Open Forum #45 Advancing Cyber Resilience of Critical Infrastructure

25 Jun 2025 10:15h - 11:15h


Session at a glance

Summary

This open forum discussion focused on advancing cyber resilience of critical infrastructure in an increasingly connected world where malicious actors frequently target essential services. The panel brought together diplomatic and technical experts to explore how different communities can collaborate more effectively to strengthen cybersecurity defenses.


Pavel Mraz from UNIDIR outlined the alarming threat landscape, noting that nearly 40% of state-sponsored cyber operations in 2024 targeted critical infrastructure, with ransomware attacks surging by 275% and global cybercrime losses exceeding $10 trillion. Timea Suto from the private sector emphasized that companies face diverse threat actors including state-sponsored groups, criminal organizations, and insider threats, but stressed that even well-funded private entities cannot combat these challenges alone without government support and public-private partnerships.


Floreta Faber shared Albania’s experience with major cyber attacks in 2022, highlighting key lessons about cybersecurity being a mindset issue requiring involvement from all organizational levels, not just technical teams. She described significant reforms including expanding their cybersecurity authority from 20 to 85 people and increasing critical infrastructure designations by 50%. Caroline Troein from ITU discussed capacity building efforts, particularly the importance of national CERTs and cyber exercises that simulate real-world attacks to foster cross-sectoral coordination and build trust between stakeholders.


Lars Erik Smevold provided the energy sector perspective, emphasizing that resilience requires understanding cyber-physical systems and conducting regular drills with operational staff. He stressed the importance of cross-border cooperation, particularly in interconnected electricity grids. The discussion concluded with calls for bridging diplomatic and technical communities through practical cooperation frameworks, shared exercises, and inclusive capacity building that translates international norms into real-world protection measures.


Key points

## Major Discussion Points:


– **Current Cyber Threat Landscape for Critical Infrastructure**: The discussion revealed alarming statistics, with nearly 40% of state-sponsored cyber operations in 2024 targeting critical infrastructure sectors like energy, healthcare, finance, water, and telecommunications. Ransomware attacks surged by 275%, and global cybercrime losses exceeded $10 trillion, making cybercrime equivalent to the world’s third-largest economy if measured by GDP.


– **Multi-Stakeholder Collaboration and Breaking Down Silos**: A central theme emphasized the critical need to bridge gaps between diplomatic and technical communities, strengthen public-private partnerships, and foster cross-sectoral cooperation. Panelists stressed that no single actor—whether government, private sector, or international organization—can secure critical infrastructure alone.


– **National Experiences and Lessons Learned**: Albania’s experience with major cyber attacks in 2022 provided concrete insights into building resilience, including the importance of expanding from purely technical approaches to comprehensive capacity building, increasing staff from 20 to 85 people, and implementing new legal frameworks based on the NIS2 directive.


– **Capacity Building and Practical Implementation**: The discussion highlighted the vital role of cyber drills, tabletop exercises, and training programs in building national resilience. These practical tools help translate international frameworks and norms into real-world protection while fostering trust and coordination between different stakeholders who may not have previously interacted.


– **Policy Frameworks and International Cooperation**: Panelists explored how UN frameworks for responsible state behavior in cyberspace can be operationalized through practical measures like point-of-contact directories, crisis communication protocols, and regional cooperation models, while emphasizing the need for “smarter policy, not more regulation.”


## Overall Purpose:


The discussion aimed to explore how to advance cyber resilience of critical infrastructure through enhanced cooperation between diplomatic and technical communities, sharing of best practices and lessons learned, and development of practical frameworks for protecting essential services that underpin modern society.


## Overall Tone:


The discussion maintained a professional yet urgent tone throughout, beginning with sobering statistics about the threat landscape but evolving into a more constructive and solution-oriented conversation. While acknowledging the serious challenges and complexities involved, panelists remained optimistic about progress being made and emphasized practical, collaborative approaches. The tone was notably inclusive and emphasized mutual learning, with speakers from different sectors and regions sharing experiences openly and building on each other’s insights.


Speakers

– **Marie Humeau**: Moderator of the session


– **Floreta Faber**: Deputy Director General Envoy for Cyber Diplomacy, Director of International Project Coordinator and Strategic Development of Cybersecurity at the National Cyber Security Authority of Albania


– **Lars Erik Smevold**: Security and Processor Control Architect, R&D IT and ICS at Stratgraft (energy sector)


– **Pavel Mraz**: Cybersecurity researcher at UNIDIR (UN Institute for Disarmament Research)


– **Caroline Troein**: Cybersecurity Division at the ITU (International Telecommunication Union)


– **Ms. Timea Suto**: Global Director Policy Lead (private sector perspective on critical infrastructure protection)


– **Mr. Akhil Thomas**: Strategy and Operation Manager at the Global Forum for Cyber Expertise (session summarizer)


– **Participant**: Works for an IT company owned by the Church of Norway (identified as Eirik)


**Additional speakers:**


– **Gautam Kaila**: Chief Executive Officer of the Global Cyber Forum (mentioned in introduction but did not speak during the recorded portion)


Full session report

# Advancing Cyber Resilience of Critical Infrastructure: A Multi-Stakeholder Forum Discussion


## Executive Summary


This comprehensive open forum discussion brought together diplomatic and technical experts to address the urgent challenge of strengthening cyber resilience for critical infrastructure in an increasingly interconnected world. The session, moderated by Marie Humeau, featured perspectives from international organisations, national governments, the private sector, and technical specialists, all united by the recognition that malicious actors are increasingly targeting essential services that underpin modern society.


The discussion revealed a concerning threat landscape whilst highlighting promising avenues for enhanced cooperation. Through detailed presentations and interactive dialogue, participants explored how different communities can collaborate more effectively to strengthen cybersecurity defences, moving beyond traditional silos to create comprehensive protection frameworks for critical infrastructure.


## Current Threat Landscape and Scale of Challenge


Pavel Mraz from UNIDIR opened the discussion by presenting statistics that established the gravity of the current cybersecurity environment. He reported that nearly 40% of state-sponsored cyber operations in 2024 specifically targeted critical infrastructure sectors, including energy, healthcare, finance, water, and telecommunications. This targeting represents a significant shift in the threat landscape, with essential services becoming primary objectives rather than collateral targets.


Mraz highlighted the economic scale of cybercrime, noting that global cybercrime losses have reached substantial levels, with ransomware attacks showing significant increases. He emphasised the evolution of attack methodologies, particularly the rise of supply chain attacks that leverage a “target one, compromise many” principle, allowing threat actors to reach multiple downstream customers through a single successful breach.


The UNIDIR researcher also introduced the UN framework for responsible state behaviour in cyberspace, particularly norm F, which prohibits attacks on critical infrastructure. He stressed the importance of translating these frameworks into practical measures through national legislation and institutional coordination.


## Private Sector Challenges and Investment Needs


Timea Suto, representing the private sector perspective, outlined the diverse threat landscape confronting private entities, which includes state-nexus actors, organised cybercriminal ecosystems, and insider threats from employees or contractors. She detailed significant investments being made by private sector organisations, including implementation of zero-trust architectures, vulnerability management programmes, supply chain security assessments, and incident response plans.


However, Suto emphasised a critical limitation: “Even well-funded private entities cannot deter state-sponsored actors or dismantle global criminal networks alone.” This led to her call for a fundamental shift in policy approaches, advocating for “smarter policy focused on incentives rather than more regulation, with rebalanced responsibility between private and public sectors.”


Suto stressed the importance of inclusive policymaking processes that give all stakeholders a meaningful voice in developing critical infrastructure protection frameworks. She argued that governments should take a more active role in disrupting threat actors whilst allowing private companies to focus on operational security and innovation.


## National Experience: Albania’s Response to Cyber Attacks


Floreta Faber, Albania’s Deputy Director General Envoy for Cyber Diplomacy, shared Albania’s experience with major cyber attacks in 2022 that targeted the country’s e-government services. Her most significant insight was reframing cybersecurity from a purely technical challenge to a comprehensive organisational issue.


“We understood that talking about cyber security it’s not talking about technology, it’s talking about a mindset, it’s talking involving more people from the top management to the simple employee inside every organisation that cyber security is something everyone needs to focus on,” Faber explained.


Following the attacks, Albania dramatically expanded its cybersecurity authority from 20 to 85 people and expanded its critical infrastructure designations by 50%. The country also implemented new legislation based on the NIS2 directive and established regular cyber drills to build understanding between stakeholders.


Faber described Albania’s long-term approach to building regional cooperation through youth engagement, establishing cyber camps for young people in the region. “We believe those are things which take time. And sometimes they prevent you not talking to each other for different trust reasons, which are not only cyber security,” she noted, acknowledging that technical cooperation cannot be separated from broader geopolitical contexts.


## International Capacity Building Efforts


Caroline Troein from the International Telecommunication Union provided insights into global capacity building efforts, noting that “many of the issues that developing countries are facing are ones that developed countries are facing. Are you being agile? Do you have the right people in the right places? Are the stakeholders actually coordinating?”


Troein reported that ITU receives requests from multiple countries for cybersecurity support, including CERT establishment, strategy development, and specialised training programmes. She emphasised the critical role of national Computer Emergency Response Teams (CERTs) as the first line of defence, noting they require legal mandates, operational structures, sustainable funding, and continuous training to be effective.


The ITU representative highlighted the importance of cyber exercises that simulate real-world attacks and test response mechanisms. She noted that whilst countries now have more cybersecurity measures than ever before, challenges persist in coordination and implementation, suggesting that the bottleneck is not necessarily in individual components but in how these elements work together as integrated systems.


## Energy Sector Operational Realities


Lars Erik Smevold, representing the energy sector as a Security and Processor Control Architect, provided insights into the operational realities of protecting critical infrastructure. He defined resilience as the ability to “anticipate, prepare for, respond to, recover from, and learn from disruptions.”


Smevold emphasised the unique challenges of cyber-physical systems, where cybersecurity measures implemented on one system can affect other interconnected systems. This is particularly relevant in the energy sector, where cross-border electricity grid connections require coordinated responses between Nordic and European transmission system operators.


He stressed the importance of involving operational staff in cybersecurity preparations and noted that technical specialists need better understanding of different critical infrastructure sectors. Smevold also contributed to discussions on bridging technical and diplomatic communities, suggesting that these communities need informal arenas to meet and build understanding of each other’s work and resource needs.


## Building Trust and Communication Networks


A recurring theme throughout the discussion was the critical importance of pre-established relationships and communication channels. Mraz introduced a compelling metaphor: “You cannot exchange business cards in a hurricane when a real cyber crisis hits, and you need assistance from abroad… You need to have all these channels, the trust, and the network already in place to know where to reach out.”


Faber described practical approaches to building regional cooperation through informal communication channels, including regular information sharing platforms. She emphasised that trust-building requires long-term investment and can be developed through professional networks that persist beyond specific projects or initiatives.


The discussion revealed that effective cooperation requires both formal structures and informal mechanisms. Whilst official frameworks and protocols are necessary, the human relationships and mutual understanding that enable effective cooperation often develop through informal interactions and shared experiences.


## Information Sharing Challenges


A significant challenge addressed was sharing sensitive cybersecurity information across borders. A participant from an IT company asked: “How can we make arrangements for sharing sensitive technical data across borders without making it public, while still allowing technical people to defend their systems better?”


This question highlighted a fundamental tension in cybersecurity cooperation: the need to share threat intelligence to enable collective defence whilst maintaining operational security. Faber responded by describing Albania’s approach to building regional cooperation through informal communication channels, representing practical mechanisms that technical professionals can use to build relationships and share information.


The discussion emphasised that information sharing requires sustained engagement and trust-building through professional networks and alumni connections that persist over time.


## Bridging Technical and Diplomatic Communities


Multiple speakers recognised that effective cybersecurity requires both technical expertise and diplomatic coordination, yet these communities often operate separately. Faber described Albania’s approach of bringing experienced diplomats into technical organisations, creating important translation capabilities between communities.


Smevold reinforced this theme by suggesting informal meeting opportunities and cross-visits between technical facilities and diplomatic offices. The discussion revealed that bridging these communities requires both formal structures and informal mechanisms, with understanding built through direct exposure to each other’s working environments and challenges.


## Areas of Consensus and Practical Recommendations


Despite the complexity of the challenges discussed, participants demonstrated strong consensus on several key points. There was universal agreement that multi-stakeholder collaboration is essential, with no single actor capable of addressing cyber threats alone. All participants agreed on the importance of capacity building and training that goes beyond technical skills to include awareness at all organisational levels.


The discussion generated several concrete recommendations:


– Countries should designate points of contact for crisis communication and establish pre-crisis trust networks


– Technical and diplomatic communities need more informal meeting opportunities to build mutual understanding


– Development of secure channels for sharing sensitive threat information across borders between technical professionals


– Strengthening regional cooperation through platforms like CERT-to-CERT information sharing


– Investment in long-term trust-building initiatives, including youth engagement programmes


– Translation of UN cyber norms into practical national frameworks with clear legal mandates and operational structures


## Ongoing Challenges


Several significant challenges remain unresolved. The question of how to effectively share sensitive technical threat information across borders whilst maintaining security represents a fundamental operational challenge. Balancing regulatory requirements with operational flexibility for private sector critical infrastructure operators remains an area where different stakeholders advocate for different approaches based on their experiences.


The fragmentation of critical infrastructure definitions and frameworks across different countries creates coordination challenges that may require improved mapping and translation between different national approaches. Additionally, scaling cybersecurity capacity building to meet global needs represents a resource challenge that may require innovative approaches to knowledge transfer and peer-to-peer learning.


## Conclusion


This comprehensive discussion demonstrated both the complexity of protecting critical infrastructure in the digital age and the potential for enhanced cooperation across traditional boundaries. The participants’ emphasis on cybersecurity as fundamentally a human and organisational challenge, rather than merely a technical one, represents a mature understanding that has significant implications for policy and practice.


The discussion’s focus on practical cooperation mechanisms—from informal communication channels to structured exercises and cross-community engagement—offers concrete pathways for translating high-level commitments into operational improvements. The emphasis on trust-building as a long-term strategic investment provides a foundation for sustainable cybersecurity cooperation.


Whilst significant challenges remain, particularly around information sharing mechanisms and regulatory approaches, the level of consensus achieved on fundamental principles provides a strong foundation for continued progress. The participants’ recognition that no single actor can secure critical infrastructure alone, combined with their practical suggestions for enhanced cooperation, offers pathways for more resilient and collaborative approaches to protecting the essential services upon which modern society depends.


Session transcript

Marie Humeau: Thank you and welcome to our open forum. We want to discuss with you how to advance cyber resilience of critical infrastructure. In an ever more connected world, not only people are more connected, but also the critical infrastructure we rely on. The resilience of critical infrastructure that are increasingly targets of malicious actors is key. Robust cyber resilience measures are therefore vital. In an environment where incidents could have overspilling effect on international peace and security, there is a risk of escalation. We need to look at overcoming the silos between diplomatic and technical communities, strengthening national and cross-border CERT to CERT cooperation and fostering multi-stakeholder engagement. The idea of this discussion came from the observation that different communities have an important role to play, but that they need to be offered more opportunities to share expertise and knowledge. To get better informed and to get a greater understanding of what each community is doing and how we can support one another in our work to build a resilient cyberspace. We will explore all of this with our distinguished panel today. My name is Marie Humeau and I will be your moderator today. I’m happy to introduce you to our cross-community panel. On my right is Floreta Faber. She is Deputy Director General Envoy for Cyber Diplomacy, Director of International Project Coordinator and Strategic Development of Cybersecurity at the National Cyber Security Authority of Albania. On my left is Lars Erik Smevold, Security and Processor Control Architect, R&D IT and ICS at Stratgraft. Online I also have three panelists, Mr. Pavel Mraz, who works as a cybersecurity researcher at UNIDIR, Caroline Troein, Cybersecurity Division at the ITU, and Timea Suto, our Global Director Policy Lead, and Mr. Gautam Kaila, the Chief Executive Officer of the Global Cyber Forum.
To facilitate my work and our reporting, I will also ask Akhil Thomas, Strategy and Operation Manager at the Global Forum for Cyber Expertise, to summarize the discussion in a few words at the end of the session. We also will look at your active participation, so please prepare some questions for the Q&A session. Because it’s a very rich issue, I’m going to stop talking now and I’m going to ask the question to my panelists. And I will start with really looking at the threat landscape and the national experience on how to really build an efficient critical infrastructure protection. And for this, I will start with asking Pavel Mraz online the first question. What does today’s global cyber threat landscape look like for critical infrastructure and where are the biggest vulnerabilities emerging?


Pavel Mraz: Marie, thank you for the floor and good morning to Oslo to everyone and also good day to those connecting online. To your question, the UN Institute of Disarmament Research will have a research report coming out summarizing the main threats of 2024 in cyberspace. And let me give you a few highlights, specifically focusing on critical infrastructure. When it comes down to critical infrastructure, the cyber threat landscape in 2024 has grown increasingly complex. It became clear that critical infrastructure remains both an attractive target for financially motivated actors, and also a strategic target for some state affiliated actors. In 2024, alarmingly, nearly 40% of all documented cyber operations by states have focused on critical infrastructure, including targeting sectors such as energy, healthcare, finance, water, and telecommunications. And of course, these sectors are foundational. and Mr. Sajjan Dharma. As a result, we have seen last year a surge in ransomware attacks by 275%. And global financial losses from cybercrime disruptions exceeded US$10 trillion last year. To put it in other words, if cybercrime was a country measured by GDP, it would have, it would be the third world’s largest economy. We, of course, also see attacks on digital supply chains. These are becoming more prominent. And leveraging the principle, target one, compromise many, malicious cyber actors now increasingly use supply chain attacks to target downstream customers, including critical infrastructure operators. Importantly, internet infrastructure, which includes satellites, undersea cables, and data centers are also increasingly vulnerable and targeted by cyber attacks. And these type of threats raise concerns about widespread interruption of critical digital services, particularly in times of heightened geopolitical tensions. Even the UN system itself and humanitarian operations are not exempt from cyber attacks. 
According to the UN latest reporting, over 50% of cyber threats targeting the UN in 2024 came from advanced precision. and Mr. Steven Cooley. I’m excited to be here today. I’m here to talk about cyber attacks. Cyber attacks are a common threat to many countries. They are often associated with a number of existing threat actors, which include states. And these attacks have disrupted critical aid operations and endangered vulnerable populations. Taken together, these trends show that cyber attacks are becoming a question of when for many organizations, not a question of if. And no sector or state can contain cyber risks alone. And as infrastructure becomes more digital, interconnected, securing these types of infrastructure will require both a multi-level and a multi-functional approach. And this is a challenge that we are facing. And as infrastructure becomes more digital, interconnected, securing these types of infrastructure will require both a multi-level, multi-stakeholder cooperation, but also resilience planning and preparing for when cyber attacks hit. Positively, the UN member states have acknowledged these risks, with states calling for greater protection of critical infrastructure. Particularly those that deliver essential services across borders. And also, states have called for reinforcing an international taboo against targeting these types of systems. But of course, a number of states also indicated that they will be protecting these types of systems. And that will require strong cross sectoral, and cross border cooperation, and also practical tools. Including adopting national frameworks, using cyber drills and stepping up capacity building to translate shared global principles into real world protection on the ground. I need to talk about these in more detail later on. But I will leave it at that for now and over back to you Marie.


Marie Humeau: Thank you very much Pavel and thank you for this very clear scene setter. I think now that we have looked at the threats and the more just scary things, I think we’ll also look at the resiliency and how to strengthen really our cyberspace. But Timea first. Maybe on your side Timea, from a private sector lens, who are the main threat actors targeting critical infrastructure, and how is the industry adapting? But also, what is needed is to strengthen the resilience of the private sector. So, Timea, over to you.


Ms. Timea Suto: Thanks very much, Marie, and I’d just like to preface that everything I say here today it’s written in much more detail in a report that ICC has published at the IGF last year on the protection of critical infrastructure and their supply chains, and that’s available in English, Spanish, and Chinese, as well as Arabic. So, if you want to hear more about what I try to cram into my short interventions, please take a look at the report, and I’ll put the link in the chat later on. To answer your question, Marie, from a private sector perspective, the threat landscape facing critical infrastructure has never been more serious or diverse. We are seeing a broad range of actors, each with their distinct motivations and capabilities that target essential services that underpin our economies and societies. On one end of the spectrum, we have the state nexus threat actors, often referred to as advanced persistent threats, or APTs. These actors are often supported by governments, military, or intelligence institutions, and they are typically well-funded, highly skilled, and capable of executing long-term complex operations. And their objectives vary from disrupting services and accessing sensitive information to advancing geopolitical interests or undermining public trust in institutions, and they can target both public and private sector entities. At the same time, the private sector must contend with increasingly organized cyber-criminal ecosystems. These criminal groups are often globally distributed and structured in ways that make them resilient to takedowns and prosecution, while also ransomware as a service has made it possible for even relatively unsophisticated attackers to cause major disruptions. Thirdly, there are insider threats that are also a significant concern. 
These are individuals, whether militia, We have a small group of people that are very ambitious or simply negligent, that could be employees or third party contractors to critical infrastructure services, who often have privileged access and fewer securities checks. And even a small mistake on their part or intentional sabotage can have a big cascading real-world consequences. What makes all of these threats more dangerous is the interconnected nature of our infrastructure systems, right. A compromise in one sector, say electricity, can ripple into others like healthcare, telecommunications or transportation. And these aren’t just IT risks, these are national and global security concerns. Cyberattacks on critical infrastructure can lead to service outages, physical destruction or even endanger lives. And it’s not just about keeping these systems aligned, it’s about making sure that these attacks don’t compromise the confidentiality and integrity of data that can lead to long-lasting consequences like identity theft or misinformation, which can cause havoc long after the incident has been dealt with, right. So how is the private sector responding to this? It is actually stepping up, making significant investments in cybersecurity resilience. We are seeing growing adoption of zero-trust architectures, continuous patching and vulnerability management, strong data backups, supply chain risk assessments. Companies are building robust incident response plans and embedding cybersecurity by design into their systems. So there’s a lot that the private sector does, but it is critical to be clear-eyed about the limits of what the private sector can actually do by its own. Even the best-funded private entities cannot deter state-sponsored actors or take down global criminal networks on their own. Cybersecurity, especially in the context of critical infrastructure, is a shared responsibility between government and industry. 
So to strengthen the resilience, I think there are four things that are critical. First, governments must play a more active role in disrupting threat actors, enforcing laws and creating accountability in cyberspace. This includes strengthening national capabilities, supporting law enforcement collaboration across borders, and fully implementing the existing international norms and frameworks of responsible state behavior in cyberspace. Secondly, we need more stronger and operational public-private partnerships, not just during the crises themselves, but in the ongoing governance and design of security measures. This includes real-time threat intelligence sharing, joint exercises, collaborative development of standards and guidelines, and many more. Third, we need to invest in capacity building and resilience, especially in sectors or regions where cybersecurity maturity is still developing. And last but not least, we need to strike the right balance between regulatory obligations and the sustainability of security controls. Regulations should be clear, risk-based, and consistent across borders. At the same time, voluntary standards and flexible frameworks can allow companies to adapt quickly to emerging threats and invest in the most effective protections. So to conclude, protecting critical infrastructure requires continuous investment, cooperation, and innovation. The private sector is deeply committed to strengthening its defenses and ensuring business continuity, but without decisive government action and deep ongoing collaboration, we will not be able to keep pace with the evolving threat environment that Pavel has been talking about earlier. Thanks, Marie.


Marie Humeau: Thank you, Timéa. I think you point out the importance of what we have to do together, and that no one can achieve anything on their own, and that really the stakeholder needs to work together. So now I will go to Floreta. Unfortunately, Albania has suffered recent cyber attacks. So can you maybe share some lessons? Because that’s how also it works, is sharing best practices, lesson learned. And how to be more resilient? Can you also give us some idea on how, in that time, the diplomatic and the technical community collaborated during the response? So Floreta, the floor is yours.


Floreta Faber: Thank you very much. This is a great opportunity to be here in this very honored panel and speak about the case of Albania. Yes, it is true in mid-2022 we had a big cyber attack on the e-gov services and Albania is a government which has today over 1,200 e-services to the Albanian citizens. Over 95% of all our services to citizens are online so hitting that system was really something which was aiming to disrupt our work to the citizens, to disrupt their trust to the government and it was a long and very important process for us because we were fighting corruption, we were bringing more efficiency to citizens and we were really focused on doing our best but then this was kind of a wake-up call for us because as we focused so much on having a technological advancement on responding to cyber security in 2022 when we did have a law on cyber security according to the NIS 1 directive by then we did have an authority on cyber security and we thought we had it covered. We understood that talking about cyber security it’s not talking about technology, it’s talking about a mindset, it’s talking involving more people from the top management to the simple employee inside every organization that cyber security is something everyone needs to focus on. The investment need to be in technology but capacity building is also important for training people and also people who are not technical have the right mindset and awareness that even one mistake in one person inside a big organization can allow the that a simple attack become a big incident on cyber security. So these were the main lessons on 2022. We made big changes in the country, really big reforms legally on making a new law on cyber security on 2024 according to the NIS2 directive. 
As we are talking for the critical and important infrastructures, this week actually we’re expecting the government to approve the new list of critical and important infrastructure, which we build according to the new procedures, a new methodology according to the NIS2 directive. And a big change, it has been not only working with all the critical infrastructures and their technical employees, but also going beyond that and looking at the procedures, looking at how people are trained, looking at every employee inside organizations, public or private sector, to really have a focus on why they need to be focused and understanding that on cyber security and the cyber attacks, it’s not simply a password which needs to be more secure. So it’s people who need to look at every email, at every message they get, to make sure that the links that they’re opening, they are safe and they can continue their business or private life really in a secure manner. They have been big changes inside the authority, we had about 20 people, now we’re going to 85 people inside the authority. The list of critical infrastructures is increased by 50% with the new methodology. We work really on a daily basis with all the critical and important infrastructures, with the big state-sponsored cyber attack of 22 was not one and alone. it has continuously, we’re being continuously under those attacks. The last one practically happened last week, which was really a severe attack on the Tirana municipality. And our technical teams are like the big changes that in 2022, it was difficult to have a group, a good group of experts to work on the case. 
But in cases like today, in over one and a half years now, we have only the team that goes from the authority on cybersecurity, working closely with the team cybersecurity teams inside the organizations in trying, first of all, what’s important to bring back the services and also go back and do the reverse engineering, find out what happened, where the attack came from. And this is where the important part is, what do we do with the attribution? When we find out at the end where the attack came from, which is not, at least in the last cases, it has happened. We have had about over 80 attempts last year and 32 attacks because became incidents. And we dealt with all the cases successfully. But what we fear as in every country, I believe, is that if the attacks are severe, if the attacks go more than in one infrastructures, how our capacities are to respond to those and then how we we work with the diplomatic community actually to deal with the cases. Now, I’ve been part of many UN and a number of UN open-ended working group, which gave us a good understanding how countries in the world actually act or react in case of big cyber attacks and in case of incidents. There is a system where every country can do that. Maybe some countries need to be more active, but at least from the Albanian side, in the last over a year now, every Friday, we send all the information that we can make public and share with the other CERTs. And those are practices which we need to enforce also with the diplomatic community. Different regions in the world have different experiences, like in Asia or Baltic countries So we all come with our own difficulties sometimes in talking to each other when it comes to political level or diplomatic level. And then is, of course, very important the technical side. 
So first, we need to make everyone aware that all those groups need to communicate with each other in all the kind of preparation time that we do in order to be able to protect ourselves, but also know how to communicate when there is a cyber incident. First, because we want to share what happened, be able to share what happened, be able to protect other critical infrastructures on the same field or on the same category. As we know, the cyber attacks can go cross-border sometimes very easily. So it can happen to us, but it can happen to, unfortunately, to every other country. So we need to be prepared and have… very, very clear how we communicate in cases of cyber attacks. So, through UN or through OSCE or different regions of the world on different type of groups, we have agreed on confidence-building measures where protecting critical and important infrastructures is really one of the key pillars on which we always look at. So, maybe I’ll stop here and if you have more questions, I’ll come back.


Marie Humeau: Thank you very much, Floreta. I think you already point out certain of the points we will come back to at a later stage on the cooperation and the framework and the way ahead. But before we jump into this, I still have two speakers for the first part. So, you mentioned the need for political commitment, for clarity. You mentioned the growing number of critical infrastructure and actually the need to invest in tech and capacity building. So, talking about capacity building, I will now give the floor to Caroline because the ITU does a lot of capacity building with national certs. So, maybe you can explain to us how that works and how does the role of the cross-sectoral cooperation works, the importance of having some simulation exercise, for example. And also, maybe you can tell us a bit about the kind of requests that the ITU receive and how actually you address those requests to efficiently protect critical infrastructure. Caroline, the floor is yours.


Caroline Troein: Thank you, Marie. I’d like to start actually on a positive note because we’ve heard a lot about the increasing challenges that the countries are facing. But according to the ITU’s Global Cybersecurity Index, countries now actually have more cybersecurity measures in place than ever before. So, that means that there are more laws, more technical capabilities, more strategies, more trainings, more cooperation. Great. The challenge, and echoing what Marie said, and others have said is that now countries really need to think about how do I enhance my maturity, sharpen my responsiveness, adapt to the new challenges that, for example, AI brings, and even maybe prepare for things like what would a quantum future look like. As Marie mentioned, we work on, in part, on national certs, and we really see them as foundational to cyber resilience because they serve as that first line of defense against ICT threats targeting critical infrastructure in particular. Now as countries evolve, they may develop like a cybersecurity agency, but the core of responsibilities for incident response is still with that cert. Going to the point made earlier, cybercapacity building should not be just a technical thing. While certs are key and are that front line, they need to have a legal mandate, they need to have clear operational structures, they need to have sustainable funding. All of these form part of what makes a successful cert. And they also need to have that continuous training and the ability to adapt to what comes next. And that’s where things like cyber drills, which are the cyber exercises ITU does, can be a really vital tool because they aim to simulate real world attacks, test national response mechanisms, and then foster cross-sectoral coordinations. Ideally also they help bridge the gap between that technical audience and non-technical communities, which is a big challenge in protecting critical infrastructure. I want to bring in an example here. 
I was recently in a country where we ran some exercises specifically focused around critical information infrastructure, so a subset there. And for this, we had some trainings, what they should be aware of in terms of their national regulations that were relatively new, understanding what the roles of the different actors were in the different dependencies that existed. And it was interesting to see the shift in mentality that started to happen with many of the participants who, firstly, while it was a relatively small country, most of the stakeholders there had not interacted before and had not interacted around these topics particularly. The mentality shifts then started to build trust because they saw how they had connections to each other, how they could help each other, and how they could move from a tick-in-the-box exercise that the regulator might have been putting in place to thinking proactively about what can they build as methods and pathways for sharing information. Like Floreta was saying, how do you actually share that information in a timely way? What structures do we need in place? What are the vulnerabilities that we haven’t, that may be uncomfortable to talk about? Only when you have trust can you actually begin to talk about those limitations. And, of course, these kinds of exercises can bring a bit of a renewed energy as everybody then is on the same page. They see an alignment to move forward. Now, this is just one of the types of interventions that we do. We receive a lot of requests from member states, especially now we have a list. I think it’s the latest count is 46 countries that have requested some sort of support from ITU in terms of cybersecurity. We work with them in terms of establishing or enhancing a national cert, developing or updating national cybersecurity strategies. 
We do quite a few different tailored trainings around topics from everything to try to bolster the number of women in cybersecurity, to topics around child online protection, critical infrastructure, of course. We also try to do a lot of train the trainer programs because our ultimate goal is to build local capacity. We’re not that big of a UN agency and our team is small within that. And I think one of the things that we very much recognize, and the reason I like working with a lot of the people in this room is there’s a mutual recognition of you have to work together, but you also have to make sure that the country itself that you’re helping is empowered to start on their own journey. They need to be owning the process going forward. It won’t be ITU doing the cybersecurity of a country, it will be the country doing it. And we need to then look at things, what we do, how can we actually then make sure that we’re developing practices for the country that can build that trust between stakeholders as trust is particularly vulnerable when there are political or economic challenges. And with this, I do wanna take a side note to just say, this is not a developing developed country issue. Many of the issues that developing countries are facing are ones that developed countries are facing. Are you being agile? Do you have the right people in the right places? Are the stakeholders actually coordinating? And for least developed countries, suddenly they had the extra added issue and small island developing states I’d like to add to this, in that they lack the human capacity, let alone the technical tools. So as countries are facing these competing priorities, exercises can be a useful way to help identify where the areas for prioritization lie, where they can work more effectively together and where they should go next. Thanks.


Marie Humeau: You mentioned bridging the gap between the tech audience and the non-technical audience. So I’m going to move to my technical person on the panel. So Lars, you are actually kind of trying to bridge this gap also between the tech inside the company and the non-technical people, the operational. So, which is really crucial, but from your perspective in the energy sector, what does resilience look like in practice and how is it evolving? And based on your experience, what concrete action and processes help strengthening cyber resilience?


Lars Erik Smevold: Thank you. for having me on this panel, Marie, so I appreciate that a lot. What strikes me in these discussions that we are sitting here is that availability, that is definitely part of the front of our heads, because we are running a critical infrastructure like hydropower plants, solar, wind, batteries, grid stabilizers, everything that keeps electricity grids in different countries around the globe up and running. And for us, the resilience part is kind of like the, we need to introduce the ability to anticipate, prepare for, respond to, recover from, and learn from disruptions that happens. And to make these happen, we need to have the people in the sharp end. They need to get a better understanding, together with the operations and also the managers and the policy makers, at least, to actually, how can we make these operationalized? The processes are very good, the policies are good, but we need to adapt and keep in mind that security and cybersecurity, we are actually adapting into cyber physical systems. And these cyber physical systems, they need to be taken good care of. And it’s not like we can put any type of security measures into any type of system, because that system will affect another type of system that can get consequences and impacts you maybe don’t want to have. So you need to build a better understanding of what you actually try to achieve. So for us, it’s like the resiliency part is, for our site, is a lot of physical, what kind of spare parts do we have stored in case of emergency? 
Wind and weather, we are highly educated and trained to handle. We work to handle a lot of the cyber security part, attacks and understanding. From our part we have actually done drills the last couple of years directly to our power stations and the people outside there, and they are loved that we actually came down to them, talk to them, make us understand how they day by day work and life is, and also how that will affect them and their family if a cyber attack happens. And one thing is the cyber attack in itself. But if that is combined with other type of physical attacks at the same time, how do we handle that, and how do we, together with the national security authorities, the regulators for our sector, how do we work together to actually achieve our end goal, to actually keep the availability of these, the critical infrastructure that we actually are working on? So for our parties also, at the same time we also need to adapt to the climate changes that we already have felt, and work close together with these, the other authorities both in the Norwegian countries and the Nordics, because the electricity grids both in the Nordics and Europe, we are highly connected and we need to build that understanding. Also from experience back in 2015-2016, the Nordic TSOs, transmission system operators, that are responsible for the highways in the electricity grids in each and every country, actually did drills together to actually see what affected us, together with the national security, the national regulators, and also with the different CERT teams in these countries. And what we actually achieved from that type of exercise was actually the better understanding what is needed of knowledge, and not only for the cyber security and IT, but you also need a good understanding from each and every type of, from electricity, from telecoms, from water and water sewage, and other critical infrastructure that are in this mixture, to actually do the right decisions at the right time. 
So from my perspective, it’s definitely the go together, collaborate, and then make the people in the sharp end able to do their work and get a better understanding. So I think that’s good for now.


Marie Humeau: Thank you very much, Lars. So the time is flying fast, because we have a lot to say. And I would like to jump, actually, based on your point on the importance of talking, working together, cross-sectoral, cross-regional, between the authorities, at national level, at regional level, you mentioned as well, Floreta, I would like to look at cooperation frameworks and path ahead. So for this, I will give you a bit of a shorter time, so we can also have a bit of time for a question. But I will start with you, Timea, online. So you mentioned the challenges of the private sector to protect critical infrastructure. What do support you would need from policymakers? And also, why do you think the business should care about discussion that are happening at the international level, in international fora, such as the UN? And please keep it short, so we can have time for questions from the audience. Thanks.


Ms. Timea Suto: Thanks, Marie. I’ll try to be brief. Really, for business protecting critical infrastructure today, It is increasingly difficult and not because of a lack of willingness, but because of the complexity and fragmentation that surrounds this. So we have challenges like many of the essential services we rely on today not being originally conceived as critical, so not designed to operate with the resilience and security that we now require. At the same time, these infrastructures are highly interdependent, not just with each other, but with suppliers, contractors, and digital service providers who might not themselves be classified as critical. Then we have a huge issue with fragmentation, not a shared global understanding of what constitutes critical infrastructure, with definitions and legal frameworks differing widely between countries, and in some cases missing altogether. And then there’s the question of maturity of critical infrastructure operators that vary enormously from those companies that can’t have the resources to invest in advanced security measures to those, especially SMEs, who lack the tools, funding, and expertise, but they are just as critical in the supply chains. So how do we ensure security for essential services without overburdening the companies that we actually rely on to operate and innovate them? I won’t talk about what the private sector could do. Please read the report that I posted in the chat. We say a lot about that. But I focus on the policy makers, as that’s what you asked about, Marie. And there, I have a very short answer. It’s not more regulation, but smarter policy. Focus less on control and more on creating the right incentives for cybersecurity investment. There’s also a need to rebalance responsibility between the private and public sectors. 
Governments must recognize that security for socially critical infrastructure is not solely a private burden, particularly when that infrastructure is necessary for public well-being, national security, and economic stability. Instead of defaulting to new regulatory obligations, we need public investment, fiscal support, and policy environments that enable this. So there’s one line that I’d like to leave you with today is this, if we want effective cybersecurity outcomes, we need inclusive policymaking processes. I hope I was brief enough, Marie.


Marie Humeau: Thank you. I think you point out to all the complexity and challenges. I guess there are also some challenges within the technical community. So Lars, maybe you can tell us a bit more about how the technical community cooperate together. and how the cross at cross sectoral level as well, and also international level. But also, from your perspective, should the technical community engage more with the diplomats? I think you pointed out you started pointing it out. But if you can dig it a bit further, that would be great. And also, how can the industry better engage or have an incentive to engage actually, in those multilateral processes, where governments are sitting and discussing the protection of critical infrastructure?


Lars Erik Smevold: Yeah, from my perspective, and our perspective. It’s definitely important to collaborate more with the diplomats and diplomacy to get a better common understanding of what’s actually needed and what type of resources are needed and how much time, things, and what it actually takes to do. So to have some arenas that we can actually meet, talk, not that formal in a way, I will say, because that makes it easier and comfortable to speak out in a better way. Today I brought out my white shirt. I tried to adapt to Floreta. I think that is a start. And maybe sometimes I will shortly invite Floreta and others to be part on a trip for our sake. There are some of our, maybe some plans or some that are available, and talk to our specialists and technicians, because that will definitely help you and others to understand at the same time the other way around. What is your work going on? What can we help you with on your way? Because, as was mentioned before, the arenas that we can actually meet and get a better actual understanding of what critical infrastructure are, is very, very important. Because sometimes there are so on a high level discussions. So the people down, sorry, on the ground, they do not feel any, does that hit me actually, or does it? So the right arenas, cross-sectional with the diplomats, but also internally in the countries, cross-sectoral. General Weiss, and also over borders, because in the electricity community we have the ENTSO-E in Europe, the interest group for TSOs, but we also have CIGRE, that is a global interest organization, that also have cyber security on topic. But these different arenas, maybe we sometimes from the cyber security technical perspective can go to these arenas and talk more, and the same from the diplomacy and IT community also. Do we get a better understanding of electricity, water, and other types?


Marie Humeau: Thank you very much, Lars. And thankfully I have a white and blue shirt, so I’m not sitting in between the two of you. And also I’m wearing sneakers, you can’t see, but I’m not that formal. So I think one of the important things is exactly this, that one understands the other, but it’s not only for one side to come to the diplomatic arena, it’s also for the diplomats to concretely understand what your needs are and how you operate on a daily basis. And actually to create this environment of trust and to be down to earth. Pavel, I’m going to jump to you to maybe look at how the UN framework can actually be more practical and to protect critical infrastructure. How can we actually follow what just Lars said and be more practical and down to earth and to better understand each other to make sure that we create this trusted environment? Pavel, over to you.


Pavel Mraz: Thank you so much, Marie. The UN framework for responsible state behavior in cyberspace, it has been mentioned by Floreta, it has been mentioned by Caroline. It does provide a strong foundation for protecting critical infrastructure. At the core of this framework are agreed voluntary cyber norms, something that all states have committed to do, notably norm F, which affirms that states should not conduct or support any ICT activity that intentionally damages It’s Practically Implemented. And some things that are currently being done at the UN and global level is countries are designating points of contacts globally for crisis communication in recognition that you cannot exchange business cards in a hurricane when a real cyber crisis hits, and you need assistance from abroad, whether it’s assistance from the private sector or another member states if the malicious activity is emanating from outside of your own territory. You need to have all these channels, the trust, and the network already in place to know where to reach out. Of course, there is another challenge here, and that is when we do capacity building in developing countries, we often see this mindset of cybersecurity being an IT department problem or national cybersecurity agency problem. And here is where the tabletop exercises simulating real crisis really come into focus because bringing in all the decision makers and demonstrating that when critical services are down, whether it’s energy, water or health care, it is far broader as a problem than a problem for a national cybersecurity agency. So that really helps bring people together, as Caroline said, and we have seen this on the ground. So in order for the UN framework to have a real world impact and not remain just on paper, it must be operationalized nationally through legislation, institutional coordination, but also sustained investment in cybersecurity that needs to be supported not only by the technical community. 
but also by the political decision makers in a country. It must be inclusive, involving also technical experts, civil society and the private sector, in other words, all the stakeholders that have a role to play in protecting critical infrastructure. And of course it should be backed by practical capacity-building. I will leave it at that, in the interest of time, and over back to you.


Marie Humeau: Thank you. So I think, Floreta, I will give you the floor and I would like to keep a few minutes for questions, if there are any, and also for Akil at the end to wrap up all those information that we gathered. But you are the perfect link between the diplomat and the technical. You’re a diplomat, you’re sitting in the technical organization, you’ve been part of the UN discussion, you’re also part of the Women in Cyber Fellowship. Maybe you can give us a bit of, very quickly, your view on how to bridge those different communities and how to ensure that each community understands and engages with one another.


Floreta Faber: As it was said here, it is absolutely crucial that those communities talk to each other. As I mentioned, Albania has taken a number of reforms on trying to bring the best what you can do in a country, in the cyber ecosystem, in order to reach the best results. Unfortunately, only the countries that have had big attacks, kind of, have learned the lesson. But as we always try to say in cyber security, it’s like in a football match. You can be the best team in the world, you always try and make the training in order, when there is a game, you don’t have a goal. But sometimes, even if you are the best and you have the best players, you still have the goal from the other side. So it’s the same on cyber security. You prepare, you believe you have the best team in protecting you, but sometimes, you know, there are circumstances when the attacks can hit you. So this is the moment. where we all train, when we all talk in a peacetime, when there is not a hurricane, in order to be responsive. That’s why those communities need to talk to each other, because the crisis can be internal to that organization, which can be big. It can spill out in the society, but it can also become an international issue. And especially when it becomes an international issue, it’s the diplomatic community who do the talks. Now, the UN is one of the best examples, and OSCE and other organizations, that can bring together always diplomat and technical communities. And that’s actually one way to talk to each other. There are fellowships, like the Women in Cyber Fellowship, which I have been part of, but there was a UN Singapore Fellowship and other numerous fellowships supported from the UN, where you see those communities be together for one week, for two weeks, on the same room, that obviously you kind of start to build that trust on talking to each other. The point of contact directory, the UN-based, it’s another step how countries talk to each other. 
But on the daily basis, as you said, it’s really important that we all speak with a critical and important infrastructure. We maybe have the luxury of being a small country. We’re going to have over 200 critical and important infrastructures. In some countries, there are a few thousand. But we all have to find a way, either through clusters or through sectors, that they talk to each other, they talk with the national authority on cybersecurity, and they understand why it’s important that not only local, but also international connections are very important. We have put together a new strategy on cybersecurity, which is also one of the sub-laws which need to be passed in a matter of a week or two. And in Albania, there are two main points where we focus, supporting the critical and important infrastructure, and also awareness and support for children being safe online, but awareness to every level of society, underrepresented groups, SMEs, you know, all groups who otherwise do not hear about cybersecurity. But one of the five pillars of the strategy, it is the international cooperation. In some countries, international cooperation is important because we do not have the means and the opportunities and the money to really invest in cybersecurity, and the international support is very important in this case. But we also need the international support because we need to be connected. It is a world where we need to speak freely to each other, and when it comes to cybersecurity, there is no border. You know, the attack can have an effect in one country, go to other countries. You know, it can be a European or, I don’t know, a U.S. organization or a company who have branches around a number of countries, and one hit can hit, you know, several countries all in once. So that’s why it’s important. Another thing we have tried is exactly this, bring an experienced diplomat inside a technical organization. 
It was for me to understand first, what would I do in an organization like this if I come with, you know, at least two years of experience working on cyber diplomacy? But now I understand that maybe this is… Singapore has it as an example. They have a team which works… which have one leadership but two groups, one with the Ministry of Foreign Affairs or Communication, as they call it, and one with a technical group, understanding that there should be a very strong link between the organizations. We kind of started doing this, and it works perfectly because the translation is very important with the internationals, with the diplomatic community. But also everything the technical groups have done, you translate it in the way you presented to your bosses, to the government, to the prime minister, to people who want to know what happened, because if you go too technical, they want, it’s normally, you know, it’s a different language. But the point is people need to understand in their own language what is going on and how they should be prepared. So this link is very important, and I believe every country one way or another is trying to take steps in this direction.


Marie Humeau: Thank you, Floreta. So Caroline, I give you the floor for one minute, and then I will keep two minutes for a question from the audience here and then two minutes for Akhil to wrap up. But Floreta, you mentioned international cooperation is key, so maybe, Caroline, very shortly you can share some cooperation models that have been proven to be very effective, that could be like a basis for best practices, and how it can provide some ideas for future discussion in the UN.


Caroline Troein: Thanks, and yeah, for the sake of time I won’t share stories from… we did a tabletop exercise with UNIDIR and UNODA for the point of contacts directory that Pavel mentioned. I’ll just summarize and say it often felt like the technical and diplomatic contacts were operating from completely different playbooks. So more coordination is definitely needed here, and I want to note that we should note that coordination needs to happen at the national, regional and global levels, because a lot of coordination efforts are either concentrated on the diplomatic or the technical levels and we need those cross-cutting aspects. So to just quickly mention a few models, of course there’s the ASEAN CERT maturity framework, MISA, OAS is a very successful model, OIC, they’re all driving coordination.


Marie Humeau: Thank you very much, Caroline. So I just want to check with the audience if there is a very burning question. If not, I do have one, but for the sake of time, yes, please.


Participant: Hello, my name is Eirik, I work for the IT company owned by the Church of Norway. Just interested in sharing more sensitive data across borders, because when you are a technical person, you sometimes get technical information. You don’t necessarily want to go public, but you still want to share it with other technical people so that they can defend their systems better. How can we make arrangements for that?


Floreta Faber: This is part of building trust with the people you work with. And in the Western Balkans, there is a region where the technical communities, different ways and different formats, try to be in contact with each other, either starting with WhatsApp, with groups of emails, with the platforms that we’re using to share weekly the information. We are also trying another way. It’s a long-term investment, we believe. We have started a cyber camp of young people in the region. And we are building an alumni group of people who go on cyber security. So, for the first time, they met when they were 20, 21. And we believe that in each country, since they come together on the same cyber camps every year, they still meet in alumni group, who was the first year, the second year. For the first time, we did the alumni last year online. We’re going to do this in person. And we try to build the trust, really, from the young age, because we believe those are things which take time. And sometimes they prevent you not talking to each other for different trust reasons, which are not only cyber security. And in order to overcome those, we’re trying all the best way possible, practically, how to really build the communities regionally all together. Very good.


Marie Humeau: Okay, great question. I think we could now talk about this for 20 minutes. I think Lars was willing to answer. But I will give like 30 seconds, nearly one minute, but I think we are cut short of time. But like very, very briefly, Akhil, if you can wrap up the entire hour of discussion that we had. Thank you. And you have the last word.


Mr. Akhil Thomas: Thank you, Marie. Well, as you said, I got the last word, which is a slightly unfair advantage of going last, which means that I get to sound smart by summarizing all the great points that were shared here. So let me try to do justice to that in just two minutes. Well, firstly, thank you to our panelists and participants, both on site and online. Key takeaways from today’s session underscore that collaboration is non-negotiable, whether it’s bridging diplomatic-technical divides, strengthening CERT-to-CERT cooperation, or fostering public-private partnerships, silos are a luxury. We heard from Floreta that resilience is both a mindset and a systemic effort, rooted in governance, funding, and international collaboration. Lars highlighted the energy sector’s resilience on cross-border teamwork, where regular drills and shared awareness are vital. Timea reminded us that while the private sector is innovating with zero trust and threat intelligence, what’s needed now to reduce fragmentation is smarter policy, not necessarily more regulation. Caroline emphasized the ITU’s role in building CERT capacity through cyber drills, peer learning, and stressing that resilience requires legal mandates and cross-cutting coordination at all levels, national to global. And Pavel mapped the alarming scale of threats from ransomware to space infrastructure and the urgent need to turn UN norms into action through practical tools like crisis exercises, POCs, and inclusive capacity building. Three themes came through very clearly. Preparation through exercises, clear protocols, and strong leadership. Inclusivity, making sure that governments, industry, and civil society all have a seat at the table. And shared responsibility, recognizing that threats cascade across borders and no single actor can secure critical infrastructure alone.
As we conclude, I encourage everyone to carry forward today’s calls to action, concrete partnerships, actionable frameworks, and sustained dialogue. Thank you again for your insights and wishing you all a meaningful and productive time at IGF. Over to you, Marie.


Marie Humeau: Thank you. I’m just like closing. So thank you very much. We are running out of time. It has been very, I would like to thank the panelists and I’ll give the floor back to the next panel.


Pavel Mraz

Speech speed: 197 words per minute
Speech length: 1301 words
Speech time: 394 seconds

Nearly 40% of state cyber operations target critical infrastructure including energy, healthcare, finance, water, and telecommunications

Explanation

Pavel Mraz highlighted that critical infrastructure has become both an attractive target for financially motivated actors and a strategic target for state-affiliated actors. This represents a significant portion of documented cyber operations by states in 2024.


Evidence

UNIDIR research report summarizing main threats of 2024 in cyberspace shows nearly 40% of all documented cyber operations by states focused on critical infrastructure sectors


Major discussion point

Current Cyber Threat Landscape for Critical Infrastructure


Topics

Cybersecurity


Agreed with

– Ms. Timea Suto

Agreed on

Critical infrastructure faces increasingly complex and diverse threats


Ransomware attacks surged by 275% with global financial losses exceeding $10 trillion, making cybercrime equivalent to the world’s third largest economy

Explanation

Pavel Mraz presented alarming statistics showing a massive surge in ransomware attacks and their economic impact. He used the comparison to national economies to illustrate the scale of cybercrime’s financial impact globally.


Evidence

275% surge in ransomware attacks in 2024, global financial losses from cybercrime disruptions exceeded US$10 trillion, making cybercrime equivalent to the world’s third largest economy by GDP


Major discussion point

Current Cyber Threat Landscape for Critical Infrastructure


Topics

Cybersecurity | Economic


Supply chain attacks are becoming more prominent, leveraging “target one, compromise many” principle to reach downstream customers

Explanation

Pavel Mraz explained how malicious cyber actors are increasingly using supply chain attacks as an efficient method to target multiple victims. This approach allows attackers to compromise many organizations by targeting a single point in the supply chain.


Evidence

Attacks on digital supply chains leveraging the principle of ‘target one, compromise many’ to target downstream customers, including critical infrastructure operators


Major discussion point

Current Cyber Threat Landscape for Critical Infrastructure


Topics

Cybersecurity


UN framework provides foundation through voluntary cyber norms, particularly norm F prohibiting attacks on critical infrastructure

Explanation

Pavel Mraz outlined how the UN framework for responsible state behavior in cyberspace provides a strong foundation for protecting critical infrastructure. He specifically mentioned norm F which commits states not to conduct or support ICT activities that intentionally damage critical infrastructure.


Evidence

UN framework includes agreed voluntary cyber norms, notably norm F which affirms that states should not conduct or support any ICT activity that intentionally damages critical infrastructure


Major discussion point

International Cooperation Frameworks


Topics

Cybersecurity | Legal and regulatory


Countries are designating points of contact for crisis communication, recognizing need for pre-established trust and networks

Explanation

Pavel Mraz emphasized the importance of having communication channels and trust networks established before a crisis occurs. He noted that countries cannot exchange business cards during a cyber hurricane and need assistance channels ready in advance.


Evidence

Countries are designating points of contacts globally for crisis communication, recognizing that you cannot exchange business cards in a hurricane when a real cyber crisis hits


Major discussion point

International Cooperation Frameworks


Topics

Cybersecurity


Agreed with

– Floreta Faber
– Caroline Troein

Agreed on

Trust-building is essential for effective information sharing and cooperation


Tabletop exercises help demonstrate that critical infrastructure attacks are broader problems than just IT department issues

Explanation

Pavel Mraz explained how tabletop exercises are effective in showing decision makers that when critical services like energy, water or healthcare are down, the problem extends far beyond what a national cybersecurity agency can handle alone. This helps bring different stakeholders together.


Evidence

Tabletop exercises simulating real crisis help bring decision makers together by demonstrating that when critical services are down, it is far broader as a problem than a problem for a national cybersecurity agency


Major discussion point

International Cooperation Frameworks


Topics

Cybersecurity | Development


Agreed with

– Floreta Faber
– Caroline Troein

Agreed on

Capacity building and training are fundamental to cybersecurity resilience


International cooperation must be operationalized through legislation, institutional coordination, and sustained investment

Explanation

Pavel Mraz argued that for the UN framework to have real-world impact and not remain just on paper, it must be implemented practically at the national level. This requires comprehensive approaches involving multiple stakeholders and sustained commitment.


Evidence

UN framework must be operationalized nationally through legislation, institutional coordination, sustained investment in cybersecurity, and must be inclusive involving technical experts, civil society and private sector


Major discussion point

International Cooperation Frameworks


Topics

Cybersecurity | Legal and regulatory | Development


Agreed with

– Ms. Timea Suto
– Floreta Faber
– Caroline Troein
– Lars Erik Smevold

Agreed on

Multi-stakeholder collaboration is essential for cybersecurity


Ms. Timea Suto

Speech speed: 157 words per minute
Speech length: 1166 words
Speech time: 444 seconds

Critical infrastructure faces threats from state-nexus actors, organized cybercriminal ecosystems, and insider threats from employees or contractors

Explanation

Timea Suto outlined the diverse threat landscape facing critical infrastructure, categorizing threats into three main types. She explained how each type has different motivations and capabilities, from well-funded government-supported APTs to organized criminal groups and internal threats from people with privileged access.


Evidence

State nexus threat actors (APTs) are well-funded and capable of long-term complex operations; cybercriminal ecosystems are globally distributed and resilient; insider threats include malicious or negligent employees and contractors with privileged access


Major discussion point

Current Cyber Threat Landscape for Critical Infrastructure


Topics

Cybersecurity


Agreed with

– Pavel Mraz

Agreed on

Critical infrastructure faces increasingly complex and diverse threats


Private sector is investing in zero-trust architectures, vulnerability management, supply chain assessments, and incident response plans

Explanation

Timea Suto described how the private sector is actively responding to cyber threats by making significant investments in cybersecurity resilience. She outlined various technical and procedural measures that companies are adopting to strengthen their defenses.


Evidence

Growing adoption of zero-trust architectures, continuous patching and vulnerability management, strong data backups, supply chain risk assessments, robust incident response plans, and embedding cybersecurity by design


Major discussion point

Private Sector Challenges and Needs


Topics

Cybersecurity | Economic


Even well-funded private entities cannot deter state-sponsored actors or dismantle global criminal networks alone

Explanation

Timea Suto emphasized the limitations of what private sector can achieve independently, regardless of their resources. She argued that cybersecurity for critical infrastructure is a shared responsibility that requires government involvement in addressing threats beyond private sector capabilities.


Evidence

Even the best-funded private entities cannot deter state-sponsored actors or take down global criminal networks on their own; cybersecurity is a shared responsibility between government and industry


Major discussion point

Private Sector Challenges and Needs


Topics

Cybersecurity


Agreed with

– Pavel Mraz
– Floreta Faber
– Caroline Troein
– Lars Erik Smevold

Agreed on

Multi-stakeholder collaboration is essential for cybersecurity


Industry needs smarter policy focused on incentives rather than more regulation, with rebalanced responsibility between private and public sectors

Explanation

Timea Suto advocated for a policy approach that emphasizes creating the right incentives for cybersecurity investment rather than imposing more regulatory burdens. She argued for rebalancing responsibilities, recognizing that security for socially critical infrastructure shouldn’t be solely a private burden.


Evidence

Focus less on control and more on creating right incentives for cybersecurity investment; governments must recognize that security for socially critical infrastructure is not solely a private burden; need public investment, fiscal support, and enabling policy environments


Major discussion point

Private Sector Challenges and Needs


Topics

Cybersecurity | Legal and regulatory | Economic


Disagreed with

– Floreta Faber

Disagreed on

Regulatory approach to private sector cybersecurity


Critical infrastructure protection requires inclusive policymaking processes involving all stakeholders

Explanation

Timea Suto concluded with the principle that effective cybersecurity outcomes require inclusive policymaking processes. She emphasized that all relevant stakeholders must be involved in developing policies for protecting critical infrastructure.


Evidence

If we want effective cybersecurity outcomes, we need inclusive policymaking processes


Major discussion point

Private Sector Challenges and Needs


Topics

Cybersecurity | Legal and regulatory


Floreta Faber

Speech speed: 147 words per minute
Speech length: 2226 words
Speech time: 904 seconds

Albania’s 2022 cyber attack on e-government services revealed that cybersecurity is about mindset and involving all people, not just technology

Explanation

Floreta Faber shared Albania’s experience with a major cyber attack that targeted their extensive e-government services. She explained how this incident served as a wake-up call, revealing that cybersecurity success depends on changing organizational mindset and involving everyone, not just focusing on technological solutions.


Evidence

Albania had over 1,200 e-services with 95% of citizen services online when attacked in mid-2022; the attack was a wake-up call showing cybersecurity is about mindset and involving people from top management to simple employees


Major discussion point

National Experiences and Lessons Learned


Topics

Cybersecurity | Development


Cybersecurity requires investment in both technology and capacity building, with awareness training for all employees from top management to simple workers

Explanation

Floreta Faber emphasized that effective cybersecurity requires a dual approach combining technological investments with comprehensive human capacity building. She stressed that everyone in an organization needs proper training and awareness, as one mistake by any person can allow a simple attack to become a major incident.


Evidence

Investment needed in technology but capacity building is also important for training people; people who are not technical need the right mindset and awareness that even one mistake by one person can allow a simple attack to become a big incident


Major discussion point

National Experiences and Lessons Learned


Topics

Cybersecurity | Development


Agreed with

– Pavel Mraz
– Caroline Troein

Agreed on

Capacity building and training are fundamental to cybersecurity resilience


Albania increased cybersecurity authority staff from 20 to 85 people and expanded critical infrastructure list by 50% following attacks

Explanation

Floreta Faber detailed the concrete organizational and regulatory changes Albania made in response to cyber attacks. These changes included significant expansion of human resources and updating their approach to identifying critical infrastructure according to new EU directives.


Evidence

Authority staff increased from about 20 people to 85 people; new law on cybersecurity in 2024 according to NIS2 directive; critical infrastructure list increased by 50% with new methodology


Major discussion point

National Experiences and Lessons Learned


Topics

Cybersecurity | Legal and regulatory | Development


Disagreed with

– Ms. Timea Suto

Disagreed on

Regulatory approach to private sector cybersecurity


Regular cyber drills help build understanding between stakeholders and create trust for sharing sensitive information

Explanation

Floreta Faber explained how Albania conducts regular exercises and drills to improve coordination between different stakeholders. She emphasized that these activities help build the trust necessary for effective information sharing and collaborative response to cyber incidents.


Evidence

Albania has had over 80 attempts and 32 attacks that became incidents last year, dealing with all cases successfully; regular exercises help build trust between technical teams and different organizations


Major discussion point

National Experiences and Lessons Learned


Topics

Cybersecurity | Development


Bringing experienced diplomats into technical organizations creates important translation between communities

Explanation

Floreta Faber shared her personal experience as a diplomat working within a technical cybersecurity organization. She explained how this arrangement helps bridge the gap between diplomatic and technical communities by providing necessary translation and communication between different audiences.


Evidence

Singapore has a team with one leadership but two groups, one with Ministry of Foreign Affairs and one technical group; bringing experienced diplomat inside technical organization helps translate between communities and present technical work to government leaders


Major discussion point

Bridging Technical and Diplomatic Communities


Topics

Cybersecurity


Agreed with

– Pavel Mraz
– Ms. Timea Suto
– Caroline Troein
– Lars Erik Smevold

Agreed on

Multi-stakeholder collaboration is essential for cybersecurity


Building trust requires long-term investment including regional cooperation and youth engagement through cyber camps

Explanation

Floreta Faber described Albania’s approach to building long-term trust and cooperation in the Western Balkans region. She explained their strategy of investing in youth through cyber camps to create lasting professional relationships and trust networks that will benefit future cybersecurity cooperation.


Evidence

Western Balkans technical communities stay in contact through WhatsApp groups, emails, and platforms for weekly information sharing; cyber camp for young people creates alumni groups who meet annually to build trust from young age


Major discussion point

Bridging Technical and Diplomatic Communities


Topics

Cybersecurity | Development


Agreed with

– Pavel Mraz
– Caroline Troein

Agreed on

Trust-building is essential for effective information sharing and cooperation


Regional cooperation can start with informal communication channels like WhatsApp groups and email platforms for weekly information sharing

Explanation

Floreta Faber provided practical examples of how technical communities can begin sharing sensitive threat information across borders. She described informal but effective communication methods that help build trust and enable regular information exchange between cybersecurity professionals.


Evidence

Western Balkans technical communities use WhatsApp groups, email groups, and platforms for sharing weekly information; Albania sends information every Friday that can be made public and shared with other CERTs


Major discussion point

Practical Information Sharing Challenges


Topics

Cybersecurity


Trust-building requires sustained engagement and can be developed through alumni networks of cybersecurity professionals

Explanation

Floreta Faber explained their long-term strategy for building professional trust networks through sustained engagement programs. She described how creating alumni networks of cybersecurity professionals who first meet at young ages can overcome political and trust barriers that might otherwise prevent cooperation.


Evidence

Cyber camp alumni groups where people first meet at age 20-21 and continue meeting annually; first alumni meeting was online, planning in-person meetings; trying to build trust from young age because trust-building takes time


Major discussion point

Practical Information Sharing Challenges


Topics

Cybersecurity | Development


Caroline Troein

Speech speed: 161 words per minute
Speech length: 1079 words
Speech time: 400 seconds

Countries now have more cybersecurity measures than ever before including laws, technical capabilities, strategies, and training programs

Explanation

Caroline Troein provided a positive perspective on global cybersecurity progress, citing ITU’s Global Cybersecurity Index findings. She noted that while challenges are increasing, countries are also implementing more comprehensive cybersecurity measures across multiple dimensions.


Evidence

According to ITU’s Global Cybersecurity Index, countries have more cybersecurity measures in place than ever before including more laws, technical capabilities, strategies, trainings, and cooperation


Major discussion point

Role of Capacity Building and Technical Cooperation


Topics

Cybersecurity | Development | Legal and regulatory


National CERTs serve as the first line of defense and need legal mandate, operational structures, sustainable funding, and continuous training

Explanation

Caroline Troein emphasized the foundational role of national CERTs in cyber resilience, explaining that they serve as the primary defense against ICT threats targeting critical infrastructure. She outlined the essential requirements for effective CERT operations beyond just technical capabilities.


Evidence

National CERTs are foundational to cyber resilience as first line of defense; they need legal mandate, clear operational structures, sustainable funding, and continuous training; core incident response responsibilities remain with CERTs even as countries develop cybersecurity agencies


Major discussion point

Role of Capacity Building and Technical Cooperation


Topics

Cybersecurity | Legal and regulatory


Agreed with

– Pavel Mraz
– Floreta Faber

Agreed on

Capacity building and training are fundamental to cybersecurity resilience


Cyber exercises simulate real-world attacks, test response mechanisms, and foster cross-sectoral coordination while bridging technical and non-technical communities

Explanation

Caroline Troein explained the multiple benefits of cyber exercises as capacity building tools. She emphasized how these exercises serve not only to test technical responses but also to build understanding and coordination between different stakeholder communities.


Evidence

Cyber drills simulate real world attacks, test national response mechanisms, foster cross-sectoral coordination, and help bridge the gap between technical and non-technical communities; exercises help build trust and show stakeholders their connections and dependencies


Major discussion point

Role of Capacity Building and Technical Cooperation


Topics

Cybersecurity | Development


Agreed with

– Pavel Mraz
– Floreta Faber

Agreed on

Trust-building is essential for effective information sharing and cooperation


ITU receives requests from 46 countries for cybersecurity support including CERT establishment, strategy development, and specialized training

Explanation

Caroline Troein provided concrete evidence of global demand for cybersecurity capacity building by citing the number of countries requesting ITU support. She outlined the diverse types of assistance requested, from institutional development to specialized training programs.


Evidence

46 countries have requested support from ITU in cybersecurity; support includes establishing or enhancing national CERTs, developing or updating national cybersecurity strategies, tailored trainings on various topics, and train-the-trainer programs


Major discussion point

Role of Capacity Building and Technical Cooperation


Topics

Cybersecurity | Development


Coordination needs to happen at national, regional, and global levels with cross-cutting aspects between diplomatic and technical levels

Explanation

Caroline Troein emphasized the multi-level nature of coordination required for effective cybersecurity. She noted that coordination efforts are often concentrated on either diplomatic or technical levels, but what’s needed are approaches that cut across both dimensions at all levels.


Evidence

Coordination needs to happen at national, regional and global levels; coordination efforts are often concentrated on either diplomatic or technical levels and we need cross-cutting aspects; mentioned ASEAN, MISA, OAS, OIC as successful coordination models


Major discussion point

Practical Information Sharing Challenges


Topics

Cybersecurity


Agreed with

– Pavel Mraz
– Ms. Timea Suto
– Floreta Faber
– Lars Erik Smevold

Agreed on

Multi-stakeholder collaboration is essential for cybersecurity


Lars Erik Smevold

Speech speed: 134 words per minute
Speech length: 981 words
Speech time: 437 seconds

Energy sector resilience requires ability to anticipate, prepare for, respond to, recover from, and learn from disruptions

Explanation

Lars Erik Smevold defined resilience in the energy sector as a comprehensive capability that goes beyond just prevention to include full cycle management of disruptions. He emphasized that this requires involving people at all levels from operations to management and policy makers.


Evidence

Running critical infrastructure like hydropower plants, solar, wind, batteries, grid stabilizers; resilience requires involving people in the sharp end, operations, managers, and policy makers to operationalize security measures


Major discussion point

Operational Resilience in Critical Sectors


Topics

Cybersecurity | Infrastructure


Cybersecurity must be adapted to cyber-physical systems where security measures on one system can affect other interconnected systems

Explanation

Lars Erik Smevold explained the complexity of securing cyber-physical systems in critical infrastructure, where traditional security measures may not be appropriate. He emphasized the need to understand system interdependencies and potential unintended consequences of security implementations.


Evidence

Security and cybersecurity are adapting into cyber physical systems; cannot put any type of security measures into any type of system because that system will affect another type of system with consequences you may not want


Major discussion point

Operational Resilience in Critical Sectors


Topics

Cybersecurity | Infrastructure


Cross-border electricity grid connections require coordinated response between Nordic and European transmission system operators

Explanation

Lars Erik Smevold highlighted the interconnected nature of electricity grids across borders and the need for coordinated cybersecurity responses. He provided specific examples of successful cooperation between Nordic transmission system operators and the importance of understanding climate change impacts.


Evidence

Electricity grids in Nordics and Europe are highly connected; Nordic TSOs did drills in 2015-2016 together with national security, regulators, and CERT teams; need to adapt to climate changes and work with other authorities


Major discussion point

Operational Resilience in Critical Sectors


Topics

Cybersecurity | Infrastructure


Technical specialists need better understanding of different critical infrastructure sectors including electricity, telecoms, and water systems

Explanation

Lars Erik Smevold emphasized the importance of cross-sectoral knowledge among technical specialists to make proper decisions during incidents. He argued that cybersecurity professionals need understanding beyond just IT and cybersecurity to include knowledge of various critical infrastructure sectors.


Evidence

Need good understanding not only of cybersecurity and IT, but also from electricity, telecoms, water and sewage, and other critical infrastructure in the mixture to make right decisions at the right time


Major discussion point

Operational Resilience in Critical Sectors


Topics

Cybersecurity | Infrastructure


Technical and diplomatic communities need informal arenas to meet and build understanding of each other’s work and resource needs

Explanation

Lars Erik Smevold advocated for creating informal meeting opportunities between technical and diplomatic communities to build mutual understanding. He suggested that less formal settings make it easier and more comfortable for both sides to communicate effectively.


Evidence

Important to collaborate more with diplomats to get common understanding of what’s needed, what resources are needed, and how much time things take; need arenas that are not too formal to make it easier and comfortable to speak


Major discussion point

Bridging Technical and Diplomatic Communities


Topics

Cybersecurity


Agreed with

– Pavel Mraz
– Ms. Timea Suto
– Floreta Faber
– Caroline Troein

Agreed on

Multi-stakeholder collaboration is essential for cybersecurity


Cross-visits between technical facilities and diplomatic offices help build mutual understanding of operational realities

Explanation

Lars Erik Smevold suggested practical approaches for building understanding between communities, including site visits to technical facilities and diplomatic offices. He emphasized the importance of both sides understanding each other’s daily work and operational constraints.


Evidence

Suggested inviting diplomats to visit power plants and technical facilities to talk to specialists and technicians; also suggested technical people visit diplomatic offices to understand their work and how they can help each other


Major discussion point

Bridging Technical and Diplomatic Communities


Topics

Cybersecurity


Participant

Speech speed

115 words per minute

Speech length

71 words

Speech time

36 seconds

Technical professionals need secure channels to share sensitive threat information across borders without making it public

Explanation

A participant from the Church of Norway’s IT company raised a practical question about sharing sensitive technical information across borders. They highlighted the challenge technical professionals face when they have threat information that could help others defend their systems but cannot be shared publicly.


Evidence

Works for IT company owned by Church of Norway; interested in sharing sensitive technical data across borders that technical people don’t want to go public but want to share with other technical people for defense


Major discussion point

Practical Information Sharing Challenges


Topics

Cybersecurity


Mr. Akhil Thomas

Speech speed

166 words per minute

Speech length

313 words

Speech time

113 seconds

Marie Humeau

Speech speed

156 words per minute

Speech length

1686 words

Speech time

646 seconds

Agreements

Agreement points

Multi-stakeholder collaboration is essential for cybersecurity

Speakers

– Pavel Mraz
– Ms. Timea Suto
– Floreta Faber
– Caroline Troein
– Lars Erik Smevold

Arguments

International cooperation must be operationalized through legislation, institutional coordination, and sustained investment


Even well-funded private entities cannot deter state-sponsored actors or dismantle global criminal networks alone


Bringing experienced diplomats into technical organizations creates important translation between communities


Coordination needs to happen at national, regional, and global levels with cross-cutting aspects between diplomatic and technical levels


Technical and diplomatic communities need informal arenas to meet and build understanding of each other’s work and resource needs


Summary

All speakers emphasized that cybersecurity, especially for critical infrastructure, requires collaboration across sectors, borders, and communities. No single actor can address cyber threats alone.


Topics

Cybersecurity | Development


Capacity building and training are fundamental to cybersecurity resilience

Speakers

– Pavel Mraz
– Floreta Faber
– Caroline Troein

Arguments

Tabletop exercises help demonstrate that critical infrastructure attacks are broader problems than just IT department issues


Cybersecurity requires investment in both technology and capacity building, with awareness training for all employees from top management to simple workers


National CERTs serve as the first line of defense and need legal mandate, operational structures, sustainable funding, and continuous training


Summary

Speakers agreed that effective cybersecurity requires comprehensive capacity building that goes beyond technical training to include awareness at all organizational levels and practical exercises.


Topics

Cybersecurity | Development


Trust-building is essential for effective information sharing and cooperation

Speakers

– Pavel Mraz
– Floreta Faber
– Caroline Troein

Arguments

Countries are designating points of contact for crisis communication, recognizing need for pre-established trust and networks


Building trust requires long-term investment including regional cooperation and youth engagement through cyber camps


Cyber exercises simulate real-world attacks, test response mechanisms, and foster cross-sectoral coordination while bridging technical and non-technical communities


Summary

Speakers emphasized that trust must be built before crises occur and requires sustained investment in relationships and communication channels.


Topics

Cybersecurity | Development


Critical infrastructure faces increasingly complex and diverse threats

Speakers

– Pavel Mraz
– Ms. Timea Suto

Arguments

Nearly 40% of state cyber operations target critical infrastructure including energy, healthcare, finance, water, and telecommunications


Critical infrastructure faces threats from state-nexus actors, organized cybercriminal ecosystems, and insider threats from employees or contractors


Summary

Both speakers highlighted the severity and diversity of threats targeting critical infrastructure, including state actors, criminals, and insider threats.


Topics

Cybersecurity


Similar viewpoints

Both emphasized the need for balanced approaches to cybersecurity governance that involve appropriate resource allocation and smart policy rather than just regulatory burden.

Speakers

– Ms. Timea Suto
– Floreta Faber

Arguments

Industry needs smarter policy focused on incentives rather than more regulation, with rebalanced responsibility between private and public sectors


Albania increased cybersecurity authority staff from 20 to 85 people and expanded critical infrastructure list by 50% following attacks


Topics

Cybersecurity | Legal and regulatory | Economic


Both speakers emphasized the importance of regular exercises and cross-border coordination, drawing from their practical experience in managing critical infrastructure.

Speakers

– Lars Erik Smevold
– Floreta Faber

Arguments

Cross-border electricity grid connections require coordinated response between Nordic and European transmission system operators


Regular cyber drills help build understanding between stakeholders and create trust for sharing sensitive information


Topics

Cybersecurity | Infrastructure


Both speakers highlighted the global demand for cybersecurity capacity building and the effectiveness of practical exercises in building understanding across communities.

Speakers

– Caroline Troein
– Pavel Mraz

Arguments

ITU receives requests from 46 countries for cybersecurity support including CERT establishment, strategy development, and specialized training


Tabletop exercises help demonstrate that critical infrastructure attacks are broader problems than just IT department issues


Topics

Cybersecurity | Development


Unexpected consensus

Informal communication channels are as important as formal frameworks

Speakers

– Floreta Faber
– Lars Erik Smevold

Arguments

Regional cooperation can start with informal communication channels like WhatsApp groups and email platforms for weekly information sharing


Technical and diplomatic communities need informal arenas to meet and build understanding of each other’s work and resource needs


Explanation

It was unexpected to see both a diplomat and a technical expert emphasize the importance of informal communication channels like WhatsApp groups alongside formal diplomatic and technical frameworks. This suggests that practical, everyday communication tools are recognized as vital for cybersecurity cooperation.


Topics

Cybersecurity


Long-term youth engagement as a cybersecurity strategy

Speakers

– Floreta Faber

Arguments

Trust-building requires sustained engagement and can be developed through alumni networks of cybersecurity professionals


Explanation

The emphasis on building cybersecurity cooperation through youth engagement and alumni networks represents an unexpected long-term strategic approach that goes beyond traditional diplomatic or technical cooperation models.


Topics

Cybersecurity | Development


Overall assessment

Summary

The speakers demonstrated remarkable consensus on the need for multi-stakeholder collaboration, capacity building, trust-building, and the recognition that cyber threats to critical infrastructure are complex and require coordinated responses. There was strong agreement on the limitations of single-actor approaches and the importance of both formal and informal cooperation mechanisms.


Consensus level

High level of consensus with practical implications for cybersecurity policy. The agreement suggests that the cybersecurity community has matured in its understanding that technical solutions alone are insufficient, and that sustainable cybersecurity requires investment in human relationships, institutional cooperation, and long-term capacity building across all stakeholder groups.


Differences

Different viewpoints

Regulatory approach to private sector cybersecurity

Speakers

– Ms. Timea Suto
– Floreta Faber

Arguments

Industry needs smarter policy focused on incentives rather than more regulation, with rebalanced responsibility between private and public sectors


Albania increased cybersecurity authority staff from 20 to 85 people and expanded critical infrastructure list by 50% following attacks


Summary

Timea advocates for less regulation and more incentives for the private sector, emphasizing that security shouldn’t be solely a private burden. Floreta’s experience shows Albania’s response involved significant regulatory expansion and increased government oversight of critical infrastructure.


Topics

Cybersecurity | Legal and regulatory | Economic


Unexpected differences

Role of government regulation in critical infrastructure protection

Speakers

– Ms. Timea Suto
– Floreta Faber

Arguments

Industry needs smarter policy focused on incentives rather than more regulation, with rebalanced responsibility between private and public sectors


Albania increased cybersecurity authority staff from 20 to 85 people and expanded critical infrastructure list by 50% following attacks


Explanation

This disagreement is unexpected because both speakers represent the need for stronger critical infrastructure protection, yet they have fundamentally different views on government’s role. Timea, from a private sector perspective, argues against more regulation, while Floreta’s practical experience led to significant regulatory expansion. This reveals a tension between private sector preferences and real-world government responses to cyber incidents.


Topics

Cybersecurity | Legal and regulatory | Economic


Overall assessment

Summary

The discussion showed remarkable consensus on the nature of threats and the need for cooperation, with limited but significant disagreement on regulatory approaches and implementation methods.


Disagreement level

Low to moderate disagreement level. Most speakers agreed on fundamental challenges and goals, but differed on specific approaches to regulation and implementation. The main tension was between private sector preference for incentive-based policies versus government experience favoring regulatory expansion. This disagreement has significant implications as it reflects the ongoing global debate about how to balance private sector autonomy with government oversight in critical infrastructure protection.


Takeaways

Key takeaways

Cybersecurity for critical infrastructure requires a multi-stakeholder approach involving governments, private sector, technical communities, and diplomatic communities working together


Cyber resilience is fundamentally about mindset and people, not just technology – requiring awareness and training from top management to individual employees


The threat landscape is escalating rapidly with nearly 40% of state cyber operations targeting critical infrastructure and ransomware attacks surging 275%


No single actor can secure critical infrastructure alone – shared responsibility between public and private sectors is essential


Trust-building between different communities (technical, diplomatic, operational) is crucial and requires sustained long-term investment


Practical cooperation mechanisms like cyber drills, tabletop exercises, and informal communication channels are vital for building operational resilience


International frameworks like UN cyber norms must be operationalized through national legislation, institutional coordination, and practical capacity building


Cross-border coordination is essential given the interconnected nature of critical infrastructure, especially in sectors like energy and telecommunications


Resolutions and action items

Countries should designate points of contact for crisis communication and establish pre-crisis trust networks


Technical and diplomatic communities need more informal meeting opportunities to build mutual understanding


Implementation of cross-visits between technical facilities and diplomatic offices to understand operational realities


Development of secure channels for sharing sensitive threat information across borders between technical professionals


Strengthening of regional cooperation through platforms like CERT-to-CERT information sharing


Investment in long-term trust-building initiatives including youth engagement through cyber camps and alumni networks


Translation of UN cyber norms into practical national frameworks with clear legal mandates and operational structures


Unresolved issues

How to effectively share sensitive technical threat information across borders while maintaining security


Balancing regulatory requirements with operational flexibility for private sector critical infrastructure operators


Addressing the fragmentation of critical infrastructure definitions and frameworks across different countries


Scaling cybersecurity capacity building to meet the needs of 46+ countries requesting ITU support


Ensuring adequate funding and resources for expanding cybersecurity authorities and capabilities


Managing the complexity of interdependent critical infrastructure systems where security measures on one system can affect others


Bridging the maturity gap between well-resourced critical infrastructure operators and smaller companies in supply chains


Suggested compromises

Focus on ‘smarter policy’ with incentives for cybersecurity investment rather than additional regulatory burdens


Rebalance responsibility between private and public sectors, with governments taking more active role in disrupting threat actors while private sector focuses on operational security


Use flexible frameworks and voluntary standards that allow companies to adapt quickly to emerging threats while meeting regulatory requirements


Implement inclusive policymaking processes that give all stakeholders a seat at the table rather than top-down regulatory approaches


Combine formal diplomatic channels with informal technical cooperation mechanisms to bridge different community cultures and working styles


Thought provoking comments

We understood that talking about cyber security it’s not talking about technology, it’s talking about a mindset, it’s talking involving more people from the top management to the simple employee inside every organization that cyber security is something everyone needs to focus on.

Speaker

Floreta Faber


Reason

This comment fundamentally reframes cybersecurity from a technical problem to a human and organizational challenge. It challenges the common perception that cybersecurity is solely an IT department responsibility and emphasizes the critical role of human factors and organizational culture.


Impact

This insight shifted the discussion from technical solutions to human-centered approaches. It influenced subsequent speakers to emphasize training, awareness, and cross-community collaboration. Caroline later built on this by discussing the importance of bridging technical and non-technical audiences, and Lars emphasized the need to make people ‘in the sharp end’ understand their role.


If cybercrime was a country measured by GDP, it would have, it would be the third world’s largest economy.

Speaker

Pavel Mraz


Reason

This striking analogy puts the scale of cyber threats into perspective by comparing cybercrime’s economic impact to national economies. It transforms abstract statistics into a concrete, relatable comparison that emphasizes the magnitude of the challenge.


Impact

This comment established the gravity of the threat landscape early in the discussion, setting a serious tone that influenced all subsequent contributions. It provided context for why the collaborative approaches discussed later are not just beneficial but absolutely necessary given the scale of the challenge.


It’s not more regulation, but smarter policy. Focus less on control and more on creating the right incentives for cybersecurity investment.

Speaker

Timea Suto


Reason

This comment challenges the conventional regulatory approach to cybersecurity and proposes a paradigm shift from compliance-based to incentive-based policy frameworks. It addresses a fundamental tension between government oversight and private sector innovation.


Impact

This insight introduced a nuanced policy perspective that moved the discussion beyond simple public-private cooperation to examining the quality and nature of policy interventions. It influenced the later discussion about the need for ‘inclusive policymaking processes’ and shaped the conversation about sustainable approaches to critical infrastructure protection.


You cannot exchange business cards in a hurricane when a real cyber crisis hits, and you need assistance from abroad… You need to have all these channels, the trust, and the network already in place to know where to reach out.

Speaker

Pavel Mraz


Reason

This vivid metaphor illustrates the critical importance of pre-established relationships and communication channels in crisis management. It emphasizes that crisis response preparation must happen during peacetime, not during emergencies.


Impact

This comment reinforced the importance of proactive relationship-building and influenced the discussion toward practical cooperation mechanisms. It connected with Floreta’s later emphasis on building trust ‘from a young age’ through initiatives like cyber camps, and supported the overall theme of sustained, long-term collaboration rather than ad-hoc responses.


Many of the issues that developing countries are facing are ones that developed countries are facing. Are you being agile? Do you have the right people in the right places? Are the stakeholders actually coordinating?

Speaker

Caroline Troein


Reason

This comment challenges the traditional developed/developing country dichotomy in cybersecurity discussions and identifies universal challenges that transcend economic development levels. It reframes capacity building as a shared global challenge rather than a one-way transfer.


Impact

This insight shifted the conversation from a donor-recipient model to a more collaborative, peer-learning approach. It influenced the discussion toward recognizing that all countries face similar fundamental challenges in coordination, agility, and human resources, regardless of their development status.


We have started a cyber camp of young people in the region… we believe those are things which take time. And sometimes they prevent you not talking to each other for different trust reasons, which are not only cyber security.

Speaker

Floreta Faber


Reason

This comment introduces a long-term, generational approach to building trust and cooperation that acknowledges non-technical barriers to collaboration. It recognizes that geopolitical and historical tensions can impede technical cooperation and proposes a creative solution.


Impact

This insight added a temporal dimension to the discussion, emphasizing that effective cooperation requires sustained, long-term investment in relationships. It influenced the conversation toward recognizing that technical cooperation cannot be separated from broader political and social contexts, and that innovative approaches are needed to overcome these barriers.


Overall assessment

These key comments fundamentally shaped the discussion by challenging conventional approaches and introducing more nuanced perspectives. Floreta’s reframing of cybersecurity as a mindset rather than just technology set the tone for a human-centered discussion throughout. Pavel’s economic comparison and crisis metaphor established both the scale of the challenge and the urgency of proactive cooperation. Timea’s call for ‘smarter policy’ introduced a sophisticated policy framework that moved beyond simple regulatory approaches. Caroline’s observation about universal challenges across development levels democratized the discussion and promoted peer learning. Finally, Floreta’s generational approach to trust-building added a long-term strategic dimension. Together, these comments elevated the discussion from technical problem-solving to strategic, human-centered, and politically-aware approaches to cybersecurity cooperation. They created a narrative arc that moved from threat assessment to collaborative solutions, emphasizing that effective cybersecurity requires sustained investment in relationships, innovative policy approaches, and recognition of the human factors that underpin all technical systems.


Follow-up questions

How can we make arrangements for sharing sensitive technical data across borders without making it public, while still allowing technical people to defend their systems better?

Speaker

Eirik (participant from IT company owned by the Church of Norway)


Explanation

This addresses a critical gap in international cybersecurity cooperation where technical experts have valuable threat intelligence but lack secure channels to share it across borders for collective defense


How do we handle attribution when we find out where cyber attacks came from, and what do we do with this information diplomatically?

Speaker

Floreta Faber


Explanation

This highlights the challenge of translating technical attribution findings into appropriate diplomatic responses and the need for clear protocols on how to act on attribution intelligence


How do our capacities hold up when attacks are severe and target multiple infrastructures simultaneously?

Speaker

Floreta Faber


Explanation

This addresses concerns about scalability of national cyber response capabilities during coordinated or large-scale attacks affecting multiple critical infrastructure sectors


How do we prepare for what a quantum future would look like in terms of cybersecurity?

Speaker

Caroline Troein


Explanation

This identifies the need for forward-looking research and preparation for quantum computing’s impact on current cybersecurity measures and critical infrastructure protection


How can we ensure security for essential services without overburdening the companies that we rely on to operate and innovate them?

Speaker

Timea Suto


Explanation

This addresses the balance between regulatory requirements for cybersecurity and maintaining business viability, particularly for smaller companies in critical supply chains


How do we handle cyber attacks combined with other types of physical attacks simultaneously?

Speaker

Lars Erik Smevold


Explanation

This highlights the need for research and planning around hybrid attacks that combine cyber and physical elements, which could overwhelm traditional response capabilities


How can the industry better engage or have incentives to engage in multilateral processes where governments discuss protection of critical infrastructure?

Speaker

Marie Humeau (moderator)


Explanation

This addresses the gap between private sector technical expertise and international policy discussions, seeking ways to improve industry participation in global governance processes


Disclaimer: This is not an official session record. DiploAI generates these resources from audiovisual recordings, and they are presented as-is, including potential errors. Due to logistical challenges, such as discrepancies in audio/video or transcripts, names may be misspelled. We strive for accuracy to the best of our ability.