Day 0 Event #260 Securing Basic Internet Infrastructure

Summary

This panel discussion focused on securing basic internet infrastructure, examining the vulnerabilities and resilience challenges facing the physical foundations of the global internet. The conversation brought together experts from various sectors including the Internet Society, Cloudflare, the European Commission, regulatory authorities, and Microsoft to discuss how the internet’s distributed “network of networks” model has evolved to include critical dependencies on data centers and subsea cables.

The panelists emphasized that while internet protocols were designed for resilience, the physical infrastructure supporting them faces numerous threats including cable cuts, power outages, cyber attacks, natural disasters, and potential sabotage. Dr. Olaf Kolkman from the Internet Society illustrated these challenges using the example of West African cable cuts in March, demonstrating how preparedness and redundancy enabled the region to maintain connectivity despite significant infrastructure damage. The discussion highlighted the importance of internet exchange points, diverse network connections, and local infrastructure capacity in maintaining resilience.

A key theme throughout the conversation was the critical need for collaboration between governments and private sector operators who own and manage most internet infrastructure. Johannes Theiss from the European Commission outlined the EU’s cable security action plan, which focuses on prevention, detection, response, recovery, and deterrence. Microsoft’s Erica Moret described how major technology companies invest in redundant systems and diverse cable pathways to prevent single points of failure.

The panelists stressed that internet resilience requires continuous cooperation, transparent information sharing about outages and vulnerabilities, and coordinated international responses to threats. They concluded that maintaining the internet’s global, interconnected nature while addressing security concerns requires balancing national sovereignty interests with the fundamental need for international collaboration and avoiding fragmentation that could undermine the internet’s inherent resilience.

Keypoints

## Overall Purpose/Goal

This panel discussion aimed to examine the vulnerabilities and security challenges facing basic internet infrastructure, particularly focusing on subsea cables and data centers. The workshop brought together experts from various sectors – including internet policy organizations, cloud service providers, EU regulators, telecommunications authorities, and major tech companies – to discuss how to strengthen internet resilience through collaboration between governments and private industry.

## Major Discussion Points

– **Physical Infrastructure Vulnerabilities and Real-World Impact**: The discussion extensively covered threats to physical internet infrastructure, using the March 14th West African cable cuts as a key example. Panelists highlighted how subsea cables, data centers, and terrestrial networks face risks from natural disasters, ship anchors, power outages, cyber attacks, and potential sabotage, with these physical disruptions having immediate real-world consequences for connectivity.

– **The Critical Role of Redundancy and Interconnection**: Multiple speakers emphasized that internet resilience depends heavily on having diverse pathways, multiple cable routes, geographically distributed data centers, and extensive network interconnections. The discussion stressed that maximum connectivity and settlement-free peering relationships are essential for maintaining the internet’s ability to “route around” problems when infrastructure fails.

– **Public-Private Partnership and Information Sharing**: A central theme was the need for closer collaboration between governments and private infrastructure owners. Panelists discussed the importance of sharing threat intelligence, coordinating risk assessments, joint funding for infrastructure in economically challenging areas, and establishing formal frameworks for communication during incidents while balancing security sensitivities.

– **EU Policy Framework and International Coordination**: The discussion covered the EU’s comprehensive approach through their Cable Security Action Plan, which includes prevention, detection, response, recovery, and deterrence measures. This highlighted the challenge of coordinating policies across borders while avoiding fragmentation that could undermine the internet’s inherently global and interconnected nature.

– **Communication and Transparency During Outages**: The panel addressed a significant gap in current practices – the lack of systematic communication to end users during internet outages. Unlike power utilities that have established notification systems, internet outages often leave users uninformed about the status and expected resolution of connectivity problems, pointing to a need for better incident communication protocols.

## Overall Tone

The discussion maintained a collaborative and constructive tone throughout, with panelists building on each other’s points rather than disagreeing. The atmosphere was professional and solution-oriented, with speakers demonstrating mutual respect and shared concern for internet resilience. While acknowledging serious challenges and geopolitical tensions, the overall sentiment remained optimistic about the possibility of strengthening infrastructure through continued cooperation. The tone became slightly more urgent when discussing specific vulnerabilities and recent incidents, but consistently returned to emphasizing partnership and shared responsibility as the path forward.

Speakers

**Speakers from the provided list:**

– **Amund Kvalbein** – Moderator from AnalysisMason company, leading the panel discussion on securing basic internet infrastructure

– **Olaf Kolkman** – Principal for Internet technology policy and advocacy with the Internet Society, astronomer by training with long career in Internet technology and policy development

– **Petra Arts** – Director for public policy for Europe at Cloudflare, experienced public policy professional with background from European Parliament and private companies

– **Johannes Theiss** – Head of sector for the EU’s Directorate General for Communication Networks, Content and Technology, political science major who previously worked for German Broadband Association and Vodafone

– **Elise Lindeberg** – CEO of Skygar (data center hosting company in Oslo), former Director for Security and Resilience in Networks at Norwegian Regulatory Authority for telecoms, active in ICANN and IGF

– **Erica Moret** – Director for United Nations and International Organizations at Microsoft, former diplomat and scholar with education from France’s École Nationale d’Administration and PhD from Oxford University

– **Michael Kende** – Online moderator for the event, colleague of Amund Kvalbein

– **Anriette Esterhuysen** – Civil society representative from South Africa

**Additional speakers:**

None identified beyond the provided speakers names list.

# Comprehensive Report: Securing Basic Internet Infrastructure – Panel Discussion

## Executive Summary

This panel discussion, moderated by Amund Kvalbein from AnalysisMason with online moderation by Michael Kende, brought together leading experts from across the internet infrastructure ecosystem to examine critical vulnerabilities facing the physical foundations of the global internet. The conversation featured representatives from the Internet Society, Cloudflare, the European Commission, regulatory authorities, and Microsoft, alongside civil society voices, creating a dialogue on strengthening internet resilience through enhanced collaboration between governments and private sector operators.

The discussion reframed the traditional understanding of the internet from purely a “network of networks” to include critical dependencies on physical infrastructure. As moderator Amund Kvalbein noted, “today, I think it’s fair to say that this network of networks is also a network of data centres and subsea cables. The move to the cloud and now also the advent of AI has made these core physical building blocks of the internet immensely important.”

## Key Participants and Their Perspectives

The panel assembled diverse expertise spanning technical, policy, and regulatory domains. Olaf Kolkman from the Internet Society, who described himself as “an astronomer by training” who found “internet working more interesting than astronomy,” provided technical insights (and notably corrected that he is “not a doctor” and “never wrote a thesis”). Petra Arts from Cloudflare offered the perspective of a major content delivery network operator. Johannes Theiss represented the European Commission’s policy approach through the EU’s Directorate General for Communication Networks, Content and Technology. Elise Lindeberg brought regulatory experience from her role as CEO of Skygar and former Director for Security and Resilience in Networks at the Norwegian Regulatory Authority. Erica Moret from Microsoft contributed the viewpoint of a major technology company. The discussion included civil society input from Anriette Esterhuysen, who raised critical questions about user communication during outages.

## Physical Infrastructure Vulnerabilities and Real-World Impact

The discussion examined various threats facing physical internet infrastructure, with panellists emphasising that while internet protocols were designed for resilience, underlying physical systems create significant vulnerabilities. Kolkman illustrated these challenges using the March 14th West African cable cuts as an example, demonstrating how preparedness and community collaboration enabled the region to maintain connectivity despite substantial infrastructure damage.

Moret detailed multiple threat vectors facing data centres and submarine cables, including power outages, extreme weather events, geographical clustering risks, and damage from ship anchors, fishing activities, natural disasters, and potential sabotage. Lindeberg emphasised that “the internet is physical. It’s not in the sky. It’s not on your phone just driving around in the sky either. It is always linked to a data centre, which is critical infrastructure.”

Kolkman introduced the concept of “hidden correlation of risks,” where multiple infrastructure failures occur simultaneously due to shared physical dependencies. He explained that “sometimes things might be a low risk, high cost, but almost always happen together… if flood may take out, or let’s say an anchor might take out both a power cable and an internet cable at the same time.”

## Audience Engagement and Polling Results

The workshop included interactive elements through Mentimeter polling, engaging the audience on key threats and solutions. The polling revealed audience perspectives on various infrastructure vulnerabilities and potential mitigation strategies, adding a participatory dimension to the expert panel discussion.

## The Role of Redundancy and Interconnection

Multiple speakers emphasised that internet resilience depends on having diverse pathways, multiple cable routes, geographically distributed data centres, and extensive network interconnections. Arts highlighted Cloudflare’s approach of connecting with over 13,000 networks globally to ensure resilience, while cautioning against regulatory barriers that could disincentivise interconnection.

Moret described Microsoft’s strategy of building extensive redundancies with multiple cable pathways, diverse landing points, and Azure regions designed with availability zones as physically separate data centres. Kolkman stressed the importance of Internet Exchange Points in keeping traffic local and reducing the impact of external connectivity failures.

Arts warned that attempts by some large ISPs to introduce payment requirements for interconnection could “lead to disincentivisation of interconnection,” potentially undermining the internet’s foundational architecture of settlement-free peering relationships.

## Public-Private Partnership and Information Sharing

A central theme was the need for enhanced collaboration between governments and private sector operators who own and manage most internet infrastructure. Lindeberg emphasised the need for formalised cooperation between regulators and infrastructure owners, noting that trust and information sharing between government and private sector is essential for preparedness.

Moret described Microsoft’s collaborative approach with governments on joint risk assessments and best practices, while advocating for real-time threat intelligence sharing. Theiss outlined the EU’s systematic approach through their expert group, which is developing coordinated risk assessment methodologies and a comprehensive cable security toolbox.

## EU Policy Framework and Initiatives

Theiss provided insights into the European Union’s Cable Security Action Plan, encompassing five key pillars: prevention through improved risk assessment and monitoring; detection via enhanced surveillance capabilities; response through coordinated incident management; recovery through streamlined repair processes; and deterrence through appropriate consequences for malicious activities.

The EU’s approach includes substantial financial commitments, with hundreds of millions of euros allocated through the Connecting Europe Facility for cable projects. Theiss noted that EU funding supports cables in areas where the business case is not straightforward. He also mentioned the ongoing consultation on the EU Digital Networks Act regarding peering and interconnection regulations.

## Communication and Transparency During Outages

Esterhuysen raised critical questions about communication to end users during internet outages, using South Africa as an example where undersea cable outages left users uninformed. She pointed out that “most people get their internet not from ISPs, but from mobile data providers, and they are pay-as-you-go clients, they’re not even contracted. You are completely in the dark as to what the status is.”

The panellists’ responses revealed this as an under-considered aspect of internet resilience. Lindeberg suggested a shared responsibility model where governments alert users during severe outages while service providers inform their customers. Kolkman advocated for transparent disclosure of dependencies and failures, while Arts highlighted Cloudflare’s radar dashboard as an example of providing public information on internet disruptions.

## Monitoring and Assessment Tools

The discussion revealed both existing capabilities and gaps in tools for assessing internet infrastructure resilience. Kolkman highlighted the Internet Society’s Pulse platform (pulse.internetsociety.org), which provides an Internet Resiliency Index for countries. Arts described Cloudflare’s radar dashboard (radar.cloudflare.com) for tracking internet shutdowns and disruptions.

An online question raised the need for better tools to help governments assess their national internet infrastructure resilience. While some tools exist, participants noted they may not be optimally designed for government use or provide the specific metrics most relevant for policy makers.

## Balancing National Sovereignty and International Cooperation

The discussion addressed the tension between national digital sovereignty goals and the need for international cooperation in internet infrastructure management. Lindeberg offered a perspective that “national sovereignty or national autonomy… and international cooperation isn’t in conflict with each other. They have to live side by side.”

Arts warned that fragmentation threatens internet resilience and should be avoided, while Theiss emphasised that internet infrastructure inherently involves multiple parties and cannot operate in silos. The general view was that effective internet governance requires both respect for national interests and recognition of the internet’s fundamentally international character.

## Key Action Items and Next Steps

The discussion identified several specific initiatives. The EU expert group is committed to delivering by year-end a comprehensive package including mapping of cable infrastructures, coordinated risk assessment methodologies, and a cable security toolbox for member states.

The European Commission will publish a priority list of “cable projects of European interest” under the Connecting Europe Facility funding programme. Implementation of the NIS2 directive and critical entities resilience directive will formalise incident reporting requirements between private and public entities.

Theiss mentioned emerging technologies such as distributed acoustic sensing for submarine cable monitoring, indicating that the EU is developing a technology roadmap for cutting-edge cable monitoring and detection systems.

## Conclusion

This panel discussion demonstrated that securing basic internet infrastructure requires addressing technical, economic, policy, and social dimensions simultaneously. The participants showed general agreement on fundamental principles including the need for public-private cooperation, the importance of redundancy and diverse pathways, and the inherently international nature of internet infrastructure.

The discussion highlighted that internet infrastructure is both physical and global, requiring both national attention and international cooperation. Key gaps identified include the need for better communication systems during outages, improved tools for government assessment of infrastructure resilience, and continued development of frameworks for sharing sensitive threat intelligence while maintaining security.

The workshop’s interactive format and diverse stakeholder participation provided a foundation for understanding the complex challenges facing internet infrastructure resilience, while the commitment to concrete action items suggests potential for tangible improvements in the months ahead.

Amund Kvalbein: So, hello, everyone. My name is Amund Kvalbein. I come from a company called AnalysisMason, and it’s my great pleasure to welcome you all to this panel discussion on securing basic internet infrastructure. So, the internet has proven fantastically resilient against a range of challenges to its operations. And there are many reasons for this. The internet protocols were designed for resilience from the beginning. They’ve been able to scale and adapt as the internet has grown. And today, it is the dominant platform for communication and information sharing. The internet is often referred to as a network of networks, and this distributed model of operations for the internet has proven to work very well. But today, I think it’s fair to say that this network of networks is also a network of data centers and subsea cables. The move to the cloud and now also the advent of AI has made these core physical building blocks of the internet immensely important. We all rely on them every day as a society and as individuals. So with this dependence, it becomes all the more important to understand more about the vulnerabilities of this basic infrastructure, and that is the ambition of this workshop today. So, warm welcome to all of you. And to discuss this important matter, I’ve been so lucky to gather with me a prominent set of panelists here. So what we’ll do now, I will just briefly introduce these panelists. And then… We will talk a little bit more about how you in the audience and both here in Oslo and also online can participate in this workshop. So with me on the stage here today, we have first Dr. Olaf Kockmann. Olaf is an astronomer by training. I don’t know much about his career in astronomy, but I do know that he has a long and very active career in Internet technology and policy development. And today Olaf is the principal for Internet technology policy and advocacy with the Internet Society. Next, I have with me Petra Arts. Petra is an experienced public policy professional. She has experience from the European Parliament and from several private companies. The last five years, she has worked for Cloudflare and today she is director for public policy for Europe in Cloudflare. Jumping now to online, we have with us, not here in the hall today, but online over Zoom, Johannes Theiss. Johannes plays a central role in the EU’s work on the resilience of basic Internet infrastructure. He is a political science major who has worked on Internet policy questions for the German Broadband Association and for Vodafone. And today, he is the head of sector for the EU’s Directorate General for Communication Networks, Content and Technology. Here in the panel, next, we have with us Elisabeth. Elisa Lindeberg. Elisa has worked many years for the Norwegian Regulatory Authority for telecoms, most recently there as the Director for Security and Resilience in Networks. She has been active in internet policy development in ICANN and the IJF for many years, but a bit more than a year ago she made a career change from the regulatory side, and today she’s the CEO of Skygar, which is a data center hosting company here in Oslo. Last but not least we have with us Erika More. She’s a former diplomat and scholar with education from France’s École Nationale d’Administration and a PhD from Oxford University, where she studied the effects of sanctions on Cuba’s economy. She has had a long and distinguished career in international policy development. Today she’s based in Geneva, where she is the Director for United Nations and International Organizations at Microsoft. So a warm round of applause and welcome to our panelists. Very soon these panelists are going to give an introduction to this topic and where they’re coming from on that topic, but before we do that I just wanted to introduce also Michael Kenda, my colleague, who is the online moderator for this event. So Michael will be monitoring the chat here and take any questions that you might post in the chat and bring them here to the audience in due time. We also have another way for you in the audience, both online and here in Oslo, to interact with this. workshop, and that is Mentimeter, or Menti. Some of you might know this tool. So on your screens now, you can basically just see a question. So just to introduce Menti as a tool, for those of you who want, you can either scan this QR code with your camera or you can type in, go to menti.com and type in this code that is written on the screen. And we’ll use this a couple of times during the workshop for you to voice your opinion on some of these questions. So just as a starter, to warm you up to this tool, you can go in there and click where you’re originally from. I guess many of you are in Oslo today, but just to show a little bit the breadth of the audience that we have with us today. Okay. With that introduction and without further ado, we will run this now so that each of the panelists will, as I said, get a few minutes to introduce themselves and where they are coming from and their thoughts on today’s topic. Then we will have a discussion in the panel. I will ask you some questions. You might ask each other questions. And then we will also open up for questions from the audience in due course. So please prepare your questions for these panelists. So first, Olaf, will you give us your perspective on

Olaf Kolkman: securing basic internet resilience? Yes, I will try so. By the way, I’m not a doctor. I never wrote a thesis. I found internet working more interesting than gazing at stars. So I basically, during the PhD research, moved. careers, only doctorandus. But let’s talk a little bit about resiliency and the internet and what is important to that. And I want to do that on the basis of an example, namely the cable cuts on 14 March near the west coast of Africa. There were four cables cut at that day because of a tectonic plate shift or a micro-earthquake or something. And that had an enormous impact on the region. What that impact was was basically connectivity, a lot of capacity to connect outwards disappeared. The internet has always been reliant on subsea cable networks. When the first networks were laid in the US as part of the ARPANET, obviously that was always terrestrial. But as soon as Europe was connected, we needed subsea cables. And after that, you know, they’ve been a hallmark of connectivity across the globe. Anyway, four cables were cut. There were still a number of uncut cables in that region. And what happened is that the West African internet community collaborated together. That’s what you do when you collaborate, to find alternative routes. The internet itself routes around problems. It does that by a protocol called the Border Gateway Protocol, a system called routing. But you also basically have to make sure that the connections are there. That was work that was done way in advance of the cable cuts. And parts of that are having the policy. the infrastructure, the capacities, all in-house to be able to deal with the things that you cannot predict, or that you can predict and that you need to be ready for. At the Internet Society we have a platform which is called Pulse, pulse.internetsociety.org, and there is a very good story about this West African Cable Cut. If you look for Internet Society Pulse and West African Cable Cut you will find sort of an analysis there. But what we also feature on that is an Internet Resiliency Index. For each country we have calculated an index, and in that index are parameters, derived parameters, about infrastructure. What are the number of IXs, the Internet Exchange Points, in a country? Because Internet Exchange Points keep traffic local. And if you keep traffic local, and if an external connectivity in the form of a subsea cable breaks, the impact is lower and you’re more resilient. What is the amount of networks in a country? What is the hackonomy of certain networks? Is there one major transit provider in the country? One major telco that basically handles all the traffic with a few pieces around that? Or is it a nicely volatile environment? We look at security. Security is a proxy also for capability of the local community. We look at the performance of the networks, because also those are, you know, if you have more capacity in country, you might be able to deal more with breakages. And we look at market readiness. also includes, for instance, indices that are about the openness of the regulation, the ability to establish new networks, the abilities to lay cables, terrestrial cables. And what we have seen in the continent, in the African continent, is the enormous amount of capacities that have been built over the last couple of years that allowed the West African community to deal with the breakage of those important cables. But the impact in the end was significant, but there was still Internet and people could still function and could still reach. And of course, I’m talking about the lower layers of the Internet here. But what we also saw is that at the higher layers, people started to realize that they were, for instance, dependent on Microsoft infrastructure to do their work. And there again, having available infrastructure in the form of existing cables, of existing operator networks that people know how to find each other, and having the contacts available to route around the problems, those problems were solved later on the day on 14 March. So, resiliency is about readiness, is about preparedness, is about understanding what can go wrong. And if you have that all in place, the Internet itself will do a lot of magic to give it to you.

Amund Kvalbein: Thank you, Ulla, very interesting. This interplay between the basic or the physical infrastructure and the protocols is an important topic, and I’m sure we’ll come back to that as well, Ulla. I would like to move on to our next panelist, Petra. work for a company that doesn’t own that much of the basic infrastructure but that is still very dependent on it. So please give us your perspective on the

Petra Arts: topic. Yeah thanks and thanks for having me on this panel. It’s really a very important topic also from Klaufer’s perspective. A lot of what Olof said is also kind of in my speaking points. I guess it’s also probably some of us will repeat ourselves a little bit on the topic of resilience I think. From Klaufer’s perspective as you say you know we run a global network which provides a number of services including cybersecurity services for web properties which basically needs a very interconnected network and a very resilient network. To that end we depend a lot on interconnection and that is really the kind of like core of how our network operates. We connect with over 13,000 networks globally so we’re probably one of the most well connected networks in the world and that is to make sure that our data centers, our point of presence that we have all over the world can run our software with very low latency and very securely and very reliably. All those interconnections as Olof was explaining is also to be prepared for any kind of unexpected events that happen daily basically on a global scale. Of course the internet was made to be resilient but of course things can happen. Cable cuts can happen, other events can happen and then of course from our perspective as a service provider it’s important that our network stays up regardless of what happens. So interconnection and finding a different path and that our network can actually route around the issues is very very important and it is also something that obviously our engineers are are working on on a day-to-day basis to make sure that that is the case. So this is one of the most, you know, important aspects I think for us is that interconnection is not, let’s say, disincentivized. And we see that obviously from, sometimes from a regulatory point of view or from a government approaches point of view, that that’s not always something that people think of, that interconnections and peering and transit and other kind of ways to interconnect are really essential for companies, for governments, for anybody who is connected to the Internet to make sure that there are as many paths to follow as possible, which leads to more better redundancy, it leads to more resilience, it leads to faster connections as well and lower latency. And, you know, some of the discussions that we see, and I’m obviously from work in Europe, so I work in Brussels, so we talk a lot about the regulatory environment there. There are sometimes, you know, ideas that are being brought forward in some debates in the policy space that are talking about, for example, paid peering or kind of introducing payments in a system that usually is based on trust and based on settlement-free kind of relationships. As we know, you know, this is sort of also explained, it’s based on preparedness and engineers making sure that the connections are there, that need to be there. So if, you know, some parts of the ecosystem, in this case large ISPs mostly in the European area, trying to say, you know, there needs to be a contract, there needs to be payment, needs to be additional cost for all networks to connect to each other, that obviously is problematic, I think, from our point of view, from a resilience point of view as well, because it can actually lead to disincentivization of interconnection, that you would not necessarily have more interconnection points if you would have to bear a lot of costs to do it. And I think it also goes against the kind of… you know, nature of the Internet as a network of networks and a kind of organic way to connect to each other, and we all have an interest to connect to each other. So that’s, from my perspective, I think, one of the main issues to the topic of today.

Amund Kvalbein: Thank you. Very interesting. I think we’ll also return to this point about the Internet being built borderless and with incentivizing maximum connectivity and interconnections and how that hopefully can continue to be the case while also catering for other worries that people have about the Internet. I would like now to move to our next panelist, which is Johannes. Johannes is not on stage, but he will come up here, I think, on the screen. Johannes, you work with the EU, who obviously shows a lot of interest in the Internet and has lately also been showing particular interest in the topic of subsea cables, which is a very important part of the basic Internet infrastructure. So, Johannes, can you introduce us a little bit to the work you’re doing there? Hello, can you hear me well? Now we can hear you, thank you.

Johannes Theiss: Very well. Okay, well, thanks, first of all, for having invited me and the European Commission to this panel discussion, and perhaps before I go into some of the overviews, one comment as already kind of now the topic was flagged a bit, and I think it’s not perhaps the core topic of today, the question of peering and those types of issues, but the European Commission has an ongoing consultation. on an upcoming regulation at the end of the year called the Digital Networks Act. So if you have views that you would like to contribute, now would be a good time to talk about that specific issue. So I will not touch about this later as it’s not perhaps the core of this panel, just since it was brought up. What we are doing in the unit I work on is we contribute to something that the EU published at the beginning of this year. It is a joint communication on an EU cable security action plan. So a bit to what Olaf said in the beginning, that resilience is a cycle, there are several elements to it. And as policymakers we try to have these elements on the radar, not least because there have been some incidents in particular in the Baltic Sea that rose the political limelight on the this important topic and the resilience of submarine cable infrastructures. So when I talk about the resilience cycle and here I would go a bit into its various elements which are described in the action plan, you would have basically four to five points that cover the cycle from prevention, over-detection, response and recovery up to deterrence. And the action plan tries to really tackle or propose some ideas and action on all of these points. The part that my unit is working most on is the pillar of prevention. And here there are of course several issues, transposing ongoing legislation, also developing new technologies, but in particular, and I’m happy later on to dive into some of these elements a bit more in detail, we have formed an expert group with EU member state authorities that was done after already publishing a recommendation last year, and this expert group is supposed to deliver by the end of this year a mapping of existing and planned cable infrastructures, a coordinated risk assessment based on an overview of what are the existing threats vulnerabilities and dependencies so also tackling economic security aspects, then come up with a mitigating a set of mitigating measures and we call that a cable security toolbox. Some of you might know that I’ve worked in the field of 5G might know the 5G cybersecurity toolbox so we try to kind of mirror that approach and also having some of when I talk about risk some of these risks could even be combined into into scenarios that can then be stress tested and there might even be funding for that made available from from the EU budget and then last but not least we are funding already cables that that have a difficult case difficult economic viability we have a program called the connecting Europe facility and there is already hundreds of millions of euros going into this and there will be further investments under this program coming up but what the expert group will will deliver on by the end of the year is a so-called list of priority areas of interest we call them cable projects of European interest. Then without going into too much detail into the other topics when we talk about detection it’s all about how can we integrate more surveillance mechanisms that that exist connect more data that’s available because there’s a lot of data available it’s rather a question of how to bring it together and how to make sure it reaches the right addressees and then also increased how technology can help with that know what about the role of drones what about the role of sensors so there’s a lot we could discuss there when we discuss response and recovery it’s a lot about repairing and maintaining the cable so we have the issue of are there enough ships available how good are the ships How new are they? And we might touch on that a bit later. Who finances these ships? How profitable is it to work with them? But of course, also general crisis response frameworks, which are very important. And then finally, the whole deterrence block is really also about international relations, proactive cable diplomacy. It’s of course sometimes difficult to attribute certain incidents because it’s not always clear. So it’s important to respect the international rule book that is in place, and then make sure that if certain of these incidents can be attributed, that the actors are held responsible and to prevent future incidents on these types of infrastructures. But I’ll probably stop here and happy to dive into details later on during the panel. Thanks again.

Amund Kvalbein: Excellent. Thanks, Johannes. And I think this topic of what the EU or governments do versus what the owners of this infrastructure, which is often private, and how they work together is a key issue that we will touch more upon. Elisa, you have spent a lot of your life in working on the resilience and the security of internet infrastructure in various capacities. Can you give us your introduction to this topic?

Elise Lindeberg: Yes, thank you. I’ve been talking about, as you said, the important discussion about the cooperation between the regulators and the regulating side, and who actually have to do this and have to live by it, and also have to provide the security that we need to have the trust in the internet. services that we’re now going to build up. So from going from the regulation that I worked a lot of years with the regulatory side, it was always fascinating to see how this was something that was taken for granted or not even considered a problem in the beginning when I started about this, working with the resiliency. And then suddenly it was the main topic for the trust in the internet services and the internet layer on top. Because the internet is a very solid structure. As you said, it’s also a net of networks. And in IGF, we always talked about how solid that is in itself. But we forget that the internet is physical. It’s not in the sky. It’s not on your phone just driving around in the sky either. It is always linked to a data center, which is critical infrastructure. It’s fiber, and it’s networks, and it’s cable, and it’s undersea cables and everything. And what we have seen is that when we talk about the internet and the use of the internet and all the fantastic things that we can do on the top layer, developing internet services and building a lot of functions, critical functions in the community and in the society, is that there is now, as I at least experienced it from the government side, when something happened, it’s zero tolerance for failure. Not only because we have critical services on top, but also because people are used to these services always being there. So you have zero tolerance for the services going down, and you have layers and layers and layers of all private companies and everyone relying on each other, and in the end, relying on the physical layer, on the bottom line. That is both power, and it is the physical infrastructure. Data centers are cabling. So I think it’s really interesting that when we talk about the development of the internet. the Internet and all the possibilities that we have, which is basically the backbone of this IGF and this multi-stakeholder community discussions, we should also have thorough discussion on the physical infrastructure layer. And it needs to be a cooperation between the one who builds it, not only the regulating side, but the one who builds it and the one who uses it. And to not lose that perspective. And it’s also a question about payment, that some of you spoke about. Because it’s going to be, in this, in the world today, there’s more insecurity about how secure the Internet connections are and the fibering and the undersea cables and everything. And if we’re going to secure it even more and have more redundancy on it, it’s going to cost money. It’s also going to cost money to build very secure and stable Internet services in the data centers. You know, it’s going to take and have enough power and have enough redundancy. And that has something to do with the whole cost picture. So maybe we need to realize that to build trust in the Internet services, we should have the infrastructure layer more into the debate also in IGF forums, like we do today. But that has been somewhere missed in the past, because we’ve discussed more the Internet itself and not the infrastructure around it. Yeah. Thank you.

Amund Kvalbein: Great. Thank you. Thank you, Elisa. Erika, you represent one of the biggest players on the Internet, I would say, who owns and operates a lot of this infrastructure. You’ve invested heavily in both data centers and subsea cables. So you build this resilient Internet together with others. part of it. What is your perspective?

Erica Moret: Well, thank you very much, first of all, for the kind invitation to join you today. You can hear me okay? Yeah. The last time I had a system like this, I was saying earlier to the organizers with headphones, it was in a cryptocurrency conference and there was very loud music playing at the same time. So I’m glad this, this setting is slightly more manageable. And so, as you said already, very rightly, Microsoft operates one of the largest global networks of fiber and subsea cables. And it also owns and operates a vast network of data centers around the world. We jointly own major submarine cable systems like Maria and also I meet you, which are transatlantic cables to ensure high capacity connectivity between continents. These investments are designed to increase the geographical diversity of cable landings and reducing single points of failure and enhancing network resistance. Likewise, Microsoft Azure spans 60 or more cloud regions in over 140 countries, which houses data in over a hundred highly secure facilities, which is a scale that underpins the responsibility and safeguarding reliable and resilient internet infrastructure. So you asked me to talk a little bit about some of the challenges and risks that are at play and the panelists have already outlined this very eloquently, but I’ll focus first on data centers here as one of the backbones of the internet, which face their own distinct set of challenges. They require enormous stable power supplies and cooling, hence power grid failures or extreme weather, including heat waves, floods, earthquakes, hurricanes, and so on can threaten operations. Physical attacks or sabotage are rarer, but not impossible. And as critical hubs, they could be targets for hostile actors or criminals, even an accidental fire or localized disaster at a large data center can knock out services for millions of users. Another often overlooked risk. with geographical clustering. If many cloud facilities are in one region, a single regional event, a wide area blackout or an earthquake could affect them all simultaneously. And turning to submarine cables, they’re of course also prone to damage from ship anchors, fishing activities, natural disasters, and also malicious tampering and sabotage. In sum, both cables and data centers are single points of failure in the digital economy and for users worldwide, if not made users of the internet, if not made resilient against these various threats. And these challenges really underscore why this discussion today is so vital and paramount. At Microsoft, we have comprehensive approach to mitigating these risks at both the physical and logical network layers. We’ve built extensive redundancies into the network,

Elise Lindeberg: deploying multiple cable pathways and diverse landing points so that if one link is lost, traffic can be rerouted to other alternate routes. Also internally, we continuously monitor all network links for performance degradation or outages using advanced telemetry tools. And this early warning system combined with predictive analytics allows near instant rerouting of internet traffic if a cable fails. In data centers, redundancy is critical. Azure regions are designed with availability zones, which are physically separate data centers with independent power and cooling systems to sustain operations even if one facility goes down. Microsoft data center architecture equally seeks to ensure critical services can fail over to alternate sites, providing high availability and disaster recovery capabilities. I was gonna talk a little bit about our collaboration with government and stakeholders, but maybe I’ll save that in the interest of time to the next round of questions.

Amund Kvalbein: Excellent. Thank you. Now we’ve gotten some interesting. introductions and perspectives on this topic from our panelists. Before we move on, I would now just like us to move to a metameter, if we can get that up. So for you in the audience, let’s see, do I control this one now? Yes. So we have a question for you, which is a simple but open question. Several of the panelists now have touched upon several threats or challenges to the basic Internet infrastructure. We would just like to hear from you, what do you think are the most important or challenging threats against the basic Internet infrastructure? So if you go to a metameter here now, you should get up like a small text form where you could enter your reply in a few short words, and they will show up here, and there will also be the possibility to, I think, give the different options a thumb up or a vote so that we can get a picture of what, if there’s a consensus in the room or whether there are opinions in all directions, which there might be. Excellent, so we get a lot of different challenges here. Several of you mentioned power outages, which are a major source of outages. There are answers along the attacks, both against BGP specifically. more general cyber attacks, malicious actors. Several of you mentioned topics having to do with governance, politics, regulatory fragmentation, and poor and conflicting legislation. All very good and interesting perspectives. Now we will go into some discussion, some topics. I have a few questions for the panelists. I assume you do in the audience as well. If you want, you can post some of them in the chat in Zoom, or in a few minutes, you will also be able to do it here in the room in the microphone. If you are with us online, you will unfortunately not be able to to speak your question. But if you put it in the chat, then Michael, our online moderator, will convey them here to the audience. We see from the topics brought up on the wall here, and several of you also mentioned it, this interdependency between the basic internet infrastructure, kind of in the middle, and other infrastructure that supports it in terms of power, in terms of repair capacity, in terms of civil works, and also the protocols on the higher level. So these parts all must work together. Olaf, you mentioned when we talked before this, you mentioned the notion of hidden correlation of risks. What do you mean by that?

Olaf Kolkman: When I said that, sometimes disasters happen at the same time. A power outage or a software problem that causes a power outage, something that relies on the internet in the power center, things that are related that you at some direct point do not see as related. For instance, a lot of people will make a risk diagram, likelihood costs, and put crosses on that. And sometimes things might be a low risk, high cost, but almost always happen together. I don’t have an example in this context, but this is something to think about when you are thinking about resiliencies and risks that you have within the system that you operate. I want to go back and say something about the things that we identified on the slide as being risk to infrastructure. As far as I can tell, all those things are relatively isolated geographically. A power outage is almost always with a geographic scope. The Iberian Peninsula is a more recent example. The internet as a system, as a global system on which we relied, has never seen an outage. And I think that very critical services should think about, for instance, that geographical spread that was talked about, because that allows for catching up your back-end services at least. So you always have to think about what is what I’m protecting against. and what are the things that, in your risk-based approach, what are the things that cause real harm and have a high impact? But when you do so, if flood may take out, or let’s say an anchor might take out both a power cable and an internet cable at the same time, and that would be a sort of hidden correlation, that would be an example. Yeah. So this is a more open question, and I’ll start with you, Erika, but the others here, feel free to add into this. We discussed a bit earlier about, call it the division of labor between the governments or the regulatory authorities on one side and the large internet actors, which you represent on the other side, who owns and builds and operates this. How do you work with these governments to secure this infrastructure? And on the tail of that, do you have a wish? Would you like to ask something from these governments? What could they do?

Erica Moret: Yeah, thanks, that’s a great question. We work very actively and proactively around the world in different types of partnerships with governments and other stakeholders, and very much in local context as well with national governments. And so, a key wish, that’s a really difficult one, but I think I would say for governments to continue and perhaps do even more in terms of actively partnering with industry and with other stakeholders, civil society and so on, as the cornerstone of resilience, I really think that public-private partnerships should be embraced and are incredibly important here. And I think there’s a number of key elements to that, and again, the panellists have done such a great job of outlining some of these areas already, but I would say sharing the threat intelligence is a really important one in real time with companies to pre-empt attacks and vulnerabilities. As part of, giving an example, as part of industry coalitions, Microsoft contributes to joint risk assessments and also adheres to best practice standards for critical infrastructure, so I think working together with governments to get that right is very important and have a kind of constant conversation and a trusted feedback loop is vital as well. I think second would be investing in redundancy, such as supporting back-up subsea cables or extra data centre capacity to eliminate these single points of failure that we’ve been discussing today is again a really important area. The third is the need for coordinating internationally, so that cross-border issues like undersea cable repairs or common security standards are handled swiftly and collaboratively, and that of course is a big challenge in today’s geopolitical climate and it really underscores why meetings like these I think are very important as well for fostering trust and building those relations. And then I think a final one would be policy support. In the case of Microsoft but also other companies, we’ve joined efforts to designate and treat key data centres as critical national infrastructure, which can help to facilitate better government support during incidents.

Amund Kvalbein: Excellent. I think Elisa, you want to comment on that? I know this is right up your alley.

Elise Lindeberg: Yes, it is. We’ve been discussing this in Norway for years, you know, how to share the threat picture between the governments who sit on a lot of information. And it’s been kind of a siloed thinking in the past because this is something that intelligence keep close and they don’t want to spread it. And again, you miss out on using all the power that sits on the companies and the infrastructure owners to dive in and actually help in a situation where communication is cut off, which is one of the basics that we need in every critical situation, as Ukraine also shows this morning how it really matters. So to trust each other and to make some sort of formalized discussion between the companies and the government on that side is needed, and I think basically all governments are working on this now, at least as I know in Europe, that this is an issue. So this cannot be said enough times, I think, that we need this cooperation to be more thorough and even be like a baseline for preparedness and readiness in the community and in society. So that I very much agree on, yes.

Amund Kvalbein: Any others in the panel who have a view? Johannes, you represent basically, not the government here, but the EU as an important regulator, player here. What role do these infrastructure owners play in the interaction with you?

Johannes Theiss: Yes, can you still hear me well? Seems to be the case. So indeed, first of all, when I think about the metameter question and government being mentioned or regulators being mentioned many times with a negative connotation, I hope at least as EU we try to make a positive contribution to the regulatory landscape, especially when it comes to improving coordination, both between… between governments, so cross-border was mentioned, but also between governments and private entities. Perhaps a couple of points that I would like to make. So first of all, some of these exchanges are already formalized, in particular, through recent legislation that came into force. To mention two, the NIS2 directive is one, and the critical, so that’s about cybersecurity focus more, but it has a broader approach, also tackling some physical elements, and then the critical entities resilience directive. These directives really formalize the exchange, especially when it comes to incident reporting between private and public entities. So in the EU, these are really, although they are directives, they have to be transposed nationally, but they seek to kind of create a more harmonized situational awareness. Then, of course, when it comes to the funding side, there’s also regular exchanges. I mentioned before already the SEF funding program, so Connecting Europe facility, because we see, of course, that there is a concentration, the market goes where it makes sense and where there’s already a lot happening. If there is an internet exchange point, if the latency is short, then that’s where you go. And those things are at times not necessarily creating increased resilience, no, because for that, you need more redundancy and not necessarily more of the same. So it’s important to strike there a good balance between the two, and that’s why we have been investing under SEF already for quite some time. And actually, currently, there is still a funding round, we call those calls, ongoing, where the evaluations are taking place, and you will see some results in the next coming weeks and months, where, again, the submarine cables will be supported, especially in areas where. business case is not straightforward. And many times, some of you mentioned this already, these are of course consortia that come already together. They propose a certain project and then it’s co-funded, so it’s not entirely from the public purse. But when private sector is going somewhere, they might need a bit of a bridging, a bit of support to bridge the viability gap. And that’s what these funding programs are for. And then last but not least, of course, we are also in regular exchange with companies when it comes to any types of threat analysis and potential mitigating measures. I think Erica mentioned already some of the faults that may be related to submarine cable incidents. That’s precisely information that we, of course, are interested in and that we also learn through our exchanges with private companies, who, by the way, are regularly invited sometimes to speak with our experts in the expert group. It’s true that there is always then a certain realm of sensitivity, which makes it a bit harder to be, let’s say, too forthcoming in what is being made public or not. But in any event, we try at least as much as possible to facilitate these exchanges. And so far, I would say, it seems we have been on the right track with the proposals that we have put forward. When you read through the cable action plan and also for the recommendation last year, you would see that many of the things mentioned are reflected quite well. Last point, because Olaf mentioned it, the accumulation of things that can happen, take the power and telecoms cable cut, that actually did happen at the beginning of the year. So these are things that are really not in season. They’re happening in practice and it’s important to mitigate those types of situations. Thanks.

Amund Kvalbein: Great, great. Thank you, Johannes. So, I would like us to turn quickly to Mentimeter again. We have another question. Oops, we have another question for you. So, moving from what are the challenges, the threats, what are the most important actions that governments and private companies and or private companies can take to strengthen internet resilience? There’s a question for you. Not a simple one, but we’d love to hear your thoughts on that. And while you are typing in those, I would again like to encourage those who participate online to post your questions in the chat and Michael will convey them. And then I have, of course, many questions in my head that I would like to get the answers from this panel, but I’m sure you do as well. So, I very much hope that you in the audience will also raise your hand and take this opportunity to ask our panelists about this topic. Just seeing what comes up here. That’s an interesting one. Avoid national autonomy. That’s an interesting topic. Some of the panelists might have words to say on that. Diversity is mentioned by several. Partnerships, collaboration, cooperation, education. Contribute to a redistributed internet. implying that it’s not as distributed anymore, perhaps, as it was, I don’t know. You might disagree or agree in that. So I think I’ll leave the microphone open now, in case any one of you has a question to pose, and while you prepare your question, I don’t know, maybe one of you in the panel would have a comment on exactly this. Oh, sorry, here is the first question already. Let’s go to you. Ah, lovely. Thank you very much.

Anriette Esterhuysen: My name is Anette Esterhuisen, I’m from South Africa, very much affected by undersea cable outages. I’m from civil society. My question is, none of you have touched on this particular topic, whose responsibility is it to communicate to the end user that there’s an outage and that there’s an attempt to work around it? For an internet exchange point, the peering points will let their members know. Data centres will let their clients know. If you, in the case of a power outage, you usually would be informed by the power utility or you’d have an app, like in my country, where the power goes down every other day, and there’s an app that tells you what the load shedding schedule is. But when it comes to internet outages, you essentially need a newspaper subscription to a business newspaper, which is not something that’s available in the public at large. Most people get their internet not from ISPs, but from mobile data providers, and they are pay-as-you-go clients, they’re not even contracted. You are completely in the dark as to what the status is. If you have fibre to the home, your fibre provider might update. you, but they often actually don’t. So that’s my question, is that something also in this partnership you’re talking about between regulators, government and private sector, to try and centralise in some way that there’s active communication and interaction with the end user?

Amund Kvalbein: Thanks. So Elisa, you raised your hand or Olaf, do you want to start Elisa?

Elise Lindeberg: Yes, if it’s an outage that is critical enough, obviously, that’s the government’s role to alert the one who’s been affected by it. It will always be like that. So if it’s severe enough, you will hopefully have systems in place so the government will react and also send out, I mean, and communicate with what is available for the users. But it’s also, you know, the service provider, the one who gives the services, they also need to alert their users, but also the government probably. So in my experience, if it’s severe enough and if it’s enough individuals or companies or whatever that is affected, these are systems that should be put in place. That is why we should have, you know, coordination and coordination between governments and private companies and this put in place as a system upfront, because it’s both, it’s not one of

Olaf Kolkman: the other. Oh yeah, Henriette, this is not a question to punt. I think it’s an important question. But I’m going to return the question a little bit. Are you aware of any best practices that are executed anywhere on the globe? Because this seems to be a thing where through national IGFs, regional IGFs, something might percolate upwards and become best common practice. You’re not aware, I see you shaking your head.

Anriette Esterhuysen: No, not for internet outages. I think for internet shutdowns, I think you now do have to some extent there are civil society organizations that monitor internet shutdowns and they’ll communicate that fairly widely. I think for power outages you have at a national level, I think now, you know, a much more structured approach. But I think for internet outages, and also it often doesn’t, you know, the way that undersea cables work, there is a lot of redundancy. So it doesn’t necessarily affect everyone at national level in the same way. It depends very much, if you’re in an academic network, you might have access to different cables to people that get their internet through mobile network. No, so Olaf, I’m not aware of good practices. And I think governments are not set up. I think many countries don’t even have centralized communication about ransomware attacks or cyber attacks or cyber breaches. Information regulators are getting better at making alerts about data breaches, public. But this type of outage, infrastructure outages, I’m not aware of any. But maybe someone else in the room is. Thank you.

Amund Kvalbein: Michael, I think there is a question from the chat.

Michael Kende: That’s right, hi. There is a question online. There’s about 20 people that have been participating. And Vahan asked a question. Should we create a tool for the governments and regulators so they can check how resilient is their internet infrastructure? And some of those tools that he said Olaf mentioned be IXPs, regulations, interconnections, so I think some of this would be ways to strengthen it, but also if there are tools and if you can fill in how that might look that could help governments and regulators to determine how resilient everything is. Thank you.

Olaf Kolkman: I don’t want to steal people’s thunder, but pulse.internetsociety.org has a resiliency index which just maybe not measures it, but gives an index about the resiliency in-country. That said, I don’t want to flatten the discussion, because resiliency has to do with the complexity in the world that we live in, and even if we have a very resilient network or internet, still we might rely on, say, one provider of a specific application interface in order to get our work done, and if that application interface is down, a lot of stuff breaks. So resiliency is actually for everybody, your dependencies will be different, and the complexities involved are very important. So I think that if you go into resiliency for your systems, be it as a country, be it as an SME or a company or maybe even for you at home, you have to go and do sort of the analysis, the risk assessment, and the tabletop exercises to deal with them.

Amund Kvalbein: Unless there is a question now, I just wanted to pick up, and I think, Petra, maybe this is for you to start on. but I was triggered a little bit by one of the statements, a couple of the statements from our Mentimeter here now, so avoid national autonomy. I mean, you in Cloudflare are not particularly national, you are rather international, right? Would you agree with this statement or is there

Petra Arts: more complexity to it? Yeah, I saw that answer. I’m not exactly sure what the person kind of meant by it. I don’t know if they’re in the room or online, but I’m more generally about the, also to the point of collaboration and cooperation that was mentioned. I think that’s exactly where we would need to go and where I think this discussion has kind of led to us already to say, you know, the collaboration between governments, between private sector governments, between all actors that are basically responsible for making the internet, you know, work and being resilient as it is. I think that’s where we need to go, like national autonomy. I think obviously in the European context, we talk a lot about digital sovereignty, right, in these days, and there’s obviously a lot of policy discussions on things like data localization and things like that. They’re all kind of related to it. I think from a, from Cloudflare’s point of view, and also I think from a, you know, internet resilience point of view, fragmentation is like, you know, the way that we shouldn’t go, you know, to make sure that that resilience kind of stays as it is and is improved. I think fragmentation can lead to, you know, a lot of negative consequences from a resilience point of view. So I would not necessarily agree with that we, you know, I would agree with the fact that that is one of the threats, I think, that they were mentioning, like the different decisions by different parts of government in different parts of the world, I think, can lead to fragmentation. I think we need more forums to collaborate and discuss and to also come to kind of common solutions and share best practices. I think that’s kind of of where we need to go, and to your point on Pulse, which also collaborates a lot with ISOC on the Pulse side, on the internet shutdown side, maybe also to promote a little bit our radar dashboard, radar.cloudflare.com, which also gives you a lot of knowledge and information, I think, on what we see from a internet shutdown, also kind of disruption point of view from our network, which can also help civil society and others to kind of find out maybe more about what’s going on in these cases.

Johannes Theiss: Can I come on this one as well, Amund? Absolutely. Yes, no, I actually, when I was seeing the Mentimeter replies coming in, I was always thinking, okay, the toolbox writes itself, so we can lean back, and it looks quite good, but jokes aside, those are precisely the points that we are, first of all, currently working on, that we are developing in much greater detail, of course, and without interpreting too much into the avoiding national autonomy, I think that the point that can be made there is that the internet as such, but submarine cables, this is not a one-way, it’s not a silo. There are always two, at least two parties, connected to a cable, often more. There are consortia of various types of players coming together. They connect them to other types of players in a data center, so this is not a silo business, and I think that’s something to keep in mind. Other points mentioned, which I found important to highlight is the use of technology as well. I mentioned in the beginning that some of these new systems, they can really help with monitoring and detection. For example, distributed acoustic sensing, which can be applied to the submarine cables, can help here. We’re actually putting together, or would like to put together a roadmap at the European Commission to scope a bit what are these cutting-edge technologies that one should create. in mind and there will be some research funding available made for this. So have a look at the current Horizon Europe work program and at the action related to submarine cables because that’s that’s precisely something we’re gonna look into a bit more in detail. And then lastly what also popped up on the on the overview was the investment incentives. It’s really important to keep those incentives high but also to strike the balance not to crowd out private investment. There’s a lot of private investment happening and we welcome that very much and that is that is essential. Without that things wouldn’t work. But there are some gaps here and there especially when things get more in areas which are a bit less viable and there are still some gaps here. The public authorities and the public purse can play an important role and this is something we have been doing and continue to do so. Thanks.

Amund Kvalbein: Excellent. We are approaching the end of this session. There is there is still time and room for a question from the audience if you have one. But you have to be quick. No? So if there is not then then I would just like to take to round this up to go a quick round again with our with our panelists to to very briefly in 30 seconds. What is your takeaway or your message from this from this discussion? Is there an action? As Lenin said what needs to be done? Olaf do you want to start?

Olaf Kolkman: I think awareness building is is one part of it. Understanding your dependencies. I think that the parties at the left of me have a quite well understanding of their dependencies, although sometimes things break. I’m also looking at the left at me. One of the things that I am very for, so to speak, is that when things break, you tell the world. And you tell that in a very transparent way, where you disclose or you tell a story about what were my dependencies, what did I know about those dependencies, and how can you, a random other person who builds infrastructure, figure out whether you have the same dependencies that I had that broke and I didn’t know about them. So it’s about sharing information, it’s about understanding your risks and the dependencies, that risk matrix, building that out, but also about practicing. And again, this is not only the large corporations, the Cloud Flares and the Microsoft of this world, it’s also the local data center in Oslo, or a small data center maintained by an SME that might have services running for, say, a hospital or another service, a logistical service that we may all depend on for getting our groceries in the store the next day.

Amund Kvalbein: Thank you. Petra?

Petra Arts: Yeah, I mean, not so much to add, I think, from my side. I think, Olof, I think you’re very right on the transparency point of view, and I think, I hope, the Cloud Flare is doing quite a good job in the rare instances that we do have, you know. things to say about outages. There is a learning that you take from everything that happened to you and happens to your network. And then indeed sharing it and making sure that others can learn and also prevent things from happening on their own side is really key. I think from our perspective, I think the diversity of connections of the internet and the preventing of fragmentation is, I think, the two key points from our side when it comes to making sure that infrastructure and the internet as a whole operates as it should, I think, and to the benefit of everybody in the whole ecosystem, businesses, end users, everybody who uses our services and other people’s services on a day-to-day basis, we all rely on that physical infrastructure. And we all play a part in the chain. So that’s, I think, the most important thing. And resilience really is a job that everybody kind of has to work together on continuously. I think that’s also obviously something that kind of became clear from this panel that we all do.

Elise Lindeberg: Lisa, 30 seconds. 30 seconds, I’ll be very brief then. I would just want to mention that national sovereignty or national autonomy, as somebody said, and international cooperation isn’t in conflict with each other. They have to live side by side. I think everyone wants to cooperate as much as possible. And I think we will continue doing that. But I see when we’re so dependent on internet that we aren’t today in democracies and societies, I think that it’s naive to think that we can have one without the other. We need to think of them in parallel. And I think that’s possible, very possible.

Erica Moret: Erica. Thank you. 30 seconds. I would end by saying that there are tremendous geopolitical challenges right now and threats to the multi-national. order and the UN remains as important as ever in this context and so when we’re thinking about the the urgent need and the continued pressing need for partnerships, trust, collaboration, cross-border working, I would again emphasize that working in fora like the UN and bringing in all the relevant stakeholders is a vital one and in doing so we can then of course be thinking about all the types of agreements and monitoring and information sharing and so on and I just wanted to also end with an announcement that was made by our vice chair and president Brad Smith in a recent about a month ago outlining Microsoft’s European digital commitments but one of the pillars I thought you might be interested if you haven’t seen it is to uphold Europe’s digital resilience even when there’s geopolitical volatility and I think that’s a lesson also for a kind of global picture as well is how important these types of commitments are across the board. Thank you.

Amund Kvalbein: Johannes we have not forgotten you but you only have 20 seconds. That’s fair I

Johannes Theiss: just have the feeling that from the discussion with what we’re doing in the EU we seem to be on the right track I just could give you some of the flavors of of what we have in store but no more is more will be coming and we hope to also make some of these points public in the autumn so stay tuned perhaps I’ll leave you with that. Thanks again for for inviting me. Thank you. That

Amund Kvalbein: concludes our our workshops thank you so much all for coming it’s been a pleasure and please join me in giving our panelists a last round of applause.

Agreement points

Need for formalized public-private cooperation and information sharing

Speakers

– Elise Lindeberg
– Erica Moret
– Johannes Theiss

Arguments

Need for formalized cooperation between regulators and infrastructure owners

Trust and information sharing between government and private sector essential for preparedness

Governments should share threat intelligence in real-time with companies

Microsoft collaborates with governments on joint risk assessments and best practices

NIS2 directive and critical entities resilience directive formalize incident reporting

Summary

All speakers agree that effective internet infrastructure security requires formalized cooperation between government agencies and private infrastructure operators, including real-time threat intelligence sharing and joint risk assessments.

Topics

Infrastructure | Cybersecurity | Legal and regulatory

Importance of redundancy and diverse pathways for resilience

Speakers

– Olaf Kolkman
– Petra Arts
– Erica Moret

Arguments

Internet Exchange Points keep traffic local and reduce impact of external connectivity failures

Cloudflare connects with over 13,000 networks globally to ensure resilience

Microsoft builds extensive redundancies with multiple cable pathways and diverse landing points

Azure regions designed with availability zones as physically separate data centers

Summary

Speakers consistently emphasize that resilience comes from having multiple pathways, diverse connections, and redundant systems that can route around failures.

Topics

Infrastructure

Internet infrastructure is inherently international and requires cross-border cooperation

Speakers

– Johannes Theiss
– Petra Arts
– Erica Moret

Arguments

Internet infrastructure inherently involves multiple parties and cannot operate in silos

Fragmentation threatens internet resilience and should be avoided

Cross-border coordination essential for submarine cable repairs and security standards

Summary

All speakers agree that the internet’s fundamental nature as an interconnected global system requires international cooperation and that fragmentation or national silos undermine resilience.

Topics

Infrastructure | Legal and regulatory

Transparency and information sharing during outages helps broader community preparedness

Speakers

– Olaf Kolkman
– Petra Arts

Arguments

Transparent disclosure of dependencies and failures helps others learn and prepare

Cloudflare radar dashboard offers information on internet shutdowns and disruptions

Summary

Both speakers advocate for transparent sharing of outage information and lessons learned to help the broader internet community understand vulnerabilities and improve preparedness.

Topics

Infrastructure | Cybersecurity

Similar viewpoints

Both speakers recognize submarine cables as critical vulnerable infrastructure that faces multiple threat vectors, but emphasize that proper preparation and community collaboration can enable effective recovery from outages.

Speakers

– Olaf Kolkman
– Erica Moret

Arguments

West African cable cuts demonstrate both vulnerability and community collaboration in recovery

Submarine cables prone to damage from anchors, fishing, natural disasters, and sabotage

Topics

Infrastructure | Cybersecurity

Both speakers see outage communication and infrastructure protection as shared responsibilities between government and private sector, requiring coordinated approaches rather than single-party solutions.

Speakers

– Elise Lindeberg
– Erica Moret

Arguments

Government should alert users during severe outages while service providers inform their customers

Microsoft collaborates with governments on joint risk assessments and best practices

Topics

Infrastructure | Legal and regulatory

Both speakers recognize that market forces alone are insufficient for optimal infrastructure resilience and that public investment and international coordination are necessary to fill gaps in commercially unviable but strategically important areas.

Speakers

– Johannes Theiss
– Erica Moret

Arguments

EU funding supports cables in areas where business case is not straightforward

Cross-border coordination essential for submarine cable repairs and security standards

Topics

Infrastructure | Economic

Unexpected consensus

Balance between national sovereignty and international cooperation

Speakers

– Elise Lindeberg
– Johannes Theiss
– Petra Arts

Arguments

National autonomy and international cooperation must coexist, not conflict

Internet infrastructure inherently involves multiple parties and cannot operate in silos

Fragmentation threatens internet resilience and should be avoided

Explanation

Despite representing different perspectives (national regulator, EU policy maker, and private company), all speakers agreed that national sovereignty concerns and international cooperation are not mutually exclusive but must work in parallel. This consensus is unexpected given typical tensions between sovereignty and globalization in internet governance.

Topics

Infrastructure | Legal and regulatory

Need for government involvement in market-driven infrastructure

Speakers

– Johannes Theiss
– Erica Moret
– Elise Lindeberg

Arguments

EU funding supports cables in areas where business case is not straightforward

Microsoft collaborates with governments on joint risk assessments and best practices

Need for formalized cooperation between regulators and infrastructure owners

Explanation

There was unexpected consensus between EU regulators and private sector representatives that government involvement and public funding are necessary complements to private investment, rather than interference. This suggests a mature understanding that resilience requires both market efficiency and strategic public intervention.

Topics

Infrastructure | Economic | Legal and regulatory

Overall assessment

Summary

The speakers demonstrated remarkable consensus on core principles of internet infrastructure resilience, including the need for public-private cooperation, importance of redundancy and interconnection, value of transparency, and recognition that internet infrastructure is inherently global requiring international coordination.

Consensus level

High level of consensus with strong alignment on fundamental principles. The implications are positive for internet governance, suggesting that despite different organizational perspectives, there is shared understanding of what makes internet infrastructure resilient. This consensus provides a solid foundation for collaborative policy development and implementation of security measures across the public and private sectors.

Different viewpoints

National autonomy versus international cooperation in internet governance

Speakers

– Elise Lindeberg
– Petra Arts
– Johannes Theiss

Arguments

National autonomy and international cooperation must coexist, not conflict

Fragmentation threatens internet resilience and should be avoided

Internet infrastructure inherently involves multiple parties and cannot operate in silos

Summary

Elise argues that national sovereignty and international cooperation must operate in parallel and are both necessary for democracies dependent on internet infrastructure. Petra and Johannes emphasize that fragmentation is harmful and that the internet’s interconnected nature makes national autonomy approaches fundamentally incompatible with how infrastructure actually functions.

Topics

Infrastructure | Legal and regulatory

Responsibility for communicating outages to end users

Speakers

– Elise Lindeberg
– Anriette Esterhuysen

Arguments

Government should alert users during severe outages while service providers inform their customers

No clear responsibility exists for communicating internet outages to end users

Summary

Elise believes there are existing systems where governments alert users during severe outages and service providers inform customers, making it a shared responsibility. Anriette argues that unlike power outages, there is no clear system for internet outage communication, leaving most users uninformed.

Topics

Infrastructure | Legal and regulatory | Human rights

Unexpected differences

Scope of existing outage communication systems

Speakers

– Elise Lindeberg
– Anriette Esterhuysen

Arguments

Government should alert users during severe outages while service providers inform their customers

No clear responsibility exists for communicating internet outages to end users

Explanation

This disagreement is unexpected because both speakers have extensive experience in internet governance and infrastructure policy, yet they have fundamentally different views on whether adequate communication systems already exist for internet outages. Elise, coming from a regulatory background, believes systems are in place, while Anriette, from civil society, sees a clear gap in user communication.

Topics

Infrastructure | Human rights | Legal and regulatory

Overall assessment

Summary

The main areas of disagreement center on the balance between national sovereignty and international cooperation in internet governance, and the adequacy of existing communication systems during outages. There were also nuanced differences on the role of public versus private sector in maintaining resilience.

Disagreement level

The level of disagreement was relatively low overall, with most speakers sharing common goals of maintaining internet resilience and security. The disagreements were more about approach and emphasis rather than fundamental conflicts. This suggests a mature policy discussion where stakeholders largely agree on objectives but may differ on implementation strategies, which is typical and healthy for complex infrastructure policy discussions.

Partial agreements

Similar viewpoints

Both speakers recognize submarine cables as critical vulnerable infrastructure that faces multiple threat vectors, but emphasize that proper preparation and community collaboration can enable effective recovery from outages.

Speakers

– Olaf Kolkman
– Erica Moret

Arguments

West African cable cuts demonstrate both vulnerability and community collaboration in recovery

Submarine cables prone to damage from anchors, fishing, natural disasters, and sabotage

Topics

Infrastructure | Cybersecurity

Both speakers see outage communication and infrastructure protection as shared responsibilities between government and private sector, requiring coordinated approaches rather than single-party solutions.

Speakers

– Elise Lindeberg
– Erica Moret

Arguments

Government should alert users during severe outages while service providers inform their customers

Microsoft collaborates with governments on joint risk assessments and best practices

Topics

Infrastructure | Legal and regulatory

Both speakers recognize that market forces alone are insufficient for optimal infrastructure resilience and that public investment and international coordination are necessary to fill gaps in commercially unviable but strategically important areas.

Speakers

– Johannes Theiss
– Erica Moret

Arguments

EU funding supports cables in areas where business case is not straightforward

Cross-border coordination essential for submarine cable repairs and security standards

Topics

Infrastructure | Economic

Key takeaways

Internet resilience requires collaboration between physical infrastructure (data centers, subsea cables) and protocol-level redundancy, with both public and private sectors playing essential roles

The internet’s distributed ‘network of networks’ model remains fundamentally sound, but increasing dependence on cloud services and AI has made physical infrastructure components critically important

Hidden correlation of risks poses significant threats – multiple infrastructure failures can occur simultaneously (e.g., power and internet cables cut by same anchor)

Transparency in outage reporting and sharing lessons learned from failures is crucial for improving overall ecosystem resilience

Interconnection diversity and avoiding fragmentation are more important for resilience than national autonomy or sovereignty approaches

Current communication systems for internet outages to end users are inadequate compared to other utilities like power companies

Investment incentives must balance private sector leadership with public funding for economically unviable but strategically important infrastructure

Resolutions and action items

EU expert group to deliver by end of year: mapping of cable infrastructures, coordinated risk assessment, and cable security toolbox

EU to publish priority list of ‘cable projects of European interest’ under Connecting Europe Facility funding program

Continued development of monitoring technologies like distributed acoustic sensing for submarine cables

European Commission to develop technology roadmap for cutting-edge cable monitoring and detection systems

Ongoing consultation on EU Digital Networks Act regarding peering and interconnection regulations

Implementation of NIS2 directive and critical entities resilience directive to formalize incident reporting between private and public entities

Unresolved issues

No clear framework exists for communicating internet outages to end users, unlike other utilities

Lack of standardized best practices for outage communication across different types of internet service providers

Tension between national digital sovereignty goals and need for international cooperation remains unresolved

Question of who should bear costs for increased security and redundancy measures not definitively answered

How to balance private investment incentives with public funding without crowding out private sector participation

Need for better tools to help governments assess their national internet infrastructure resilience

Challenge of sharing sensitive threat intelligence while maintaining security protocols

Suggested compromises

National sovereignty and international cooperation should coexist rather than conflict – both are necessary for modern internet infrastructure

Public funding should focus on filling gaps where private sector business cases are not viable, rather than replacing private investment

Formalized but flexible frameworks for government-private sector cooperation that respect both security needs and commercial interests

Balanced approach to regulation that incentivizes interconnection and redundancy while addressing legitimate sovereignty concerns

Shared responsibility model for outage communication where both government and service providers have roles depending on severity and scope

But today, I think it’s fair to say that this network of networks is also a network of data centers and subsea cables. The move to the cloud and now also the advent of AI has made these core physical building blocks of the internet immensely important.

Speaker

Amund Kvalbein

Reason

This reframes the traditional understanding of the internet from purely a ‘network of networks’ to include critical physical infrastructure, highlighting how technological evolution (cloud computing, AI) has fundamentally changed internet dependencies.

Impact

This comment set the foundational framework for the entire discussion, establishing that modern internet resilience cannot be understood without considering physical infrastructure. It guided subsequent speakers to address both logical and physical layers throughout their presentations.

When I said that, sometimes disasters happen at the same time… For instance, a lot of people will make a risk diagram, likelihood costs, and put crosses on that. And sometimes things might be a low risk, high cost, but almost always happen together… if flood may take out, or let’s say an anchor might take out both a power cable and an internet cable at the same time, and that would be a sort of hidden correlation.

Speaker

Olaf Kolkman

Reason

This introduces a sophisticated risk analysis concept that challenges traditional siloed thinking about infrastructure vulnerabilities. It reveals how seemingly independent systems can fail simultaneously due to shared physical dependencies.

Impact

This comment elevated the discussion from simple redundancy planning to complex systems thinking. It influenced later discussions about the need for geographic diversity and cross-sector coordination, and was referenced by Johannes when discussing real-world examples of combined power and telecom cable cuts.

So if, you know, some parts of the ecosystem, in this case large ISPs mostly in the European area, trying to say, you know, there needs to be a contract, there needs to be payment, needs to be additional cost for all networks to connect to each other, that obviously is problematic… because it can actually lead to disincentivization of interconnection.

Speaker

Petra Arts

Reason

This comment introduces a critical tension between economic incentives and technical resilience, challenging the assumption that market mechanisms always optimize for resilience. It highlights how regulatory or commercial changes could undermine the internet’s foundational architecture.

Impact

This shifted the discussion from purely technical resilience to economic and policy dimensions. It introduced the concept that well-intentioned regulations might inadvertently harm resilience, influencing later discussions about the balance between sovereignty and interconnection.

Because the internet is physical. It’s not in the sky. It’s not on your phone just driving around in the sky either. It is always linked to a data center, which is critical infrastructure. It’s fiber, and it’s networks, and it’s cable, and it’s undersea cables and everything.

Speaker

Elise Lindeberg

Reason

This blunt statement cuts through abstract discussions of internet resilience to emphasize the fundamental physical reality that is often overlooked in policy discussions. It challenges the common misconception of the internet as ethereal or virtual.

Impact

This comment grounded the entire discussion in physical reality and influenced the conversation toward practical considerations of infrastructure protection, maintenance, and investment. It reinforced the workshop’s core premise and helped bridge the gap between technical and policy perspectives.

My question is, none of you have touched on this particular topic, whose responsibility is it to communicate to the end user that there’s an outage and that there’s an attempt to work around it?… Most people get their internet not from ISPs, but from mobile data providers, and they are pay-as-you-go clients, they’re not even contracted. You are completely in the dark as to what the status is.

Speaker

Anriette Esterhuysen

Reason

This question exposed a critical gap in the resilience discussion – the human dimension and democratic accountability. It challenged the panel’s focus on technical and policy coordination by highlighting the disconnect between infrastructure providers and end users, particularly in developing countries.

Impact

This question fundamentally shifted the discussion from infrastructure-centric to user-centric thinking. It revealed that resilience isn’t just about maintaining services but also about transparency and communication. The panelists’ responses showed this was an under-considered aspect, with Olaf even turning the question back to ask about best practices, indicating this was a blind spot in current approaches.

I would just want to mention that national sovereignty or national autonomy, as somebody said, and international cooperation isn’t in conflict with each other. They have to live side by side… it’s naive to think that we can have one without the other. We need to think of them in parallel.

Speaker

Elise Lindeberg

Reason

This comment addresses one of the most challenging tensions in modern internet governance – the apparent conflict between national sovereignty and global connectivity. It offers a nuanced perspective that rejects false dichotomies.

Impact

This comment provided a sophisticated resolution to the fragmentation versus cooperation debate that had been building throughout the discussion. It influenced the final tone of the workshop by suggesting that seemingly opposing forces (sovereignty and cooperation) can be reconciled, offering a path forward for policy makers.

Overall assessment

These key comments fundamentally shaped the discussion by introducing multiple layers of complexity that moved the conversation beyond simple technical solutions. The workshop began with a focus on physical infrastructure but evolved to encompass economic incentives, policy tensions, user experience, and geopolitical realities. The most impactful comments challenged assumptions – that the internet is virtual rather than physical, that technical resilience can be separated from economic and political considerations, and that infrastructure providers adequately serve end users. Anriette Esterhuysen’s question about user communication was particularly transformative, exposing a democratic deficit in current resilience approaches. The discussion’s evolution from technical to socio-political dimensions reflects the maturation of internet governance discourse, where purely technical solutions are increasingly recognized as insufficient for addressing real-world challenges.

What are the best practices for communicating internet outages to end users?

Speaker

Anriette Esterhuysen

Explanation

She highlighted a gap in communication systems where end users are often left uninformed about internet outages, unlike power outages where utilities typically provide updates. This is important for public awareness and preparedness during infrastructure failures.

Should we create tools for governments and regulators to check how resilient their internet infrastructure is?

Speaker

Vahan (online participant)

Explanation

This question addresses the need for standardized assessment tools that could help policymakers evaluate and improve their national internet infrastructure resilience, which is crucial for national preparedness and security.

What cutting-edge technologies can be applied to submarine cable monitoring and detection?

Speaker

Johannes Theiss

Explanation

He mentioned distributed acoustic sensing and indicated the EU is developing a roadmap for emerging technologies in submarine cable security, which is important for improving early warning systems and threat detection.

How can the balance between national digital sovereignty and international cooperation be achieved?

Speaker

Multiple participants (implied from discussion)

Explanation

This emerged from discussions about avoiding national autonomy versus maintaining sovereignty, which is crucial for policy development that maintains internet resilience while respecting national interests.

What are the hidden correlations of risks in internet infrastructure?

Speaker

Olaf Kolkman

Explanation

He mentioned this concept but didn’t provide detailed examples in the internet context, indicating a need for further research into how seemingly unrelated infrastructure failures can cascade and compound each other.

How can threat intelligence sharing between governments and private sector be formalized and improved?

Speaker

Multiple participants

Explanation

Several speakers emphasized the need for better information sharing mechanisms, but the specific frameworks and protocols for effective collaboration remain to be fully developed.

What is the optimal funding model for submarine cables in economically unviable but strategically important areas?

Speaker

Johannes Theiss

Explanation

He mentioned the challenge of balancing public funding without crowding out private investment, which requires further research into sustainable financing mechanisms for critical infrastructure gaps.