BPF: CYBERSECURITY

Wim Degezelle

The Best Practice Forum on cybersecurity is an integral part of the Internet Governance Forum (IGF) and brings together volunteers to collaborate on specific topics related to cybersecurity. This forum consistently emphasizes the importance of norms in addressing cybersecurity incidents and explores their development, operationalization, and impact.

In 2018, the forum delved into the concept of norms, their definition, development process, and their relationship with cybersecurity. Subsequent discussions focused on how these norms are put into practice, providing a deeper understanding of their effectiveness.

An experiment conducted within the forum aimed to retrospectively analyze the impact of norms on past cybersecurity incidents. The findings highlighted the value of listening to the experiences of individuals affected by cybersecurity events, allowing for a more nuanced understanding of these incidents and a comprehensive assessment of the impact of norms.

Story banking is another important aspect emphasized by the forum, which involves documenting and archiving narratives of cybersecurity incidents. This practice provides valuable insights into the challenges and potential solutions in the realm of cybersecurity.

The Best Practice Forum on cybersecurity also expressed appreciation for the contributions of its team members, participants, and experts. Recognition was given to Ian Bonana and colleagues, as well as the Members of the Multistakeholder Advisory Group (MAG), who supported the forum throughout its activities. The invaluable work of numerous volunteers involved in online discussions and task completion was acknowledged. The forum also extended gratitude to co-facilitators and lead experts for their dedication and expertise.

In summary, the Best Practice Forum on cybersecurity within the Internet Governance Forum allows volunteers to collaborate on specific cybersecurity topics. It consistently highlights the importance of norms in addressing cybersecurity incidents and explores their development, operationalization, and impact. The forum also emphasizes the significance of story banking in understanding cybersecurity events and expresses gratitude for the contributions of its team members, participants, and experts.

Audience

In the discussion, speakers highlighted several critical points regarding the enforcement of international law after cyber incidents and the challenges faced in cybersecurity. The uncertainty surrounding the enforcement of international law after a cyber incident was a major concern. Francisco Libardia, a diplomat from Panama, questioned how effective enforcement can be achieved in such cases. This uncertainty calls for the establishment of legal mechanisms to hold cyber attackers accountable and claim compensation. The experiences of Costa Rica and Vanuatu in handling cyber attacks were compared to the pre-UNCLOS period, where there was no forum or legal mechanism to claim damages in cases of maritime disputes.

Attribution was identified as a significant challenge in cybercrime. Before raising a case, there is a crucial need to establish the ‘who’, ‘what’, ‘when’, and ‘how’ of an attack. It was emphasized that a universally recognized forensic process for collecting evidence is necessary to address this challenge effectively.

Transparency in state-level cyberattack attributions was a concern raised during the discussion. States often attribute cyberattacks to other states without sharing evidence, raising questions about the accuracy and accountability of such attributions.

The lack of collaboration between international cybersecurity companies and nations was another issue highlighted. This lack of collaboration often arises from diplomatic tensions and poses difficulties in effectively addressing cybersecurity threats. Some nations and large cyber companies are not collaborating with the international system of cybersecurity or the international criminal system.

The discussion also emphasized the need to address the security concerns of Global South countries, minorities, and government hacking. Security debates and policies often focus on the Global North, neglecting the unique security concerns faced by the Global South. The case of government hacking, such as the Pegasus case, was cited as a significant concern that requires appropriate policies to address.

The importance of citizens being well-equipped to protect themselves against cybercrimes was emphasized. Elaine Liu from Singapore highlighted the need for cybersecurity best practices at the individual level. Additionally, concerns were raised about excessive data collection in retail and job applications, which increases the risks of exposure to cybercrimes.

Stronger penalties for cybercrimes were also discussed. It was suggested that transparent penalties should be established to deter misbehavior in cyberspace.

The speakers and audience acknowledged the significant issues surrounding tech-based abuse, cyber-enabled trafficking, and child sexual abuse material (CSAM). Urgent attention and effective countermeasures are required to address these issues.

Collaboration, resource sharing, and avoiding duplication of efforts were emphasized as crucial in the fight against cybersecurity threats. Greater collaboration and resource sharing among stakeholders would enhance the impact and effectiveness of cybersecurity initiatives.

In conclusion, the discussion highlighted various challenges and concerns related to cybersecurity and the enforcement of international law after cyber incidents. The need for legal mechanisms, attribution processes, transparency, collaboration, and policies addressing security concerns of the Global South, minorities, and government hacking were emphasized. The importance of citizens’ awareness and protection, data privacy, and stronger penalties for cybercrimes were also highlighted. The speakers and audience stressed the importance of collaboration, resource sharing, and avoiding duplication of efforts to maximize the impact of cybersecurity initiatives.

Kivuva Mwendwa

During the discussion, several key points were raised by the speakers. Kik Danet, a cybersecurity organisation, has been actively involved in a cyber non-project since 2018. Their focus has been on policy advocacy, multi-stakeholder convening, capacity building, and research. This indicates their commitment to addressing cybersecurity challenges through various activities.

Kenya faced a serious Distributed Denial of Service (DDoS) attack carried out by an organisation called Anonymous Sudan. This attack had a detrimental impact on key installations such as M-Pesa, a critical mobile payment infrastructure, and Huduma, a government service platform. The severity of this attack highlights the need to strengthen cybersecurity measures to prevent similar incidents in the future.

The importance of strong coordination between security organisations at the international level was emphasised to effectively handle cyber attacks. Even advanced countries and corporations struggle to handle DDoS attacks, which are frequently coordinated by malicious actors using botnets and cloud infrastructure. This highlights the complexity and evolving nature of cyber threats, necessitating collaborative efforts to combat them.

The involvement of civil society in the Computer Emergency Response Team (CERT) was highlighted as an important aspect of cybersecurity. Civil society plays a vital role in representing the interests of CERT and focuses on capacity building and promoting citizen cyber hygiene. They have created informational content to educate people about cyber threats and have established a campaign called STICK (Stop, Think, and Check before you Act) to raise awareness. The training of around 140 trainers for wider distribution of information down to the village level further demonstrates the commitment to promoting cybersecurity at the grassroots level.

The speakers also highlighted the significant threat posed by social engineering in Kenya, particularly in relation to mobile banking. Criminals exploit vulnerable individuals through misinformation, leading to financial losses. Additionally, insider information leaks within telecommunication companies and banks contribute to the increasing cyber threat. To address this, a successful Citizen Cyber Hygiene campaign was conducted, reaching approximately 3 million beneficiaries. Trainers were also trained to distribute information at the village level, further emphasising the importance of educating people to mitigate cyber risks.

The slow progress of legislation and poor diplomatic relations were identified as hindrances to collaboration in global cybersecurity. The speakers highlighted how these factors impede effective cooperation between countries and hinder the sharing of knowledge and resources necessary to combat cyber threats collectively.

The need for more collaboration within the international system of cybersecurity was emphasised, particularly with big cyber companies. Strengthening partnerships and collaboration can enhance the collective effort to address cybersecurity challenges globally.

Edward Snowden’s exile after revealing massive surveillance practices served as a reminder that more powerful countries can push their own agendas while weaker countries feel helpless. This power dynamic underscores the need for international mechanisms, such as the UN Security Council, to address cybersecurity issues. Surveillance and power abuse by advanced states were highlighted as concerns that should be discussed at this level.

The collaboration with new parliaments in Kenya to encourage roundtables and the formation of IT committees was viewed positively. This collaboration can lead to better policies and regulations in the field of cybersecurity.

In handling cyber terrorism, international support plays a crucial role. The challenges faced by Kenya in combating cyber terrorism, particularly in northern regions, were discussed. International support, coupled with the establishment of a security committee in parliament and penalties for data breaching, demonstrates the commitment to addressing cybersecurity threats comprehensively.

Moreover, the importance of data minimisation and compliance with the General Data Protection Regulation (GDPR) was discussed. Countries, including Kenya, have enacted data protection laws and appointed data protection commissioners to ensure the privacy and security of citizens’ data.

In conclusion, the speakers provided valuable insights into the current state of cybersecurity in Kenya. They emphasised the importance of policy advocacy, capacity building, and multi-stakeholder collaboration to address cyber threats effectively. The challenges posed by DDoS attacks, social engineering, and power dynamics in international relations were acknowledged, highlighting the need for strong coordination and international cooperation. The involvement of civil society in cybersecurity initiatives, collaboration with new parliaments, international support to combat cyberterrorism, and compliance with data protection regulations were all highlighted as positive developments. To strengthen cybersecurity measures, it is essential to address existing challenges and continue fostering collaboration at various levels.

Speaker

The Best Practice Forum on cyber security is highlighted as highly significant and valuable. It has produced an important output document, showcasing its role in promoting best practices and knowledge sharing in the field. This demonstrates the forum’s effectiveness in generating tangible outcomes.

The speaker expresses appreciation to the team members, acknowledging their pivotal role in the successful initiative. Specific gratitude is extended to the lead expert team, consultants, and volunteers, emphasizing their contributions. The document acknowledges their names, underscoring their key involvement in its creation. This appreciation highlights the importance of collaboration and teamwork in achieving successful outcomes.

Furthermore, it is mentioned that a presentation is about to start, although no further details are provided. This indicates an upcoming session where participants can share information and insights on a particular topic.

In summary, the Best Practice Forum on cyber security is considered highly significant, with a focus on knowledge sharing and the production of valuable output documents. The recognition and appreciation shown towards the team members emphasize their essential role in the success of the initiative. The mention of an upcoming presentation suggests a platform for further discussion and sharing of insights on a specific topic.

Klée Aiken

The Best Practice Forum (BPF) on Cybersecurity for 2021 focuses on examining the human impacts of cybersecurity incidents and their relationship to international norms and principles. The incidents being investigated span from 2020, such as the Solar Winds incident, to incidents that occurred in 2022 and 2023. These incidents have had diverse effects on different types of economies across the world.

Partnerships between governments and the private sector have been essential in responding to and recovering from cybersecurity incidents. Their collaborative efforts have proven instrumental in mitigating the impact of these incidents. Moreover, previous capacity-building activities have also played a crucial role in facilitating effective responses to the incidents.

The incidents studied have revealed several common themes. These include the importance of respecting human rights, promoting international state cooperation on security, and enhancing efforts in crime and terrorism prevention. Additionally, there is a recognition of the need for robust reporting mechanisms to identify and address ICT vulnerabilities.

One significant finding is that cybersecurity incidents can amplify existing societal dynamics. For example, in Fiji, an incident involving a COVID-19 app coincided with the spread of misinformation about vaccines. Similarly, in Samoa, a ransomware attack that occurred after a contentious election fueled rumors and speculation about the government’s integrity. These incidents highlight the potential for cybersecurity incidents to exacerbate societal challenges and contribute to the spread of misinformation.

While the negative consequences of cybersecurity incidents are evident, they can also serve as catalysts for policy and capacity-building responses. Following some of the incidents reviewed, various agreements, declarations, and the establishment of response boards have been observed. This demonstrates that incidents can stimulate proactive measures to enhance cybersecurity practices and develop capacity in this critical domain.

The importance of considering the human impact in cybersecurity tasks and practices is emphasized. The human angle must be integrated into auditing and evaluation processes, ensuring that the potential effects on individuals and communities are carefully assessed and addressed. This human-centric approach to cybersecurity is essential for effective risk management and resilience.

Moreover, the significance of incorporating a human angle is not only limited to cybersecurity practices but extends to the policy space and ICT auditing as well. By recognizing the importance of the human factor, policies can be designed and implemented with a focus on addressing the needs and values of individuals involved.

Partnerships are considered indispensable in cybersecurity. Given the vast and complex nature of the field, it is virtually impossible for any entity to secure everything alone. Collaborating with partners allows for a more comprehensive approach to cybersecurity, leveraging diverse expertise and resources.

Finally, the dynamic of requests for assistance from international partners is explored. The forum acknowledges the need to engage and cooperate with international partners, facilitating the exchange of knowledge, experiences, and support in addressing cybersecurity challenges collectively.

Overall, the BPF on Cybersecurity highlights the human impacts of cybersecurity incidents, the significance of international norms and principles, the role of partnerships, and the need for a human-centric approach. By integrating these aspects, stakeholders can work towards strengthening cybersecurity practices, enhancing resilience, and promoting a secure digital ecosystem.

Dino Cataldo Dell’Accio

Dino emphasises the importance of considering the role of the Supreme National Audit Institution when assessing the impact of cybersecurity incidents. He highlights the valuable contribution auditors make in developing recommendations for effectively responding to such incidents. However, he acknowledges the challenge of integrating operational-level recommendations with principles like the UN norms of responsible behaviour.

Auditors adopt a risk-based auditing approach, which involves assessing the human impact of cybersecurity threats. Dino emphasises that people should be the ultimate priority in the ICT and IT auditing profession. This means placing a higher emphasis on addressing the needs and well-being of individuals affected by cyber attacks.

The challenge of attributing cyber attacks is also discussed. Dell’Accio shares a personal experience of collaborating with the FBI and the hosting country to address a ransomware attack. He advocates for the development of forensic principles to guide the process of evidence collection, as the lack of agreed-upon principles hinders effective attribution of cyber attacks.

Efforts to counter cyberattacks require both top-down and bottom-up approaches. Global consensus at a high level, through resolutions, treaties, and agreements, is crucial. Equally important is the agreement among practitioners responsible for day-to-day operations on standards and technical procedures.

Balancing the responsible sharing of information about cyber attacks presents a challenge. Fear, responsibilities, and accountability hinder disclosure of information. There are technologies available that allow the provision of certain information without revealing sensitive details about its origin.

Risk analysis plays a vital role in addressing cybersecurity threats. Dino emphasises the need for a comprehensive list of criteria at the beginning of the process to improve risk assessment. Feedback from work on norms informs and refines the criteria for risk analysis.

The report on the impact of cybersecurity events on global citizens exemplifies a comprehensive risk approach. It evaluates the effects of such incidents on individuals worldwide and feeds the results into the risk analysis process.

Dino agrees with Louise’s concentric circle model, which likely provides a structured framework for policy-making. However, no specific supporting facts or arguments are provided for this point.

Data oversharing is highlighted as an issue, particularly in online services. The experience of designing and implementing a digital identity solution for the United Nations Pension Fund reveals the risks associated with excessive sharing of personal data. Dino supports the practice of data minimisation and selective disclosure as measures to reduce the risks of data oversharing.

In conclusion, Dino’s insights highlight the need to consider the role of auditors, the challenges of convergence between operational recommendations and norms, the importance of addressing the human impact of cyber threats, the challenges of attributing cyber attacks, the need for global consensus and standardisation, the balancing of information sharing, the significance of comprehensive risk analysis, and the importance of data minimisation and selective disclosure.

(Note: I have corrected grammatical errors, sentence formation issues, typos, missing details, and corrected UK spelling and grammar. I have also tried to incorporate long-tail keywords without compromising the quality of the summary.

Susan Garai

This extended summary discusses the importance of considering the human impact of cybersecurity incidents, highlighting a specific incident in Vanuatu where a cyber ransomware attack had devastating consequences for the people. It emphasizes the need to foster resilience and regional collaboration to effectively combat such issues.

The incident in Vanuatu had a deep impact on the lives of the people, as the cyber ransomware attack caused the breakdown of systems. This incident serves as a reminder that cybersecurity incidents have far-reaching consequences beyond just the technological aspects. Therefore, it is crucial to take into account the well-being of individuals when addressing cyber threats.

To tackle these challenges, the development of resilience and regional collaboration is essential. Small island nations like Vanuatu are now collaborating with neighboring countries to enhance their cybersecurity measures and become more resilient against such threats. This collaboration enables them to share resources, expertise, and strategies to effectively respond to and mitigate cyber security incidents.

It is important for governments, organizations, and companies to recognize and address the human impact of cyber security incidents. Individuals are affected emotionally, psychologically, and socially when their personal data is compromised or their systems are attacked. By prioritising the well-being of individuals, decision-makers can develop more holistic solutions to cyber security issues.

Collaborations within the Pacific region play a vital role in addressing cyber threats effectively. The Pacific region has different stages of development when it comes to cyber security. Therefore, partnerships and cooperation among countries within the region are necessary to share knowledge, resources, and best practices. Conferences and meetings, such as the P4C conference in Fiji and the Paxson annual meeting in Vanuatu, foster these collaborations and enable participants to exchange experiences and strengthen their collective cyber security efforts.

Furthermore, it is essential for countries in the Pacific region to continue strengthening their relationships with global partners. By leveraging global partnerships, countries can better prepare for future cyber security incidents. Each country in the region has unique challenges and strengths in cyber security, and by enhancing understanding and fostering partnerships, they can collectively enhance their resilience to cyber security threats. Regional symposiums and meetings serve as platforms for knowledge exchange and collaboration, contributing to the overall preparedness of the region.

The establishment of legal frameworks at a regional level is seen as a practical approach. Developing international laws and frameworks that all countries agree upon can be challenging. However, countries in a specific region can agree on a regional legal framework as a benchmark for addressing cyber security issues. This approach ensures that regional needs and nuances are taken into consideration while providing a guideline for addressing cyber threats.

The importance of trust and effective communication during cyber incidents cannot be overstated. Incidents shared by CERT Vanuatu, CERT Tonga, and PNG Sur highlight the significance of mutual trust and effective communication among stakeholders during cyber security incidents. By maintaining open lines of communication and building trust among different entities, the response to cyber incidents can be coordinated more efficiently and effectively.

Strategic collaboration and cooperation are crucial in addressing cyber security issues. Going solo is not an option, and examples from Kenya and Africa’s capability in this regard are mentioned. The complexity and scale of cyber threats require collective efforts that bring together different stakeholders, including governments, organizations, and individuals. By working together strategically, they can pool resources, expertise, and knowledge to better respond to and mitigate cyber security incidents.

Efforts should be made to utilize cyber security resources effectively and avoid duplication. Platforms like the Pacific Hub, GFCE, and GC3B are already in place to facilitate resource management and coordination in cyber security. Organizing events such as the forthcoming event in Ghana, which aims to identify cyber capacity-building gaps, demonstrates the commitment of stakeholders to ensuring that resources are utilized efficiently and effectively in addressing cyber security challenges.

In conclusion, it is important to consider the human impact of cyber security incidents and foster resilience and regional collaboration to effectively combat such threats. Governments, organizations, and companies must prioritize the well-being of individuals and take into account the emotional and social consequences of cyber attacks. Collaborations within the Pacific region and partnerships with global entities are essential for sharing knowledge, resources, and best practices. The establishment of regional legal frameworks, trust, effective communication, and strategic collaboration are crucial elements in addressing cyber security challenges. Efforts should be made to utilize cyber security resources effectively and avoid duplication to enhance the overall response to cyber threats.

Louise Marie Hurel

Ransomware attacks pose a significant threat to countries across the development spectrum, but especially to developing nations. These attacks encrypt data and demand ransom payments, causing severe disruptions and financial losses. Understanding the motivation, funding sources, and impact of ransomware groups is crucial in effectively countering them. Proactive monitoring and response are essential to mitigate the impact of attacks, while internal coordination within a country’s cybersecurity sector plays a vital role in crisis response. Trust and previous engagement between countries are key to successful cybersecurity assistance, and transparency around international law is crucial for establishing norms. Balancing the prohibition of ransom payments with government support for victims is important, and developing countries face unique challenges in acquiring cyber capabilities. Information sharing and monitoring activities contribute to sustainable impact, while policy-making for cybersecurity in the global south should consider different concentric circles. Capacity building efforts should involve South-South, North-South, and triangular cooperation. The Best Practice Forum (BPF) in cybersecurity is highly praised for its contributions to improving strategies and policies in the field.

Speaker:
Ladies and gentlemen, welcome to this session of the best practice forum on cyber security. This session holds significant importance to us due to its relevance and the valuable output document produced. We are fully aware of your anticipation for this session, so before we are starting, I would like to take this opportunity to extend my heartfelt appreciation to all the members of the team who have generously dedicated their time and expertise to the BPF. As a member, we would like to say thanks to those who have participated. This includes our lead expert team, our consultant experts, as well as the dedicated volunteers in each working group whose names are acknowledged in the document. Your unwavering commitment and valuable contributions have played a crucial role in the success of this initiative. The IGF is sincerely grateful for your efforts. That being said, we would like to hand over now the floor to Wim to start the presentation. Thank you very much.

Wim Degezelle:
Thank you, Jan-Bernardo, for these opening words and welcome also on my behalf. I’m Wim Deggezelle. Actually, I’m working as a consultant with the IGF Secretariat supporting this best practice forum, so I had the pleasure to work with both the MAG members and the team of volunteers and the people that actually did all the work to bring you this report. I was asked to give this short introduction to just picture or position the best practice forum to give a little bit of background of what best practice forums actually are and what the BPF on cybersecurity has been doing in the previous years because it is a nice trajectory between and the linkage between the work in the previous years and what will be discussed and what has been done this year. So the best practice forum is a format, is an intersessional activity of the IGF. That means it is an initiative taken by the MAG that is then run in the months ahead of an IGF meeting, giving the opportunity to people from the community following the idea of an open and bottom-up model of discussions to come together and work on a very specific topic. In this case, cybersecurity. It allows, like I said, different volunteers to work together, to come together, and that helps that they come to an IGF meeting with some preparations, with a draft document that has been prepared and do some more research and background discussions or preparatory discussions, and that helps to also compile a nice output that is part of the overall output of this year’s IGF meeting. Like I said, there has been a best practice forum that focused on cybersecurity topics for the last couple of years, but every time a different focus or a different team. However, there is before. This is the first night. This is the first time we come up. And this is some link between the last three, four years of the BPF cyber security as there has been one consistency that one way or another we’re linked to the idea of norms and cybersecurity norms. And we’re not just talking about the last three years of the BPF, but the last three years of the BPF. And this is a very long time ago. So this was a Berlin IGF that is the last IGF before we had the COVID. So I leave it to you if that’s a very long time ago or is it fresh in your memory. But in the year 2018, the best practice forum asked actually the question, what are norms? And how are norms developed? And what are the consequences of norms being developed? And what is the context of cybersecurity and what are cyber norms? To then the following year, look into how norms have been or are operationalized. And also have a discussion on how important it actually is to involve stakeholders in the development, but also in the operationalization of norms. So this is a very long time ago, but it’s a very long time ago, and it’s a very long time ago. And it’s also for the IGF in general, a very interesting experiment, because part of the best practice forum was dedicated to look explicitly outside of this arena, and outside of the Internet-related discussions, and look how norms and what kind of norms exist outside cybersecurity, and outside the cyber norm. And then, two years ago, I think, we had a discussion on the best practice forum, and we had a discussion on the best practice forum, and we had a discussion on the importance of cyber norms in the context of diplomacy, in the nuclear area, of also in the banking and foreign investments. With the question, what can actually be learned when you talk, what best practices, what practices can be useful when you look at cyber norms? And then, two years ago, I think it’s also important to look at what is the value of those norms? And the team of the group working that year actually did a kind of experiment. They wanted to look at cybersecurity incidents, historical incidents, and see if norms that have been created later actually would have made a difference, if they would have been helpful, or if that wouldn’t have made a difference. So, that was an interesting discussion, and I think it’s directly linked to the discussion we will have today. And, last year, also very much linked, I think, to today’s discussion, the best practice forum worked on the idea of story banking, looked into different examples of story banking, and came up with the conclusion that it is important to listen to the experiences of people, and to listen to the experiences of people that have been involved in addressing cybersecurity events, or have been impacted by them, and that is a very important part of the discussion. Listening to their stories can be very interesting or can deliver rich information or also a lot of nuance. And that’s, I think, especially the last two years, feed directly into or form directly a basis for this year’s work. But I will let Clay explain that to you in a minute. I really wanted to give this overview of the work the Best Practice Forum has been doing in the last couple of years because there are documents, each of the years produced an output document. And these documents are still are available on the IGF website. So if you’re interested, I would say please go to the go to the web page and you can find there what has been discussed in the in the previous years. So I will hand over in a minute to Clay to start actually today’s program and to discuss what has been done this year. But before doing that, I really would like to thank a number of people. First of all, Ian Bonana and your colleagues, Josephine and Karina, the MAG members that actually from the MAG said, OK, this is a good idea to have another BPF cybersecurity and supported it at the beginning of the year. So thank you for that. I would like to thank the numerous volunteers and contributors that have been working. They are not all here, but that have been working in the previous months or have been involved in previous months in online discussions and online work. Already the panel that will be up in a minute. And last but not least, the co-facilitators and lead experts. Clay, you will see. I don’t know if Bart is listening online. He couldn’t be here. And Ellie, I don’t know if she’s already in the room. Yes, she’s there. So Ellie also, thank you very much for all your help to make this happen. And then Klee, the floor is yours.

Klée Aiken:
Thank you, Wim, especially for giving that broad historical overview. And to continue the thanks, your support across all of those best practices forums has been so important to help us get to where we are and continue to build this multi-stakeholder library of documents and interesting insights into the way cyber and the wider Internet governance works. Thank you, Wim, and thank you, everyone, for being here. It’s exciting to see everyone coming together. It’s been such a pleasure, as Wim mentioned, to work with Wim over this last year to see if we could come up with something cool, and I think we have. We’ve had a really ambitious previous work that the BPF has done, and that’s looking at international norms, have or custom, and look beyond the technical impacts, the financial impacts, and the business impacts, to explore the human side of incidents, the flow-on effects that impact individuals, victims, responders, as well as societies and communities across the world. So, thank you, everyone, for being here, and I look forward to working with all of you as we continue to build this multi-stakeholder library of documents and interesting insights into the way cyber and the wider Internet governance works. Thank you, everyone, for being here, and I look forward to discussing with you three continuing examples from the BPF’s work that we, as a company, as a community integrate around their strategy around human rights and across the world. In looking at these, we want to focus on a set of key incidents work activities roughly between 2022 and 2023, as well as kind of hearkening back to some work we did previously focused on solar winds in 2020. So we really aim to have a wide range of issues from across the world and look at different types of incidents impacting different types of economies. Preliminary, we have already found some very interesting trends starting to emerge. While they might not be surprising to some of us who are deeply in this space, we think… Recording this and capturing it in the BPF document is… Obviously the clear direct associations, things like do not damage critical infrastructure, obviously… Recording this and capturing it in the BPF document is… For incidents that impact critical infrastructure, like in Costa Rica, undergoing that attack. But of course, there are also broader common themes embodies that spirit of the norm. Recording this and capturing it in the BPF document is… Undergoing that attack. But of course, there are also broader common themes embodies that spirit of the norm. One of the clearest is, of course, respect for human rights. Again, the access to critical services and the challenge of accessing critical services in the case of these wider attacks is obviously quite concerning. But also many involve data… infiltration, which creates clear privacy and even safety concerns in the real world. There are interesting angles around responses to requests for assistance in international state cooperation on security, particularly in some of the instances in the Pacific as well as Costa Rica. The ability to call on partners, both government as well as private sector, was critical to getting back online and getting the country going again. There’s cooperation to stop crime and terrorism. Most clearly case as well as issues around reporting ICT vulnerabilities as seen with solar winds and in other cases. One of the most interesting findings that we found, which again is not so surprising but is very important because this space has become the core of many of our international discussions, is around cyber capacity building. Not only has these incidents spurred more investment, more awareness, especially amongst decision makers, and more activity in cyber capacity building, there are a lot of signs where previous capacity building activities came into play and helped with the response efforts, whether it’s the establishment of networks of trust and information sharing that were called into play or whether it’s trainings that had previously happened allowing and facilitating local teams to be able to respond to some of these incidents. So a lot of common themes at the normative level, but also we saw some interesting impacts at that human level, which is the new angle that we explored this year. Again, some obvious ones, impact on human services, whether it’s health services, salaries being impacted, or in the case of Fiji with the COVID-19 app being impacted during the GovNet attack. There’s the direct impact on human services there. Again, the privacy and data concerns, Medibank is the clearest example on that one. But one of the more interesting things is kind of the amplication of existing contextual dynamics. It’s a bit of a mouthful, and it might be a bit confusing. But this is the case where an incident actually helped amplify other things that were happening in society at the time. So the Fiji case, for example, involving the COVID-19 application, it fed into a lot of the misinformation and concern happening around the COVID-19 vaccine. So just because these things happened at the same time, it amplified that local context. We saw a similar thing in Samoa, where the ransomware attack against government, while relatively small compared to some of the other incidents, happened immediately after an election that was slightly contentious. Therefore, it fed into a lot of rumors and speculation around the previous government, the current government, and things like that. So it’s very important to look at and think about these flow-on, second, third order impacts across society. And of course, the positive side, those notable policy and capacity building responses, again, whether it’s cybercrime agreements, the Bowie and Langitoy declarations in the Pacific, the Cyber Safety Response Board in the US, and things like that coming across. Of course, we’ll look into all these kind of dynamics as we go into the panel. So I just want to close there by sharing that the draft is online, but it is still an open draft. This is a BPF. This is about getting everyone involved and capturing everything from the discussion, including our panel discussion and what’s happening here at the IGF. So if you’re interested, there’s still time to get involved. Please let us know. Let’s make this document great. And also, hopefully, work into the future with support of our MAG colleagues to do some more BPF work. So at this stage, let’s dive into these concepts. I’d like to welcome the panel onto the stage. Thank you. Thanks for joining me, guys. I’ll introduce everyone as they start speaking, but for this panel, I know we’re in a very big, impressive formal room, but we’re going to try and make it a little bit more conversational and relaxed. Feel free to come forward. We really want you guys to get involved as well. We have mics up here at the front, so as we open up the conversation, really want to hear your questions, but also some of your thoughts, perspectives, and experiences. Each of our panelists will have a quick two to five minutes just to get the ideas flowing, and then we’ll jump into kind of a conversation with all of you and see if we can come up with some interesting things. Our first speaker has been doing really amazing work bringing those incident experiences into the high-level discussions around norms and capacity building and international policy around the OEWG, so I’d like to start off with Louise. Tell us what you’ve been doing.

Louise Marie Hurel:
Hi, everyone. My name is Louise Marie Urell. I am a research fellow at the Royal United Services Institute, which is a think tank focusing on security and defense based in London. I’m over at their cyber program. As a person that has been involved in the BPF in previous years and has been following the work that the BPF has done, I think there’s some core elements here, right, when we think about the normative dimension as Klee and Wim alluded to before. So I think there is the understanding of the normative dimension being the UN norms. There’s the normative dimension of other stakeholders and what they propose, so first having, for example, principles or an understanding of what ethics means in terms of responding to particular incidents. And I think there is a fundamental question of how do we learn from these incidents? And I think sometimes we’re having this conversation in silos, and that is the value of the BPF in bridging, let’s say, the technical community and the more diplomatic environment, right? And that’s something that we’ve been doing over at RUCI. We’re coordinating a project on responsible cyber behavior. And part of that project is really trying to understand how countries from different regions actually kind of see responsibility in practice. And one of the things that we did in July is that we organized a side event during the open-ended working group. And we focused on looking at ransomware and how did different countries respond to ransomware incidents. I think that is a particular type of threat that speaks across the development spectrum. So many countries, small island countries, developing countries, developed countries, all of them can relate in one way or another. And I think that’s very powerful in bridging the conversation also at the international level. So as I said, we did organize the side event. And it was co-sponsored by, co-organized with Estonian MFA, but also co-sponsored by Vanuatu and Costa Rica. And over there, we’re really focusing on three points. So sharing and reflecting on lessons learned from responding and recovering from those incidents and bringing really the experience of Costa Rica and Vanuatu, how these experiences can inform awareness and enhancing response, and how this threat should be reflected in the context of the OEWG. So up until July, ransomware has been discussed a lot, but it hadn’t been actually included in the report. And there are different sections to the OEWG’s report, right? You do have emerging threats, norms, international law, confidence building measures, and among other kind of dimensions of the report. And the question is, what happens and what is the logic of countries actually including ransomware as an international peace and security issue? And that is what we discussed there. To understand what distinguishes a ransomware incident from a criminal dimension to a national security or international security dimension. And by discussing and bringing these examples, and we had over 30 governments around the table, it was a small discussion closed so that we could really get to the nitty-gritty of those experiences in other countries as well, but also other stakeholders in the room. So the things that we found, and we were looking at two questions. One is the distinction between, you know, what’s the international peace and security threshold from ransomware? ransomware incidents, and the second bit was how can we think about the implementation on the norms for requests for assistance, which is one of the norms agreed by member states in 2015 within the context of the group of governmental experts. So how can we talk about, you know, how do they perceive that request for assistance in the context of ransomware? So for the international peace and security, and I’ll close in just like a minute, we identified a couple of criteria that different states brought to the table. So the first one is really, you know, when we think about ransomware incidents as an illustration of that threshold, we’re looking at scale, scope, and speed, and it might feel like very obvious to think about that, but again, when we’re thinking about what does it mean to distinguish between criminal approaches, and that means, you know, law enforcement being there, and then, you know, going to national security, you know, so what’s the distinction? So scale, scope, and speed, and as you know, like 2022, Costa Rica had more than 20 ministries going offline. In the case of Vanuatu, there was the parliament, police, PM’s office, schools, and hospitals being attacked, affected actually, because of the incident. So you see that in a very concrete way. The second element, and we could talk about Tonga and others as well, but the second criteria is really thinking about impact, and when thinking about the experiences that Costa Rica and Vanuatu brought to the table during the discussion, they really talked about the economic impact. I think developing countries are disproportionately impacted by ransomware incidents, right? It’s not as if they can recover as quickly, or they can, you know, respond, you know, very quickly to that in economic terms. So that could lead to political instability, so there are other risks that derive from that particular kind of incident. So Costa Rica talked about how the ask of Conti was from 10 to 20 million, but the actual cost for them was between 35 to 60 million, right? So the logic of not paying the ransom is fine, but when you look at, you know, how these countries that sometimes have parts of their GPD or, you know, parts of their budget being kind of taken off because of this incident, you really need to think about other potential trade condominiums. So third, motivation, right? I mean, what’s the motivation of these groups in actually targeting developing countries more specifically? So Costa Rica, you had Conti actually saying that they wanted to take down the government, that they had, like, an interest in that sense, and when it came to Vanuatu, it was really an intention to explore, to exfiltrate, and to explore other sectors, so kind of move laterally, not within the system, but, you know, across the government and other sectors. is funding, I mean, where do these, like, ransomware groups, yeah, take their, you know, their financing? Are they sponsored by states? Are they affiliated with different member states? And that is something that came up in the conversation, and finally, just to close off, because I know we’re on time, is also reserving the right not to define that international peace and security threshold. That is a prerogative, of course, of states in that context, but I think it’s something to reflect, right? Not all states will be interested in necessarily saying that a ransomware is a national security incident until they face it, and that was a clear distinction that we saw in the room, some of them recognizing that it is important, but then saying, since we haven’t faced it as much as we would have expected, that’s not necessarily the priority in terms of our risk management nationally. So I’ll just leave it at there, and we can explore a little bit more the assistance part, but that is more or less what came up in the room.

Klée Aiken:
Excellent. Thanks so much, Louise. It’s really great to see that those lessons were taken to the OEWG, and the governments were involved and really wanted to learn how the norms as well as the reality of incidents can take place. Next, we’re going to dive even deeper into the UN and hear from our speaker, who’s part of the UN system, but interestingly, not part of the first committee, where a lot of these discussions are happening, but more from a technical perspective as the CIO. So Dino, let’s hear what’s going on over there.

Dino Cataldo Dell’Accio:
Thank you very much, Klee. So my name is Dino Dell’Accio. I’m the Chief Information Officer of the United Nations Joint Staff Pension Fund. I’ve been with the United Nations for over 22 years, and a large part of my career at the United Nations has been in internal auditing. For many years, I was the Chief IT Auditor of the UN. I also spent three years in cybersecurity, and since 2017, I’ve been appointed CIO of the UN Pension Fund. So in the last two years, I’ve been working on a number of issues, and I’d like to share a few of them with you. So the first one is, what is the role of the CIO of the UN Pension Fund? And the second one is, what is the role of the UN Pension Fund’s role in the UN Security Council? And the third one is, what is the role of the CIO of the UN Pension Fund? I also joined the MAG, the Multi-Stakeholder Advisory Group of the IGF, representing the international organization, specifically my organization. And because of my background within the MAG, I started to follow the work that has been done, the excellent work, I should say, that has been done by my colleagues in the Best Practice Forum on Cybersecurity. And I was invited to participate. So in the last year I participated, I was able to provide my humble input. So the conversation here is about two aspects. One is, what is the impact on the communities, on the individual, on the citizens, on the groups? And the second aspect is on what is the response of government and how the policies, how the responses of this government are influenced by what. So I took a particular angle, if you will, and of course I’m biased because of my background as an auditor. And I propose to include in the set of criteria also the role played by the Supreme National Audit Institution. So in those cases that have been analyzed, that have been included in the scope of this study, you will see that there are cases that have been specifically identified by region and by country. So I specifically was given the opportunity to collaborate on the analysis of the solar wind and specifically look at what happened, for example, in the United States or in Europe. So by looking, for example, at the response and at the work done by the Audit Institution of the United States. which is GAO, the Government Accountability Organization, we can start to appreciate if, where, and how the response of a government can be influenced when the government indeed follows the recommendation of its supreme audit institution, also by the auditors. And immediately after, here the conversation is, what did the auditor say and how did they reach this conclusion? Because in order to issue a recommendation, the auditor needs to refer to a set of standards to assess the impact, for example, of a cybersecurity event, an incident, and accordingly elaborate and develop a meaningful and, as in the profession is usually said, implementable recommendation, not an abstract recommendation. So I try to bring this perspective, this point of view, because this is indeed the challenge that in many cases I lived in within the United Nations, going back to your question. So I had the privilege and honor to sit on both sides of the desk as an IT auditor, analyzing, auditing cybersecurity incidents that unfortunately occur also within the United Nations, because actually the United Nations is often a target of attacks, as well as since 2017 on the side of management as a CIO and understand beyond the technicalities of an issue, of an incident, and the corresponding mitigating control, what are the guiding principles? Are we following recommendations that are rooted in the, for example, norms of responsible behavior in cybersecurity? The UN itself So I think the question really is at two levels, one at the level of principles and best practices and one at the level of the operational and practical recommendation. So this is the question and the challenge that I always try to address and to grasp. And I’m concluding here. I see that, for example, at the level of the norm, at the level of the principle, we do have somehow a body of principles that are internationally shared. As I mentioned, there are the UN norms of responsible behavior. There are other think tanks, other not-for-profit organizations, for example, that have been referenced in the study itself. The Global Commission on the Stability of Cybersecurity and its eight principles. So there is a convergence, there is a shared understanding and a shared agreement on that. But my question is, what about the audit profession? Is there, for example, at the level of the INTOSAI, which is an acronym that stands for International Organization of Supreme Audit Institution, that brings all the audit, supreme audit institutions of the various governments together, is there an agreement on how to assess and evaluate the impact? So I think this maybe could be an interesting area for further investigation and analysis.

Klée Aiken:
Thank you. Thanks so much. Very thought-provoking questions there. And I think some of the panelists might have some interesting responses, as well as folks from the room. So let’s hang on to that for when we open up to the discussion. Next we’re going to shift a little bit more to start on that human-level impact. We’ll have a great presentation from Susan from Vanuatu and the GFC Pacific Hub, who both has the privilege of sharing the Pacific view, but also her own view, having been in Vanuatu during the ransomware incident.

Susan Garai :
Thank you so much for this opportunity to join the panelists. Yes, as mentioned earlier by the other panelists, unfortunately cyber incidents is something that is actually happening around the world and regionally in the Pacific, this is one of the things that we are quite more concerned on as it is making headlines. And the impacts when it comes to these cyber incidents from the Vanuatu point of view, it was a devastating experience as we see that the systems are down and not only that, but the impacts run further as more than the impacts as measured only in the impacts when it comes to technological impacts. One of the things we’re seeing is human beings are also impacted also in this. And I think it’s also important to remember that we are in a very, very difficult and unfortunate situation, and through these types of incidents, it forces countries, tiny countries, island countries like Vanuatu to join efforts with other neighboring countries and to foster a more resilient approach going forward to be more resilient when it comes to cyber security issues. And it’s very interesting to see that now the human impact of these incidents are also taking a spotlight, and it’s very encouraging. As human beings, people who also impacted when it comes to these types of incidents, and we hope these types of discussions also help us as governments, as organizations, as companies also take into consideration the human impact of any cyber security incidents. So thank you for that.

Klée Aiken:
Thanks, Susan. Next we’ll hear from Kivuva with Kik Danet, who’s been doing a lot of interesting work with civil society over in Kenya.

Kivuva Mwendwa:
Okay. Thank you. Thank you for the introduction. I’m Kivuva from Kik Danet, and I’m the co-founder of Kik Danet, a multi-stakeholder think tank that does policy advocacy, multi-stakeholder convening, capacity building, and research. Within Kik Danet, we have a cyber non-project that we have been running since the year 2018, and in this project, we convene stakeholders, and the stakeholders involve governments, and we also involve the telecoms service providers, and we also involve the telecoms service providers, and we also involve not only the security organs, the judiciary, but we also involve the telecoms service providers, and other industrial leaders to come and discuss cyber security issues and challenges that are faced, and the purpose and objective of this convening is information sharing, confidence building between the stakeholders, and the stakeholders, and the stakeholders, and the stakeholders, and identifying strategies and actions that should be taken when there is any breach, and understanding the emerging issues in the region, in the country, and also in the region at large. And we have had several outcomes from those meetings, and some of them have been in the region, and we have had some challenges, and we have had some challenges, and we have had some regulations that have come from those incidences, and also we participate at something we call NC4 in Kenya, which is computer and cyber crime coordination committee, which is a collaboration to create conducive regulations in Kenya to ensure that cyber incidents are actually handled. And we have had some challenges, and we have had some challenges, and we have had some challenges, and this year, there was a serious DDoS attack that was done by an organization called Anonymous Sudan. Anonymous Sudan, I think they have attacked even some state department organs in the U.S., so they managed to do a serious DDoS attack, denial of service the series of attacks on several key installations, including bringing down M-Pesa, so M-Pesa was down for like a day, or some hours, and M-Pesa is a critical infrastructure in Kenya because most payments are done using the mobile payment system. So you can imagine, you go to a petrol station, you want to fuel your car, and the system is not working, you are in a hotel, you have ordered a meal, you want to pay for your meal, but you cannot make the payment, you want to make a transaction, maybe to pay school fees for your child, or pay for a bus, and it’s not working, so that was a serious breach. And they also managed to do the DDoS attack on government infrastructure, especially a service called Huduma in Kenya, that service provides citizen services like renewal of passports, applications for birth certificates, and also electronic visas, so citizens, travellers who are coming to Kenya could not actually be able to apply for electronic visas because the system was down. And this DDoS was coordinated through botnets, you know, botnets are just devices that have been taken over, zombie devices, and the anonymous Sudan guys are also able to buy more cloud infrastructure so that they can be able to attack a single server. And you know, even advanced countries and advanced corporations are not able to handle DDoS attacks effectively, because one of the top five companies in the world had their cloud servers taken down by this particular organisation, so it’s a big challenge that of course something like these best practice forums can be able to handle to see that better coordination, especially between security organs, Interpol, to be able to bring these bad actors to book. Thank you.

Klée Aiken:
Cool. Yeah, thank you so much for that insight from Kenya, and that human impact again from the loss of these services during the incidents. I kind of want to turn the first question to Dino, actually, you asked the question about how to assess and evaluate the. impact from that normative perspective, but hearing especially from Susan and Kivuva, is there a way that auditors are looking at that human impact now or do you have any suggestions or ideas on how that human side can also be integrated into the auditing and consideration of the norms but also cybersecurity practices?

Dino Cataldo Dell’Accio:
So in terms of, if you will, basic terms of reference that guide in general the ICT profession but also the IT auditing profession, of course at the foundation there is the triad people, process and technologies. And in preparing for an audit, we are asked as auditor to first and foremost conduct an audit risk assessment because fundamentally given the broad scope of area that can or should be audited, it’s humanly impossible to have an adequate number of resources to cover the whole spectrum. And therefore the term and the principle that is used is that in planning audits, what the audit profession within the UN does, it approaches the function with risk-based auditing. So during the conduct of the risk analysis, there is an evaluation not only of the technical aspect of an area, not only an evaluation, the assessment of the budgetary amount associated for example with an office or with a function or with an organization. But definitely one of the guiding principles is the asset. What is the asset that it is or could be impacted? by, for example, in the area of cybersecurity, by a hacking attack. And we all agree that the most important asset is the human being. The most important asset for the organization is the staff member and those that the United Nations serves. So I would say positively that there is that appreciation and there is definitely that consideration that puts the human being at the center of the process. So it’s not just an acronym, but there is also a sequence of priority where you look first at the people, then on the process, and ultimately, and finally, at the technology as a mean to an end. Thank you.

Klée Aiken:
Excellent. It’s really good to hear that that human angle is considered already, and hopefully can be considered more also in the policy space and things like that. One thing you mentioned was with the broad scope of the issue, it’s impossible to consider everything. But if it’s impossible to consider everything, it’s even more impossible to secure everything and respond to everything. So oftentimes, it takes partners. So I kind of want to ask you the next question, Louise, that you mentioned about the, sorry, the requests for assistance from international partners. And obviously, that took place in the incidents that you guys were looking at. Can you explore that kind of dynamic a little bit more as well?

Louise Marie Hurel:
Yes, absolutely. And I think, again, going back to the discussion on how do we connect the norms that have been agreed at the international level with the practice, right? I think there’s a lot of discussion since 2015, because there’s the norm on whenever there’s a particular incident of large scale that is of national concern that another state can either request or another country, like let’s say a supporting country, can come and provide assistance. And what we’ve seen in the past year, honestly, Klee, is an evolution of the discussion of requests for assistance, right? And I think it relates a lot to CCB, to cyber capacity building. I was talking about that in a different panel, but I’m just going to bring it here. I think we need to break down the different dimensions of assistance. So the first one being, you know, that kind of programs that really develop skills that, you know, help develop a more, let’s say, resiliency in different countries. I think there is one that’s specific to crisis response, right? So whenever there’s like Costa Rica, you had different governments supporting Costa Rica, coming, and still until today, kind of providing support. In terms of Vanuatu as well, you know, you have the Australians that have been kind of like collaborating a lot, but you do have a history there of like multiple engagements that lead to that trust building element between governments, and then providing assistance. So it’s not as if, you know, a country goes through a particular kind of like large scale incident, normally ransomware, as we’ve been discussing, and then, you know, country X comes in. So there needs to be that rapport, there needs to be that trust. So there are a couple of elements that we got from the discussion. So as I said, the second part of our, our, let’s say, workshop with different member states and also with stakeholders was really to look at, you know, what does it mean to talk about requests for assistance. So what we saw was that assistance varies in addition, you know, varies depending on severity, on its type, on its context. When I mentioned, you know, the crises, the conflict element, and let’s say, your usual skills building and resilience, they’re very different types of contexts, right, when you actually need to provide assistance. So the first element that states kind of highlighted in that particular environment was that there needs to be, you know, they need to ensure that governments are aware of the criticality of incident. And I think that’s something that’s kind of like homework. It’s inside the government that’s going through the crisis most of the times, right? It’s like, it’s convincing that, you know, domestically, most of the, let’s say, cybersecurity professionals in the policy angle and also on the technical side are overstretched. So they need to go and knock on different doors and say, you know, this is a relevant incident. We’re not being able to access our systems because of that. And I think the powerful element of ransomware incidents, it’s that it makes it, you know, it denies access to a particular kind of service. So it’s easier to see the impact of that particular incident immediately, but still there’s a lot of convincing. And we heard a lot of that during the discussion. So, I think that’s a really important piece of the puzzle that we need to be thinking about. And I think that’s a really important piece of the puzzle that we need to be thinking about. Also, it’s about, you know, assembling and coordinating internally. So, countries that might not have had the opportunity to do that, sometimes you do have a national cert, but at the other end, you know, is your cert well integrated into, let’s say, your broader policy response? So, I think these are opportunities where, you know, there needs to be a lot of coordination. The second element on, you know, the third element is, you know, providing assistance. So, we talked a lot yesterday and two days before about this, but it’s really avoiding duplication of efforts. And one thing that we heard from different Pacific Island countries is there normally is, and others as well, that there’s normally a lot of offers of trainings with regards to certs and to skills building. But if there are different countries providing the same kind of assistance, you know, what’s the added value? What’s the added value that you get from having different countries providing the same kind of assistance? And so, you know, we are seeing a lot of different different kinds of efforts, and there was a lot of discussion around that. And I think we are at the stage, given the Russo-Ukrainian war, be it the context of, you know, different conflicts and how the cyber dimension has been included in that, we’re seeing a test of different mechanisms trying to respond and provide assistance in a more agile way. But there’s still lots of things we need to do to address the challenges that we’re facing, and I think that’s really important. So, you know, I think the first thing that we raised was really to develop capacity for proactive monitoring and response. So we also had Montenegro in the room, and the representative from Montenegro gave a really good example that in his case, he was the only POC across government, so he had to kind of assemble all the information to kind of, you know, send it across, so, but there’s a very opportunistic thing, which in a positive way is that they actually, after the crisis, they were able to do a lot of things, and I think it’s really important to do that. And then, you know, the second thing that we raised was also to develop their new national cyber security strategy. So I think there are things that we can learn from this process, both in terms of what kinds of mechanisms do we need, what are the contexts that we’re applying these requests for assistance, do we need specific mechanisms depending on, you know, which, you know, if it’s just your usual, let’s say, resilience building or crisis response, and I think, finally, it’s really

Klée Aiken:
Thanks, Louise. I kind of want to jump over to Susan next, actually, because we’ve seen a lot of each other the last few weeks, but most recently we were at the P4C conference in Fiji looking at capacity building, and it kind of touches on what Louise just said. We discussed all the elements of what’s happening, what’s being duplicated, how to coordinate and how to do better. So I just kind of wanted to get your thoughts, Susan, on kind of the best ways for the Pacific as a region, considering all the incidents that have happened and the discussions over the last couple of weeks, to kind of prepare for those future incidents, build those relationships with partners across the Pacific, but also globally, to be able to respond to those kind of ransomware incidents.

Susan Garai :
Thank you so much for this question. Yes, there are several points that have been touched, and one of them is the cooperation that has been embraced regionally, and I think I’d like to highlight this also a little bit more. You know, in the Pacific region, we have different country nations, and these nations are in different parts when it comes to their journey on cyber security. There’s some of them that are more advanced in their journey in cyber security, and they’re taking advanced steps. There’s some of them that are not so in this advanced level when they come to walk in the cyber security space, but at the same time, there are some of them that are new in that space of cyber security, and hence they are taking baby steps in that journey. So when it comes to effectively addressing those cyber security incidents, the power of collaboration and cooperation in a region, as one of our panelists mentioned, Australia is assisting our tiny island nation, which we were so blessed to have this assistance. When it comes to addressing it, this collaboration helps this tiny island nation address these cyber incidents more effectively and more efficiently, and this is one of the main things I would like to highlight as a region. It’s very important to have strategic So, we have a lot of collaboration and cooperation among regions as it fosters this ability to effectively address cybersecurity and last couple of weeks we have the Paxon annual meeting in Vanuatu and also we have the first symposium also in Vanuatu and then followed by the P4C in Fiji. So, we have a lot of collaboration and cooperation among regions and we have a lot of collaboration and cooperation among countries and we have some of the main platforms that helps this collaboration and strengthen this relationship among the countries while at the same time being mindful of the fact that all of these

Klée Aiken:
countries in the region share many, many same values and that is very, very important when it comes to addressing these types of things in regards to trust. So I want to point you to the support that Paxan provides. So, the Internet in the beginning and year was very much about capacity-building and bringing in resources and working together as a wide region and Globally. Paxan is a regional network to Pacific assistance and and of course we were able to bring in the precious sector, communities of practice and the broader stakeholder group to explore and build the network of assistance and community-building. So, it’s not just a network, it’s a network of people who work in your region but also within your society. And that’s something I kind of want to touch on within the Kenyan context. We had an interesting discussion about how Kenya’s CERT looks and engages with the multi-stakeholder community. So, I was wondering if you could share a little bit about that, but also how the involvement of civil society in the work with Kenya’s CERT has kind of created better results.

Kivuva Mwendwa:
So, we have a lot of civil society members in the CERT. We are actually members of the CERT. We represent the civil society interests in the CERT. is actually capacity-building. From where we sit, social engineering is very big, is a big threat, especially in our country, and the reason is everybody has a banking account on their phone through mobile money banking, and even the middle class or those well-to-do have mobile apps connected to their banks or they do internet banking. So it’s very easy to do social engineering on like everybody across the entire spectrum of the population, because everybody, there’s something you can get from them. So we’ve seen very vulnerable people, probably people who are not well-informed or educated, being wiped clean by criminals. So they just get a call, hi, I’m so-and-so, I’m calling from the bank and your account is about to be closed, please send me this information so that we can update your account details or else your account will be closed by the bank and you will lose all your money. So they send the two-factor authentication code that is sent to their device or things like that, and all their money is wiped out from the account. So that is very common, and sometimes it’s even insider information, maybe that somebody in a telecommunication company in the bank is working with criminals. So we saw the need to do citizen cyber hygiene. So within that, we created very simple messaging using posters, flyers, simple cartoons, comic strips, which we distributed through different platforms. Most of them were social media platforms, but we also used television and radio, especially vernacular radio, which has a wider reach. reach for the marginalized. And this one we targeted women farmers because there is a big farming community and the farmers are actually businessmen because they sell their produce to the market. And we took this key simple messaging to the ground. And we came with actually one acronym called STICK, just S-T-I-C-K, meaning when you see anything, you have to stop, think, and check before you act. And this was a very successful campaign, Citizen Cyber Hygiene Campaign, which had a reach of around, from our analysis, we reached around three million beneficiaries directly. And that was achieved by also training, training of trainers. So we had like 140 trainers that we trained so that they can be able to take this information to the village level. And so one of the big things that civil society can play is actually participate in capacity building. And when they work closely with the sites, they’re able to know what are the threats that are there and what are the intervention or what are the measures that can be taken to solve those threats.

Klée Aiken:
Cool, it’s excellent to see that in practice. And certainly something that a lot of the rest of the community can learn from. At this point, I’d really like to involve all of you. Again, Best Practices Forums are all about everyone getting involved across the community. So please feel free. We have a microphone at the end of each aisle. Just line up if you guys wanna ask a question, or also if you wanna share a similar experience of incidents occurring in your country or some of the work that you’ve done within the UNGG, OEWG program of action type space where the norms and incidents are coming together. So does anyone have an initial question? I think we have one person coming up. No, just taking a seat. So think of things, please come up. Here we go. Please introduce yourself as well before asking a question.

Audience:
Hi, good morning, Francisco Libardia, diplomat from Panama. My question is directed to the day after a cyber incident. During my journey here in the IGF, well, I have heard that international law is applicable to cyberspace, but my question is how can we enforce international law after a cyber incident, one? And my second question is, in the case of Costa Rica and Vanuatu, what are the legal mechanisms that they have in order to hold accountable the cyber attackers and, of course, claim compensation after a cyber incident? Because I remember in the past, for instance, before the UNCLOS, the United Nations Convention on the Law of the Sea, there was no forum or not legal mechanism or legal venue to claim damages or to claim, you know, when your chip was seized by any other country. But after the UNCLOS, we have ITLOS today that you can go to ITLOS and hold accountable any other country or the ones that affect your chips. So I would like your thoughts or your experiences or what does developing nations as Costa Rica and Vanuatu have in order to hold accountable cyber attackers and to claim compensation after a cyber incident?

Klée Aiken:
All right, we’re starting off with a hard one. Does anyone want to take a first crack at it? Louise?

Louise Marie Hurel:
Yes. Thank you very much for that question. Definitely not easy questions. So in terms of your first question on how to enforce international law, I think there are lots of open-endedness, you know, with regards to that. I think there’s a lot of interpretation and understanding of how different states see the applicability of international law in cyberspace before we arrive to that effective kind of answer. But I think we’re progressing because many states and in the region, you have Brazil and you have Costa Rica being countries that already published their views. So I think that’s a good step and a positive step. definitely, we could say that the fact that Costa Rica published their views on international law is one of the outcomes of that thinking and political prioritization. And so, but one of the things that we discussed during the event that I mentioned, the workshop, and that stays phrased, was it’s not all, you know, there’s still an open-ended question about when it comes to ransomware incidents, and that is applicable to other large-scale incidents, right? When does it constitute a breach of sovereignty, right? If an incident does constitute that. And I think we still don’t have an interpretation of how different states actually see this. Some are more strict about what does it mean to, you know, what does it mean to infringe or breach sovereignty. France, for example, has a very narrow interpretation. Brazil has another interpretation. But I think as many, as countries publish their views, it’s going to be clear on what are the expectations on enforcement, then to reach a more concrete conversation of what that means, like, and how do we find common ground. And to your second question on how to hold accountable attackers, I think there are two dimensions to that. I think there’s definitely a domestic dimension, and I think countries already have things in their toolbox to respond. So, you know, some countries use sanctions to call out bad behavior. Some do joint political attribution. But is that the case for most of the countries? I wonder whether there is this political interest of actually calling out bad behavior in that sense. I think from a criminal perspective, of course, law enforcement has done a lot in terms of integrated networks, Interpol, Ameripol, and others kind of trying to share information and respond from, let’s say, a crime-based level. But at the international peace and security, I think it’s still quite challenging, not to say that there’s no progress. But the second dimension that I wanted to talk about is the international one. So the new Agenda for Peace, published just recently at the UN, does talk about a mechanism for accountability internationally. What does that mean going forward? I think there’s lots to discuss, but I think we do have a lot already in terms of experiences that have been shared within the OEWG and us as a research community and other stakeholders have been trying to facilitate more of that dialogue with states to understand what the practice lies and how do they see that. So hopefully that provides some food for thought.

Dino Cataldo Dell’Accio:
If I can just add one additional comment. In addition to the jurisdictional layer and domain, and I speak for direct experience, this is a public event. The pension fund a few years ago was attacked by ransomware. We made it public and of course we had to engage and we engaged with the hosting country, with the FBI specifically in my case. And at the operational level, the technical level, one other open-ended question is the question of attribution. Before being able to raise the issue in front of the jurisdictional level, there is a need to observe the rule of evidence and being able to demonstrate who, what, when and how. And that’s, I mean, going back to what I was saying before, there is the need also at the technical level to have that body of generally accepted principle that recognize the forensic process that goes into collecting that evidence and submitting it to the jurisdictional bodies.

Audience:
So you’re talking about the general link between the crime and the possible author. Exactly. And recapping your response, so you are talking about like to advance moving toward a path of customary international law, because if you are sharing your view, it’s a state practice, but we don’t have opinio iuris right now.

Louise Marie Hurel:
Precisely. And I think that, you know, if countries do publish more of their views on international law, that will help with establishing that body for sure. But I think we’re at the stage where, you know, some will only have political. So over at the Americas, right? I mean, the OAS has, you know, convened, you know, the Inter-American Judicial Committee and countries have been consulted on their views. And I think there’s still a lot of in-house efforts to raise the political priority of those kinds of discussions so that, you know, states feel as if they can publish within their regional bodies, within the UN. So I think there are lots of layers that can be explored and there’s a lot of progress already kind of like happening in Latin America. So that’s potentially something, yeah, a positive note in going forward, right? But I think there’s a lot to achieve still.

Susan Garai :
I also like to just give a little bit food for thought on that. Yes, it is quite hard to get every country to agree on, you know, this international law going forward as it’s a reality of why it’s actually happening. But one of the things that we could consider is to have legal frameworks on a regional level, have countries agree on that as a benchmark, and then… we move forward. Perhaps it will be more practical to have the countries in your region have a benchmark when it comes to the legal frameworks and how to hold players accountable for their actions and et cetera. That is more practical as compared to trying to get 80 countries to agree on one thing. So, yeah, just a footnote. Thank you.

Klée Aiken:
Thank you so much for the question. Please.

Audience:
Thank you very much. I’m Larissa Calza fromthe Cyber Division of the Brazilian Ministry of Foreign Affairs. I would like to thank all the panelists for their very good presentations. So one question I would have building up from what my colleague just mentioned on the issue of possible remedies, countermeasures, sanctions. One of the panelists mentioned the importance of building up forensic evidence to find out the origins of these attacks, but how do we deal from a more international peace and security standpoint with the fact that many times countries amassed that evidence but are unwilling to actually publish it while still wanting to put some sort of countermeasures in place. And on another note, I would also like to ask your views on the possible effectiveness of some initiatives that are currently going on, on trying to establish political declarations on the nonpayment of ransomware. How effective can they be? How enforceable can they be? Thank you.

Dino Cataldo Dell’Accio:
Another very good question. I’m not sure whether I do have an answer. I can just speak for experience here. And again, looking at both experience as auditor and ODT here. And the way I see it is that here you need both a top-down approach and a bottom-up approach. Definitely, the resolution, the treaty, the agreement are extremely important to create a level of consensus at the high level. But at the same time, there is the need for a bottom-up approach where the practitioners, those who are responsible for the day-to-day operation, agree on a set of standards and technical procedure that would allow them to at least be consistent and to agree also on a level of disclosure that allows the prompt information about an attack. So there is, unfortunately, as I think you alluded to implicitly in your comments and observation, a resistance in disclosing, because there is fear, there are responsibilities, there’s accountability. And so what we are trying, I think the community is still trying to resolve, is to how to find the right balance between being responsible in sharing, but at the same time being responsible in not oversharing, in not providing too many details that will, if you will, increase the negative impact on that kind of event. So at the technical level, I don’t want to go into many technicalities, but for example, there are now technologies that start to allow what are called the zero-knowledge proof. They start allowing the ability to provide certain information without disclosing too many details about the origin. And maybe in that area, again, with international standards, for example, from the ISO, there could be a way to find approaches and methodology that will enable those who are working on a day-to-day operation to share this information in a timely manner and to make use of it.

Louise Marie Hurel:
Larissa, if I may ask, could you repeat the first question? Is it a lack of willingness from any kind of other organization in kind of sharing information, or is it specific kind of like stakeholders?

Audience:
Mostly when it comes to states attributing cyberattacks to other states, most of the time that happens without the sharing of the evidence that actually led to the attribution.

Louise Marie Hurel:
No, absolutely. I think there is, I’m going to be very pragmatic here, I think there is a state prerogative right of… of what kinds of information they can share. Of course, when it comes to joint attribution, which we’ve seen increasingly in the past couple of years, I think there is an attempt to prove that many states come together and that they’re able to kind of verify that. Maybe that signals reassurance, but I definitely understand that there is some kind of challenge there in terms of actual evidence, even though there’s sensitivities around that. On effectiveness of payments when it comes to ransomware, as I’d say that, for example, the UK government has been quite strict, no payments. I think there needs to be a balance in terms, I agree in many ways with saying not to finance these groups I think it’s a reasonable thing to say, but I think it is something that needs to be accompanied by government support, right? So if there’s a policy coming at the national level that says it is not effective, we recommend that you don’t pay ransoms, you’re basically saying if you don’t have support to these kind of companies or organizations that they’re just gonna fail and that they don’t have any support to kind of recover from that. And so I think there needs to be a proactiveness in supporting the recovery. And that is something that governments should reflect. And I think also there’s a growing cyber insurance market which profits a lot from that and that’s growing based on those kinds of policies. But I’d say that, I think, you cannot say, don’t pay ransom and not have support to the victims irrespectively of the country that you’re talking about.

Klée Aiken:
I’d like to put you on the spot, Susan, actually, because one of the great things that we’ve seen over the last couple of weeks has been the sharing of the incidents by CERT Vanuatu, CERT Tonga, PNG Sur, and all the folks across the Pacific, which has been great. It hasn’t, of course, reached the level of forensics because it was, you know, presentations. But in none of these cases were attribution made, at least in the public forums. And there was no evidence or no sharing that anyone had actually paid any ransoms. So I just wanted to see if you had any thoughts on kind of the value of the attribution as well as kind of that ransomware question.

Susan Garai :
So thank you for your question. So, I would like to start with you, and then I will turn it over to you, and then I will turn it over to you. Thank you. When it comes to these types of incidents, I would again like to shine light on this mutual trust, and that can be easily captured when you are from a region, the same region, huh? So, when this incident happens, with example, if you are from a region, you have to be able to communicate effectively, and that helps when it comes to coming up with strategies going forward in addressing cyber incidents more effectively, and I would also like to highlight, again, in this stage where we are heading to this digital environment, the need of collaboration, strategic collaboration and cooperation amongst regional government, in contrast to what Kenya does, and how Africa is becoming an asset on the list of alternative ways of essentials when going solo is not and option any more, and it’s unfortunately not effective in many ways. So, yes.

Klée Aiken:
Kivuva, do you have any thoughts about some of the regional approaches that you guys were going through?

Kivuva Mwendwa:
So, this is horns means that local organizations are going to be supporting knot TEvery countries, and, therefore, the legislation is very slow. There is also this issue that is include the country, and, therefore, it is very difficult to collaborate with them, because, if you have a partner, or the adversary is in a state which you are not in good diplomatic terms with them, it becomes very hard to be able to collaborate and even have them apprehended. That’s why we see there are some countries within the world which are notorious in producing or attacking, and, therefore, it is very difficult to collaborate with them. The problem is that there is very few big cyber companies that are not really collaborating with the international system of cybersecurity or international criminal system, so that is probably at a very high level.

Audience:
» Hi. My name is Wilson. I’m from Brazil, and I’m here to talk about the security of the global south and the multistakeholder when a large part of the debate on security still permits bodies, genders, races, and regions of specific as the global north, and I would like to understand how the documents on the subject have proposed or not proposed to address it. And also, I would like to know if there is any possibility of a policy based on the security of countries, especially in the global south, and security of the minorities, including cases of government hacking, such as Pegasus. Thank you.

Louise Marie Hurel:
» Thank you so much, Wilson, for the question. I think it’s a good question. I think the question is, what is the policy-making that is being raised in the global south? I think we need to think about policy-making as different, let’s say, concentric circles, right? And I think there is this discussion that we were having about the international level at the UN, right? And obviously, the objective over there is really to arrive at a consensus document and output, right? So you have all of these member states coming together to kind of come up with their own policies, right? And I think that’s a good question. I think that’s a good question, and I think we need to provide that platform for thinking what does cybersecurity mean from that perspective. At the regional level, at the OAS, there’s a confidence building measures working group focusing on cyber that has been there since 2016, right? And I think there’s lots of layers to that, you know? Countries, when they gather, and, you know, when they meet, that applies to the African Union, it applies, you know, to ASEAN. It’s really about developing trust at the regional level so that you can arrive at a stage where states can come together and say, yes, we agree on these things. And the CBM’s working group over at the OAS, you know, they have established, you know, we need points of contact throughout the region. And all of that layers up into thinking about and creating a vision over there. And if you think the OAS, for example, like in 20, don’t quote me on that, in 2012, if I’m not mistaken, or even before that, they published like a resolution on, you know, cyberspace within the Americas, like hemispheric security. So I think, you know, and the UN was also publishing a resolution on that a couple of years before. So you see these concentric circles, you see the debate progressing, so I think there’s space for that. But even at the UN, part of the resolution, apologies, part of the final, let’s say, report of these conversations at the open-ended working group, they have recognized the importance of thinking about capacity building as something that’s South-South, North-South, and triangular. So that is a language from the developing, kind of, development discussions that has been incorporated. And I think there’s a huge agenda for research and thinking of like what South-South cooperation means within the first committee, within the context of, let’s say, capacity building throughout the region. And I think we’re getting there, and there’s like, maybe my colleagues can talk more about that, there is the conference, the global cyber capacity building conference is going to happen. And I think it’s a platform for thinking about, let’s say, how to progress a South-South vision on that point.

Dino Cataldo Dell’Accio:
Very briefly, what I will add to what Louise just mentioned, and definitely I agree, a very good model to exemplify the concentric circles, is, as I was talking before about the risk approach, if in the risk approach, there are, and there is an appreciation and consideration for risks that address exactly those issues that you were alluding to, I think then the result and the outcome of the analysis will be in line, will include an evaluation and a consideration of aspects of representation. So it’s all about having those criteria being as comprehensive as possible at the beginning of the process. So I think very humbly this report that we are discussing today is probably an excellent example of that kind of approach, because after the 2021 work that has been done on the norms, this report in looking at the impact of the cybersecurity event on the citizen across the globe and feedback the result of that analysis evaluation that in turn can inform and can improve in a continuous improvement approach the definition of the criteria that are considered for the analysis of risk.

Kivuva Mwendwa:
Also on the issue of Pegasus, if Edward Snowden is still in exile, you see that countries which are more powerful will be able to push their agenda, and weaker countries, there’s nothing we can do. So these are issues maybe that can be discussed at the Security Council, as you had addressed before, because these are advanced states, they have all the financial, military, mass power, so that discussion still actually sits probably at the UN Security Council, and that’s why Edward Snowden is still in exile, after revealing all the information that he revealed, all the truth that he did.

Louise Marie Hurel:
Can I just add a quick point to that on the Pegasus and commercial hacking tools? I think we need to think about how developing countries develop their own cyber capabilities. Of course, there’s the whole concentric circles, regional coordination, but I think there is another layer, which is for countries that are not the ones developing most of those technologies, I mean, how do they develop the capability to investigate, which in terms of law enforcement, there’s certain accountabilities, but how do we think about the responsibility or the values and principles involved in thinking about the capability development when it comes to cyber operations or even to let’s say other types of activities that states conduct in cyberspace. So I think there that is something to consider because it’s a bit of a paradox there that that needs to be further reflected. How do countries, especially developing countries, acquire capabilities and make sure that they are not you know doing that in an unaccountable or irresponsible way.

Klée Aiken:
Thanks guys. In the interest of time we’ll take both of your questions together if that’s all right and the panel can can answer them. If you want to ask yours.

Audience:
Thank you very much. My name is Hone Rebol Mishimboko from Kenya and also a commissioner representing information communication for the Parliament. I’m happy that we have our Kenya representative here and I would also request you that in terms of involving the stakeholders you need to incorporate members of Parliament because that is where we legislate some laws and it’s where we formulate some policies. So it is prudent that you also involve us in your processes. My question is I come from a country where we have been attacked many times by the terrorist gangs known as Al-Shabaab. The major one being the 7th August 1998 bomb blasts. So for now we are really anticipating that maybe there might be cyber terrorism. So I’m just asking whether as an international platform whether you have some strategies or measures you are putting in place to ensure that we are going to counter this kind of a process that cyber terrorism. Because right now they’re just trying in a small scale infiltrating our military bases and maybe our computer system. But who knows maybe sometimes maybe later or in future they might use this so that to create more havoc to our country or rather in the globe. So my question is are we prepared or what are we doing to ensure that this one will not be a big threat to the world. I thank you. Thank you for your question. Thank you. Good morning dear panelists. My name is Elaine Liu and I come from Singapore. I’m an independent participant at this IGF forum. So first of all I really like the use case that’s shared on Kenya. Coincidentally I’m talking about Kenya and I like the word stick which is stop, think and you check. So let me bring down a couple of layers down what I’m trying to say here. As citizen of this global world when we have cyber best practices sometimes it’s at the top level or organizational. But at the citizens level that’s what best practices need to be in place. in place as well, and that’s lacking. There’s excessive data collection with the retail store. You get cheated when you apply your jobs. And today, the cyber crimes and fraud are no longer localized, but regionalized and internationalized. So my question is really, is there any way we could think about and enforce and police check how we collect data? Because when we shop or we apply jobs, we tend to supply a lot of data. And data is the first entry to a lot of these systems and cyber crime or fraud. So data collection. And number two is about penalty. It’s about calling the bad guys and making it so obvious to the citizens because there’s a part to play by citizen at the cybersecurity practices. So that’s what I’m sharing. My background is cybersecurity and data protection, but I also get the fear of being cheated. So the question is, how do you stop, think, and check? What do each citizen need to do? Thank you very much.

Klée Aiken:
Thank you. Cool. Very, very quickly. 15 seconds.

Audience:
So I’m Vineet. I’m the global president for CyberPeace for the records. Well, I’d like to just share, and basically a quick question for the panel, is there a lot of tech-based abuse that’s happening, cyber-enabled trafficking, CSAM, and other issues happening. While there are issues, there are also challenges that we see on the ground that we are duplicating efforts. So how do we kind of ensure sustainability and impact rather than duplicating so that the resources that we create, we kind of share it with the other stakeholders, partners, to avoid duplication and focus more on sustainability and the impact? Thank you.

Klée Aiken:
Thank you so much. By way of a closing statement, I hope each of our panelists can choose one of the three questions or touch on all three, maybe one minute each. We’ll start from Susan and work our way back.

Susan Garai :
Thank you so much. I’d like to start on the last question, in how do we make sure we do not duplicate effort? Just last week, we have the Pacific Hub, the GFCE, the Global Forum on Cyber Expertise Pacific Hub launch, and this is one of the platforms that is in place to address all these issues of trying our best to make sure we utilize our resources more effectively and efficiently and not duplicating the efforts. And this is also, the GFCE is having also the GC3B, another. So that’s one of the things that we’re trying to do. The other thing that we’re trying to do is we’re trying to focus on the other event that we’ll be having in Ghana, and that’s also trying to find this capacity, cyber capacity building gaps, but at the same time, focusing on making use of our resources on the best productive level as we can. And, yes, I think that’s ‑‑ thank you so much.

Kivuva Mwendwa:
Thank you so much for inviting us to collaborate with them. Actually, before the ‑‑ there’s a new parliament in Kenya because elections were done last year, so in the last parliament, we used to collaborate very much, we used to have roundtables with the committee on IT, so chaired by Honorable Kisang, and also in Senate, chaired by Honorable Gideon Moi, so we take that invitation, and we look for you, so that we can actually form a new collaboration going forward. Of course, on what she’s talking about, cyber terrorism, there is a challenge in Kenya, and especially in the parts of northern Kenya, you find critical infrastructure, especially telecommunication masts, they are usually targeted by terrorists because that part borders Somalia, so it’s an easy hit, and of course, I think they have a security committee in parliament, probably there’s a way they will be able to handle that, but we’ve been getting international support from the countries that Kenya is collaborating with to try and handle the terrorism part, and that also is ‑‑ also on cyberterrorism, there’s also international support. Probably on data collection, there’s a principle of data minimization, and I know GDPR probably addresses that, and also, countries can have local internalized laws, like Kenya has a data protection law, and a data protection commissioner, and they usually enforce collection, and there’s usually penalties. So, I think there’s a lot of work to be done on that. Thank you. Like last week, there was like around $100,000 worth of penalties that were issued to organizations that were breaching data of citizens.

Klée Aiken:
Excellent. Thank you. Awesome to see that practical outcome of the session as well.

Dino Cataldo Dell’Accio:
Thank you. I will try to address very briefly the question, the comments on the data collection. This is, for me, a very near and dear area, because in the last seven years, most of my time has been invested in designing and implementing a digital identity solution for the United Nations Pension Fund for the 84,000 rate of visa beneficiaries around the world that receive periodic payments from the United Nations. And before we collect, it means that we’re sharing. And I think we can all agree that nowadays, in interacting with the online services, we are oversharing a lot of information that theoretically will not be needed. I mean, the reference also to data minimization. So I think that there is hope that new models and new technology, such as self-sovereign identity and selective disclosure, can lead to a situation where we are no longer required to oversharing, and therefore to reduce that amount of data that inevitably then gets mined and gets collected. Thank you.

Louise Marie Hurel:
Very quickly, three points to stick to my three points as a standard. On the impact sustainability question, first is definitely information sharing. I think there are public platforms for thinking about initiatives that are trying to do the same thing. But then I think the Sybil portal from the GFC is a very interesting example of how the public information can really help across both governmental and non-governmental organizations to know what other of the world and other, let’s say, organizations are doing in terms of capacity building. I think there is one of the things that also came out of the discussion that we had over at the OAWG is being able to monitor activities, so when it comes to, like, crisis response, you know, some of the projects are public, some are made public in the sense of, you know, countries sometimes say that they’re supporting country X or a country that’s being supported says that, so I think there’s a lot of cataloging that we need to do, and I say that as a research community, in terms of tracking those different types of assistance. And finally, I think there is an evolving landscape of enhancing mechanisms, so it’s not just about having an MOU anymore, it’s maybe thinking about procurement, something that came out of how to enhance procurement in certain instances, and that came out also of our discussion at the OAWG is some countries don’t necessarily just want skills building, they also want technology, so how do you ensure that when you actually have technology coming in that you don’t have a short-term licensing agreement, that you actually build, you know, the technology and embed it for a longer period of time. So these are my three points, and I’d just like to thank the BPF for the wonderful work that they have been doing.

Klée Aiken:
Yes, let me echo the thank you to all the contributors to the BPF, to everyone who’s asked the questions, and of course to the panelists for such an engaging conversation. Thank you guys so much for sharing your insights, and thank you to everyone.