WS #193 Cybersecurity Odyssey Securing Digital Sovereignty Trust

Summary

This discussion focused on building resilient cybersecurity governance frameworks that balance digital sovereignty, security, and human rights in an era of rapidly evolving frontier technologies like AI and quantum computing. The panel, moderated by Enes Mafuta from Zambia’s Standardization Technical Committee, brought together cybersecurity experts, policy specialists, and researchers from Africa, Asia, and other regions to explore collaborative approaches to digital governance.

The panelists emphasized that existing cybersecurity frameworks don’t need complete reinvention but require better implementation and adaptation to emerging threats. Atsen Bako highlighted the importance of leveraging established standards like NIST frameworks while addressing the challenge that cybercriminals operate “at the speed of light” while law enforcement moves “at the speed of law.” Several speakers stressed the critical need for human-centric policy design, with Lily Botsyoe using a spider web analogy to illustrate how solutions imposed without stakeholder consultation often fail.

The discussion revealed consensus around several key principles: zero-trust architecture for AI systems, mandatory threat modeling and red teaming for critical infrastructure, and the urgent need for post-quantum cryptography. Participants advocated for policy sandboxing, sunset clauses, and machine-readable policies to ensure frameworks remain adaptable. The role of regional cooperation was emphasized as essential for preventing internet fragmentation while maintaining digital sovereignty.

Civil society’s role in ensuring accountability and transparency was highlighted, with speakers noting that “security without human rights is brittle.” The panelists concluded that building digital trust requires proactive, inclusive governance that puts human dignity at the center while fostering international cooperation to address shared challenges like deepfakes and misinformation.

Keypoints

## Major Discussion Points:

– **Cybersecurity Framework Design and Implementation**: The need to optimize cybersecurity governance frameworks to balance resilience, sovereignty, and global interoperability, with emphasis on leveraging existing standards (like NIST) rather than reinventing frameworks, while addressing challenges in adoption across different countries and organizations.

– **Digital Sovereignty vs. Global Cooperation**: The tension between maintaining national digital sovereignty and ensuring international cooperation, particularly regarding data localization, trusted infrastructure, and regional approaches to cybersecurity that avoid fragmentation while respecting cultural and regulatory differences.

– **Human-Centric Policy Development**: The critical importance of involving stakeholders (especially citizens) in cybersecurity policy design from the beginning, emphasizing transparency, digital literacy, and community-based research approaches rather than treating human engagement as an afterthought.

– **Emerging Technology Threats and Preparedness**: Discussion of frontier technologies like AI-driven cyber attacks, quantum computing threats to encryption, and deepfake misinformation, with emphasis on proactive measures like zero-trust architecture, post-quantum cryptography, and continuous threat modeling.

– **Trust Building Through Accountability and Transparency**: The fundamental role of trust as the foundation of digital security, requiring genuine action behind promises (avoiding “privacy washing”), transparent governance, and multi-stakeholder collaboration including civil society, government, and private sector engagement.

## Overall Purpose:

The discussion aimed to explore collaborative approaches for establishing robust cybersecurity governance frameworks that balance security, digital sovereignty, and human rights in the face of emerging technological threats, with particular focus on how different stakeholders can work together to build trust and resilience in digital ecosystems.

## Overall Tone:

The discussion maintained a consistently collaborative and constructive tone throughout. Speakers demonstrated mutual respect and built upon each other’s points rather than contradicting them. The tone was professional yet accessible, with participants sharing both technical expertise and practical examples. There was an underlying sense of urgency about emerging threats, but this was balanced with optimism about collaborative solutions. The conversation remained inclusive and forward-looking, emphasizing partnership and shared responsibility rather than blame or pessimism.

Speakers

**Speakers from the provided list:**

– **Samaila Atsen Bako** – Security evangelist representing the African region group, from Code for Africa

– **Lily Edinam Botsyoe** – PhD candidate in Information Technology at the University of Cincinnati, from Ghana

– **Enes Mafuta** – Moderator, from the Zambia Standardization Technical Committee

– **Boutife Adisa** – Information Security expert, MPOC Communication Chair at ICANN

– **Audience** – Eirik, works for various IT companies with security in Norway

– **Kozefi Duban** – Dr., African Internet Governance MAG member, sits on advisory panel on AI, co-founded the Global Youth AI Advisory Body, coordinates AI and cyber diplomacy department, coordinates Chad Youth IGF, from Chad

– **Monojit Das** – Dr., Cyber Governance and National Security Researcher at the C-Joint Tri-Service Think Tank under the Ministry of Defense of the Government of India

– **Ihita Gangavarapu** – Cyber Security Engineer and Program Manager at CloudSec Initiative, from India

– **Osei Keija** – Public Technology Interest Specialist, from the Ghana Youth IGF

**Additional speakers:**

– **Gabriel Kassan** – Online moderator (mentioned but did not speak in the transcript)

– **Tracy Huckshaw** – Asked question online (mentioned as asking a question but did not speak directly)

# Discussion Report: Building Resilient Cybersecurity Governance Frameworks

## Executive Summary

This panel discussion, moderated by Enes Mafuta from Zambia’s Standardisation Technical Committee, brought together cybersecurity experts and policy specialists to explore collaborative approaches to digital governance. The session featured structured 5-minute presentations from each panelist followed by Q&A from both in-person and online participants, including contributions from online moderator Gabriel Kassan.

The discussion centered on whether new cybersecurity frameworks are needed or if existing ones require better implementation, with participants exploring human-centric policy design, digital sovereignty, trust-building, and international cooperation. Key themes included the importance of multi-stakeholder engagement, proactive rather than reactive security approaches, and balancing security with human rights.

## Key Participants

**Samaila Atsen Bako** from Code for Africa’s African region group; **Lily Edinam Botsyoe**, PhD candidate from Ghana studying at University of Cincinnati; **Boutife Adisa**, Information Security expert and ICANN MPOC Communication Chair; **Dr Kozefi Duban** from Chad, African Internet Governance MAG member; **Dr Monojit Das**, cyber governance researcher with India’s Ministry of Defence; **Ihita Gangavarapu**, Cyber Security Engineer from India’s CloudSec Initiative; and **Osei Keija** from Ghana Youth IGF.

## Major Discussion Themes

### Framework Design: New vs. Existing

**Samaila Atsen Bako** opened by arguing against creating new frameworks: “I personally believe there’s no real need to reinvent the wheel in terms of design… What I think the biggest issue in terms of what we’re talking about is maybe the differences in how it’s been adopted or implemented by different organisations or even countries.” He emphasized leveraging existing standards like NIST cybersecurity framework and OWASP IoT project.

**Boutife Adisa** took a different approach, advocating for specific new requirements including zero trust by design for AI systems, mandatory AI threat modeling for critical infrastructure, and post-quantum cryptography implementation. He also proposed “sandboxing innovation like UK and Singapore to test AI systems in controlled environments.”

This represented one of the key tensions in the discussion – whether to focus on better implementation of existing frameworks or develop new regulatory requirements for emerging technologies.

### Human-Centric Policy Development

**Lily Edinam Botsyoe** introduced a compelling analogy from a previous session: “The spider story – where a researcher tried to repair a broken cobweb with thread, but when the spider returned, it destroyed the entire web because it wasn’t consulted about the repair process.” She emphasized that “policies must involve humans proactively rather than reactively through stakeholder engagement.”

Botsyoe also reframed the relationship between trust and policy: “Trust is not a byproduct of strong policy. It is a foundation of it. Let’s build with Trust and Mind and not think of it as an afterthought.”

**Samaila Atsen Bako** challenged traditional views of humans in cybersecurity: “An eligible person is your first line of defence and when you equip them with the right tools, then they become literal human shields for you,” moving away from seeing humans as the weakest link.

### Digital Sovereignty and Regional Cooperation

**Ihita Gangavarapu** highlighted the global “shift from free flow of data to regional control and localisation across all government types” while arguing that “regional cooperation enables trusted data flows, shared security principles, and joint R&D on resilient infrastructure.” She cited examples including India’s trusted telecom center and Kenya’s digital ID consultations.

**Dr Monojit Das** brought a national security perspective, noting that “cyberspace is no more just a tool of communication it’s a frontier of warfare after air, space, land, water, cyber is a frontier of warfare.” He advocated for a “whole-of-nation approach involving all stakeholders beyond just government in democratic setups.”

### Trust Building and Transparency

Multiple speakers emphasized trust as fundamental to effective cybersecurity governance. **Boutife Adisa** argued that “security and trust go hand in hand – secure platforms enable greater user trust.” An audience member reinforced this by noting that “trust requires actual security provision and border control to create genuine trust.”

**Osei Keija** provided a memorable framework: “Security without rights is brittle. Security without human rights is brittle.” He also challenged traditional stakeholder definitions: “the definition of civil society should not be a preserve of a certain group… We are all involved… We cannot clap with one hand.”

### Emerging Technology Challenges

The discussion addressed AI-driven cyber attacks, quantum computing threats, and deepfake misinformation. **Boutife Adisa** proposed technical solutions including continuous threat modeling and “policy APIs for machine-readable policies that can spot violations automatically.”

**Dr Kozefi Duban** emphasized “multilateral AI treaties embedding human rights safeguards and intercontinental threat intelligence sharing” and promoted an “AI for Humanity Code of Conduct emphasising AI for peace, security, and freedom of expression.”

**Lily Edinam Botsyoe** raised concerns about “Q-Day” – when quantum computing could potentially break encryption-based protections, highlighting the urgency of post-quantum cryptography development.

## Q&A Session Highlights

**Tracy Huckshaw** asked whether universal cybersecurity standards could work across all countries or if regional approaches were preferable. Responses varied, with some speakers favoring regional cooperation building toward global standards, while others emphasized starting with common challenges like misinformation.

**Eirik** raised questions about balancing trust and privacy, prompting detailed responses about the need for demonstrable security measures rather than “privacy washing with empty banners.”

**Dr Monojit Das** suggested starting “with common challenges like fake news where all nations agree, then build broader cooperation” and proposed “a collaborative portal for tackling fake news similar to Wikipedia’s model.”

## Key Challenges Identified

**Samaila Atsen Bako** highlighted the fundamental timing challenge: “there’s this popular saying in the industry that cybercriminals operate at the speed of light, while law enforcement or The Good Guys operates at the speed of the law.”

**Dr Monojit Das** noted the urgent need for “defining thresholds for cyber warfare and appropriate response mechanisms” and expressed concern about the “shrinking relevance of UN and other international bodies” in cyber governance.

Participants identified the persistent challenge of balancing privacy and security, the need for effective international governance mechanisms, and questions about whether universal standards can work across diverse national contexts.

## Recommendations

The discussion generated several concrete recommendations:

**Technical measures:** Implement zero-trust architecture, establish sandboxing environments for AI testing, mandate threat modeling for critical infrastructure, and accelerate post-quantum cryptography adoption.

**Governance approaches:** Develop multilateral AI treaties with human rights safeguards, implement whole-of-nation stakeholder engagement, and create policy APIs for automated compliance monitoring.

**Capacity building:** Invest in civic digital literacy programs, establish intercontinental threat intelligence sharing, and start international cooperation with common challenges like misinformation.

**Policy design:** Include sunset clauses for regular policy review, embed multi-stakeholder processes in AI governance, and prioritize human-centric design from the outset.

## Conclusion

The discussion revealed both convergence and divergence in approaches to cybersecurity governance. While participants agreed on the importance of multi-stakeholder engagement, human-centric design, and proactive security measures, they differed on whether to focus on implementing existing frameworks or developing new regulatory requirements.

**Enes Mafuta** concluded that “cybersecurity governance is a long journey requiring collaborative effort across all sectors.” The session demonstrated the complexity of balancing security, privacy, sovereignty, and international cooperation while highlighting practical approaches for moving forward through regional cooperation and focusing on areas of common concern.

The emphasis on trust-building, stakeholder engagement, and human rights suggests a maturing field that recognizes cybersecurity governance must serve human needs rather than treating humans as obstacles to security.

Enes Mafuta: Good morning, good afternoon, good evening. In a digital age where trust is the currency and sovereignty the fortress, the challenge lies in building resilient, interoperable systems that uphold both security and individual rights. Recent breakthroughs in frontier technologies, artificial intelligence, quantum computing, innovative encryption methods are transforming digital ecosystems and redefining the cybersecurity landscape. They are shifting the power dynamics between states, private entities and users, exposing vulnerabilities in critical infrastructure such as the recent typhoon, espionage operation and fueling challenges like deepfake misinformation and automated ransomware. Today’s discussions will explore how policymakers, technical communities, governments, civil societies and private sector can collaboratively establish robust governance frameworks, principles rooted in security by design, resilience and digital sovereignty to ensure global interoperability and trust. So allow me to introduce my speakers. First, my name is Enes Mafuta from the Zambia Standardization Technical Committee. I’ll be your moderator. To introduce our online panelist, we have Atsen Boko who is from Code for Africa, who is a security evangelist representing the African region group. And we have also Lily Edinam Botsyoe from Ghana, who is a PhD candidate in Information Technology at the University of Cincinnati. And we have our online moderator as well, Gabriel Kassan, I’m sure he’s online. To come to the room, we have Dr. Khouzeifi Douban, who is our African Internet Governance MAG member, and he also sits as an advisory panel on AI. Then we have Bolutife Adisa, who is an Information Security. I’ve just seen him walking. Please, you can join us. And he’s also an MPOC Communication Chair at ICANN. Then we have our special lady here, Ihita, from India, who is a Cyber Security Engineer and Program Manager at CloudSec Initiative. I’ll go now to Osei Kega, who is our Public Technology Interest Specialist, and from the Ghana Youth IGF. Last but not least, we have Dr. Monojit, who is a Cyber Governance and National Security Researcher at the C-Joint Tri-Service Think Tank under the Ministry of Defense of the Government of India. Ladies, gentlemen, we’re going to have five minutes each to respond to the questions, and from there we’re going to have interventions from the room, and we’re going to also have some questions from the online speakers. So, without wasting much of your time, I’ll start with Mr. Atsen Samaila Boko, who is also online. Now, Atsen, given the rapid evolution of digital infrastructure, and Fortier Technologies. How can the design of cybersecurity governance frameworks be optimized to strengthen both resilience and sovereignty while maintaining global interoperability? Specifically, how can policy evolve to address the operational strategic challenges posed by AI-driven cyber threat and quantum encryption? Atsen, five minutes.

Samaila Atsen Bako: Thank you so much. I hope you can hear me clearly. Yes, we do. We can hear you. Oh, awesome. That’s a bit of a loaded question, but I’ll try to answer it as best I can. I think the beauty of frameworks in our times today is that we’re, I would say, at a stable point. Over the years, they’ve been worked on, they’ve been refined, they’ve been improved. So I personally believe there’s no real need to reinvent the wheel in terms of design. I also think that we don’t need to have too many frameworks per topic, per item, because I think at some point, it’ll just be like a repetition of the same thing, a remixing of what has been done before. What I think the biggest issue in terms of what we’re talking about is maybe the differences in how it’s been adopted or implemented by different organizations or even countries, which obviously we all know will be impacted by things like political will or even the level of development in the country or the budgets they assign to things like this. If I give an example using the cybersecurity industry where I mainly work, there’s a popular NIST cybersecurity framework, which by the way, just got a new version, now it’s in 2.0, that emphasizes the governance aspect of security. However, if organizations do not take their own steps to get familiar with this new version or to adopt it, and others, and upgrade their security practices, then they will naturally be left behind due to the pace of things in tech-related spaces, as you have rightly pointed out. And so when talking about frontier technologies or emerging technologies, a critical approach would be to leverage standards, because standards are widely adopted and trusted if they are solid enough that’s created by people with the right expertise and endorsed by the right bodies. So an example, for instance, if you look at another frontier tech like Internet of Things, the security of them, there’s an organization called the Open Web Application Security Project, OWASP, that released this IoT project to, and I quote, to help manufacturers, developers, and consumers better understand security issues associated with Internet of Things and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies. This means that both the manufacturers and users have a guide, and even regulators can choose the guide as a foundation or template for what the baseline security will look like when it comes to IoT devices, and then when that is enforced by a regulator, then you’ve raised the security bar in IoT devices globally, because standards are recognized globally. And I’d also like to add that there are other challenges. I think one of the key things is the general state of development, digital access, in some scenarios, even scarce subject matter experts or skilled workers, and lastly, the speed of law. And by speed of law, I’m talking about the process it takes for lawmakers to agree on the need for and decide to develop or even review and update laws, because they can become obsolete quite frequently. So there’s this popular saying in the industry that cybercriminals operate at the speed of light, while law enforcement. or The Good Guys operates at the speed of the law, and this implies that it will always be a game of catch-up for us, you know, and we are at the mercy of the interests, knowledge, and priorities of lawmakers and regulators. So, in other words, for policy to evolve and meet the challenges of the day, regulators and lawmakers have to be knowledgeable or hire the right people and appreciate the need to prioritize policy around the development and use of emerging technologies. Only an intentional approach involving the experts, users, manufacturers, and other stakeholders can yield the desired results. I realize that if some of the people in the room or joining us online are in certain countries, then this may be a scary statement I’ve just given a spell out to. I think I’ve physically exhausted my five minutes. I’ll pause there. Thanks, Ernest.

Enes Mafuta: Thank you very much, Axen, and considering that you’ve talked about standards, I come from the standardization side, and one of the things that we have been struggling with is to find a proper mechanism or adoptions of security by design standards and also, yeah, and security systems. Now, I’ll now go to Iheeta. You know, Iheeta, you’ve been part of various regional organizations. One of them is the ITU, and I think you’ve participated in the standardization making process, and also you coming from the Asia-Pacific, so how do you see these countries balance the need of a strong security systems with the preservation of digital sovereignty, especially when deploying security by design within critical infrastructure like telecoms? So, in your view, how can these regional corporates help safeguard sovereignty without creating fragmentation?

Ihita Gangavarapu: Thank you so much, Ernest. Hi, everyone, those joining us in person and remotely. I’m Iheeta Gangavarapu. First of all, I would like to say that the session title is very apt because we use the term odyssey, so it’s been a long and a very long time since I’ve been in a place where I’ve been able to talk about security. So, I would like to start by saying that I’m a big fan of the term odyssey. So, I’m a big fan of the term odyssey, , and the global internet. So this is a meaningful journey in the digital realm and especially towards digital sovereignty. So if you look at from a decade ago, the global internet was held as something very secret. And we used to believe in free flow of data, technology, services. And when we are moving, you’re seeing a shift towards regional control or localization now. And we’re seeing a shift towards localization. And we’re seeing a shift towards localization and localization across countries of all types of governments. Could be democracies or authoritarian regimes, right? And they’re placing serious bets on embedding sovereignty into their digital infrastructure. And I think much of this change that you see is because of the rapid digitalization. From India, since you mentioned it back. Because we’re looking at any kind of especially when you’re looking at critical sectors, like the telecom. It’s not just about stronger encryption or monitoring, it’s about designing systems where, you know, what we’re looking at as countries getting strategy control over data, technology, and access. In India, for example, the government has come up with a trusted telecom center, where a procurement of different telecom equipments to ensure that there is integrity and resiliency in what we incorporate in our infrastructure. And at CloudSec, we have seen firsthand, so we conduct threat intelligence research, and we have noticed that supply chain attacks and different vulnerabilities have been tied to shifting geopolitical dynamics as well. So these insights, you know, show that security by design should go beyond compliance. It is something that you anticipate, you’re anticipating risk at a very systematic level. And I’ll also bring in an enterprise perspective because sovereignty is not just about governments Enterprises are equally invested on one hand, you know, they must comply with national regulations in every jurisdiction They operate in but on the other they must also offer some the customers trust And assurance that the data is secure private and not subject to foreign laws And you’re seeing enterprises today also incorporating enterprise digital sovereignty where they are Demonstrate that you know, they comply with local laws and resist foreign access requests which could affect the trust that customers have on them So given that there are so many dimensions to this that’s where I think regional cooperation comes in to ensure there’s no fragmentation So it the answer lies in Pragmatic alignment where I mean that you need regional cooperation to enable trusted data flows Shared security principles mutual recognition of vendors trusted vendors and even joint R&D on certain Resilient infrastructure and far from fragmenting the internet. It can actually strengthen the whole process And just to add one last dimension to it I’d like to talk about content and cultural sovereignty because digital frameworks from certain like from the countries allow countries to Manage content moderation in ways that reflect their cultural and linguistic norms And in the absence of this kind of a regional cooperation and alignment global platforms may overlook and ignore local sensibilities You know that many may call cultural or linguistic colonialism, so Yeah, I just wanted to highlight over this and I look forward to your next set of questions

Enes Mafuta: Thank you for that, you know in the telecom or in the cyberspace we say trust is a very expensive word Thank you so much for joining us today, and I’m so glad that you’re here with us today. And the way you’ve highlighted it, it’s something that we’ve been talking and talking. But so I’ll go now to Lily, who is online with regard to trust and safety. Lily, I just want you to highlight how these policies and public interest driven approaches can help to reinforce sovereignty without eroding the same trust. Especially when new frontiers like threats like AI or quantum attacks are at play. Lily?

Lily Edinam Botsyoe: Hi, everyone, and good morning, good afternoon or good evening, depending on where in the world you are joining from. I usually will say that I’m so thankful for the gift of the Internet. And today I’ll say I’m thankful for the gift of time zone also, because it allows me to join online before work and also allows me to do this from miles away. So I’m joining you at 315 from Cincinnati, Ohio, and excited to join this conversation. And so I met I met a little bit of what I was describing, but I’m just going to dive into the conversation. Use examples from what we are seeing in research. See just center humans like make this whole process human centric and drive home the points I have in mind. So so thankful for for the audience we have in person and those who also have online. And so one of the questions I mean, the question that is this post has humans at the center. If you look at it critically and like you said, usually trust is so expensive because how exactly do you measure trust? So in this question that he asks right now, we have a very complex variable, which is a human being. And if those are humans, you know, humans would react to things differently based on how it appeals to them. Sometimes using emotions, sometimes using what if what they perceive as safety, sometimes even using what it is that favors them at one point. And then I. I currently do research with users when it comes to the privacy aspect, and which pretty much is language security. So I’m going to go through that aspect to break down what it is that would help us to be able to make sure that humans are actually at the forefront of all that we are talking about when it comes to digital sovereignty in a way that it drives a process to make sure that it works for them, and also to be people who accelerate this process. So one of the things that I’ll start with is just a scenario. I was in a session where somebody spoke about community-based research, and the person she was requesting said something along the lines of, somebody had seen a cobweb. We all know what cobwebs are. So spiders weave cobwebs, right? And when they weave cobwebs, usually it’s so pretty, it can stay for a couple of days, and it can get broken down, or it can stay for as long as, I mean, it’s protected. Now, somebody has seen that a part of the cobweb was broken, right? And a person had seen before the spider weaving a cobweb, and a person went in to try to use thread and a special material to try to complete the cobweb because it was broken. And the next day, the spider came, and this person was a researcher sat at the side waiting to see what the spider would do. And here is where the shocker happened. So the spider came in, and in your mind, you probably think maybe the spider will be happy and say, well, it was broken, so you held me, right? The spider came and destroyed the whole thing. Now, the person threw the question to us and asked, why did a spider behave that way? And the conversation went on, and we came to understand that pretty much the spider wasn’t contacted, wasn’t interviewed, wasn’t asked if they wanted that to happen, or wasn’t asked their view on the process being done the way it was done, and they felt that it was unnatural. So that is what happens in this space of cybersecurity and this space of digital sovereignty. And I’ll break it down as to the reason why. So usually, when we talk about cybersecurity and tech, we usually… I would like to say that things like policies trail behind technology because technology is fast evolving, and then you build so much without usually thinking about the policies that reinforce and make this robust. And sometimes we find that it’s trailing, and we do the catch-up game to try to make sure that all the systems are within a citizen-confined, that it’s protecting humans. At the center of cybersecurity and technology is that key factor, which is the human factor. If humans are not involved, if human views are not sought, usually we see that the adaption or the way that humans usually react to things that we see when it comes to laws, policies, and all of that will be limited. And in essence, there’s so much that will be happening where people will be saying, hey, let’s go back and probably do what they call stakeholder meetings or stakeholder engagement. And sometimes it is more reactive rather than proactive. So answering the question about how trust and safety for digital ecosystems can be pretty much heralded by humans in general, it brings up the whole question of even how government, if it were issues of, say, cybersecurity or not, without involving humans, usually the buy-in is very little. So I’ll give you a past example, aside from what we see with the spider story that I mentioned where even the spiders think that they should have been contacted, and that is the idea of community-based research. And in that context, we say that’s in the context of what we call multi- or multi-stakeholder engagement. When we involve more people from different backgrounds, it is legitimate and it becomes accepted. So in my view, societal confidence influences the success of national security because humans are those that would work with it, that those who buy in to make sure that whatever policies, whatever thing you’re building, it’s really robust and they make sure that it’s functioning. So you can do all the fancy policies, if you don’t involve the humans, they don’t understand it, it’s all going to come crumbling. So for how it can, in essence, breach whatever encryption we know because of how fast and strong it is, right? And they’re talking about Q-Day in this article, and they’re saying, okay, Q-Day is probably looming around, and what Q-Day looks like is a day where everything that is encryption-based or encryption-protected could fail. And me thinking as a user, well, what could that day look like? Is it bound to happen? Because we’ve seen threats from places like CrowdStrike where even airports were shut down completely. And you’re thinking about even a more powerful threat like Q-Day. And even for somebody like me in research, if that got me to panic, imagine my mom who just really uses technology and thinking, what does that mean to us? Some of these threats stifle our use of technology, and it calls on us within this ecosystem to make sure that everybody’s responsibility is pretty much taken into consideration. Government is playing its part. Businesses are playing their part without fail. For example, there have been many instances where users have pretty much lost trust in the system because of things like the concept of, in quotes, privacy washing. So you go into a website, and a company will write this nice label and banner telling you how to protect your privacy. But the actions that follow really is different from what they’re saying. And you’re wondering exactly what it is they’re saying and what it is they’re offering. So in the past, those things that happen even with privacy washing, cybersecurity washing, it’s like promises that do not really stand. And so it doesn’t give the trust to humans to be able to believe in this system. For us in the global South, it’s even well because we are playing a bit of catch-up when it comes to digital sovereignty. We are not in total control of the data, where it sits, how it’s processed, because we are in constant battle with big tech, and our systems and infrastructure are still developing. So if there is something we have to do, we have to do it. We have to do it. We have to do it. We have to do it. We have to do it. , and the other is what do we do to make sure there is this confidence and trust. I will put it in three buckets. The first one is embedding transparency and participation in policy design. We say it feels like a cliche, but like I said, you have to put people from different backgrounds from the different stakeholder groups in one room together. We have a lot of people from Africa and Kenya. They set strong examples with open digital ID consultations. If we can follow the lead globally, that would be amazing. Aside from this, embedding transparency and participation in policy design, I would also think about investing in civic digital literacy. Even the steps to do this is not in the complexity of what it looks like, but it is one of the big things. Like I said, if people don’t understand the risks and the tools at play, whether it is AI, quantum or encryption, they can’t trust or protect themselves. Aside from embedding transparency, let’s also push towards civic digital literacy. I will end with one thing about building cross-border trust. We cannot do it alone. The effort should not be in silos. Some of these frontiers and the innovation we are seeing is not within the national borders. Our response shouldn’t also be standalone and thinking only about national. We should look at how to coordinate a global approach in a way that in our emerging regions.

Enes Mafuta: Lili, your five minutes is up.

Lily Edinam Botsyoe: Thank you. I think I just landed on those three. Thank you so much.

Enes Mafuta: I like the fact that you’ve talked about policy design. There’s something that we’ve always said, that to have a nice policy should be forward-looking and future-proof. Okay, so in terms of trust, we need policies that are forward-looking and future-proof. So now, when it comes to also policy, I have somebody here, Bolutife Adisa. You’ve been in the policy engagements, like you write policy for ICANN in your constituency, NPOC constituency, and you’re a cyber security expert. So I just want you to talk a bit about these policy measures that are needed to enhance trust and security in terms of digital infrastructure and also against just these emerging frontiers threats like AI-driven attacks and quantum vulnerabilities. And also, how can we make them adaptable to future challenges while maintaining stakeholder confidence? Five minutes.

Boutife Adisa: I’m Bolutife Adisa, for the record, and it’s a pleasure to be here today. Okay, thank you very much. Hello, everyone. very limited time, I will just go straight into it. Thank you, Ernest. When we talk about trust and security, I would like to first say that these are not just technical challenges. They are more of social contracts that we need to really consider because to reinforce trust and security, especially when it comes to AI and new digital technologies, I would say we need three foundational policy pillars. So I’m adopting this from a position of operating a critical infrastructure because when we talk critical infrastructure, we don’t just talk protection. We talk resilience. So in order to ensure resilience, first, we need to ensure zero trust by design for AI systems. What is zero trust by design? Zero trust is quite a common buzzword but basically what it means is that we never trust and we always verify so this is sort of a model that should be adopted because it’s mandatory to have multi-factor authentication on some of the systems and to ensure that we don’t have sort of a breakdown that eventually we end up regretting it’s also important to vet the systems not just the systems but the models as well as the data that feeds into the systems and this also should not be a one-off thing it’s a continuous process and then it should be done more regularly and that’s zero trust by design another one is that policy needs to mandate AI threat modeling as well as red teaming for these AI systems so in the critical infrastructure space it’s regulatory requirement actually that you conduct red teaming continuously to check on the resilience of your systems and this is very important because like the earlier speaker said the attackers are moving at the speed of light so it’s important that we constantly test the resilience even when you’re not being attacked you need to ensure that this is in place and then lastly someone talked about quantum computing which is also quite important because right now it’s a race against time the current encryption we have in place how does it stand against quantum computing or quantum power computers and this also now brings the recommendation that we need to think more post quantum cryptography to protect systems especially like AI and other powerful systems that could be exploited and also as good as they are for humanity we can also see the downside of it so very quickly the other part which is How do we ensure that the policy remains multi-stakeholder, remains efficient? I think first of all, we need to look at the UK and Singapore, what they have done in terms of sandboxing innovation. So you put innovators in a controlled environment to really test out and test the resilience of these AI systems. This is very important. It’s also a way to ensure engagement of the required people. Second would be to have sunset clauses and policy APIs. So sunset clauses basically means that policy does not go forever. It gets to a point where it expires and then you can do a review and see if these policies are still adaptable in this context. And also policy API is an important technology development, which we have machine readable policies, such that these systems can spot violations by themselves. And this is also quite important. And lastly, you know, like the IGF, we have the multi-stakeholder process. I think it’s important that this is also still embedded in what we call AI governance or digital technology governance. I think my time is up, so I’d like to give the floor back to you. Thank you very much.

Enes Mafuta: Thank you very much, Bolutife, for that. And I like the fact that you’ve talked about the multi-stakeholder approach in this. And also talking about that, I would also frame it in the context of international cooperation. As you are aware that as new technologies evolve on the market, threats are also evolving. So there is need for international cooperation to ensure that we are in good standing and we are running at the same pace. So I’m going to give the floor to Dr. Kozefi Duban. You are into multiple organizations. One of them is an intergovernmental organization. Dr Kouzeifi, I just wanted to give you a perspective on how international cooperation can ensure that AI and cyber security respect sovereignty and human rights. And also I just wanted to talk about what safeguards are needed to prevent fragmentation and also to build trust and align with these global standards while balancing national interests and collective security. Five minutes.

Kozefi Duban: Thank you, moderator. Good morning to everyone. I’m very honored to speak here today and I would like to thank the predecessors of this very interesting table. Yes, my name is Dr Kouzeifi from Chad. I co-founded the Global Youth AI Advisory Body, coordinating also the AI and cyber diplomacy department and then coordinating also the Chad Youth IGF and Africa IGF MAG member. In the face of emerging threats such as driven AI cyber attacks, deepfake disinformation and quantum-enabled espionage, international cooperation must be grounded in mutual respect for sovereignty while aligning with universal values of human rights and digital trust. As youth advisors, we have co-developed an AI for Humanity Code of Conduct, emphasizing AI for peace and security, freedom of expression and responsible enforcement of international law. So this ethical framework can help guide cyber security cooperation globally, ensuring AI systems are not weaponized by states or corporations in ways that suppress civil liberties. and where state capacity and youth vulnerability are key issues. So we recommend regional capacity building initiatives that link local realities to global frameworks such as the Global Digital Compact through open consultation and public-private partnerships, academic as well. So in conclusion, to prevent fragmentation and foster interoperability, we need multilateral AI treaties, embedding human rights safeguards by design, also intercontinental threat intelligence sharing rooted in trust and inclusivity, and we need also to harmonize cyber norms that balance national digital sovereignty with collective global security. So finally, trust is built not only through technical protocols but also throughout youth inclusion, cultural contextualizations and transparent AI governance. Africa in general is not just a beneficiary, it is a co-architect of secure digital future. So let’s commit to decentralized governance models that reflect these diverse voices and realities. Thank you, Moderator.

Enes Mafuta: Thank you very much, Dr. Khouzeifi, for that. I’ll now go to Dr. Monojit. Dr. Monojit, you’ve done quite a number of research in cyber governance and national security area, most recently in geopolitics. You have expertise in these things. So my question to you would be, how should government prioritize cybersecurity policies to save their national interest in this competitive environment? What strategies should they adopt to balance immediate security needs with long-term digital resilience, especially considering the geopolitical tension around digital sovereignty and the enforcement of critical security measures? You have the floor.

Monojit Das: Thank you, Moderator. First of all, it becomes a bit challenging when you have your predecessors already speaking everything, and you’re coming inside and you have to add on something new. Let me add my bit. So firstly, a disclaimer that although I’m associated with the think tank of the Ministry of Defense, but the views are bi-personal. And regarding to the views that you mentioned about prioritizing the policies, I’ll give you a very recent example of what the government has initiated in India. We have come up with an approach of a whole-of-nation approach. So here, what we have tried is that we have introduced a future warfare course. And this is very much in the open. It’s not classified. And what we have tried to involve is not just from the tri-services, but also the other stakeholders. Because you see, today’s time, infrastructure is not solely residing with the government. In a democratic setup like India, undoubtedly the world’s largest democracy, so we have to take care of the whole-of-nation approach as a first and foremost priority to address these type of issues. So what we have done is that we have brought in all the stakeholders. And this is one such kind we are starting to go off. But my query, or rather I would submit here that the basic understanding here we have all, we are giving our opinion. Largely, it remains same, if not contrasting, but sometimes contradicting as well. But we all remain united to the fact that there should be a central institution, or at least the platform UN, that we are currently sitting and discussing. But with the given passage of time, we see somehow the relevance of the United Nations or the international body at large is shrinking. So we need to have a good discussion between government to government at a larger level should come up beforehand because you see space, cyberspace is no more just a tool of communication it’s a frontier of warfare after air, space, land, water, cyber is a frontier of warfare, domain of warfare rather. So before you know the current scenario what happens every country is in the verge of making the first or the first. So you know there is no threshold in terms of a cyber war or a cyberspace. So what happens there are accepted definitions by some countries that mentions you know if at all a large-scale cyber attack is waged so it can be retaliated with a full-scale war. So what is the threshold? So you know before a country decides its threshold and wages a full-time war or a full-fledged war it is for us to decide and for this I believe we will still need a further discussion at the apex level and the centralized format under the UN which I feel and in addition to this let me also take that since the convergence are more within the UN and the member countries so it should always start off with something like which is a problem to everyone like for example tackling the fake news you know. So these are the common goals which every nation whether they have a diverging views within the UN setup but they do agree to the point that fake news is a challenge. So with this I believe that you know that if at all we can start off with this convergence slowly and steadily we can find out some more areas for collaboration and cooperation that can always help us to form some effective policy that can ultimately pave the way. because otherwise every government has a different interest. For us, it may be different and for countries which may be belligerent to us or which are neutral to us, we’ll have a different strategy and in cyber you cannot trust anyone because always, the cyber actors, we often trace it back to having a state-sponsored support mechanism in some way or the other. And since, as my previous speaker has rightly mentioned, the lack of international law that governs is still because we need someone or some architectural body that can actually oversee because you see the existing mechanism and if you see the International Court of Justice or many such cases, International Criminal Court, but many countries do not recognize that, if you see. So, there should be some form of mechanism. So, with this, I believe my time is close to end. So, I end the word. Thank you.

Enes Mafuta: Thank you, Dr. Monijith. You’ve highlighted quite a number of very important things and one of them that I stood out is about how these fake news, deep fakes, are emerging. And I think governments are finding it so challenging to combat these deep fakes and everything. And it’s creating a different perception in the minds of users and most of these deep fakes, when they are thrown out there, is that there is what we call reputation damage and everything. So, it’s a challenge. So, I agree with you. We really need to move in that step now. I want to bring it to the civil society perspective because we know that civil society plays a key role in shaping accountable and transparent cyber security policies. So, I’m going to invite Keija. I’ll say, from your perspective, you’ve been in the civic space and you’re also a public technology interest specialist. So, how do you see civil society organizations influencing the development of cyber security framework and to ensure that they uphold human rights and social inclusion? Robert and Christine analyzes the issue. Minister of the France will give a signal how to contribute providing the country with several security measures. Emergency de bölging Forward is . Something very long.

Osei Keija: And for the record, my name is Osei Keija and I would like to welcome everyone to this conversation. It is a long journey. Do you believe that the future of cyber security lies in civil society? Just shoot your hand up if you do believe. Awesome. It seems everything is being shelved to us, pushed to us. Oh, civil society, do this. Civil society, do this. And look at the topic. Very long expedition. And for the reason, present for some people. I do acknowledge that civil society organizations play a very crucial role. They serve as the bulwark and indispensable counterweights in cyber security governance. But who should? The question is who are the people there? Is it me and you? Or the tech? Everyone is involved. So I, the term civil society organization should not be there present for everyone. I do believe everyone should be involved. That’s my first argument. Then let’s go into it. What have you been doing in terms of all this conversation? It’s a lot, honestly. Maybe my five minutes may elapse from education to responsibility. I think that a lot of people should be engaged in that. But I don’t think that I am. I think we should be engaged in the conversation about the issues we have to discuss. I think that I agree with the people who are involved in this conversation. And then I Transparency, and all that. But as I mentioned, how many civil society organizations are there in certain marginalized even communities, or even that has access to there? So in that regard, in that nuance, we need to activate something there. We all, I do acknowledge, we all can be activists. We all can be pushing, be at the forefront of things. But how can you and I contribute in a little way in demanding accountability, policy accountability? Lily mentioned about human-centric approach. We will come to that. Bolu mentioned about sunset clauses and all that. You are a lawyer here. In your individual capacity, what can you do to demand accountability? Have you written a letter to your Ministry of Communications demanding about surveillance? And with regard to the balance, which are legitimate powers and illegitimate powers, we need to activate something. How do we energize the base? So secondly, co-creating right-centric standards, something civil society have been doing. And it’s quite seen the case of the EU, I mean, most countries, where there’s co-creation of impact assessment for critical infrastructure. And it’s seen in most African countries to some African countries, where there I say security without rights is brittle. Security without human rights is brittle. It’s at the center of it all, the conversation we are having. And we need to push for an inclusive, equitable human rights for the long-term health of society. Lastly, I would like to talk about another strategy in civil society, it’s forging unlikely alliances. We saw in the case of Brazil when they had issues with WhatsApp and civil society served as a trilateral dialogue where they brought the government inside and also big tech inside trying to just make sure end-to-end encryption protocols were preserved. They serve as a dialogue. I know my five minutes may elapse, but I would like to end here that the definition of civil society should not be a preserve of a certain group. Public interest technology should not be a preserve of a certain group. We are all involved. Yes, we know we cannot be front-runners, but in our own small way, in education, creating awareness, we can cultivate. We can make things happen. So we must continue, what I’ll quote one of my favorite people, is that we must continue with all our intellectual, spiritual, and spiritual energy to campaign for the emancipation of the productive forces. And there’s one African proverb I do love very much. It says we cannot clap with one hand. So let’s try if you can clap with one hand. It doesn’t work. Collaboration. So let’s collaborate. Thank you

Enes Mafuta: Thank you very much Keija. Yeah, we can all be activists considering that We are all affected in one way or another. So let us be activists. Let’s not leave it to civil society alone I know technical communities. Let’s also come together Governments everything. Yeah, all see all sectors. So now I’ll now open the floor to the room We’re gonna have some questions from the room We’re gonna have about maybe 10 minutes for questions from the room anyone who want to take up some questions Or comments Yeah, there’s a mic there No one Okay, Kassan, do we have some questions online? There’s a hand here.

Audience: Question regarding this. My name is Eirik. I work for Various, I’ve been working for various IT companies with security in Norway for many years My question is when you talk about trust, how can you expect trust if you don’t have people making sure they have privacy? How do you make sure that How can you believe that the border control can be creating trust? Because you need to make sure that what is actually provided is secure So it’s providing the secure service would be providing the trust How do you think about this?

Enes Mafuta: Anyone want to go first? Sure, I think I’d like We’ve had a comment on trust from Lily. I’m not sure if she’s still here in the corner. Yeah. Yes Yeah, I think I’ll prefer this thing, but I just want to say I think trust

Lily Edinam Botsyoe: I don’t know if you can see me, I’m trying to get my video on, but I’ll just start by answering. I mean, in essence, craft justice, if you look at it, it’s multifaceted. When I say multifaceted, it requires many things to happen for it to really be achieved. And I give an example, like I said, there’s been the context of what is called privacy washing. Like, you go onto a platform, you see a banner, it has a title that says, hey, we preserve your privacy, or we do whatever, we don’t collect data, we don’t share with people, we don’t sell your data. In the end, it comes a week later, and then you’re getting all of these emails from people wondering how exactly they got your details to be able to even reach out to you. The concept of privacy washing has become so much out there that people do not even trust what it is that they see online, and the action that follows. So what he described is actually true. There is an offering that has to come from whoever is a provider for trust to really be actualized. It is in the doing, the action that you do to back the promise you’ve given to a user, that would ensure that the user trusts in you. Many times, we’ve seen that trust has been trashed in the face of users, and so users do not really trust that the system would even work. So for it to work, we usually would say, do the advocacy, but it’s also ways that people demand this. People are asking that, look, even online, for what it is that you put on there, we want to be able to understand, and then the concept of privacy margin comes in. What you’re putting out there, is this only to promise me, or you really are doing what you say you’ll do? Is there a place I can see how long my data is held for what purpose? Is there a place I can see even who it goes to or who you share it with? So they’re looking for a way to even actualize what is known as situational awareness online, so that people can perceive. whatever it is they see online by way of maybe pop-ups, all these banners, they can comprehend what they’re saying and they can also anticipate any future consequences. So, I would say that what you said is true. There is a need for action to follow for people to trust it. Without the action and the service level agreement being fulfilled, usually users wouldn’t feel the trust. And like I said, users will feel trust for different reasons. It can be that I accept that, yes, I’ve been treated fairly because my data wasn’t shared, or I don’t accept because I later on found that you were holding my data for whatever purpose. If what you said you do, you are doing, it also just bolsters the trust of people, and people also can feel safe using your technology or using your platform. So, that is what I’ll say about it, and I hope that it’s really helpful for you in the context that you were thinking.

Enes Mafuta: Thank you very much, Lily. I don’t know. You want to go? Yeah, I think Lily has covered it all. Okay, anyone wants to? Okay, Adisa.

Boutife Adisa: Yeah, so, Bullet Defe Adisa for the record. In my opinion, I think in addition to what Lily has already said, I think security also goes side by side with trust. So, if you have a secure platform, people are able to trust in what you’re offering and they’re able to use it more effectively, basically. So, the trust also goes both ways. I think you mentioned rightly that whoever is the border control needs to ensure that whatever they provide is trustworthy, and I think that’s extremely important, and it’s also in line with what a lot of the speakers already mentioned. So, yeah, I think ensuring that the platforms are transparent as well as secure is the major recipe for trust, especially for end users, yeah.

Enes Mafuta: Thank you, Adisa. Josefi?

Kozefi Duban: Yeah, I would like just to add two words. I think before to talk about. We need to make sure that we have contained control and regulation. Whatever the language we use, users have to be sure that if they are online, they are, first of all, safe. What they use is also safe and controlled. And for that, we need national mechanisms that will allow us to control this process. It is very important.

Enes Mafuta: Thank you very much, Khouzeifi. Anyone else want to go? Okay, so we have another question from online. I think we take this first before we come back to the room again. The question is from Tracy Huckshaw. It says, do you think there can be a one-size-fits-all set of universal cybersecurity standards that will work across all countries? Or should there be another regional or even economical status focused approach? Okay.

Osei Keija: Thank you very much, Tracy. Very insightful question. There’s nothing like one-size-fits-all, like a silver bullet when it comes to security or, say, cybersecurity issues. But I will say that, as I mentioned, security without human rights is brittle. Whatever we are designing, it must take into account the people. It must take into account the people. They are at the center of it. What are we designing for them good? Are their rights respected? That should be the answer. Policy harmonization may come in. It’s effective. It’s very good. But the core of it all must be the human-centric approach. And co-creation, it being inclusive, not designed for someone and being an afterthought. Why stakeholder consultation? We trade there. No, it doesn’t work that way. Thank you.

Enes Mafuta: Thank you very much. Anyone wants to take that?

Ihita Gangavarapu: Yeah, I think that’s okay with you. It’s actually… Thanks, Tracy, for your question. So the thing about… Although we say standards are something that should be applicable across… Maybe it could be a…

Osei Keija: Thank you very much. It’s been very, very insightful discussion and I hope and my belief and my desire, aspiration that we will live here fortified, energized to work for the common good of all humans, to make sure that our security is the core of whatever we are doing, there’s trust, there’s privacy, and most importantly, humans are the center of everything. And let’s all, in our own individual capacity, our minds, everything, contribute to this cause. Just like the topic says, cyber security or DSA, it’s not a short journey, it’s a very, very long journey. So let’s journey together. Life, they say, is better in company. So let’s all co-pilot. Thank you.

Enes Mafuta: Okay, Ihita?

Ihita Gangavarapu: Yeah. So I thought it was from here. All right, so thank you so much, actually, for this opportunity today. What I understand at Digital Sovereignty is this as a concept, it cannot work in silos, and you need to have a very layered approach. And, you know, we spoke about how regional and national and even actually global cooperation is required in this realm. Then that’s something we’ve been discussing even during WSIS and the GDC discussions as to how, you know, you need these kinds of policies and structures in place. And overall, when you look at the work that’s been done in the cyber security space, could be policy regulation standards, or any kind of activism that’s also done, it has to be flexible, scalable, adaptable, adoptable by countries, organizations, and us as individuals. So I think I’ll leave it to that.

Enes Mafuta: Yeah, thank you. Before I go to Dr. Monajit, Lily, any final closing remarks? Then I’d say no follow.

Lily Edinam Botsyoe: I think I tend to talk a lot. So I’ll just end by saying this. Past isn’t a byproduct of strong policy. It is a foundation of it. Let’s build. with Trust and Mind and not think of it as an afterthought. Thank you.

Enes Mafuta: Thank you, Lily. Atsen?

Samaila Atsen Bako: Yeah, Ernest. I just want to buttress that, you know, we’ve spoken about a lot of things, like multiple interventions that are pushing things in the right direction. You know, things like, you know, AI for Good or AI Ethics or Defense in Depth, Zero Trust, Separation of Duties, Principle of Disprivilege, you know, and while I admit that some of them are technical in nature and not the responsibility of the maybe average person or average internet user, it’s worth noting that our IT and security teams have some support, you know, and so that I do not sound like a prophet of doom or fearmonger, I think I would like to end on positive, sorry, end with positive thoughts. So, the good news is that, you know, policy is just one side of the security triangle, you know, we have technology and people to help as well. So, when dealing with the risk, you know, frontier tech, things like generative AI or quantum computing that can break, you know, encryption algorithms, we should not forget, you know, to enlighten the people and also adopt tools that can mitigate the risks we are concerned about. So, remember that an eligible person is your first line of defense and when you equip them with the right tools, then they become literal human shields for you. So, I prefer this kind of statement than saying, you know, the human is the weakest link in the security chain. So, regardless of your role or capacity, you know, aim to learn more, understand how policies and regulations can be beneficial to you or your organization and you will definitely be playing your part. Thank you so much.

Enes Mafuta: Thank you very much, Adsen. Dr. Monajith, you can go next. Yeah. So, when you talk about the term security, you know, the biggest dilemma is that whether we will be building 10 schools or we will be buying a few helicopters or ammunition, you know, this is the standard dilemma that a country faces every time. And in terms of cyberspace, so it’s either we are going to give the privacy or get the security because privacy and security sometimes we find it don’t come together. So with this I’d like to mention that since my esteemed panelists are already working in multiple fields, you know So let us do something, you know, that can really pave the way for future collaboration like for example In terms of tackling of the fake news, which is I’ll reiterate that it’s a challenge for every country that faces So, you know at least developing some portal and like how you see Wikipedia came up, you know a few years back You know, it was really not so supportive. I’ll not use any other word But you know of late you see it has developed but it’s somehow you’ll find some interesting or some valuable information So at least if at all we can have it something generated from our side, you know There can be one point of contact Then we send in something and then it verifies that whether it is right at least it can start off in a single stem and probably Like how five-year plan used to be there by all government and other agencies So if at all we can plan of something in that way It’s like a five-year plan for tackling fake news So in this way, we can have something a convergence that can really pave the way for otherwise, you know

Monojit Das: Diverging views will lead up to diverging thoughts and you know, we may not converge in some time. Okay. Thank you.

Enes Mafuta: Thank you. Dr. Monaghan, Dr. Koza if you can go next

Kozefi Duban: First of all, I’d like to say thanks to the participant for being here to listen to us. There is no good or bad idea It’s always about discussions. I would like also to say thanks to my collaborators and friends here panelist and also to you moderator for creating this I wouldn’t Forget about Kazan also who is online coordinating the the platform. Thank you also Kazan in conclusion Let me highlight this securing our digital future in the age of frontier technologies demands more than just reactive policies It calls for proactive inclusive and ethically grounded cooperation from in Jemena to Nairobi from Olso to Jakarta. We must build a cybersecurity ecosystem rooted in trust, guided by human rights and resilient by design. As youth, we are not just participants, we are co-creators of the digital compact. So let’s together ensure that the AI service humanities respect sovereignty and protect the dignity of all. Thank you very much.

Boutife Adisa: Thank you very much everyone for listening to us today. I think the panelists have really spoken well. For me, at the end of the day, I think trust and security are essential tools in building the digital backbone for our next century. So when we think security, when we think trust, I would like us to think more in terms of resilience, because it’s important that we don’t wait until things go bad before we look for solutions. So in the security sense, it’s important to always test, always discuss beforehand, always see if your system fails, see if AI probably would not work in certain aspects, so that we will not fall into a situation where humanity suffers from the product of innovation that we see today. So it’s important that we test the resilience of this. And we keep talking, we keep pushing it, pushing the policies, pushing the necessary frameworks that are required to ensure that this system works for our good and not for doom, like some people might think. But thank you very much. I would like to submit on this note. Thank you.

Enes Mafuta: Thank you very much everyone. So my final… Thank you all for your active participation and thoughtful contributions. So let’s continue this vital journey together of building bridges of trust and resilience across our regions. Thank you very much.

Agreement points

Multi-stakeholder approach is essential for cybersecurity governance

Speakers

– Boutife Adisa
– Lily Edinam Botsyoe
– Kozefi Duban
– Osei Keija
– Enes Mafuta

Arguments

Multi-stakeholder process like IGF should be embedded in AI governance and digital technology governance

Embedding transparency and participation in policy design with multi-stakeholder groups

Youth are not just participants but co-creators of digital compact and AI governance

Civil society definition should not be preserve of certain groups – everyone can be activists

Cybersecurity governance is a long journey requiring collaborative effort across all sectors

Summary

All speakers emphasized the critical importance of inclusive, multi-stakeholder approaches in cybersecurity governance, with each advocating for broader participation beyond traditional government and technical communities to include civil society, youth, and diverse stakeholders.

Topics

Legal and regulatory | Human rights | Development

Human-centric approach must be at the center of cybersecurity policy design

Speakers

– Lily Edinam Botsyoe
– Osei Keija
– Ihita Gangavarapu

Arguments

Policies must involve humans proactively rather than reactively through stakeholder engagement

Security without human rights is brittle – human rights must be at the center of cybersecurity

Digital sovereignty requires layered approach with flexible, scalable, adaptable policies

Summary

Speakers consistently emphasized that cybersecurity policies must prioritize human needs, rights, and participation from the design phase rather than treating humans as an afterthought or the weakest link in security chains.

Topics

Human rights | Legal and regulatory | Cybersecurity

Trust requires concrete actions and transparency, not just promises

Speakers

– Lily Edinam Botsyoe
– Boutife Adisa
– Audience

Arguments

Trust requires action backing promises, not just privacy washing with empty banners

Security and trust go hand in hand – secure platforms enable greater user trust

Trust requires actual security provision and border control to create genuine trust

Summary

There was strong consensus that trust cannot be built through marketing promises alone but requires demonstrable security measures, transparency, and actual protection of user data and privacy.

Topics

Privacy and data protection | Cybersecurity | Human rights

Need for proactive rather than reactive cybersecurity approaches

Speakers

– Samaila Atsen Bako
– Boutife Adisa
– Ihita Gangavarapu

Arguments

Speed of law versus speed of cybercriminals creates perpetual catch-up game for regulators

Think in terms of resilience rather than reactive security – test systems before they fail

Security by design should go beyond compliance to anticipate systematic risks

Summary

Speakers agreed that the current reactive approach to cybersecurity is insufficient and that policies and systems must be designed proactively to anticipate and prevent threats rather than responding after attacks occur.

Topics

Cybersecurity | Legal and regulatory | Infrastructure

Similar viewpoints

Both speakers emphasized leveraging existing, proven cybersecurity frameworks and standards rather than creating new ones, with focus on zero trust architectures and continuous security practices.

Speakers

– Samaila Atsen Bako
– Boutife Adisa

Arguments

Leverage widely adopted and trusted standards like NIST cybersecurity framework 2.0 and OWASP IoT project

Zero trust by design for AI systems with mandatory multi-factor authentication and continuous vetting

Topics

Cybersecurity | Infrastructure

Both speakers recognized the trend toward digital sovereignty and the need for comprehensive national approaches that involve multiple stakeholders beyond just government entities.

Speakers

– Ihita Gangavarapu
– Monojit Das

Arguments

Shift from free flow of data to regional control and localization across all government types

Whole-of-nation approach involving all stakeholders beyond just government in democratic setups

Topics

Legal and regulatory | Development | Digital sovereignty

Both emphasized the importance of educating and protecting users through both literacy programs and regulatory mechanisms to ensure people can safely navigate digital environments.

Speakers

– Lily Edinam Botsyoe
– Kozefi Duban

Arguments

Investing in civic digital literacy so people understand risks and tools like AI and quantum encryption

Need national mechanisms for control and regulation to ensure user safety online

Topics

Development | Cybersecurity | Legal and regulatory

Unexpected consensus

Civil society role should be universal rather than limited to specific organizations

Speakers

– Osei Keija
– Kozefi Duban
– Lily Edinam Botsyoe

Arguments

Civil society definition should not be preserve of certain groups – everyone can be activists

Youth are not just participants but co-creators of digital compact and AI governance

Policies must involve humans proactively rather than reactively through stakeholder engagement

Explanation

Unexpectedly, there was strong consensus that traditional boundaries between civil society, government, and other stakeholders should be dissolved, with everyone being viewed as potential activists and co-creators rather than passive recipients of policy.

Topics

Human rights | Development | Legal and regulatory

Regional cooperation strengthens rather than fragments global internet governance

Speakers

– Ihita Gangavarapu
– Kozefi Duban

Arguments

Regional cooperation enables trusted data flows, shared security principles, and joint R&D on resilient infrastructure

Need multilateral AI treaties embedding human rights safeguards and intercontinental threat intelligence sharing

Explanation

Despite concerns about digital sovereignty leading to fragmentation, speakers unexpectedly agreed that regional cooperation and localization can actually strengthen global governance by building trust and enabling better coordination.

Topics

Legal and regulatory | Infrastructure | Human rights

Overall assessment

Summary

The discussion revealed remarkable consensus on fundamental principles: the necessity of multi-stakeholder governance, human-centric policy design, proactive security approaches, and the requirement for concrete actions to build trust. Speakers consistently emphasized moving beyond traditional silos and reactive approaches toward inclusive, forward-looking governance models.

Consensus level

High level of consensus on core principles with strong implications for cybersecurity governance. The agreement suggests a mature understanding among diverse stakeholders that effective cybersecurity requires collaborative, human-centered, and proactive approaches rather than technical solutions alone. This consensus provides a solid foundation for developing comprehensive cybersecurity policies that balance security, sovereignty, and human rights.

Different viewpoints

Framework development approach – reinvention vs. new frameworks

Speakers

– Samaila Atsen Bako
– Boutife Adisa

Arguments

No need to reinvent frameworks, focus on adoption and implementation differences across organizations and countries

Zero trust by design for AI systems with mandatory multi-factor authentication and continuous vetting

Summary

Bako argues against creating new frameworks and emphasizes leveraging existing ones like NIST, while Adisa proposes specific new policy requirements like mandatory AI threat modeling and red teaming that would require new regulatory frameworks

Topics

Cybersecurity | Legal and regulatory

Civil society role definition and scope

Speakers

– Osei Keija
– Kozefi Duban

Arguments

Civil society definition should not be preserve of certain groups – everyone can be activists

Youth are not just participants but co-creators of digital compact and AI governance

Summary

Keija argues for a broad, inclusive definition where everyone can be activists and civil society shouldn’t be limited to specific groups, while Duban focuses specifically on youth as a distinct group with special co-creator status in digital governance

Topics

Human rights | Development

Sovereignty approach – regional vs. national focus

Speakers

– Ihita Gangavarapu
– Monojit Das

Arguments

Regional cooperation enables trusted data flows, shared security principles, and joint R&D on resilient infrastructure

Whole-of-nation approach involving all stakeholders beyond just government in democratic setups

Summary

Gangavarapu emphasizes regional cooperation and cross-border collaboration as key to digital sovereignty, while Das focuses on national approaches and whole-of-nation strategies, with less emphasis on regional coordination

Topics

Legal and regulatory | Infrastructure

Unexpected differences

Trust building foundation vs. outcome

Speakers

– Lily Edinam Botsyoe
– Boutife Adisa

Arguments

Trust is foundation of strong policy, not byproduct – build with trust in mind

Security and trust go hand in hand – secure platforms enable greater user trust

Explanation

This represents an unexpected philosophical disagreement about whether trust is a prerequisite for good policy (Botsyoe) or an outcome of secure systems (Adisa). Both are cybersecurity experts but have fundamentally different views on the causal relationship between trust, security, and policy

Topics

Cybersecurity | Human rights

Overall assessment

Summary

The discussion showed relatively low levels of direct disagreement, with most conflicts being subtle differences in emphasis and approach rather than fundamental opposition. Main disagreements centered on framework development approaches, the scope of civil society participation, and whether to prioritize regional vs. national sovereignty strategies

Disagreement level

Low to moderate disagreement level. The speakers largely shared common goals around human-centric cybersecurity, multi-stakeholder governance, and the need for robust security frameworks. Disagreements were primarily about implementation methods and emphasis rather than fundamental principles. This suggests a mature field where core principles are established but implementation strategies are still being debated, which is healthy for policy development and indicates room for complementary approaches rather than conflicting paradigms

Partial agreements

Similar viewpoints

Both speakers emphasized leveraging existing, proven cybersecurity frameworks and standards rather than creating new ones, with focus on zero trust architectures and continuous security practices.

Speakers

– Samaila Atsen Bako
– Boutife Adisa

Arguments

Leverage widely adopted and trusted standards like NIST cybersecurity framework 2.0 and OWASP IoT project

Zero trust by design for AI systems with mandatory multi-factor authentication and continuous vetting

Topics

Cybersecurity | Infrastructure

Both speakers recognized the trend toward digital sovereignty and the need for comprehensive national approaches that involve multiple stakeholders beyond just government entities.

Speakers

– Ihita Gangavarapu
– Monojit Das

Arguments

Shift from free flow of data to regional control and localization across all government types

Whole-of-nation approach involving all stakeholders beyond just government in democratic setups

Topics

Legal and regulatory | Development | Digital sovereignty

Both emphasized the importance of educating and protecting users through both literacy programs and regulatory mechanisms to ensure people can safely navigate digital environments.

Speakers

– Lily Edinam Botsyoe
– Kozefi Duban

Arguments

Investing in civic digital literacy so people understand risks and tools like AI and quantum encryption

Need national mechanisms for control and regulation to ensure user safety online

Topics

Development | Cybersecurity | Legal and regulatory

Key takeaways

Cybersecurity governance should focus on implementing existing frameworks rather than creating new ones, with emphasis on standards like NIST 2.0 and OWASP

Digital sovereignty requires balancing regional control with global interoperability through trusted data flows and shared security principles

Human-centric policy design is essential, requiring proactive stakeholder engagement and transparency rather than reactive approaches

Trust must be built through concrete actions backing promises, not empty privacy statements or ‘privacy washing’

International cooperation should start with common challenges like fake news where all nations agree, then expand to broader cybersecurity issues

Zero trust architecture and post-quantum cryptography are critical for protecting against AI-driven attacks and quantum threats

Civil society participation should be inclusive of all individuals as potential activists, not limited to formal organizations

Security and human rights must be integrated – ‘security without human rights is brittle’

Policy adaptability requires mechanisms like sunset clauses, sandboxing innovation, and machine-readable policies

Resilience-focused thinking is preferable to reactive security measures – test systems before they fail

Resolutions and action items

Develop multilateral AI treaties embedding human rights safeguards by design

Implement intercontinental threat intelligence sharing rooted in trust and inclusivity

Create sandboxing environments for testing AI systems in controlled settings (following UK and Singapore models)

Establish policy APIs for machine-readable policies that can automatically spot violations

Mandate AI threat modeling and red teaming for critical infrastructure systems

Invest in civic digital literacy programs to help people understand AI and quantum encryption risks

Develop a collaborative portal for tackling fake news similar to Wikipedia’s model

Create five-year plans for addressing fake news through convergent approaches

Implement whole-of-nation approaches involving all stakeholders beyond government

Establish sunset clauses in policies to ensure regular review and updates

Unresolved issues

How to balance privacy and security when they sometimes conflict

Defining thresholds for cyber warfare and appropriate response mechanisms

Addressing the speed gap between cybercriminal activities and legal/regulatory responses

Determining whether universal cybersecurity standards can work across all countries or if regional approaches are better

Establishing effective international governance mechanisms when UN relevance appears to be shrinking

Managing the dilemma between investing in social services versus security infrastructure

Ensuring adequate subject matter experts and skilled workers in developing regions

Creating effective mechanisms for individual accountability and citizen engagement in cybersecurity policy

Suggested compromises

Start international cooperation with universally agreed challenges like fake news, then gradually expand to more contentious cybersecurity areas

Adopt regional cooperation frameworks that enable sovereignty while maintaining global interoperability

Use multi-stakeholder approaches that balance government, private sector, civil society, and individual interests

Implement flexible, scalable, and adaptable policies that can work across different national contexts while maintaining core human rights principles

Balance immediate security needs with long-term digital resilience through phased implementation approaches

Create hybrid governance models that respect national digital sovereignty while enabling collective global security

Develop pragmatic alignment mechanisms for trusted data flows and mutual recognition of vendors across regions

I personally believe there’s no real need to reinvent the wheel in terms of design… What I think the biggest issue in terms of what we’re talking about is maybe the differences in how it’s been adopted or implemented by different organizations or even countries… there’s this popular saying in the industry that cybercriminals operate at the speed of light, while law enforcement or The Good Guys operates at the speed of the law

Speaker

Samaila Atsen Bako

Reason

This comment reframes the entire discussion by suggesting that the problem isn’t lack of frameworks but implementation gaps and regulatory speed. The metaphor about speed differences between criminals and law enforcement crystallizes a fundamental challenge in cybersecurity governance.

Impact

This set the tone for the entire discussion by shifting focus from creating new policies to improving implementation and adaptation speed. It influenced subsequent speakers to address practical implementation challenges rather than theoretical frameworks.

The spider story – where a researcher tried to repair a broken cobweb with thread, but when the spider returned, it destroyed the entire web because it wasn’t consulted about the repair process

Speaker

Lily Edinam Botsyoe

Reason

This powerful metaphor illustrates how well-intentioned cybersecurity policies can fail when stakeholders (especially end users) aren’t involved in the design process. It makes the abstract concept of stakeholder engagement tangible and memorable.

Impact

This story became a recurring theme throughout the discussion, with multiple speakers referencing human-centric approaches and the importance of involving affected communities in policy design. It fundamentally shifted the conversation toward inclusive governance.

Security without rights is brittle. Security without human rights is brittle… The definition of civil society should not be a preserve of a certain group… We are all involved… We cannot clap with one hand

Speaker

Osei Keija

Reason

This comment challenges the traditional boundaries between different stakeholder groups and democratizes the concept of cybersecurity governance. The phrase ‘security without rights is brittle’ provides a memorable framework for evaluating cybersecurity policies.

Impact

This redefined the role of civil society from a separate stakeholder group to an inclusive concept where everyone can be an activist. It influenced the closing remarks of several speakers who emphasized collective responsibility and collaboration.

We have come up with a whole-of-nation approach… cyberspace is no more just a tool of communication it’s a frontier of warfare after air, space, land, water, cyber is a frontier of warfare… So what is the threshold? So you know before a country decides its threshold and wages a full-time war or a full-fledged war it is for us to decide

Speaker

Monojit Das

Reason

This comment introduces the critical concept of cyber warfare thresholds and escalation, moving beyond defensive cybersecurity to offensive considerations. It highlights the urgent need for international agreements on cyber warfare rules of engagement.

Impact

This elevated the discussion from technical cybersecurity measures to geopolitical and military considerations, prompting other speakers to address international cooperation and the need for global governance mechanisms.

Trust is not a byproduct of strong policy. It is a foundation of it. Let’s build with Trust and Mind and not think of it as an afterthought

Speaker

Lily Edinam Botsyoe

Reason

This comment fundamentally reframes the relationship between trust and policy, suggesting that trust should be the starting point rather than the end goal of cybersecurity governance. It challenges conventional policy-making approaches.

Impact

This provided a conceptual framework that influenced the closing remarks of multiple speakers and reinforced the human-centric approach that became central to the discussion’s conclusion.

An eligible person is your first line of defense and when you equip them with the right tools, then they become literal human shields for you… I prefer this kind of statement than saying, you know, the human is the weakest link in the security chain

Speaker

Samaila Atsen Bako

Reason

This comment challenges a fundamental assumption in cybersecurity discourse by reframing humans from being the ‘weakest link’ to being ‘human shields’ when properly equipped. It’s a paradigm shift that empowers rather than blames users.

Impact

This positive reframing influenced the overall tone of the discussion’s conclusion, with speakers emphasizing empowerment and education rather than restriction and control as cybersecurity strategies.

Overall assessment

These key comments fundamentally shaped the discussion by shifting it from a technical policy-focused conversation to a human-centric, collaborative approach to cybersecurity governance. The spider story metaphor and the ‘security without rights is brittle’ framework became recurring themes that influenced how subsequent speakers framed their contributions. The discussion evolved from addressing ‘what policies do we need’ to ‘how do we build inclusive, trust-based governance that empowers rather than restricts people.’ The military/warfare perspective introduced urgency around international cooperation, while the reframing of humans as assets rather than liabilities provided a more optimistic and empowering conclusion. Overall, these comments transformed what could have been a dry policy discussion into a nuanced exploration of the human dimensions of cybersecurity governance.

How can we find proper mechanisms for adoption of security by design standards and security systems?

Speaker

Enes Mafuta

Explanation

This was identified as an ongoing struggle in standardization work that needs resolution for effective implementation

What does Q-Day look like and is it bound to happen?

Speaker

Lily Edinam Botsyoe

Explanation

She referenced concerns about a potential day when quantum computing could break all encryption-based protections, requiring further investigation into timeline and preparedness

What is the threshold for cyber warfare and when does a cyber attack warrant full-scale war retaliation?

Speaker

Monojit Das

Explanation

He highlighted the lack of accepted international definitions and thresholds for cyber warfare escalation, which poses significant security risks

How can we develop a centralized portal for tackling fake news, similar to how Wikipedia evolved?

Speaker

Monojit Das

Explanation

He proposed creating a collaborative verification system as fake news is a common challenge across all countries

How can we create a five-year plan approach for tackling fake news with convergent international cooperation?

Speaker

Monojit Das

Explanation

He suggested structured long-term planning similar to government five-year plans to address misinformation systematically

How can we energize and activate marginalized communities to participate in cybersecurity governance?

Speaker

Osei Keija

Explanation

He questioned how to ensure broader participation beyond traditional civil society organizations, especially in communities with limited access

What specific actions can individuals take to demand policy accountability from their governments regarding surveillance and cybersecurity?

Speaker

Osei Keija

Explanation

He challenged participants to consider concrete individual actions like writing to ministries to demand transparency and accountability

How can we ensure post-quantum cryptography implementation to protect against quantum computing threats?

Speaker

Boutife Adisa

Explanation

He identified this as a race against time requiring immediate research and implementation before quantum computers become capable of breaking current encryption

How can we establish effective international mechanisms for cyber governance given the declining relevance of traditional international bodies?

Speaker

Monojit Das

Explanation

He noted the shrinking relevance of UN and other international bodies in cyber governance, requiring new approaches to international cooperation