interesting and a significant point, and I mean at the OEWG the other week, really every meeting of the OEWG, more states are highlighting AI as an area of real concern for them. Last year more than half of CISOs and security professionals said AI-enhanced attacks are what they have to defend against. It's not entirely clear what's actually happening, to what extent that's happening in real life at this stage, and I think there were some states that also made that point.

But I mean, they've done a study that highlights that arms race we're in, where AI is enhancing the abilities of attackers and defenders, but that centers back to the need for capacity building.

It's great the defense is sort of continuing to ratchet up along with the attack. But if you're in the Global South and if you're not really in that sort of arms race, you're becoming increasingly vulnerable to these attacks.

This is not something where we can leave people behind. If you get left behind, you're going to be a vulnerability and that's going to be a vulnerability for the entire system.

So we need to be ready to -- sorry. Invest, sorry, in cyber capacity building. And I mean, to use another very overused term, we need to be agile about that. I think Robyn mentioned the changing landscape, the ever-moving landscape we have in terms of security; that cyber capacity building activity needs to reflect that and needs to be ready to engage with what the latest threats are, the latest vulnerabilities are, and to be ready to mitigate that.

So it is, as was also said, a constant; it's not something where we can say "one and done". It's something we need to keep evolving and working on as time goes on.

Thanks.

>> TIMEA SUTO: Thank you, Chris.

Francesca.

>> FRANCESCA BOSCO: Thank you so much. So the thread for me is the clear articulation, so thank you so much for the excellent discussion, because I think there was a very good segue among the different speakers. And I think we all reiterated the fact that the dependency is not only from a technical standpoint, but there is the need to understand the complexity of the ecosystem when we talk about critical infrastructure. And I appreciated the last remarks from Robyn specifically on this, on how the policies are intertwined.

I also very much appreciated that one of the things -- I mean, I spent all my life [?] and one of the key challenges is always information sharing. It's do-able, but it needs to go both ways. I think Robyn very well highlighted the fact that it cannot be just private sector vis-a-vis government, for example. We need to create the ecosystem. That's super important to this trust.

We mentioned capacity building several times, and very well, as Chris was mentioning, for now and for the future. Interestingly, these days I'm working on the potential of fully autonomous cyberattacks impacting, for example, critical infrastructure. And indeed the idea is not only to conceive it, but to potentially build the capacity to be able to respond.

And let me finish maybe with some remarks building on what Rene and Julia were saying and going back to the idea of meaningful multi-stakeholder collaboration in standards. That's key. Or, for example, in international processes; that's key. But let's be honest, not all of the actors that should be involved in the multi-stakeholder approach have the means, have the resources, have the understanding of even how to engage. I'm thinking about the difficulties Civil Society has in engaging with the standards bodies, for example. Or I'm thinking about many companies that would like to engage, for example, in the open-ended working group and similar processes, but they don't even know where to start, basically.

So kudos to the ICC for organizing this panel, because I think it's also, I mean, helping in this direction. But I would say that more awareness raising and really knowledge building needs to be done in this sense.

>> TIMEA SUTO: Thank you, Francesca.

>> ROBYN GREENE: We just got the five-minute warning, so I'm going to be extremely brief since I wasn't brief in my initial comments. I think I'll sum up with three thoughts.

One, keep in mind how intersectional the technological landscape is and therefore how intersectionally we need to think about the policy landscape, and how that will impact the ability of the private sector to partner with government in the protection of critical infrastructure.

Two, never underestimate the impact of encryption on cybersecurity and the importance of ensuring that all policies protect and promote the adoption of encryption rather than undermining it.

And three, also never, never, never underestimate the importance of data flows and the risk of data localization mandates, especially for private sector entities, and how that will ultimately lead to ramifications for critical infrastructure cybersecurity.

Thank you so much. This has been a great panel.

>> TIMEA SUTO: Thank you, Robyn. Rene, I gave you the first word, so I'm going to give you the last word as well. From your keynote speech, after hearing all our speakers, what has changed from what you said, or what would you like to highlight to build on what you said?

>> RENE SUMMER: Thank you, Timea. A lot has been said, so maybe on the margin of what has already been mentioned, I was thinking about what to say and then a song came to mind: a little less conversation, a little more action.

And I think it comes down to the fact that we see the need for more actionable progress. I would like to stress that many of the threats we see growing are stemming from those residual risks where industry will not be able to defend itself. And how to address the residual risks, I think, is very, very important.

And the cost of inaction here is growing day by day. I think we have seen numbers that the global cost of cybercrime today is about 11 trillion U.S. dollars; that corresponds to the GDP of several countries, I think, meaning Germany, the UK and Japan, and we need to turn the tide of this development.

>> TIMEA SUTO: Concise as always. Thank you, Rene, but it's quite powerful as well, as the last word to take away.

That only leaves me with one job, which is to thank you all for being here, for accepting ICC's invitation to this conversation and for sharing your expertise and insight with us and the audience here in the room and online.

There will be a report of this session on the IGF website, so we'll be coming to you with that. And of course, the ICC website is always there, so please take a look at the publications, not only on cybersecurity but, as Robyn highlighted, we also need to look into what we have done on data issues, especially on government access to data.

I'll leave you with that. Huge thanks to my panelists and a huge round of applause to all of you who have been here. Thank you.

(Applause)

>> RENE SUMMER: Thank you very much.