2015 11 13 WS 186 A Multistakeholder and Human Rights Approach to Cybersecurity Workshop Room 5 FINISHED (2023)

The following are the outputs of the real-time captioning taken during the Tenth Annual Meeting of the Internet Governance Forum (IGF) in João Pessoa, Brazil, from 10 to 13 November 2015. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record.


>> MATTHEW SHEARS: (background noise/voices) The background to this workshop is the Freedom Online Coalition, whose members work together and cooperate on Internet freedoms; it has pulled together three working groups. Working Group 1 is "An Internet Free and Secure." These working groups are multi‑stakeholder working groups. They represent governments, business, civil society and other stakeholders. The work of Working Group 1 has really been focused on cybersecurity issues. In addition to the recommendations that we'll be looking at today, the working group has also issued a mapping of cybersecurity forums and processes, which is incredibly interesting, and you should go to the Freedom Online Coalition site. We also have a series of blogs on cybersecurity issues, which I think would be very interesting to you. The focus today is about trialing with you, the participants of the IGF, the set of recommendations that the working group has been drafting and working on and deliberating over for the past, I would say, 6 to 9 months or so. This has been an attempt to really try and deliver a next step on the many commitments and statements about the importance of human rights to cybersecurity that we have witnessed in various resolutions, in various statements from governments and other stakeholders. So we're really trying to take this debate one step further. This is all about trying to find a way of ensuring that human rights are built into cybersecurity policy and frameworks. Cybersecurity that is rights‑respecting by design, from the very inception. So these recommendations, and there's a four‑pager circulating there. We'll make sure you have copies when we go to breakouts. How do we take that discussion forward? How do we make sure that governments take human rights into account, and how do we make sure that other stakeholders do the same when they put in place business practices or other things? We're looking at it from a holistic standpoint. We've been drafting this for the past six months. 
We have developed them with the understanding that we have done this in a very multi‑stakeholder way. Some of the recommendations you may find seem a little general, but that's what we'd like you to discuss in the breakout sessions. We're very much interested in getting your feedback on those recommendations. We will start up and take the discussion up a level.

We're going to actually really talk about cybersecurity and human rights in a broader, global policy context. We will do that with the three panelists at the end of the table, and we will preface that with a review of the rationale and the recommendations themselves.

So I don't think I even introduced myself. I am Matthew Shears with the Center for Democracy and Technology. And my panelists will introduce themselves. Eileen?

>> EILEEN DONAHOE: Eileen Donahoe and a member of the working group.

>> MISHI CHOUDHARY: Mishi Choudhary. (inaudible) and I am a part of the working group. Sorry.

>> AUDREY PLONK: Audrey Plonk. Internet security and cybersecurity at Intel Corporation.

>> MICHAEL WALMA: Michael Walma, Policy Coordinator with Department of Foreign Affairs in Canada. Canada is a part of the working group.


>> MATTHEW SHEARS: As you heard, some are part of the working group and some are not. When we talk about cybersecurity in this broader context, they will give their views, but they're also familiar with the working group so they can weave the recommendations in there. The Dutch government is also part of the working group and there isn't a representative that's able to speak on the panel. So we actually do have a video welcome from the Dutch cybersecurity specialists. I'm wondering if we can run that welcome, that video. This is from Uri Rosenthal, government of the Netherlands.

>> URI ROSENTHAL: I'm delighted to add to this session today, especially since I was one of the founders of the Freedom Online Coalition in 2011. The Netherlands founded this coalition because we saw the importance of a joint effort to support a free and open Internet. In four years, the coalition has grown from 14 to 28 countries, and it is great to see how the coalition has developed, especially with the substantive work that's been done by working groups to tackle specific challenges we all face. The Netherlands is proud to be the co‑chair of Working Group 1 on "An Internet Free and Secure." The aim of the working group is to contribute to a more balanced debate on cybersecurity. Such a debate is in line with our policy goals. It also follows logically from the work we have done as organizers of the Global (inaudible) on Cyberspace last April. There and then we promoted an Internet that is free, open and secure. We also had a debate on the importance of respect for human rights in the online domain, including the right to privacy for individual citizens. It is important to have such a constructive debate since we have recently seen a bias towards the security dimension of cyberspace. In the debate, we do need to take into account the importance of respect for human rights and the rights of the individual user. The recommendations developed by the working group provide a first step to help the balanced debate. The value applies in the context in which it is applied. In that context, human rights are not always taken as a starting point. The definition of cybersecurity developed by the working group puts individual security at the center. Another great value of the working group is that it is a successful example of multi‑stakeholder cooperation between governments, the corporate sector, academia and civil society. For (inaudible), the Netherlands does commend the extensive efforts of all members of Working Group 1. 
The Netherlands will continue to take this issue forward in the coming period in order to advance a rights‑respecting cybersecurity policy. We are therefore looking forward to the results of the session today.

>> MATTHEW SHEARS: Thank you.

>> I'm delighted to add to this session today‑‑

[ Laughter ]

>> MATTHEW SHEARS: Okay. So the way we're going to do this, let me talk about the workshop structure. As I said before, there will be a core component of this where we will put you to work. I hope you have your pens and thinking caps on. But first, Eileen here to my left will walk us through the definition, the recommendations and the rationale behind them. And then we're going to go to Mishi and Audrey and Michael to talk about the broader context, and then we will spend 45 minutes in breakout sessions. If you don't have a paper copy, I will make sure you do have that. I apologize if we don't have enough chairs in the room for those of you here.

Eileen, if you can walk us through those, that will be wonderful.

>> EILEEN DONAHOE: First off, let me say, I have to say out loud, we are all in debt to the Dutch government for really supporting the working group extensively, and we are extremely appreciative of that. Also, thank you everybody for coming. It is wonderful to see the interest. I also am going to give you a warning. Yesterday I had one of these in my bag and it opened. And my computer is now gone. So be careful. I will start there.

First comment I'm going to make is that all work on both of the products, the definition that's up on the screen and the recommendations that we're going to walk through, rests on three concepts. All of which are very basic, but somehow seem to need to be reiterated all the time. Number 1, security is a human rights priority. It's not an opposition. These things are not in opposition. Article 3 of the Universal Declaration is security of persons, and at the end of the day, human rights protection is about protection of people. Number two. Privacy is not only essential to the exercise of freedom. Privacy is an essential element of security. It is actually a linchpin in both directions. Any time you hear somebody pitting privacy against security, you can tell they don't get a very, very substantial piece of the security problems we face. And number 3. The concept that human rights are integral to national security and international peace and security. These are not concepts that are supposed to be in tension. They are mutually reinforcing. So those concepts underlie our work. I will walk through the definition that's on the first slide, and I will tell you that in coming up with this, we started with an awareness of the importance of terminology, and the term cybersecurity itself has come to signify many different things to different people depending on where they sit, the expression being, apparently, where you stand depends on where you sit. You know? So we tried to address that. For example, many people understand the term cybersecurity solely through the lens of a limited concept of national security or counter‑terrorism. Others see it through international peace and security, countering the potential of cyber warfare, and in both of these cases, the object of security is basically critical infrastructure or ICT infrastructure. These are very important, even to the exercise of human rights, but they are not the whole picture. 
Another group or community sees cybersecurity through the lens of consumer protection or data protection. Protection of proprietary information or economic competitiveness. Our purpose was to find a working definition that would be comprehensible across all these different perspectives and policy silos, but also to reinforce the human rights framework. So the first thing you will see in the preamble is we wanted to reinforce existing obligations under international human rights law, where universal rights adhere in the individual, as well as obligations under international humanitarian law, where concern for civilians is paramount. These two concepts are grounded in existing international agreements, so the first concept, that rights apply online as offline, came from the 2012 Human Rights Council resolution, and the concept that IHL, international humanitarian law, should be applicable in the digital realm comes from the U.N. Governmental Group of Experts agreement. I know not 2013 was that urgent of it. Second. We wanted to underscore the idea that human rights protection entails optimization of both freedom and security. We wanted to propagate this view that they are mutually interdependent and reinforcing, synergistic. They should never be pitted against each other. Fourth concept. We wanted to convey technological information. And we wanted our definition to be technically informed. We were aware of many groups that have already come up with definitions of cybersecurity and we didn't want to reinvent the wheel, but we did want to help facilitate or propagate the human rights framework, but in a way that's relevant and understandable to a technical community. So we turned to several key terms from the International Organization for Standardization, ISO. And those concepts, as you see in the actual definition, are availability, confidentiality and integrity. So, there's the definition we worked from. 
I am gonna now go to the next slide really quickly, and it looks like they're all running together. Let me see. Okay. We have 13 recommendations that we're going to ask you all to engage on. The first three that you see are fairly general, and they relate to this idea that human rights and cybersecurity go together. And that they need to be fully integrated by design. So you see the basic idea that cybersecurity should protect and respect human rights. It should be rights‑respecting by design, and the object of security is persons as a foundation. Those are the first three. Okay. Then the second three, two of which you can see and I will flip over, but let me go through, are slightly more concrete in terms of what it would take to be rights‑respecting by design and what cybersecurity policy should and should not do. So number 4 says cybersecurity policies, laws and practices should be consistent with international law, both international human rights law and international humanitarian law. Number 5 says cybersecurity laws and practices should not be used as a pretext to violate human rights. Which unfortunately is a common experience. And the next one should be on this slide. Responses to cybersecurity incidents also should be rights‑respecting and not violate human rights. That's not a justification for a violation of human rights. The next bucket is recommendations that have a little bit more of a technical dimension to them. They're related to protecting infrastructure, allowing encryption and not impeding innovation. So number 7 goes to the stability, security and integrity of the infrastructure. Number 8 goes to the key role of encryption and anonymity in enabling human rights, and number 9 is the basic assertion that cybersecurity practices should not be impeding technological innovation. And then the last‑‑ 4‑‑ I can't tell if they're misnumbered or it's just my eyes. 
Well, the last four are more about process: capacity building, decision‑making processes, policy‑making processes. Number 10 says that cybersecurity‑related laws, policies and practices should be developed through open, inclusive, transparent approaches that include all stakeholders, the multi‑stakeholder concept. There should be a promotion of education and digital literacy as it relates to security, digital security, cybersecurity. Number 12 is that best practices should be shared and promoted with respect to cybersecurity policies. And there should be rights‑respecting approaches to capacity building. So those are the recommendations, and I think we're going to hear some commentary, and all of you comment on them and work on them.

>> MATTHEW SHEARS: It would probably facilitate things if people had a copy of the recommendations. They should have been along the tables at the end there. If not, raise your hand and we can get you a copy. This is a lot to take in, and we appreciate that, which is one of the reasons we will go to these breakouts in a couple of minutes.


What we're going to do now is really ask Mishi and Audrey and Michael to talk about the cybersecurity setting: what the developments are, how human rights are accounted for, and where the recommendations sit in the bigger picture. I'd like to start with Michael, please.

>> MICHAEL WALMA: Thank you, Matthew and thank you everyone for coming here today. I know we have a main session in the hall. So I appreciate the big turnout here. What I'd like to do, if I could, is talk a little bit about how these recommendations fit in with what we have been seeing internationally and how as Eileen says ‑‑

>> EILEEN DONAHOE: (inaudible)

>> MICHAEL WALMA: We will talk about some of the things we have encountered internationally when we talk about the connections between human rights and security, cybersecurity, and how we think that these recommendations might help us in those discussions. The approach I'd like to take when I talk about this is myth busting. When we deal with these issues, we encounter a lot of myths, as I would characterize them, that are proposed either unknowingly, in the sense that they represent a misunderstanding, or in some cases quite deliberately, as a way to advance particular aims. The first one I would like to tackle is the myth that there is a tradeoff between human rights and security. I wish I had compared notes with Eileen because she did a really good job saying everything that I planned to say on this. I want to say, certainly from our perspective, there is no tradeoff. Security and human rights are naturally reinforcing. You can't exercise your human rights if you don't have the security to do so. And at least in our country, our security is tightly linked to human rights in the sense that we are a democracy. We are guided by the rule of law. And this only functions in an environment where there's respect for rights and people are able to exercise their rights. So, you know, even if what we're talking about is as high up as national security, the security of Canadian democracy depends on a respect for rights. So that is the first myth. And that's why the definition, I think, is so very important, because it gets to that concept that there is no tradeoff. The second myth that we deal with very regularly is that this is an issue that's just the business of states. We see this. We've been seeing this in a variety of different places and it's not only limited to when we talk about cybersecurity. Those of you who follow, as we do, the processes that are going to be taking place in the review of the (inaudible) would have heard discussions in the open session on zero days. 
There are some that want to make this a discussion among states and to exclude other stakeholders, and this is where I think there are some people who are kind of promoting this myth a little bit for particular reasons of their own. But, of course, it is a myth. Everybody has a stake in this. In Canada, the infrastructure is primarily in private hands. How can you talk about security if you're not talking with the private sector about this? The security we're aiming at in this definition is (inaudible). How can you talk about security without engaging the people you're trying to secure? This is something we contend with regularly when we discuss these issues internationally. Therefore, this recommendation, if adopted, number 10, that it should be a multi‑stakeholder process, is very important to us in that respect. Another myth that we contend with regularly is that the Internet, that cyberspace, is so entirely novel that everything we've learned about crime, about interaction among states, has to be thrown out the window when it comes to cyberspace. You have to reexamine all these things that have served us so well for so very long. Of course, that's not true. Human rights are the same online as they are offline. State behavior is constrained by international law whether it be online or offline. A crime is a crime whether you break a window and steal a necklace from a jewelry store or whether you break into a server and steal somebody's credit card information. We want to reject the notion that somehow we need to start out fresh on these things. This is one that's promoted quite deliberately, because there are a lot of people that would like to see the underpinnings that we have relied on for so very long get reexamined and redrawn more favorably to their interest. That's why for us, number 4, the recommendation is so critically important. And then the last myth I want to get to, and this is very near and dear to my heart: that communication, content, can be a threat. 
This is a very dangerous concept. If you accept that premise, then content becomes a legitimate object of security policy. That's when you start to get people saying, well, okay, so political speech is a security threat. People exercising their rights becomes a security threat, and therefore it is very important that we reject that notion. Number 5, that cybersecurity‑related laws, policies and practices cannot be used as a pretext, is critically important. So just to sum up, for us, for Canada, this kind of work, this kind of approach is going to be very helpful and very important to us as we go forward in the international arena to promote both security and respect for human rights. Thanks.

>> MATTHEW SHEARS: Thank you, Michael. We'll go straight to Audrey and then Mishi, and we'll take a couple of questions before we go into the breakouts. Audrey?

>> AUDREY PLONK: Thank you. Good morning. I also want to thank the Freedom Online Coalition for these excellent recommendations and Eileen for breaking them into the four categories that she did. I think that really helps structure them in a way that we can understand. From more of a private sector perspective, I think I would like to focus on the more technical aspects, the third section, but before I do that, I want to emphasize and expand on one of the myths that my colleague from Canada mentioned, which is this idea that human rights related issues are only between states. I think it's something that we, certainly as the industry that is building the technologies and deploying the technologies, feel we certainly have a role in discussing, as well as civil society and other aspects of the multi‑stakeholder process. On top of that, there is the myth that the private sector doesn't care, or that we're not conscious of it and don't think of the human rights aspects of things when we build technologies. I think that is definitely a myth, and there's information to point to in efforts that companies and others take that consider human rights aspects. But the challenge that exists is between different interpretations among states as to what is in this, what constitutes human rights and what constitutes security. I was very, very pleased to see the recognition of the key role of encryption technologies here and the recognition that they enable a secure infrastructure, or help to secure a more secure infrastructure. I think we frequently see cybersecurity laws and policies that, in an attempt to make things more secure, inadvertently or intentionally, as the case sometimes may be, make it difficult to innovate or dictate the types of innovations and how technologies come to the market. We think it's probably both bad for security and bad for human rights. 
And then finally, I just want to go back to the definition and the technical aspects of the definition and commend the drafters on the thoughtfulness that I think went into this definition. I would say it's a good 10 to 12 years of batting around the cybersecurity term and trying to come to terms with what this actually means. So I think efforts like this to put some context around it are very helpful. And I hope it's something that we discuss in the breakout sessions, because I think it's very good; perhaps nothing is perfect, but I think it's a very good platform for discussing what's in it. And then finally, in terms of advancing the discussion, in preparing for this I was looking back at what has been written on this issue recently and how things have evolved. I went back to the 2012 report from the OECD, a survey of different countries' cybersecurity policies, and noted that they noted a consistent trend in cybersecurity policies. They didn't call it human rights, but they called it recognition of fundamental rights, which includes speech and privacy. And so we're seeing a trend, a positive trend, I think, in cybersecurity policies of recognizing those aspects of them. I think that the work here can actually push things more in that direction. But I was happy to go back and note that, and see that some countries, it was only 10 countries surveyed and Canada was one of them. It doesn't mean those are the only ones in the world, but among all of them there was at least a recognition of speech and privacy. So thank you.

>> MATTHEW SHEARS: Thank you, Audrey. I want to reemphasize this when you make the recommendations, these are designed to take that discussion to the next step. So we'll be looking for feedback from you on how we do that and where, which is of course an important issue. Mishi, if you wouldn't mind. Thanks.

>> MISHI CHOUDHARY: Thank you. Those of you who do not know Dan Geer, please look him up. He gave a talk last year at Black Hat and he said power exists to be used. Some wish for cyber safety, which they will not get. Others wish for cyber order, which they will not get. Some have the eye to discern cyber policies that are the least worst thing. May they fill the vacuum of wishful thinking. Accept my expression of (inaudible) and excitement that you have taken on this exercise. I see this as a change in the conversation of the cybersecurity dialogue, to pass more of what Mozilla Corporation calls cyber elephants, the oldest and most common topics of government, but to help the world see cybersecurity as any other form of human security. So I'm very excited that this is there. I'm also very excited. Everybody's excited about Canada, but for a very different reason, but the remarks our colleague made are extremely good from a civil society point of view. I'm going to talk about four points as I see them. I was not part of this coalition. This is just what I see as feedback on this, and those four points are insistence on transparency, rule of law, breaking down privacy into something more tangible, and also the bottom‑up approach, the grassroots‑level approach to protecting your own human rights, which is the responsibility of each of us in this room, or the ones who are not in this room also, but what they can do to protect their human rights. I also understand that these principles are supposed to be very high level and that's why they're high level. And considering the names, objectives and various stakeholders and what not. That's not the problem. They are great. One of the things which I find conspicuous by the‑‑ I see there is some big reference in point number 7 and 11, but that we can work on. I think from my perspective, as I said, from my clients and civil society people, the thing it is missing is transparency. 
That is the common feature and the center of real security. We all know that weaknesses and vulnerabilities hide in the dark. We know what Snowden told us in 2013, and the importance of transparency is (inaudible). Every system becomes a feel‑good entity with complicated computers and modules, which is deeply non‑transparent, that is the ground for cheating of all sorts. So also we understand that because all cybersecurity technology is dual‑use technology, transparency is something which we must insist on. There are two participants here. There are models by the proprietary software companies that vulnerabilities are never easy to spot. They propose this is what cybersecurity should be, and not for the user. Again, in July of this year the Mozilla Corporation put out something called the Cybersecurity Delphi 1.0 research project. It convened a panel of 32 cybersecurity experts from differing backgrounds. While they disagreed on multiple issues, one thing they agreed on is increased funding to maintain the security of free and open software. Now, free and open source software libraries are built into countless commercial and non‑commercial products. The major security incidents around (inaudible) and Shellshock all centered around vulnerabilities in software. But they were out in the open because you can see it and find out the vulnerabilities, something which proprietary software companies do not allow for, and it's a major part missing from here. The second part is playing both sides of the street by the cybersecurity experts in our governments. There are listeners who are, for whatever purposes, simultaneously attacking and defending cybersecurity. It's important for e‑Commerce. It's important to protect the critical infrastructure from malicious attacks from many other corners, but they want back doors for their own listening. This two‑sided playing makes it very difficult to have a consistent policy. We make the software transparent, introduce transparency in inspection of all these parts. 
Protection and security will need all bits to be replaceable all the time. Many organizations that are part of this coalition as well as involved in it, whether HRW, CDT, all of you work for free speech, expression, freedom of opinion, but they all must agree that transparency and use of free and open source software is crucial for cybersecurity. The other thing that we all, at least (inaudible) who work on these issues, have agreed on is two more principles. First is that every government has a responsibility, a duty to protect the rights of its citizens by guarding them against the spying of outsiders. Every government has that responsibility. The responsibility to protect its citizens to be free from the intrusive spying of outsiders. No government can pretend to sovereignty and responsibility with respect to its citizens unless it makes every effort within its power. And the second part is inside, at home, every government around the world must subject its domestic listening to the rule of law. And those two: protect us against outside spying, and inside, subject it to the rule of law. These principles of our politics should be uniformly applicable so that we are all protected by law. Now, why this is all important is because how we choose to organize and regulate our digital societies, and how these Internet governance models will be developed and implemented, is important for fair and democratic participation. It is in our hands, and this is the last generation which gets that choice to make. No pressure. But the point I will make is that I really like privacy, but I have trouble understanding what it is. And unlike network neutrality, I don't want it to be gloriously indefinite so that everybody defines it. I am for breaking it down into three concepts. One is secrecy. The other is anonymity. I should be guaranteed the secrecy of the messages I send to whoever I'm intending them to be sent to. 
Anonymity: the content of the message may not be secret, but at least my identity can be anonymous. I should be relieved from the pressure of anonymity and secrecy so I can exercise my autonomy. We agree on some principles and they're in our constitution and then we do it, but there is an aspect which we tend to overlook, which is that people save their own rights at the ground level. A lot of times they have to do something themselves at that time, and nothing will come to their rescue, or it is some time before somebody comes to their rescue. And who are these people? And in these discussions, is the People's Republic of China involved? Are there other countries involved? That's why there are people right now at the grassroots level trying to do something about these things. There are developers all around the world. The Tor Project is the most important project anybody is working on, and hats off to anybody who is doing that project. The (inaudible) web free software, which is existing and is now going to offer you privacy in a box, and we can all create commodities that are going to protect their freedom. So, free software is becoming something not free as in beer, but free as in protects your freedom. It is woven into the 13 (inaudible) you all came up with. I think it will make everything look even better, and the myth busting should continue, and hey, Canadians, please lead us. Thank you.

>> MATTHEW SHEARS: Thank you, Mishi, that was great. In the interest of time, if you have questions related to the recommendations, hold them for the small breakout groups. If you have questions for the panelists, I will take three or four now, but they must be very quick. Okay? Does anyone have questions for the panelists?

>> ELSA SAADE: Yes. For the record, my name is Elsa. I am from Lebanon. Okay. So quoting the (inaudible) from Canada, human rights are naturally reinforcing. You can't exercise your human rights if you don't have security. In our country, security is tightly linked to human rights in the sense that it has democracy. And also, reading this, reading through this, I can see that there is very, very little consideration about the region. Thank you for considering other regions as well. For example, what about a region where the rule of law sends two women to terrorism courts for driving, or sentences a blogger to 1,000 lashes because he blogged about his own thoughts? And another question. What about all the tools being exported from the West to regions such as mine? FinFisher and Gamma. All these tools, they're exports from the West to my region (inaudible) and under the (inaudible) war against cyber terrorism. So cybersecurity sometimes, in regions such as ours, should be considered as well. You need to have someone from a region that has completely different definitions of terrorism and security on such a panel. I couldn't see this. I can see, for example, cybersecurity‑related laws, privacy and practices should not be used as a pretext, but what kind of human rights are we talking about in the Middle East and Saudi Arabia? Please take that into consideration, and I would love to take this offline as well.


>> MATTHEW SHEARS: Thank you, Elsa. Do we have another mic? Do we have another microphone back there? That way people don't have to run up front. We will take other questions, two or three more questions. Yep. And then I'll put these difficult questions to the panel.

>> ROGER MATTHEWS: Thank you. My name is Roger Matthews and I represent (inaudible) in India. Couple of questions and comments for one. On some of the other panels we have been talking about open Internet as opposed to free Internet if that can be something talked about and deliberated in the use of language. The second point is this whole issue of government involvement. Please remember that in India, all of our operators bear the ultimate responsibility for lots of these concepts you talk about, for security and so on and so forth. By definition, since we are subject to the laws of the land by specific inclusion in our licensed conditions, it is surprising that the governments are very fickle with regard to multi‑stakeholders. How does that play in the IGF context? We see that very little here. We make grand statements and that is missing because when we go home, the granularity of the implementation becomes a challenge. The final point is what Mishi made. From an operative perspective, I am surprised how much individuals give out voluntarily in terms of their privacy, in terms of every time they say I agree. They don't read it and they don't understand. The Internet is bilateral. You are giving permission to open or initiate. So again, I think we need to take greater responsibility. These are good principles, but I do caution that added dimension. Thank you.

>> MATTHEW SHEARS: Thank you very much for important points. Any other questions? Okay. I'll put those questions to the panel. Anybody else? Okay. All right. Last question and then we get into moving chairs and things.

>> Thank you. I'll be short. I just want to applaud the recommendations as they stand out. I see some similarities and strategy from 2013. How do we move policy from practice. Perhaps all the links with the first question we have because, of course, practice looks very different in different parts of the world. When we come down to a practical level, of course, they don't have any human rights expertise. If you put freedom of expression to them, it doesn't mean they understand what implications the things that they do will have here on freedom of expression. Thank you.

>> MATTHEW SHEARS: Thank you. Panelists, you want to jump in on any of those questions?

>> Sure. I can try on a couple of them. The first question I think raised some really critical points about how we're going to proceed here today. At the root of them, these are principles that perhaps some find easier to subscribe to or implement than others. How are we going to be able to get those for something that doesn't come naturally for some? How are we going to be able to get them to adopt it? That is absolutely essential, but if I can just offer a couple of thoughts on that. First off with respect to rule of law, it's interesting that we in Canada obviously pride ourselves on the rule of law and democracy. But the‑‑ but it's democracy and rule of law. If you have rule of law in the absence of democracy, then what kind of laws are you going to have and I think that's where we're going when we talk about Lebanon and other places, Syria perhaps. Not Syria. I apologize. Frankly, that was another myth I might have wanted to put into my list of myths. There are some who are promoting the idea that rule of law, national law has primacy, which comes back, I think, to the fact that we have in our recommendations an acknowledgment of international law because states have responsibility to their own citizens to ensure their rights. And part and parcel of that is not to introduce national law or regulation that violates those laws. The myth that rule of law, national law overrides other considerations is one that needs to be busted. Thanks.

>> (inaudible) how do you move from policy to practice? I also want to know how do you move there. The only thing I have to offer is what our clients do, which is that on your own, you become more responsible and you start working and there is a community who are hacking privacy and trying to make it one's own. And Roger's point about becoming more responsible. I do blame people like us when it is our job for lawyers to hide everything in legalese and a lot of work so you can just scroll and I accept. But that's their job and I have to do my job. And that's why Michael is correct. They're the ones who deal with it, but I do wonder when Saudi Arabia becomes the chair of the human rights council and congratulations, Flo. She thinks it's down to discuss cybersecurity issues, where do the human rights aspects go or disappear. I just wonder because I am not part of these conversations and do we ever‑‑ I'm sure as Michael says, they run into these issues. It's important and we wonder about these things and it must be there in conversations. They're not easy. They're difficult. I am glad Vladimir is not going to discuss it in such forums what he is going to do to protect his citizens. These are important discussions and (inaudible) had in silos and that's why‑‑ they have to be comprehensive because you can't have one policy for some countries and not for others. I think the most important point‑‑ I'm sorry if I missed your name, but I'll get it later because I have to get it. Is the export of technologies which enables surveillance from the western states? It's so important about how you enable and provide that ecosystem. You cannot say it's just business. Like the way you cannot say oh, I'm going to collect your data and it's only for (inaudible). It is always presented as convenience. Roger's point about all operators that are responsible, it is so correct and that's also why it is important to see about how you get policy to practice. 
If I go to members of Roger's association, they say I cannot have a license in this country to operate if I don't do what the law requires. And that is where rule of law gets complicated. Some overarching principles which help us guide give us a little bit of negotiating power with our own places. And to say so many countries have agreed. Look at what is going on and that's why this exercise is extremely important. The realities look very, very different and much more complicated. I'm still very happy about the exercise and I don't know what is the future. Thank you.

>> MATTHEW SHEARS: Michael, you want to comment?

>> MICHAEL WALMA: With the exports of tools, this is a really important issue and one that needs to be tackled. There are ways internationally to do this. I think some of the people in the room will be familiar with the Wassenaar Arrangement and some of the baby steps that are being taken to try to get a bit of a handle on this process. The same people are aware of that and are aware that it can be quite tricky to get it right. You can have unintended consequences of what it is you're trying to accomplish. A blanket prohibition of the transfer of hacking tools has a huge impact on researchers and others. So you need to be very, very careful about these sort of things. I would say yes. Very important. Yes, there are some efforts being made in this direction, but that's not an easy one to fix. Thanks.

>> MATTHEW SHEARS: Okay. Okay. Thank you, panelists. We have 30 minutes to get a snapshot view of your recommendation. But we want this to be just the beginning. I would appreciate if you jot down this address because what we want is we're not going to have time to look at these in detail today. We're not going to be able to get all our view to understand what your comments are. How you think we can use these, how they need to be improved and we're interested in that feedback going forward. If you're interested in continuing to contribute to this exercise, please send your comments to this e‑mail address. Okay. So we have members in the room from the Freedom Online Coalition working group. If they can just stand up so I can see where everybody is and then we will try and do a funny exercise of breakouts in this room to get your initial feedback. And tech team, can I have the questions that I gave you? We go 1, 2, 3, 4, 5, 6, 7. We will try to break this room down. So bear with me. You will take this group here. Can you take this group back there? Stephania, take this group here. So these two rows. How are we going to do this? Maybe the two of you can work your way and this is really informal. This is supposed to be a breakout session, but this table‑‑ format doesn't work very well. So here are the questions. Again, just to start the process, note the questions, remember the e‑mail and we'll keep this process going. We have about 25 minutes maximum. So looking at those questions, each one of the coalition members is going to sit with you or stand with you and just ask you for feedback. You can focus on one of the questions or you can give feedback on all of them. Just talk to the rapporteur, moderator and give them your impressions and I will work here in the front. Stephania, if you can work that way, I think we should have everything covered. You guys can jump in as well. Okay. Bear with us. It's a different way of doing this. 
We're looking for your immediate feedback. Is everybody okay with that? Has everybody got a copy of the recommendations? Yeah? Okay. All right.


>> Are there any copies of the recommendation floating around for people who may need one? Who hasn't got a copy? Who has not got a copy of the recommendations? I will take this front group. You can take this group here. All right. If you want to just‑‑ I can sit here and we can try and‑‑ we can stay here and we will try and have a discussion length wise. Okay. Got them. Okay. So why don't you take‑‑

>> I think we're good.

(group conversations)

>> MATTHEW SHEARS: Everybody, I'm really sorry to have to interrupt this fabulous discussion. But we have to draw the workshop to a close. So, if I can‑‑ if whoever is going to report the top two reports and then just move the mic around. Yes. Another key point. Sorry. If you want to provide your business cards to the person who is leading the discussion, that would help the working group keep in touch with you and add you to a list that we can work with in the future. Who wants to go first? All right. We will hear back from Rafik's group. Top two or three findings. Okay. So how do we get the attention of the people here.

>> RAFIK DAMMAK: How do we get the attention of the people here. For the top 3 ideas we get is first if we‑‑ how we can translate this and one of the ideas is to create kind of a checklist. Here we can track the practitioners. So we can (inaudible) and domains or area of having cybersecurity component like maybe (inaudible). So it is really for practitioners. Something they can use it and it is more easy for them. On the other hand in terms of how to share and in particular about sharing best practices or education is to create an alliance of kind of‑‑ democratic countries. And those (inaudible) companies. For a civil society in particular the civil society in non‑democratic sorts, they did use these tools for pressure and for (inaudible). Okay. The other point that was at the end, we talked about the checklist. This is for practitioners. We need to target law enforcement agencies, counter terrorism groups and so on. To bring that human rights discussion in what they are doing already in terms about cyber crime and counter terrorism because we need to find some balance here even if they may have some valid concern, but we need to create balance and to use that for that purpose.

>> MATTHEW SHEARS: Fantastic. Thank you, Rafik. Who's next?

>> Yeah. It works. So one of‑‑ I will point out that we raised in the discussion is those cybersecurity policies and recommendations to how they are sometimes implemented and used in the countries on the ground, which my background is I work in Egypt. Such policies they will be abused‑‑ they will not be used to protect citizens as they are recommended here which is‑‑ it sounds like the recommendations they sound nice and they sound like they go in the right direction. The way they're being implemented, the question that needs to be asked, security rights for who is the right object and states are not stupid. So they know that human rights and the language needs to be used so they can continue oppressing their own people. I'm not sure how that should be put into action because this is something that happens over and over and over again. It is something that we need to keep in mind. Right? This is also something that we see happening in Syria where the President says we're fighting terrorism and he makes sure that this reality comes true. And he turns the civil uprising and civil demonstration into a fight against terrorism and (inaudible) this happen. And cybersecurity by the nature and the terms and those discussions, it sometimes feeds into this and sees this coming true. It is not a practical recommendation, but something to keep in mind.

>> I think that's a very interesting concern and I'm thinking we may be able to somehow balance that with some of the recommendations. Thank you for that. It is very interesting. Stephania?

>> STEPHANIA: We have several interesting points raised in the group. So I want to thank everyone. So we were concerned that all of the recommendations are still a little vague. In terms of implementation, we're thinking about breaking down definition and privacy a little further and then coming up with a common code of conduct that could be given to stakeholders. And also a way to identify the responsibility of that community to offer appropriate tools as part of this code of conduct. In terms of area to expand recommendations, we have to probably add that the security of people and not the security of governance is of paramount importance and it's the starting point of the exercise. So, adding the idea that cybersecurity mechanism that‑‑ I'm sorry. I'm trying to make sense of something that was badly written down. We have to protect people against their own governments that may be and not just against intrusions from the outside. Integrations with the standards for cybersecurity with the marketplace, somebody came up with the idea for an ICT marketplace that has available and more secure products. Something else to be added. Encryption should be legal to use for individuals and for their own purposes. For example, think about Brazil where this is not actually the case. And then we're reflecting on the key role of education. The fact it is the responsibility of the individuals and the young people as well to protect themselves. So we should probably help and encourage members of other countries to also generate education policies that educate both students and teachers in these matters.

>> MATTHEW SHEARS: Thank you very much.


>> I will be really quick because I actually have to leave. We had some really rich discussions in our group. I personally learned a lot and I hope I can do some justice to them. One is building civil society and how important they are as advocates for human rights policy development. And the second was very in which relation to what a lot of people have been saying about how the law can be repressive in certain context and applying offline laws to online spaces. It is not necessarily going to be a good avenue or a good way of going forward and that's not necessarily a recommendation, but it is just again something to keep in mind. Yeah. That's a really, really brief summary, but again, they were really interesting points made. One, for example, it has come to my mind. We had input from someone from Zimbabwe. They bring awareness on the local level and avenues for engagement. We need to make sure the feedback loop is from national, regional to international.

>> Brief points also do not do justice to the rich conversation that we had. I think that we talked about this, the importance of greater granularity and what it looks like. A couple steps forward. In terms of, you know, can there be case studies? Can there be a principle and unpack it into a checklist while stressing the importance of sensitivity around regional differences, that these are much more aspirational for different parts of the world and these concepts have very different meanings in different parts of the world. It is hard to make a global standard and we also need to look at this if we want this to be practical and implementable. We need to have more attention to that. I think that we looked at the idea of could we get to, you know, particularly measuring criteria to someone whether it's a state or a corporation or another meeting these principles and then doing the potential for some naming and shaming around that as a way to take them into action. Another sort of concrete step was to try and think through about whether there's an opportunity to take these principles into the various cybersecurity capacity centers and cybersecurity centers of excellence and having consultations and hopefully adoption by those institutions. And then like other groups have mentioned, focus on more about how to supply from the individual level. And also particularly on recommendation 11. How do we make that real on a user level without placing undue obligation on the end user. And then finally, it was imagined there should be a point in the principles (no audio) (audio lost due to Internet/power outage)
