Open Forum #1 Challenges of cyberdefense in developing economies

Summary

This panel discussion focused on cybersecurity and cyber defense challenges facing developing economies. Experts from various fields shared insights on key issues and potential solutions.

The panelists emphasized that while cyber threats are similar for developed and developing nations, the latter often lack adequate preparation, skilled personnel, and effective policies to respond. They highlighted the importance of capacity building, noting the significant skills gap in cybersecurity professionals in developing countries. The need for critical thinking, effective communication, and promoting collaboration were identified as crucial skills for Chief Information Security Officers (CISOs) in these regions.

Several speakers stressed the importance of international cooperation and trust-building between nations to combat cyber threats effectively. They discussed the role of artificial intelligence in both offensive and defensive cybersecurity measures, as well as the increasing sophistication of attacks targeting critical infrastructure and supply chains.

The discussion also touched on the challenges of participating in numerous international cybersecurity forums, with limited resources available to developing nations. Panelists suggested focusing on demand-driven approaches to capacity building and leveraging existing frameworks and resources rather than reinventing the wheel.

Legal frameworks were addressed, with emphasis on the need for well-trained law enforcement personnel rather than simply creating new laws. The panelists concluded that effective implementation of existing tools and laws, coupled with sustained capacity building efforts, is crucial for improving cybersecurity in developing economies.

Keypoints

Major discussion points:

– The importance of preparation, people, and policy for effective cybersecurity in developing economies

– The need for capacity building and skills development to address gaps in cybersecurity capabilities

– The challenges of limited resources and expertise in developing countries for cybersecurity

– The role of international cooperation and information sharing in improving cybersecurity

– The importance of implementing existing frameworks rather than creating new laws/regulations

Overall purpose:

The goal of this discussion was to explore cybersecurity challenges and strategies for developing economies, with a focus on practical steps these countries can take to improve their cyber defenses despite limited resources.

Tone:

The tone was collaborative and solution-oriented throughout. Speakers built on each other’s points and emphasized the need for practical, implementable approaches rather than just theoretical frameworks. There was a sense of urgency about the importance of cybersecurity for developing nations, but also optimism about existing resources and frameworks that can be leveraged.

Speakers

– Olga Cavalli: Moderator

– José Cepeda: European parliamentarian from Spain

– Merike Kaeo: CISO, board member and technical advisor

– Ram Mohan: Chief Strategy Officer of Identity Digital, former ICANN board member

– Christopher Painter: Director of Global Forum on Cyber Expertise, first cyber diplomat in the world

– Wolfgang Kleinwächter: Professor emeritus of University of Aarhus, former commissioner of the Global Commission of Stability and Cyberspace

– Philipp Grabensee: Defense counsel and former chairman of Afilias

Cybersecurity Challenges and Strategies for Developing Economies: A Comprehensive Panel Discussion

This panel discussion brought together experts from various fields to explore the cybersecurity and cyber defence challenges facing developing economies. The conversation was solution-oriented, emphasising practical approaches to improve cyber defences in countries with limited resources.

Key Challenges for Developing Economies

The panellists agreed that while cyber threats are similar for developed and developing nations, the latter often lack adequate preparation, skilled personnel, and effective policies to respond. Merike Kaeo highlighted the significant skills gap in cybersecurity professionals in developing countries, while Ram Mohan stressed that the first point of failure in cyber incidents is often the lack of preparation among systems and people.

The discussion revealed a consensus on the critical importance of capacity building and skills development. Christopher Painter emphasised the need for technical assistance, while Wolfgang Kleinwächter argued that developing countries should define their own cybersecurity needs rather than relying solely on exported models from developed nations.

Essential Skills and Strategies

Merike Kaeo identified critical thinking, effective communication, and promoting collaboration as crucial skills for Chief Information Security Officers (CISOs) in developing regions. She also emphasized the importance of CISOs being stakeholders in developing national cybersecurity laws and regulations. Ram Mohan emphasised the importance of preparation, people, and policy as key factors in cybersecurity readiness.

Several speakers, including José Cepeda and Christopher Painter, stressed the importance of international cooperation and trust-building between nations to combat cyber threats effectively. Merike Kaeo echoed this sentiment, highlighting the value of collaboration and information sharing between countries.

Importance of Preparation and Drills

Ram Mohan and other speakers emphasized the critical role of preparation and regular drills in enhancing cybersecurity readiness. They stressed that organizations and nations should conduct frequent exercises to test their response capabilities and identify areas for improvement.

Future Cyber Threats

José Cepeda provided a forecast for cyber threats in 2025, highlighting the increasing sophistication of attacks targeting critical infrastructure and supply chains. He also discussed the potential role of artificial intelligence in both offensive and defensive cybersecurity measures.

International Forums and Frameworks

The panel discussed the challenges developing nations face in participating in numerous international cybersecurity forums due to limited resources. Christopher Painter highlighted several important forums, including the UN Open-Ended Working Group, the Global Forum on Cyber Expertise, and the upcoming WSIS+20 event. Wolfgang Kleinwächter pointed to the African Digital Compact as a model for regional strategies.

Olga Cavalli raised the question of how developing countries can find the time and resources to prepare information for sharing with colleagues, highlighting the practical challenges of international cooperation. She also noted the language barriers in accessing cybersecurity information, a point echoed by Ram Mohan, who stressed the importance of accessibility of information in the right language and at the right level.

Legal and Policy Considerations

Philipp Grabensee cautioned against hastily creating new laws in response to cybercrime, emphasising instead the importance of enforcing existing laws and building capacity. He also discussed content-related crimes and the potential negative consequences of rapidly implemented legislation. This view aligned with Ram Mohan’s focus on preparation and policy implementation rather than constant policy changes.

José Cepeda discussed the development of common certification systems in the EU, while Christopher Painter stressed the need for political will to prioritise cybersecurity.

Practical Approaches and Resources

The panel suggested several practical steps for improving cybersecurity in developing economies:

1. Utilise existing resources like the Global Forum on Cyber Expertise (GFCE) framework and materials.

2. Implement established guidelines such as Australia’s Essential Eight principles and the Center for Internet Security’s 10 essential controls.

3. Focus on practical, small steps in building cyber defence rather than overwhelming large-scale changes.

4. Encourage developing nations to set up national CSIRTs (Computer Security Incident Response Teams).

Ram Mohan emphasized the importance of taking small, practical steps in building cyber defense for developing economies, rather than attempting comprehensive changes all at once.

Changing Nature of Cybersecurity Personnel

Wolfgang Kleinwächter highlighted the evolving role of military personnel in the context of cybersecurity, noting that future conflicts may require different skill sets and approaches compared to traditional warfare.

Conclusion

The discussion highlighted the complex challenges facing developing economies in cybersecurity, emphasising the need for capacity building, international cooperation, and strategic resource allocation. While there was broad consensus on the importance of these issues, the panel also recognised the need for tailored approaches that consider the specific contexts and needs of developing nations. Moving forward, the focus should be on implementing existing frameworks, building human capacity, and fostering sustainable, locally-driven cybersecurity strategies that prioritize preparation, skill development, and practical, incremental improvements.

Olga Cavalli: It’s Chris, I can hear you. Wolfgang and Rob, they have their own conversation, I could tell from here, so… Hello, hello. Okay, perfect. Okay, thank you for being… Hola. Thank you. Let’s start, because we have only one hour. Thank you. Thank you very much for being with us. Thank you, Philip. Thank you, Chris. Thank you, Meike, for being with us remotely. And finally, we have another big audience, but here are the good ones. More people are coming. But as we only have one hour, and we have a lot to talk about, I would like to start. First, thank you to all of you. Thank you, Jose. Thank you, Wolfgang. Thank you, Rob, Philip, Meike, Chris, and those of you who are here with us. We have this space to talk and exchange some ideas about cyber security and cyber defense in developing economies. We have some issues here. So, I would like first to start presenting our distinguished panelists. We have Mr. José Cepeda. He’s a European parliamentarian. He’s from Spain. We have Marike Keo. She’s from remote. She’s CISO and board member and technical advisor. Hi, Marike. We have Ram Mohan here with us. He’s chief strategy officer of Identity Digital. And he was former ICANN board member. We have Chris Painter, our dear friend Chris, from remote from the United States. He is the director of Global Forum on Cyber Expertise. And Chris was the first cyber diplomat in the world. So, he’s very well known for that. We have Professor Wolfgang Kleinwächter, also a very good friend of us. Professor emeritus of University of Aarhus and former commissioner of the Global Commission of Stability and Cyberspace, GACSC. And we have our… Our dear friend, Philippe Grabenze from Germany, he is the defense counsel and former chairman of Afilias, which is a company devoted to DNS services and internet services. So thank you all for being with us. And I would like to start from a statement from José Cepeda from the European Parliament. Jose will make some remarks in Spanish and I will translate into English. And if you want to practice your Spanish, it’s a good moment to listen to Jose. Jose, the floor is yours. Thank you.

José Cepeda: It’s okay. Good. I will. Okay. Well, thank you. Thank you all. Thank you for your invitation about this panel. It’s very important for Europe, for the Parliament of Europe to debate about cyber security and cyber defense. But we say it is very important to speak in Spanish to a Latin America area. It’s very important for us. Yes. Well, I want to speak a little bit in Spanish, especially for that area so important to the world. It is America, with our colleagues, who are doing an immense job, a great job in recent years to promote the policy of cyber security and the policy of cyber defense in all their countries. From the European Parliament, my introduction, what I wanted to contribute is a bit the work of projection that we are doing, a prospective work in a very complex world context, based on multiple military conflicts that we are also having at the border of Europe with Ukraine, for example, the whole Middle East, which is affecting us. Europe to become aware of the importance of future forecasts and where we also have to direct our cybersecurity policies to protect ourselves. In this sense, I would like to share with all colleagues the work that is being directed towards hybrid cyber-threats, starting, on the one hand, with the multi-channel attacks, which we call them like this, which are, in the end, the famous state actors sponsored by states that are working in a direct way, in a multiple way. First, they generate disinformation structures and, on the other hand, what they do is spread them. In this way, they also make the countries unbalanced in some way. Of course, we are working on this analysis. We are also talking about technical cyber defense, which is a very important element where artificial intelligence is opening a new path, let’s say, for the bad guys. And what we also have to do in the field of defense is to work to protect ourselves, generating cyber-shields also based on artificial intelligence that make forecasts of possible cyber-attacks and, above all, high-level structures to respond in real time. I mean that artificial intelligence, as a technology, is not only going to serve the bad guys, but also all European structures, for example, are already working in that direction and in that direction. There is also a very important element that is linked to what is mass espionage. I am talking about critical platforms based on the satellite network, encrypted communications, data processing centers, which, for example, according to the European Agency, European Cybersecurity Agency, CENISA, will use methods where the use of advanced, stealthy, deep malware, for example, using the infiltration techniques in Firmware, will be very common. Personally, I am very concerned about the training of countries in the field of putting themselves at the forefront, for example, in quantum computing. That is a question that we are going far behind. I mean, there are many private companies that have it, and yet there are many governments that do not have it, because large investments are needed, and that is also one of the very important issues that we are going to work on. The forecast for next year is also based on the automation of cyberattacks around polyphonic malware, based on artificial intelligence, with a malicious mutant code, that is, a code that is inserted in critical infrastructures, and that, possibly thanks to the technology based on artificial intelligence, is mutating as possible cyber defense structures are developed, in this case, by the institutions or governments. That is going to be very complicated, but precisely because of that, it is also very important to know how it will evolve in the coming years. Regarding autonomous cyberattacks, talking about bootnet systems, distributed attacks based on DD2, for example, without a doubt, they will reach new scales, they will be programmed and adapted precisely, dynamically, based on technology based on artificial intelligence. Perfect. Very good, very good. Thank you, José. I will translate. José is explaining to us all the preventions. and activities that they are doing about cyber security and cyber defense forecast for 2025. So first he spoke about the escalation of hybrid threats by integrated multi-channel attacks from state and state-sponsored state actors that combine cyber attacks with disinformation, digital sabotage and kinetic activities. As an example, he explained the manipulation of ICS networks to dispute power followed by disinformation campaigns to maximize social impact. Then he explained to us about the technical cyber defense about early detection systems with machine learning algorithms that will be necessary to identify patterns in these hybrid actions. And then he explains about targeted mass spionage, critical platforms such as satellites and critical communications and distributed data centers will be prime targets. According to EISA, what’s EISA? That’s the European Cyber Security Agency. Methods will include the use of advanced deep stealth, malware and fear web infiltration techniques. Then he explained to us the automation of cyber attacks based threats and artificial intelligence based threats. Not only artificial intelligence used by bad actors, also for good actors. Polyphonic malware with artificial intelligence. Attackers will use artificial intelligence to generate malicious code in real time that evades traditional detection solutions. This type of malware will be especially problematic for environments that are not updated or do not implement artificial intelligence based adaptive systems. Then he explained to us about autonomous cyber attacks. attacks, about botnets, systems that distributed attacks, such as the denial of service. We reached new scales by being programmed to dynamically adapt defense responses. And then finally, he explained about technical cyber defense, CM, security information and event management, and SOAR, security orchestration, automation, and response platforms will be essential for managing automated responses. All these are issues about the cyber security and cyber defense forecast that they are

Olga Cavalli: preparing for the next year. It seems like we have a round of comments, if that’s possible. OK. I would suggest, after these very interesting comments that Jose made about the forecast for cyber defense in 2025, I would like to go to the questions to our panelists. Allow me to find my script. So Marike, are you there? Now I can hear you because. Marike, you’re an experienced CISO, so you’re a woman devoted to cyber security. And based on your experience, which are the skills that a CISO must have, especially in a developing country, to deal with challenges that developing economies usually face in relation with cyber security and cyber defense, and also after what Jose shared with us, which is the threats that are forecast as they see that for the next year. And welcome. Thank you very much for joining us.

Merike Kaeo: Yeah. Thank you very much for the question. Yeah, being a chief information officer is a position that has evolved over the years. And it can mean different things to different people. However, to me, the role has always meant that you are the person responsible for developing and implementing the strategy to provide resilience and trustworthiness in our digital environments. And in developing countries, where sometimes they are still evolving to create effective regulation and also national cyber security laws, you are most often also a stakeholder and should be in the room to be a voice, and especially so if you’re a CISO in critical infrastructure. So I’m going to list three primary skills. One of them is that you absolutely must have critical and strategic thinking. And part of that is because in developing economies, you’re often faced with challenges that include lack of resources. And it’s not always financial. There’s really, I think, the biggest challenge is a skills gap, where you just don’t know or you don’t have the people that can help with overall cyber security roles. And this lack of resources and effective team means that sometimes the CISO has to be the security architect, the security operations team, the security operations center, the incident response team, and the threat intelligence team. They have to do everything while they’re trying to prioritize what needs to be done and how do you actually get it done. So by utilizing strategic thinking, a CISO in developing economies can determine when to outsource and which tasks need to be prioritized. Most developing nations or companies that provide cyber security help will have usually a list of the top five or 10 items to do. And they think, oh, that’s not so much. Well, in many developing economies and with the lack of resources, you might only be able to one or at most two of these items. So which ones do you choose? And when outsourcing, it is extremely important to be strategic and ensure that capacity building training is included so that developing economies can build internal knowledge and expertise to provide for future opportunities within their own countries. It can also be beneficial because sometimes in developing countries, there are language constraints. So being able to communicate. in your own language. The second skill is having effective communication skills because you must be able to communicate critical risks that are relevant to your organization, industry, or nation state. And as I previously mentioned, you are a stakeholder typically in perhaps developing legal constructs and also regulations within your developing country. And effective communication can also help build trust and collaboration, which is what brings me to the third extremely important skill of being able to promote collaboration and information-sharing. This is absolutely critical in developing economies. We all learn from each other. I’ve had the privilege to work in a very global environment, and I know that the Pacific Island nation-states, Southeast Asia, Latin America, Africa, the Balkans, I mean there are many, many information-sharing groups that are region-specific. And this very much helps developing economies because within a region you usually have different levels of maturity when it comes to cybersecurity, either defense or understanding or skills. And so it’s not even that you just build up sharing groups within your own sector, being financial or health care or what have you, but sometimes also you have similar issues based on geographic region. So that information-sharing and collaboration as to which threats you’re most vulnerable to, right, what is actually happening in your region is extremely important. And also what is critical regarding collaboration is that you must know who to escalate when, as a CISO, when you see that there’s nation-state relevant information that is specific and that can target your specific nation-state or region. So to sum it up, I think the three skills that are really important are one, critical and strategic thinking, two, effective communication, which means with the technical sector, with policymakers and regulators, and also three, which is extremely important to me, is promoting collaboration and information-sharing. So thank you for that, for giving me a chance to enumerate on those aspects.

Olga Cavalli: We always go to the one of the things that we will talk always talk about capacity building learning and exchanging information I think this is so important, but sometimes, and having work in several technological environments. We don’t have that much time, and have very few resources. So, sometimes, not that you don’t want to share the information is you don’t have the time to prepare the information to be shared to other colleagues because sometimes you have to reshape it or prepare it to be easily exchanged among colleagues. So that’s something that has happened to me and maybe something that we lack of the time or somehow a resource that could help us is making the communication easier. So, expert in critical infrastructure which I consider DNS and critical infrastructure. And you are the chief strategy officer of a very big company that has an infrastructure, start all over the world, and that was security is is a main issue issue because if the DNS doesn’t work. Most of the activities that we go on the internet won’t be possible to perform. So, how do you think that in a developing economy. How is this critical infrastructure being protected how how which measures should the local people and actions can be taken to protect this national and critical infrastructure from cyber attacks.

Ram Mohan: Thank you. Can you hear me. Okay, great. Thank you. We have the privilege of serving both developed nations as well as nations that are developing. Right. So we run the the critical infrastructure of australia.au we’re the designated service provider and we’re actually designated a critical infrastructure provider for Australia, a developed nation. But we also do this for many other smaller countries, countries in the Caribbean. We do this for Belize. We do this, we’re gonna be doing this shortly for anguilla.ai in just a little while. And what you find is that the nature of the threat is not any different. The kinds of threats that developed nations encounter and the kinds of threats that developing nations encounter are no different. The scale and size of the threats are also often not much different. And what is different is preparation, people and policy. Those are the three things that distinguish the responses of a developed nation from a developing one. America already spoke about resources and you spoke Olga about accessibility of information. It’s not enough to just have the data on what the threats are and how to respond. It is important to have it accessible in the right language, at the right level, you have to calibrate it. But in reality, in my perspective, when the problem actually happens, when you have a nation under attack, a nation’s assets, critical assets under attack, when you have the banking system that is crucial being targeted, when you have telecommunications networks that are in trouble. The very first thing that fails are the systems and the people who are unprepared. And it doesn’t matter if you have great resources, great knowledge, great education, but you will find, and this is true even in developed nations, but it’s especially true in developing countries, there is no preparation for it. They have read the paper, they have seen the website, they have even had a discussion at the cabinet level on the DDoS attack that had happened or the fact that you need to secure your routers, right? So they have the theoretical knowledge, but when the attack happens, they’ve never drilled about it before. So what you find is that that preparation is the crucial difference between a developed nation’s response to a cyber attack and a developing nation’s response to cyber attack. The second thing is people. Often you will find in developing countries, the people who have the knowledge to distinguish whether a problem that is occurring, to distinguish whether that is an attack or merely an error, there are only a few people who know it. And if those people are not available or on vacation, right? I mean, I can tell you a story in one of the countries that we serve, there was one primary person responsible for cyber defense and his wife was giving birth, he was in the hospital, the country came under attack and the systems went down. because he had to choose between being there for the baby or being there for the country, and he chose the baby, right? But that’s a, it’s a real life issue, right? So people, second thing, you just don’t have enough resources in that area. The third part is policy. You find in developing nations, governments, they look at, say, the UNSDG. They look at the various protocols or capability and maturity models. JCSC had a bunch of norms that they developed on safety in cyberspace. They are excellent frameworks, but you need governments to actually take those frameworks and implement policy so that it gets into curriculums, it gets into training systems, it gets into other governmental departments. It becomes a priority for those departments. An example there, if you look at Australia, for instance, several years ago, they got really concerned about cyber defense, and the government came up with what they called the Essential Eight. These are eight essential principles for cyber defense. They include well-known things like two-factor authentication, et cetera. But what they did was they implemented policy. They said every government department within 12 months must implement the Essential Eight. And then two years later, they said every critical infrastructure provider must certify implementation of the Essential Eight, right? So I think what you need in developing economies for success here or for a proper cyber defense strategy is… reparation, people, and policy.

Olga Cavalli: And then the policy, the eight things, very interesting. Although I think that also developed companies and countries are also attacked. So that caused my attention because there are nations and companies that have a lot of resources to have a very secure infrastructure, even though they get under attack. And so developing economies are in a much vulnerable situation, yes. So it’s preparation is the issue, okay. So I would like to go to Jose, you share with us more of your… I don’t know if you can continue commenting. We go with the forecast made by… I don’t speak, no, no, no, no, no, no. Yes.

José Cepeda: Well, the next points I want to just say about cyber defense, and it’s very, very important is collaboration at a level to international. Spanish said that’s the oldest possible with… So, yes, sorry, I try in Spanish and in English. Well, no, I’m not going to say what we have, but cyber defense and international collaboration, especially for our listeners and collaborators in the Latin American space. It is very important to convey that there is a unique structure that can unite everything. is trust between countries, trust between governments, trust to develop international cooperation policies. In all my experience that I have had over the years in work in Latin America, and it is something that we are also starting to develop in a very important way in the European context, just a few weeks ago, the Finnish Prime Minister, Nyn Nistro, presented a report talking about cooperation and European intelligence to unite the 27 countries of the European Union. Well, in that context, joint work of NATO, of the Organization for the Transatlantic Treaty with the European Union, to promote a great cyber coalition, precisely based on trust, to be able to work in a single European common intelligence system. Here I have some colleagues from the European Parliament, Galvez and some others, who have been working in a very important way, the NIS2, which is a cooperative environment, also a series of rules that are setting the pace for the 27 countries, a series of standards based on cybersecurity, which will undoubtedly be the environment of the future, such as the Cyber Security Matrix Certification, which is very important, because it implements common certification systems throughout the context of the European Union, precisely speaking of critical infrastructures for the 27 countries. Well, in short, I don’t want to extend much more. I think that, especially thinking about next year, in 2025, the main cyber threats will be based on a greater sophistication of cyberattacks, the use of artificial intelligence as a weapon, both offensive and defensive, an increase in the risks. associated to technology, based on the Internet of Things and, above all, the supply chains. And the cyber defense strategies must include active defense measures, must include predictive intelligence, based above all on artificial intelligence, and a series of solid regulatory frameworks based on that international cooperation that I mentioned, and, above all, a protection of the physical, critical infrastructures, also based on new technologies. I believe that the future bet is going to be a reality in the coming years, and it has a lot to do with quantum computing. All countries are witnessing quantum computing in a serious way, precisely to develop the entire structure of artificial intelligence, and, of course, the bad guys, to name a few, who are already using it, will have much more resources within their reach. And we play a lot in this, not only the government structures at the civil level, but, without a doubt, all the armed forces and all the structures also at the military level and at the level of the defense of all our countries. So, what Jose explained is a very interesting issue, is that there is a thing, which is trust, trust among different countries. And he explains that a presentation made by the Minister of Finland and Europe, is a piece of personal information by the Minister of Finland, that Ursula von der Leyen expressed that cooperation, want to create an intelligence European cooperation agency, something like that. It’s a project based on trust and there is a joint work with the organization, the Coalition based on Trust, and a unique way of harnessing all these threats. We think that for next year we expect more sophistication in all the attacks, that the use of artificial intelligence will be not only for defense, but also for offensive attacks. There will be also attacks done through Internet of Things, things connected to the Internet, in the supply chains using Internet of Things. So all the strategies of cyber defense must use predictive intelligence, and also the regulations frameworks must be based on trust, and also the quantum computing must be considered, because this big capacity that the computers will have in the future will have a very big impact in cyber security and cyber defense. Not only for the countries, but also for the military forces. Okay, thank you very much, Jose. Now I will go to my… There’s something in the… How…

Olga Cavalli: We finished this gap that exists in human research in cyber defense. Just for you to have an idea, my university, we have opened a new career, cyber defense, and we had one person in one month. So the high demand people didn’t have some time. So Wolfgang, what do you think?

Wolfgang Kleinwachter: It’s indeed a difficult question, and it was already mentioned by previous speakers. We have this gap, the skill gap, which is clear. We have the resource gap. And then what Ronald said, preparation, people, and policy are the differences, but it’s a complex problem, which you cannot settle with one hit. So that means you have a number of different initiatives, which pull together a stream which will enable the developing countries or the global South to step by step to close the gap. And certainly, it needs also help from the global North. Help, I would say, quote unquote, in quotation marks, because the best help is if you just provide resources which enable those countries to find their own way, because otherwise they are just a target on the export of models. And I see here a problem, because the whole world agrees capacity building in AI and capacity building in AI, in every domain, is extremely important. There is no disagreement. But what we have seen in the General Assembly of the United Nations this year, we had two resolutions, one sponsored by the United States and one sponsored by China, and the Chinese resolution in particular is about AI capacity building in third world countries. So and it got the overwhelming support. Americans even supported the Chinese resolution and China supported the U.S. resolution. So that’s fine. There is no reason to be against it, but there is a risk in it that just, you know, capacity building organized by China will include the export of the Chinese model and the capacity building offered by the United States will include the export of the American model. So I think the challenge is really, and this goes to policy and people, but that means developing countries and the global south has to develop its own strategy and to define exactly what they need. And if they have a list which specify exactly the needs, then they can ask who can help to set up the needs so that you are not dependent on the big brother or the big sister or the big uncle, but you start from your own needs. And I think this is an important point and has to guide the strategy, the long-term strategy for the global south. That’s why the African digital compact is so important because, you know, they had their own digital compact which was in the cradle of the global digital compact in the United Nations, but the African digital compact has specified the specific needs of Africa. And what is relevant for the general digital strategy for those countries is also important for the defense sector, for AI, because what Ron has said, you know, there are no, you know, if it comes to attacks, it’s no difference whether it’s developing countries or developing countries. That’s the same. The question is how you react, how you prepare the people, and how you have policy in place, and in particular this preparation aspect, so that you have, you know, not only one person, but, you know, a backup for the person that is in a vacation, the other one should be in the office. So I think that’s a problem. But if it comes to another aspect, which includes also the preparation of military personnel, so I was in another workshop a couple of months ago, where they discussed, you know, what is the type of the soldier of the future, how to train the soldiers of the future. You know, in the 20th century, you needed strong young men who could, you know, move very fast. But today, you know, if you have a young man who has over it and sits and is very capable with this computer and with the keyboard, he’s probably the better soldier. So I think this will, the whole AI revolution in the military field will change also, or it’s a challenge to understand how to train the soldiers of the future. So the best thing is you do not need them. So that means peace is always better as well. But you have to be prepared, and if you have the wrong soldiers, then you will lose the war in the 21st century. I like this soldier of the future concept.

Olga Cavalli: I think it’s very interesting to think about, but about this independence that the countries should have about capacity building. There is a big challenge because the technology is developed in few countries. I mean, I would say mainly in two countries and all the rest of the world is producing that technology. So capacity building comes also based on which technology are we using. I would like to ask Chris, Chris, are you there? Thank you for being with us. It’s a pity not to have you here at the IGF. You’re an expert in cyber diplomacy, the first cyber diplomat in the world and international relations. Which are the international and regional debate spaces our developing economies should focus on about what is happening, especially considering that sometimes you don’t have the resources to follow the spaces and to go to all the meetings. Which one would you say are the most important ones?

Christopher Painter: Olga, thanks. Good to be with you all. Sorry, I can’t be there in person. I wish I was, but sadly I’m not. I’d say a couple of things. First of all, just that is a real problem that there’s a myriad of different forums, things that people should, particularly developing world countries, global South should be in, should be participating in not just to gain the knowledge, but also to gain, to share their experience because that’s critically important. And just to the point that others have said, when we talk about capacity building, I view that as a foundational element for everything else in cyberspace. If you don’t actually have the capability, both the policy capability and the technical capability, you can’t really participate either in these forums well or secure your own systems or respond to attacks. So that really is, I think, the connective point. And for me, when I’ve seen that, as someone, as it was also noted, as Rahm noted this, you need a number of different factors, including the political will in the country too, not just the technical people saying they want the training, but also the political. commitment that this is a real priority for them. And that’s becoming more real, but that’s been hard. And that’s why for the Global Forum on Cyber Expertise, for instance, one of the groups that I do a lot of work with and have for years, which is a capacity building platform that has 60 countries, a couple dozen companies, civil society, and academia, we’ve moved very much to a demand-driven approach, as was said, that ask the global South what do they want, rather than saying, here’s what you get. And that’s a much more sustainable model. But in terms of the forums that you mentioned, there is obviously the UN, the Open-Ended Working Group, in particular, which is dealing with cyber. I’d say that when that first met, the first one of those, and now about eight years ago, I was struck by the number of developing world countries who came and said, look, we’d love to debate things like norms and these esoteric concepts, but what we really need is help. We need help with our own capacity. We need help in building our institutions and our technical capabilities. So that’s a critical one. I’d say there’s some good news story on that in trying to get more global South participation, particularly a women in cyber program that’s been administered by GFC, but many countries behind it. And there’s been lots of women from the developing world have been going to and participating and making interventions in that session, so that’s important. There’s been training that UNODA has done for cyber diplomats, especially in developing world countries. And of course, there’s a number of others, Diplo and others have done that, and that’s important. Coming up this year is the WSIS plus 20, which will be a big deal, I think. It’s hard to believe that we’re already at plus 20. I remember plus 10, but that’s an important one, I think, for developing world countries to be at. The GFC, our platform, we have 220 members and partners. We have regional. What’s important is we’ve created regional hubs to allow these countries to more easily interact, including in the Pacific Islands, ASEAN. the Americas region with OAS, African Union, and so that, and the Baltics. So that gives, that’s some way these institutions are trying to come to the community. The ITU, I think, is important, more on the technical side. FIRST, for first responders and CERTs. The Council of Europe and the UNODC for cybercrime issues. And so, as you noted, the problem is there’s so many different forums that these folks could attend. You need the right people to attend. You can’t just have your representative in New York, for instance, in the UN, go to all these meetings unless they have expertise. And you need the ability to attend them. And even for big countries, trying to attend all these meetings, these plethora of these meetings is hard. For small countries where it’s one person, and I’ll give you an example, a Pacific Island country, wonderful person from Fiji who is both doing their cybersecurity there, but she’s also traveling to New York and these other forums to try to participate. It’s very difficult on them to be able to split that time. And so we need to figure out how we can more constructively engage with the developing world and allow them to be part of these forums because it’s critically important. And obviously the IGF is another forum as well. So that’s a real challenge because we can’t simply have the developing world at one level and the rest of the world at another level. We need to make sure, for practical reasons too, even for the developing world’s standpoint, they need a lot of countries to work with them to be able to go after cyber threats, which are often routed through these countries if they don’t have strong laws or capabilities.

Olga Cavalli: Thank you, Chris. And the good thing is that now most of the events are hybrid and many things get recorded. I know it’s not the same. It’s lovely to be here and interact with people, share coffee, share a sandwich. But if you want to do research or you want to know about something, you can find information online. And luckily, several languages, which And language is also a big barrier. At least for Latin America, it’s a big barrier. Not everyone, not everyone speaks English. In order to understand foreign speakers or read clearly the documents. And now I would like to go to my dear friend, Philip Graves. I say Philip is a defense counselor and an expert also in DNS structure, which is a critical infrastructure because he was former chairman of Affiliate who was a company. Now it’s merged with another company, but it’s a global company that manages DNS infrastructure. Philip, how do you think developing economists can find guidance or reference in order to legal update their legal frameworks who will fight against cybercrime around prevention as an important thing, regulations and policy? So how can that be really considered and up to date? So the agility in the development of this regulations and welcome and it’s a pity that we don’t have you here, but we are seeing you online.

Philipp Grabensee: Thanks for having me. And this is a tough question to answer in the remaining two, three, four minutes I have, but let me try to summarize that a little bit and make a few points regarding that. So far, we have basically talked about crimes against computer systems, but another big part is of cybercrime and fighting crimes is the content related crimes. And let me, and I think we cannot learn too much or of course we can learn, but we can also learn from the mistakes, which has been made within. legal frameworks, because every time something horrible happens, and I will give you an example for that, the society and the people are calling for new laws and new tools for enforcement agencies and increasing of laws, and a lot of times this crying and asking for new laws has very negative side effects, and I think the problems are really somewhere else, or a lot of the problems are somewhere else, and I think in the discussion we had, you know, some, you know, it has become very clear that the problems are not so much the laws or the framework or technology, but it’s really that people are unprepared, or the problems are the, you know, what Marek calls the skills gap you have, and as much as you have the skills gap in, you know, people in the technology field, you have also the skills gap or people unprepared in law enforcement, and so it’s not really the technology, it’s not so much a framework, it’s really about, you know, the skill set missing, and the preparation of the people, so the example I’m giving you here, it’s a, you know, an example of, you know, horrible cases of, you know, possession of child sexual abuse material in Germany, so there were horrible cases in the news, a lot of big outrage in society, and laws were increased and new laws were passed, and, you know, reform of the German criminal law, which in the end led to unintended consequences for teenage sexual expression to the digital media, because suddenly all kind of, you know, exchange of information and exchange of pictures from teenagers, you know, on media were suddenly criminalized and a crime, so that was a really negative side effect, you know, of that calling for new regulations. And the real problem was, why was law enforcement not effective before, you know, against, or why is law enforcement, or where’s the weaknesses still in law enforcement to fight against, you know, these horrible crimes? The problem is you’re lacking well-trained and, you know, the capacity of well-trained people in law enforcement. That was really the problem. And this problem has not been solved by increasing, you know, increasing fines or introducing new paragraphs, making certain behavior, or criminalizing certain behavior. It is the same, what counts, what Rom said, what Marengo said, it’s really the capacity of the people, the capacity building, the training of the people, the skills gap. In the specific example of, you know, sexual abuse material, we were just lacking in, you know, in Germany, we were lacking the, you know, the police enforcement officers who were prepared to the exposure of traumatic material, who had the psychological training to deal with that. We had not enough people to do it, and not prepared people to go through the internet and look at this content. So that’s why, you know, still it’s a problem. So what you need is really also here, of course, frameworks help, and also you can have then framework for capacity building. But it’s not so much a frameworks, and it’s not so much a laws. It’s really about, you know, it comes down, so, you know, still it comes down to the people. Of course, it’s official intelligence helps you to, you know, go through the internet and identify, you know, potential, you know, crimes. But in the end, it has to be people who look at it and bring it to prosecution. And that what really, you know, what really, you know, what really helps protect the victims of those horrible crimes. So I can only echo what my colleague says. Also, in regard to content-related crimes and enabled and related crimes, it’s the same as what accounts for crimes against the computer system itself.

Olga Cavalli: It’s not only having the policy, it’s making it work, making it relevant. Because if not, how to make it relevant? So we have five minutes. Is anyone in the audience who would like to add something or make any comment? Or we make a final one minute per speaker, and we have to leave the room. I will start with Ram, who’s looking at me directly.

Ram Mohan: Thank you, Olga. This is a really terrific set of comments that have come through from everybody. What strikes me as a useful next step is to think about collating the information that has happened in a session like this and to go back and look at developing countries, at least those who you know, who we know, and check whether this will actually work. You know, you see what GFC is doing, what Chris was talking about what GFC is doing. They already have a framework. They already have material that is available. And I think that we ought to look at what’s already done, not reinvent the wheel, in building cyber defense. Effective cyber defense is not new cyber defense. Effective cyber defense is cyber defense that has already worked, and more importantly, defense that has already failed and therefore been patched. So that, I think, is kind of the way to look at it. Let’s be practical. Let’s take small steps, because the large steps will overwhelm developing economies.

Olga Cavalli: Thank you. Wolfgang?

Wolfgang Kleinwachter: It’s not a theoretical question. It’s a very practical question. It’s just implementation. You have to do it.

José Cepeda: Thank you. Well, I see three pillars. People, policies and preparation. It’s very, very important. Three pillars are necessary to all countries. This is not the future. It’s the present. It’s necessary now.

Olga Cavalli: Thank you, José. Marika, your final comments?

Merike Kaeo: Chris had mentioned first, and I had the privilege of helping a developing nation set up their national CSIRT. I think that is critical, and there are many, many guidelines that exist that also talk about the legal constructs and the regulatory frameworks that countries should have within their own culture, within their own legal systems, to build up this national CSIRT that I think will greatly help developing nations.

Olga Cavalli: Thank you very much. Chris, your last comments?

Christopher Painter: I think it goes back to what we were saying before. This is a critically important area. You need the political will in countries. You need sustainability and continuity, which is always difficult, and you need non-duplication. I think as we try to match resources with the needs, and the needs are great, there are a number, and I totally agree, don’t recreate the wheel. There’s lots of stuff out there. It’s an important area. The Sybil portal that the GFC runs has hundreds of projects, calendars, things that I think are helpful, and it’s publicly available. It’s not limited just to the members of the GFC. It’s been linked to the UNIDIR cyber policy portal at the UN portal, and so that’s, I think, a really good cross-linking resource. And the last thing I’d just say is, On the topic of things that are out there, I also am on the board of a nonprofit called the Center for Internet Security, which like the essential aid has the 10 essential controls. So a lot on cyber hygiene is available. So I agree. Coaliting what’s there rather than recreating things is critical.

Olga Cavalli: Thank you. Philipp, your last comment.

Philipp Grabensee: I think I can just really echo the last four comments. I think we all came out, you know, in the end to the same same opinions implementing not just, you know, the same thing, not recreating the wheel means also not always making new laws, new laws in force, recreating not recreating the wheels means in law enforcement, you know, just enforcing existing laws and building capacity for people to enforce those laws. That’s the way to go forward. And also because existing laws have always shown that they, you know, they have gone to the critical test of, you know, how they how they relate to human rights and constitutional rights. So always creating new laws, you know, always, you know, puts a lot of danger. You know, talking as a defense counsel puts a lot of danger, you know, because then those laws has to be under, you know, has to be under looked at, you know, from from all kind of perspective. And a lot of things go wrong when you lost being passed, especially in a hurry. So not recreate the wheel, not just do new words, implementation and enforcement of existing tools and laws. I think that that’s the way to go ahead.

Olga Cavalli: Okay, please help me applauding our dear friends and colleagues for a very interesting session. And for the remotes, don’t go away, we will take a picture. Don’t go away. We take a picture with you. Oh, thanks to you. ¿Me sacaste una foto? Yes. Espero que se vean ellos. Estoy aquí en el medio, ¿no? Sí, por favor. All right, thanks, have a great day and see you wherever, maybe next year in Oslo, who knows. All right, see you guys. Take it easy. Happy Christmas. Happy season. See you soon.

Agreement Points

Importance of capacity building and skills development

Merike Kaeo

Ram Mohan

Christopher Painter

Wolfgang Kleinwachter

Skills gap in cybersecurity workforce

Lack of resources and preparation for cyber attacks

Importance of capacity building and technical assistance

Developing countries should define their own cybersecurity needs

Multiple speakers emphasized the critical need for capacity building and skills development in cybersecurity, particularly for developing economies. They agreed that addressing the skills gap and providing technical assistance are fundamental to improving cybersecurity capabilities.

Need for international cooperation and trust

José Cepeda

Christopher Painter

Merike Kaeo

Need for trust and international cooperation

UN Open-Ended Working Group as an important forum

Collaboration and information sharing between countries

Speakers agreed on the importance of international cooperation and trust-building in addressing cybersecurity challenges. They highlighted various forums and initiatives that facilitate such cooperation.

Similar Viewpoints

Both speakers emphasized the importance of focusing on implementation and capacity building rather than creating new laws or frameworks. They argue that effective enforcement of existing measures is more critical than constantly developing new ones.

Ram Mohan

Philipp Grabensee

Preparation, people, and policy as crucial factors

Importance of enforcing existing laws and building capacity

Unexpected Consensus

Caution against hasty creation of new laws

Philipp Grabensee

Ram Mohan

Caution against hastily creating new laws in response to cybercrime

Preparation, people, and policy as crucial factors

While most discussions focused on building capacity and implementing new measures, there was an unexpected consensus on the need for caution in creating new laws. Both speakers, from different perspectives (legal and technical), agreed that hasty creation of new laws or constant policy changes might not be the most effective approach to cybersecurity.

Overall Assessment

Summary

The main areas of agreement centered around the importance of capacity building, skills development, and international cooperation in addressing cybersecurity challenges, particularly for developing economies. There was also consensus on the need for strategic thinking and prioritization of resources.

Consensus level

There was a high level of consensus among the speakers on the fundamental challenges and approaches to cybersecurity in developing economies. This consensus suggests a clear direction for future efforts in this area, focusing on capacity building, international cooperation, and strategic resource allocation. The implications of this consensus are that international initiatives and policy-making bodies may find broad support for programs that address these agreed-upon priorities.

Different Viewpoints

Approach to cybersecurity capacity building

Wolfgang Kleinwachter

Christopher Painter

Developing countries should define their own cybersecurity needs

Importance of capacity building and technical assistance

While both speakers emphasize the importance of capacity building, Kleinwachter stresses the need for developing countries to define their own needs, while Painter focuses on the importance of external assistance and international cooperation.

Unexpected Differences

Overall Assessment

summary

The main areas of disagreement revolve around the approach to capacity building and the role of international assistance versus self-reliance for developing countries in cybersecurity.

difference_level

The level of disagreement among the speakers is relatively low, with most differences being in emphasis rather than fundamental approach. This suggests a general consensus on the importance of capacity building and international cooperation in cybersecurity, particularly for developing economies.

Partial Agreements

Both speakers agree on the importance of preparation and capacity building, but Mohan emphasizes policy development while Grabensee focuses on enforcing existing laws rather than creating new ones.

Ram Mohan

Philipp Grabensee

Preparation, people, and policy as crucial factors

Importance of enforcing existing laws and building capacity

Similar Viewpoints

Both speakers emphasized the importance of focusing on implementation and capacity building rather than creating new laws or frameworks. They argue that effective enforcement of existing measures is more critical than constantly developing new ones.

Ram Mohan

Philipp Grabensee

Preparation, people, and policy as crucial factors

Importance of enforcing existing laws and building capacity

Key Takeaways

Developing economies face significant cybersecurity challenges, including skills gaps, lack of resources, and inadequate preparation

Critical skills for cybersecurity in developing countries include strategic thinking, effective communication, and promoting collaboration

Preparation, people, and policy are crucial factors in cybersecurity readiness

International cooperation and trust between countries is essential for effective cybersecurity

Capacity building and technical assistance are vital for improving cybersecurity in developing economies

Developing countries should define their own cybersecurity needs rather than relying solely on models from developed nations

Implementing existing cybersecurity frameworks is often more effective than creating new laws or regulations

Resolutions and Action Items

Collate information from discussions like this and check its applicability with developing countries

Utilize existing resources like the Global Forum on Cyber Expertise (GFCE) framework and materials

Focus on practical, small steps in building cyber defense rather than overwhelming large-scale changes

Encourage developing nations to set up national CSIRTs (Computer Security Incident Response Teams)

Unresolved Issues

How to effectively address the cybersecurity skills gap in developing countries

Balancing the need for international cooperation with maintaining independence in cybersecurity strategies

How to ensure sustainable and continuous improvement in cybersecurity capabilities despite limited resources

Addressing language barriers in accessing cybersecurity information and participating in international forums

Suggested Compromises

Using hybrid or online formats for international meetings to increase participation from developing countries

Creating regional hubs for cybersecurity cooperation to make participation more accessible for smaller countries

Focusing on enforcing existing laws and building capacity rather than constantly creating new cybersecurity legislation

Balancing the adoption of international best practices with developing country-specific strategies that fit local contexts

The very first thing that fails are the systems and the people who are unprepared. And it doesn’t matter if you have great resources, great knowledge, great education, but you will find, and this is true even in developed nations, but it’s especially true in developing countries, there is no preparation for it.

speaker

Ram Mohan

reason

This comment highlights the critical importance of preparation and readiness, beyond just having resources or knowledge. It challenges the assumption that simply having advanced technology or information is sufficient for cybersecurity.

impact

This shifted the discussion towards the practical aspects of cybersecurity implementation, especially in developing countries. It led to further exploration of the gaps between theoretical knowledge and practical readiness.

The best help is if you just provide resources which enable those countries to find their own way, because otherwise they are just a target on the export of models.

speaker

Wolfgang Kleinwächter

reason

This insight emphasizes the importance of empowering developing countries to create their own cybersecurity strategies rather than simply adopting models from other nations. It introduces a nuanced perspective on international cooperation and capacity building.

impact

This comment sparked a discussion about the balance between international assistance and local autonomy in cybersecurity. It led to considerations of how to provide support without imposing external models.

It’s not so much a frameworks, and it’s not so much a laws. It’s really about, you know, it comes down, so, you know, still it comes down to the people.

speaker

Philipp Grabensee

reason

This comment cuts through the focus on legal frameworks and technology to emphasize the human element in cybersecurity. It challenges the notion that solutions are primarily about laws or technical systems.

impact

This insight refocused the discussion on the importance of human capacity and training in cybersecurity efforts. It led to further exploration of how to address skills gaps and prepare people effectively.

Overall Assessment

These key comments shaped the discussion by shifting focus from theoretical frameworks and technological solutions to practical implementation challenges, especially in developing countries. They highlighted the importance of preparation, local autonomy in strategy development, and human capacity building. The conversation evolved from discussing broad international policies to exploring specific ways to empower and prepare individuals and institutions for cybersecurity challenges.

How can developing economies find the time and resources to prepare information for sharing with colleagues?

speaker

Olga Cavalli

explanation

This is important because information sharing is crucial for cybersecurity, but developing economies often lack the time and resources to prepare and share information effectively.

How can developing countries build their own strategies for capacity building in AI and cybersecurity, rather than relying on models exported from other countries?

speaker

Wolfgang Kleinwächter

explanation

This is important to ensure that developing countries can address their specific needs and avoid becoming dependent on models from other countries that may not be suitable for their context.

How can we make international cybersecurity forums more accessible and relevant for developing world countries?

speaker

Christopher Painter

explanation

This is crucial because developing countries often struggle to participate in multiple international forums due to resource constraints, yet their participation is essential for global cybersecurity efforts.

How can we address the skills gap in law enforcement for dealing with cybercrime, particularly in developing countries?

speaker

Philipp Grabensee

explanation

This is important because effective law enforcement is crucial for combating cybercrime, but many countries lack the necessary trained personnel and resources.

How can we collate existing cybersecurity frameworks and resources to make them more accessible and applicable for developing economies?

speaker

Ram Mohan

explanation

This is important to avoid reinventing the wheel and to help developing economies implement effective cybersecurity measures based on existing, proven frameworks.

How can developing nations set up effective national CSIRTs (Computer Security Incident Response Teams)?

speaker

Merike Kaeo

explanation

This is critical for developing nations to build their cybersecurity capacity and respond effectively to cyber incidents.