Building a Global Partnership for Responsible Cyber Behavior | IGF 2023 Launch / Award Event #69
Disclaimer: It should be noted that the reporting, analysis and chatbot answers are generated automatically by DiploGPT from the official UN transcripts and, in case of just-in-time reporting, the audiovisual recordings on UN Web TV. The accuracy and completeness of the resources and results can therefore not be guaranteed.
Session report
Full session report
Pablo Castro
Chile’s new national cybersecurity policy places a strong emphasis on promoting international norms and applying international law in cyberspace. This commitment is vital for achieving the goals outlined in SDG 9 (Industry, Innovation and Infrastructure) and SDG 16 (Peace and Justice). The policy reflects Chile’s dedication to upholding principles that respect human rights and international law in cybersecurity operations. Chile began working on cybersecurity in 2017 and released its cyberdefense policy in 2018, which stated that cyber operations would be conducted with respect for international law and human rights. The upcoming national cybersecurity policy reaffirms Chile’s commitment to promoting international norms and law in cyberspace.
In Latin America, there is a need for further discussion on attribution in cyber attacks. Unlike other regions, there is little dialogue about responsibility for cyber attacks. Governments in Latin America must decide whether publicly attributing an attack to a foreign power is beneficial. This highlights the need for comprehensive conversations and analysis on attribution in the region.
Capacity building and international cooperation are crucial for cybersecurity in Latin America. A lack of national cybersecurity agencies is often seen, with governance falling under committees. However, training courses offered by countries such as the US, Canada, Estonia, and the UK are helping enhance capacity building efforts. These courses focus on applying international law in cybersecurity and play a critical role in equipping Latin American countries with the necessary skills and knowledge to combat cyber threats effectively.
It is stressed that Chile needs to develop a national position on international law in cyberspace. The new cybersecurity policy mandates the establishment of this position. Defining Chile’s stance and approach towards international law in cyberspace is essential to ensure consistency and effectiveness in its cybersecurity efforts.
Regarding cyber attack response, a collective approach in the region is recommended as an effective way to express condemnation without attributing the attack directly to a specific actor. This approach allows for a unified stance against cyber attacks, maintaining diplomatic relations and avoiding unnecessary conflicts.
Pablo Castro, an expert in cybersecurity and related areas, supports discussions taking place in United Nations working groups on emerging threats and technologies such as artificial intelligence and cyber mercenaries. His previous experience in dealing with these issues, particularly in the field of cyber mercenaries, further underscores the importance of these discussions. However, caution is expressed regarding potential difficulties and disagreements in reaching a consensus within the working group. Maintaining a good working relationship among members is prioritised to ensure the effectiveness of the discussions.
In conclusion, Chile’s new national cybersecurity policy highlights the importance of promoting international norms and applying international law in cyberspace. This commitment aligns with the goals of SDG 9 and SDG 16, aiming to foster innovation, ensure infrastructure security, and promote peace and justice. Latin America faces challenges in attributing cyber attacks and requires further discussion. Capacity building and international cooperation are crucial for the region, with training opportunities provided by the US, Canada, Estonia, and the UK. Chile is encouraged to develop a national position on international law in cyberspace to enhance consistency and effectiveness. Furthermore, a collective response to cyber attacks in the region is recommended to express condemnation without directly attributing the attack to a specific actor. Discussions in the United Nations working groups, supported by Pablo Castro, are of vital importance in addressing emerging threats and technologies, while maintaining a good working relationship within the group.
John Hering
The Cybersecurity Tech Accord is a coalition of 168 tech companies from around the world committed to upholding foundational cybersecurity principles. It was established in 2018 with 34 companies and has grown quickly in size and influence. The primary objective of the accord is to give the tech industry a voice on matters of peace and security in the online realm.
One of the driving forces behind the growing interest in joining the Cybersecurity Tech Accord is the pressure from customers, as cyberspace has become an emerging domain of conflict. Companies feel the need to clarify their stance on not weaponising their products and services. This pressure compels companies to actively participate in initiatives like the accord to demonstrate their commitment to cybersecurity principles.
However, a challenge for the accord is getting companies with different capacities on the same page. While some are large multinational corporations with significant resources, others may not have the same level of resources. Bridging this gap is an ongoing challenge.
The accord advocates for coordinated vulnerability disclosure policies. It encourages companies to have these policies in place to address and disclose potential vulnerabilities in a timely and responsible manner. Over 100 coordinated vulnerability disclosure policies from the accord’s signatory base can be reviewed online.
Microsoft, a prominent member of the accord, has played a significant role in the context of the war in Ukraine. The company has prioritised strengthening security for its customers in the region and has responded to multiple generations of wiper malware used in operations targeting Ukrainian data. Microsoft also actively reports its findings in the context of the conflict, providing insights into the activities of broad threat actor groups aligned with military campaigns.
The importance of a robust multi-stakeholder coalition is highlighted, particularly in the context of hybrid warfare. The accord, which includes both private sector companies and public agencies, can provide asymmetric benefits to defenders as hybrid warfare becomes a domain of conflict. The collaborative efforts of the Ukrainian CERT, which had the necessary authorisations and coordinated efforts effectively, have been crucial in thwarting cyber operations in the Ukraine conflict.
Policymakers are urged to carefully consider the impact of their regulations on the security research community. John Hering, a cybersecurity expert, raises concerns about potential negative consequences if regulations do not prioritise fixing vulnerabilities and ensuring customer and user security. Poorly considered policies may inadvertently compromise product security and data safety by creating a race to the bottom.
On a positive note, accountability in cybersecurity is improving. Governments are taking steps to include norms violations in public attribution statements, and the International Criminal Court (ICC) has declared its intention to investigate potential cyber-enabled war crimes. These developments demonstrate progress in holding actors accountable for their actions in the cyber realm.
Overall, the Cybersecurity Tech Accord has garnered significant support and interest from tech companies worldwide. Its commitment to foundational cybersecurity principles and efforts to give the industry a voice in online peace and security are noteworthy. Challenges remain in bringing companies with different capacities together, but the focus on coordinated vulnerability disclosure policies and the active role of Microsoft in securing customer data in the Ukraine conflict show the practical impact of such collaborative initiatives. Policymakers must be cautious in crafting regulations that consider the impact on the security research community. Nevertheless, positive strides in accountability in cybersecurity, with government actions and ICC involvement, indicate progress in creating a safer and more secure online environment.
Koichiro Komiyama
The analysis reveals several important points regarding cybersecurity incident reporting and vulnerability information sharing. In Japan’s case, it is highlighted that sharing information with JP CERT (Japan Computer Emergency Response Team) or the National Cybersecurity Centre is crucial for effective incident handling. On the other hand, the US Securities and Exchange Commission has introduced a new regulation that requires financial institutions to disclose any cybersecurity incidents they experience.
However, it is noted that the role of the CSIRT has slightly changed. The specific details of this change are not provided, but it suggests that there may be some adjustments or updates in the way the CSIRT operates in handling cybersecurity incidents.
JP CERT, being a key player in incident reporting and response in Japan, receives around 20,000 incidents per year. This indicates the scale of the cybersecurity challenges faced by the country. Furthermore, JP CERT predominantly communicates with entities in the United States and China, indicating the importance of international cooperation in dealing with cybersecurity issues.
One of the supporting facts provided highlights a negative incident involving a Chinese security researcher. After identifying a vulnerability issue, the researcher promptly shared the information with Log4j developers. However, the researcher was subsequently summoned by Chinese authorities. This incident raises concerns about the potential hindrance to global information sharing and collaboration on cybersecurity matters.
The analysis also suggests that cyberspace is not as global as imagined, with over 80% of JP CERT’s incident engagements involving the US and China. This indicates that despite the interconnected nature of the internet, there are still significant gaps in global information sharing and cooperation in the realm of cybersecurity.
Another significant point raised is the localization of data and vulnerability information. This localization hinders global information sharing and collaboration, resulting in a chilling effect among Chinese security researchers. The introduction of regulations in China has had an impact on the willingness of researchers to share valuable vulnerability information due to potential legal repercussions.
The speakers argue that regulations should not hinder international information sharing and that vulnerability information should not be localized. They emphasize the importance of global cooperation and partnership in addressing cybersecurity challenges effectively. By overcoming barriers to information sharing and collaboration, the international community can collectively work towards a more secure cyberspace.
In conclusion, the analysis highlights the need for effective incident reporting and vulnerability information sharing in cybersecurity. It underscores the significance of international cooperation and the potential implications of regulations on global information sharing. The argument is made for regulations that foster collaboration rather than hinder it, ensuring that vulnerability information is not localized and that the global community can work together to address cybersecurity threats.
Charlotte Lindsey
The Cyber Peace Institute is an organisation dedicated to studying the impact and harms caused by cyber attacks. They recognise the importance of having evidence and data-driven understandings of the harm inflicted by these attacks. They emphasise the need for a context-aware approach to accurately calculate the harms and impacts.
One of the main concerns highlighted by the institute is the increasing targeting of vulnerable communities, specifically humanitarian, human rights, and development organisations, by cyber attacks. To help these organisations respond and enhance their capabilities, the institute has established a humanitarian cybersecurity centre and a cyber peace builders programme. This initiative aims to support these organisations in preventing and responding to cyber attacks effectively.
Understanding the impacts of cyber attacks on vulnerable communities is crucial for policy-makers. The institute believes that lessons learned from data analysis can be injected into policy discussions to develop efficient strategies and measures to address the issue.
During the height of the pandemic, attacks on healthcare infrastructure became a significant concern. Critical healthcare infrastructure experienced an alarming increase in cyber attacks. In response, the Cyber Peace Institute collaborated with the government of the Czech Republic and Microsoft to develop a compendium of best practices aimed at protecting the healthcare sector from cyber harm. This initiative provides guidance and recommendations for safeguarding healthcare facilities and systems from cyber threats and vulnerabilities.
The institute also stresses the need for clear accountability for breaching cybersecurity laws and norms. They are actively monitoring 112 different threat actors related to the Ukraine and Russian conflict. By holding these actors accountable, the institute aims to deter future cyber attacks and ensure a safer cyber environment.
In conclusion, the Cyber Peace Institute’s work revolves around deepening the understanding of cyber attack impacts and harms. They actively support vulnerable communities through their humanitarian cybersecurity centre and cyber peace builders programme. Their collaboration with the government and industry partners highlights the importance of protecting critical healthcare infrastructure from cyber threats. Additionally, the institute advocates for clear accountability to prevent future breaches of cybersecurity laws and norms. Overall, their efforts contribute to creating a more secure and peaceful digital space.
Regine Grienberger
Germany is actively taking steps to strengthen the normative framework for cyber behaviour. They are dedicated to implementing, monitoring, capacitating, and attributing cyber incidents. To protect critical infrastructure, Germany is developing national legislation in alignment with the EU directive. This signifies their commitment to safeguard essential systems and services from cyber threats.
In order to promote transparency and the sharing of best practices, Germany intends to document its progress in implementing cyber norms. By doing so, they hope to contribute to an international dialogue on cybersecurity and encourage other nations to adopt similar measures.
Germany has also established a national attribution procedure, which is coordinated by the Foreign Ministry. This procedure involves conducting comprehensive analyses and making informed political judgments regarding cyber incidents. By attributing cyber attacks, Germany aims to hold perpetrators accountable and deter future malicious activities.
Moreover, Germany recognises the importance of attributing cyber incidents as an essential practice. They believe that it is both achievable and necessary to respond effectively. Germany’s attribution procedure involves extensive analysis and political judgment, demonstrating their commitment to accurately identify and assign responsibility for cyber attacks.
Furthermore, within the context of the European Union diplomatic toolbox, sanctions are considered an instrument for responding to cyber incidents. This highlights Germany’s support for using sanctions as a means to deter and punish those responsible for cyber attacks. By leveraging sanctions, the EU aims to send a strong message that cyber aggression will not be tolerated.
In conclusion, Germany is actively working towards strengthening the normative framework of cyber behaviour through various means. Their efforts include developing national legislation, establishing a national attribution procedure, documenting progress in implementing cyber norms, and supporting the use of sanctions as a response to cyber incidents. These initiatives showcase Germany’s commitment to promoting cybersecurity, accountability, and international cooperation in tackling cyber threats.
Eugene EG Tan
This comprehensive analysis examines the viewpoints presented by Eugene EG Tan on various aspects of cybersecurity research and responsible behavior. Eugene expresses genuine excitement about a project that takes a broad perspective on cybersecurity, inclusive of diverse stakeholders such as states, industry, civil society, and academia. He believes that the project’s wide consultation and intersectionality greatly contribute to the richness of insights generated.
In terms of academic research in cybersecurity, Eugene argues that it has historically been limited to documenting state actions on an individual or regional level. He identifies a critical need for the development of universal measures of responsibility that can be applied across different contexts. Eugene suggests that this lack of common measurement has impeded progress in defining responsibility in the field of cybersecurity.
Furthermore, Eugene advocates for a collaborative and region-interactive approach within the academic community to enrich cybersecurity research. He highlights that academics often tend to focus on individual contexts or specific topics, but funding opportunities are now emerging, enabling cross-regional interactions. By broadening the conversation and understanding different contexts, this inclusive approach can greatly enhance the overall quality of cybersecurity research.
Controlling for cultural and contextual variables across different regions and states in a global study proves to be a significant challenge. Eugene acknowledges the difficulty in establishing a baseline definition of responsible behavior when conducting research on such a broad scale.
To address this challenge, Eugene suggests that it would be reasonable to identify common aspects of responsible behavior while also acknowledging deviations from the norm. This approach would help establish a baseline definition of responsible behavior and provide valuable insights into how the concept of responsibility varies across different states or businesses.
Eugene also emphasizes the crucial importance of implementing additional measures to ensure responsible behavior in cybersecurity. He believes that it is of utmost importance to determine how these measures can be effectively implemented to mitigate irresponsible behavior, subsequently benefiting the entire cybersecurity community.
Accountability and transparency are highlighted as key concerns in the use of commercial spyware. Eugene points out the lack of transparency surrounding the utilization of such tools and the pressing demand for a systematic focus on providing redress for victims. He argues for a coordinated response that effectively shapes the political and normative environment related to spyware. Furthermore, the ability to attribute responsibility becomes crucial in holding individuals accountable for their actions.
Eugene also supports the notion of state responsibility in protecting human rights and holding violators accountable. He emphasizes that states have a legal obligation to protect and promote human rights. Eugene fervently advocates for individual and collective action by states in bringing perpetrators of abuses, such as abusive surveillance technology, to account. He emphasizes the importance of relying on legal avenues, such as formal investigations and subsequent legal cases against the financiers and commissioners of abusive surveillance technology.
In conclusion, Eugene EG Tan highlights the need for a comprehensive perspective in cybersecurity research, the development of universal measures of responsibility, and a collaborative approach within the academic community. He emphasizes the challenges of controlling cultural and contextual variables in global studies, the critical importance of implementing additional measures to ensure responsible behavior, and the urgent need for accountability and transparency in the use of commercial spyware. Furthermore, Eugene supports state responsibility in protecting human rights and holding violators accountable.
Louise Marie Hurel
The analysis explores various perspectives on responsible cyber behavior and the challenges associated with its implementation. It highlights the importance of understanding different interpretations of responsibility in cyberspace, especially in different contexts. The global partnership, which involves over 70 scholars, aims to map practical understandings of responsible cyber behavior and how it is interpreted by different stakeholders. It emphasizes the need to give a voice to less dominant countries, as their interpretations of responsibility are often overshadowed by larger powers.
In promoting responsible state behavior, capacity building and proper implementation of cyber norms are seen as crucial. Germany, for example, has established a national attribution procedure to hold malicious actors accountable, while Regine Grienberger emphasizes the importance of monitoring and sharing information on the implementation process. However, it is also noted that attribution should be a political decision based on effect-based and responsible analysis, rather than an automatic step towards sanctions. There is a growing desire for sanctions in response to malicious behavior, with the EU having the instrument of sanctions in its diplomatic toolkit.
The analysis also stresses the involvement of other actors, such as the private sector, academia, and civil society, in promoting responsible cyber behavior. Louise Marie Hurel argues for more space to be given to less dominant countries in the debate, including private sector companies like Microsoft. She also highlights the role of academia and research in the global cybersecurity landscape, emphasizing the need to connect researchers with the realities on the ground. Hurel acknowledges the multifaceted aspect of cybersecurity, which encompasses statecraft, private sector involvement in conflict situations, and civil society engagement.
Trust-building and better interregional channels are also deemed essential for advancing responsible cyber behavior. Hurel mentions the Point of Contact directory within the Confidence Building Measures at the Organization of American States as an area for development. Furthermore, the analysis highlights the importance of creating a common understanding of responsible behavior in different states and regions, as well as identifying deviating elements in norms across different states to better understand variations in perceptions of responsibility.
The analysis also explores the nuanced implications of state regulations on cybersecurity. While regulations are necessary to ensure vulnerability disclosures and establish necessary procedures, there are concerns about whether these regulations hinder communication channels that are already established. Hurel advocates for careful contemplation and assessment when developing regulations to ensure effective communication channels and feasible job roles.
In conclusion, the analysis underscores the need for understanding different interpretations of responsibility in cyberspace, providing a voice to less dominant countries, capacity building, proper implementation of cyber norms, the role of sanctions and attribution in promoting responsible state behavior, the involvement of the private sector, academia, and civil society, trust-building and interregional communication, and the nuanced implications of state regulations on cybersecurity. It highlights the multifaceted aspect of cybersecurity and the importance of research and academia in connecting with real-world issues. The significance of creating a common understanding of responsible behavior and identifying variations in norms across different states is also emphasized.
Session transcript
Louise Marie Hurel:
Thank you so much for being here. We’re starting the session just in case you’re checking the room is building a global partnership for responsible cyber behavior. My name is Louise Marie Hurel, I am a research fellow over at the Royal United Services Institute, which is a think tank based in London. So we work with security and defense and we have a cyber security program over there. And I’m leading a project that’s on responsible cyber behavior. And today I’m very happy to welcome you all to what is the regional launch of an initiative as part of this project, which is called the global partnership for responsible cyber behavior. So what is then the global partnership and why is this important before I turn to our great speakers both here and online. So the focus of the global partnership is really to map practical understandings of what responsible cyber behavior means, how it’s interpreted by different stakeholders. And for this first year, we’re looking specifically at how states see responsibility in practice, what are the regional nuances, what are the contextual and cultural elements that shape the understanding of responsibility. And we have, as part of this global partnership, we have a structure. So we have an advisory board and I see that Chris is over here in the room representing the advisory board. Thank you, Chris. We also have members. So the global partnership consists mostly of researchers and research institutions from across different regions. So we have over 70 scholars and researchers involved. And the idea is that we have working streams for each of the regions and we’ll be producing regional papers out of that, which will be a global compendium on responsible cyber behavior throughout this next year. So it’s quite exciting. Stay tuned. But as part of thinking about the global partnership, I think there’s a bigger question of why is this important, why is this relevant and why now.
So for those that have been following closely the UN negotiations, the open-ended working group, there are increasing tensions and there are things and tough questions that sometimes it’s very hard to deal from, let’s say, a diplomacy or a geopolitical kind of standpoint. But as a research community, this is something that we can do. We can ask tough questions. We can come together and look at our differences and our commonalities as researchers from across different regions. And I think there are other some challenges that are, let’s say, in the background of this conversation. So first, there’s a lot of understanding or, let’s say, even publication around big powers that often dominate the debate, and that’s fine, I mean, but that leaves little space for other regions and other countries to kind of vocalize their own kind of like understandings and interpretations. So I think it’s important to think about, you know, how do we think the research agenda around that. Second is that international peace and security discussions are the highest level of conversation that one can have when it comes to, let’s say, responsibility in cyberspace, right? And obviously, in the context of the UN, we’re talking about negotiating a document, right? So it’s a place where you actually have an output, which is a consensus document, and you don’t necessarily see the regional nuances in those particular documents. And perhaps you’re just focusing on the highest political angle. So responsibility is potentially not just that. There are other layers that we need to consider. And finally, that there is, you know, of course, a need for a greater, let’s say, contextual or cultural understanding of where the values that come into each country’s way of seeing and perceiving responsibility, in addition to these norms that have been agreed at the international level. 
So to think about that and to reflect, I think there’s nothing better to do this over at the IGF where we can actually have a multi-stakeholder perspective. So that’s the objective of our conversation here today, is to bring stakeholders from each stakeholder group to reflect on how they see responsibility in cyberspace in practice, to have their views. So we’re going to pick a bit. So it’s a snapshot of each of them because we only have an hour, but definitely and hopefully this is a trigger for food for thought and for future, let’s say, conversations that we can have around each of these topics. So today with me, we have two people online, but I’ll present all of them right now. So we have Regine Grienberger, who is joining us online. She was here. Some of you might have seen her, but she unfortunately had to leave, but she’s very kindly agreed to join us and committed to being online. So thanks, Regine. Regine is the Cyber Ambassador at the German Federal Foreign Office. We also have Pablo Castro over here on my side. He’s the Cybersecurity Coordinator at the Chilean MFA. And you have a crowd cheering for you over there as well. We have on my other side, John Hering, who is the Senior Government Affairs Manager at Microsoft. We also have Charlotte Lindsey, who is joining us online. She is the Chief Public Policy Officer at the Cyber Peace Institute. And we also have Eugene Tan. He is an Associate Research Fellow at the S. Rajaratnam School of International Studies. And hopefully I pronounced that correctly, which is the shorthand for RSIS. And we also have Koichiro Komiyama, who is the Director of Global Coordination Division at JPCERT. So as you see, we have a lineup of government representatives, private sector, academia, and technical community here. But I’ll stop talking now because I think the most interesting bit is for us to have this kind of back and forth. And Regine, I hope you’re here with us in cyberspace and we can see you at any point.
Is she online? Can you confirm with… Is she online, Regine? Yes? Wonderful. So Regine… I am. I am. Hi. Wonderful. Hi, Regine. Thanks for joining us. So Regine, the idea of this conver… Is really to be a conversation, right? So it’s supposed to be dynamic. Regine, I wanted to start with you for us to unpack some of the layers when it comes to what responsible cyber behavior means in practice, right? So while the discussion at the UN has really provided this framework for responsible state behavior, there’s still many nuances that we are kind of exploring, right? For some states, for example, responsibility might be seen as calling out bad behavior or irresponsible behavior through public attribution, right? Or sanctions, let’s say. So how has Germany been positioning itself with regards to that? Could you elaborate a bit?
Regine Grienberger:
Thank you, Louise. First of all, congratulations on the creation of this global platform. I think both the past OEWG and the current OEWG and also the Ad Hoc Committee negotiations on cybercrime show that the era when cyber norms were only negotiated by few capable states is definitely over. We have now the whole UN member states, the members involved in these negotiations. And also a lot more of non-governmental stakeholders, which is a good sign. But still, we need more smart people to sort out the complex issues that we have here. So I’m really grateful that you established this platform. Now for your question, I wouldn’t start with attribution. The first thing that I would like to mention, how states can strengthen the normative framework is, of course, implementation. It sounds a little bit trivial, but it is not. I mean, we in Germany have no problem with the negative norms. So refrain from, we would never attack critical infrastructure. But the positive norms, so like protect critical infrastructure, are much more difficult to implement. We have, for example, at the moment, negotiations about a national law that is going to implement a new directive on the European level. It’s the NIS directive, which is a legislation to protect critical infrastructure. It sets benchmarks and standards for entities of critical infrastructure. And it will require a lot more cybersecurity experts to actually do this. I mean, to do all the jobs that are mentioned in this legislation. So where do we find them? So this is very difficult to implement. The second thing that states can do is, of course, monitor their own implementation and share it with others. In the last OEWG, we had discussions about a national survey. I think it was a Mexican proposal. And I think it’s a very good thing to document also what you are going or what you are doing in order to implement cyber norms. It’s also a way to share best practices and get others on board.
And as we all know, it’s a cross-border endeavor to implement the cyber norms. So this is also a possibility to define the interfaces between national jurisdictions. Then the third element I would like to mention, still before attribution, is capacity building. And this has been defined in the last negotiation round as a two-way street. We had a very nice panel also during IGF describing the challenges to coordination for cyber capacity building measures. And I think we all have to do a lot more work to get this really going. It’s not only a question of money. It’s also a question of, again, human resources that have to be invested, but also coordination to get the right things done. And then the last thing is attribution. Attribution is holding malicious actors accountable. It’s very difficult in practice, but it’s doable. We reject this notion that you cannot properly attribute. I think we can. We have technical possibilities, and we have to use, of course, also political judgment to put this in the international, the observations that we do on a technical level to put these into an international context. So, we have established in Germany a national attribution procedure. The foreign ministry is the penholder of this procedure, and it works together with other ministries and agencies and intelligence services who might have intelligence or other facts to contribute to this procedure. And we do it in a very thorough, responsible way, so that when we go out with an attribution decision, you can be sure that we have the necessary background information collected and that this is something that is not done. It’s a political attribution because it’s a political decision, but in the basis, there is a really fact-based and responsible analysis of what has happened. So, sanctions are still something else.
It doesn’t require attribution, and attribution doesn’t require automatically sanctions, but in the European Union, within the diplomatic toolbox, we have also the instrument of sanctions to use it together. And this is something that we will probably see more often in the future. There’s a lot of appetite for sanctions out there because malicious behavior is really increasing from different sides. So, I’ll leave it with that.
Louise Marie Hurel:
Thank you. Wonderful. Thank you. Thank you very much, Regine. And I think what we see from your, let’s say, points is that there are positive levers to thinking about responsibility, right? So, a positive understanding of responsibility where you build capacities, where you think about the development of national laws and how do you connect that with the regional level when it comes to the EU, right? I mean, implementing things like the NIS Directive, and also monitoring implementation. But there are also, let’s say, negative, not in the sense of a judgment call on it, but negative in the sense of what it proposes, right? There are also levers such as attribution and then sanctions that are within, let’s say, the statecraft toolbox to think about responsibility as something that’s external, right? So, there’s the internal responsibility of the state to necessarily have the capabilities and the capacities to be held accountable when it comes to its own citizens, but there’s also the external responsibility over there when thinking about if another state is acting or a non-state actor that’s within another state and vice versa that applies that vision of responsibility externally. So, Regine, thanks a lot. Given our time, I’m going to try to do a first round of questions, and if we have time, I’ll do the second round of questions just because I’m mindful of that. So, Pablo, so passing over to you, I know that over in Chile there’s a lot of discussions about the development of national policy right now, and also a national law, right? I mean, focusing on cyber security. How does it work then, and I know that one of the components is trying to connect, let’s say, the domestic institutions development, the principles with, let’s say, the framework for responsible state behavior and the implementation of international law in cyberspace. 
So, how, can you explain a little bit more and give us a little bit of an insight into that process because, as I know, it’s still underway, right?
Pablo Castro:
Thank you, Louise, with the timing to be very on time. Well, thanks very much for this invitation. It’s a very important, fascinating topic, and also congratulations on the global partnership. Well, it’s still a challenge because, basically, in Chile we started back in 2017 when we released our first national cybersecurity policy, and that policy, well, we tried to cover many things in cybers, you know, but we set up, I mean, five goals, and one of them was related with foreign policy, which is very important because, for the first time, the Minister of Foreign Affairs was really engaged in this process. And we basically, what we did was, okay, our foreign policy has a lot of, you know, principles, and we basically said those principles also apply to cyberspace, you know, respect of international law, promotion of human rights, you know, restraining multilateralism, and so on. So, we said those principles are there, part of the foreign policy, and also a part of our view and policy in cyberspace. That’s very important for us because it was quite easy at that moment to start, I mean, this work. There’s still, I think, and then our cyberdefense policy was released back in 2018, was also very important because it was, I think, one of the first times with the, we basically set a statement like the, for example, cyber operations will be conducted under the respect of international law, IHL, and international human rights, and it was actually initiatives coming from the Ministry of Defense, part of the whole this process, you know. But even before that, the Ministry of Foreign Affairs started, I mean, to make those sort of statements. So, of course, in coordination with the Ministry of Foreign Affairs, unfortunately, maybe this policy is not, maybe too well known because it was released, I think, one week before the new administration was coming in 2018, but it is in English, so if everyone wants a copy of it, I’m really happy to share it with you.
And I think it’s still a lot of challenge that we would like to address in the new national cybersecurity policy, which is the text is ready. It was approved by the Inter-Ministerial Committee on Cybersecurity in May this year, and with respect to it, it can be released, you know, during 2023. The new policy is actually, I mean, a commitment to promoting, you know, international norms, the application of international law in cyberspace, CBMs, which is a very important component in our foreign policy. There’s been a lot of work we’re doing at the level of the OAS with the establishment of 11 CBMs in cyberspace. And also, we will have a commitment to work on an international cooperation strategy, you know, in cyberspace, and also on a national position on international law in cyberspace. I mean, it doesn’t mean we are not trying, I mean, to work on this, but now it’s going to be part of the mandate of the new policy, and I think this is going to be very important because it’s basically a commitment, you know, it’s coming from the president, and so we have a mandate, and so we have to be composed to work on this. But I think this is still a challenge when it comes to responsible state behavior in our regions, because, I mean, Regine mentioned attribution, there’s not going to be too much discussion about attribution right now in our regions to see, I mean, what other states think about it. In my own experience, it’s sometimes been complicated when you speak and talk with your authorities, say, we were maybe under attack from some foreign power or something, and the question is, what is the benefit of making this attribution? I mean, is it something necessary to do, or make a press release? But I think there are some benefits, and it’s something we still need to discuss more internally at the level of the government, other ministries.
As you know, in Latin America, you have this problem of governance of cybersecurity, where you don’t have, sometimes, national cybersecurity agencies in charge of this. You have committees, et cetera. So that discussion is something we still need to improve more, and exchange views with other states, you know. We’ve been trying, I mean, to promote this sort of dialogue, I mean, what other states think about the application to national law. What is your experience on implementing the 11-0s law? I would like to mention what Regine said about capacity building, which is now a region that’s critical. It’s very important. The U.S. has been playing a very important role with a lot of training courses regarding application of international law. Because basically, if you want to take some important decision on this, and just develop a national position, you need people that could really understand what we’re talking about. So I think that could be, I mean, the only, I think, lawyer we have right now, Mr. Ford, which is really good, and it’s thanks to the training that we have, thanks to the U.S. And I want to actually, in that case, highlight the, I mean, outstanding work that’s been done for some states, like Canada, the United States, Estonia, the U.K., that have been actually helping to access these training courses. I also cannot fail to mention the Global Emerging Leaders Program on cybersecurity. Thanks to that program right now on the Internet Governance Forum, because basically, one of the main focuses is to promote responsible state behavior. So I think it’s something that’s quite important in terms to promote this sort of dialogue. And I think global partnerships can play a very good role in our regions to try to, you know, create a sort of space for states to come together, exchange points of view. But as I said before, it’s still a challenge. There’s a lot of things we can do.
My aim is the next time there could be an attack on one state in our region, such as Costa Rica, we can maybe come together and make a collective response to say we’re really condemning this attack. Not maybe necessarily to say who was behind it, but as the leaks have showed, it’s sort of condemnation. And I think it’s something that can be done, you know. Thank you.
Louise Marie Hurel:
No, thank you very much. And I think it’s interesting to have two government representatives kind of in this panel, because then you have kind of two ways of thinking about, right, or the nuances already of thinking about that internal dimension. And Pablo, you mentioned, you know, the whole development and the history of how Chile arrived where it is right now and what it needs to kind of like, it’s important to have the policy right now, because then the whole conversation of how to better connect the, you know, the domestic side of things and how the policies have been developed with the international kind of law and how to advance and to have that mandate, as you said, to be able to do that, which is quite important. And we know that in terms of policymaking in the region, it’s really always about that. And I think your point on attribution is also quite interesting, right? It’s not necessarily that there’s a political interest in naming and shaming, but that on the other hand, this external responsibility is something that, you know, there needs to be a further trust building within the region to think about what are the channels, how can we make the POC directory within the CBMs at the OAS kind of advance in that way and be more implementable. So now I wanted to shift to you, John, because we talked a lot about states, but I think, you know, a huge part of the whole conversation about responsible cyber behavior goes through the private sector, right? It’s thinking specifically like big companies like Microsoft, right, as we’ve been seeing its engagement. So I wanted to do a very, very quick kind of question, and I think I’ll do a sandwich already with the second question that I was gonna ask you because I’m quite excited about that one. So the first one is really kind of, so as I said, responsible cyber behavior is broader than just thinking about state behavior. So what are the main lessons learned and perhaps the challenges of bringing together the private sector within the Tech Accord? I mean, many people, I imagine some might be familiar, but others might not. So do you wanna just do like a quick reply on that, and then I’ll just go for my second question because I’m very excited about it.
John Hering:
Sure, yeah, thank you so much for having us and thanks to IGF for putting on this session. For those who are unfamiliar, the Cybersecurity Tech Accord is a coalition of now 167, 168 technology companies from around the globe committed to some foundational cybersecurity principles, but really what it is is trying to be the industry organization that gives the industry a voice on matters of peace and security online. And the group’s been around for five and a half years now, and I’ll tell you what has not been a challenge is getting folks on the same page on that. It’s sort of been remarkable how much there’s been a lot of interest in joining the group. We kicked off in 2018 with just 34 companies and then pushing 170 now, and I think that reflects a lot of pressure that companies feel across the industry from our customers as cyberspace continues to emerge as a domain of conflict to make clear where do we stand, what is our role as the folks who are developing the products and services that are so often weaponized by various actors, but including increasingly governments. So it’s been easy to sort of get folks on board to say, hey, we have commitments to good security, protecting our customers, we are not interested in weaponizing our products and services to undermine peaceful security or peaceful technology. One of the challenges though is just sort of, I think, getting companies that have just such widely different capacities on the same page. Some companies, like you said, are very large multinational firms and have the resources to dedicate to some of these challenges, and for many of the companies that have joined the Cybersecurity Tech Accord beforehand, familiarity with UN processes on peace and security online was very, very foreign. And so it’s been interesting to sort of bring a broader swath of the industry into the conversation.
And we’ve also seen, I think, some real meaningful progress taken across the industry by virtue of the work of the Tech Accord, maybe most notably, starting a few years ago, we started encouraging companies to have coordinated vulnerability disclosure policies in place as a matter of just sort of baseline expectation. When we started calling on companies to do that within the group, there were, I think, maybe a dozen or so CVD policies that we could find easily online. And today you can find over 100 coordinated vulnerability disclosure policies from across that Tech Accord signatory base that are reviewable online and can serve as a proof point, I think, for action for that group, but then also a point of reference for other companies seeking to think about, well, what would a CVD policy look like in our particular context? So that’s just one example, and yes, you debrief, so I’m gonna cut there.
Louise Marie Hurel:
No, that’s fine, and I said I was gonna do one round, but I’m gonna squeeze in, just because of our time, the second question over here to you, John, which is, you talked about the Tech Accord, and I think it’s a really interesting kind of like endeavor to kind of bring folks together from industry and across, as you said, like different levels, you know, not necessarily just strictly tech companies, right, I mean, in that case. But when we think about Microsoft’s role specifically, and I mean, that doesn’t apply just to Microsoft, but maybe other companies that have been engaging, like in context of conflict, crisis scenarios, right, I mean, the war, the Russian-Ukrainian war. So what is the role, then, of the private sector in those contexts, right? What is the responsibility of the private sector in engaging in conflict situations, as we’ve been seeing right now in Ukraine? So what would you say about that?
John Hering:
So a lot of that question, I don’t think, is my place or Microsoft’s place to answer in terms of what is the proper role of industry as it relates to armed conflict. I will say it’s something that’s been thrust to the fore, though, in the past year and a half since the war in Ukraine started, and certainly Microsoft has played a very forward-leaning role here. I should say that the Tech Accord early on in the conflict also did come out with a statement on industry responsibilities in times of armed conflict. But in particular, for Microsoft, I think we focus on doing three things as it relates to the conflict in Ukraine. The first is hardening security for our customers that are in the region. If you’re gonna be exposed to particularly sophisticated threat actors, making sure we’re providing the best security that we can. We did a lot of work to migrate Ukrainian data into secure cloud environments, which made data centers in Ukraine redundant targets. We also did a lot of work, then, on the active defense side. It’s the second thing we’ve done. We’ve responded to now, I think, upwards of 10 different generations of wiper malware in the context of the operations targeting Ukrainian data. And then the third, and this has been, I think, something we’ve leaned into more over the past year in particular, is regular reporting on what we’re seeing in the context of the war in Ukraine. We’ve redoubled, I think, a lot of our efforts around threat context analysis in particular, so not just talking about what one cyber event was, but painting a picture about the activities of a broad threat actor group, how they’re aligned, then, and oftentimes with a military campaign. We’ve seen, often, missile strikes either immediately preceding or taking place right after cyber operations, often against the same targets or same geographies. 
Microsoft obviously can’t know the level of coordination and where that takes place within government agencies, but the correlation would seem to suggest that. And then the other, but Microsoft certainly hasn’t been alone in this. There have been a lot of private sector companies that have been leaning forward in similar ways, and then, obviously, a lot of the success of those efforts to thwart cyber operations in the context of that conflict are attributable to the work of the Ukrainian CERT, which was so prepared to readily provide necessary authorizations, to move quickly, to coordinate the efforts of a broad multi-stakeholder coalition. This is sort of the first example we’ve ever seen of large-scale hybrid warfare. It certainly won’t be the last, but I think one silver lining and encouraging element here is that it looks like a robust multi-stakeholder coalition that is well-coordinated and determined can at least ensure that as this emerges as a domain of conflict, there can be asymmetric benefits to defenders.
Louise Marie Hurel:
Wonderful. I think that gives us a lot of food for thought. I mean, of course, there are various types of companies engaged, right? I mean, tech companies, threat intelligence companies, and you can go more and more kind of nuanced in the classification of companies involved in conflict. Right, I mean, they’re evolving questions of whether they are combatants or not, on whether the private sector has an extra responsibility because they’re infrastructure providers. But anyway, I wanted to pass over to Charlotte because since we’re talking about conflict situations, I wanted to also talk about the more, let’s say, human element and the organizations that sometimes are the primary target, or let’s say the ones that suffer the spillover of a lot of that geostrategic competition. So Charlotte, I don’t know if you can hear us. I just wanted to check. Yes, I can hear you. Can you hear me? Lovely. Thanks so much, Charlotte. It must be so early over there. So thanks so much for joining us. So Charlotte, I know that the Cyber Peace Institute has been doing really great work in trying to measure the impact of the harms that cyber incidents have on civilians and on civil society organizations. And normally, individuals in civil society organizations and the third sector are left by themselves to actually know how to best respond or to protect themselves and their infrastructure. So could you share a little bit more what can be done better to support these groups?
Charlotte Lindsey:
Thank you, and good afternoon. I’m really sorry I can’t be there in person, but thank you for inviting me today. So yes, the Cyber Peace Institute has been working to understand the impact and harms of cyber attacks. And I think firstly, it’s important to build evidence and data-driven understandings of the harm inflicted by cyber attacks. There’s always a lot of hypotheses, but I think what we’ve been trying to do is really foster more context-aware approaches so of the harms and impacts, so that we can also look at then what’s the best way to support and engage in capacity building and building resilience for particularly vulnerable communities. And so I think that’s a very good starting point, understanding the evidence and data-driven impact and harms. What we’ve been looking at, for example, a particular vulnerable group who’ve become more and more impacted and targeted by cyber attacks are humanitarian and human rights and development organizations that are working to support victims of armed conflict and vulnerable populations in crisis situations. And what we have done there is really built both a humanitarian cybersecurity center, but also a very specific cyber peace builders program where we match the needs of individual organizations to cyber resilience and capacity building support that can be provided free to those organizations to help them respond and build their capabilities to prevent or to respond to attacks. And I think that’s a very important point, but then also on the policy side, it’s really important to take the understanding and lessons learned from that and inject that understanding into policy discussions, for example, at the Open-Ended Working Group or the Ad Hoc Committee on the Cybercrime Convention in order to be able to say, look, this is what is happening and this is what needs to be done to prevent that. Another particularly vulnerable community we saw during the pandemic was the healthcare community.
And we saw also during the pandemic, particularly the heightened two years of the pandemic, we saw increasing attacks against very critical infrastructure, the healthcare infrastructure linked to the response to the pandemic. One of the things that we did with our partners there, which is the government of the Czech Republic, Microsoft and the Cyber Peace Institute, we built a multi-stakeholder compendium on best practices on protecting the healthcare sector from cyber harm, which was looking at really practical recommendations that could improve the resilience and protection of the healthcare sector. So another concrete way is looking at the data, what it’s telling us about what the harms are, putting together those people who are impacted from the healthcare sector in this case, looking at practical recommendations of what’s worked and then building that into resilience programs. And then just lastly, we’ve been working over the last two years on the cyber attacks in times of conflict, particularly related to the Ukraine and Russian conflict. And there we are monitoring currently at the moment, 112 different threat actors who are very loud and proud about the attacks that they’ve been carrying out. They have been self-attributing. So obviously there still needs to be more technical, policy, legal attribution behind that. But I think that speaks to what Regine and Pablo were talking about at the beginning, about being very clear about the responsibility of states, also to make sure that attacks don’t happen from their territory or to then potentially hold persons accountable for that. And I think those will be very important steps going forward, looking at how those who’ve breached the laws and norms are going to be held accountable.
Louise Marie Hurel:
Thank you so much, Charlotte. And I think that starts to paint to us like a, let’s say a gradient of understandings of responsibility that are complementary, right? We discussed the national, like the domestic and the external notion of responsibility when we’re talking about statecraft and what that means when it comes to applicability of the norms. We talked about the private sector and the evolving understanding of what it means to engage in conflict situations, being a company, not that the private sector has not been involved in conflict. I mean, when we look at other, let’s say, contexts, it’s not new. But I think when we’re talking about the tech sector engaging in protecting and providing support and assistance, then maybe we’re talking about new dimensions of responsibility over there. And now, looking at the third sector, looking at civil society organizations and what the Cyber Peace Institute has been doing, I think there’s an extra layer of responsibility there, which is thinking about how the civil society organizations can feed back into government and say, these are the harms, be very thorough about the data that we collect and be able to hold them accountable for the actions and the spillovers of many of these activities, right? And Charlotte, I will get back to you on the second question, definitely. So I will now pass it over to Eugene. So Eugene, now we’re in the sweet spot because as a person that comes from academia, you know, my heart goes out to you as well as a fellow person from the same sector. So I was wondering, at the heart of the global partnership really lies this commitment to foster research-led dialogue with different views from different countries and regions on the topic. Are we doing enough as a research community to really connect to those realities or are we really in our own silo? So how has RSIS kind of done and worked through those different silos?
Eugene EG Tan:
Thanks, Louise. So let me first say that it’s an honor and a privilege for RSIS to be involved in this project. And I think this project represents a wonderful opportunity for us to shape and build what responsible behavior in cyberspace looks like from a global multi-stakeholder perspective through dialogue and research. So for the longest time, I think academic research has been done on a very individual regional case study basis where actions by states are documented and on the actions and commitments made by states. And it’s from this where we draw what we think is best practice and also maybe implement it in an arbitrary manner. So what I think has been lacking in research is this common measurement of what responsibility actually is, which is what makes this project so exciting. What makes this project doubly exciting is how wide the consultation is and the intersectionality that each individual on this panel or online or even in this room here brings to the whole project. This means the discussions, the findings come from a group of people and not just a snapshot from a specific region or from an academic perspective, but rather one which considers a wider context of responsibility with states, industry, civil society, academic views coming together on a very global scale. So bringing back to your question about having the need to connect different realities when doing comparative studies among the regions. So I think as an academic community, we haven’t necessarily done enough talking across regions and academics tend to focus more on our individual contexts when talking about cybersecurity. This can be area studies, these can be specific topics that you’re interested in. But I think that has been changing, especially when funding is starting to come online where academics like myself can actually interface with different regions. I mean, I met you first in Mexico. What’s an ASEAN person meeting someone who is based in Europe doing in Mexico, right?
So doing so helps us build that bridge, helps us understand the different contexts that we actually reside in. And I think this broadens the richness in conversation, broadens the conversations that we have. And I think we’re all richer for that, yeah.
Louise Marie Hurel:
Wonderful, and I wanted to follow up on that, actually, Eugene. And yeah, it’s quite interesting that the need to connect to the global, let’s say, research community around this, and definitely it’s at the heart of what the GPRCB, the Global Partnership for Responsible Cyber Behavior, seeks to do. But Eugene, what can we do better? I mean, you started alluding to some points over there, but what can we do better to develop a research agenda that’s more attentive to the cultural, contextual kind of elements that might play into defining responsible cyber behavior?
Eugene EG Tan:
So you’re asking a fellow academic how to do research design.
Louise Marie Hurel:
Yes, absolutely, because I mean, this is part of what we can do, right?
Eugene EG Tan:
Yeah, so personally, I think, because this is a global study, it’s gonna be really difficult to control for all the cultural and contextual elements across the regions and different states. So what would be reasonable would be to pull out the common strands of what constitute responsible behavior and note these deviations from the norm. This would enable us to put out a document which potentially defines responsible behavior as a baseline rather than building on existing research, which is to provide a case study on how states think or how businesses think, how they’re being responsible, because it’s such a nebulous concept of responsibility. There is no one measurement, like I was speaking about earlier, because there’s no one measurement. Everyone thinks they’re responsible, right? So it’s how we draw out these extra measures, how we could actually inform the whole community as a whole, how these extra measures can be actually implemented that will bring value to the whole ecosystem.
Louise Marie Hurel:
Absolutely, and I think, if what I’m hearing potentially is painting a spectrum of responsibility. So we already have the norms, right? They are at the international level. How they’re interpreted, we have the area studies, of course, but I think your point on understanding the deviation element is quite fundamental, right? And how do we access those, let’s say, practices to be able to draw that. So that is part of what we’ll be doing, like, in the next year, so that’s quite exciting. I wanted now to turn to Koichiro. So Koichiro, you know, you have been engaged in so many different bits and pieces of the technical community, right, as JPCERT, being part of FIRST’s advisory board and so on and so forth. So I wanted to speak to you particularly about, you know, the CERTs have a really important role. So at the UN, you know, the norms, there’s a norm to protect CERTs against being targets and they have a fundamental role in maintaining the security of networks and systems and for many years now. But many countries have now establishing, have established reporting requirements, right, and we already discussed that a bit, for incidents. Is it realistic to expect organizations to report incidents within a short time frame sometimes or to have governments require that some vulnerabilities and incidents be first reported to them? So I see that there’s a responsibility from the side of the CERT community, right, but is it realistic to expect some certain things from, especially when it comes to vulnerability reporting and reporting requirements, is it realistic to expect that given your experience in the field?
Koichiro Komiyama:
Thank you, Louise. Hello everyone, my name is Koichiro Sparky Komiyama from Japan Computer Emergency Response Team. Well, you know, I’m glad that Louise mentioned the role of CSIRTs or CERTs to protect the global Internet, and my contribution is to explain how the role of the CSIRT has changed slightly over the last few years. I have three points. First, of course, we see more rules or regulation or local registration for anyone to report vulnerabilities and incidents to authorities, which also, which includes, for example, India’s case, reporting cybersecurity incidents to CERT India, the Indian CERT, within a few hours of occurrence, or, since I spent a week in the IGF meeting room this week, I just learned Sri Lanka will have a similar regulation in a few months, and I also like to note certain, you know, there are many other authorities or government agencies who receive the security incident reports. For our case, Japan, if there’s a cybersecurity incident, they share information with JPCERT or the National Cybersecurity Center, but if the case is associated with a personal information leak, then they have another government-led commission, which they are mandated to report to. And just recently, the US Securities and Exchange Commission also introduced a new regulation for incident disclosure to US financial institutions. Now, my second point is, you may not be familiar with what we are receiving. For example, JPCERT, we receive 20,000 cases or incidents per year, and for about half of the cases or half of the incidents, we need to engage or we need to communicate with someone in the United States, the ISPs, platformers, researchers in the United States. Then, that’s a half of our received reports. For another 30 to 40 percent, we need to reach out to China. So US-China combined is more than 80 percent, and from this fact, I like to suggest to you, cyberspace may not be as global as you imagine. What’s crucial on the internet is not this part, not very, not very distributed, but rather concentrated in a few places on earth.
And the other thing is, you know, often regulators misunderstand. If they got more information, they can make more accurate decisions or assessments. To us, like among 20,000 incident cases, what we like to see is less than 1%. Only, you know, less than 100 cases can be used or can be very beneficial for us to analyze what type of APT attack is happening, which specific Japanese critical infrastructure is compromised already, and others. The rest is not garbage, but it’s not something, you know, it’s not very informative or actionable, at least for us. Now, I’d like to conclude with my last point. The worst-case scenario is the local registration hinders or undermines the international or global information sharing, which we have been doing for 10 or 20 years. Log4j is a very good example. There’s a common software library widely used everywhere, and this vulnerability was first identified by a Chinese researcher working for Alibaba’s subsidiary. They did a great job to identify the issue, and then also sharing it with Log4j developers immediately. But far from being praised or getting a reward, you know, they were summoned by the Chinese authority, and since then, there’s a chilling effect among the Chinese security researcher community. I do not expect they can, you know, they can share vulnerability information with, for example, JPCERT or other government agencies in the future. So, like we see data being localized, we also see vulnerability information being localized, and we’re in the middle of the process, and I don’t have, yeah, and I like to, you know, together with you, I’d like to explore how we can fix this issue and, you know, make sure vulnerability information is being shared among stakeholders who should be, or who should know. Thank you.
Louise Marie Hurel:
Thank you. Thank you very much, Koichiro. I think then we see a double entendre over there, because it’s, on the one hand, you know, the state, and we go back to, like, Regine and Pablo over here, where they were talking about, you know, as a state, we need to actually kind of develop, like, regulations and develop national policies, and we make sure that we have, you know, vulnerability disclosure, that we have kind of, like, procedures in place, and then, on the other hand, it’s kind of like, let’s think more carefully about, you know, what the procedures are and, you know, whether that actually hinders our communication channels that have been established, right? And I think, you know, we could see that it is not just the case of, let’s say, Log4j, but we could talk about, like, the NIS Directive. When all of these regulations come first, right, there’s always this process of adjusting in many ways, like, is the timing correct for expecting CERTs to report? Is it responsible? I mean, it’s an understanding of what CERTs are responsible to do, like, what’s their responsibility, but at the end, I mean, is it feasible or not? And I think we’re always trying to figure that out in one way or another. We have 10 minutes left, which I think it’s, like, thanks so much to my panelists for really sticking to the time, and I wanted to open the floor to all of you, whomever has any questions to the panelists. I definitely have lots of questions, and I imagine, hope you have also questions to each other, but I wanted to open up the conversation. Are there any questions from the audience or any kind of comments or anything? If we have government representatives in the room that would like to share also their views, that would be great, or are we just very tired because it’s the last day? Absolutely, go ahead.
John Hering:
I think co-signing a lot of the same concerns, and I would advise a lot of policymakers to start thinking about what the impact, especially to the security research community, is going to be of any policies you’re pursuing, because it’s not just some of the ones you were citing, but also, you know, the current negotiations around the Cyber Resilience Act in Europe, which would mandate reporting of, you know, non-exploited vulnerabilities to, you know, central government agencies, which are not in a position necessarily, then, to take action to fix that, and making sure that we’re reporting in a way that is prioritizing getting a fix and keeping customers and users secure, and also, just emphasizing your point that there’s then people who want to replicate that policy. You kind of create a race to the bottom where you have different imitators who are all sort of creating similar vulnerability reporting requirements, which may not be in the interest of actually the best product security and keeping the most sensitive data secure.
Louise Marie Hurel:
Great. Any other points from the audience? No. Everyone’s very tired. It’s the last day of the IGF. I get you. It’s overwhelming. I wanted to go back to Charlotte. Charlotte, if you’re still online, hopefully. Are you there? Yes, I’m here. Lovely. Charlotte, I wanted to follow up on, let’s say, this dimension of civil society organizations, right? I think it’s undeniable when we’re talking about, you know, state responsibility, when we’re talking about private sector responsibility, there’s an interesting spot, which is definitely the development of commercial hacking tools or spyware, which is often a very tricky topic, both for democracies and, let’s say, those in the spectrum and even authoritarian regimes. So, what kinds of accountability measures do we need to be setting in place to protect citizens from the misuse of those kinds of technologies? Thank you.
Eugene EG Tan:
It’s a great question, and there’s probably a very long answer, but I will try to keep it short in view of the time. Firstly, I think, so the use of commercial spyware surveillance tools, the associated lack of transparency, the consequences of its use and abuse on human rights and respect of laws. So, we see this as a growing and very lucrative market, and I think the issue of accountability, first, we have to look at as being a responsibility of all actors. Particularly, we also have to look at the focus on how do we get redress for victims? So, if their governments are able to hold accountable those who cause the violations of human rights, what’s the redress to victims? But if we look at some of the measures that need to be taken, and we’ve talked about this before on here, public attribution. So, you have to be able to identify the actor and build on and complement and reinforce findings of any technical analysis to achieve accountability. You have to be able to hold somebody accountable. So, attribution is going to be a very important aspect of this. Then, looking at legal action, we’ve seen some countries who have taken legal action now. So, formal investigations, and then if those investigations build enough evidence and cases to then be able to bring legal cases, which will then focus attention on who commissions, who’s financing and sanctioning such abusive use of surveillance technology, and that can support driving accountability. I think that we do, I think it’s important to look at, you know, states have a legal obligation to protect and promote human rights and hold those who violate them to account. So, you know, looking at state responsibility and how states are taking up this responsibility is important. And then, also looking at how do you operationalize accountability at the international level? And I think this is going, this is very important.
So, collectively, governments have to shape the political and normative environment related to spyware, and particularly where spyware is now being carried out as a service to and abusing human rights. So, that needs to have a coordinated response to ensure responsible state behavior at the international level and to promote accountability between states because, obviously, there’s a lot of cross-border issues that are critical here. So, states will have to act on their responsibilities in order to engage individually and collectively to bring perpetrators to and hold them accountable. But accountability also requires transparency, and I think that’s one of the very difficult things about this use of offensive surveillance software or spyware. And that’s something that has, there has to be a willingness to be much more transparent about what is today a very opaque market about the supply and the demand and the use. So, transparency is a really important step. And then, yes, as I say, I think there are a number of laws, norms that can be brought to, that can be invoked. And I think that’s going to be very important to look at where human rights of individuals have been breached, holding them to account, that can be under something like the International Covenant on Civil and Political Rights, the Covenant on Economic, Social, and Cultural Rights. So, there are a number of ways forward. I would just like to conclude by saying there is actually a collaboration ongoing between a number of civil society organizations at the moment, co-chaired by the Paris Call and the Cyber Peace Institute, where we’re working on a multi-stakeholder agreement for transparency around this spyware and cyber mercenaries market. And this, the first iteration of this will be brought to the Paris Peace Forum in November.
Louise Marie Hurel:
Wonderful. I see that you want to chip in.
John Hering:
Yeah, just two quick points also on accountability, because I saw a colleague earlier today who, on the other side of IGF, she was saying, oh my goodness, we’re having the exact same conversation on cybersecurity that we were having when I left cybersecurity five years ago. But I, like, want to assure folks that things are moving forward, and especially as it relates to accountability, you know, first on accountability via attribution statements. One thing that’s been really exciting over the past year, year and a half, has been to see governments start to, really for the first time, include norms violations explicitly in attribution statements that they’ve released publicly, which has been sort of the first innovation in a public attribution statement that I’ve seen in a while. And my jaw dropped when I saw it, so I hope yours can now too. And then the second piece has to do with the sort of, again, that innovation of the use of cyber operations in the context of an armed conflict. And we did see just probably six weeks ago now, the ICC prosecutor come out and say publicly that his office has a mandate to, and will be, investigating the potential of cyber-enabled war crimes for the first time, which when you think about what it would mean to uphold expectations for responsible behavior, both in the context of peacetime, but then really importantly in the context of warfare, that’s a really important innovation or, you know, evolution as well. So just one more thing to add.
Louise Marie Hurel:
Absolutely. Any of the other panelists would like to chime in or have a tweet of a last remark? No? I’ll trigger then Regine and Pablo very quickly if they want to respond to this. So I think in terms of the last point on thinking about transparency measures and accountability, over at the OEWG, there has been a lot of discussion as well as to whether to include actors like, you know, cyber mercenaries or include, you know, spyware as something that’s more explicitly defined or made recognizable in the emerging threats kind of discussion there. How can we evolve that particular kind of discussion? Is it ripe for inclusion or is it ripe for further kind of elaboration or discussion on, let’s say, these kinds of emerging threats right now over there? Because I know this was one of, let’s say, a key point of contention. So I don’t know if, like, again, a tweet from either Regine, if you’re still online, if you can hear us, or you, Pablo, putting in the last spot over there.
Pablo Castro:
So, Regine? No? Okay. It’s a good question. I think in my point of view, just maybe a personal point of view, when it comes to in our conversation and how to move on at the working group, you know, in different, you know, sections, it’s sometimes we have to be very careful about what exactly we want to put there because, you know, we have to agree by consensus. So that’s the point, you know, how you can start a conversation, discussion, and things with definitely things that could be important, you know, there. But the other point is, if we start some conversation, things are probably going to create maybe not the consensus we want. It’s going to make our conversation more difficult in the very end. So it’s a difficult balance. Now, it is true that, especially in the threats, you know, we were including, for example, artificial intelligence and new techniques, but I still want to be sometimes a little bit careful because we, especially in AI, for example, that we just start to maybe other conversations, other discussions, and I think it’s probably one of the challenges we have in emerging technologies, you know, where exactly we have to discuss one of the things or another. But it’s still up to the states, you know, to, in a way, to try to see how we can address this point. The cyber mercenary can be something really challenging. I used to be in charge of mercenaries years ago. It’s a concept that I’ve never seen before, but I think it’s something that, in a way, it is reflected, you know, the concern of some states. In that case, of course, it’s legitimate to discuss this in that forum because that is the place that we have right now to have this conversation. So, in a way, we cannot stop it, but, again, how can you see if we cannot not create this problem at the very end, especially at the end of Friday in the United Nations when everyone wants to really, I mean, go back home, let’s try to get this consensus. Thank you.
Louise Marie Hurel:
Thank you, and thanks for taking that last kind of, like, curveball over there. Well, I just wanted to thank you all for sticking over here. I think having a, you know, a slightly kind of full room at the end of the IGF is not trivial at all. I hope you can stay in touch. The Global Partnership for Responsible Cyber Behavior has its website where you can access more information on our members, our institutional partners, and please do get in touch if you want to get involved in doing research, and I’d like to thank my panelists, Regine and Charlotte, that are online. Thanks a lot, and thanks to all of you, and keep in touch.
Speakers
Charlotte Lindsey
Speech speed
182 words per minute
Speech length
687 words
Speech time
227 secs
Arguments
It’s important to build evidence and data-driven understandings of the harm inflicted by cyber attacks.
Supporting facts:
- The Cyber Peace Institute works to understand the impact and harms of cyber attacks.
- Importance of fostering more context-aware approaches to calculate harms and impacts.
Topics: Cyber Attacks, Data collection, Impact Analysis
Vulnerable communities like humanitarian, human rights and development organizations are increasingly being targeted by cyber attacks.
Supporting facts:
- The Cyber Peace Institute has built a humanitarian cybersecurity center and a cyber peace builders program to help these organizations respond and build their capabilities to prevent or respond to attacks.
Topics: Cyber Attacks, Vulnerable communities, Humanitarian Organizations, Human rights organizations
Policy implications should be considered after understanding the impact of cyber attacks on vulnerable communities.
Supporting facts:
- Understanding and lessons learned from data can be injected into policy discussions.
Topics: Cyber Attacks, Policy implications, Vulnerable Communities
Report
The Cyber Peace Institute is an organisation dedicated to studying the impact and harms caused by cyber attacks. They recognise the importance of having evidence and data-driven understandings of the harm inflicted by these attacks. They emphasise the need for a context-aware approach to accurately calculate the harms and impacts.
One of the main concerns highlighted by the institute is the increasing targeting of vulnerable communities, specifically humanitarian, human rights, and development organisations, by cyber attacks. To help these organisations respond and enhance their capabilities, the institute has established a humanitarian cybersecurity centre and a cyber peace builders programme.
This initiative aims to support these organisations in preventing and responding to cyber attacks effectively. Understanding the impacts of cyber attacks on vulnerable communities is crucial for policy-makers. The institute believes that lessons learned from data analysis can be injected into policy discussions to develop efficient strategies and measures to address the issue.
During the height of the pandemic, attacks on healthcare infrastructure became a significant concern. Critical healthcare infrastructure experienced an alarming increase in cyber attacks. In response, the Cyber Peace Institute collaborated with the government of the Czech Republic and Microsoft to develop a compendium of best practices aimed at protecting the healthcare sector from cyber harm.
This initiative provides guidance and recommendations for safeguarding healthcare facilities and systems from cyber threats and vulnerabilities. The institute also stresses the need for clear accountability for breaching cybersecurity laws and norms. They are actively monitoring 112 different threat actors related to the Ukraine and Russian conflict.
By holding these actors accountable, the institute aims to deter future cyber attacks and ensure a safer cyber environment. In conclusion, the Cyber Peace Institute’s work revolves around deepening the understanding of cyber attack impacts and harms. They actively support vulnerable communities through their humanitarian cybersecurity centre and cyber peace builders programme.
Their collaboration with the government and industry partners highlights the importance of protecting critical healthcare infrastructure from cyber threats. Additionally, the institute advocates for clear accountability to prevent future breaches of cybersecurity laws and norms. Overall, their efforts contribute to creating a more secure and peaceful digital space.
Eugene EG Tan
Speech speed
153 words per minute
Speech length
1285 words
Speech time
504 secs
Arguments
Eugene EG Tan finds the project exciting due to its wide consultation and intersectionality.
Supporting facts:
- The project allows for a broad perspective on cybersecurity, including states, industry, civil society, and academia.
- The diverse panel and wide global scale involvement aids in the richness of the project.
Topics: Global partnership, Research-led dialogue, Multi-stakeholder perspective
Eugene EG Tan believes that academic research in cybersecurity has been limited to individual regional studies and lacks common measurements for defining responsibility.
Supporting facts:
- Historically, academic research has focused on documenting state actions on individual or regional level.
- A need for a universal measure of responsibility is identified.
Topics: Academic Research, Cybersecurity
Controlling for all the cultural and contextual elements across the regions and states in a global study is a challenge
Supporting facts:
- Due to the broadness of a global study, it is challenging to control the cultural and contextual variables across different regions and states.
Topics: Cultural Differences, Contextual Differences, Global Study
It’s critical to figure out how additional measures to ensure responsible behavior can be implemented, which could benefit the entire community.
Supporting facts:
- Since responsibility is a nebulous concept without a universal measurement, it’s crucial to determine how to implement additional measures to mitigate irresponsible behavior.
Topics: Responsible Behavior
Eugene EG Tan emphasizes on the need for accountability and transparency in the use of commercial spyware
Supporting facts:
- There’s an associated lack of transparency around the use of commercial spyware
- There’s a demand for a systematic focus on how redress can be provided for victims
- A need exists for a coordinated response that shapes the political and normative environment related to spyware
- Importance of attribution in being able to hold someone accountable
Topics: accountability measures, transparency, commercial spyware
Report
This comprehensive analysis examines the viewpoints presented by Eugene EG Tan on various aspects of cybersecurity research and responsible behavior. Eugene expresses genuine excitement about a project that takes a broad perspective on cybersecurity, inclusive of diverse stakeholders such as states, industry, civil society, and academia.
He believes that the project’s wide consultation and intersectionality greatly contribute to the richness of insights generated. In terms of academic research in cybersecurity, Eugene argues that it has historically been limited to documenting state actions on an individual or regional level.
He identifies a critical need for the development of universal measures of responsibility that can be applied across different contexts. Eugene suggests that this lack of common measurement has impeded progress in defining responsibility in the field of cybersecurity. Furthermore, Eugene advocates for a collaborative and region-interactive approach within the academic community to enrich cybersecurity research.
He highlights that academics often tend to focus on individual contexts or specific topics, but funding opportunities are now emerging, enabling cross-regional interactions. By broadening the conversation and understanding different contexts, this inclusive approach can greatly enhance the overall quality of cybersecurity research.
Controlling for cultural and contextual variables across different regions and states in a global study proves to be a significant challenge. Eugene acknowledges the difficulty in establishing a baseline definition of responsible behavior when conducting research on such a broad scale.
To address this challenge, Eugene suggests that it would be reasonable to identify common aspects of responsible behavior while also acknowledging deviations from the norm. This approach would help establish a baseline definition of responsible behavior and provide valuable insights into how the concept of responsibility varies across different states or businesses.
Eugene also emphasizes the crucial importance of implementing additional measures to ensure responsible behavior in cybersecurity. He believes that it is of utmost importance to determine how these measures can be effectively implemented to mitigate irresponsible behavior, subsequently benefiting the entire cybersecurity community.
Accountability and transparency are highlighted as key concerns in the use of commercial spyware. Eugene points out the lack of transparency surrounding the utilization of such tools and the pressing demand for a systematic focus on providing redress for victims.
He argues for a coordinated response that effectively shapes the political and normative environment related to spyware. Furthermore, the ability to attribute responsibility becomes crucial in holding individuals accountable for their actions. Eugene also supports the notion of state responsibility in protecting human rights and holding violators accountable.
He emphasizes that states have a legal obligation to protect and promote human rights. Eugene fervently advocates for individual and collective action by states in bringing perpetrators of abuses, such as abusive surveillance technology, to account. He emphasizes the importance of relying on legal avenues, such as formal investigations and subsequent legal cases against the financiers and commissioners of abusive surveillance technology.
In conclusion, Eugene EG Tan highlights the need for a comprehensive perspective in cybersecurity research, the development of universal measures of responsibility, and a collaborative approach within the academic community. He emphasizes the challenges of controlling cultural and contextual variables in global studies, the critical importance of implementing additional measures to ensure responsible behavior, and the urgent need for accountability and transparency in the use of commercial spyware.
Furthermore, Eugene supports state responsibility in protecting human rights and holding violators accountable.
John Hering
Speech speed
213 words per minute
Speech length
1562 words
Speech time
440 secs
Arguments
Cybersecurity Tech Accord is a coalition of 168 tech companies from around the globe committed to foundational cybersecurity principles.
Supporting facts:
- The group started in 2018 with 34 companies and has grown to 168.
- The Accord is trying to give industry a voice on matters of peace and security online.
Topics: Cybersecurity, Private Sector, International Cooperation
There’s been a lot of interest in joining the Cybersecurity Tech Accord.
Supporting facts:
- There’s pressure from customers as cyberspace continues to emerge as a domain of conflict.
- Companies feel a need to make clear their stance on not weaponizing their products and services.
Topics: Cybersecurity, Private Sector
One of the challenges is getting companies with different capacities on the same page.
Supporting facts:
- Some companies are large multinational firms with resources to dedicate, others are not.
- UN processes on peace and security online were very foreign to many companies before joining the Cyber Security Tech Accord.
Topics: Cybersecurity, Private Sector, Collaboration
Tech Accord has encouraged companies to have coordinated vulnerability disclosure policies in place.
Supporting facts:
- They started this a few years ago.
- There are over 100 coordinated vulnerability disclosure policies from Tech Accord signatory base that are reviewable online.
Topics: Cybersecurity, Private Sector, Tech Accord
Microsoft has played a very forward-leaning role in the context of the war in Ukraine.
Supporting facts:
- Microsoft has hardened security for its customers in the region.
- Microsoft has responded to upwards of 10 different generations of wiper malware in the operations targeting Ukrainian data.
- Microsoft has done regular reporting on what they are seeing in the context of the war in Ukraine.
Topics: Microsoft, Ukraine War, Tech Accord
Microsoft focuses on three key areas as it relates to the conflict in Ukraine: hardening security, active defense, and regular reporting.
Supporting facts:
- Microsoft has done considerable work to migrate Ukrainian data into secure cloud environments.
- Microsoft has responded to multiple generations of wiper malware in the context of the Ukraine conflict.
- Microsoft has provided insights into the activities of broad threat actor groups and how they are aligned with a military campaign.
Topics: Microsoft, Conflict Response, Cyber Security, Ukraine War
John Hering suggests policymakers to carefully consider the impact of their regulations on the security research community
Supporting facts:
- Mention of current negotiations around the Cyber Resilience Act in Europe that would mandate reporting of non-exploited vulnerabilities to central government agencies
- Concern about multiple similar vulnerability reporting requirements that do not prioritize getting a fix and keeping customers and users secure
Topics: policymaking, cybersecurity, security research community
Accountability in cybersecurity is improving
Supporting facts:
- Government has started including norms violations in public attribution statements
- ICC prosecutor declared they would investigate potential cyber-enabled war crimes
Topics: Cybersecurity, Accountability, Government
Report
The Cybersecurity Tech Accord is a coalition of 168 tech companies from around the world committed to upholding foundational cybersecurity principles. It was established in 2018 with 34 companies and has grown quickly in size and influence. The primary objective of the accord is to give the tech industry a voice on matters of peace and security in the online realm.
One of the driving forces behind the growing interest in joining the Cybersecurity Tech Accord is the pressure from customers, as cyberspace has become an emerging domain of conflict. Companies feel the need to clarify their stance on not weaponising their products and services.
This pressure compels companies to actively participate in initiatives like the accord to demonstrate their commitment to cybersecurity principles. However, a challenge for the accord is getting companies with different capacities on the same page. While some are large multinational corporations with significant resources, others may not have the same level of resources.
Bridging this gap is an ongoing challenge. The accord advocates for coordinated vulnerability disclosure policies. It encourages companies to have these policies in place to address and disclose potential vulnerabilities in a timely and responsible manner. Over 100 coordinated vulnerability disclosure policies from the accord’s signatory base can be reviewed online.
Microsoft, a prominent member of the accord, has played a significant role in the context of the war in Ukraine. The company has prioritised strengthening security for its customers in the region and has responded to multiple generations of wiper malware used in operations targeting Ukrainian data.
Microsoft also actively reports its findings in the context of the conflict, providing insights into the activities of broad threat actor groups aligned with military campaigns. The importance of a robust multi-stakeholder coalition is highlighted, particularly in the context of hybrid warfare.
The accord, which includes both private sector companies and public agencies, can provide asymmetric benefits to defenders as hybrid warfare becomes a domain of conflict. The collaborative efforts of the Ukrainian CERT, which had the necessary authorisations and coordinated efforts effectively, have been crucial in thwarting cyber operations in the Ukraine conflict.
Policymakers are urged to carefully consider the impact of their regulations on the security research community. John Hering, a cybersecurity expert, raises concerns about potential negative consequences if regulations do not prioritise fixing vulnerabilities and ensuring customer and user security. Poorly considered policies may inadvertently compromise product security and data safety by creating a race to the bottom.
On a positive note, accountability in cybersecurity is improving. Governments are taking steps to include norms violations in public attribution statements, and the International Criminal Court (ICC) has declared its intention to investigate potential cyber-enabled war crimes. These developments demonstrate progress in holding actors accountable for their actions in the cyber realm.
Overall, the Cybersecurity Tech Accord has garnered significant support and interest from tech companies worldwide. Its commitment to foundational cybersecurity principles and efforts to give the industry a voice in online peace and security are noteworthy.
Challenges remain in bringing companies with different capacities together, but the focus on coordinated vulnerability disclosure policies and the active role of Microsoft in securing customer data in the Ukraine conflict show the practical impact of such collaborative initiatives. Policymakers must be cautious in crafting regulations that consider the impact on the security research community.
Nevertheless, positive strides in accountability in cybersecurity, with government actions and ICC involvement, indicate progress in creating a safer and more secure online environment.
Koichiro Komiyama
Speech speed: 111 words per minute
Speech length: 694 words
Speech time: 375 secs
Arguments
The role of CSERT has changed slightly
Supporting facts:
- In Japan, handling a cybersecurity incident involves sharing information with JP CERT or the National Cybersecurity Center
- The US Securities and Exchange Commission has introduced a new regulation requiring incident disclosure by US financial institutions
Topics: Cybersecurity, Incident Reporting, Regulations
Cyberspace is not as global as imagined
Supporting facts:
- Over 80% of JP CERT’s incident engagement involves the US and China
- Regulators often misunderstand that having more information leads to more accurate decisions
Topics: Internet Governance, Cyberspace
Report
The analysis reveals several important points regarding cybersecurity incident reporting and vulnerability information sharing. In Japan’s case, it is highlighted that sharing information with JP CERT (Japan Computer Emergency Response Team) or the National Cybersecurity Centre is crucial for effective incident handling.
On the other hand, the US Securities and Exchange Commission has introduced a new regulation that requires financial institutions to disclose any cybersecurity incidents they experience. However, it is noted that the role of CSERT has slightly changed. The specific details of this change are not provided, but it suggests that there may be some adjustments or updates in the way CSERT operates in handling cybersecurity incidents.
JP CERT, being a key player in incident reporting and response in Japan, receives around 20,000 incidents per year. This indicates the scale of the cybersecurity challenges faced by the country. Furthermore, JP CERT predominantly communicates with entities in the United States and China, indicating the importance of international cooperation in dealing with cybersecurity issues.
One of the supporting facts provided highlights a negative incident involving a Chinese security researcher. After identifying a vulnerability issue, the researcher promptly shared the information with Log4j developers. However, the researcher was subsequently summoned by Chinese authorities. This incident raises concerns about the potential hindrance to global information sharing and collaboration on cybersecurity matters.
The analysis also suggests that cyberspace is not as global as imagined, with over 80% of JP CERT’s incident engagements involving the US and China. This indicates that despite the interconnected nature of the internet, there are still significant gaps in global information sharing and cooperation in the realm of cybersecurity.
Another significant point raised is the localization of data and vulnerability information. This localization hinders global information sharing and collaboration, resulting in a chilling effect among Chinese security researchers. The introduction of regulations in China has had an impact on the willingness of researchers to share valuable vulnerability information due to potential legal repercussions.
The speakers argue that regulations should not hinder international information sharing and that vulnerability information should not be localized. They emphasize the importance of global cooperation and partnership in addressing cybersecurity challenges effectively. By overcoming barriers to information sharing and collaboration, the international community can collectively work towards a more secure cyberspace.
In conclusion, the analysis highlights the need for effective incident reporting and vulnerability information sharing in cybersecurity. It underscores the significance of international cooperation and the potential implications of regulations on global information sharing. The argument is made for regulations that foster collaboration rather than hinder it, ensuring that vulnerability information is not localized and that the global community can work together to address cybersecurity threats.
Louise Marie Hurel
Speech speed: 191 words per minute
Speech length: 4136 words
Speech time: 1300 secs
Arguments
The initiative aims to map practical understandings of responsible cyber behavior and how it is interpreted by different stakeholders.
Supporting facts:
- The focus of the global partnership is to understand what responsibility in cyberspace means in different contexts.
- The research project involves over 70 scholars and is looking at how states see responsibility in cyberspace.
Topics: Cyber behavior, Research, Global Partnership
Regine Grienberger emphasizes the need for capacity building and proper implementation of cyber norms as a way of strengthening the normative framework
Supporting facts:
- Germany has established a national attribution procedure to hold malicious actors accountable
- Regine stresses the importance of monitoring and sharing information on the implementation process
Topics: Cyber Security, State Behavior, Cyber Norms
Responsible state behavior in the digital realm can be internal (building capacities, national laws) and external (attribution and sanctions)
Supporting facts:
- The EU, in its diplomatic toolbox, has the instrument of sanctions to use in response to attribution
Topics: State Behavior, Cybersecurity, Attribution, Sanctions
The need for more attention and work towards coordinating cyber capacity building measures
Topics: Cybersecurity, Capacity Building
Responsible state behavior in cyberspace is important but challenging to implement.
Supporting facts:
- Chile started working on their national cybersecurity policy in 2017.
- Pablo Castro mentioned the importance of dialogue and collective response in the case of cyberattacks.
Topics: state behavior, cyberspace, policy development
There is a need for trust building and better interregional channels for advancing responsible cyber behavior.
Supporting facts:
- Hurel mentions the Point of Contact directory within the Confidence Building Measures at the Organisation of American States as an area for development.
Topics: trust building, interregional communication, cyber behavior
Hurel highlights the multidimensional aspect of cybersecurity which encompasses statecraft, private sector, and civil society engagement.
Supporting facts:
- She mentions the different aspects of responsibility involved; from state level, private sector involvement in conflict situations, to civil society organizations working in data collection and holding governments accountable.
- She refers to the work of the Cyber Peace Institute as an example of civil society investment in cybersecurity.
- She refers to an evolving understanding of the private sector’s role in conflict situations and their responsibility to contribute to the cybersecurity landscape.
- Hurel acknowledges the importance of data collection and the accountability of governments for the actions and spillovers of many of these cyber activities.
Topics: Cybersecurity, State responsibility, Private sector engagement, Civil society engagement
Louise believes in creating a common understanding of what constitutes responsible behavior in different states and regions.
Supporting facts:
- Identifying a common strand of responsible behavior in different societies would help in creating a universal definition of responsible behavior.
Topics: Responsible behavior, Cultural differences, Behavioral norms
She believes that understanding practical aspects of deviations in responsible behavior is important.
Supporting facts:
- The process of identifying practices leading to deviations in responsible behavior is part of their future work.
Topics: Practices, Deviations, Responsibility
Louise Marie Hurel highlights the nuanced implications of state regulations on cybersecurity.
Supporting facts:
- Louise underscored the need for state regulations to ensure vulnerability disclosures and having necessary procedures in place.
- However, she also voiced concerns about whether these regulations actually hinder communication channels that are already established.
- She referenced the restrictions brought on by the likes of the NIS directive and queried the feasibility of the roles and responsibilities ascribed to CERTs.
Topics: Regulations, Cybersecurity, National policies, Vulnerability disclosure
Report
The analysis explores various perspectives on responsible cyber behavior and the challenges associated with its implementation. It highlights the importance of understanding different interpretations of responsibility in cyberspace, especially in different contexts. The global partnership, which involves over 70 scholars, aims to map practical understandings of responsible cyber behavior and how it is interpreted by different stakeholders.
It emphasizes the need to give a voice to less dominant countries, as their interpretations of responsibility are often overshadowed by larger powers. In promoting responsible state behavior, capacity building and proper implementation of cyber norms are seen as crucial.
Germany, for example, has established a national attribution procedure to hold malicious actors accountable, while Regine Grienberger emphasizes the importance of monitoring and sharing information on the implementation process. However, it is also noted that attribution should be a political decision based on effect-based and responsible analysis, rather than an automatic step towards sanctions.
There is a growing desire for sanctions in response to malicious behavior, with the EU having the instrument of sanctions in its diplomatic toolkit. The analysis also stresses the involvement of other actors, such as the private sector, academia, and civil society, in promoting responsible cyber behavior.
Louise Marie Hurel argues for more space to be given to less dominant countries in the debate, including private sector companies like Microsoft. She also highlights the role of academia and research in the global cybersecurity landscape, emphasizing the need to connect researchers with the realities on the ground.
Hurel acknowledges the multifaceted aspect of cybersecurity, which encompasses statecraft, private sector involvement in conflict situations, and civil society engagement. Trust-building and better interregional channels are also deemed essential for advancing responsible cyber behavior. Hurel mentions the Point of Contact directory within the Confidence Building Measures at the Organization of American States as an area for development.
Furthermore, the analysis highlights the importance of creating a common understanding of responsible behavior in different states and regions, as well as identifying deviating elements in norms across different states to better understand variations in perceptions of responsibility. The analysis also explores the nuanced implications of state regulations on cybersecurity.
While regulations are necessary to ensure vulnerability disclosures and establish necessary procedures, there are concerns about whether these regulations hinder communication channels that are already established. Hurel advocates for careful contemplation and assessment when developing regulations to ensure effective communication channels and feasible job roles.
In conclusion, the analysis underscores the need for understanding different interpretations of responsibility in cyberspace, providing a voice to less dominant countries, capacity building, proper implementation of cyber norms, the role of sanctions and attribution in promoting responsible state behavior, the involvement of the private sector, academia, and civil society, trust-building and interregional communication, and the nuanced implications of state regulations on cybersecurity.
It highlights the multifaceted aspect of cybersecurity and the importance of research and academia in connecting with real-world issues. The significance of creating a common understanding of responsible behavior and identifying variations in norms across different states is also emphasized.
Pablo Castro
Speech speed: 198 words per minute
Speech length: 1589 words
Speech time: 482 secs
Arguments
Promotion of international norms and application of international law in cyberspace is a crucial part of Chile’s new national cybersecurity policy
Supporting facts:
- Chile started working on cybersecurity in 2017 and set up principles respecting human rights and international law
- Chile’s cyberdefense policy released in 2018 mentioned that cyber operations will be conducted under respect of international law and human rights
- New national cybersecurity policy, which is ready for release, has a commitment to promoting international norms and law in cyberspace
Topics: Chile, Cybersecurity, International Law
Attribution is a challenge in Latin America that needs more discussion
Supporting facts:
- In Latin America, there’s not much discussion about who is responsible for cyber attacks
- Governments have to decide if it’s beneficial to publicly attribute an attack to a foreign power
Topics: Latin America, Attribution, Cybersecurity
Capacity building and international cooperation in cybersecurity are important for Latin America
Supporting facts:
- There has been training in international law application in cybersecurity with the help of US
- There’s a lack of national cybersecurity agencies in charge, with governance often falling under committees
- Access to training courses, thanks to states like Canada, US, Estonia, UK, is helping in capacity building
Topics: Latin America, Capacity Building, Cybersecurity
Pablo Castro supports discussions in the working group regarding emerging threats and technologies like artificial intelligence and cyber mercenaries
Supporting facts:
- He acknowledges the importance of these discussions
- He used to be in charge of a related area (mercenaries) years ago
Topics: Emerging technologies, United Nations working groups, Artificial Intelligence, Cyber mercenaries
Report
Chile’s new national cybersecurity policy places a strong emphasis on promoting international norms and applying international law in cyberspace. This commitment is vital for achieving the goals outlined in SDG 9 (Industry, Innovation and Infrastructure) and SDG 16 (Peace and Justice). The policy reflects Chile’s dedication to upholding principles that respect human rights and international law in cybersecurity operations.
Chile began working on cybersecurity in 2017 and released its cyberdefense policy in 2018, which stated that cyber operations would be conducted with respect for international law and human rights. The upcoming national cybersecurity policy reaffirms Chile’s commitment to promoting international norms and law in cyberspace.
In Latin America, there is a need for further discussion on attribution in cyber attacks. Unlike other regions, there is little dialogue about responsibility for cyber attacks. Governments in Latin America must decide whether publicly attributing an attack to a foreign power is beneficial. This highlights the need for comprehensive conversations and analysis on attribution in the region.
Capacity building and international cooperation are crucial for cybersecurity in Latin America. A lack of national cybersecurity agencies is often seen, with governance falling under committees. However, training courses offered by countries such as the US, Canada, Estonia, and the UK are helping enhance capacity building efforts. These courses focus on applying international law in cybersecurity and play a critical role in equipping Latin American countries with the necessary skills and knowledge to combat cyber threats effectively.
It is stressed that Chile needs to develop a national position on international law in cyberspace. The new cybersecurity policy mandates the establishment of this position. Defining Chile’s stance and approach towards international law in cyberspace is essential to ensure consistency and effectiveness in its cybersecurity efforts.
Regarding cyber attack response, a collective approach in the region is recommended as an effective way to express condemnation without attributing the attack directly to a specific actor. This approach allows for a unified stance against cyber attacks, maintaining diplomatic relations and avoiding unnecessary conflicts.
Pablo Castro, an expert in cybersecurity and related areas, supports discussions taking place in United Nations working groups on emerging threats and technologies such as artificial intelligence and cyber mercenaries. His previous experience in dealing with these issues, particularly in the field of cyber mercenaries, further underscores the importance of these discussions. However, caution is expressed regarding potential difficulties and disagreements in reaching a consensus within the working group. Maintaining a good working relationship among members is prioritised to ensure the effectiveness of the discussions.
In conclusion, Chile’s new national cybersecurity policy highlights the importance of promoting international norms and applying international law in cyberspace. This commitment aligns with the goals of SDG 9 and SDG 16, aiming to foster innovation, ensure infrastructure security, and promote peace and justice. Latin America faces challenges in attributing cyber attacks and requires further discussion. Capacity building and international cooperation are crucial for the region, with training opportunities provided by the US, Canada, Estonia, and the UK.
Chile is encouraged to develop a national position on international law in cyberspace to enhance consistency and effectiveness. Furthermore, a collective response to cyber attacks in the region is recommended to express condemnation without directly attributing the attack to a specific actor.
Discussions in the United Nations working groups, supported by Pablo Castro, are of vital importance in addressing emerging threats and technologies, while maintaining a good working relationship within the group.
Regine Grienberger
Speech speed: 154 words per minute
Speech length: 780 words
Speech time: 305 secs
Arguments
Germany is committed to strengthening the normative framework of cyber behavior through implementation, monitoring, capacity building and attribution
Supporting facts:
- Germany is working on national legislation aligned with the EU directive to protect critical infrastructure
- Germany is considering documenting progress in implementing cyber norms for transparency and to share best practices
- Germany has established a national attribution procedure coordinated by the Foreign Ministry
Topics: Cyber Norms, National Law, Critical infrastructure protection, Capacity Building, Attribution, Sanctions
Report
Germany is actively taking steps to strengthen the normative framework for cyber behaviour. It is dedicated to implementing and monitoring cyber norms, building capacity, and attributing cyber incidents. To protect critical infrastructure, Germany is developing national legislation in alignment with the EU directive. This signifies its commitment to safeguarding essential systems and services from cyber threats.
In order to promote transparency and the sharing of best practices, Germany intends to document its progress in implementing cyber norms. By doing so, they hope to contribute to an international dialogue on cybersecurity and encourage other nations to adopt similar measures.
Germany has also established a national attribution procedure, which is coordinated by the Foreign Ministry. This procedure involves conducting comprehensive analyses and making informed political judgments regarding cyber incidents. By attributing cyber attacks, Germany aims to hold perpetrators accountable and deter future malicious activities.
Moreover, Germany recognises the importance of attributing cyber incidents as an essential practice. They believe that it is both achievable and necessary to respond effectively. Germany’s attribution procedure involves extensive analysis and political judgment, demonstrating their commitment to accurately identify and assign responsibility for cyber attacks.
Furthermore, within the context of the European Union diplomatic toolbox, sanctions are considered an instrument for responding to cyber incidents. This highlights Germany’s support for using sanctions as a means to deter and punish those responsible for cyber attacks. By leveraging sanctions, the EU aims to send a strong message that cyber aggression will not be tolerated.
In conclusion, Germany is actively working towards strengthening the normative framework of cyber behaviour through various means. Their efforts include developing national legislation, establishing a national attribution procedure, documenting progress in implementing cyber norms, and supporting the use of sanctions as a response to cyber incidents.
These initiatives showcase Germany’s commitment to promoting cybersecurity, accountability, and international cooperation in tackling cyber threats.