Uncategorized Archives | Page 23 of 117 | Digital Watch Observatory

Session at a glance

Summary

This lightning talk focused on advancing equality and inclusion in artificial intelligence systems, co-organized by the Council of Europe and the European Union Agency for Fundamental Rights at the Internet Governance Forum. Deputy Secretary-General Björn Berge opened by highlighting the systemic nature of AI bias, noting that women comprise only 22% of the AI workforce and that algorithms routinely screen out women from jobs and misinterpret names and accents. He emphasized that Europe is responding through the Council of Europe Framework Convention on Artificial Intelligence, the first international treaty placing AI under the rule of law, alongside the EU AI Act.

David Reichel from the EU Agency for Fundamental Rights identified key risks to equality in AI, explaining that machines are not neutral despite common assumptions. He provided examples of biased training data, such as facial recognition systems trained primarily on white male faces, and demonstrated how large language models can perpetuate discrimination against religious minorities and exhibit intersectional biases. Reichel noted that African American dialect speech patterns trigger higher error rates in AI systems, illustrating systemic discrimination.

The discussion revealed that companies primarily use AI for efficiency rather than fairness, missing opportunities to create more equitable decision-making processes. Reichel advocated for embracing current regulations as opportunities to identify and address societal biases through fundamental rights impact assessments. The session concluded with emphasis on the importance of AI literacy, proper documentation access for testing systems, and ensuring remedies are available when discrimination occurs, establishing a framework for more inclusive AI development.

Keypoints

**Major Discussion Points:**

– **Systemic bias and discrimination in AI systems** – The discussion highlighted how AI perpetuates and amplifies existing inequalities, with examples including algorithms that screen out women from jobs, facial recognition systems that work poorly for non-white faces, and biased training data from sources like racially profiling police forces.

– **Current regulatory frameworks and legal responses** – Speakers emphasized the importance of existing and emerging regulations, particularly the EU AI Act, the Council of Europe Framework Convention on AI (the first international AI treaty), and how anti-discrimination laws apply to AI systems.

– **The myth of AI neutrality** – A key point was debunking the misconception that machines are neutral, using the example of travelers in 2015 who believed automated border gates would be less discriminatory than human guards, which has proven false.

– **Practical implementation challenges and solutions** – Discussion focused on the need for guidance on conducting fundamental rights impact assessments, the importance of AI literacy, and tools being developed to help organizations detect and address AI discrimination in practice.

– **Opportunities for fairer AI systems** – The conversation explored how proper assessment and regulation can be viewed as opportunities rather than burdens, allowing organizations to identify societal biases and create more accountable, fair decision-making processes.

**Overall Purpose:**

The discussion aimed to provide a comprehensive overview of equality and inclusion challenges in AI systems, showcase current regulatory responses from European institutions, and demonstrate practical approaches for addressing bias and discrimination while highlighting opportunities for creating fairer AI systems.

**Overall Tone:**

The tone was professional and educational throughout, maintaining a balance between acknowledging serious concerns about AI bias and discrimination while remaining constructively optimistic about solutions. The speakers presented a realistic but forward-looking perspective, emphasizing that while AI poses significant equality risks, proper regulation, assessment, and implementation can transform these challenges into opportunities for creating more just and equitable systems.

Speakers

– **Sara Haapalainen**: Works for the Hate Speech, Hate Crime and Artificial Intelligence Unit of the Council of Europe

– **David Reichel**: Head of Data and Digital Sector from FRA (European Union Agency for Fundamental Rights)

– **Bjorn Berge**: Deputy Secretary-General of the Council of Europe

**Additional speakers:**

– **Ivana Bartoletti**: Was scheduled to speak but was unable to attend due to unfortunate circumstances. Role/expertise not specified in the transcript.

Full session report

# Advancing Equality and Inclusion in Artificial Intelligence Systems: A Comprehensive Discussion Report

## Introduction and Context

This lightning talk, co-organised by the Council of Europe and the European Union Agency for Fundamental Rights at the Internet Governance Forum, addressed the critical challenges of advancing equality and inclusion in artificial intelligence systems. The session brought together two key speakers from European institutions to examine how AI systems perpetuate discrimination and explore regulatory and practical solutions for creating more equitable technology.

The discussion was originally scheduled to include Ivana Bartoletti, who was unfortunately unable to attend due to unforeseen circumstances. The remaining speakers provided comprehensive coverage of the topic from institutional, regulatory, and practical perspectives. The session included interactive elements using Mentimeter to gather audience input on AI risks and opportunities.

## Speaker Contributions and Key Arguments

### Björn Berge: Framing AI as a Justice Issue

Deputy Secretary-General Björn Berge of the Council of Europe opened the discussion by establishing AI as fundamentally a justice issue, stating: “Let us not treat AI as just a technological issue. Let us treat it also as a justice issue. Because if AI is to serve the public good, it must serve everyone equally and fairly. Period.”

Berge highlighted that women comprise only 22% of the AI workforce, directly influencing the fairness and bias of AI systems. He provided concrete examples of discrimination: algorithms screening out women from job opportunities, chatbots misinterpreting names and accents, and AI systems making decisions without providing explanations or recourse.

He emphasised Europe’s regulatory response through the Council of Europe Framework Convention on Artificial Intelligence, which opened for signature last year as “the first international treaty placing AI under the rule of law” specifically for human rights and equality protection.

### David Reichel: Evidence-Based Analysis of AI Bias

David Reichel, Head of Data and Digital Sector from the European Union Agency for Fundamental Rights, provided detailed empirical analysis of AI bias, systematically challenging the misconception that machines are neutral. He illustrated this with automated border control systems: “Back then, the majority of travellers actually said, oh, that’s good because a lot of border guards are discriminating us. When the machine is there, it’s better and it’s neutral. Unfortunately, 10 years later now, we learned a lot of examples that this is unfortunately not true. Machines are not neutral.”

Reichel presented specific research findings from FRA’s work testing offensive speech detection algorithms. Their research revealed intersectional biases in AI systems, showing higher error rates when processing gendered language combined with religious or ethnic identifiers. For example, when testing Italian language processing, they found that combining gender with religious terms increased error rates significantly. He also highlighted how African American dialect speech patterns trigger elevated error rates in AI systems.

He noted that organisations “very rarely” use AI to make better or fairer decisions, focusing almost exclusively on efficiency gains. He argued this represents a missed opportunity, suggesting that bias detection could serve as a diagnostic tool: “If we look into biases, we actually learn a lot about where society is going wrong. If there’s recruitment software that prefers men over women, then this reflects ongoing practices.”

Reichel concluded with a business-focused argument: “It’s also not innovative if you use AI and discriminate. It’s also not efficient and not sustainable. So there’s the opportunity to actually create a better AI.”

### Sara Haapalainen: Practical Implementation and Legal Integration

Sara Haapalainen from the Council of Europe’s Hate Speech, Hate Crime and Artificial Intelligence Unit focused on practical implementation, emphasising that AI systems “are not neutral and reproduce structural inequalities that need active promotion of equality.”

She stressed the continued relevance of existing anti-discrimination legislation alongside new AI-specific regulations, and highlighted collaborative efforts between European institutions. She described a joint project between the Council of Europe and the EU developing practical tools including policy guidelines, online training programmes, and complaint handling protocols specifically for equality bodies.

Haapalainen concluded with three key points: first, that AI systems are not neutral and require active promotion of equality; second, that access to remedies and documentation is crucial when discrimination occurs; and third, that the Council of Europe’s Committee of Experts is currently drafting a soft law instrument on AI equality and non-discrimination.

## Audience Engagement and Key Findings

The session included interactive polling using Mentimeter, which revealed important insights about audience perceptions. When asked about the biggest risks of AI for equality and inclusion, the top responses were:

– Biased algorithms

– Lack of regulation and laws

– Opacity of AI systems

When asked about opportunities, the most popular response was “increasing AI literacy,” highlighting the importance of education and awareness in addressing AI bias.

## Areas of Strong Consensus

The speakers demonstrated remarkable alignment on fundamental issues, creating a coherent European institutional perspective on AI governance and equality.

Both speakers agreed that AI systems are not objective or neutral tools but rather reflect and amplify existing societal biases. This consensus emerged through complementary evidence: Berge’s statistical evidence about workforce diversity and discriminatory outcomes, and Reichel’s technical examples of biased training data and algorithmic discrimination.

The speakers also showed strong consensus on the necessity of comprehensive legal frameworks, though with different emphases. Berge highlighted the groundbreaking Framework Convention, while Reichel emphasised how multiple EU laws including the AI Act, Digital Services Act, and data protection regulations can work together. Haapalainen stressed that existing anti-discrimination legislation remains relevant alongside new AI-specific regulations.

Both Reichel and Haapalainen emphasised the gap between regulatory requirements and practical implementation capabilities, agreeing that organisations often lack the knowledge and tools necessary to assess biases effectively. This led to shared emphasis on developing concrete tools and guidance, including fundamental rights impact assessments and capacity-building programmes.

## Practical Outcomes and Future Directions

The discussion identified several concrete initiatives translating insights into practical action. The speakers highlighted ongoing collaboration between the Council of Europe and EU institutions to develop practical tools for addressing AI discrimination, including policy guidelines for equality bodies, online training programmes, and complaint handling protocols.

Reichel indicated that the European Union Agency for Fundamental Rights will publish several relevant reports covering high-risk AI applications, remote biometric identification, and the digitalisation of justice systems. These publications will provide additional empirical evidence and practical guidance for addressing AI bias in specific contexts.

The speakers emphasised AI literacy and awareness as essential components of effective equality promotion, suggesting ongoing need for educational initiatives targeting AI developers, users, and oversight bodies.

## Conclusion

This discussion represents a mature approach to AI governance that positions equality and human rights as central concerns in AI development and deployment. The strong consensus among European institutional representatives suggests a coherent, rights-based approach to AI regulation is emerging.

The speakers successfully demonstrated that addressing AI bias requires legal frameworks, practical tools, institutional capacity, and shifts in how organisations approach AI development. Their emphasis on viewing regulation as opportunity rather than burden, and framing AI assessment as a diagnostic tool for broader social inequalities, provides a constructive foundation for progress.

The collaborative approach between the Council of Europe and EU institutions demonstrates how international cooperation can address challenges that transcend national boundaries. The session’s interactive elements and focus on practical implementation alongside regulatory development suggests European institutions are moving toward effective enforcement and support mechanisms.

The discussion contributes to growing international consensus that AI systems must be designed, deployed, and governed to promote rather than undermine equality and human rights, with the European approach providing a valuable model for ensuring AI serves everyone equally and fairly.

Session transcript

Sara Haapalainen: Welcome to the lightning talk on advancing equality and inclusion in AI, co-organized by the Council of Europe and the European Union Agency for Fundamental Rights. My name is Sara Haapalainen and I work for the Hate Speech, Hate Crime and Artificial Intelligence Unit of the Council of Europe. In this session, we will give you a snapshot on key challenges related to bias, anti-discrimination and equality in AI systems and opportunities to address them. To have a more inclusive discussion, we invite the audience to contribute to this session through an online platform I’ll introduce shortly. Discussions can also continue after this short session. But first, I have the great pleasure to give the floor to the Deputy Secretary-General of the Council of Europe, Björn Berge, to say a few opening words. Please, the stage is yours.

Bjorn Berge: Thank you very much, Sara, and very good afternoon to all of you. Let me first start by congratulating Norway, my home country, for hosting this year’s Internet Governance Forum. We are here to address a reality we can no longer ignore. Artificial intelligence is shaping how people access jobs, services, information and justice. But too often, these systems reinforce inequality. Women make up just 22% of the world’s AI workforce. That lack of diversity influences not only how systems are built, but how fair or biased they become. And we clearly see the impact. Algorithms screening out women for jobs. Chatbots that misread names and accents. Decisions made with no explanation or recourse. These are not isolated issues. They are systemic deficiencies, and they demand a systemic approach and response. In Europe, we are responding. The Council of Europe Framework Convention on Artificial Intelligence opened for signature last year. It is the first international treaty placing AI under the rule of law, and at the service of human rights, democracy and equality. Together with the EU AI Act, it offers a legal foundation to ensure AI upholds rights, not only undermines them. But as you know, rules alone are not enough. Equality bodies, national human rights institutions and civil society must help shape, monitor and improve these systems. Our joint project with the European Union to support equality bodies is one example of this in practice. Earlier this year, the UN Secretary-General, Antonio Guterres, asked, are we ready for the future? His answer was plain, no. And he was right. Let us not treat AI as just a technological issue. Let us treat it also as a justice issue. Because if AI is to serve the public good, it must serve everyone equally and fairly. Period. I thank you very much, and please enjoy the discussion now between my two colleagues.

Sara Haapalainen: Thank you very much. Thank you very much, Deputy Secretary-General of the Council of Europe, for setting the stage for our discussion. Let’s unpack the linkages between human rights and AI a bit more together with David Reichel, Head of Data and Digital Sector from FRA, the European Union Agency for Fundamental Rights. But before we dive into the discussion, I also want to announce that unfortunately our second speaker, Ivana Bartoletti, is not able to be with us today due to unfortunate circumstances. Nevertheless, the audience can share their thoughts via the Mentimeter by going to menti.com and adding the code shown on the screen. You will have the same question as David. We will discuss first about the risks AI poses to equality. What do you think are the key risks for equality in AI? The mic is yours.

David Reichel: Thank you, Sarah. It’s a big pleasure to be here. Good afternoon. I’m from the EU Agency for Fundamental Rights, where we’ve been dealing with AI and equality issues for many years now. One of the key risks for equality when using AI is to use it for decision making without properly assessing it for potential biases. It’s a key risk if we use AI blindly. To give an example, in the year 2015, so 10 years ago, we interviewed people at EU border crossing points about the use of automated border gates. Back then, the majority of travelers actually said, oh, that’s good because a lot of border guards are discriminating us. When the machine is there, it’s better and it’s neutral. Unfortunately, 10 years later now, we learned a lot of examples that this is unfortunately not true. Machines are not neutral. Using them is not without risks. To the contrary, AI, as we also just heard, may perpetuate, it may reinforce, or even create inequalities and discrimination. We heard examples also in the opening speech of the Deputy Director General of the Council of Europe. Why can this happen? There are several reasons why the use of AI may lead to more inequality. For example, the training data, the data used to build certain algorithms are already biased. If you have police forces, which in some areas, unfortunately, engage in racial profiling, you shouldn’t use these data to automate predictions for police. What else could be the case? Training data may not be of high quality, may not be representative. A lot of people heard already about the case of face recognition technology that worked really well at the beginning for white male faces, but not at all for black and female faces. The problem obviously was it was just trained on white male faces. What is more, currently more and more AI tools use general purpose AI models, meaning large language models trained on much data from the internet. We tested offensive speech detection algorithms by building them ourselves and then testing them for certain biases. What we found was that these speech detection models very often overreact to certain words, most notably words like Muslim or Jew, because there’s a lot of hatred targeted at these groups. However, the reason for these biases was not always in our training data. Sometimes the biases were also coming from their large language models. There was also some bias included, intersectional bias. For example, in Italian, we tested the offensive speech algorithms for biases. And in Italian, like also in German, you use more gendered nouns. And the error rates for non-offensive sentences for the feminine version of Muslim in Italian was much higher than for the masculine version. And the other way around for Jews. Lastly, we also did a test and found that speech that is completely neutral, but more likely to be African American dialect, that was prone to higher error rates for non-offensive speech compared to other sentences that were not likely to have this kind of dialect. So we have enough evidence that we should be worried. And this is not to get me wrong. The use of AI is great, of course, and we can use it in a variety of areas. But as was also hinted to in the opening speech, we need regulation. And we not only need regulation, but we also need guidance on how to apply the regulation in practice. In our research, we speak very often to developers and users of AI. And a lot of companies, but also public administrations, want to do the right thing, but often don’t know how do I actually assess biases and how do I mitigate the risks in practice. So as was mentioned, in the EU, we have several laws that can help making AI fairer and better. We have the EU AI Act recently adopted, which has a lot of requirements that can help providers and deployers of AI to look into biases. We have the Digital Services Act, which tackles the very large online platforms and has risk mitigation. and lastly we also have our long adopted data protection laws in the EU that also help processing data in a fairer way and to avoid discrimination.

Sara Haapalainen: Thank you, outlining the serious risks to individuals and to our societies, obviously affecting those who are already impacted by discrimination and inclusion. You also went a bit to the solutions and opportunities which we will discuss next, but let’s have a look at the Mentimeter and what the audience voted as key risks for equality in AI. I see biased algorithms and lack of regulation and laws as the highest, and then opacity of the AI systems as a third key risk foreseen in AI. You touched upon the biased algorithms, also the regulation, obviously in the Europe at least we are lucky we are having regulation, not only the EU AI, but also what was mentioned by the Deputy Secretary General of the Council of Europe, we have the Framework Convention of AI, which is actually a global international treaty, so we have some tools and elements. I also want to highlight that together with the Council of Europe and the European Union are currently developing some solutions to respond to some of the risks in addition to regulation, and we are for example cooperating with the equality bodies across Europe and together we are developing tools and knowledge to detect and address discrimination resulting from the use of AI systems, including ensuring sufficient remedies, and these tools include inter alia policy guidelines and online training on AI and anti-discrimination, as well as a protocol to handle victims’ complaints. But let’s dive into more of the solutions and opportunities, and we have also the same question for the audience. So what are the key opportunities for ensuring equality in AI?

David Reichel: Thank you. It’s a pity that Ivana can’t be with us, but I’m also happy not just to speak about risks but also opportunities of AI. In our research with developers and users of AI, we also asked about why are companies or administrations using AI? And we were very surprised to see that almost exclusively people were saying we want to use it for efficiency purposes, we want to make things faster and quicker. That’s fair enough, of course that’s a good reason to use, but first of all efficiency as such is not enough reason to interfere with fundamental rights on the one hand. But secondly I was also surprised to see that very rarely those using AI say we want to use AI to actually make better decisions, to make fairer decisions. And when people see in the Mentimeter also that risks of fundamental rights are the lack of regulation and biased algorithms, I would really suggest that we all embrace the current regulation and use it to make use of all the opportunities of AI. First of all, when regulation requires you to assess AI before you use it in practice, then this is an opportunity. If we look into biases, we actually learn a lot about where society is going wrong. If there’s recruitment software that prefers men over women, then this reflects ongoing practices. So learning about these disadvantages in society is a great opportunity. Once we identify these issues, we can of course think about how we can fix those biases and try to find ways to make fairer and also more accountable decision making. Obviously to embrace this fairer decision making and proper assessments, we need protocols and guidance on how this can be done in practice. A lot of the law includes so-called fundamental rights impact assessments, or at the Council of Europe it’s the Human Rights, Democracy and Rule of Law impact assessment. A lot of people think this is very complicated to do, but in a sense I would say it’s not that difficult to do. You usually start by describing your system, what tasks you want to automate, what purposes you’re using AI, what technology is used, what training data did you use. And secondly, you look into different fundamental rights. You usually start with privacy and data protection. Do you process information about the private life of people that you’re actually not allowed to do? That should be ruled out. Secondly, and that’s the big block, bias and non-discrimination. So here you would start by scanning the information that is processed in your algorithm. Is there any information linked to protected characteristics, ethnic origin, gender, and so forth? Obviously, just taking this information out is sometimes not enough, so you have to look for so-called proxies. Is there any information that is highly correlated with some protected characteristics? And lastly, there’s also the right to an effective remedy under any fundamental rights impact assessment. So making this assessment and making transparent what you’re doing, you allow the decisions also being challenged in court, and this way provide an equality of arms. So as was mentioned, the Council of Europe, but also in the EU, we work a lot on this guidance and help developers and providers of AI to make these kind of assessments. And this way, really showing that the regulation is an opportunity to embrace a human rights approach to the use of AI. It’s of course not innovative if you use AI and discriminate. It’s also not efficient and not sustainable. So there’s the opportunity to actually create a better AI. At the Fundamental Rights Agency, we are working on several reports. One on high-risk AI, where we looked into the use of AI in the area of employment, education, law enforcement, and migration. And we will publish a report later this year, which will include some of this guidance. We’ll have another report on the use of remote biometric identification, including face recognition in the context of law enforcement. And the third one on digitalization of justice, which will all come out later this year.

Sara Haapalainen: Thank you very much, David. In addition, let me look at the Mentimeter. So the audience has suggested that the key opportunity for ensuring equality in AI is increasing AI literacy, which is indeed very important as well, and is included in the European regulation as well. We need to raise awareness of the AI, its risks and opportunities. I will also use the opportunity from the Council of Europe side to highlight three things based on our work with the equality bodies and based on the Council of Europe study published on the impact of artificial intelligence, their potential to promote equality, including gender equality and risks they may cause in relation to non-discrimination. And mention three things. Firstly, as we know already, AI systems are not neutral and reproduce and amplify structural inequality. Equality needs to be promoted in and through the use of AI and informed by the views of those impacted, as outlined in the Council of Europe Framework Convention on AI. In addition to the AI governance, we must also remind the legislators and the AI deployers that the anti-discrimination legislation applies to AI as well. So it’s not only the AI legislation that we should look into. And then, secondly, if prevention fails and discrimination by AI system occur, then we need to ensure access to remedies, exactly as David was saying, to restore rights and provide justice for those being discriminated. And here, the human rights institutions, equality bodies and CSOs can play an important role to inform the rights of the victims, but also request testing of AI systems, which requires obviously having also access to documentation of the AI systems. And then finally, and thirdly, the Council of Europe’s Committee of Experts on Artificial Intelligence, Equality and Discrimination is currently drafting a soft law instrument for states on AI equality and non-discrimination. And this will provide also valuable additional guidance on the topic in the future. With these remarks, I want to thank you very much for the discussion, our Deputy Secretary General Björn Berge and David Reichelt, as well as the audience for the insights and participation. If you have questions or would like to discuss with us further, please feel free to connect with us after this talk. And I would like to also show we have some QR codes and links for the audience, assumingly, yes, on the screen. So if you are interested in our work as the Council of Europe and for our publications and work, you can take the QR codes on the screen. Thank you very much and have a lovely rest of the day here at the IGF. Neil Gaiman, Fischer, Constantine Tang theライ THE CHINESE COUNTRY For your information, a session will start on the open stage in five minutes.

Bjorn Berge

Speech speed

89 words per minute

Speech length

Legal and Regulatory Framework for AI Governance

Topics

Legal and regulatory | Human rights

Agreed with

– David Reichel
– Sara Haapalainen

Agreed on

Comprehensive legal frameworks are essential for addressing AI bias and discrimination

David Reichel

Speech speed

150 words per minute

Speech length

1410 words

Speech time

561 seconds

Biased training data from discriminatory practices leads to perpetuation of inequality in AI systems

Explanation

Reichel explains that when AI systems are trained on data that already contains discriminatory patterns, they will reproduce and amplify these biases in their decision-making. He emphasizes that this is a fundamental problem in AI development that requires careful attention to data quality and representativeness.

Evidence

Sara Haapalainen

Speech speed

125 words per minute

Speech length

1019 words

Speech time

486 seconds

AI systems are not neutral and reproduce structural inequalities that need active promotion of equality

Explanation

Agreements

Legal and regulatory | Human rights

Similar viewpoints

Both speakers view regulatory frameworks and awareness-raising as opportunities rather than burdens, emphasizing the positive potential for creating more equitable AI systems through proper governance and education

Speakers

– David Reichel
– Sara Haapalainen

Arguments

Regulation should be embraced as opportunity to identify societal biases and create fairer decision-making systems

AI literacy and awareness of risks and opportunities are essential for ensuring equality

Topics

Human rights | Legal and regulatory | Sociocultural

Both speakers emphasize the importance of systematic assessment procedures and accountability mechanisms, including the need for transparency and access to remedies when AI discrimination occurs

Speakers

– David Reichel
– Sara Haapalainen

Arguments

Fundamental rights impact assessments provide structured approach to evaluate AI systems for bias and discrimination

Access to remedies and documentation is crucial when discrimination occurs, with equality bodies playing important oversight role

Topics

Human rights | Legal and regulatory

Unexpected consensus

Reframing regulation as opportunity rather than burden

Speakers

– David Reichel
– Sara Haapalainen

Arguments

Regulation should be embraced as opportunity to identify societal biases and create fairer decision-making systems

AI literacy and awareness of risks and opportunities are essential for ensuring equality

Explanation

Rather than viewing regulatory requirements as obstacles to innovation, both speakers consistently frame them as valuable opportunities for improvement and learning about societal inequalities, which is somewhat unexpected in technology policy discussions

Topics

Legal and regulatory | Human rights

Overall assessment

Summary

The speakers demonstrate strong consensus on fundamental issues: AI systems perpetuate inequality, comprehensive legal frameworks are necessary, and practical implementation support is crucial. They share a unified vision of AI governance that prioritizes human rights and equality.

Consensus level

Very high level of consensus with no apparent disagreements. This strong alignment suggests a mature understanding of AI governance challenges and indicates that European institutions have developed a coherent, rights-based approach to AI regulation that could serve as a model for global AI governance frameworks.

Differences

Different viewpoints

Unexpected differences

Overall assessment

Summary

The discussion shows remarkable consensus among all three speakers on the fundamental issues surrounding AI bias and discrimination. There were no direct disagreements identified in the transcript.

Disagreement level

Very low disagreement level. The speakers demonstrate strong alignment on key issues including the existence of AI bias, the need for regulation, the importance of practical implementation tools, and the necessity of protecting human rights. The few partial agreements identified relate to different emphases in approach rather than fundamental disagreements. This high level of consensus suggests a mature understanding of AI bias issues among European institutions and may facilitate coordinated policy implementation, though it might also indicate a need for broader perspectives in future discussions.

Partial agreements

Similar viewpoints

Both speakers view regulatory frameworks and awareness-raising as opportunities rather than burdens, emphasizing the positive potential for creating more equitable AI systems through proper governance and education

Speakers

– David Reichel
– Sara Haapalainen

Arguments

Regulation should be embraced as opportunity to identify societal biases and create fairer decision-making systems

AI literacy and awareness of risks and opportunities are essential for ensuring equality

Topics

Human rights | Legal and regulatory | Sociocultural

Both speakers emphasize the importance of systematic assessment procedures and accountability mechanisms, including the need for transparency and access to remedies when AI discrimination occurs

Speakers

– David Reichel
– Sara Haapalainen

Arguments

Fundamental rights impact assessments provide structured approach to evaluate AI systems for bias and discrimination

Access to remedies and documentation is crucial when discrimination occurs, with equality bodies playing important oversight role

Topics

Human rights | Legal and regulatory

Takeaways

Key takeaways

AI systems are not neutral and systematically perpetuate and amplify existing societal inequalities, particularly affecting underrepresented groups

The lack of diversity in AI development (women represent only 22% of AI workforce) directly influences how fair or biased systems become

Biased training data and inadequate representation in datasets lead to discriminatory outcomes in real-world applications like recruitment, face recognition, and content moderation

Europe has established comprehensive legal frameworks including the Council of Europe Framework Convention on AI and EU AI Act to address these issues

Fundamental rights impact assessments and human rights-based approaches provide practical tools for identifying and mitigating AI bias

AI should be treated as both a technological and justice issue, requiring systemic approaches rather than isolated technical fixes

Existing anti-discrimination legislation applies to AI systems in addition to specific AI regulations

AI literacy and awareness are essential for ensuring equality in AI development and deployment

Resolutions and action items

Council of Europe and EU are developing joint tools for equality bodies including policy guidelines, online training, and complaint handling protocols

FRA will publish reports on high-risk AI, remote biometric identification, and digitalization of justice later in the year

Council of Europe’s Committee of Experts is drafting a soft law instrument on AI equality and non-discrimination for states

Organizations should embrace current regulations as opportunities to conduct proper bias assessments before deploying AI systems

Developers and users need practical guidance on how to assess biases and mitigate risks in AI systems

Unresolved issues

How to effectively address intersectional biases in large language models that are increasingly used in AI applications

Ensuring adequate access to AI system documentation for equality bodies and civil society organizations to conduct proper oversight

Bridging the gap between companies wanting to ‘do the right thing’ and having practical knowledge to assess and mitigate AI bias

Balancing efficiency goals (primary driver for AI adoption) with fairness and fundamental rights considerations

Addressing the challenge that biases can come from multiple sources including training data and underlying large language models

Suggested compromises

Using regulation as an opportunity rather than burden – embracing requirements for bias assessment as a way to improve AI systems

This comment is strategically brilliant because it reframes fairness in AI using business language that resonates with decision-makers. By connecting ethical AI practices to innovation, efficiency, and sustainability, it makes a compelling business case for equality rather than positioning it as a constraint on technological progress.

Impact

This statement provided a bridge between ethical imperatives and practical business considerations, potentially influencing how organizations approach AI development. It helped conclude the discussion on a constructive note, showing that ethical AI and successful AI are not competing goals but complementary objectives.

Overall assessment

Explanation

David noted that biases were coming from large language models used in general purpose AI, not just training data, indicating a need for solutions to address this source of bias

Disclaimer: This is not an official session record. DiploAI generates these resources from audiovisual recordings, and they are presented as-is, including potential errors. Due to logistical challenges, such as discrepancies in audio/video or transcripts, names may be misspelled. We strive for accuracy to the best of our ability.

Day 0 Event #260 Securing Basic Internet Infrastructure

Session at a glance

Summary

This panel discussion focused on securing basic internet infrastructure, examining the vulnerabilities and resilience challenges facing the physical foundations of the global internet. The conversation brought together experts from various sectors including the Internet Society, Cloudflare, the European Commission, regulatory authorities, and Microsoft to discuss how the internet’s distributed “network of networks” model has evolved to include critical dependencies on data centers and subsea cables.

The panelists emphasized that while internet protocols were designed for resilience, the physical infrastructure supporting them faces numerous threats including cable cuts, power outages, cyber attacks, natural disasters, and potential sabotage. Dr. Olaf Kolkman from the Internet Society illustrated these challenges using the example of West African cable cuts in March, demonstrating how preparedness and redundancy enabled the region to maintain connectivity despite significant infrastructure damage. The discussion highlighted the importance of internet exchange points, diverse network connections, and local infrastructure capacity in maintaining resilience.

A key theme throughout the conversation was the critical need for collaboration between governments and private sector operators who own and manage most internet infrastructure. Johannes Theiss from the European Commission outlined the EU’s cable security action plan, which focuses on prevention, detection, response, recovery, and deterrence. Microsoft’s Erica Moret described how major technology companies invest in redundant systems and diverse cable pathways to prevent single points of failure.

The panelists stressed that internet resilience requires continuous cooperation, transparent information sharing about outages and vulnerabilities, and coordinated international responses to threats. They concluded that maintaining the internet’s global, interconnected nature while addressing security concerns requires balancing national sovereignty interests with the fundamental need for international collaboration and avoiding fragmentation that could undermine the internet’s inherent resilience.

Keypoints

## Overall Purpose/Goal

This panel discussion aimed to examine the vulnerabilities and security challenges facing basic internet infrastructure, particularly focusing on subsea cables and data centers. The workshop brought together experts from various sectors – including internet policy organizations, cloud service providers, EU regulators, telecommunications authorities, and major tech companies – to discuss how to strengthen internet resilience through collaboration between governments and private industry.

## Major Discussion Points

– **Physical Infrastructure Vulnerabilities and Real-World Impact**: The discussion extensively covered threats to physical internet infrastructure, using the March 14th West African cable cuts as a key example. Panelists highlighted how subsea cables, data centers, and terrestrial networks face risks from natural disasters, ship anchors, power outages, cyber attacks, and potential sabotage, with these physical disruptions having immediate real-world consequences for connectivity.

– **The Critical Role of Redundancy and Interconnection**: Multiple speakers emphasized that internet resilience depends heavily on having diverse pathways, multiple cable routes, geographically distributed data centers, and extensive network interconnections. The discussion stressed that maximum connectivity and settlement-free peering relationships are essential for maintaining the internet’s ability to “route around” problems when infrastructure fails.

– **Public-Private Partnership and Information Sharing**: A central theme was the need for closer collaboration between governments and private infrastructure owners. Panelists discussed the importance of sharing threat intelligence, coordinating risk assessments, joint funding for infrastructure in economically challenging areas, and establishing formal frameworks for communication during incidents while balancing security sensitivities.

– **EU Policy Framework and International Coordination**: The discussion covered the EU’s comprehensive approach through their Cable Security Action Plan, which includes prevention, detection, response, recovery, and deterrence measures. This highlighted the challenge of coordinating policies across borders while avoiding fragmentation that could undermine the internet’s inherently global and interconnected nature.

– **Communication and Transparency During Outages**: The panel addressed a significant gap in current practices – the lack of systematic communication to end users during internet outages. Unlike power utilities that have established notification systems, internet outages often leave users uninformed about the status and expected resolution of connectivity problems, pointing to a need for better incident communication protocols.

## Overall Tone

The discussion maintained a collaborative and constructive tone throughout, with panelists building on each other’s points rather than disagreeing. The atmosphere was professional and solution-oriented, with speakers demonstrating mutual respect and shared concern for internet resilience. While acknowledging serious challenges and geopolitical tensions, the overall sentiment remained optimistic about the possibility of strengthening infrastructure through continued cooperation. The tone became slightly more urgent when discussing specific vulnerabilities and recent incidents, but consistently returned to emphasizing partnership and shared responsibility as the path forward.

Speakers

**Speakers from the provided list:**

– **Amund Kvalbein** – Moderator from AnalysisMason company, leading the panel discussion on securing basic internet infrastructure

– **Olaf Kolkman** – Principal for Internet technology policy and advocacy with the Internet Society, astronomer by training with long career in Internet technology and policy development

– **Petra Arts** – Director for public policy for Europe at Cloudflare, experienced public policy professional with background from European Parliament and private companies

– **Johannes Theiss** – Head of sector for the EU’s Directorate General for Communication Networks, Content and Technology, political science major who previously worked for German Broadband Association and Vodafone

– **Elise Lindeberg** – CEO of Skygar (data center hosting company in Oslo), former Director for Security and Resilience in Networks at Norwegian Regulatory Authority for telecoms, active in ICANN and IGF

– **Erica Moret** – Director for United Nations and International Organizations at Microsoft, former diplomat and scholar with education from France’s École Nationale d’Administration and PhD from Oxford University

– **Michael Kende** – Online moderator for the event, colleague of Amund Kvalbein

– **Anriette Esterhuysen** – Civil society representative from South Africa

**Additional speakers:**

None identified beyond the provided speakers names list.

Full session report

# Comprehensive Report: Securing Basic Internet Infrastructure – Panel Discussion

## Executive Summary

This panel discussion, moderated by Amund Kvalbein from AnalysisMason with online moderation by Michael Kende, brought together leading experts from across the internet infrastructure ecosystem to examine critical vulnerabilities facing the physical foundations of the global internet. The conversation featured representatives from the Internet Society, Cloudflare, the European Commission, regulatory authorities, and Microsoft, alongside civil society voices, creating a dialogue on strengthening internet resilience through enhanced collaboration between governments and private sector operators.

The discussion reframed the traditional understanding of the internet from purely a “network of networks” to include critical dependencies on physical infrastructure. As moderator Amund Kvalbein noted, “today, I think it’s fair to say that this network of networks is also a network of data centres and subsea cables. The move to the cloud and now also the advent of AI has made these core physical building blocks of the internet immensely important.”

## Key Participants and Their Perspectives

The panel assembled diverse expertise spanning technical, policy, and regulatory domains. Olaf Kolkman from the Internet Society, who described himself as “an astronomer by training” who found “internet working more interesting than astronomy,” provided technical insights (and notably corrected that he is “not a doctor” and “never wrote a thesis”). Petra Arts from Cloudflare offered the perspective of a major content delivery network operator. Johannes Theiss represented the European Commission’s policy approach through the EU’s Directorate General for Communication Networks, Content and Technology. Elise Lindeberg brought regulatory experience from her role as CEO of Skygar and former Director for Security and Resilience in Networks at the Norwegian Regulatory Authority. Erica Moret from Microsoft contributed the viewpoint of a major technology company. The discussion included civil society input from Anriette Esterhuysen, who raised critical questions about user communication during outages.

## Physical Infrastructure Vulnerabilities and Real-World Impact

The discussion examined various threats facing physical internet infrastructure, with panellists emphasising that while internet protocols were designed for resilience, underlying physical systems create significant vulnerabilities. Kolkman illustrated these challenges using the March 14th West African cable cuts as an example, demonstrating how preparedness and community collaboration enabled the region to maintain connectivity despite substantial infrastructure damage.

Moret detailed multiple threat vectors facing data centres and submarine cables, including power outages, extreme weather events, geographical clustering risks, and damage from ship anchors, fishing activities, natural disasters, and potential sabotage. Lindeberg emphasised that “the internet is physical. It’s not in the sky. It’s not on your phone just driving around in the sky either. It is always linked to a data centre, which is critical infrastructure.”

Kolkman introduced the concept of “hidden correlation of risks,” where multiple infrastructure failures occur simultaneously due to shared physical dependencies. He explained that “sometimes things might be a low risk, high cost, but almost always happen together… if flood may take out, or let’s say an anchor might take out both a power cable and an internet cable at the same time.”

## Audience Engagement and Polling Results

The workshop included interactive elements through Mentimeter polling, engaging the audience on key threats and solutions. The polling revealed audience perspectives on various infrastructure vulnerabilities and potential mitigation strategies, adding a participatory dimension to the expert panel discussion.

## The Role of Redundancy and Interconnection

Multiple speakers emphasised that internet resilience depends on having diverse pathways, multiple cable routes, geographically distributed data centres, and extensive network interconnections. Arts highlighted Cloudflare’s approach of connecting with over 13,000 networks globally to ensure resilience, while cautioning against regulatory barriers that could disincentivise interconnection.

Moret described Microsoft’s strategy of building extensive redundancies with multiple cable pathways, diverse landing points, and Azure regions designed with availability zones as physically separate data centres. Kolkman stressed the importance of Internet Exchange Points in keeping traffic local and reducing the impact of external connectivity failures.

Arts warned that attempts by some large ISPs to introduce payment requirements for interconnection could “lead to disincentivisation of interconnection,” potentially undermining the internet’s foundational architecture of settlement-free peering relationships.

## Public-Private Partnership and Information Sharing

A central theme was the need for enhanced collaboration between governments and private sector operators who own and manage most internet infrastructure. Lindeberg emphasised the need for formalised cooperation between regulators and infrastructure owners, noting that trust and information sharing between government and private sector is essential for preparedness.

Moret described Microsoft’s collaborative approach with governments on joint risk assessments and best practices, while advocating for real-time threat intelligence sharing. Theiss outlined the EU’s systematic approach through their expert group, which is developing coordinated risk assessment methodologies and a comprehensive cable security toolbox.

## EU Policy Framework and Initiatives

Theiss provided insights into the European Union’s Cable Security Action Plan, encompassing five key pillars: prevention through improved risk assessment and monitoring; detection via enhanced surveillance capabilities; response through coordinated incident management; recovery through streamlined repair processes; and deterrence through appropriate consequences for malicious activities.

The EU’s approach includes substantial financial commitments, with hundreds of millions of euros allocated through the Connecting Europe Facility for cable projects. Theiss noted that EU funding supports cables in areas where the business case is not straightforward. He also mentioned the ongoing consultation on the EU Digital Networks Act regarding peering and interconnection regulations.

## Communication and Transparency During Outages

Esterhuysen raised critical questions about communication to end users during internet outages, using South Africa as an example where undersea cable outages left users uninformed. She pointed out that “most people get their internet not from ISPs, but from mobile data providers, and they are pay-as-you-go clients, they’re not even contracted. You are completely in the dark as to what the status is.”

The panellists’ responses revealed this as an under-considered aspect of internet resilience. Lindeberg suggested a shared responsibility model where governments alert users during severe outages while service providers inform their customers. Kolkman advocated for transparent disclosure of dependencies and failures, while Arts highlighted Cloudflare’s radar dashboard as an example of providing public information on internet disruptions.

## Monitoring and Assessment Tools

The discussion revealed both existing capabilities and gaps in tools for assessing internet infrastructure resilience. Kolkman highlighted the Internet Society’s Pulse platform (pulse.internetsociety.org), which provides an Internet Resiliency Index for countries. Arts described Cloudflare’s radar dashboard (radar.cloudflare.com) for tracking internet shutdowns and disruptions.

An online question raised the need for better tools to help governments assess their national internet infrastructure resilience. While some tools exist, participants noted they may not be optimally designed for government use or provide the specific metrics most relevant for policy makers.

## Balancing National Sovereignty and International Cooperation

The discussion addressed the tension between national digital sovereignty goals and the need for international cooperation in internet infrastructure management. Lindeberg offered a perspective that “national sovereignty or national autonomy… and international cooperation isn’t in conflict with each other. They have to live side by side.”

Arts warned that fragmentation threatens internet resilience and should be avoided, while Theiss emphasised that internet infrastructure inherently involves multiple parties and cannot operate in silos. The general view was that effective internet governance requires both respect for national interests and recognition of the internet’s fundamentally international character.

## Key Action Items and Next Steps

The discussion identified several specific initiatives. The EU expert group is committed to delivering by year-end a comprehensive package including mapping of cable infrastructures, coordinated risk assessment methodologies, and a cable security toolbox for member states.

The European Commission will publish a priority list of “cable projects of European interest” under the Connecting Europe Facility funding programme. Implementation of the NIS2 directive and critical entities resilience directive will formalise incident reporting requirements between private and public entities.

Theiss mentioned emerging technologies such as distributed acoustic sensing for submarine cable monitoring, indicating that the EU is developing a technology roadmap for cutting-edge cable monitoring and detection systems.

## Conclusion

This panel discussion demonstrated that securing basic internet infrastructure requires addressing technical, economic, policy, and social dimensions simultaneously. The participants showed general agreement on fundamental principles including the need for public-private cooperation, the importance of redundancy and diverse pathways, and the inherently international nature of internet infrastructure.

The discussion highlighted that internet infrastructure is both physical and global, requiring both national attention and international cooperation. Key gaps identified include the need for better communication systems during outages, improved tools for government assessment of infrastructure resilience, and continued development of frameworks for sharing sensitive threat intelligence while maintaining security.

The workshop’s interactive format and diverse stakeholder participation provided a foundation for understanding the complex challenges facing internet infrastructure resilience, while the commitment to concrete action items suggests potential for tangible improvements in the months ahead.

Session transcript

Amund Kvalbein: So, hello, everyone. My name is Amund Kvalbein. I come from a company called AnalysisMason, and it’s my great pleasure to welcome you all to this panel discussion on securing basic internet infrastructure. So, the internet has proven fantastically resilient against a range of challenges to its operations. And there are many reasons for this. The internet protocols were designed for resilience from the beginning. They’ve been able to scale and adapt as the internet has grown. And today, it is the dominant platform for communication and information sharing. The internet is often referred to as a network of networks, and this distributed model of operations for the internet has proven to work very well. But today, I think it’s fair to say that this network of networks is also a network of data centers and subsea cables. The move to the cloud and now also the advent of AI has made these core physical building blocks of the internet immensely important. We all rely on them every day as a society and as individuals. So with this dependence, it becomes all the more important to understand more about the vulnerabilities of this basic infrastructure, and that is the ambition of this workshop today. So, warm welcome to all of you. And to discuss this important matter, I’ve been so lucky to gather with me a prominent set of panelists here. So what we’ll do now, I will just briefly introduce these panelists. And then… We will talk a little bit more about how you in the audience and both here in Oslo and also online can participate in this workshop. So with me on the stage here today, we have first Dr. Olaf Kockmann. Olaf is an astronomer by training. I don’t know much about his career in astronomy, but I do know that he has a long and very active career in Internet technology and policy development. And today Olaf is the principal for Internet technology policy and advocacy with the Internet Society. Next, I have with me Petra Arts. Petra is an experienced public policy professional. She has experience from the European Parliament and from several private companies. The last five years, she has worked for Cloudflare and today she is director for public policy for Europe in Cloudflare. Jumping now to online, we have with us, not here in the hall today, but online over Zoom, Johannes Theiss. Johannes plays a central role in the EU’s work on the resilience of basic Internet infrastructure. He is a political science major who has worked on Internet policy questions for the German Broadband Association and for Vodafone. And today, he is the head of sector for the EU’s Directorate General for Communication Networks, Content and Technology. Here in the panel, next, we have with us Elisabeth. Elisa Lindeberg. Elisa has worked many years for the Norwegian Regulatory Authority for telecoms, most recently there as the Director for Security and Resilience in Networks. She has been active in internet policy development in ICANN and the IJF for many years, but a bit more than a year ago she made a career change from the regulatory side, and today she’s the CEO of Skygar, which is a data center hosting company here in Oslo. Last but not least we have with us Erika More. She’s a former diplomat and scholar with education from France’s École Nationale d’Administration and a PhD from Oxford University, where she studied the effects of sanctions on Cuba’s economy. She has had a long and distinguished career in international policy development. Today she’s based in Geneva, where she is the Director for United Nations and International Organizations at Microsoft. So a warm round of applause and welcome to our panelists. Very soon these panelists are going to give an introduction to this topic and where they’re coming from on that topic, but before we do that I just wanted to introduce also Michael Kenda, my colleague, who is the online moderator for this event. So Michael will be monitoring the chat here and take any questions that you might post in the chat and bring them here to the audience in due time. We also have another way for you in the audience, both online and here in Oslo, to interact with this. workshop, and that is Mentimeter, or Menti. Some of you might know this tool. So on your screens now, you can basically just see a question. So just to introduce Menti as a tool, for those of you who want, you can either scan this QR code with your camera or you can type in, go to menti.com and type in this code that is written on the screen. And we’ll use this a couple of times during the workshop for you to voice your opinion on some of these questions. So just as a starter, to warm you up to this tool, you can go in there and click where you’re originally from. I guess many of you are in Oslo today, but just to show a little bit the breadth of the audience that we have with us today. Okay. With that introduction and without further ado, we will run this now so that each of the panelists will, as I said, get a few minutes to introduce themselves and where they are coming from and their thoughts on today’s topic. Then we will have a discussion in the panel. I will ask you some questions. You might ask each other questions. And then we will also open up for questions from the audience in due course. So please prepare your questions for these panelists. So first, Olaf, will you give us your perspective on

Olaf Kolkman: securing basic internet resilience? Yes, I will try so. By the way, I’m not a doctor. I never wrote a thesis. I found internet working more interesting than gazing at stars. So I basically, during the PhD research, moved. careers, only doctorandus. But let’s talk a little bit about resiliency and the internet and what is important to that. And I want to do that on the basis of an example, namely the cable cuts on 14 March near the west coast of Africa. There were four cables cut at that day because of a tectonic plate shift or a micro-earthquake or something. And that had an enormous impact on the region. What that impact was was basically connectivity, a lot of capacity to connect outwards disappeared. The internet has always been reliant on subsea cable networks. When the first networks were laid in the US as part of the ARPANET, obviously that was always terrestrial. But as soon as Europe was connected, we needed subsea cables. And after that, you know, they’ve been a hallmark of connectivity across the globe. Anyway, four cables were cut. There were still a number of uncut cables in that region. And what happened is that the West African internet community collaborated together. That’s what you do when you collaborate, to find alternative routes. The internet itself routes around problems. It does that by a protocol called the Border Gateway Protocol, a system called routing. But you also basically have to make sure that the connections are there. That was work that was done way in advance of the cable cuts. And parts of that are having the policy. the infrastructure, the capacities, all in-house to be able to deal with the things that you cannot predict, or that you can predict and that you need to be ready for. At the Internet Society we have a platform which is called Pulse, pulse.internetsociety.org, and there is a very good story about this West African Cable Cut. If you look for Internet Society Pulse and West African Cable Cut you will find sort of an analysis there. But what we also feature on that is an Internet Resiliency Index. For each country we have calculated an index, and in that index are parameters, derived parameters, about infrastructure. What are the number of IXs, the Internet Exchange Points, in a country? Because Internet Exchange Points keep traffic local. And if you keep traffic local, and if an external connectivity in the form of a subsea cable breaks, the impact is lower and you’re more resilient. What is the amount of networks in a country? What is the hackonomy of certain networks? Is there one major transit provider in the country? One major telco that basically handles all the traffic with a few pieces around that? Or is it a nicely volatile environment? We look at security. Security is a proxy also for capability of the local community. We look at the performance of the networks, because also those are, you know, if you have more capacity in country, you might be able to deal more with breakages. And we look at market readiness. also includes, for instance, indices that are about the openness of the regulation, the ability to establish new networks, the abilities to lay cables, terrestrial cables. And what we have seen in the continent, in the African continent, is the enormous amount of capacities that have been built over the last couple of years that allowed the West African community to deal with the breakage of those important cables. But the impact in the end was significant, but there was still Internet and people could still function and could still reach. And of course, I’m talking about the lower layers of the Internet here. But what we also saw is that at the higher layers, people started to realize that they were, for instance, dependent on Microsoft infrastructure to do their work. And there again, having available infrastructure in the form of existing cables, of existing operator networks that people know how to find each other, and having the contacts available to route around the problems, those problems were solved later on the day on 14 March. So, resiliency is about readiness, is about preparedness, is about understanding what can go wrong. And if you have that all in place, the Internet itself will do a lot of magic to give it to you.

Amund Kvalbein: Thank you, Ulla, very interesting. This interplay between the basic or the physical infrastructure and the protocols is an important topic, and I’m sure we’ll come back to that as well, Ulla. I would like to move on to our next panelist, Petra. work for a company that doesn’t own that much of the basic infrastructure but that is still very dependent on it. So please give us your perspective on the

Petra Arts: topic. Yeah thanks and thanks for having me on this panel. It’s really a very important topic also from Klaufer’s perspective. A lot of what Olof said is also kind of in my speaking points. I guess it’s also probably some of us will repeat ourselves a little bit on the topic of resilience I think. From Klaufer’s perspective as you say you know we run a global network which provides a number of services including cybersecurity services for web properties which basically needs a very interconnected network and a very resilient network. To that end we depend a lot on interconnection and that is really the kind of like core of how our network operates. We connect with over 13,000 networks globally so we’re probably one of the most well connected networks in the world and that is to make sure that our data centers, our point of presence that we have all over the world can run our software with very low latency and very securely and very reliably. All those interconnections as Olof was explaining is also to be prepared for any kind of unexpected events that happen daily basically on a global scale. Of course the internet was made to be resilient but of course things can happen. Cable cuts can happen, other events can happen and then of course from our perspective as a service provider it’s important that our network stays up regardless of what happens. So interconnection and finding a different path and that our network can actually route around the issues is very very important and it is also something that obviously our engineers are are working on on a day-to-day basis to make sure that that is the case. So this is one of the most, you know, important aspects I think for us is that interconnection is not, let’s say, disincentivized. And we see that obviously from, sometimes from a regulatory point of view or from a government approaches point of view, that that’s not always something that people think of, that interconnections and peering and transit and other kind of ways to interconnect are really essential for companies, for governments, for anybody who is connected to the Internet to make sure that there are as many paths to follow as possible, which leads to more better redundancy, it leads to more resilience, it leads to faster connections as well and lower latency. And, you know, some of the discussions that we see, and I’m obviously from work in Europe, so I work in Brussels, so we talk a lot about the regulatory environment there. There are sometimes, you know, ideas that are being brought forward in some debates in the policy space that are talking about, for example, paid peering or kind of introducing payments in a system that usually is based on trust and based on settlement-free kind of relationships. As we know, you know, this is sort of also explained, it’s based on preparedness and engineers making sure that the connections are there, that need to be there. So if, you know, some parts of the ecosystem, in this case large ISPs mostly in the European area, trying to say, you know, there needs to be a contract, there needs to be payment, needs to be additional cost for all networks to connect to each other, that obviously is problematic, I think, from our point of view, from a resilience point of view as well, because it can actually lead to disincentivization of interconnection, that you would not necessarily have more interconnection points if you would have to bear a lot of costs to do it. And I think it also goes against the kind of… you know, nature of the Internet as a network of networks and a kind of organic way to connect to each other, and we all have an interest to connect to each other. So that’s, from my perspective, I think, one of the main issues to the topic of today.

Amund Kvalbein: Thank you. Very interesting. I think we’ll also return to this point about the Internet being built borderless and with incentivizing maximum connectivity and interconnections and how that hopefully can continue to be the case while also catering for other worries that people have about the Internet. I would like now to move to our next panelist, which is Johannes. Johannes is not on stage, but he will come up here, I think, on the screen. Johannes, you work with the EU, who obviously shows a lot of interest in the Internet and has lately also been showing particular interest in the topic of subsea cables, which is a very important part of the basic Internet infrastructure. So, Johannes, can you introduce us a little bit to the work you’re doing there? Hello, can you hear me well? Now we can hear you, thank you.

Johannes Theiss: Very well. Okay, well, thanks, first of all, for having invited me and the European Commission to this panel discussion, and perhaps before I go into some of the overviews, one comment as already kind of now the topic was flagged a bit, and I think it’s not perhaps the core topic of today, the question of peering and those types of issues, but the European Commission has an ongoing consultation. on an upcoming regulation at the end of the year called the Digital Networks Act. So if you have views that you would like to contribute, now would be a good time to talk about that specific issue. So I will not touch about this later as it’s not perhaps the core of this panel, just since it was brought up. What we are doing in the unit I work on is we contribute to something that the EU published at the beginning of this year. It is a joint communication on an EU cable security action plan. So a bit to what Olaf said in the beginning, that resilience is a cycle, there are several elements to it. And as policymakers we try to have these elements on the radar, not least because there have been some incidents in particular in the Baltic Sea that rose the political limelight on the this important topic and the resilience of submarine cable infrastructures. So when I talk about the resilience cycle and here I would go a bit into its various elements which are described in the action plan, you would have basically four to five points that cover the cycle from prevention, over-detection, response and recovery up to deterrence. And the action plan tries to really tackle or propose some ideas and action on all of these points. The part that my unit is working most on is the pillar of prevention. And here there are of course several issues, transposing ongoing legislation, also developing new technologies, but in particular, and I’m happy later on to dive into some of these elements a bit more in detail, we have formed an expert group with EU member state authorities that was done after already publishing a recommendation last year, and this expert group is supposed to deliver by the end of this year a mapping of existing and planned cable infrastructures, a coordinated risk assessment based on an overview of what are the existing threats vulnerabilities and dependencies so also tackling economic security aspects, then come up with a mitigating a set of mitigating measures and we call that a cable security toolbox. Some of you might know that I’ve worked in the field of 5G might know the 5G cybersecurity toolbox so we try to kind of mirror that approach and also having some of when I talk about risk some of these risks could even be combined into into scenarios that can then be stress tested and there might even be funding for that made available from from the EU budget and then last but not least we are funding already cables that that have a difficult case difficult economic viability we have a program called the connecting Europe facility and there is already hundreds of millions of euros going into this and there will be further investments under this program coming up but what the expert group will will deliver on by the end of the year is a so-called list of priority areas of interest we call them cable projects of European interest. Then without going into too much detail into the other topics when we talk about detection it’s all about how can we integrate more surveillance mechanisms that that exist connect more data that’s available because there’s a lot of data available it’s rather a question of how to bring it together and how to make sure it reaches the right addressees and then also increased how technology can help with that know what about the role of drones what about the role of sensors so there’s a lot we could discuss there when we discuss response and recovery it’s a lot about repairing and maintaining the cable so we have the issue of are there enough ships available how good are the ships How new are they? And we might touch on that a bit later. Who finances these ships? How profitable is it to work with them? But of course, also general crisis response frameworks, which are very important. And then finally, the whole deterrence block is really also about international relations, proactive cable diplomacy. It’s of course sometimes difficult to attribute certain incidents because it’s not always clear. So it’s important to respect the international rule book that is in place, and then make sure that if certain of these incidents can be attributed, that the actors are held responsible and to prevent future incidents on these types of infrastructures. But I’ll probably stop here and happy to dive into details later on during the panel. Thanks again.

Amund Kvalbein: Excellent. Thanks, Johannes. And I think this topic of what the EU or governments do versus what the owners of this infrastructure, which is often private, and how they work together is a key issue that we will touch more upon. Elisa, you have spent a lot of your life in working on the resilience and the security of internet infrastructure in various capacities. Can you give us your introduction to this topic?

Elise Lindeberg: Yes, thank you. I’ve been talking about, as you said, the important discussion about the cooperation between the regulators and the regulating side, and who actually have to do this and have to live by it, and also have to provide the security that we need to have the trust in the internet. services that we’re now going to build up. So from going from the regulation that I worked a lot of years with the regulatory side, it was always fascinating to see how this was something that was taken for granted or not even considered a problem in the beginning when I started about this, working with the resiliency. And then suddenly it was the main topic for the trust in the internet services and the internet layer on top. Because the internet is a very solid structure. As you said, it’s also a net of networks. And in IGF, we always talked about how solid that is in itself. But we forget that the internet is physical. It’s not in the sky. It’s not on your phone just driving around in the sky either. It is always linked to a data center, which is critical infrastructure. It’s fiber, and it’s networks, and it’s cable, and it’s undersea cables and everything. And what we have seen is that when we talk about the internet and the use of the internet and all the fantastic things that we can do on the top layer, developing internet services and building a lot of functions, critical functions in the community and in the society, is that there is now, as I at least experienced it from the government side, when something happened, it’s zero tolerance for failure. Not only because we have critical services on top, but also because people are used to these services always being there. So you have zero tolerance for the services going down, and you have layers and layers and layers of all private companies and everyone relying on each other, and in the end, relying on the physical layer, on the bottom line. That is both power, and it is the physical infrastructure. Data centers are cabling. So I think it’s really interesting that when we talk about the development of the internet. the Internet and all the possibilities that we have, which is basically the backbone of this IGF and this multi-stakeholder community discussions, we should also have thorough discussion on the physical infrastructure layer. And it needs to be a cooperation between the one who builds it, not only the regulating side, but the one who builds it and the one who uses it. And to not lose that perspective. And it’s also a question about payment, that some of you spoke about. Because it’s going to be, in this, in the world today, there’s more insecurity about how secure the Internet connections are and the fibering and the undersea cables and everything. And if we’re going to secure it even more and have more redundancy on it, it’s going to cost money. It’s also going to cost money to build very secure and stable Internet services in the data centers. You know, it’s going to take and have enough power and have enough redundancy. And that has something to do with the whole cost picture. So maybe we need to realize that to build trust in the Internet services, we should have the infrastructure layer more into the debate also in IGF forums, like we do today. But that has been somewhere missed in the past, because we’ve discussed more the Internet itself and not the infrastructure around it. Yeah. Thank you.

Amund Kvalbein: Great. Thank you. Thank you, Elisa. Erika, you represent one of the biggest players on the Internet, I would say, who owns and operates a lot of this infrastructure. You’ve invested heavily in both data centers and subsea cables. So you build this resilient Internet together with others. part of it. What is your perspective?

Erica Moret: Well, thank you very much, first of all, for the kind invitation to join you today. You can hear me okay? Yeah. The last time I had a system like this, I was saying earlier to the organizers with headphones, it was in a cryptocurrency conference and there was very loud music playing at the same time. So I’m glad this, this setting is slightly more manageable. And so, as you said already, very rightly, Microsoft operates one of the largest global networks of fiber and subsea cables. And it also owns and operates a vast network of data centers around the world. We jointly own major submarine cable systems like Maria and also I meet you, which are transatlantic cables to ensure high capacity connectivity between continents. These investments are designed to increase the geographical diversity of cable landings and reducing single points of failure and enhancing network resistance. Likewise, Microsoft Azure spans 60 or more cloud regions in over 140 countries, which houses data in over a hundred highly secure facilities, which is a scale that underpins the responsibility and safeguarding reliable and resilient internet infrastructure. So you asked me to talk a little bit about some of the challenges and risks that are at play and the panelists have already outlined this very eloquently, but I’ll focus first on data centers here as one of the backbones of the internet, which face their own distinct set of challenges. They require enormous stable power supplies and cooling, hence power grid failures or extreme weather, including heat waves, floods, earthquakes, hurricanes, and so on can threaten operations. Physical attacks or sabotage are rarer, but not impossible. And as critical hubs, they could be targets for hostile actors or criminals, even an accidental fire or localized disaster at a large data center can knock out services for millions of users. Another often overlooked risk. with geographical clustering. If many cloud facilities are in one region, a single regional event, a wide area blackout or an earthquake could affect them all simultaneously. And turning to submarine cables, they’re of course also prone to damage from ship anchors, fishing activities, natural disasters, and also malicious tampering and sabotage. In sum, both cables and data centers are single points of failure in the digital economy and for users worldwide, if not made users of the internet, if not made resilient against these various threats. And these challenges really underscore why this discussion today is so vital and paramount. At Microsoft, we have comprehensive approach to mitigating these risks at both the physical and logical network layers. We’ve built extensive redundancies into the network,

Elise Lindeberg: deploying multiple cable pathways and diverse landing points so that if one link is lost, traffic can be rerouted to other alternate routes. Also internally, we continuously monitor all network links for performance degradation or outages using advanced telemetry tools. And this early warning system combined with predictive analytics allows near instant rerouting of internet traffic if a cable fails. In data centers, redundancy is critical. Azure regions are designed with availability zones, which are physically separate data centers with independent power and cooling systems to sustain operations even if one facility goes down. Microsoft data center architecture equally seeks to ensure critical services can fail over to alternate sites, providing high availability and disaster recovery capabilities. I was gonna talk a little bit about our collaboration with government and stakeholders, but maybe I’ll save that in the interest of time to the next round of questions.

Amund Kvalbein: Excellent. Thank you. Now we’ve gotten some interesting. introductions and perspectives on this topic from our panelists. Before we move on, I would now just like us to move to a metameter, if we can get that up. So for you in the audience, let’s see, do I control this one now? Yes. So we have a question for you, which is a simple but open question. Several of the panelists now have touched upon several threats or challenges to the basic Internet infrastructure. We would just like to hear from you, what do you think are the most important or challenging threats against the basic Internet infrastructure? So if you go to a metameter here now, you should get up like a small text form where you could enter your reply in a few short words, and they will show up here, and there will also be the possibility to, I think, give the different options a thumb up or a vote so that we can get a picture of what, if there’s a consensus in the room or whether there are opinions in all directions, which there might be. Excellent, so we get a lot of different challenges here. Several of you mentioned power outages, which are a major source of outages. There are answers along the attacks, both against BGP specifically. more general cyber attacks, malicious actors. Several of you mentioned topics having to do with governance, politics, regulatory fragmentation, and poor and conflicting legislation. All very good and interesting perspectives. Now we will go into some discussion, some topics. I have a few questions for the panelists. I assume you do in the audience as well. If you want, you can post some of them in the chat in Zoom, or in a few minutes, you will also be able to do it here in the room in the microphone. If you are with us online, you will unfortunately not be able to to speak your question. But if you put it in the chat, then Michael, our online moderator, will convey them here to the audience. We see from the topics brought up on the wall here, and several of you also mentioned it, this interdependency between the basic internet infrastructure, kind of in the middle, and other infrastructure that supports it in terms of power, in terms of repair capacity, in terms of civil works, and also the protocols on the higher level. So these parts all must work together. Olaf, you mentioned when we talked before this, you mentioned the notion of hidden correlation of risks. What do you mean by that?

Olaf Kolkman: When I said that, sometimes disasters happen at the same time. A power outage or a software problem that causes a power outage, something that relies on the internet in the power center, things that are related that you at some direct point do not see as related. For instance, a lot of people will make a risk diagram, likelihood costs, and put crosses on that. And sometimes things might be a low risk, high cost, but almost always happen together. I don’t have an example in this context, but this is something to think about when you are thinking about resiliencies and risks that you have within the system that you operate. I want to go back and say something about the things that we identified on the slide as being risk to infrastructure. As far as I can tell, all those things are relatively isolated geographically. A power outage is almost always with a geographic scope. The Iberian Peninsula is a more recent example. The internet as a system, as a global system on which we relied, has never seen an outage. And I think that very critical services should think about, for instance, that geographical spread that was talked about, because that allows for catching up your back-end services at least. So you always have to think about what is what I’m protecting against. and what are the things that, in your risk-based approach, what are the things that cause real harm and have a high impact? But when you do so, if flood may take out, or let’s say an anchor might take out both a power cable and an internet cable at the same time, and that would be a sort of hidden correlation, that would be an example. Yeah. So this is a more open question, and I’ll start with you, Erika, but the others here, feel free to add into this. We discussed a bit earlier about, call it the division of labor between the governments or the regulatory authorities on one side and the large internet actors, which you represent on the other side, who owns and builds and operates this. How do you work with these governments to secure this infrastructure? And on the tail of that, do you have a wish? Would you like to ask something from these governments? What could they do?

Erica Moret: Yeah, thanks, that’s a great question. We work very actively and proactively around the world in different types of partnerships with governments and other stakeholders, and very much in local context as well with national governments. And so, a key wish, that’s a really difficult one, but I think I would say for governments to continue and perhaps do even more in terms of actively partnering with industry and with other stakeholders, civil society and so on, as the cornerstone of resilience, I really think that public-private partnerships should be embraced and are incredibly important here. And I think there’s a number of key elements to that, and again, the panellists have done such a great job of outlining some of these areas already, but I would say sharing the threat intelligence is a really important one in real time with companies to pre-empt attacks and vulnerabilities. As part of, giving an example, as part of industry coalitions, Microsoft contributes to joint risk assessments and also adheres to best practice standards for critical infrastructure, so I think working together with governments to get that right is very important and have a kind of constant conversation and a trusted feedback loop is vital as well. I think second would be investing in redundancy, such as supporting back-up subsea cables or extra data centre capacity to eliminate these single points of failure that we’ve been discussing today is again a really important area. The third is the need for coordinating internationally, so that cross-border issues like undersea cable repairs or common security standards are handled swiftly and collaboratively, and that of course is a big challenge in today’s geopolitical climate and it really underscores why meetings like these I think are very important as well for fostering trust and building those relations. And then I think a final one would be policy support. In the case of Microsoft but also other companies, we’ve joined efforts to designate and treat key data centres as critical national infrastructure, which can help to facilitate better government support during incidents.

Amund Kvalbein: Excellent. I think Elisa, you want to comment on that? I know this is right up your alley.

Elise Lindeberg: Yes, it is. We’ve been discussing this in Norway for years, you know, how to share the threat picture between the governments who sit on a lot of information. And it’s been kind of a siloed thinking in the past because this is something that intelligence keep close and they don’t want to spread it. And again, you miss out on using all the power that sits on the companies and the infrastructure owners to dive in and actually help in a situation where communication is cut off, which is one of the basics that we need in every critical situation, as Ukraine also shows this morning how it really matters. So to trust each other and to make some sort of formalized discussion between the companies and the government on that side is needed, and I think basically all governments are working on this now, at least as I know in Europe, that this is an issue. So this cannot be said enough times, I think, that we need this cooperation to be more thorough and even be like a baseline for preparedness and readiness in the community and in society. So that I very much agree on, yes.

Amund Kvalbein: Any others in the panel who have a view? Johannes, you represent basically, not the government here, but the EU as an important regulator, player here. What role do these infrastructure owners play in the interaction with you?

Johannes Theiss: Yes, can you still hear me well? Seems to be the case. So indeed, first of all, when I think about the metameter question and government being mentioned or regulators being mentioned many times with a negative connotation, I hope at least as EU we try to make a positive contribution to the regulatory landscape, especially when it comes to improving coordination, both between… between governments, so cross-border was mentioned, but also between governments and private entities. Perhaps a couple of points that I would like to make. So first of all, some of these exchanges are already formalized, in particular, through recent legislation that came into force. To mention two, the NIS2 directive is one, and the critical, so that’s about cybersecurity focus more, but it has a broader approach, also tackling some physical elements, and then the critical entities resilience directive. These directives really formalize the exchange, especially when it comes to incident reporting between private and public entities. So in the EU, these are really, although they are directives, they have to be transposed nationally, but they seek to kind of create a more harmonized situational awareness. Then, of course, when it comes to the funding side, there’s also regular exchanges. I mentioned before already the SEF funding program, so Connecting Europe facility, because we see, of course, that there is a concentration, the market goes where it makes sense and where there’s already a lot happening. If there is an internet exchange point, if the latency is short, then that’s where you go. And those things are at times not necessarily creating increased resilience, no, because for that, you need more redundancy and not necessarily more of the same. So it’s important to strike there a good balance between the two, and that’s why we have been investing under SEF already for quite some time. And actually, currently, there is still a funding round, we call those calls, ongoing, where the evaluations are taking place, and you will see some results in the next coming weeks and months, where, again, the submarine cables will be supported, especially in areas where. business case is not straightforward. And many times, some of you mentioned this already, these are of course consortia that come already together. They propose a certain project and then it’s co-funded, so it’s not entirely from the public purse. But when private sector is going somewhere, they might need a bit of a bridging, a bit of support to bridge the viability gap. And that’s what these funding programs are for. And then last but not least, of course, we are also in regular exchange with companies when it comes to any types of threat analysis and potential mitigating measures. I think Erica mentioned already some of the faults that may be related to submarine cable incidents. That’s precisely information that we, of course, are interested in and that we also learn through our exchanges with private companies, who, by the way, are regularly invited sometimes to speak with our experts in the expert group. It’s true that there is always then a certain realm of sensitivity, which makes it a bit harder to be, let’s say, too forthcoming in what is being made public or not. But in any event, we try at least as much as possible to facilitate these exchanges. And so far, I would say, it seems we have been on the right track with the proposals that we have put forward. When you read through the cable action plan and also for the recommendation last year, you would see that many of the things mentioned are reflected quite well. Last point, because Olaf mentioned it, the accumulation of things that can happen, take the power and telecoms cable cut, that actually did happen at the beginning of the year. So these are things that are really not in season. They’re happening in practice and it’s important to mitigate those types of situations. Thanks.

Amund Kvalbein: Great, great. Thank you, Johannes. So, I would like us to turn quickly to Mentimeter again. We have another question. Oops, we have another question for you. So, moving from what are the challenges, the threats, what are the most important actions that governments and private companies and or private companies can take to strengthen internet resilience? There’s a question for you. Not a simple one, but we’d love to hear your thoughts on that. And while you are typing in those, I would again like to encourage those who participate online to post your questions in the chat and Michael will convey them. And then I have, of course, many questions in my head that I would like to get the answers from this panel, but I’m sure you do as well. So, I very much hope that you in the audience will also raise your hand and take this opportunity to ask our panelists about this topic. Just seeing what comes up here. That’s an interesting one. Avoid national autonomy. That’s an interesting topic. Some of the panelists might have words to say on that. Diversity is mentioned by several. Partnerships, collaboration, cooperation, education. Contribute to a redistributed internet. implying that it’s not as distributed anymore, perhaps, as it was, I don’t know. You might disagree or agree in that. So I think I’ll leave the microphone open now, in case any one of you has a question to pose, and while you prepare your question, I don’t know, maybe one of you in the panel would have a comment on exactly this. Oh, sorry, here is the first question already. Let’s go to you. Ah, lovely. Thank you very much.

Anriette Esterhuysen: My name is Anette Esterhuisen, I’m from South Africa, very much affected by undersea cable outages. I’m from civil society. My question is, none of you have touched on this particular topic, whose responsibility is it to communicate to the end user that there’s an outage and that there’s an attempt to work around it? For an internet exchange point, the peering points will let their members know. Data centres will let their clients know. If you, in the case of a power outage, you usually would be informed by the power utility or you’d have an app, like in my country, where the power goes down every other day, and there’s an app that tells you what the load shedding schedule is. But when it comes to internet outages, you essentially need a newspaper subscription to a business newspaper, which is not something that’s available in the public at large. Most people get their internet not from ISPs, but from mobile data providers, and they are pay-as-you-go clients, they’re not even contracted. You are completely in the dark as to what the status is. If you have fibre to the home, your fibre provider might update. you, but they often actually don’t. So that’s my question, is that something also in this partnership you’re talking about between regulators, government and private sector, to try and centralise in some way that there’s active communication and interaction with the end user?

Amund Kvalbein: Thanks. So Elisa, you raised your hand or Olaf, do you want to start Elisa?

Elise Lindeberg: Yes, if it’s an outage that is critical enough, obviously, that’s the government’s role to alert the one who’s been affected by it. It will always be like that. So if it’s severe enough, you will hopefully have systems in place so the government will react and also send out, I mean, and communicate with what is available for the users. But it’s also, you know, the service provider, the one who gives the services, they also need to alert their users, but also the government probably. So in my experience, if it’s severe enough and if it’s enough individuals or companies or whatever that is affected, these are systems that should be put in place. That is why we should have, you know, coordination and coordination between governments and private companies and this put in place as a system upfront, because it’s both, it’s not one of

Olaf Kolkman: the other. Oh yeah, Henriette, this is not a question to punt. I think it’s an important question. But I’m going to return the question a little bit. Are you aware of any best practices that are executed anywhere on the globe? Because this seems to be a thing where through national IGFs, regional IGFs, something might percolate upwards and become best common practice. You’re not aware, I see you shaking your head.

Anriette Esterhuysen: No, not for internet outages. I think for internet shutdowns, I think you now do have to some extent there are civil society organizations that monitor internet shutdowns and they’ll communicate that fairly widely. I think for power outages you have at a national level, I think now, you know, a much more structured approach. But I think for internet outages, and also it often doesn’t, you know, the way that undersea cables work, there is a lot of redundancy. So it doesn’t necessarily affect everyone at national level in the same way. It depends very much, if you’re in an academic network, you might have access to different cables to people that get their internet through mobile network. No, so Olaf, I’m not aware of good practices. And I think governments are not set up. I think many countries don’t even have centralized communication about ransomware attacks or cyber attacks or cyber breaches. Information regulators are getting better at making alerts about data breaches, public. But this type of outage, infrastructure outages, I’m not aware of any. But maybe someone else in the room is. Thank you.

Amund Kvalbein: Michael, I think there is a question from the chat.

Michael Kende: That’s right, hi. There is a question online. There’s about 20 people that have been participating. And Vahan asked a question. Should we create a tool for the governments and regulators so they can check how resilient is their internet infrastructure? And some of those tools that he said Olaf mentioned be IXPs, regulations, interconnections, so I think some of this would be ways to strengthen it, but also if there are tools and if you can fill in how that might look that could help governments and regulators to determine how resilient everything is. Thank you.

Olaf Kolkman: I don’t want to steal people’s thunder, but pulse.internetsociety.org has a resiliency index which just maybe not measures it, but gives an index about the resiliency in-country. That said, I don’t want to flatten the discussion, because resiliency has to do with the complexity in the world that we live in, and even if we have a very resilient network or internet, still we might rely on, say, one provider of a specific application interface in order to get our work done, and if that application interface is down, a lot of stuff breaks. So resiliency is actually for everybody, your dependencies will be different, and the complexities involved are very important. So I think that if you go into resiliency for your systems, be it as a country, be it as an SME or a company or maybe even for you at home, you have to go and do sort of the analysis, the risk assessment, and the tabletop exercises to deal with them.

Amund Kvalbein: Unless there is a question now, I just wanted to pick up, and I think, Petra, maybe this is for you to start on. but I was triggered a little bit by one of the statements, a couple of the statements from our Mentimeter here now, so avoid national autonomy. I mean, you in Cloudflare are not particularly national, you are rather international, right? Would you agree with this statement or is there

Petra Arts: more complexity to it? Yeah, I saw that answer. I’m not exactly sure what the person kind of meant by it. I don’t know if they’re in the room or online, but I’m more generally about the, also to the point of collaboration and cooperation that was mentioned. I think that’s exactly where we would need to go and where I think this discussion has kind of led to us already to say, you know, the collaboration between governments, between private sector governments, between all actors that are basically responsible for making the internet, you know, work and being resilient as it is. I think that’s where we need to go, like national autonomy. I think obviously in the European context, we talk a lot about digital sovereignty, right, in these days, and there’s obviously a lot of policy discussions on things like data localization and things like that. They’re all kind of related to it. I think from a, from Cloudflare’s point of view, and also I think from a, you know, internet resilience point of view, fragmentation is like, you know, the way that we shouldn’t go, you know, to make sure that that resilience kind of stays as it is and is improved. I think fragmentation can lead to, you know, a lot of negative consequences from a resilience point of view. So I would not necessarily agree with that we, you know, I would agree with the fact that that is one of the threats, I think, that they were mentioning, like the different decisions by different parts of government in different parts of the world, I think, can lead to fragmentation. I think we need more forums to collaborate and discuss and to also come to kind of common solutions and share best practices. I think that’s kind of of where we need to go, and to your point on Pulse, which also collaborates a lot with ISOC on the Pulse side, on the internet shutdown side, maybe also to promote a little bit our radar dashboard, radar.cloudflare.com, which also gives you a lot of knowledge and information, I think, on what we see from a internet shutdown, also kind of disruption point of view from our network, which can also help civil society and others to kind of find out maybe more about what’s going on in these cases.

Johannes Theiss: Can I come on this one as well, Amund? Absolutely. Yes, no, I actually, when I was seeing the Mentimeter replies coming in, I was always thinking, okay, the toolbox writes itself, so we can lean back, and it looks quite good, but jokes aside, those are precisely the points that we are, first of all, currently working on, that we are developing in much greater detail, of course, and without interpreting too much into the avoiding national autonomy, I think that the point that can be made there is that the internet as such, but submarine cables, this is not a one-way, it’s not a silo. There are always two, at least two parties, connected to a cable, often more. There are consortia of various types of players coming together. They connect them to other types of players in a data center, so this is not a silo business, and I think that’s something to keep in mind. Other points mentioned, which I found important to highlight is the use of technology as well. I mentioned in the beginning that some of these new systems, they can really help with monitoring and detection. For example, distributed acoustic sensing, which can be applied to the submarine cables, can help here. We’re actually putting together, or would like to put together a roadmap at the European Commission to scope a bit what are these cutting-edge technologies that one should create. in mind and there will be some research funding available made for this. So have a look at the current Horizon Europe work program and at the action related to submarine cables because that’s that’s precisely something we’re gonna look into a bit more in detail. And then lastly what also popped up on the on the overview was the investment incentives. It’s really important to keep those incentives high but also to strike the balance not to crowd out private investment. There’s a lot of private investment happening and we welcome that very much and that is that is essential. Without that things wouldn’t work. But there are some gaps here and there especially when things get more in areas which are a bit less viable and there are still some gaps here. The public authorities and the public purse can play an important role and this is something we have been doing and continue to do so. Thanks.

Amund Kvalbein: Excellent. We are approaching the end of this session. There is there is still time and room for a question from the audience if you have one. But you have to be quick. No? So if there is not then then I would just like to take to round this up to go a quick round again with our with our panelists to to very briefly in 30 seconds. What is your takeaway or your message from this from this discussion? Is there an action? As Lenin said what needs to be done? Olaf do you want to start?

Olaf Kolkman: I think awareness building is is one part of it. Understanding your dependencies. I think that the parties at the left of me have a quite well understanding of their dependencies, although sometimes things break. I’m also looking at the left at me. One of the things that I am very for, so to speak, is that when things break, you tell the world. And you tell that in a very transparent way, where you disclose or you tell a story about what were my dependencies, what did I know about those dependencies, and how can you, a random other person who builds infrastructure, figure out whether you have the same dependencies that I had that broke and I didn’t know about them. So it’s about sharing information, it’s about understanding your risks and the dependencies, that risk matrix, building that out, but also about practicing. And again, this is not only the large corporations, the Cloud Flares and the Microsoft of this world, it’s also the local data center in Oslo, or a small data center maintained by an SME that might have services running for, say, a hospital or another service, a logistical service that we may all depend on for getting our groceries in the store the next day.

Amund Kvalbein: Thank you. Petra?

Petra Arts: Yeah, I mean, not so much to add, I think, from my side. I think, Olof, I think you’re very right on the transparency point of view, and I think, I hope, the Cloud Flare is doing quite a good job in the rare instances that we do have, you know. things to say about outages. There is a learning that you take from everything that happened to you and happens to your network. And then indeed sharing it and making sure that others can learn and also prevent things from happening on their own side is really key. I think from our perspective, I think the diversity of connections of the internet and the preventing of fragmentation is, I think, the two key points from our side when it comes to making sure that infrastructure and the internet as a whole operates as it should, I think, and to the benefit of everybody in the whole ecosystem, businesses, end users, everybody who uses our services and other people’s services on a day-to-day basis, we all rely on that physical infrastructure. And we all play a part in the chain. So that’s, I think, the most important thing. And resilience really is a job that everybody kind of has to work together on continuously. I think that’s also obviously something that kind of became clear from this panel that we all do.

Elise Lindeberg: Lisa, 30 seconds. 30 seconds, I’ll be very brief then. I would just want to mention that national sovereignty or national autonomy, as somebody said, and international cooperation isn’t in conflict with each other. They have to live side by side. I think everyone wants to cooperate as much as possible. And I think we will continue doing that. But I see when we’re so dependent on internet that we aren’t today in democracies and societies, I think that it’s naive to think that we can have one without the other. We need to think of them in parallel. And I think that’s possible, very possible.

Erica Moret: Erica. Thank you. 30 seconds. I would end by saying that there are tremendous geopolitical challenges right now and threats to the multi-national. order and the UN remains as important as ever in this context and so when we’re thinking about the the urgent need and the continued pressing need for partnerships, trust, collaboration, cross-border working, I would again emphasize that working in fora like the UN and bringing in all the relevant stakeholders is a vital one and in doing so we can then of course be thinking about all the types of agreements and monitoring and information sharing and so on and I just wanted to also end with an announcement that was made by our vice chair and president Brad Smith in a recent about a month ago outlining Microsoft’s European digital commitments but one of the pillars I thought you might be interested if you haven’t seen it is to uphold Europe’s digital resilience even when there’s geopolitical volatility and I think that’s a lesson also for a kind of global picture as well is how important these types of commitments are across the board. Thank you.

Amund Kvalbein: Johannes we have not forgotten you but you only have 20 seconds. That’s fair I

Johannes Theiss: just have the feeling that from the discussion with what we’re doing in the EU we seem to be on the right track I just could give you some of the flavors of of what we have in store but no more is more will be coming and we hope to also make some of these points public in the autumn so stay tuned perhaps I’ll leave you with that. Thanks again for for inviting me. Thank you. That

Amund Kvalbein: concludes our our workshops thank you so much all for coming it’s been a pleasure and please join me in giving our panelists a last round of applause.

Olaf Kolkman

Speech speed

119 words per minute

Speech length

Agreed on

Transparency and information sharing during outages helps broader community preparedness

Petra Arts

Speech speed

167 words per minute

Speech length

1296 words

Speech time

463 seconds

Cloudflare connects with over 13,000 networks globally to ensure resilience

Explanation

Cloudflare operates a global network providing cybersecurity services that depends on extensive interconnection with over 13,000 networks worldwide. This interconnection is core to how their network operates, enabling low latency, secure, and reliable service delivery from data centers and points of presence globally.

Evidence

Agreed with

– Johannes Theiss
– Erica Moret

Agreed on

Internet infrastructure is inherently international and requires cross-border cooperation

Disagreed with

– Elise Lindeberg
– Johannes Theiss

Disagreed on

National autonomy versus international cooperation in internet governance

Cloudflare radar dashboard offers information on internet shutdowns and disruptions

Explanation

Cloudflare operates a radar dashboard that provides knowledge and information about internet shutdowns and disruptions as observed from their network. This tool can help civil society and others understand what’s happening during internet disruption events.

Evidence

Dashboard available at radar.cloudflare.com, developed in collaboration with Internet Society on internet shutdown monitoring

Major discussion point

Monitoring and Assessment Tools

Topics

Infrastructure | Human rights

Agreed with

– Olaf Kolkman

Agreed on

Transparency and information sharing during outages helps broader community preparedness

Johannes Theiss

Speech speed

153 words per minute

Speech length

Agreed on

Internet infrastructure is inherently international and requires cross-border cooperation

Disagreed with

– Elise Lindeberg
– Petra Arts

Disagreed on

National autonomy versus international cooperation in internet governance

Distributed acoustic sensing and other technologies can improve cable monitoring

Explanation

New cutting-edge technologies like distributed acoustic sensing can be applied to submarine cables to help with monitoring and detection of issues. The EU is developing a technology roadmap and making research funding available for these innovations.

Evidence

Current Horizon Europe work program includes actions related to submarine cables, with research funding available for technology development

Major discussion point

Monitoring and Assessment Tools

Topics

Infrastructure | Cybersecurity

Elise Lindeberg

Speech speed

150 words per minute

Speech length

1211 words

Speech time

481 seconds

Need for formalized cooperation between regulators and infrastructure owners

Explanation

There needs to be formalized discussion and cooperation between governments who possess threat intelligence and companies who own and operate the infrastructure. This cooperation should be a baseline for preparedness and readiness in society, moving beyond the traditional siloed approach where intelligence agencies keep information close.

Evidence

Norway and European governments are working on this issue, recognizing that communication infrastructure is critical during emergencies as demonstrated by Ukraine’s situation

Major discussion point

Public-Private Partnership and Cooperation

Topics

Infrastructure | Cybersecurity | Legal and regulatory

Agreed with

– Erica Moret
– Johannes Theiss

Agreed on

Need for formalized public-private cooperation and information sharing

Trust and information sharing between government and private sector essential for preparedness

Explanation

Disagreed on

Responsibility for communicating outages to end users

Erica Moret

Speech speed

161 words per minute

Speech length

975 words

Speech time

363 seconds

Data centers face risks from power outages, extreme weather, and geographical clustering

Explanation

Data centers require enormous stable power supplies and cooling systems, making them vulnerable to power grid failures and extreme weather events like heat waves, floods, earthquakes, and hurricanes. Geographical clustering of cloud facilities creates additional risk where a single regional event could affect multiple data centers simultaneously.

Evidence

Physical attacks or sabotage are rarer but possible, and accidental fires or localized disasters at large data centers can knock out services for millions of users

Major discussion point

Internet Infrastructure Resilience and Vulnerabilities

Topics

Infrastructure | Cybersecurity

National Sovereignty vs International Cooperation

Topics

Infrastructure | Cybersecurity

Agreed with

– Johannes Theiss
– Petra Arts

Agreed on

Internet infrastructure is inherently international and requires cross-border cooperation

Anriette Esterhuysen

Speech speed

153 words per minute

Speech length

428 words

Speech time

166 seconds

No clear responsibility exists for communicating internet outages to end users

Explanation

Unlike power outages where utilities inform customers or provide apps with outage schedules, there’s no clear system for communicating internet outages to end users. Most people get internet from mobile data providers as pay-as-you-go clients without contracts, leaving them completely uninformed about outage status unless they have business newspaper subscriptions.

Evidence

Internet exchange points inform members, data centers inform clients, power utilities provide apps and schedules, but internet outages require business newspaper subscriptions for information. Fiber providers might update customers but often don’t

Major discussion point

Communication and Transparency During Outages

Topics

Infrastructure | Human rights

Disagreed with

– Elise Lindeberg

Disagreed on

Responsibility for communicating outages to end users

Need for best practices in outage communication similar to power utilities

Explanation

There’s a need to develop best practices for internet outage communication that could be shared through national and regional IGFs. While civil society organizations monitor internet shutdowns and there are structured approaches for power outages nationally, internet infrastructure outages lack similar communication frameworks.

Evidence

Civil society organizations monitor internet shutdowns, power outages have structured national approaches, but internet outages affect users differently depending on their network access (academic networks vs mobile networks have different cable access)

Major discussion point

Communication and Transparency During Outages

Topics

Infrastructure | Human rights

Michael Kende

Speech speed

146 words per minute

Speech length

97 words

Speech time

39 seconds

Need for tools to help governments assess their internet infrastructure resilience

Explanation

There should be tools created for governments and regulators to check how resilient their internet infrastructure is. These tools could include metrics like Internet Exchange Points, regulations, and interconnections to help determine resilience levels and identify areas for strengthening.

Evidence

Reference to tools that Olaf mentioned including IXPs, regulations, and interconnections as ways to both measure and strengthen resilience

Major discussion point

Monitoring and Assessment Tools

Topics

Infrastructure | Legal and regulatory

Amund Kvalbein

Speech speed

121 words per minute

Speech length

Public-Private Partnership and Cooperation

Topics

Infrastructure | Legal and regulatory

Agreements

Agreement points

Need for formalized public-private cooperation and information sharing

Speakers

– Elise Lindeberg
– Erica Moret
– Johannes Theiss

Arguments

Need for formalized cooperation between regulators and infrastructure owners

Trust and information sharing between government and private sector essential for preparedness

Governments should share threat intelligence in real-time with companies

Microsoft collaborates with governments on joint risk assessments and best practices

NIS2 directive and critical entities resilience directive formalize incident reporting

Summary

All speakers agree that effective internet infrastructure security requires formalized cooperation between government agencies and private infrastructure operators, including real-time threat intelligence sharing and joint risk assessments.

Topics

Infrastructure | Cybersecurity | Legal and regulatory

Importance of redundancy and diverse pathways for resilience

Speakers

– Olaf Kolkman
– Petra Arts
– Erica Moret

Arguments

Internet Exchange Points keep traffic local and reduce impact of external connectivity failures

Cloudflare connects with over 13,000 networks globally to ensure resilience

Microsoft builds extensive redundancies with multiple cable pathways and diverse landing points

Azure regions designed with availability zones as physically separate data centers

Summary

Speakers consistently emphasize that resilience comes from having multiple pathways, diverse connections, and redundant systems that can route around failures.

Topics

Infrastructure

Internet infrastructure is inherently international and requires cross-border cooperation

Speakers

– Johannes Theiss
– Petra Arts
– Erica Moret

Arguments

Internet infrastructure inherently involves multiple parties and cannot operate in silos

Fragmentation threatens internet resilience and should be avoided

Cross-border coordination essential for submarine cable repairs and security standards

Summary

All speakers agree that the internet’s fundamental nature as an interconnected global system requires international cooperation and that fragmentation or national silos undermine resilience.

Topics

Infrastructure | Legal and regulatory

Transparency and information sharing during outages helps broader community preparedness

Speakers

– Olaf Kolkman
– Petra Arts

Arguments

Transparent disclosure of dependencies and failures helps others learn and prepare

Cloudflare radar dashboard offers information on internet shutdowns and disruptions

Summary

Both speakers advocate for transparent sharing of outage information and lessons learned to help the broader internet community understand vulnerabilities and improve preparedness.

Topics

Infrastructure | Cybersecurity

Infrastructure | Economic

Unexpected consensus

Balance between national sovereignty and international cooperation

Speakers

– Elise Lindeberg
– Johannes Theiss
– Petra Arts

Arguments

National autonomy and international cooperation must coexist, not conflict

Internet infrastructure inherently involves multiple parties and cannot operate in silos

Fragmentation threatens internet resilience and should be avoided

Explanation

Despite representing different perspectives (national regulator, EU policy maker, and private company), all speakers agreed that national sovereignty concerns and international cooperation are not mutually exclusive but must work in parallel. This consensus is unexpected given typical tensions between sovereignty and globalization in internet governance.

Topics

Infrastructure | Legal and regulatory

Need for government involvement in market-driven infrastructure

Speakers

– Johannes Theiss
– Erica Moret
– Elise Lindeberg

Arguments

EU funding supports cables in areas where business case is not straightforward

Microsoft collaborates with governments on joint risk assessments and best practices

Need for formalized cooperation between regulators and infrastructure owners

Explanation

There was unexpected consensus between EU regulators and private sector representatives that government involvement and public funding are necessary complements to private investment, rather than interference. This suggests a mature understanding that resilience requires both market efficiency and strategic public intervention.

Topics

Infrastructure | Economic | Legal and regulatory

Overall assessment

Summary

The speakers demonstrated remarkable consensus on core principles of internet infrastructure resilience, including the need for public-private cooperation, importance of redundancy and interconnection, value of transparency, and recognition that internet infrastructure is inherently global requiring international coordination.

Consensus level

High level of consensus with strong alignment on fundamental principles. The implications are positive for internet governance, suggesting that despite different organizational perspectives, there is shared understanding of what makes internet infrastructure resilient. This consensus provides a solid foundation for collaborative policy development and implementation of security measures across the public and private sectors.

Differences

Different viewpoints

National autonomy versus international cooperation in internet governance

Speakers

– Elise Lindeberg
– Petra Arts
– Johannes Theiss

Arguments

National autonomy and international cooperation must coexist, not conflict

Fragmentation threatens internet resilience and should be avoided

Internet infrastructure inherently involves multiple parties and cannot operate in silos

Summary

Elise argues that national sovereignty and international cooperation must operate in parallel and are both necessary for democracies dependent on internet infrastructure. Petra and Johannes emphasize that fragmentation is harmful and that the internet’s interconnected nature makes national autonomy approaches fundamentally incompatible with how infrastructure actually functions.

Topics

Infrastructure | Legal and regulatory

Responsibility for communicating outages to end users

Speakers

– Elise Lindeberg
– Anriette Esterhuysen

Arguments

Government should alert users during severe outages while service providers inform their customers

No clear responsibility exists for communicating internet outages to end users

Summary

Elise believes there are existing systems where governments alert users during severe outages and service providers inform customers, making it a shared responsibility. Anriette argues that unlike power outages, there is no clear system for internet outage communication, leaving most users uninformed.

Topics

Infrastructure | Legal and regulatory | Human rights

Unexpected differences

Scope of existing outage communication systems

Speakers

– Elise Lindeberg
– Anriette Esterhuysen

Arguments

Government should alert users during severe outages while service providers inform their customers

No clear responsibility exists for communicating internet outages to end users

Explanation

This disagreement is unexpected because both speakers have extensive experience in internet governance and infrastructure policy, yet they have fundamentally different views on whether adequate communication systems already exist for internet outages. Elise, coming from a regulatory background, believes systems are in place, while Anriette, from civil society, sees a clear gap in user communication.

Topics

Infrastructure | Human rights | Legal and regulatory

Overall assessment

Summary

The main areas of disagreement center on the balance between national sovereignty and international cooperation in internet governance, and the adequacy of existing communication systems during outages. There were also nuanced differences on the role of public versus private sector in maintaining resilience.

Disagreement level

The level of disagreement was relatively low overall, with most speakers sharing common goals of maintaining internet resilience and security. The disagreements were more about approach and emphasis rather than fundamental conflicts. This suggests a mature policy discussion where stakeholders largely agree on objectives but may differ on implementation strategies, which is typical and healthy for complex infrastructure policy discussions.

Partial agreements

Infrastructure | Economic

Takeaways

Key takeaways

Internet resilience requires collaboration between physical infrastructure (data centers, subsea cables) and protocol-level redundancy, with both public and private sectors playing essential roles

The internet’s distributed ‘network of networks’ model remains fundamentally sound, but increasing dependence on cloud services and AI has made physical infrastructure components critically important

Hidden correlation of risks poses significant threats – multiple infrastructure failures can occur simultaneously (e.g., power and internet cables cut by same anchor)

Transparency in outage reporting and sharing lessons learned from failures is crucial for improving overall ecosystem resilience

Interconnection diversity and avoiding fragmentation are more important for resilience than national autonomy or sovereignty approaches

Current communication systems for internet outages to end users are inadequate compared to other utilities like power companies

Investment incentives must balance private sector leadership with public funding for economically unviable but strategically important infrastructure

Resolutions and action items

EU expert group to deliver by end of year: mapping of cable infrastructures, coordinated risk assessment, and cable security toolbox

EU to publish priority list of ‘cable projects of European interest’ under Connecting Europe Facility funding program

Continued development of monitoring technologies like distributed acoustic sensing for submarine cables

European Commission to develop technology roadmap for cutting-edge cable monitoring and detection systems

Ongoing consultation on EU Digital Networks Act regarding peering and interconnection regulations

Implementation of NIS2 directive and critical entities resilience directive to formalize incident reporting between private and public entities

Unresolved issues

No clear framework exists for communicating internet outages to end users, unlike other utilities

Lack of standardized best practices for outage communication across different types of internet service providers

Tension between national digital sovereignty goals and need for international cooperation remains unresolved

Question of who should bear costs for increased security and redundancy measures not definitively answered

How to balance private investment incentives with public funding without crowding out private sector participation

Need for better tools to help governments assess their national internet infrastructure resilience

Challenge of sharing sensitive threat intelligence while maintaining security protocols

Suggested compromises

National sovereignty and international cooperation should coexist rather than conflict – both are necessary for modern internet infrastructure

Public funding should focus on filling gaps where private sector business cases are not viable, rather than replacing private investment

Formalized but flexible frameworks for government-private sector cooperation that respect both security needs and commercial interests

This comment addresses one of the most challenging tensions in modern internet governance – the apparent conflict between national sovereignty and global connectivity. It offers a nuanced perspective that rejects false dichotomies.

Impact

This comment provided a sophisticated resolution to the fragmentation versus cooperation debate that had been building throughout the discussion. It influenced the final tone of the workshop by suggesting that seemingly opposing forces (sovereignty and cooperation) can be reconciled, offering a path forward for policy makers.

Overall assessment

Explanation

He mentioned the challenge of balancing public funding without crowding out private investment, which requires further research into sustainable financing mechanisms for critical infrastructure gaps.

Business Engagement

Dynamic Coalition Collaborative Session

Open Forum #76 Digital Literacy As a Precondition for Achieving Universal a

Session at a glance

Summary

The Nigeria Open Forum, organized by the Nigerian Internet Governance Forum, focused on digital literacy as a precondition for achieving universal access, featuring government officials, policy experts, and international stakeholders. Dr. Ibiso Kingsley-George from the Nigerian Communications Commission moderated the session, which included interventions from Senate and House Committee Chairs on ICT and Cyber Security who emphasized Nigeria’s potential as a digital leader given its 250 million population with 70% youth demographic.

Mr. Kashifu Inuwa Abdullahi, Director General of NITDA (National Information Technology Development Agency), presented Nigeria’s comprehensive Digital Literacy for All initiative, which aims to achieve 95% digital literacy by 2030 and 70% by 2027. The framework includes six competency areas covering device operation, information literacy, content creation, collaboration, safety, and problem-solving. NITDA’s implementation strategy involves three key sectors: informal sector training through NYSC champions who target market women and artisans, formal education curriculum integration from primary to university levels, and public sector capacity building.

International expert Judith Hellerstein emphasized the need for collaborative policy frameworks beyond basic digital access, including cybersecurity policies, data sharing mechanisms, consumer protection laws adapted for the digital era, and infrastructure coordination. She stressed the importance of tracking metrics and enforcement rather than just policy creation. Representatives from Ghana and Liberia’s Internet Governance Forums praised Nigeria’s comprehensive approach as a regional benchmark.

Key challenges identified included bridging the rural-urban digital divide, ensuring affordable device access, and moving from policy formulation to effective implementation. Speakers emphasized the importance of professional teacher development, leveraging social media platforms like TikTok for educational content, and supporting local device manufacturing. The discussion concluded with calls for enhanced collaboration among government agencies, private sector engagement, and continued focus on inclusive access for women, persons with disabilities, and underserved populations to ensure Nigeria’s digital transformation serves as a model for other emerging economies.

Keypoints

## Major Discussion Points:

– **Nigeria’s National Digital Literacy Framework and Implementation Strategy**: NITDA’s comprehensive approach to achieving 95% digital literacy by 2030, including the “Digital Literacy for All” initiative that targets training 50 million Nigerians through collaborative programs with NYSC, formal education curriculum integration, and public sector training.

– **Policy Framework Integration and Multi-Agency Collaboration**: The need for coordinated efforts across government agencies, proper data sharing, enforcement mechanisms, and alignment of digital literacy policies with broader national development goals including cybersecurity, consumer protection, and infrastructure development.

– **Bridging the Rural-Urban Digital Divide**: Strategies to ensure inclusive access focusing on underserved populations including rural communities, women, people with disabilities, and informal sector workers through community-based programs, local language content, and affordable device accessibility.

– **Teacher Development and Educational System Reform**: The critical importance of professional teacher development, integration of digital skills into formal education curricula from elementary through tertiary levels, and collaboration with institutions like Schools of Education and TVET institutes.

– **Regional Collaboration and Scalability**: How Nigeria’s digital literacy model can serve as a blueprint for other West African nations and emerging economies, with emphasis on leveraging social media platforms, community radio, and locally manufactured devices for cost-effective scaling.

## Overall Purpose:

The discussion aimed to examine Nigeria’s digital literacy initiatives as a foundation for achieving universal digital access, exploring how the country’s comprehensive framework could serve as a model for other nations while addressing implementation challenges, policy coordination, and strategies for reaching underserved populations.

## Overall Tone:

The discussion maintained a consistently positive and collaborative tone throughout. Participants demonstrated mutual respect and shared commitment to digital transformation goals. The conversation was highly constructive, with speakers building upon each other’s points rather than challenging them. There was notable enthusiasm about Nigeria’s progress and potential, with international participants expressing admiration for the comprehensive approach. The tone remained professional and solution-oriented, with speakers offering practical recommendations and sharing experiences from their respective expertise areas. The collaborative spirit was evident in the regional participation from Ghana and Liberia, emphasizing West African unity in digital development efforts.

Speakers

**Speakers from the provided list:**

– **Dr. Ibiso Kingsley-George** – Moderator, Nigerian Communications Commission

– **Kashifu Inuwa Abdullahi** – Director General (DG) of National Information Technology Development Agency (NITDA), technocrat with experience in growth management, policy and strategy formulation, IT governance, government relations, talent development, financial regulation and digital transformation

– **Adediji Stanley Olagide** – Honorable, Chairman House Committee on ICT and Cyber Security, represents Oyo State in the House of Representatives of the National Assembly

– **Judith Hellerstein** – Founder and CEO of Hellerstein and Associates, over 30 years of experience in developing policies, regulations, building regulatory capacity, strategy development, broadband build-out, digital government assessment, regulatory reform, competition law, and internet governance issues

– **Yomi Arowosafe** – Secretary, Universal Service Provision Fund, over 26 years of experience in oil and gas and telecommunication, regulatory expert at Nigerian Communications Commission

– **Poncelet Illeleji** – Computer scientist with over 25 years experience, lead of Jokulabs Banju in Gambia, board member of Jokulabs Global Network, consultant for ICT4D, digital learning, Internet governance and health informatics projects in Africa

– **Abdu Karim Oluweidi** – Professor of Wireless Telecommunications, University of Ilona, Nigeria

– **Ebenezer Dari** – Executive Member of the Board of Directors of the Nigerian Internet Registration Association

– **Participant** – Various unidentified participants who made interventions

– **Audience** – Online moderator/facilitator managing online questions and comments

**Additional speakers:**

– **Senator Shwaibu Afolabi Salisu** – Senate Committee Chairman on Cyber Security and ICT

– **Honorable Shola Oye** – Nigerian House of Representatives member

– **Distinguished Senator Dickette Plank** –

– **Honorable Shino Oyedeji** –

– **Mrs. Mary Uduma** –

– **Mr Adesola Akinsanya** –

– **Engr. Kunle Olorundare** –

– **Mr. Ihueze Nwuibilor** –

– **Mr. Kedja** – Representative from Ghana Internet Governance Forum

– **Liberian IGF Representative** – Representative from Liberian Internet Governance Forum

– **Ghana IGF Representative** –

– **Bemisola** – Fellow of the Nigerian School on Internet Governance (online participant)

– **Akimbo** – Vice President of Internet Society, Chief Executive of DNS Africa (online participant)

– **Tino Ade** – Fellow of Nigerian School on Internet Governance (online participant)

Full session report

# Nigeria Open Forum: Digital Literacy as a Precondition for Universal Access

## Discussion Summary

### Introduction and Context

The Nigeria Open Forum, organised by the Nigerian Internet Governance Forum, brought together government officials, policy experts, and international stakeholders to examine digital literacy as a prerequisite for universal digital access. Dr. Ibiso Kingsley-George from the Nigerian Communications Commission moderated the session, which featured interventions from Senate and House Committee Chairs on ICT and Cyber Security who emphasized Nigeria’s potential as a digital leader, given its population of 250 million with 70% comprising youth demographics.

The session experienced some technical difficulties and time constraints that affected certain interventions, with some speakers’ contributions being cut short due to audio issues and scheduling limitations.

### Nigeria’s National Digital Literacy Framework

Mr. Kashifu Inuwa Abdullahi, Director General of the National Information Technology Development Agency (NITDA), presented Nigeria’s Digital Literacy for All initiative, targeting 95% digital literacy by 2030 and 70% by 2027. The framework encompasses six competency areas: device operation, information literacy, content creation, collaboration, safety, and problem-solving, with 23 individual competencies.

NITDA’s implementation strategy employs a “three-bucket approach” across different sectors:

– **Informal sector training**: Utilizing NYSC (National Youth Service Corps) champions to target market women, artisans, and other informal sector workers, aiming to reach 30 million Nigerians over three years

– **Formal education**: Focusing on curriculum integration from primary through university levels, including collaboration with Cisco for university programs

– **Public sector**: Concentrating on capacity building for government employees, working with the Head of Public Service Commission

Abdullahi noted that digital transformation aligns with Nigeria’s economic diversification agenda and supports the Renewed Hope priorities. He emphasized that Africa can position itself as a global talent exporter due to its young, digitally native population, while other regions face aging demographics. He observed that “technology or AI or any technology we think of will replace us as a human. But it will replace the skills we have and the processes we follow to do our work today. So therefore we need to learn, relearn and unlearn how we do things before.”

### International Policy Perspectives

Judith Hellerstein, founder and CEO of Hellerstein and Associates, brought over 30 years of experience in policy development to the discussion. She emphasized the need for comprehensive policy frameworks extending beyond basic digital access, including cybersecurity policies, data sharing mechanisms, consumer protection laws, and infrastructure development strategies.

Hellerstein stressed the importance of tracking metrics and enforcement mechanisms rather than merely creating policy documents. She referenced the Digital Protection Act and highlighted cyberbullying as a significant problem in schools that requires policy attention. Her recommendations included implementing subsidy programs for affordable devices and ensuring that educational curriculum changes begin early in elementary school and build through all educational levels, including trade schools and TVET programs.

She advocated for open regulatory frameworks with affordable licensing schemes to enable different types of networks and infrastructure sharing arrangements, emphasizing the importance of avoiding negative international associations while building digital trust and credibility.

### Regional Participation and Collaboration

Representatives from Ghana and Liberia’s Internet Governance Forums participated in the discussion. The Ghana IGF representative inquired about strategies for energizing youth participation in digital literacy conversations and providing them with basic tools to begin their digital journey. The Liberian IGF representative contributed perspectives on cross-border collaboration and shared challenges facing West African nations in digital transformation efforts.

### Educational Integration and Teacher Development

Oluyomi Arawu-Shafer, Secretary of the Universal Service Provision Fund, emphasized that digital literacy initiatives should focus on tiered approaches building foundational skills through community-based programs, including computer laboratories and emerging technology centers. He stressed the importance of internship programs, job placement initiatives, and innovation hubs including hackathons and boot camps for youth digital economy readiness.

Poncelet Illeleji, a computer scientist leading Jokulabs Banju in Gambia, made significant contributions regarding teacher development. He argued that professional teacher development represents the crucial foundation for successful digital literacy implementation, requiring specific programs involving Schools of Education and TVET institutes to address the rural-urban digital divide. He referenced “the late Professor Kwasi” who cautioned that one should “torture the data and it will confess to anything,” emphasizing the need for genuine metrics in policy evaluation.

Illeleji recommended adopting the UNESCO ICT competency framework for teachers based on open educational resources and working with technology communities to manufacture low-cost devices locally.

### Digital Engagement and Social Media Platforms

Illeleji presented striking data about existing digital engagement in Nigeria: 37 million Nigerians actively use TikTok (approximately 15% of the population), while the entire West African region has about 41 million TikTok users. This data challenged assumptions about digital literacy deficits, demonstrating substantial digital engagement already exists within the population.

This led to discussions about leveraging existing digital behaviors for educational purposes, with Illeleji advocating for using social media platforms like TikTok to deliver educational content. He also emphasized that traditional media channels, particularly community radios, remain powerful tools for reaching populations with digital literacy programs.

### Addressing Digital Divides and Implementation Challenges

Adedeji Stanley-Olajide, Chairman of the House Committee on ICT and Cyber Security, highlighted the wide digital divide existing in Nigeria and across Africa, requiring targeted interventions for underserved populations. Multiple speakers emphasized the need for inclusive access for rural populations, women, people with disabilities, and underserved youth.

Online participants raised concerns about device accessibility and closing the device gap, particularly given cost barriers and Nigeria’s limited domestic device production capacity. The discussion revealed the tension between digital literacy aspirations and practical barriers preventing citizens from accessing necessary tools for digital participation.

### Domain Name Integration and Digital Infrastructure

Ebenezer Dari, Executive Member of the Board of Directors of the Nigerian Internet Registration Association, introduced perspectives on integrating domain name sector collaboration with digital literacy promotion. He suggested enforcing .ng domain usage for businesses conducting government work, mentioning collaboration with the CAC (Corporate Affairs Commission) as a mechanism for promoting digital literacy across sectors.

### Key Challenges and Unresolved Questions

Several critical implementation questions emerged from the discussion:

**Measurement and Accountability**: Online participant Tino Ade, a fellow of the Nigerian School on Internet Governance, emphasized that “what gets measured is what gets done,” highlighting the gap between policy formulation and effective implementation.

**Funding and Sustainability**: Specific funding mechanisms and budget allocations for scaling digital literacy initiatives require further development, particularly regarding the sustainability of volunteer-based models like the NYSC champion approach.

**Inter-agency Coordination**: Detailed coordination mechanisms between multiple government agencies need further development to avoid duplication and ensure effective collaboration.

**Device Accessibility**: The challenge of making devices affordable and accessible remains significant, with various approaches suggested including subsidy programs and local manufacturing partnerships.

### Statistical Context

During the discussion, a Senator mentioned that “Out of every ten FinTech from Africa, seven are from Nigeria,” illustrating Nigeria’s existing digital economy presence, though this was presented as a general observation rather than verified statistical data.

### Conclusion

The forum demonstrated stakeholder alignment on strategic priorities while acknowledging significant implementation challenges. The discussion evolved from policy presentations to examination of practical implementation requirements, emphasizing the need to move from policy documentation to measurable outcomes with inclusive approaches that reach underserved populations.

The integration of international best practices with locally adapted solutions, combined with recognition of existing digital engagement among Nigerian youth, provides a foundation for program development. However, success will depend on addressing the identified challenges around measurement, coordination, funding, and device accessibility while building on Nigeria’s demographic advantages and existing digital behaviors.

Session transcript

Dr. Ibiso Kingsley-George: Good morning everyone and welcome to the Nigeria Open Forum organized by the Nigeria Internet Governance Forum. On behalf of the Nigerian Internet Governance Forum, I will be moderating this session on digital literacy as a precondition for achieving universal access. My name is Dr. Ibiso Kingsley-George from the Nigerian Communications Commission. With me today we will have the DG Nitida, Mr. Kashifu Inua Abdullahi to make a lead presentation, after which he will give some interventions and the rest of the panelists will also make comments. Before we commence, we have some dignitaries with us. We have here with us the Senate Committee Chairman on Cyber Security and ICT, Senator Shwaibu Afolabi Salisu. He will make an intervention and we also have the House Committee Chair on ICT and Cyber Security, Honorable Adediji Stanley Olagide. We would like them to just give us some encouragement before we proceed with the session. Thank you.

Participant: Good morning all. I am extremely delighted to be here and to convey the goodwill and best wishes of the Nigerian Senate Committee on ICT and Cyber Security. It is particularly interesting that we are talking about digital literacy as a precondition for Universal AU and DER. This topic is relevant and that the Father of Nigeria discussing this at a UN global event on IGF even makes it more interesting. For so long, Nigeria has been known for our national resources, after all, our oil powers, the global economy. But in recent times, Nigeria is also known for the skills and expertise of its citizens. We gave the world something to share about in terms of our movies. Out of every ten FinTech from Africa, seven are from Nigeria. And our financial institutions are all over, not just Africa but globally. Now we are talking about digital literacy, we are talking about digital economy. We are a country of over 250 million people, 70% of which are youth. This puts us in an advantaged position to leverage the powers of technology, not only for development of our country but also to be a leading member of the international community. Therefore, I would like to encourage us to have these conversations and also recognize that much as the government is putting together a number of initiatives for digital literacy, we need to also get the private sector to come with initiatives that will leverage our local languages.

Dr. Ibiso Kingsley-George: Thank you very much, Distinguished Senator. We will now have an intervention from the Chairman, House Committee on Cyber Security, ICT and Cyber Security, sorry, Honorable Adedeji Stanley-Olajide. Thank you.

Adediji Stanley Olagide: Very good morning to you all. I remain Honorable Adedeji Stanley-Olajide. I represent Oyo State in the House of Representatives of the National Assembly. I bring you warm greetings. I think when we’re talking about digital literacy, it’s all about how do we bring technology close and close the gap. The digital divide in Nigeria, it’s so wide, and all across Africa actually is not only Nigeria. So how do we bridge this gap? And I believe with the discourse that we’re having in this forum, we can’t do just that. We understand technology is here to stay. Nigeria has adopted technology. We’ll continue to do the best we can. We’ll continue to make all the right laws to make sure that all of our citizens, that nobody, because we still have a huge amount of our population living in the rural area, and in order for us to close Munanu, Dr. Neweu Coronaq II, and Emma Sen DES tablet, Trient Warden assure Chole will be joining us for this frakt imaging training program.

Dr. Ibiso Kingsley-George: First I’m going to introduce Nelson and him started in Nigeria. 飄 shift will combine with Babita Laos British Awareness Awareness website. Which will be providing students from different of the Nigerian, of the National Information Technology Development Agency, popularly known as NITDA, to give us his presentation. Mr. Abdullahi is a technocrat with substantial experience in growth management, policy and strategy formulation, IT governance and government relations, talent development, financial regulation and digital transformation. We are clearly going to hear from an expert today on the Digital Literacy for All project, which is a pet project of NITDA. Thank you.

Kashifu Inuwa Abdullahi: Okay. Thank you very much and thank you for having me. The Chairman Senate Committee on ICT and Cyber Security, the Chairman House Committee on ICT and Cyber Security, distinguished guests, good morning. In a world where digital is a lifestyle, we can never exaggerate the importance of digital literacy because we all need to develop our digital fluency to navigate the world we live today. So in Nigeria, we started our journey very early to digital literacy. In 2021, we developed our national IT policy and the same year in April, NITDA was established to implement National IT Policy. In 2027, NIDA Act was passed into law, and the policy main objective was to get Nigerians to use IT, because as of 2021, less than 500,000 Nigerians had access to computer, and ICT was contributing less than 0.05% to our GDP. In 2012, a new policy was developed, which is focused more on ICT, not just IT, so that people can start using technology not just for their day-to-day activities, but even to communicate between government officials, government to citizens, and private to government. Then in 2019, a new policy was developed, the National Digital Economy Policy, which was a major shift from just getting people to use technology, but getting people to use technology for economic activities. Then NIDA developed the Strategic Roadmap and Action Plan in 2021, and in 2023, renewed Hope, the Mr. President, on assuming duty, he made it clear that economic diversification and inclusivity are paramount to his administration’s renewed Hope agenda. So the President outlined eight key priorities to achieve this vision, with priority number seven specifically focused on accelerating diversification through industrialization, digitization, creative art, innovation, and manufacturing. These are Mr. President’s Renewed Hope Agenda, the eight points. If you look at them, they all focus on reforming the country. And today we live in a world where every organization is a tech organization. No organization today that do not use IT. And every industry is becoming digital today. Therefore, digital can help Mr. President to achieve the eight point areas. Then the ministry blueprint has five pillars, with knowledge as the first pillar. Because knowledge is the foundation upon which countries build robust and sustainable economy. Then at NIDA, our strategic roadmap and action plan has eight strategic pillars. The first one is to foster digital literacy and cultivate talent. Because digital literacy is something that we must give priority in this era. Everything we do is about digital. Therefore, we need to develop our digital fluency and we need to get all our citizens to be able to use technology safely and responsibly. The second pillar is about building a robust technology research ecosystem, because digital Tracey and talents are quick wins, but for the future, we need to invest in deep tech research. Because according to Conferi, by 2030, there would be 85 million talent deficit globally, which if left unaddressed could result to $8.5 trillion in unrealized annual revenue. So Nigeria and Africa, we can position ourselves as a global talent net exporter, because most of the part of the world are suffering from aging, while we have a very young and digitally native population. Then the third pillar is about promoting inclusive access to digital services and infrastructure. Therefore, this also aligns with Mr. President’s priority on inclusivity. We need to get every Nigerian to have access to digital devices and services. Sorry, that’s the fourth pillar. The third one is on strengthening policy implementation and legal framework, because we need to enable the playing field for our citizens to build both the digital literacy content and digital offerings that will digitize Nigeria. Then we have a pillar also on cybersecurity and digital trust, because as we digitize, we need to also build confidence in our citizens to use the technology. And we have a pillar on nurturing innovative and entrepreneurial ecosystem. After training people, they need to be able to come up with services that will help Nigeria build its own digital offering and achieve our digital sovereignty. Creating an agile workforce and organizational culture that everybody should be able to transform. How can we come up with a job evolution within our organization, within government, that can help people to be ready for the future work? Because we have this fear that technology is going to replace or displace us. But I don’t think technology or AI or any technology we think of will replace us as a human. But it will replace the skills we have and the processes we follow to do our work today. So therefore we need to learn, relearn and unlearn how we do things before. If you want to download the Strategic Roadmap and Action Plan, you can scan the QR code to get it online. Because it is a comprehensive document that helps us to orchestrate our digital journey. So based on the first pillar of our Strategic Roadmap and Action Plan, which focuses on fostering digital literacy and cultivating talent, we developed the National Digital Literacy Framework with an ambitious target of achieving 95% digital literacy by Dr. Ibiso Kingsley-George, Mrs. Mary Uduma, Mr Adesola Akinsanya, Engr. Kunle Olorundare Dr. Ibiso Kingsley-George, Mrs. Mary Uduma, Mr Adesola Akinsanya, Engr. Kunle Olorundare Dr. Ibiso Kingsley-George, Mrs. Mary Uduma, Mr Adesola Akinsanya, Engr. Kunle Olorundare Dr. Ibiso Kingsley-George, Mrs. Mary Uduma, Mr Adesola Akinsanya, Engr. Kunle Olorundare Dr. Ibiso Kingsley-George, Mrs. Mary Uduma, Mr Adesola Akinsanya, Engr. Kunle Olorundare The Digital Literacy Framework has six competency areas and 23 individual competencies. Our target is to build our citizens’ digital fluency on device and software operation and information and data literacy, content creation, collaboration and communication, safety and problem solving. So these competency areas are key for you to use digital literacy or digital services safely and responsibly. And the framework was built based on the DIGICOM Framework, which is an EU digital literacy framework and the UNESCO Digital Literacy Framework. So we use these two frameworks and crafted our own national digital literacy framework based on our need as a country. We have an implementation strategy for the framework, which we call a digital literacy for all. The target is achieving 95% digital literacy level by 2030. Then we have a mid-term target of achieving 70% by 2027. So we are implementing this initiative in three buckets. We’ve done the assessment to know where we are to establish the baseline. The only available report we were able to use to establish that was a report from the World Bank, Data for Better Lives 2021. Based on that report, Nigeria… and Mr Adesola Akinsanya. We have looked at what has been done between 2021 to 2024 and government intervention and we extrapolated that. We have added about six points. Therefore, as of 2024, our baseline was 50%. Then to achieve 70% of the population, at least we need to train 50 million Nigerians to achieve that. Therefore, we have the initiatives in three buckets. The first one is our informal sector, which is the most exclusive in terms of digital literacy. They are the ones that also suffer the most. They are the ones that also suffer the most when it comes to cybersecurity breaches. To achieve that, we came up with a participatory and collaborative framework, which we work with the NYSC. It is a program, a scheme in Nigeria, whereby every graduate does a one-year service. The NYSC has six batches, six streams in a year. It runs across 36 states, 774 local governments in Nigeria. We design an initiative whereby we recruit 80 champions in every stream. If you take in a state, you have 80 times six streams, which will give you 460 champions in a year. When you multiply 460 champions in a year, you get 17,760 champions in a year. We have a target for each champion to have at least two, three, four, five, six, seven, eight, ten, 12,000 champions. We have a target of increasing the number of champions every year. We have a target of increasing the number of champions every year. to train two Nigerians on a basic digital literacy, which will give you, at the end of month, our average is for every champion to train 60 Nigerians on a basic digital literacy. And in a year, we have an average target of 600. When you multiply 17,760 by 600, you get 10,600,000 plus in a year. So over a three-year period, we want at least to train 30 million Nigerians on a basic digital literacy. Those champions, they go to marketplaces to train market women, to train motor park workers, artisans. They go to our religious places and meet our senior citizens to train them on basic digital literacy. Then we also have the formal sector, the formal education, where we worked with the Minister of Education. We’ve developed the content for digital literacy and curriculum for primary and secondary school, which has been approved by the Council of Education. Now the next stage is to train our teachers on how to start teaching digital literacy in our formal education. For universities, we have done a pilot with Nassau State University in collaboration with Cisco. Cisco built content for us based on the NDLF and the content has been put online where students can take those courses. They get Cisco certification as well as earn credit units for their degree program. So this has become a general studies in the Nassau State University and we are working

Dr. Ibiso Kingsley-George: Extensive presentation that has actually given us the answers that we require because we wanted to know how can Nigeria’s digital literacy for all model serve as a blueprint for other nations in structuring cost-effective digital literacy initiatives that reach underserved informal populations. And I think what you have done here, you have spoken about a national agenda, a global alignment, proper implementation strategies, collaborative engagement with other agency, robust research, the advantage of a youthful population that you believe that Africa should take advantage of to grow its digital transformation journey, participatory and collaborative framework including the youths in your policymaking and in driving the programs, and revamping the curriculum of formal education by embedding digital literacy, working with the Ministry of Education and its subsidiary agencies, and also working with with the head of the Public Service Commission to ensure that every public servant is digitally literate. Thank you very much, sir. On that note, I’d like to move to policy question two. And Ms. Judith Hellerstein is sitting to my right, is the founder and CEO of Hellerstein and Associates. She has over 30 years of experience in developing policies, regulations, building regulatory capacity, strategy development, broadband build-out, digital government assessment, regulatory reform, competition law, and on internet governance issues. She will be giving us insights because she has worked with various governments and regulatory agencies and has also been a policymaker in the United States. She will be giving us insights and responding to some of the steps that Nigeria has taken and probably giving us insights on other possibilities that we could look at as a country. Thank you. Ms. Judith, you have the floor.

Judith Hellerstein: Thanks so much. And thanks so much to my dear friend, Mary Uduma, who invited me to this panel. So I was given the task to talk about the different policy and regulatory frameworks as well as international collaborations to manage, to ensure affordable and inclusive digital access. So when we first look at the land stream, we need to look at, first of all, are the correct policy frameworks in place? Not only looking at whether there’s a UAS policy, a broadband policy, but we need to look broader. We need to look at, especially with the onset of everything digital, We need to be working collaboratively within the region and with others on cyber security policy and cyber crime issues because we are all one nation. We don’t want Nigeria to be known as the king of spam. We want Nigeria to be known for all those five pillars that they were talking about and all the work you’ve been doing on affordable access. So we need to look at the most important policies on meaningful connectivity. And by that, we mean not only is access affordable, but it’s also what percentage of the population have smart devices and can actually do their work independently. And with that, I love the discussion of the pillars because you wanted it. You were breaking it down between gender, persons with disabilities and other areas so we could track. Many of the problems we find in countries is that while they may have a policy, there’s no enforcement because they don’t have the metrics behind it. So when you’re thinking of what, if you’re looking at a broadband plan and how you’re going to do about it, you should not just focus on the plan aspect, you should focus on how it could be a strategic framework to tie in all those pillars together and then how the objectives could be built in so that you could have metrics to track how well you’re doing so that you could re-steer the country a different way if the metrics are not coming out correctly. But to do that, you need to have the data. And so you have to work with other agencies within the country to get the data to match your objectives. And with that, most of this data is often tracked, like they track how many cell phones and how many other ones that they don’t. and Mr Adesola Akinsanya, Mrs. Mary Uduma, Mr Adesola Akinsanya, Engr. Kunle Olorundare and Mr. Ihueze Nwuibilor, we need to address our connectivity policy, we need to track the affordability, we need to track digital government, we need to track all those different items, digital economy, that make up the digital economy and that we all work together. So some of the frameworks that you may be looking at besides the cyber security ones that you have and the cyber crime, but also a dig ones policy. So basically those are very important because every time there’s roads are being built in rural areas or other areas, we need to lay down fiber. So we need a coordinated effort within all the areas, rural provinces and other local governments in Nigeria that when the roads are being put out for like building roads, or building electricity, fiber is put down. We need, as we’re doing much of the digital government, digital transformation relies upon sharing of data. And while you have a Digital Protection Act, do we have data sharing with each agency and also work with agencies to overcome the cultural issues? You may have a perfect plan on paper, but if it’s not being implemented correctly, if other agencies… are not tracking this information. They say, oh, well, we are doing it differently. We’ve always been doing it this way, and it’s a better way. Well, we need everyone to be working together because if, until we have a collaborative effort, we’re not going to have an easy wheel in doing it. Other policies, consumer protections. When we have the, we had different protections for consumers when we were in a non-broadband world, but a non-digital world. But the problem is many of these same laws that protect the consumers are not brought into the digital era. So besides misinformation and disinformation, cyberbullying is a big problem in the schools. We have a lot of issues of child protection. We have a lot of issues of consumer protection, how consumers are prevented against fraud and against misrepresentation. We also have how the children are protected, not just for online safety, but identity fraud, because children and teens are the most apt for identity fraud, and then they cannot become productive members of society later when they have been hacked and all their identity has been stolen. So they have to be sort of looked at with that eye. So you have to look at so many different areas. Lastly, I want to touch on the regulatory scheme. We need an open regulatory framework. We need to have licensing for open licensing. We need to not only, what we want to get, the goal is to get connectivity in all parts of the country. And to do that, we need to rely on different types of networks, not just mobile networks or fixed networks. But do we have an infrastructure? Do we have spectrum like? and Mr Adesola Akinsanya, Mrs. Mary Uduma, Mr Adesola Akinsanya, Engr. Kunle Olorundare. You can easily get licenses without a high cost, or of no cost, so they can share, so they can cover these areas. And then as they grow, then we look at different licensing frameworks. So those are some of the things that we need to address, and I can be talking on this for a long time, but I’m just giving you certain frameworks that we do need to address on these issues.

Dr. Ibiso Kingsley-George: Thank you so much, Judith. My take from your presentation. Policymaking shouldn’t stop at policymaking. There should be collaboration to drive policymaking, collaboration across government agencies, data sharing, reviewing existing laws to ensure that they cover the digital era. Tracking of efforts to ensure that all stakeholders work together. And then, of course, robust cybersecurity engagement and implementation of cybersecurity policies and laws to protect Nigerians, as well as changing perception that would say that this is the spam capital of the world.

Judith Hellerstein: And I would be remiss if I didn’t talk about the efforts of education in providing ICT training in the schools. We need to change the education curriculum. We need to focus on how do we teach digital literacy. and Mr Adesola Akinsanya. We have a lot of students who are coming from Nigeria. We need to build literacy to kids. And we start, it’s not too late to start in elementary school, but we need to start in elementary, then build it up into the latter school so that we create the background for the students to take later jobs because our engineers are coming from Nigeria. We need to build them up. We need the education to start early. Some people may not go to a traditional tertiary education. They may go to a trade school. They may go to other places, but we need to make sure that in all these academies, we’re building up the digital skills that are necessary for the workforce.

Dr. Ibiso Kingsley-George: Thank you very much, Judith. To take our next intervention would be Mr. Oluyomi Arawu-Shafer, the Secretary, Universal Service Provision Fund. He has over 26 years of experience spanning oil and gas and telecommunication, a seasoned project manager. He has spent the last 18 years serving in various capacities as a regulatory expert at the Nigerian Communications Commission, including universal service and access, licensing, project management, compliance, monitoring and enforcement, consumer affairs, and stakeholder management. He will be responding to the question on what strategies can policymakers adopt to bridge the gap between basic digital literacy and advanced technological skills development, ensuring workforce readiness for the digital economy. As earlier stated by the DG NITDA, there are digital literacy policies and interventions across most of the sectors within the communications industry. One of the things that they have done in NITDA is to try to harness and try to collaborate amongst themselves. Mr. Oluyomi Arawu-Shafer will be sharing insights with his experience at the Universal Service Provision Fund, as well as within the NCC. Thank you.

Yomi Arowosafe: Thank you very much. Distinguished Senator and the Honorable Chair Committee and the DG Nidda distinguished guests and co-panelists. Thank you very much for giving me this opportunity. I’m delighted to present on this issue. And just to go straight, for want of time, to bridge the gap between basic digital literacy and advanced technological skills, policymakers are enjoined to adopt a tiered approach that builds foundational skills through community-based programs. And we have something similar in the Universal Service Provision Fund, which we call for the computer laboratories, like the Digital Nigerian Center, the TIDC, and other computer laboratories. And these are like low-end to help develop and to upscale and to, it can now lead to a program that we have called Emerging Technology Center. So this kind of programs help to upscale and help for workers to develop their readiness for digital economy. Other areas that we can look at is to ensure inclusive access, focusing on rural access, women, people living with a disability, and underserved youth. There should be concerted effort towards looking at policies that will encourage or ensure inclusiveness in these areas that I just mentioned. And at the same time, to integrate digital skills into our formal educational system. Some of our educational system needs to now have some digital skills embedded in the system to encourage people, the students, to have some basic knowledge that will now improve and develop. Dr. Ibiso Kingsley-George, Mrs. Mary Uduma, Mr Adesola Akinsanya, Engr. Kunle Olorundare Dr. Ibiso Kingsley-George, Mrs. Mary Uduma, Mr Adesola Akinsanya, Engr. Kunle Olorundare and Access to Digital Tools will help create a pipeline of digitally competent citizens equipped for the demands of the evolving digital landscape. Then the offer of internship, job placement and co-finance innovation hubs, hackathons and boot camps. These are some kind of engagements that brings up the youthful population to help get them engaged and to help them in the readiness for digital economy. So policies, concerted policies should be put in place in these areas to support the digital economy in this area. So I think at this point, I will just put this.

Dr. Ibiso Kingsley-George: Thank you very much, Mr. Arouf Shafie. On this note, I’d like to go to our next speaker. Just a minute, please. I’d like to go to our next speaker, Mr. Poncilet Ileleji. He is a computer scientist with over 25 years experience. He has been involved with the use of ICT as a tool for sustainable development, both as the lead of Jokulabs Banju in Gambia, and he’s also on the board of Jokulabs Global Network. He has also served as consultant for several projects in Africa, covering areas such as ICT4D, digital learning, Internet governance and health informatics. Today, Mr. Ileleji. would be giving his voice by responding to, by telling us how national digital literacy initiatives can be scaled, can cost-effectively be scaled up while maintaining quality and ensuring measurable impact. Mr. Ileleji, you have the floor. Thank you.

Poncelet Illeleji: Thank you very much, Madam Moderator. Good morning all, all protocols duly observed. If we look at all the presentations today, especially, even the introductions from the Honorable Senator and the Honorable Member of House and the DG Director General, NITDA Director General, everything reflects on policy and you have to move all this policy frameworks into implementation. But it’s one thing the late Professor Kwasi said, he said, torture the data and it will confess to anything. Let us take the Nigerian scenario this way. 37 million Nigerians are on TikTok. That is about 15% of the population. In the whole of West Africa, you have about 41 million people on TikTok. So you can imagine out of that 41 million, 37 million on TikTok in Nigeria, you know, and it just shows what is being done and how the average Nigerian appreciates digital literacy with all the policies being put in place. But to drive these policies being put in place, one of the core essence is professional teachers development. I believe that NIDDA should have to have programs that will directly involve the School of Education and the Tibet Institutes. So modules should be developed for them because at the end of the day, the disparities that exist between rural and urban Nigeria is so large that an average teacher in most parts of Nigeria, in rural Nigeria, might not have the right digital literacy skills to be able to compete on an equal level playing field with a teacher in maybe one of your big cities, Abuja, Lagos, Ibadan, and stuff like that. So it’s very important NIDA has these grassroots initiatives that will be able to take those policies down to the grassroots, focusing on teachers. And with all the policy frameworks you’ve learned from, UNESCO has a very good, UNESCO has the ICT competency framework for teachers based on open educational resources. And this is what that model can be used because they are all open educational resources that NIDA can be able to use to put it on their platform. There will be a learning platform and work with the Ministry of Education to be able to roll out EduTech tools that will help teachers at the training level, at the school of training, and also TVET education. We should also note that when we look at the overall what NIDA is doing in terms of working with various stakeholders in the country, you have by 2027, you want to get 70% of Nigerians to be digitally literate. By 2030, you want to get up to 95%. When you look at all what you’re trying to do, and you look at the African Union Digital Transformation Strategy, Imagine having video content on digital literacy on TikTok. You already know that you get 37 million people following you and more. So we have to be able to use those social media platforms which the youths of Nigeria really follow to put educational content out there. We have to also walk with already existing, because despite my computer science background, I’m still a traditionalist. I believe in the power of community radios. You go around the BBC, they have the BBC house service, for example. You know, digital literacy programs can be rolled out through all these, whether it’s BBC or local community radios, because everybody still likes to listen to a traditional radio. So these are things we can do to improve this setting. And the last word I will say is that most of our hardware are still imported. We have to also look at working with our tech communities to try to see how we can be manufacturing low-cost devices so that the average person can be able to have those devices to access all these resources that will improve their lives in line with our digital transformation strategy of the African Union. Thank you very much.

Dr. Ibiso Kingsley-George: Thank you very much, Mr. Ileleji. He has asked us to move from policy to action. Professional teacher development to reduce rural-urban divide, digital divide. Adoption of the UNESCO ICT competency framework for teachers. Proper alignment. He is happy to note that the Nigerian framework is properly aligned with the African Union framework. The use of social media to push digital literacy trainings as well. And then work with tech communities to promote the manufacture of locally made devices. At this point, we would invite a two-minute intervention from Mr. Kedja from the Ghana Internet Governance Forum. I don’t know if there’s someone from the Liberian Internet Governance Forum here. We also have a speaker from the Liberian Internet Governance Forum. I think I’ll take the Liberian Internet Governance Forum first because he would be responding to how Nigeria’s approach to digital literacy implementation informed global policymaking on sustainable and inclusive digital transformation, particularly in emerging economies. Please, this intervention should be limited to two minutes each. Thank you.

Participant: Okay, thank you so much. And thanks to the senator and then the honorable as well as the DG for the brilliant presentation on Nigeria so far. And for one of the interventions I think I can present right now is the road map the DG presented. I see it’s a very comprehensive road map. In terms of emerging economies, Nigeria is already ahead of every country within the West African region in terms of digital literacy, in terms of issues of digital transformation. For what I see is a more way to and Mr Adesola Akinsanya. We believe that the digital literacy is important to ensure that we do these policies are domesticated. Beyond the normal big cities in Nigeria, we know of the bigger ones of Lagos and Abuja and the rest. We believe that a holistic approach to other cities outside the normal one is also key to this. And I think that to ensure digital literacy, we need to ensure that we have a holistic approach to the digital literacy. And I think the data will help to see what is being targeted in terms of this road map as well is also key to be achieved. So not much to say, we from Liberia are always looking at what countries like Nigeria is doing, because we believe that it has a benchmark in terms of policymaking. So we believe that the digital literacy is important to ensure that we have a holistic approach to the digital literacy. And we believe that the data will help to see what is being targeted in terms of this road map as well is also key to be achieved in due course. So this is my submission for now.

Dr. Ibiso Kingsley-George: Thank you very much, Liberia IGF. We will now have the speaker from Ghana IGF, and he would particularly be amazed by these microphones because wanna strive to reduce your insecurity and control on digital literacy.

Participant: We have got a number of people from Ghana today, many will ask why Ghana is on this platform to speak on Nigerian matters. I’ve always said we are cousins and I will borrow Sally Suw. Thank you to both of you for making time for the day. I’d like to welcome the panel and I’m Lorraine Pratt for having me. We’ve got a lot of questions and these discussions are quite interrelated. Youth. How do we energize the youth to be part of this conversation? This conversation takes different dimensions and shapes and different colors. How do we energize them in terms of even basic tools to get their start? Talking about affordability of the internet and also policy communication. They say in public administration, perception is always seen as the obvious. Many youth perceive that, after all, I get into digital literacy, work readiness. The DJ laid a wonderful foundation. I mean, during the presentation, it captures very comprehensive, but the implementation. I envisage West Africa, where we are powerhouse when it comes to digital literacy, leading the force. We’ve seen the fintech companies in Nigeria, Money Point, Kooda, or Pay. Similarly, we could just bring our energies together. And I’d like to quote also Chinua Achebe, who we all read during our formative years too. He said, God loves ordinary people. That has created many of us. So let’s pull our energies together so that we can just push all this digital literacy conversation forward. Thank you very much.

Dr. Ibiso Kingsley-George: Thank you, Mr. Keja from the Ghana IGF. We will open the floor for another five minutes, both to online participants and our audience in the room. Each intervention, we’re going to take two from the room, and if there’s anyone online, that’s fine. But please, this has to be limited to two minutes each, not above two minutes.

Abdu Karim Oluweidi: Okay. Thank you very much. Dr. Abdu Karim Oluweidi, Professor of Wireless Telecommunications, University of Ilona, Nigeria

Ebenezer Dari: My name is Ebenezer Dari, I’m an Executive Member of the Board of Directors of the Nigerian Internet Registration Association. I was expecting to see how the NIDA digital framework plans to collaborate with the domain name sector. In promoting the digital literacy for Nigerians across all the sectors mentioned by the DG. So I know there’s a conversation going on with the CAC now on how to make sure that every organization, every business is registered as a .ng domain name. But I want it to become a reality beyond just the regular conversation and also enforcing existing businesses, doing existing organizations, doing businesses with the government to make sure that they are on .ng to promote the digital literacy. Thank you very much.

Dr. Ibiso Kingsley-George: Thank you very much for that intervention. We will go online now, please.

Audience: Hello, testing. Okay. All right. Thank you very much, Madam Moderator. So the online has been buzzing ever since we started this session. And as a matter of fact, there are a lot of comments and questions. So first, I will quickly go through the comments for our panelists to listen to and probably maybe react to them. And of course, I’ll go through the questions. Then after that, we’ll give the floor to somebody from online to, you know, to hear himself or herself, depending on how much time we have, probably one person or two persons. Mr. Moderator. All right. Thank you.

Dr. Ibiso Kingsley-George: Mr. Moderator, sorry. Yes. We have only nine minutes. So for online, I think we’ll take only three minutes. Okay. All right. So let me quickly go through the comments.

Audience: Thank you. Bemisola, who is a fellow of the Nigerian School on Internet Governance, made mention of the fact that there is need for us to ensure enforcement while we are implementing. And she also talked about multi-stakeholders approach. Then Akimbo, who doubles as the vice president of Internet Society, that is the chief executive of DNS Africa, noted that the effort, I mean, efforts should be collaborative. Then Tino Ade, who is also a fellow of Nigerian School on and Mrs. Mary Uduma. The first question on Internet Governance says this. I want to quote her because this is quite catchy. What gets measured is what gets done. Tracking performance metrics. Moving from policy on paper to enforcement. That’s what she said. Then there are questions. The second audience member did not say anything. I said I would like to increase the volume today. But because we are running out of time, let me take a snap chic bag to a small bakery to go get aapons and mellows to take to my lectures tonight. Let me share this bond. Thank you, Martha, for the opportunity. And for speaking with us and for engaging people in unstructured settings, such as the market women, out-of-school youth, streets vendors, among others, and improve their digital literacy. And the last question posted online is this. Infrastructure sorted. Literacy education achieved. How do we plan to close the divide of device gap, device gap, especially because of cost of ownership? Annette Bloss. We don’t produce most of these devices. What can be done? So I’m quoting verbatim because I just copied the question. I don’t want to add my own words. Thank you very much, Madam Moderator.

Dr. Ibiso Kingsley-George: Thank you. So Mr. Elilijie and the Speaker from Ghana IGF.

Poncelet Illeleji: I want to respond to the professor that spoke from, I think, University of Illinois. One thing I would like to say is that the majority of the content produced on TikTok, forget content that relates to entertainment or culture. Most of them are educational. And you have a lot of young Nigerians that have created different content. And this is evidence-based from business coaching to learning mathematics. There’s a Nigerian I met some years ago in Hong Kong that teaches foreigners who come to China how to speak Chinese with over one million followers just learning Chinese subscribed. And the conventional wisdom to say today education has involved being a son of a mathematician and knowing how education has evolved, whereby even big tech companies are not looking at first degrees necessary. It’s more about skill sets. And that is what NIDA is trying to do, giving competencies in digital literacy that will have a ripple effect. My last thing I will say on this, during the COVID period in the Gambia, we trained my innovation hub, we trained market women how to use social media to sell their items. People who were selling fish have stopped selling fish conventionally. All they do, they just use even WhatsApp messages to market their products and they are doing very well. So we have to get out of that notion that it’s only the academically Inclined that can be successful. Most of the most successful people today most parts of Africa are from the informal sector and with digital skills you were up there again. Thank you.

Judith Hellerstein: Thank you. Thank you. Mr Elidji very quickly just in 30 seconds, Judith. Yes, and I wanted to answer some of the questions that were paced by our online Viewers as I mentioned in the presentation it is for the The affordable devices are extremely important a lot of the work can be done with the UAS fund in having that support subsidies for affordable devices, but also working with other communities in Nonprofit and others to give affordable devices or affordable Computers or other things doing subsidy programs because that is where you can do it but unless you have the these subsidy programs need to be backed up by data if you could show what the impact of giving away these subsidies and devices to people we can then see how it led to Affordability and how it led to that and then these can thank you.

Dr. Ibiso Kingsley-George: Thank you, Judith. Thank you, Judith. I Don’t know we have just three minutes to close and I think we should actually be summarizing what we have Heard today and I’m going to do that in less than a minute before I do that I’d like to recognize the presence of Honorable Shola Oye from the Nigerian House of Representatives With That I’d like to just state that we’ve had a very robust conversation To this end, I’ll say that the panelists as well as the audience and the online interventions have come from a position of speaking on policy making, policy implementation, robust policy implementation, research, carrying the youths along, ensuring local content through making affordable devices available, and then collaboration amongst agencies and with the different populations of demographics of our population, the women, the people living with disabilities, and all others. Okay, I would like to also would like to recognize the presence of Distinguished Senator Dickette Plank and also Honorable Shino Oyedeji. Thank you very much, sirs, for joining. On that note, I’d like to call it a day and I’d like to say thank you very much to all our panelists.

Kashifu Inuwa Abdullahi

Speech speed

115 words per minute

Speech length

1599 words

Speech time

827 seconds

Nigeria developed a National Digital Literacy Framework targeting 95% digital literacy by 2030, with six competency areas and 23 individual competencies

Explanation

Nigeria has created a comprehensive framework based on EU DIGICOM and UNESCO frameworks, with specific competency areas including device operation, information literacy, content creation, collaboration, safety and problem solving. The framework has an ambitious target of achieving 95% digital literacy by 2030 with a mid-term goal of 70% by 2027.

Evidence

The framework was built based on the DIGICOM Framework (EU digital literacy framework) and the UNESCO Digital Literacy Framework. Six competency areas: device and software operation, information and data literacy, content creation, collaboration and communication, safety and problem solving.

Major discussion point

Digital literacy framework development and implementation

Topics

Development | Online education | Capacity development

The framework implements a three-bucket approach: informal sector training through NYSC champions, formal education curriculum integration, and public sector capacity building

Explanation

The implementation strategy uses National Youth Service Corps (NYSC) members as champions to train informal sector workers, integrates digital literacy into formal education curriculum, and builds capacity in the public sector. The NYSC approach targets training 30 million Nigerians over three years through 17,760 champions annually.

Evidence

NYSC has 6 batches per year across 36 states and 774 local governments. 80 champions per stream, each training 60 Nigerians on basic digital literacy monthly (600 annually), totaling over 10.6 million trained per year. Champions train market women, motor park workers, artisans, and senior citizens in religious places.

Major discussion point

Implementation strategies for digital literacy programs

Topics

Development | Capacity development | Online education

Agreed with

– Yomi Arowosafe

Agreed on

Multi-tiered approach to digital literacy implementation

Disagreed with

– Poncelet Illeleji

Disagreed on

Primary channels for delivering digital literacy education

Africa can position itself as a global talent net exporter due to young, digitally native population while other regions face aging demographics

Explanation

According to projections, there will be 85 million talent deficit globally by 2030, which could result in $8.5 trillion in unrealized annual revenue. Nigeria and Africa can leverage their young population to fill this gap and become global talent exporters.

Evidence

According to Conferi, by 2030, there would be 85 million talent deficit globally, which if left unaddressed could result to $8.5 trillion in unrealized annual revenue. Most parts of the world are suffering from aging, while Africa has a very young and digitally native population.

Major discussion point

Africa’s demographic advantage in global digital economy

Topics

Development | Future of work | Economic

Community-based approaches using local languages and reaching informal sector workers like market women and artisans are essential

Explanation

The digital literacy program specifically targets the informal sector, which is the most exclusive in terms of digital literacy and suffers the most from cybersecurity breaches. Champions go to marketplaces, motor parks, and religious places to train these underserved populations.

Evidence

Champions go to marketplaces to train market women, motor park workers, artisans. They go to religious places and meet senior citizens to train them on basic digital literacy. The informal sector is the most exclusive in terms of digital literacy and suffers the most from cybersecurity breaches.

Major discussion point

Inclusive approaches to digital literacy training

Topics

Development | Digital access | Inclusive finance

Agreed with

– Yomi Arowosafe
– Adediji Stanley Olagide

Agreed on

Focus on inclusive access for underserved populations

Disagreed with

– Poncelet Illeleji

Disagreed on

Role of traditional vs. digital media in education delivery

Digital literacy curriculum has been developed and approved for primary and secondary schools, with next phase focusing on teacher training

Explanation

Working with the Minister of Education, digital literacy content and curriculum for primary and secondary schools has been developed and approved by the Council of Education. The next stage involves training teachers on how to implement digital literacy education in formal schooling.

Evidence

Content for digital literacy and curriculum for primary and secondary school has been approved by the Council of Education. For universities, a pilot was done with Nassau State University in collaboration with Cisco, where students can take courses, get Cisco certification and earn credit units.

Major discussion point

Integration of digital literacy into formal education

Topics

Online education | Capacity development | Development

Agreed with

– Yomi Arowosafe
– Judith Hellerstein
– Dr. Ibiso Kingsley-George

Agreed on

Integration of digital literacy into formal education systems

Digital transformation aligns with Nigeria’s economic diversification agenda and can help achieve the eight-point Renewed Hope priorities

Explanation

President’s Renewed Hope agenda has eight key priorities, with priority seven focused on accelerating diversification through industrialization, digitization, creative arts, innovation, and manufacturing. Digital literacy supports this economic transformation as every organization today is becoming a tech organization.

Evidence

President outlined eight key priorities with priority number seven specifically focused on accelerating diversification through industrialization, digitization, creative art, innovation, and manufacturing. Today every organization is a tech organization and every industry is becoming digital.

Major discussion point

Alignment of digital literacy with national economic strategy

Topics

Economic | Development | Digital business models

Yomi Arowosafe

Speech speed

99 words per minute

Speech length

– Kashifu Inuwa Abdullahi
– Judith Hellerstein
– Dr. Ibiso Kingsley-George

Agreed on

Integration of digital literacy into formal education systems

Internship programs, job placement, and innovation hubs like hackathons and boot camps help prepare youth for digital economy readiness

Explanation

Policies should support programs that offer internships, job placement opportunities, and co-finance innovation hubs, hackathons, and boot camps. These engagements specifically target the youthful population and help prepare them for participation in the digital economy.

Evidence

Offer of internship, job placement and co-finance innovation hubs, hackathons and boot camps are engagements that bring up the youthful population to help get them engaged in readiness for digital economy.

Major discussion point

Youth engagement in digital economy preparation

Topics

Future of work | Development | Capacity development

Poncelet Illeleji

Speech speed

142 words per minute

Speech length

921 words

Speech time

387 seconds

Professional teacher development is crucial, requiring programs that involve Schools of Education and TVET institutes to reduce rural-urban digital divide

Explanation

NITDA should develop programs directly involving Schools of Education and TVET institutes because the disparity between rural and urban Nigeria is large. Rural teachers often lack the digital literacy skills to compete on equal footing with urban teachers, making grassroots teacher training essential.

Evidence

Disagreed with

– Kashifu Inuwa Abdullahi

Disagreed on

Primary channels for delivering digital literacy education

Traditional media like community radios remain powerful tools for reaching populations with digital literacy programs

Explanation

Despite digital advancement, traditional community radios remain important for digital literacy outreach. Services like BBC house service demonstrate how radio can be used for educational content, as people still enjoy listening to traditional radio.

Evidence

BBC has the BBC house service as an example. Digital literacy programs can be rolled out through BBC or local community radios because everybody still likes to listen to traditional radio.

Major discussion point

Multi-channel approach including traditional media

Topics

Online education | Development | Cultural diversity

Disagreed with

– Kashifu Inuwa Abdullahi

Disagreed on

Role of traditional vs. digital media in education delivery

Working with tech communities to manufacture low-cost devices locally can improve accessibility for average citizens

Explanation

Most hardware is still imported, creating accessibility challenges. Nigeria should work with tech communities to explore manufacturing low-cost devices locally, making digital tools more accessible to the average person and supporting the digital transformation strategy.

Evidence

Most of our hardware are still imported. Need to work with tech communities to see how we can manufacture low-cost devices so average person can access resources that improve their lives in line with African Union digital transformation strategy.

Major discussion point

Local device manufacturing for improved accessibility

Topics

Development | Digital access | Economic

Judith Hellerstein

Speech speed

144 words per minute

Speech length

1306 words

Speech time

540 seconds

Comprehensive policy frameworks must include cybersecurity, data governance, consumer protection, and infrastructure sharing policies beyond just broadband policies

Explanation

Effective digital access requires looking beyond just broadband and UAS policies to include cybersecurity, cyber crime, meaningful connectivity policies, and consumer protection frameworks. The focus should be on collaborative regional approaches and ensuring Nigeria is known for positive digital contributions rather than spam.

Evidence

Agreed with

– Poncelet Illeleji

Agreed on

Teacher training and professional development as critical foundation

Affordable device access is crucial and requires subsidy programs backed by data showing impact on affordability and digital inclusion

Explanation

Affordable devices are essential for digital inclusion and can be addressed through UAS fund subsidies and nonprofit partnerships. However, these subsidy programs must be supported by data demonstrating their impact on affordability and digital inclusion to justify continued investment.

Evidence

Affordable devices extremely important. Work can be done with UAS fund having subsidies for affordable devices, working with communities and nonprofits for affordable devices or computers. Subsidy programs need to be backed up by data showing impact on affordability and inclusion.

Major discussion point

Device affordability and subsidy programs

Topics

Development | Digital access | Consumer protection

Participant

Speech speed

160 words per minute

Speech length

789 words

Speech time

294 seconds

Nigeria’s 250 million population with 70% youth provides an advantaged position to leverage technology for development and international leadership

Explanation

Nigeria’s demographic profile of over 250 million people with 70% being youth creates a significant advantage for leveraging technology. This positions Nigeria not only for domestic development but also to be a leading member of the international community in digital transformation.

Evidence

Nigeria is a country of over 250 million people, 70% of which are youth. Out of every ten FinTech from Africa, seven are from Nigeria. Nigerian financial institutions are present globally, not just in Africa.

Major discussion point

Nigeria’s demographic advantage for digital transformation

Topics

Development | Future of work | Economic

Nigeria’s digital literacy approach can serve as a benchmark for other West African countries in policymaking and implementation

Explanation

Nigeria is already ahead of every country in the West African region in terms of digital literacy and digital transformation. Other countries in the region, including Liberia, look to Nigeria as a benchmark for policymaking and comprehensive roadmap development.

Evidence

Nigeria is already ahead of every country within the West African region in terms of digital literacy and digital transformation. Countries like Liberia are looking at what Nigeria is doing as a benchmark in policymaking.

Major discussion point

Nigeria as regional leader in digital literacy

Topics

Development | Capacity development | Digital access

Adediji Stanley Olagide

Speech speed

148 words per minute

Speech length

174 words

Speech time

70 seconds

The wide digital divide in Nigeria and across Africa requires targeted interventions to reach underserved populations

Explanation

The digital divide in Nigeria is very wide, and this challenge extends across Africa, not just Nigeria. Bridging this gap requires focused efforts to ensure that rural populations and underserved communities are not left behind in digital transformation efforts.

Evidence

The digital divide in Nigeria is so wide, and all across Africa actually, not only Nigeria. Large population still living in rural areas needs to be reached to close the gap.

Major discussion point

Addressing the digital divide across Africa

Topics

Development | Digital access | Inclusive finance

Agreed with

– Kashifu Inuwa Abdullahi
– Yomi Arowosafe

Agreed on

Focus on inclusive access for underserved populations

Ebenezer Dari

Speech speed

172 words per minute

Speech length

125 words

Speech time

43 seconds

Collaboration with domain name sector and enforcement of .ng domain usage for businesses can promote digital literacy across sectors

Explanation

The NITDA digital framework should collaborate with the domain name sector to promote digital literacy. There should be enforcement requiring businesses working with government to use .ng domain names, moving beyond just conversations with CAC to actual implementation.

Evidence

Conversation going on with CAC on how to make sure every organization and business is registered as .ng domain name. Need to enforce existing businesses doing business with government to use .ng domains.

Major discussion point

Domain name sector collaboration for digital literacy

Topics

Legal and regulatory | Digital identities | Development

Audience

Speech speed

135 words per minute

Speech length

388 words

Speech time

171 seconds

Enforcement and measurement are crucial for moving from policy on paper to actual implementation with trackable performance metrics

Explanation

Multiple online participants emphasized that successful digital literacy initiatives require moving beyond policy documents to actual enforcement and implementation. The principle ‘what gets measured is what gets done’ highlights the importance of tracking performance metrics and ensuring multi-stakeholder approaches.

Evidence

Online comments from fellows of Nigerian School on Internet Governance emphasized need for enforcement while implementing, multi-stakeholder approach, collaborative efforts, and tracking performance metrics. ‘What gets measured is what gets done’ – moving from policy on paper to enforcement.

Major discussion point

Implementation and measurement of digital literacy policies

Topics

Legal and regulatory | Development | Capacity development

Dr. Ibiso Kingsley-George

Speech speed

105 words per minute

Speech length

Agreed on

Comprehensive policy frameworks beyond basic broadband access

Robust cybersecurity engagement and implementation is necessary to protect citizens and change negative perceptions

Explanation

The moderator stressed the importance of implementing strong cybersecurity policies and laws to protect Nigerian citizens. She also emphasized the need to change international perceptions and ensure Nigeria is not seen as a source of cybercrime but rather as a leader in digital innovation.

Evidence

She mentioned robust cybersecurity engagement and implementation of cybersecurity policies and laws to protect Nigerians, as well as changing perception that would say that this is the spam capital of the world.

Major discussion point

Cybersecurity implementation and reputation management

Topics

Cybersecurity | Legal and regulatory | Development

Agreements

Agreement points

Multi-tiered approach to digital literacy implementation

Speakers

– Kashifu Inuwa Abdullahi
– Yomi Arowosafe

Arguments

The framework implements a three-bucket approach: informal sector training through NYSC champions, formal education curriculum integration, and public sector capacity building

Digital literacy initiatives should focus on tiered approaches building foundational skills through community-based programs like computer laboratories and emerging technology centers

Summary

Both speakers advocate for structured, multi-level approaches to digital literacy that progress from basic to advanced skills through different delivery mechanisms

Topics

Development | Capacity development | Digital access

Integration of digital literacy into formal education systems

Speakers

– Kashifu Inuwa Abdullahi
– Yomi Arowosafe
– Judith Hellerstein
– Dr. Ibiso Kingsley-George

Arguments

Digital literacy curriculum has been developed and approved for primary and secondary schools, with next phase focusing on teacher training

Integration of digital skills into formal education creates pipeline of digitally competent citizens for evolving digital economy demands

Educational curriculum changes must start early in elementary school and build up through all levels including trade schools and TVET programs

Revamping formal education curriculum by embedding digital literacy is crucial for systematic change

Summary

All speakers agree that digital literacy must be systematically integrated into formal education from elementary through tertiary levels, including vocational training

Topics

Online education | Development | Capacity development

Focus on inclusive access for underserved populations

Speakers

– Kashifu Inuwa Abdullahi
– Yomi Arowosafe
– Adediji Stanley Olagide

Arguments

Community-based approaches using local languages and reaching informal sector workers like market women and artisans are essential

Digital literacy initiatives must focus on inclusive access for rural populations, women, people with disabilities, and underserved youth

The wide digital divide in Nigeria and across Africa requires targeted interventions to reach underserved populations

Summary

Speakers consistently emphasize the need to prioritize underserved populations including rural communities, women, people with disabilities, and informal sector workers

Topics

Development | Digital access | Gender rights online | Rights of persons with disabilities

Teacher training and professional development as critical foundation

Speakers

– Poncelet Illeleji
– Judith Hellerstein

Arguments

Professional teacher development is crucial, requiring programs that involve Schools of Education and TVET institutes to reduce rural-urban digital divide

Educational curriculum changes must start early in elementary school and build up through all levels including trade schools and TVET programs

Summary

Both speakers recognize that effective digital literacy education requires comprehensive teacher training and professional development programs

Topics

Online education | Capacity development | Development

Comprehensive policy frameworks beyond basic broadband access

Speakers

– Judith Hellerstein
– Dr. Ibiso Kingsley-George

Arguments

Comprehensive policy frameworks must include cybersecurity, data governance, consumer protection, and infrastructure sharing policies beyond just broadband policies

Policymaking should not stop at policy creation but must include collaboration, data sharing, and updating existing laws for the digital era

Summary

Both speakers emphasize that effective digital transformation requires comprehensive policy frameworks that go beyond basic connectivity to include cybersecurity, governance, and legal updates

Topics

Legal and regulatory | Cybersecurity | Data governance

Future of work | Development | Capacity development

Unexpected consensus

Leveraging social media platforms for educational content delivery

Arguments

Collaboration with domain name sector and enforcement of .ng domain usage for businesses can promote digital literacy across sectors

Explanation

The connection between domain name usage and digital literacy promotion represents an unexpected technical consensus that wasn’t challenged by other speakers

Topics

Legal and regulatory | Digital identities | Development

Overall assessment

Summary

There is strong consensus among speakers on the need for comprehensive, multi-tiered approaches to digital literacy that integrate formal education, target underserved populations, leverage youth demographics, and require robust policy frameworks with proper implementation mechanisms

Consensus level

High level of consensus with speakers building on each other’s points rather than contradicting them. The implications are positive for Nigeria’s digital literacy agenda as stakeholders appear aligned on key strategies and priorities, suggesting strong potential for coordinated implementation across government agencies, educational institutions, and civil society organizations

Differences

Different viewpoints

Primary channels for delivering digital literacy education

Speakers

– Poncelet Illeleji
– Kashifu Inuwa Abdullahi

Arguments

Social media platforms like TikTok should be used to deliver educational content given their massive reach among Nigerian youth

The framework implements a three-bucket approach: informal sector training through NYSC champions, formal education curriculum integration, and public sector capacity building

Summary

Illeleji advocates for leveraging existing social media platforms like TikTok (citing 37 million Nigerian users) for educational content delivery, while Abdullahi focuses on structured programs through NYSC champions and formal education systems. Illeleji emphasizes digital-native approaches, while Abdullahi emphasizes systematic institutional approaches.

Topics

Online education | Content policy | Development

Role of traditional vs. digital media in education delivery

Speakers

– Poncelet Illeleji
– Kashifu Inuwa Abdullahi

Arguments

Traditional media like community radios remain powerful tools for reaching populations with digital literacy programs

Community-based approaches using local languages and reaching informal sector workers like market women and artisans are essential

Summary

Illeleji advocates for maintaining traditional media channels like community radio alongside digital platforms, while Abdullahi focuses on direct community engagement through NYSC champions without emphasizing traditional media channels.

Topics

Online education | Cultural diversity | Development

Unexpected differences

Emphasis on social media platforms for formal education delivery

Speakers

– Poncelet Illeleji
– Other speakers

Arguments

37 million Nigerians are on TikTok (15% of population), demonstrating existing digital engagement that can be leveraged for educational content

Various structured approaches through formal institutions

Explanation

It’s unexpected that in a formal policy discussion about national digital literacy frameworks, there would be disagreement about leveraging popular social media platforms. Most speakers focused on institutional approaches, while Illeleji uniquely advocated for TikTok as a primary educational delivery channel, which represents a significant departure from traditional educational policy thinking.

Topics

Online education | Content policy | Development

Overall assessment

Summary

The discussion showed remarkably high consensus on goals and principles, with disagreements primarily focused on implementation methods and delivery channels rather than fundamental objectives. Main areas of disagreement centered on whether to prioritize digital-native platforms versus institutional approaches, and the role of traditional media in digital literacy delivery.

Disagreement level

Low to moderate disagreement level with high strategic alignment. The disagreements are constructive and complementary rather than conflicting, suggesting different approaches could be integrated rather than being mutually exclusive. This indicates a mature policy discussion where stakeholders share common vision but offer different tactical approaches, which could strengthen overall implementation through multi-channel strategies.

Partial agreements

Future of work | Development | Capacity development

Takeaways

Key takeaways

Nigeria has developed a comprehensive National Digital Literacy Framework targeting 95% digital literacy by 2030 (70% by 2027) with six competency areas and 23 individual competencies

A three-pronged implementation strategy includes: informal sector training through NYSC champions reaching 30 million Nigerians over three years, formal education curriculum integration, and public sector capacity building

Nigeria’s young demographic advantage (70% of 250 million population are youth) positions the country to become a global talent net exporter while other regions face aging populations

Digital literacy initiatives must prioritize inclusive access for underserved populations including rural communities, women, people with disabilities, and informal sector workers

Policy implementation requires comprehensive frameworks beyond broadband policies, including cybersecurity, data governance, consumer protection, and cross-agency collaboration

Professional teacher development and early integration of digital skills in education from elementary through tertiary levels is crucial for sustainable digital transformation

Leveraging existing digital engagement (37 million Nigerians on TikTok) and traditional media like community radio can amplify educational content delivery

Affordable device access through subsidy programs and local manufacturing partnerships is essential for bridging the digital divide

Nigeria’s approach can serve as a benchmark for other West African countries in digital literacy policy development and implementation

Resolutions and action items

NITDA to continue implementing the three-bucket digital literacy strategy with NYSC champions, formal education integration, and public sector training

Ministry of Education to proceed with training teachers on approved digital literacy curriculum for primary and secondary schools

Collaboration with domain name sector to enforce .ng domain usage for businesses doing government work

Development of subsidy programs for affordable devices backed by impact measurement data

Integration of UNESCO ICT competency framework for teachers using open educational resources

Creation of educational content for social media platforms like TikTok to reach youth demographics

Establishment of innovation hubs, hackathons, and boot camps for workforce development

Implementation of performance metrics and tracking systems to measure policy effectiveness

Unresolved issues

Specific funding mechanisms and budget allocations for scaling digital literacy initiatives

Detailed coordination mechanisms between multiple government agencies for policy implementation

Concrete strategies for local device manufacturing and technology production capabilities

Specific enforcement mechanisms for cybersecurity and consumer protection in the digital era

Detailed approaches for reaching the most remote rural populations with limited infrastructure

Integration challenges between different educational levels and institutions

Sustainability of volunteer-based NYSC champion model for long-term implementation

Measurement methodologies for tracking the quality and impact of digital literacy training

Suggested compromises

Balancing formal academic education with skills-based competency development to accommodate different learning paths

Using both traditional media (community radio) and modern platforms (social media) to reach diverse population segments

Implementing tiered licensing frameworks that start with low-cost or no-cost options and scale up as organizations grow

This concise comment captured a fundamental challenge in policy implementation – the gap between policy creation and actual results. It emphasized accountability and measurement as critical success factors.

Impact

Though brief, this comment reinforced the theme of implementation challenges that had been building throughout the discussion. It validated concerns raised by multiple speakers about the need for robust monitoring and evaluation systems, contributing to the overall emphasis on moving beyond policy documents to measurable outcomes.

Overall assessment

Explanation

This focuses on creating evidence-based approaches to device affordability that can demonstrate return on investment

Lightning Talk #34 Digital Cooperation for Sustainable Heritage Preservation

Session at a glance

Summary

Martin Alvarez Espinar presented a discussion on preserving cultural heritage through collaborative technology and open data initiatives. As an IT engineer with 15 years of experience at the World Wide Web Consortium, Espinar developed this project after moving from Spain to Belgium, where he struggled to understand local cultural heritage due to language barriers and limited accessibility of information. He observed that many cities have hidden cultural gems and historical assets that are poorly documented or accessible only to locals, with information often available only in local languages or through hard-to-find plaques and markers.

Espinar introduced “Heritage Inn,” an open-source project designed to make cultural heritage more accessible globally while preserving local significance. The methodology utilizes existing open data from public archives, libraries, and sources like Wikipedia, combined with modern technologies including QR codes, mobile applications, and AI tools to create comprehensive heritage databases. The system can be customized for any type of heritage beyond cultural assets, including botanical, geographical, or astronomical resources, as demonstrated through examples in Belgian cities, Oslo, and Paris.

The project emphasizes community collaboration as its cornerstone, recognizing that local residents, neighbors, and community experts possess invaluable knowledge about their area’s heritage that often goes undocumented. The application can be deployed in multiple formats including progressive web apps, native apps, and mini-apps, with setup time reduced from hours to minutes using generative AI tools. Espinar concluded that successful global heritage preservation requires sustainable infrastructure, supportive open data policies, and active participation from civil society, public institutions, and academia to bridge local knowledge with global accessibility.

Keypoints

**Major Discussion Points:**

– **Personal motivation and accessibility challenges**: The speaker’s experience moving to Belgium and struggling to understand local cultural heritage due to language barriers and inaccessible information, highlighting how cultural assets are often only available in local languages or hidden from visitors

– **Technology as a solution for heritage preservation**: Presentation of ICT tools, mobile applications, and digital technologies (including QR codes, augmented reality, and AI) as ways to make cultural heritage more accessible, multilingual, and inclusive for people with different abilities

– **The Heritage Inn project methodology**: Introduction of an open-source, low-cost platform that allows communities to digitally catalog and share local heritage assets, with customizable applications that can be deployed quickly using templates and databases

– **Community collaboration and open data**: Emphasis on involving local communities, experts, and citizens in contributing knowledge about heritage sites, combined with leveraging open data from public archives, libraries, and platforms like Wikipedia to create comprehensive heritage resources

– **Scalability and global application**: Demonstration of how the methodology can be applied to various types of heritage (cultural, botanical, geological, astronomical) across different cities and contexts, with examples from Oslo, Paris, and Belgium

**Overall Purpose:**

The discussion aims to present a practical, technology-driven solution for preserving and promoting local cultural heritage globally. The speaker advocates for using open-source tools, open data, and community collaboration to make heritage information more accessible and inclusive, while demonstrating how this can be achieved cost-effectively and sustainably.

**Overall Tone:**

The tone is consistently enthusiastic, informative, and solution-oriented throughout the presentation. The speaker maintains an optimistic and encouraging approach, sharing personal experiences and practical examples to demonstrate feasibility. The tone becomes slightly more technical when explaining implementation details but returns to being inspirational when discussing community involvement and global potential. There’s no significant change in tone – it remains positive and advocacy-focused from beginning to end.

Speakers

– Martin Alvarez Espinar

– Role/Title: IT engineer

– Areas of expertise: Web standards, worked at W3C (World Wide Web Consortium) for 15 years, standards interoperability, open data advocacy, helping governments define open data strategies, local heritage enthusiast, cultural heritage preservation using technology

Additional speakers:

None identified – this appears to be a single-speaker presentation by Martin Alvarez Espinar.

Full session report

# Discussion Report: Heritage Inn – Making Cultural Heritage Accessible Through Technology

## Overview and Speaker Background

This presentation was delivered by Martin Alvarez Espinar, an IT engineer with 15 years of experience at the World Wide Web Consortium (W3C). Espinar combines technical expertise in web standards with advocacy for open data initiatives. His professional background includes helping governments define open data strategies, while his personal interests include local heritage and applying technology for cultural heritage preservation.

## Personal Motivation and Problem Identification

Espinar’s Heritage Inn project originated from his personal experience moving from Spain to Belgium, where he encountered barriers in understanding local cultural heritage. This transition highlighted accessibility challenges that affect cultural heritage preservation and access globally.

He explained how language barriers create obstacles for newcomers and visitors trying to engage with local cultural assets. Many cities have what he calls “hidden gems” – cultural and historical assets that remain poorly documented or accessible only to local residents. Information about these heritage sites is often available only in local languages or through hard-to-find markers, preventing broader appreciation and understanding.

## The Heritage Inn Project and Technology Solutions

Heritage Inn is an open-source project designed to make cultural heritage more accessible globally while preserving local significance. The methodology uses existing open data from public archives, libraries, and sources like Wikipedia, combined with modern technologies including QR codes, mobile applications, and artificial intelligence tools to create heritage databases.

The platform provides a replicable framework for creating heritage applications using simple databases and templates. This approach reduces technical barriers traditionally associated with heritage preservation initiatives. The system can be customized for various types of heritage beyond cultural assets, including botanical, geographical, or astronomical resources, with implementations demonstrated in Belgian cities, Oslo, and Paris.

## Specific Examples and Applications

Espinar provided several concrete examples of the platform’s applications:

– **The Unfinished Church**: He described a church that was never completed due to architectural problems and ground issues, explaining how the application shows what the church would have looked like if finished.

– **Open-air Museum in Antwerp**: An example featuring statues that users can explore through the application.

– **Famous and Illustrious Women in Paris**: A heritage trail focusing on notable women in Parisian history.

– **Big Bang/Universe Expansion Artwork**: An installation showing galaxies that represents temporal context as users walk around the city, designed for astronomy enthusiasts.

The applications show users how far they are from points of interest and can be exported in various formats, including progressive web apps, native apps, and mini-apps for different platforms including Open Harmony operating system.

## AI Integration and Development Speed

A significant development highlighted by Espinar is the impact of generative artificial intelligence on application development. He demonstrated that while initial application creation previously required substantial time investment, AI integration has dramatically reduced development time. In a recent test using “Deep Seek” as the AI engine, he showed that applications could be set up in minutes rather than hours, making heritage preservation tools more accessible to communities regardless of technical expertise.

## Community Collaboration and Open Data

Espinar emphasized that community collaboration is central to effective heritage preservation. Local residents and community experts possess valuable knowledge about their area’s heritage that often remains undocumented in official sources. The Heritage Inn approach positions community members as active contributors to cultural content.

The platform integrates open data from public archives and libraries as foundational material, which is then enhanced through community contributions. When community-contributed information might be questionable, Espinar mentioned that the system encourages validation by asking local experts for input.

The collaborative framework includes partnerships between civil society, public institutions, and academia, recognizing that sustainable heritage preservation requires diverse forms of expertise and support.

## Technical Implementation and Accessibility

The technical architecture of Heritage Inn prioritizes accessibility for people with different abilities and technological capabilities. Espinar mentioned provisions for blind users and individuals with mobility limitations. The platform incorporates emerging technologies such as augmented reality and explores potential applications within metaverse environments.

QR codes provide a solution for connecting physical heritage sites with digital information, enabling contextual information delivery based on user location, language preferences, and accessibility needs.

The open-source nature ensures communities can access, modify, and deploy the technology without licensing restrictions or significant financial investment.

## Global Applications and Scalability

The presentation demonstrated the methodology’s adaptability across different geographical contexts and heritage types. Beyond traditional cultural assets, the approach has been applied to botanical heritage, geological features, and astronomical sites, showing the framework’s versatility in accommodating how communities define their local heritage.

Espinar positioned his work within the context of UN Sustainable Development Goal 11, which includes provisions for preserving cultural heritage, demonstrating how technological solutions can contribute to international development objectives while maintaining local relevance.

## Implementation Challenges

Several challenges emerged that require consideration:

– **Infrastructure Support**: Building sustainable global infrastructure for heritage preservation platforms requires support for hosting servers and technical infrastructure.

– **Open Data Access**: Effective utilization of open data sources depends on supportive policies and institutional frameworks. Espinar noted that proper policies and grants are necessary for accessing foundational data.

– **Quality Control**: Managing community-contributed heritage information requires validation processes, though detailed mechanisms for ensuring accuracy were not fully elaborated.

– **Long-term Sustainability**: Ensuring continued operation and updates of heritage platforms over time, particularly in communities with limited technical resources, remains a consideration.

## Key Insights

Espinar’s presentation revealed several important insights:

– Cultural heritage preservation represents a universal need that can benefit from technological solutions

– Local knowledge is crucial for comprehensive heritage documentation

– AI and open-source technology are reducing barriers to heritage preservation activities

– Communities can actively participate in documenting and promoting their cultural assets

## Conclusion

Martin Alvarez Espinar’s Heritage Inn project represents a practical approach to cultural heritage preservation that combines technological innovation with community participation. The methodology addresses accessibility challenges while providing tools for communities to document, preserve, and promote their local heritage.

The project demonstrates how personal experience can inspire solutions with broader applicability, transforming challenges with inaccessible cultural information into a framework for community-driven heritage preservation. The approach tends to be sustainable and offers communities a way to ensure their cultural stories remain accessible for future generations through collaborative technology and open data initiatives.

Session transcript

Martin Alvarez Espinar: Thank you. Good morning. Welcome. Thank you for being here. Some online watchers, so viewers in the, joining this session. It’s great to be here in this open stage. I will present a new topic, a different topic that we have been discussing this morning today. It’s about cultural heritage and how we can preserve it using the collaboration, the collaboration from everyone. So I will start by introducing a little bit of my background because I think it’s important because this talk and this project I will present is something personal, something I developed myself because I’m, yeah, some curious and perhaps you have the same initiative, the same request or the same ideas when you have, you travel abroad or you are visiting a new city and you see in the streets the names, the plaques representing the name of the streets and the different places, right? And you figure out why this person representing the street, representing the place or who was this politician or why this animal is giving the name to this street. So I wondered this when I was in many places, right? And I decided to look into these details and find information and try to do some, yeah, let’s say easy way to understand the reality of the cities and the past and the history of the cities. So basically the cultural heritage of the city or the heritage of the city. So I’ve been, well, basically I’m an IT engineer with a lot of experience with web standards. I’ve been working in W3C, the World Wide Web Consortium, for 15 years, always related to standards interoperability, also advocating for open data because this is very important. Open data, the public information that is held by the public administrations, the archives, the libraries, yeah, these public assets that by definition are public, are for the citizens, are by the citizens and can help us to create and to understand this cultural heritage of the local places and cities, towns in a global scale. Also something important is that I’ve been helping some of the governments worldwide, specifically in Europe, in Spain, to define these open data strategies. So how they can release the open data, the public resources, to help third parties like myself as a citizen to create applications or projects like the one I will present here today. And also, yeah, as I told you at the beginning, I’m a local heritage enthusiast. So I want to promote the cultural heritage in my city. Everyone is proud of the culture, right? Our cultures. The communities, we are focused on preserving the culture. So the culture is something that identifies basically the community or a specific collective of people. So we need to preserve. It’s part of the activities we need to do. And this project, I’m going to present, is something that I, it became when I moved to Belgium. I’m from Spain and I moved to Belgium. And I moved to the Flemish part of Belgium. They speak Flemish, a variant of Dutch. Very difficult for me. So it was a nightmare at the beginning. So I tried to understand all the remaindings they had about the Middle Ages and the huge and rich culture they have. And the cultural heritage they have in their cities, right? And they have a lot of artworks. They have a lot of, I don’t know, many, many information around. But it was very difficult to understand for me. So you can find a specific plague with information about the artwork or the figure representing the specific milestone in the history. But I couldn’t understand. But this might happen in all the places worldwide. Everyone is proud of their culture. It could be artworks. It could be important people in the past. It could be even, I don’t know, museums or gastronomy, botanics. So everyone is proud of something they have locally. And they will be able to promote it globally using the technologies, right? The internet and the IT technologies, right? So as I told you, when you are walking around, I was walking around in my city in Leuven. Every asset, every touristic plague around was in Dutch. So very difficult for me to understand. It’s not accessible. It’s not only because of the language. Also for people with some different functionalities, blind people or someone that cannot access to read these plagues, they have difficulty to understand what happened there or what is the asset that was there, right? So it’s something that we need to solve and we can solve very easily. Also we have some hidden gems around the city that only locals might know. For instance, you can see in the slide one tree that is part of the culture of the city. And it’s very difficult to find. There is a small plaque behind the tree, but it’s very difficult to find unless someone tells you that it represents an important milestone of the city. So we need to provide something. We need to do something, right? And we see that ICTs are our ally to represent information, to collect information, preserve information and also to publish information and represent information publicly. So we can use ICT to preserve and promote and understand the heritage. So we have in our devices, we have the capability to access to more context who we are, the language we speak, which is the context where we are based right now, the geolocation and the things we like. And we can use this context to find the information we like and to represent something or to find better ways to represent, in this case, the heritage around us. So another example that it was interesting for me at the beginning, this is the picture or representing the picture of a church that is called the Unfinished Church. And what this was for? There is no, well, some history that, or you can read something if you understand Dutch, that history that, yeah, they tried to build a much larger, a much bigger church, something like this. But it’s something interesting, right? We don’t see this information. You cannot see this information unless you go to the Wikipedia or the archives of the city and find this kind of information. And this was how, or this is how the church would look like if they could finish. It was a problem of the, let’s say, the ground and the, it was an architectural problem. So with ICT, we can help, we can help citizens, people around, visitors to understand what was the heritage of the city. So as I told you, more context and better ways to represent. And also something very important, as I told you before, accessibility. We can provide better ways to provide this information, to express this information to all people independently on the different needs and requirements they have. If they are blind, if they have some mobility problems, we can use these technologies, as you know, augmented reality, metaverse, or something simple as this project, as I will present. This project is called Heritage Inn, and this is something, it’s not commercial, it’s open source, it’s something that you can use. What we try to do or what I try to do was maximizing these technologies in a very simple way no cost at all, so Using the basic open source information Sorry, the open data information. So the public information in the archives in the newspapers also published on the web in the Wikipedia or Wikidata and Using some tools to help the community which is the most important part for this talk how the community can contribute to the original data to create a better resource and to express better the the The story about the and the history of this asset you want to represent. It’s something that it tends to be Sustainable so low-cost very easy to maintain using open source for everyone to Innovate with it and if you want to expand the use case you can you can create a better your better idea even monetized idea and also as I always mentioned more accessible trying to Be inclusive to all communities Multilingual and also providing more accessibility for representing the data so this is basically the outcome you can see in the in the slide the One screenshot of a simple application you can Using your mobile phone and just scanning a QR code or just placing or going around the city. You can be Recommended is some places around you that are special for this for this place. So in this project we tried to Collect and represent Local assets to the global community. So this is a methodology and a set of tools that can be implemented by any anyone so it’s important here in this forum because it it’s totally related to one of the SDGs in concrete the 11 and the goals for how to preserve the cultural heritage But in this case, we are not promoting all only the cultural heritage as I told you It’s a promoting all kind of heritage. You can have in your community. It could be related to Geography, I don’t know museums Botany whatever you need or whatever you have so at a glance the methodology that Basically, it’s a to show that this is feasible. So the collaboration and the open source and open data is feasible to preserve this So The the cultural heritage worldwide, so this is basically the summary of the methodology at the beginning you can clone so replicate take download the specific project and Just use it. You can use it. Whatever you want. It’s a open source. So you Only needs to access the internet and get the the source code and the templates you can use you have Some databases that you can just modify and From using some basic spreadsheets and you can translate the spreadsheet to the specific database format You can customize the app the basic application changing colors modifying the Look-and-feel of the application and after that just upload The the specific resources you have and start the collaboration you can run the application and start the collaboration with the rest of the community the rest of the citizens or the rest of the Visitors that are around as I told you at the beginning the most important part of the the preserving the the heritage or the cultural heritage could be your neighbor yourself your Grandfather that they always know some Story about that place about that person about this asset, right? So just emphasizing a little in the database and the how we can customize the application so Very simple way. So some code you don’t need to understand the code But you see that this very very simple very simple to to change Even we can create some tools on top of this to avoid just writing the code specifically so this is only the information that you have to Mmm, let’s say customize for your own application for a new application from scratch. So creating or adding some new colors or changing the names changing the the attribution Let’s say texts and also. Yeah all all the information you want to add this description of the application Just changing how to customize this. This is another example. You can see there in this case. It’s a an example with the collaboration of the One museum in the city of Antwerp in Belgium with open-air Museum with some statues in the open-air museum so you can see that you can create for many many purposes So this is the configuration file very simple to to understand and to to update you can customize the colors the languages the icons in Minutes and the application is ready in seconds. You only need to include some Points of interest the ones that you you need to for sure This is something that is the most important part and you can rely on the open data Resources you have in the municipality in the archives Around you or just a start starting from scratch from some some templates and at the end you will have something like this this example it’s the application you can see in the in your Smartphone you can play in some other devices So far the application apart from the metal methodology you have the application in three formats Progressive web application a native app using the open harmony operating system or a mini app, which is a new form of Small application light applications to run on the on the devices. So the application is ready in seconds. You can Export whatever you in whatever format you need or just run on the web. I Said in seconds in relative minutes, right? I did a test yesterday Now that we have AI generative AI, right? So When I created the application, it was a bit tougher. So It said at the beginning they say this slide was about one hour or half a day now It’s minutes so we can use something like this. It was it’s it’s amazing This is just one example you can replicate with whatever Model your engine AI engine you want Okay, let me or show me the top touristic attractions. This is the touristic attractions in Oslo and In this case deep seek showed some of results, right? Okay, you can order you can ask different things. I told The a-engine, okay model in the way I want so give me the latitude longitude So the coordinates the title the description give me a couple of links if I need more information external information also the link of open Image from the Wikipedia or whatever you you find it and after that Give me a specific format I want the template as I told you before as I showed you before so this is something like we got and at the end we had this I told the this engine to give me a set of 10 or 15 elements to represent this and in a couple of minutes I got this so the full list of or the top list according to the AI engine In Oslo with Something. Yeah showing the application with the information contextual information about once you open the application it will tell you how far you are from the from this point of interest the information description the title nice picture If you tap on the specific card of this asset You have more information more descriptive information. Also the map to to help you to To to go to this place and more information useful information to understand to share and the most important asking experts for input if it is wrong or if you can expand the The information we have here. We want to have the collaboration from everyone so as I told you this information at the beginning was collected by public archives or the Wikipedia or whatever Open data source you can have but the important part is enriching from the community their local communities The local experts or the normal citizen that is walking around and they know something about this place and at the end also, you can include many things like sharing the information or whatever so you can expand the the topics we can expand the application and can apply to any type of heritage not only cultural heritage or as I told you the botanics or geography or Geology or whatever, right? This was another example the Famous and the illustrious women in Paris So another example we already created in several minutes just to show that this is this is possible one example, I will I will escape because we are running out of time just to show the Full application how it is, but basically I described it before But something very important you can adapt the application to a specific artworks or resources this was one of the adaptations of the application To cover one specific artwork that is showing the expansion of the universe. So the Big Bang Considering the context the exposed spatial and temporal Context so represented in a big city in a big circle You can walk around the city and the application will tell you where you are in time Since the origin of the universe and is represented by different Galaxies, so it’s very advanced. It’s related to astronomy So you see that it’s another topic, but it’s a adapted to a new need and in this case supported by the specific community that is the enthusiast for Astronomy, so just to summarize what we want is preserving the local heritage we all have local heritage, but globally and we can do it in a Easy way very low cost way using open data open source Involving everyone involving in the community involving. Yeah, our friends our the local community that they are the experts and exposing everything in a timely and Accessible way to to everyone. It’s important to build some infrastructures for this like Yeah, if you want to create something if you want to replicate something on top of this platform now I can give you the permission to use it. But if you want to do it globally, we need some support someone that can host the the servers and the infrastructure in general and also policies because you know, if you want to use the first Information the first resources this open data as I told you that it’s the first Let’s say that the first raw data you can add into the application you need to grant it and you have to at least to to have a specific open data policy for using this and yep at the end what we need is the collaboration from the the civil society the Public bodies the academia that they are the experts that they can also research on the topic But the most important part is involving everyone from the street to make the most of this Preservation of the heritage and cultural heritage. Thank you

Martin Alvarez Espinar

Speech speed

157 words per minute

Speech length

Global Heritage Preservation Vision

Topics

Sustainable development | Cultural diversity

Agreements

Agreement points

Similar viewpoints

Unexpected consensus

Overall assessment

Summary

This transcript represents a single-speaker presentation by Martin Alvarez Espinar about the Heritage Inn project, with no other speakers participating in discussion or debate.

Consensus level

No consensus analysis possible as this is a monologue presentation rather than a multi-speaker discussion. The speaker presents a unified vision for heritage preservation using technology and community collaboration without any opposing viewpoints or alternative perspectives being presented.

Differences

Different viewpoints

Unexpected differences

Overall assessment

Summary

This transcript represents a single-speaker presentation by Martin Alvarez Espinar about the Heritage Inn project, with no other speakers presenting opposing or alternative viewpoints. All arguments listed are from the same speaker presenting a cohesive methodology for cultural heritage preservation using technology and community collaboration.

Disagreement level

No disagreement present – this is a monologue presentation rather than a debate or discussion with multiple viewpoints. The speaker presents a unified vision for heritage preservation through open source technology, community collaboration, and accessible design without any counterarguments or alternative approaches being discussed.

Partial agreements

Similar viewpoints

Takeaways

Key takeaways

Cultural heritage preservation faces significant accessibility barriers including language limitations, lack of visibility for hidden gems, and exclusion of people with disabilities

ICT technologies combined with open data and open source approaches can provide sustainable, low-cost solutions for heritage preservation that are contextual and inclusive

The Heritage Inn project demonstrates a replicable methodology that can be customized for any community to create heritage applications in minutes using simple templates and databases

AI and generative tools have dramatically reduced development time for heritage applications from hours/days to minutes, making the technology more accessible

Community collaboration is essential – local citizens, neighbors, and experts possess valuable knowledge that must be incorporated alongside official archives and open data sources

Heritage preservation should extend beyond cultural assets to include botanical, geographical, astronomical, and other types of local heritage

The approach aligns with UN Sustainable Development Goal 11 and supports global preservation of local heritage through accessible, multilingual platforms

Resolutions and action items

The Heritage Inn open source platform is available for anyone to clone and use for their own heritage preservation projects

Communities can start heritage preservation efforts by accessing the provided templates, customizing databases through spreadsheets, and uploading local resources

Applications can be deployed in multiple formats (progressive web apps, native apps, mini apps) to ensure broad accessibility

Unresolved issues

Infrastructure support needs are identified but no specific solution provided for hosting servers and technical infrastructure at scale

Open data policies are needed to access foundational public information, but no concrete policy recommendations or implementation strategies were discussed

Martin Alvarez Espinar

Reason

This synthesizing comment is insightful because it articulates a vision that reconciles the tension between local specificity and global accessibility. It presents a model where preservation doesn’t require expensive infrastructure or expert gatekeepers, but can be achieved through community collaboration and open technologies.

Impact

This comment serves as the culminating vision that ties together all the previous observations and technical demonstrations. It transforms the discussion from a presentation about a specific app to a broader manifesto about democratizing cultural heritage preservation.

Overall assessment

Explanation

The speaker mentioned accessibility for blind people and those with mobility problems, and referenced technologies like augmented reality and metaverse, but didn’t provide specific implementation details for different accessibility needs

Open Forum #35 Addressing International Crimes Enabled by Cyber Operations

Session at a glance

Summary

This discussion focused on addressing international crimes enabled by cyber operations, specifically examining how international criminal law can strengthen global cybersecurity and prosecute core international crimes committed through digital means. The session was jointly hosted by the International Criminal Court (ICC) and Microsoft, featuring experts from policy, private sector, and civil society backgrounds.

Professor Marko Milanović, Special Advisor to the ICC’s Office of the Prosecutor, outlined the forthcoming ICC policy on cyber-enabled crimes, which explains how the Rome Statute applies to international crimes committed or facilitated by cyber means. The policy addresses war crimes, genocide, crimes against humanity, and aggression that involve digital technologies, emphasizing that the ICC is prepared to prosecute those who use technology to commit these serious crimes. Examples include using AI to facilitate attacks on civilians, disseminating humiliating imagery of prisoners of war online, or conducting direct incitement to genocide through social media.

Panelists highlighted several critical challenges in investigating and prosecuting cyber-enabled crimes. Estonian prosecutor Kati Reitsak emphasized the importance of international partnerships and trust-building, noting similarities between organized crime and international crimes in their cross-border nature. The preservation and authentication of digital evidence emerged as a major concern, particularly given that these cases can take decades to prosecute while digital evidence is ephemeral and easily altered.

Microsoft’s Michael Karimian discussed the private sector’s crucial role in evidence collection, attribution, and international cooperation, while acknowledging potential conflicts of interest when tech companies provide services to various parties in conflicts. Civil society representatives Katitza Rodriguez and Chantal Joris stressed the importance of adhering to international human rights standards during investigations and avoiding overly broad surveillance powers that could undermine the very evidence needed for prosecutions.

The discussion concluded that while existing international criminal law is adequate for addressing cyber-enabled crimes, success requires unprecedented cooperation between states, private sector entities, and civil society organizations to overcome the unique challenges posed by the digital nature of these crimes.

Keypoints

## Major Discussion Points:

– **ICC’s Proposed Policy on Cyber-Enabled International Crimes**: The International Criminal Court’s Office of the Prosecutor is developing a groundbreaking policy document that explains how existing Rome Statute crimes (genocide, war crimes, crimes against humanity, and aggression) can be committed or facilitated through cyber means, rather than creating new categories of crimes.

– **Evidence Collection and Preservation Challenges**: Panelists extensively discussed the unique difficulties of collecting, preserving, and authenticating digital evidence in cyber-enabled crimes, including issues with evidence disappearing quickly, the need for rapid response, maintaining chain of custody over decades-long investigations, and the risk of platforms deleting crucial evidence.

– **Multi-Stakeholder Cooperation and Partnerships**: The discussion emphasized the critical importance of collaboration between various actors including international courts, national prosecutors, private sector companies (especially tech platforms), civil society organizations, and intelligence agencies to effectively investigate and prosecute these cross-border crimes.

– **Human Rights Considerations and Conflicts of Interest**: Significant attention was given to ensuring that investigations respect international human rights law, avoid legitimizing mass surveillance or repressive practices, and manage potential conflicts of interest when tech companies both hold evidence and provide services that may facilitate crimes.

– **Practical Implementation and Case Prioritization**: The panel explored which types of cases might be prioritized initially (starting with smaller, less complex cases), the challenges of attribution in sophisticated cyber operations, and how traditional legal frameworks need to adapt to address the unique aspects of cyber-enabled international crimes.

## Overall Purpose:

The discussion aimed to explore the legal, operational, and technical challenges involved in prosecuting international crimes committed through cyber means, highlighting the ICC’s forthcoming policy as a significant milestone while examining the roles of various stakeholders in strengthening global cybersecurity and accountability for core international crimes.

## Overall Tone:

The discussion maintained a professional, collaborative, and forward-looking tone throughout. Participants demonstrated expertise while acknowledging the complexity and novelty of the challenges. The tone was constructive and solution-oriented, with panelists building on each other’s points and offering practical insights. There was a sense of cautious optimism about the potential impact of the ICC’s policy, balanced with realistic assessments of the significant challenges ahead. The atmosphere remained respectful even when addressing sensitive topics like conflicts of interest and human rights concerns.

Speakers

**Speakers from the provided list:**

– **Harriet Moynihan** – Head of Accountability in International Law at the Oxford Institute of Technology and Justice at the Blavatnik School of Government, University of Oxford; Associate Fellow in the International Law Programme at Chatham House; Session moderator

– **Marko Milanović** – Professor; Special Advisor to the International Criminal Court, specifically to the Office of the Prosecutor on Cyber Enabled Crimes

– **Chantal Joris** – Senior Legal Officer at Article 19; focuses on freedom of expression

– **Katitza Rodriguez** – Policy Director for Global Privacy at the Electronic Frontier Foundation

– **Michael Karimian** – Director of Digital Diplomacy at Microsoft

– **Kati Reitsak** – Prosecutor at the State Prosecutor’s Office of the Republic of Estonia; has over 10 years of experience combating organized crime and recently moved to dealing with international law and international crimes

– **Audience** – Various audience members who asked questions during the Q&A session

**Additional speakers:**

– **Chelsea Smith-Hurst** – Microsoft representative; helped with online moderation questions during the Q&A (mentioned but did not speak in the transcript)

– **Joeri Bokovoy** – Finnish Green Party member; audience questioner

– **Aaron Clements-Hunt** – Works for the Heartland Initiative; audience questioner

– **Vilda** – Criminologist; audience questioner

– **Christian Faizili** – Public prosecutor from the Democratic Republic of Congo; audience questioner

– **Meredith** – Works with the Business and Human Rights Resource Center; audience questioner

Full session report

# Addressing International Crimes Enabled by Cyber Operations: A Comprehensive Discussion Report

## Introduction and Context

This discussion, jointly hosted by the International Criminal Court (ICC) and Microsoft, brought together leading experts from policy, private sector, and civil society backgrounds to examine how international criminal law can address core international crimes committed through digital means. The session was moderated by Harriet Moynihan, Head of Accountability in International Law at the Oxford Institute of Technology and Justice, and featured distinguished panellists including Professor Marko Milanović, Special Advisor to the ICC’s Office of the Prosecutor on Cyber Enabled Crimes, alongside representatives from civil society organisations, the private sector, and national prosecution services.

The discussion centred on the ICC’s forthcoming policy on cyber-enabled crimes, which represents a groundbreaking initiative in international criminal law. This policy addresses how existing Rome Statute crimes—genocide, war crimes, crimes against humanity, and aggression—can be committed or facilitated through cyber means, rather than creating entirely new categories of international crimes.

## The ICC’s Policy on Cyber-Enabled International Crimes

### Policy Framework and Scope

Professor Marko Milanović outlined the comprehensive nature of the ICC’s proposed policy, explaining that it focuses on applying existing international criminal law to cyber-enabled crimes rather than expanding the Rome Statute’s scope. The policy addresses four core areas: genocide, war crimes, crimes against humanity, and aggression when committed through digital technologies. Additionally, it covers offences against the administration of justice under Article 70 of the Rome Statute, such as hacking court systems or intimidating witnesses through cyber means.

Milanović provided specific examples of cyber-enabled crimes the ICC is prepared to prosecute: using artificial intelligence to facilitate attacks on civilians, disseminating humiliating imagery of prisoners of war online, conducting direct incitement to genocide through social media platforms, and attacks on critical infrastructure that could cause severe humanitarian consequences. He emphasised that the policy serves dual purposes: providing internal guidance for the Office of the Prosecutor’s operations and communicating publicly how the Rome Statute applies to cyber-enabled crimes.

### Civil Society Support and Human Rights Considerations

Civil society representatives strongly supported the policy’s approach of focusing on existing Rome Statute crimes rather than creating new categories. Katitza Rodriguez from the Electronic Frontier Foundation noted that this approach helps avoid overly broad cybercrime laws that could undermine human rights. She emphasised that all investigations must respect international human rights law frameworks, including principles of necessity, legality, proportionality, and transparency with proper oversight mechanisms.

Chantal Joris from Article 19 reinforced these concerns, highlighting that whilst internet shutdowns and mass surveillance often violate freedom of expression and can exacerbate harms for communities impacted by conflict, most do not rise to the level of international crimes. She specifically noted that direct attacks on ICT infrastructure and internet shutdowns could potentially constitute international crimes depending on their scale and impact.

## Evidence Collection and Preservation Challenges

### Digital Evidence Vulnerabilities

One of the most significant challenges identified relates to the unique nature of digital evidence in international crimes prosecutions. Katitza Rodriguez highlighted the fundamental challenge: “evidence in this context must last. We are talking about 10, 20, 30 years. A video recorded today might remain courtroom ready for a long period of time, even 20 years from now. One mobile phone clip can expose a massacre and be published on YouTube. An algorithm can delete that proof forever.”

Rodriguez provided a specific example of YouTube’s automatic extremism filter purging channels and videos of human rights researchers and journalists documenting Syrian conflicts, illustrating how platform content moderation policies can inadvertently destroy crucial evidence. She also referenced the Guatemala National Police Archive case and Patrick Ball’s work on statistical analysis of human rights violations, demonstrating how digital documentation can provide crucial evidence for accountability efforts.

### Technical and Procedural Requirements

Michael Karimian from Microsoft detailed the technical complexities involved in evidence preservation, emphasising that digital evidence requires rapid identification and preservation using sophisticated technical capabilities. Estonian prosecutor Kati Reitsak reinforced these concerns from a practical perspective, explaining that investigators must preserve and collect evidence following strict standards to ensure admissibility in court, particularly given that digital evidence is heavily contested.

Reitsak also highlighted the need to overcome institutional siloing, noting that successful cyber-enabled crime investigations require cooperation between different units within law enforcement agencies, such as cybercrime units and international crimes units. She compared this to organised crime investigations, which also require extensive technical capabilities and cross-border cooperation.

## Multi-Stakeholder Cooperation and Partnerships

### The Essential Role of Private Sector Cooperation

Throughout the discussion, there was strong consensus that private sector cooperation is essential for successfully prosecuting cyber-enabled international crimes. Michael Karimian outlined the crucial roles that private companies play in rapid evidence preservation, attribution, cross-border cooperation, and ensuring procedural integrity in investigations.

Karimian explained that attribution—one of the most complex challenges in prosecuting cyber-enabled crimes—requires the ability to track activity across different digital infrastructures and jurisdictions, capabilities that often reside primarily within private companies. He noted that successful investigations require judicial frameworks with international partners and technical expertise that goes beyond traditional law enforcement capabilities.

### Trust and Cross-Border Cooperation

Kati Reitsak emphasised the critical importance of personal connections and trust between partners in successful cross-border investigations. She noted that these investigations require swift action and reliable information sharing, which depends not only on formal frameworks but also on established relationships between investigators across different jurisdictions.

Reitsak provided examples of successful prosecutions in France, the Netherlands, and Norway for Syria-related cases, and mentioned Estonia’s specific rules about in absentia proceedings and the genocide network at Eurojust as examples of effective cooperation mechanisms.

### Civil Society as Evidence Holders

Civil society organisations emerged as crucial stakeholders in the evidence ecosystem. Rodriguez highlighted that civil society organisations often hold crucial evidence and documentation that may be the last remaining proof of atrocities, requiring collaboration with prosecutors. This positions civil society not merely as advocates but as essential partners in the investigative process.

## Conflicts of Interest and Corporate Accountability

### The Dual Role of Technology Companies

One of the most challenging aspects of the discussion concerned the complex position of technology companies in cyber-enabled international crimes. Chantal Joris identified a fundamental tension: “The reality is as well that very often those same tech companies are the ones that provide services to conflict parties, cloud computing services, surveillance technologies, AI capabilities that are also very much needed to perpetrate those exact crimes that the policy seeks to address.”

This tension became particularly evident during the question-and-answer session, when Aaron Clements-Hunt directly questioned Microsoft’s provision of services to Israeli entities whilst simultaneously positioning itself as a partner in international justice efforts. This exchange illustrated the real-world complexities of public-private partnerships in this space.

### Managing Corporate Responsibility

In response to civil society feedback, Milanović noted that the ICC policy will include language acknowledging potential criminal responsibility of corporate executives, representing an attempt to balance the need for private sector cooperation with recognition of their potential liability. This represents a significant development in how international criminal law addresses corporate involvement in international crimes.

## Case Prioritisation and Prosecution Strategy

### Different Strategic Approaches

The discussion revealed different perspectives on how the ICC should begin prosecuting cyber-enabled crimes. Professor Milanović advocated for starting with smaller, less complex cases, particularly Article 70 offences against the administration of justice, such as hacking court systems. He argued that “a good way to start would be, for example, an Article 70 case, so a case about the administration of justice. Somebody hacks the court… Those are easier cases to deal with.”

Michael Karimian offered a different perspective, arguing that cases involving widespread harm to critical infrastructure and essential services should be prioritised because they pose substantial risks to human life and send clear international signals.

Kati Reitsak supported the general principle of starting with smaller cases but suggested that war crimes or crimes against humanity cases would be preferable starting points as they provide broader possibilities for establishing new legal precedents in cyber-enabled crime prosecutions.

## Practical Challenges and Unresolved Issues

### Attribution and Technical Complexity

Attribution emerged as one of the most significant technical challenges in prosecuting cyber-enabled crimes. The discussion acknowledged that sophisticated cyber operations often involve multiple layers of obfuscation designed specifically to complicate attribution efforts, requiring extensive technical expertise and international cooperation.

### Outstanding Questions from Practitioners

Several practical questions remained unresolved during the discussion. Christian Faizili from the Democratic Republic of Congo raised a specific concern about how prosecutors can prove command responsibility via digital traces when forensic laboratories are destroyed in conflict zones, highlighting the intersection between traditional conflict dynamics and new technological challenges.

Questions were also raised about gaming platforms and voice chat monitoring, illustrating the breadth of digital spaces where potential evidence of international crimes might be found.

### Institutional Capacity Gaps

Both Reitsak and Karimian acknowledged that traditional law enforcement institutions often lack sufficient technical capabilities for complex cyber investigations. This represents a significant institutional challenge that requires law enforcement agencies to develop new capabilities or rely heavily on external expertise.

## Human Rights Safeguards and Concerns

### Avoiding Legitimisation of Mass Surveillance

Civil society representatives consistently emphasised the importance of ensuring that cyber-enabled crime investigations do not legitimise mass surveillance or repressive practices. Rodriguez specifically warned against the ICC relying on evidence gathered through abusive surveillance powers, arguing that this could undermine both the legitimacy of prosecutions and the broader human rights framework.

### Platform Policies and Content Moderation

The discussion highlighted concerns about platform content moderation policies that may inadvertently destroy evidence. Rodriguez noted that platforms face incentives to mass delete information to avoid liability, potentially destroying evidence before courts can examine it. This prompted discussion about the need for platforms to implement public interest exceptions for content with educational, documentation, or newsworthy value.

## Broader Impact and Future Directions

### The ICC’s Leadership Role

Multiple speakers emphasised that the ICC’s policy will likely have impact far beyond the ICC itself. Harriet Moynihan described it as “a groundbreaking initiative that can lead the way for national jurisdictions and set important legal precedents.” Kati Reitsak noted that national courts can look to the ICC as a beacon and be encouraged by its systematic approach to cyber-enabled international crimes.

### Policy Development Timeline

The discussion concluded with concrete next steps for policy development. The ICC Office of the Prosecutor has received many comments during the public consultation phase and will take these on board as they revise the draft policy. The policy is expected to be formally promulgated at the Assembly of States Parties later this year.

### Supporting Research and Documentation

The UC Berkeley Human Rights Center’s submission to the Office of the Prosecutor regarding Mali was mentioned as an example of academic institutions contributing to the development of this area of law. Additionally, ongoing research efforts are supporting the practical implementation of the policy framework.

## Conclusion

This discussion represented a significant milestone in the development of international criminal law’s response to cyber-enabled crimes. The ICC’s forthcoming policy addresses a critical gap in international justice mechanisms by providing a framework for prosecuting serious international crimes committed through digital means.

The conversation revealed both the promise and the challenges of this initiative. While there was broad support for the policy’s approach and recognition of the need for multi-stakeholder cooperation, significant practical challenges remain around evidence preservation, attribution, conflicts of interest, and the development of new institutional capabilities.

Perhaps most importantly, the discussion demonstrated that addressing cyber-enabled international crimes requires extensive cooperation between diverse stakeholders with different capabilities and perspectives. The success of this effort will depend on building trust between partners, managing conflicts of interest, and developing new technical and legal capabilities that bridge traditional boundaries between different sectors and jurisdictions.

As the ICC moves forward with implementing this policy, the frameworks and partnerships developed through this initiative will likely prove crucial for maintaining accountability for international crimes in the digital age. The broad engagement from various stakeholders suggests a strong foundation for this work, while the practical challenges identified highlight areas where continued development and cooperation will be essential.

Session transcript

Harriet Moynihan: At this point, Harriet was tired when she heard that she would no longer be on time and was decided to quit. Relax. Relax We are all women. We are all women. Is this… a quake? I thought it was a quake. So they will give you a sign? I’m not sure. Well, good afternoon everyone. Both to those of you who are joining us here in the room and those of you joining us online. Welcome to… to this session on addressing international crimes enabled by cyber operations. I’m Harriet Moynihan, I’m Head of Accountability in International Law at the Oxford Institute of Technology and Justice at the Blavatnik School of Government, University of Oxford. I’m also an Associate Fellow in the International Law Programme at Chatham House and I’m delighted to be moderating this session. I’m also going to be joined online by Chelsea Smith-Hurst of Microsoft, who’s going to be helping with online moderation questions once we get into the Q&A. Today we’re going to look at how international criminal law within both national and international judicial settings can help to strengthen global cyber security and address core international crimes which are committed through cyber means. And of course by international crimes we mean war crimes, genocide, aggression and crimes against humanity. And this session is going to highlight the forthcoming policy of the International Criminal Court on international crimes committed by cyber means and that’s obviously a significant milestone in investigating and prosecuting such crimes at the international level. This session is being hosted jointly by the International Criminal Court and by Microsoft and I’m delighted to say that both are represented here today. And in this panel we’re going to have the opportunity to explore some of the legal, operational and technical challenges in this area by hearing from a range of experts from policy makers to private sector, to civil society and the special advisor to the International Criminal Court on cyber enabled crimes. And I should add that at Chatham House where I’ve been working we’re conducting a research project on this very issue which seeks to complement the work of the International Criminal Court and we’re going to be publishing a research paper that dives into some of the broader legal and practical issues around this area and that paper will be published in January. Today our panellists are going to look at the evolving cyber threat landscape, challenges in the collection and attribution of evidence, the need for stronger multi-stakeholder cooperation in this area, and ways to strengthen accountability generally. And the way that we’re going to do this is we’re going to have a moderated panel discussion, and then we’re going to open it up to Q&A, both from you here in the audience and those of you joining us online. But before that, let me introduce our speakers. We’re joined online by two speakers, first of all Professor Marko Milanović, who amongst many other roles is the Special Advisor to the International Criminal Court, specifically to the Office of the Prosecutor on Cyber Enabled Crimes. Welcome Marko. Also joining us online, we have Michael Karimian, who’s Director of Digital Diplomacy at Microsoft. And here in the room, the stellar panel continues. We have Kati Reitsak, who’s a prosecutor at the State Prosecutor’s Office of the Republic of Estonia. We have Chantal Joris, who’s Senior Legal Officer at Article 19. And last but not least, we have Katica Rodriguez, Policy Director for Global Privacy at the Electronic Frontier Foundation. I’d like to start the conversation by turning to Marko. Marko, could you set the scene for us a bit by telling us a bit more about the Office of the Prosecutor’s proposed policy in this area? How does it relate to the various initiatives that are going on worldwide in relation to cyber crimes? And what does it mean for the work of the International Criminal Court? Thank you so much, Kerit.

Marko Milanović: And allow me to welcome everybody, both online and offline, also on behalf of the Office of the Prosecutor of the ICC, to this event that we have jointly organized together with Microsoft. And thank you so much, Kerit, for moderating the panel. The Office of the Prosecutor launched this effort to formulate a policy document, which will be used both for its internal purposes, but also for communicating with the public, which does several things. It explains how the Rome Statute of the International Criminal Court can be applied to the commission or facilitation of international crimes by cyber means. That’s the first thing it does. It also explains how other than the core international crimes, also the offenses against the administration of justice, which interfere with the working of the court as such, can also be committed and facilitated by cyber means. And then it goes on into various practical questions about the investigation, prosecution of these crimes, about the cooperation that the office needs to have with national authorities and the capacities that the office needs to build to essentially be able to investigate these offenses properly. So that is the point of this policy. The policy has now finished the public consultation phase. We have received many comments from states, from civil society, including organizations represented at this panel, from academics, from various other stakeholders, which we will take on board. And the policy will then be revised and adopted by the Office of the Prosecutor and formally promulgated at the Assembly of States Parties later this year. So that is the core idea of this policy. And the message that the Office of the Prosecutor essentially wants to send is that it is ready, it is prepared to prosecute those who use these technologies to commit international crimes. Here, it is really important to emphasize as Harriet did in her introduction, that we’re not talking here about normal, ordinary cybercrime like hacking, unauthorized access to a computer system, fraud, the dissemination of imagery of child sexual abuse, and so on. What we’re here talking about is genocide, war crimes, feminism, anti-aggression, and all of these crimes, including offenses against the administration of justice, can be committed by cyber means. AI, for example, can be used to facilitate attacks against civilians or the civilian population during an armed conflict, which is a war crime. Online technologies can be used to disseminate humiliating imagery of prisoners of war, which can also be a war crime, depending on the intensity of the suffering that these individuals are exposed to. Attacks against critical infrastructure, against airports, against air traffic control can qualify, for example, as murder, as a crime against humanity. Direct and public incitement to genocide can very easily be committed by social media, and so on. So that’s the core thing that the policy does. It really explains how cyber tools, including AI, can be used to commit these crimes. It also emphasizes the facilitation aspect. Many of these crimes can be committed, and most of them will be committed by traditional kinetic means, but cyber will be used to facilitate them. Everything from obtaining targets to conducting monetary transactions using cryptocurrency, for example, in a way that facilitates the commission of these crimes. The office is ready to prosecute these crimes, and that is the key signal that it wishes to send through this policy. and Marko Milanović, Harriet Moynihan, Kati Reitsak, Chantal Joris, Michael Karimian And also, perhaps, if you can talk about what makes a successful investigation when you’re looking at these cross-border type crimes.

Kati Reitsak: Thank you, Harriet. Thank you, everyone, for gathering here today, in here and online. So, yeah, it’s true. My main experience is more than 10 years combating organized crime. And just recently, I think maybe four or three years ago, I moved on to deal with cases concerned international law and international crimes. So, but there are so many similarities. If we are talking about core international crimes, there is very often a state actor at play. And if you are thinking about traditional organized crime, they often attempt to function as a state. within the state. It’s like a parallel force. It maintains the hierarchy with clearly defined roles and assignments. Organized crime also collects and distributes finances as they see fit, provides financial assistance to those who need and enforces its own system of punishment if someone were to break the rules. So, if we think in these concepts, we see that there are actually very many similarities between a wannabe state, like an organized crime group, traditional one, or a really legal state. So, we then have to assess both the jura and the facto powers of these persons acting within these systems and understand how these systems work kind of beneath the surface. Also, I have to say that in jurisdiction wise in Estonia there are also very many similarities. For example, core international crimes, Estonia exercises universal jurisdiction over them as they are considered as crimes that every state, every civilized state should be interested in prosecuting them. And the cross-border element is also something that is similar to those two. Because like organized crime, also crimes against humanity, they don’t know any state borders. And they are not limited by it, but they might seek profit all over. So, I think that what makes a successful investigation, both in organized crime and in crime against humanity, and in international crimes is a judicial framework with your partners. You have to have a very good partnership with all the other state and state actors. And if we are talking about criminal investigations, I think you all agree that information and evidence sharing is of the essence. And you have to trust the partner that you share your information and evidence with because otherwise you might be putting danger to your witnesses and your sources. So personal contacts that have always been very helpful in combating organized crime which acts cross-border and I think in international crimes as well. We have to build those personal connections because sometimes time is of essence. Especially if we are talking about cyber-enabled international crimes. Just tackling like a network, it needs to be very, very, very swift. And it is based on personal communication and personal sources. So it all comes down to willingness of the partners to investigate and get some good results. And of course as we go on, all the evidence is being very, very heavily contested in courts. As you see already, if you are looking at the media, you see that if there is a news clip already one of the parts of this clip might call it fake news. This is doctor, this is not true. So in this digital area that we are living in, it is very difficult to know what is the truth, true truth. and what is doctored. And therefore, for investigators also, it presents a challenge to preserve and collect evidence in a way that it will be fully admissible later on in a court of law. As I mentioned, these personal connections that we use to tackle organized crime with, they are also being formed at international level concerning international crimes. For example, I would just point out the genocide network at the moment in Eurojust. And do not be fooled by the name, it’s not only limited to genocide, but the members of this network actually share the experiences of investigating both war crimes and crimes against humanity as well. So I think I will stop here and thank you.

Harriet Moynihan: Thank you, Kati, and thank you for highlighting the importance of partnership and trust and cooperation and indeed giving examples of some of the forums that exist at the moment to try and promote that. And you mentioned the genocide network and the great work that they do. Michael, if I may turn now to you, and thank you for joining us online. The role of the private sector is very important in this space because, as we’re hearing, by their very nature, cyber-enabled crimes are likely to involve infrastructure that will traditionally be owned by the private sector. It might be social media companies, it might be cloud services, it might be computer networks. And so it would be really interesting to hear from you about what role you see for the private sector in this space, perhaps particularly in relation to things like collecting evidence, because obviously some platforms will hold evidence. How do prosecutors go about getting that evidence? Well, they’ll have to approach tech companies or they’ll have to go through states to do so. So any thoughts you have on that? in general but also in relation to evidence would be really interesting to hear. Over to you.

Michael Karimian: Absolutely and thank you Harriet not just for facilitating today’s discussion but also for the important work of yourself and colleagues at Chatham House and the research project that you’re undertaking and of course thank you to Marko and colleagues at the Office of the Prosecutor for their essential work in developing the policy. It’s been a real privilege to witness and support that work from the outset and I’m very glad to be part of this discussion today. Evidence preservation and collection in cyber-enabled international crimes presents a number of technical, legal and operational challenges and I think Microsoft’s experience could highlight several critical roles that the private sector can play in effectively addressing these challenges. Roles that are explicitly recognized in the ICC OTP’s forthcoming policy on cyber-enabled crimes and also further expanded upon in Chatham House’s important upcoming research. First I think rapid identification and preservation of digital evidence are crucial just as Kati was touching upon. Cyber-enabled crimes can often leave behind digital traces that are quite ephemeral and easily lost, deleted or altered and a number of technology companies have developed quite sophisticated technical capabilities for rapid detection, attribution and preservation of digital evidence. For example at Microsoft our digital crimes unit the DCU routinely uses advanced threat intelligence, machine learning and sophisticated analytics to identify and preserve relevant evidence from cyber operations swiftly and accurately and these capabilities allow companies like Microsoft to secure time-sensitive digital evidence long before traditional law enforcement methods can respond and that’s a critical element which is highlighted in the OTP’s drug policy as essential for successful prosecutions. Second, in terms of attribution, which is one of the most complex challenges in prosecuting cyber-enabled international crimes, the private sector brings unique technical capabilities. You know, accurate attribution requires the ability to track and correlate activity across different digital infrastructures and jurisdictions. And Microsoft’s global telemetry and network visibility, which is detailed quite extensively in our annual digital defense report, enables quite granular tracking of cyber-threat actors, including state-sponsored groups and sophisticated criminal networks. This capability aligns with Chatham House’s research, which emphasizes the need for robust technical partnerships to enhance prosecutorial confidence and attribution. Third, the cross-border nature of cyber-enabled crimes demands unprecedented international cooperation, not only among law enforcement, but significantly with the private sector. And again, the OTP’s draft policy explicitly underscores the importance of such cooperation networks, where you see emphasis on the value of private sector expertise in navigating jurisdictional complexities. And, you know, at Microsoft, we have firsthand experience with such cooperation, including partnerships like our recent collaboration with Europol, where investigators are being directly embedded within the European Cybercrime Center. Those types of partnerships really help to streamline international evidence sharing and overcome procedural hurdles, which, again, has been identified by Chatham House as a major bottleneck in prosecuting cyber-enabled crimes. Finally, in terms of ensuring evidence visibility in court, as we just touched upon, again, that requires private sector entities to follow quite rigorous standards in digital forensics and chain of custody management. At Microsoft, we have been proactively investing in building evidence handling capabilities compliant with international legal standards, again, recognizing the emphasis both OTP and Chatham House place on meeting rigorous. legal thresholds for evidence collection and admissibility. You know, by sharing best practices and technical standards, I think companies can also help court to build robust, credible cases against perpetrators. I guess I’ll end by saying that the private sector’s role seems to really extend far beyond just, you know, sort of passive cooperation, and instead it must really involve quite active partnership in evidence collection, attribution, international coordination, and ensuring procedural integrity. And Microsoft’s experience seems to be relatively consistent with the OTP’s forthcoming policy and Chatterhouse’s comprehensive analysis, all of which I think demonstrates that strong public-private collaboration is advantageous, but also indispensable for effectively prosecuting cyber-enabled international crimes.

Harriet Moynihan: Thanks, Michael. And I think what comes out of your remarks there is the fact that the private sector are involved throughout the process, from the very beginning of an investigation right through to evidence being submitted to court in a trial. And it’s also that word partnership coming out again, and thank you for the example you gave of the partnership with Europol. I’d like to turn now to another sector, another actor, civil society, and to you, Katitza. You work for the Electronic Frontier Foundation, and it would be really interesting to hear about what role you see for civil society here, how they can help, and perhaps maybe what the ICC

Katitza Rodriguez: should learn from the experience of civil society in this area. Okay, so thank you for the very kind invitation. We are actually really glad to see the prosecutors that draft policy on cyber-enabled crimes, especially because it explains how technology can be used to commit or facilitate crimes. Crucially, it sticks to Rome statute crimes rather than creating new types of crimes. This is important because it helps guard against the very pitfalls we have witnessed when a state has adopted overly broad cybercrime laws that have been used at the domestic level to undermine human rights. We submitted comments on the OTP policy consultation together with Derecho Digitales. We came up with a few recommendations. From time, I will just share a few ones. One is, and I will focus on evidence in this case. First, evidence in this context must last. We are talking about 10, 20, 30 years. A video recorded today might remain courtroom ready for a long period of time, even 20 years from now. One mobile phone clip can expose a massacre and be published on YouTube. An algorithm can delete that proof forever. Second, the Rome Statute is crystal clear that every investigation must fulfill or respect international human rights law. Meaning that the prosecutor and the authorities must gather detailed proof and detailed evidence under a framework of necessity, legality, proportionality, legitimate aim, and transparency and, of course, oversight mechanisms which are embedded in international human rights law and standards. And third, overly broad surveillance and cybercrime status have jailed journalists and silent dissidents. The ICC should ensure not to rely on evidence gathered through such abusive surveillance powers and avoid risk legitimizing repression and intentionally undermining its own cases. It’s the time for everyone to work together. to ensure justice can be delivered. And I think this is a good way of working holistically in these cases. And why does it matter? Because if the evidence disappears or it is tainted by abusive surveillance powers, the perpetrator walk free and the Rome Statue promise to victims is broken. And that’s serious things. I’m thinking on the Guatemala National Police Archive, 18 million pages of paper records were discovered in a collapsed warehouse. Later, using prosecution from disappearance and crimes against humanity, we had an interview with Patrick Ball, which is a data scientist analyst on the Human Rights Data Analysis Group, who told us that regime files have been central for documentary and data analytic evidence in trials of former heads of state in a couple of countries, where he identified patterns of repressions. In those cases, former dictators, police, and military leaders were convicted of war crimes, war crimes against humanity, disappearance, and genocide. Without contemporaneous record, and Patrick told us, our work, his work, would have been immensely harder. The digital age has not changed that lesson. It has merely shifted the evidence from dusty papers to bites. And so they rely a lot on preservations and collaborations with the courts to preserve the evidence. So for lack of time, I will focus on just one topic, which is improper incentives to destroy evidence. But there are other topics that we like to talk about, territoriality or about joint investigations, too. But on the improper incentives to destroy evidence, we are concerned that sometimes routine platforms functions are threatened with criminal or civil liability, and companies. When this happens, companies try to comply, over comply with the law to avoid fines, steep fines. This creates an incentive for companies to mass delete information, content that can be used in litigation, that can be used, can serve as evidence in courts. The result is that the very material prosecutors need in a case is wiped and possibly permanently destroyed before any court can see it. This is a case study. We have concerns of this global liability concerns and their own concerns about community standards. Platforms are being incentivized to delete conflict-related materials on a huge scale. And a paper that we wrote a few years back, where we document how YouTube used a new automatic extremism filter that was purging channels and videos of human rights researchers and journalists documenting Syrian conflicts. So our recommendation to the OTP is not only to caution about free expression, but also to ensure about the risk of destroying important evidence and the risk from state-compelling companies or companies voluntarily destroying evidence that can be used in courts. And we ask that much good can come from collaboration. And one of the things that could be done that the OTP should avoid is incentivizing these blanket takedowns orders and instead should encourage platforms and states to honor public interest exceptions so that content with educational documentation or newsworthy information remains online, even if it is not public. even if it’s graphic. So some of that is some of our concerns. NGOs, there are a lot of NGOs working in humanitarian response and in conflict documentations, whether contemporaneous or after the fact, may also hold the last, that we should collaborate with those NGOs because they may hold the evidence. And there are needs to ensure that, for instance, and that’s the words of my colleague, of this friend, Patrick Ball, that it’s documented cases and they use change of command and way of ensuring that the evidence is authenticated and that it still can serve in the court. And it can be done with a preservation order without relying on mass surveillance or abuse of surveillance powers that will end up not only, that will end up also impacting human rights. And I will stop here because of the five minutes.

Harriet Moynihan: Thank you so much. Thank you, Katitza. And you’ve really underlined the importance of international human rights law, which is always good to hear, and the role of civil society and the importance of preserving evidence, which is difficult when these cases can take so long. And now we have another voice here from civil society as well as Chantal being a very impressive international lawyer. So I’d like to turn to you, Chantal. I know you work for Article 19 focusing on freedom of expression. So it would be interesting to hear if you have any thoughts on how that fits into this place. Also, if you have anything you want to pick up from Katitza and if there are potentially any things that the ICC needs to be bearing in mind when it’s prosecuting these cases. Yes, absolutely. Thanks and thanks everyone for joining us at lunchtime or right after lunchtime.

Chantal Joris: Yeah, so I wanna agree with Katitza for sure. We think it’s a very important initiative together with many other human rights organizations. We have documented extensively the way in which digital rights violations, freedom of expression violations exacerbate harms. for Communities Impacted by Conflict or Prosecution or Crimes against Humanity, Occupation, and so on. So, we have, Article 19, been calling systematically on accountability mechanisms, also, for example, the International Court of Justice, as it assesses genocide cases, for example, in South Africa against Israel, to consider also the role of the human rights violations, free expression violations, digital rights violations, even if they may, in certain instances, directly amount to genocide or one of the other substantive crimes under the Rome Statute, but they certainly can play such an important contributing factor, be it in directly carrying out these more, perhaps, kinetic crimes, but also in contributing to a culture of impunity, in concealing evidence, and in potentially prolonging the situation of conflict or prolonging the situation in which these mass atrocities can take place. So, good initiative. Also, it will also be an important contribution, I mean, you mentioned there are so many discussions about how international law can apply, does it have responses to these new technologies, evolving technologies, so it’s also a very important contribution to that general discussion, I think. I think, perhaps, three main comments. So, we have also recommended that the policy, and of course the ICC, focus perhaps a bit more on direct attacks. Marko mentioned critical infrastructure, that should include also, of course, ICT infrastructure. For example, there is such an increased use now of internet shutdowns through various means, kinetic means, non-kinetic means. and others who are working on the digital transformation of the internet, the digital transformation of the internet by using the internet as a genetic means that have extreme implications now in conflict zones and, again, other zones impacted by atrocity crimes. And those should really also be considered more extensively. In fact, two certain forms of online harms have on human rights defenders, on journalists, on specifically those communities that, specifically in very restrictive information environments that we, of course, often see in those settings. They are key stakeholders, of course, for the evidence, to bring evidence to the prosecutor. I also want to mention, we’ve talked about the role of private entities, technology companies, and the policy does mention them as an important potential partner. It is a reality. They often hold important evidence. They might be able to assist and cooperate in the prosecution, investigation of crimes. The reality is as well that very often those same tech companies are the ones that provide services to conflict parties, cloud computing services, surveillance technologies, AI capabilities that are also very much needed to perpetrate those exact crimes that the policy seeks to address. So, I think that that sort of big challenge that we are facing, given that we have tech giants that are essentially used by every institution and every conflict actor at the same time, that needs to be spelled out better, I think, in the policy. And there needs to be a recognition that the ICC doesn’t only rely on them, but also needs to put them on notice of legal risks that are involved with the proliferation of these services. How to avoid unintended consequences? Again, Katitza has touched upon it, the responses to cyber security threats, cyber crimes, very often fall short of international human rights standards, both in terms of the substantive offences, but also in terms of how they are investigated. So I think it’s very important that there is a clear distinction between the OTP being active in investigating, prosecuting crimes under the Rome Statute, but not being too generous in extending cooperation with any domestic authorities that could go beyond what is really covered by the Rome Statute. And as a last point, I think that just means that it’s very important that any human rights consequences are really carefully considered, that is through engagement, close engagement with civil society. We have this Article 21, Paragraph 3 in the Rome Statute, of course, that says in terms of the substantive crimes, but also in terms of any prosecutions, human rights need to be considered. I think there is much to learn as well from human rights bodies, taking the example of the idea of cyber torture, for example, has been quite extensively looked at under human rights standards. I think those are aspects that also the ICC can learn from and also avoid, we’ve talked about this yesterday, any fragmentation of how, for example, a torture concept in the cyber domain is understood as opposed to in the human rights aspect. Thank you, Chantal, and thank you for mentioning the impact on civilians and

Harriet Moynihan: journalists and human rights defenders. It’s obviously quite easy to have these conversations in the abstract, but victims are and should be centred to this. You also mentioned conflicts of interest and thinking about how to manage those when partnerships are put together, which which are very necessary. I’d like to have a bit of a more relaxed conversation with the panel now just for a short time before I open it up to questions. While I’m doing so, please be thinking of questions that you might like to ask, both those of you in the room and those of you online. I think there’s a Zoom facility for raising questions, so do have them ready. Marko, if I may come back to you, it’s clear that what we’ve heard is that there’s all sorts of different ways in which cyber-enabled crimes can be carried out. For example, a commander using his phone to send a message to his troops to incite genocide. But at the other end of the spectrum, perhaps a massive cyber attack which uses very complex malware. We’ve also heard about mass surveillance. Obviously the ICC’s resources are finite. Do you have a sense of which kind of cases might be prioritised? And this is actually to all of the panel, but Marko perhaps to start with you. Are there some types of cases that would particularly benefit from being prioritised here under the new policy?

Marko Milanović: It’s a really interesting question, Harriet. Of course, it’s one that I cannot answer by reference to anything going on right now in the sense of what the Office is actually investigating. I will say two things. First of all, even today, even the most traditional kind of kinetic crime cases will involve digital evidence. All of my predecessors talked about digital evidence as sort of being indispensable to modern investigations. That’s true. So every kind of investigation that, for example, was dealt with by the tribunals for Yugoslavia or Rwanda a couple of decades ago would today involve analysing people’s phones, analysing social media postings, analysing various kinds of cyber operations, digital records and so on. So in that sense, every single ICC case will have a huge digital aspect. Our policy, though, does not mainly deal with that. Like, so, I mean, the whole question of digital evidence is so big that our policy only touches upon it. So, again, our main focus is really on how can a person be held responsible for enabling an international crime by cyber means, or by committing an international crime by cyber means. And if the question is, what’s the best first case, you know, my own sense would be, it would actually be nice to start relatively small. You know, so Michael talked about attribution being like a huge issue in many cyber operations. You know, it will be really difficult to prosecute a case, a first case dealing with, you know, super sophisticated state actors who are very well versed in hiding their tracks. You know, you don’t necessarily need to start off that way. You know, a good way to start would be, for example, an Article 70 case, so a case about the administration of justice. Somebody hacks the court, which has actually happened a few years ago. You know, somebody falsifies evidence before the court uses AI to submit fake evidence to the court, intimidates witnesses or prosecutors or judges by using online means. Those are easier cases to deal with. And, you know, if it was up to me, you know, a first digital or cyber case would be something fairly modest rather than something enormous. But, you know, I think that’s a good way of testing various abilities and capabilities. But it really all depends on the facts. It really all depends on what the prosecutors have before them at any given time.

Harriet Moynihan: Thanks, Marko. Starting small sounds sensible in this area, which is pretty new and cutting edge, and establishing a good precedent would be good. Opening up to the other critics, what are your thoughts? Well, I’m not a prosecutor, but I have an idea.

Katitza Rodriguez: I’m not an expert on the Roma status, I will defer that to the experts, but an idea that I have and that we have been discussing in my office is that investigated use of cross-border malware campaign that are targeted against ethnic groups and against the diaspora community that have been used actually for transnational repression, but we are wondering to what extent to understand the scope and the impact of those campaigns against this ethnic group in order to see whether they may rise to the level of a Roma status crime or not. They may or may not, but there’s so much we don’t know about the scope and the scale and purpose of the use of malware in this context, so I would try to learn more of those details. And of course, we may find, as the policy seems to suggest, that some of these are facets of larger campaigns and persecutions that have both online and offline campaigns. And that’s why, just tying to the submission, when we were talking about the definition of cyber, we were saying that it can be used not only to directly harm people, but in order to identify targets from other attacks too. They could be used to locate targets for a physical attack, for physical persecution, but so we do envision and we hope that perhaps malware and other mechanisms would turn out to be part of this larger pattern again with online and offline elements. So it’s not only also about the data, it’s not just about the physical, but when it comes to, you know, attacks against ethnic groups that have led to actually death, disappearance and repression.

Harriet Moynihan: Thank you. And that actually relates to a question I had, which is, obviously, as I said, the ICC’s resources are somewhat limited, and the draft policy makes clear that the prosecutor’s only going to pursue the gravest cases, and in traditional cases that usually… does mean death and serious injury. But in the cyber-enabled crimes context, do we need to think about gravity more broadly or differently? Chantal, did you have any thoughts on that or on anything that Katitza said in this regard, which some of the points that Katitza herself was making?

Chantal Joris: I mean, perhaps I would agree with Marko starting small is a good idea. I think also starting small could mean, again, for example, prosecuting a crime against humanity and explicitly recognising the chapeau elements, like what are indications of a widespread systemic attack on the civilian population that is needed for a crime against humanity? And there, looking at questions around internet shutdowns, mass surveillance and so on, or looking at a war crime around impeding humanitarian assistance, looking at has this happened also through attacks. So it could also be another way to just more emphasise that role in the commission of more kinetic attacks. I think also when it comes to what you mentioned around the assessment of harm, assessment of gravity is obviously very complicated as we have these more sort of kinetic, physical notions of harm. I think at least, I mean, there are so many, on the one hand, indirect consequences. Again, a shutdown might, you know, kill someone because they can’t communicate with the hospital, or even further down the line, there can be psychological consequences. So other types of harms, but I also think we should not completely forget any sort of broader societal impacts, economic impacts. They might not neatly fit under any of the crimes under the Rome Statute, but I do think they need to be considered as well, and the ICC should be cognisant of those broader effects of what a mass surveillance campaign can produce within a population, and consider those aspects as well.

Harriet Moynihan: Thank you. Katy, as a prosecutor, I can’t resist asking you, what would be your sort of first kind of case? What would you be? I suppose there’s no such thing as an easy case, but perhaps one of the priority cases in this area. Do you have a sense for that?

Kati Reitsak: Yeah, I think that at first, as a national prosecutor, if I were a national judge, I would really like the ICC to show us the way by choosing whether a war crime or a crime against humanity. Because this would give us, kind of the ICC, the more broader possibility to say the essence of this new terminology that is being used, like cyber-enabled and how will it start to fit in ICC’s work. And I also want to say that I think that national courts can look up to ICC as a kind of beacon leading the way and being maybe encouraged by the ICC’s very systematic approach to cyber-enabled international crimes. If we are talking, of course preferably, I would not have any cases of war crimes or crimes against humanity, but in Estonia you would have to take into account the very, very strict in absentia rules. So I think this is also, and it depends of course on the state, on the rules, but for example in Estonia you cannot indict anyone unless you have pressed charges and the person has been present to see the charges and has had the possibility to personally get acquainted to the material of the criminal investigation. And then maybe later on, maybe in trial stage, if this person has been present to see the criminal investigation and has had the possibility to personally get acquainted to the material of the criminal investigation and has had the possibility to personally get acquainted to the material of the criminal investigation. If this person then leaves, then we can kind of carry on without him or her. But yeah, the rules in national courts are even sometimes a bit more stricter than in international courts, if we are talking about. So I would choose a case where I would have a suspect, like present. So this is definitely something that I would choose. Also, a war crime and a crime against humanity. Maybe a war crime episode could be more individual. You don’t have to have that many aspects. It doesn’t have to be very, very large-scale. For example, if we are talking about genocide, I think that the burden of proof there is much higher and much more difficult to obtain, for example, than if we are talking about war crimes or crimes against humanity. So definitely, I agree with Marko that it should be smaller, start with small steps, but still significant enough to lead the way.

Harriet Moynihan: Yeah, thanks, Kati, for thinking about some of the practical and procedural issues that come up in these cases. And you mentioned about having the suspect in the jurisdiction. Obviously, in the cyber context, often these operations are carried out remotely. Certainly, if we’re thinking about a cyber attack, and that can be one of the problems that the suspect is in a jurisdiction that refuses to extradite. So I can see why you’d like that as a starting point. Michael, I’ve been leaving you a long time. Thank you for being patient. But I had a question for you, which is for all the panel, but to you to start with, which is really to think about the ICC’s policy more broadly. What are the wider benefits? Do we think there are wider benefits? Do you think states will embrace this? We have heard from Kati that this policy could lead the way. And I certainly think it is groundbreaking and significant. Do you see it as having impact beyond just the ICC?

Michael Karimian: So, in brief, the answer is yes, Harriet. Firstly, I’ll just maybe turn to the other questions you’ve posed to the panel. In terms of prioritising cases, absolutely a long-term view is essential. In an ideal world, once the policy has been released, we would see dozens of cases in front of the court, but of course, perhaps that’s not so likely. Ultimately, it’s up to the prosecutor to decide which cases to prioritise, but one way to think about it would be cases that involve widespread harm to critical infrastructure, as Chantal mentioned, but also critical services such as healthcare, humanitarian organisations or essential utilities. Those are sectors we already see being highly targeted by threat actors anyway, and there are two reasons why I think it’s beneficial to focus on such cases. One is that these attacks pose substantial risks to human life and wellbeing, even if their immediate physical harm might not seem as direct as traditional kinetic violence. Also, prioritising such cases sends a clear international signal about the unacceptable nature that such cyber operations pose when they endanger civilian populations. Again, just briefly, Harriet, on the question of gravity, of course traditional definitions focus on physical violence and direct casualties, but of course cyber-enabled crimes can lead to severe, widespread and prolonged disruptions of essential services, as well as significant economic damage and psychological impacts, again, as has already been mentioned. And so I do think we should consider how such assessments can incorporate not just immediate physical harm, but also the scale, scope and duration of those indirect humanitarian consequences that cyber-enabled crimes can cause. That’s something which perhaps we need to expand upon further. In terms of that question you mentioned there, Harriet, of wider benefits of the ICC’s involvement, I am optimistic that states will embrace the ICC’s initiative on cyber-enabled crimes, because these threats affect everyone really, they transcend borders. There will undoubtedly be challenges and sensitivities around sovereignty and jurisdiction. But despite this, the ICC’s involvement can significantly enhance the legitimacy of international efforts to hold cybercriminals accountable, and quite importantly, to set legal standards and precedents elsewhere. Additionally, I think the ICC’s focus can simulate more robust national action. So Estonia leads the way in its application of the principle of universal jurisdiction. We’d love to see more countries taking such action. Perhaps we will see that. But of course, other benefits we might see include fostering better cross-border cooperation and encouraging public-private partnerships, all of which I think would ultimately contribute to greater global cybersecurity and resilience.

Harriet Moynihan: Thank you, Michael. Thank you for addressing all of those points. And I’m thinking through a bit how this policy could have wider benefits. I’d like to hear from you as well. We start with you, perhaps, Katitza, about the idea of the policy leading the way and having wider impact. So, yeah. Well, I agree with the prosecutor about a specific case that will lead the way, but I want to build upon the last speaker’s comments. I think it’s clear that every year that computer systems are used in various ways in committing, like, mass killings or all kinds of crimes under the Rome Statute. And I think there will be many, many more cases as technology advances and the prosecutors and the authorities start investigating those cases.

Katitza Rodriguez: But at some point, I think, when I was reviewing the draft policy, the OTP mentioned that military cyberattacks targeted against civilians, perhaps including civilian ICT systems, civilian data, and groups of civilians, could conceivably constitute war crimes. even without causing tangible physical injury. And we think that this perspective is useful because of just how important ICT systems are in people’s life, culture, family, life. It’s not just like a hobby, it’s part of how communities and society organize themselves and talk to themselves. And it’s also about organize themselves when there is like a bomb coming and we need to leave the area and maybe we need that mechanism of communication to be able to go to a safe place. And being cut off of that is just like problematic. So cyber attacks against communications infrastructure but also against data or things that will not allow people to get health information or information that is crucial to get timing could be really problematic. And that may lead eventually to personal injury but not directly and I think that’s equally important.

Harriet Moynihan: Thank you. Before we open it up, Kati, Chantal, I’d be interested in your thoughts on this sort of wider question. I mean the question about whether states would be interested in this policy, whether they will be leading the way. There have actually been some states, I should say, that have prosecuted war crimes which involve cyber means. So for example, fighters in Syria who have been filming pictures of dead bodies or maimed bodies and putting them online. They’ve been prosecuted in France and the Netherlands and I think Norway as well actually. So it would be interesting to hear your thoughts on this as a state prosecutor.

Kati Reitsak: Okay, thank you. As Katicia very well pointed out that our societies are changing and the values that we kind of tend to take granted like with all this information technology systems, they are totally different than for example, 10 or 20 years ago. But if you think of the judiciary system. in many countries, the people who are working in judiciary, for example, judges, this is a position for life. So, it means that we might have in the judiciary system very many people who are not, like, they don’t feel comfortable with dealing with this digital era that has dawned upon us, right? So, more and more we have to rely on technical expertise as well. So, I think that, and it’s probably the same in every country, that there always will be people who are willing and wanting to learn and to develop their knowledge. And I think that we should be, and we should help them and assist them. And of course, the private sector’s assistance, the trainings, the investigators have to be trained. So, from a very practical viewpoint, as you pointed out, yes, there are videos and it’s not that complicated to to see whether it’s authentic and what’s the metadata behind this video or a photograph. But still, as they are going more complex and complex, and as you pointed out, these foreign actors, they might be cross-border, we will never see them. And we will have to tell and explain to the court how exactly a very, very sophisticated digital attack has been committed. It definitely needs high-level expertise from outside of the investigative authorities. And just on that point, I would like to point out that, for example, in Estonia, we have a cyber crimes unit in our central criminal police, right? But international crime is being investigated by security service. totally different authorities, with totally different kind of, not background, but their data and their intelligence and their focus is on different things. Therefore, if we are talking about very successful investigations, we also have to see that siloing your data and information between investigative authorities is not an answer, you have to also cooperate and exchange the knowledge that one or the other unit actually has in order to have a successful investigation.

Harriet Moynihan: Thank you. So, joined up not just in a cooperation between states, but even within a state. Yes, very interesting. Thank you. And Chantal, over to you for any final thoughts on this. Yeah, I think from the perspective of civil society, I think we can, also for us,

Chantal Joris: we can use the policy as well in our advocacy. We have plenty of conversations about the role of taking on conflicts. For example, we had one two days ago at IGF itself. So, I think it just helps also to complete the picture from different angles. And also, Kati, you mentioned that it might also be leading the way in terms of the domestic authorities. The ICC has so many jurisdictional constraints plus this element of gravity that you mentioned that makes it a fact that they will not be able to prosecute that many cases. So, I think I find it also very interesting to think about strategic litigations in front of domestic courts under universal jurisdiction provisions. And then, we have the policy showing that it is not something totally far-fetched. And it contains a lot of interesting examples that can be used to think about how we can push the needle further in this aspect. Thank you so much. Well, we’ve got lots of food for thought there.

Harriet Moynihan: And thank you to the panel for coming. for setting us up for the Q&A. So now is the chance, if you’d like to raise a question. We have a microphone here. We already have one questioner. That’s perfect. So feel free to form a queue if you’d like to raise a question. And also, for those of you joining us online, please do type in your questions to Zoom and Chelsea, my online moderator, will help to get those to us. So if I could turn to the first questioner to say your question, please.

Audience: Yeah, Joeri Bokovoy from the Finnish Green Party. Chantal mentioned about crimes against humanity or human rights violations in suppression of information networks. One thing that comes to mind is in, and this is the question more, I guess, to Marko, in which, I guess, capacity does this apply to also partial suppression of network, which we have seen, especially recently in the Southeast Asian territories, where internet shutdowns have been used to push users more to telecommunications in traditional way, which are more easy to surveil and break their privacy in that way. And I have a second question about, Katitza was mentioning the removal of evidence by social media platforms. There are known cases of organized crime being perpetrated or conspired through gaming platforms as well, like the PlayStation Network or different other services, which a lot of them don’t even record or monitor the voice chats, because it’s much cheaper for them to either turn it off in the regions where they’re forced to or just leave it on and not deal with it at all, and basically wash their hands in the regions where they’re not. What can be actually done about that?

Harriet Moynihan: Thank you very much for both questions. So the first question was about… the suppression of networks and internet shutdowns, and thinking about how the proposed policy might be relevant to that. And Marko, perhaps if I turn to you on that one

Marko Milanović: initially. Well, thank you. I mean, it’s an excellent question. So I have to preface it, though, by doing this horrible lawyerly thing, which is to make some… Marko, we’ve lost the sound. I’m not sure if you’re muted. It’s okay, your end. It might be our end. Just give it a minute. Testing. You’re back. Yes. Perfect. Thank you. Good. So the key point I want to make is that most internet shutdowns are human rights violations, right? In particular, they violate freedom of expression. To date, of the examples of various internet shutdowns that many states have done, it is really difficult to find an example of an internet shutdown that could be justified in human rights terms. So most internet shutdowns violate human rights in a relatively straightforward way. However, it is difficult to say, though, that every internet shutdown is a crime for which individuals accrue responsibility at the international level. For example, a crime against humanity. A crime against humanity is defined, for instance, as an act which takes place in the context of a widespread or systematic attack against the civilian population. Crimes against humanity include, for example, things such as murder or extermination. They could include persecution, which is a discriminatory denial of fundamental rights. And one could think of an extreme type of an internet shutdown that could qualify as, for example, persecution. But the vast majority of internet shutdowns will not be criminal. and many others. So that is the sort of point I would make. Remember our policy is not about human rights online, it is about international crimes committed by cyber means. And so only a smaller subset of human rights violations in the digital context will actually accrue criminal responsibility directly under international law. There might again be some shutdowns that could be justified. You saw, for example, how a few days ago Iran shut down the internet on its territory in order to stop cyber attacks from Israel, right, in the context of an armed conflict. That is one of those rare situations where you could think of a justified shutdown, maybe, maybe. Yeah, again, so the fact that most internet shutdowns violate human rights does not however translate to an international crime is the point I would make.

Harriet Moynihan: Thanks Marko, very clearly explaining the distinction there. The other question was about the removal of evidence by social media and the question I mentioned in particular gaming platforms and the fact that they do not even monitor voice chats sometimes, so there is this problem with having evidence and retaining it. I do not know if any of you would like to either pick up on that question or the question about internet shutdowns. Of course, Katitza, you had mentioned this issue of internet shutdowns, so do you have any thoughts on that question?

Katitza Rodriguez: No, I was mentioning more whether it rises or not to a Roma statute crime, and that was more my question from the prosecutor because we are not like super experts on all the court cases that are under the Roma statute right now, so it was whether or not it could potentially rise. I did not understand the question on evidence, on platform, what was the question? I think it was about the fact that you had been talking about preservation of evidence and that sometimes social media platforms have been accused of deleting evidence. With gaming platforms, that might be a problem because sometimes they have even less sort of transparency around what they are doing and they may not even be retaining, recording the evidence at all. We don’t want retention. Retention is different than preservation. Preservation is linked to a specific crime. It’s for a specific period. It’s not mass surveillance. So I don’t know if he is specifically concerned about… What we say in EFF, if it did exist, it will be low access to that data. Some companies have certain policies about how long they retain certain data. Now, when we ask preservation, you know, is when there is like… They don’t have all the necessary information right now to probably… But they ask authorities to preserve it for a period of time for a specific investigation. The nuance in the Romance Statute is that these crimes take 20, 30 years. It’s not crimes that come very fast. They take years and years to change in governments and be able to persecute someone. And how we preserve the evidence and how that will work, how we do a change of cost and custody in a way that, for instance, civil society, who may be more up to date with where evidence and violations have happened, can learn from the traditional human rights in Europe, who have been doing Romance Statute for years, documenting abuses, and trying to do it in the digital age with a chain of custody and all the knowledge that we have about harsh metadata and trying to have these standards. So whenever is the time to bring the case to justice, the evidence can pass a test that the court settles for admissibility of evidence in the court. And that was my point. Not to try to establish laws that will… And I don’t know if that was his concern, that will record all chat or voice communications on all platforms, because that will be the…

Harriet Moynihan: Chantal Joris, Harriet Moynihan, Kati Reitsak, Chantal Joris, Katitza Rodriguez, Michael Karimian Chantal Joris, Harriet Moynihan, Kati Reitsak, Chantal Joris, Michael Karimian Chantal Joris, Harriet Moynihan, Kati Reitsak, Chantal Joris, Michael Karimian

Chantal Joris: Chantal Joris that also, or alignments, that will also favour one side of the conflict over the other. And that’s even on the moderation level and then, of course, even if moderation or removal might be justified then there’s a question around how do you preserve that sort of evidence, what sort of mechanisms you have in place with accountability mechanisms or certain vetted CSOs or international courts so that evidence doesn’t get lost. And again, we’re often talking about extreme… extremely restrictive information environments where journalists are threatened, killed, have to go into exile, where the only evidence that you have really comes from those users that simply witness what’s happening.

Harriet Moynihan: Thank you. And I suppose just one point that’s come out of our Chatham House research is that some of the bigger companies have quite sophisticated systems for at least holding evidence and for providing that evidence to law enforcement, whereas some of the smaller companies, and you mentioned the gaming platforms, but there may be other smaller companies who just not as set up for this. Their procedures aren’t perhaps ready and there may be a role for training and cooperation around those issues. We don’t, as far as I’m aware, we don’t have any questions online yet, so I’m going to throw it back to you, the in-person audience, and we have a question over to you.

Audience: Yeah, good afternoon everyone. I’m Aaron Clements-Hunt. I work for the Heartland Initiative. Thank you Harriet and all the panelists for a really thought-provoking discussion so far. My question is to Michael. There seems to be a pretty clear tension between Microsoft’s admirable work in partnership with the ICC and their now well-documented involvement or links to cyber-enabled crimes. I’m talking in particular about the fact that since the Hamas attack on Israel in October 2023, Microsoft has surged capacity and services to Israeli state entities, including the Ministry of Defense and the IDF. So my question, Michael, is, is Microsoft really in a position to lead private sector efforts to address international crimes enabled by cyber operations when the company itself can be credibly linked to those very crimes? Thank you. So Michael, I didn’t go to you before on the questions we had earlier, so

Harriet Moynihan: feel free to pick up on any of the ones we’ve had already, including the idea of companies cooperating on evidence. But that question was obviously about this question I suppose that came up earlier about the sort of potential for conflicts of interest. how tech companies approach those. As we’ve heard, tech companies are important in this space, their cooperation is vital. But at the same time, it’s important that conflicts of interest are managed. So if you could talk to that. Thank you, Harriet. Glad to do so.

Michael Karimian: Firstly, in terms of the question on internet shutdowns, I really appreciated Marko’s articulation of the way in which the policy will likely relate to internet shutdowns, just broadly, if anyone is interested on this topic. Access Now has done tremendous work in its coalition and campaign in shedding light on the impacts and widespread use of internet shutdowns. And that’s available online at their Keep It On webpage. Definitely encourage colleagues and interested stakeholders to take a look at that. In terms of the earlier question as well on online gaming platforms, historically, the issues we’ve seen there have more fit into the categories of child sex abuse material online, so CSAM, as well as terrorist and violent extremist content, TBEC. But that’s not to say that actually we won’t see connections to the crimes relevant to this policy, more crimes, crimes against humanity and genocide in online gaming platforms, if we take a very long term view as to how actors may engage in those platforms in the long term. As some stakeholders might know, UC Berkeley’s Human Rights Center just submitted evidence to the OTP in relation to a case in Mali, evidence in Mali, which really demonstrates the use of multimedia and outrages upon personal dignity. And actually, it’s possible to see how you would witness similar uses of multimedia in online gaming platforms, too. And so this question of retention in such platforms is really critical. And so, just as you touched upon, Harriet, how companies of different sizes This is a really important topic and I appreciate that it has been brought up. There has been a lot of information in the public domain about this, and Microsoft recently published a blog post in the past month or so, which is available online, and of course I would encourage anyone interested to please take a moment to read that. The blog post seeks to provide insights to the work that Microsoft has been doing to better understand the issues. So for example, we’ve hired an external third party to undertake an independent assessment to identify the extent to which the allegations that came out in the press in January and February were truthful, and as well the company has been undertaking its own investigations in this space by engaging with Microsoft’s subsidiary in Israel, and with that it was found that actually there is no direct connection between the provision of Microsoft services and the conflict in Gaza, and there is work now underway to improve how human rights due diligence is applied in these contexts built upon the company’s long-standing human rights policies and practices. To the kind of question, Aaron, which you pose as well about the conflict of interest and tensions here, and Harry, you picked up on this earlier, this also came up in the discussion so far, that this is a challenge whereby these large platform companies provide products and services to a wide range of customers around the world, and those customers in turn can use products and services in harmful ways. This is a challenge that has existed across how companies apply the UN guiding principles on business and human rights. an extent to which they can effectively conduct human rights due diligence and, where needed, have remedy and transparency in place. This is not unique to the issues that we’re discussing here in the context of the ICC’s, OTP’s upcoming policy but it does demonstrate I think not just the responsibility that companies have. Companies of course have a responsibility to respect domestic law, they also have a responsibility to respect international law including international criminal law. And when Microsoft’s human rights policy was last debated, which I believe was 2019, and the policy is available at microsoft.com slash human rights, intentionally the wrong statute was included in the list of human rights frameworks and individual conventions and frameworks which the company looks to when it seeks to uphold its corporate responsibility to respect human rights. And so that recognition is there and this policy I think will go a long way to assisting technology companies including Microsoft among others to be better at respecting international criminal law as well as identifying the role that they can play in helping all actors address cyber-enabled crimes. Thank you Michael and I recommend that blog post

Harriet Moynihan: as well. We are also going to have another opportunity to go to in-person questions if there are any questions. I think there was one over there so thank you. If you’d like to say where you come from before you say the question thank you. Of course, I also want to remind you that there are two more people who want to ask the questions. Thank you so much for an excellent panel.

Audience: My name is Vilda and as a criminologist I’ve spent a lot of time looking at traditional crime versus cybercrime and the differences between them and obviously there are a lot of similarities but in my opinion cybercrime has so many unique elements to it that it’s hard to sort of treat them the same way. So I would love to hear your thoughts on this. When setting up a system to deal with cybercrime, where do we, in which part can we use the tools that we already know and where do we have to start from scratch? Thank you. Thank you. And now Kati, I’m going to go to you on that but

Harriet Moynihan: you’re very welcome to touch on any of the things that we’ve heard in all the questions if you have thoughts. I mean it’s similar to the point in a way that we were talking about organized crime and cybercrime but if in your experience you’re seeing anything that’s, you know, some of the unique features that the questioner mentioned and how those can be addressed.

Kati Reitsak: Thank you for the question. Yes, it might seem and it definitely is that investigating cybercrime, there are so many nuances that one must know in order to get the evidence from the private partners, in order to seize the evidence quickly, as I said, as it is very, very prone to being deleted. So, this is the cooperation part which in some ways is the same but investigators have been training, have had extensive training also on how to, for example, seize digital devices in order not to compromise the material that is in the digital devices. Also, we should not forget digital currency because we have to, as organized crime and crime in itself, you know, there is financial interests moving in these circles also and in order for the crime not to pay, states also have an obligation to seize possible criminal assets, whether they are in a physical or crypto form also and this needs a specific knowledge and training. and our investigators in cybercrime units are trained to do that. But in the end, sometimes it all comes down to the good old ways of collecting evidence. For example, you have to have, as these are all covered crimes, you don’t necessarily have a victim if we’re talking just about cybercrimes. And who could point out the actor, you need intelligence. You need good old-fashioned intelligence, which is very difficult to get if these actors are not in your own country. And this, of course, then intelligence agencies and their partnerships are coming to role. If we are talking about organized crime, cyber-enabled international crime, I wanted to point out this aspect before. And also, when civil society was talking about communicating with victims and witnesses, actually, and collecting evidence themselves. In a matter of trust, it’s also important not the partners only to trust each other, but the victims and witnesses to trust the law enforcement in order to turn to us. Because in many countries, it’s not like that. In Estonia, we see that most people, we trust law enforcement and we don’t fear retaliation if we turn to the police, right? But it’s not like that in many countries. So, even if we have, for example, citizens of other countries who are on Estonian territory and could be valuable witnesses or victims of international crimes, it’s also difficult to gain that trust. Because they’re in a foreign country, they don’t know. They don’t know what’s going on, they don’t know the traditions or the background. So this is also something we have to address as law enforcement representatives. Also, if we are talking that digital evidence might disappear, so can human evidence disappear. Because judicial systems are very different of how we accept a person’s testimony. For example, if we go to trial in Estonia, just this written paper, maybe in pre-trial phase, this means nothing, it’s nothing, unless I have to bring the person into court, they have to be cross-examined, and then it will be like good evidence. Otherwise, I will not be able to use this kind of pre-trial piece of paper testimony, maybe only if the person is dead, or yeah, maybe, that’s about it. But this is our own national kind of specifics, every national system has its own. So we have to think about preserving human evidence as well. Maybe because you are absolutely right, after 10, 20 years, 30 years, these crimes against, I’m sorry, these international crimes, they don’t have any statute limitations.

Harriet Moynihan: Thank you, and interesting to hear some of the similarities as well as the differences and unique features. Now we haven’t got many minutes left, so we’re going to have the two questions together, and if you could be brief, and the responses will be brief, then we can stick to time. Over to you.

Audience: Yes, thank you. My name is Christian Faizili, I’m a public prosecutor from the Democratic Republic of Congo, and thank you for the insightful presentation and discussion. The situation in the DRC, as you know, recently, our courthouse has been destroyed when the M23 took over the town. So I would like to know how can prosecutors prove command responsibility via digital traces if our forensic labs in Goma and Bukavu are destroyed? Another one is how can Article 28 of the Rome Statutes apply for foreign officials enabling civil war crimes? If not, how do we close these impunity gaps? Thank you very much. Thank you. Hi, my name is Meredith. I’m with the Business and Human Rights Resource Center. Thank you for this fantastic panel. My question actually is for Marko about any updates to the draft policy. Chantal had pointed out that the language is very much in favor of corporate cooperation for getting what’s needed in order to effectively implement the new policy. But is there a shift now that we can expect in relation to accountability, given, as you mentioned, that making sure that individuals are accountable for these crimes is the key ethos behind the document as such, including tech executives who may be involved in execution of some of this, whether or not there is explicit instructions coming from a state? Thank you.

Harriet Moynihan: Thank you very much to both of you. Given time, we’re going to have very quick responses. Marko, I think one of those questions was directed to you, but if you wanted to pick up on any of them, then please do. I just have one minute.

Marko Milanović: Sure. On superior responsibility, I would simply direct you to looking at the draft policy. The draft policy directly addresses questions of liability for modes of liability other than direct commission, and it includes a discussion of superior responsibility. So we do think that an individual can be responsible by those means by article 28 of the statute, including for cyber-enabled crimes. I will not talk about specific situations though. On the question of corporate actors and accountability, we have had very productive engagement with civil society organizations in particular, those focused on business and human rights, and we took their comments on board, and you will see the exact formulations the policy will use when the final text comes out, but I can assure you that the policy does include language that acknowledges the potential criminal responsibility of corporate executives. Thank you, Marko, and thank you for being brief. I’m sure that we all have further comments, but I’m very conscious of time, so I would just like to take this moment to do a bit

Harriet Moynihan: of summing up before we close. I think we’ve heard that existing international criminal law is very much fit for purpose and able to deal with cyber-enabled international crimes, and we look forward to the proposed policy coming out, but we’ve also heard a lot about the challenges, a lot of which relate to the cross-border nature of these crimes and the digital evidence and managing that. We’ve been reminded about the importance of international human rights law and also conflicts of interest in managing those. Above all, cooperation networks are vital, and we’ve heard about the importance of partnerships and given many examples of those, and I’m sure there will be more to come as they’ll need to be strengthened in order to tackle these kind of crimes. So we look forward to not only the policy itself, but the influence it will surely have on different national jurisdictions as they think about how to prosecute cyber-enabled crimes. It remains for me to thank you in the room for actively participating and for your questions, to thank those of you who joined us online, and to thank this wonderful panel. If you could join me in thanking them. And finally, thank you to Microsoft and the International Criminal Court for co-hosting this event, and I’ll end it there. Thank you. Thank you.

Marko Milanović

Speech speed

144 words per minute

Speech length

1569 words

Speech time

653 seconds

The ICC Office of the Prosecutor is developing a policy to address international crimes committed through cyber means, focusing on genocide, war crimes, crimes against humanity, and aggression rather than ordinary cybercrime

Explanation

The policy explains how the Rome Statute can be applied to international crimes committed or facilitated by cyber means, distinguishing these from ordinary cybercrimes like hacking or fraud. The focus is specifically on the core international crimes under ICC jurisdiction.

Evidence

Agreed with

– Kati Reitsak

Agreed on

Starting with smaller, less complex cases for ICC prosecution

Disagreed with

– Michael Karimian

Disagreed on

Case prioritization strategy – complexity vs. scope

Katitza Rodriguez

Speech speed

140 words per minute

Speech length

1840 words

Speech time

784 seconds

Civil society supports the policy’s focus on existing Rome Statute crimes rather than creating new crime categories, which helps avoid overly broad cybercrime laws that undermine human rights

Explanation

The Electronic Frontier Foundation appreciates that the policy explains how technology can be used to commit existing crimes rather than creating entirely new categories of crimes. This approach helps guard against the pitfalls of overly broad cybercrime laws that have been used domestically to undermine human rights.

Evidence

EFF submitted comments on the OTP policy consultation together with Derecho Digitales with specific recommendations

Major discussion point

ICC Policy on Cyber-Enabled International Crimes

Topics

Human rights | Legal and regulatory | Cybersecurity

Agreed with

– Marko Milanović

Agreed on

Support for ICC policy focusing on existing Rome Statute crimes

Evidence must remain admissible in court for decades, but algorithms and platform policies can delete crucial proof forever

Explanation

Digital evidence in international criminal cases must last for 10-30 years to remain courtroom ready, but automated systems can permanently delete this evidence. A single mobile phone clip can expose a massacre, but an algorithm can delete that proof forever.

Evidence

Reference to Guatemala National Police Archive with 18 million pages of paper records used in prosecutions, and Patrick Ball’s work on regime files being central for trials of former heads of state

Major discussion point

Evidence Collection and Preservation Challenges

Topics

Legal and regulatory | Human rights | Cybersecurity

Agreed with

– Michael Karimian
– Kati Reitsak

Agreed on

Evidence preservation challenges in cyber-enabled crimes

Human rights | Legal and regulatory | Cybersecurity

Cross-border malware campaigns targeting ethnic groups and diaspora communities for transnational repression should be investigated to determine if they rise to Rome Statute crime levels

Explanation

There is much unknown about the scope, scale and purpose of cross-border malware campaigns targeted against ethnic groups and diaspora communities used for transnational repression. These campaigns should be investigated to understand whether they may rise to the level of Rome Statute crimes.

Evidence

These campaigns may be facets of larger persecution campaigns with both online and offline elements, where malware could be used to identify targets for physical attacks or persecution

Major discussion point

Case Prioritization and Prosecution Strategy

Topics

Human rights | Cybersecurity | Legal and regulatory

Michael Karimian

Speech speed

142 words per minute

Speech length

1809 words

Speech time

761 seconds

Digital evidence in cyber-enabled crimes is ephemeral and easily lost, requiring rapid identification and preservation using sophisticated technical capabilities

Explanation

Cyber-enabled crimes leave behind digital traces that are easily lost, deleted or altered, requiring swift action. Technology companies have developed sophisticated capabilities for rapid detection, attribution and preservation of digital evidence that can secure time-sensitive evidence before traditional law enforcement can respond.

Evidence

Microsoft’s Digital Crimes Unit uses advanced threat intelligence, machine learning and sophisticated analytics to identify and preserve relevant evidence from cyber operations

Major discussion point

Evidence Collection and Preservation Challenges

Topics

Cybersecurity | Legal and regulatory

Agreed with

– Katitza Rodriguez
– Kati Reitsak

Agreed on

Evidence preservation challenges in cyber-enabled crimes

Disagreed with

– Katitza Rodriguez

Disagreed on

Evidence preservation approach – targeted vs. mass retention concerns

The private sector plays crucial roles in rapid evidence preservation, attribution, cross-border cooperation, and ensuring procedural integrity in cyber-enabled crime investigations

Explanation

Private sector entities bring unique technical capabilities across multiple areas of cyber-enabled crime investigation. They provide essential services from the beginning of investigations through to evidence submission in trials, requiring active rather than passive cooperation.

Evidence

Microsoft’s global telemetry and network visibility enables granular tracking of cyber-threat actors including state-sponsored groups, and partnerships like collaboration with Europol where investigators are embedded within the European Cybercrime Center

Major discussion point

Public-Private Partnerships and Cooperation

Topics

Cybersecurity | Legal and regulatory

Estonia leads the way in applying universal jurisdiction principles, and the ICC’s focus could encourage more countries to take similar action

Major discussion point

Broader Impact and International Cooperation

Topics

Legal and regulatory | Cybersecurity

Kati Reitsak

Speech speed

118 words per minute

Speech length

National courts can look to the ICC as a beacon leading the way and be encouraged by its systematic approach to cyber-enabled international crimes

Explanation

The ICC’s systematic approach to cyber-enabled international crimes can serve as guidance for national prosecutors and courts. This leadership role can encourage national jurisdictions to develop their own capabilities and approaches to these complex cases.

Major discussion point

Broader Impact and International Cooperation

Topics

Legal and regulatory | Cybersecurity

Chantal Joris

Speech speed

141 words per minute

Speech length

Broader Impact and International Cooperation

Topics

Human rights | Legal and regulatory

Harriet Moynihan

Speech speed

171 words per minute

Speech length

2966 words

Speech time

1035 seconds

The policy represents a groundbreaking initiative that can lead the way for national jurisdictions and set important legal precedents

Explanation

The ICC’s policy on cyber-enabled crimes is described as groundbreaking and significant, representing an important milestone in investigating and prosecuting international crimes committed through cyber means. It is expected to have influence beyond just the ICC itself.

Evidence

The policy is being jointly hosted by the ICC and Microsoft, and Chatham House is conducting complementary research to be published in January

Major discussion point

ICC Policy on Cyber-Enabled International Crimes

Topics

Legal and regulatory | Cybersecurity

Audience

Speech speed

141 words per minute

Speech length

689 words

Speech time

292 seconds

The distinction between traditional and cyber crimes requires understanding which existing tools can be used versus where new approaches must be developed from scratch

Explanation

A criminologist’s perspective highlighting that while there are similarities between traditional crime and cybercrime, cybercrime has many unique elements that make it difficult to treat them the same way. The question focuses on identifying where existing tools can be applied versus where completely new approaches are needed.

Major discussion point

Attribution and Technical Challenges

Topics

Cybersecurity | Legal and regulatory

Agreements

Agreement points

Starting with smaller, less complex cases for ICC prosecution

Speakers

– Marko Milanović
– Kati Reitsak

The ICC Office of the Prosecutor is developing a policy to address international crimes committed through cyber means, focusing on genocide, war crimes, crimes against humanity, and aggression rather than ordinary cybercrime

Civil society supports the policy’s focus on existing Rome Statute crimes rather than creating new crime categories, which helps avoid overly broad cybercrime laws that undermine human rights

Summary

Both speakers support the approach of applying existing international criminal law to cyber-enabled crimes rather than creating entirely new categories of offenses

Topics

Legal and regulatory | Human rights | Cybersecurity

Legal and regulatory | Cybersecurity

Unexpected consensus

Private sector as indispensable partner despite potential conflicts of interest

Speakers

– Michael Karimian
– Chantal Joris
– Katitza Rodriguez

Arguments

Strong public-private collaboration is indispensable rather than merely advantageous for effectively prosecuting cyber-enabled international crimes

Tech companies often provide services to conflict parties while simultaneously holding evidence needed for prosecutions, creating complex conflicts of interest that must be managed

Companies face improper incentives to mass delete information to avoid liability, potentially destroying evidence before courts can examine it

Explanation

Despite representing different perspectives (private sector vs civil society), there is unexpected consensus that private sector involvement is essential while simultaneously acknowledging the serious conflicts of interest and challenges this creates

Topics

Cybersecurity | Legal and regulatory | Human rights

Need for technical expertise from outside traditional law enforcement

Speakers

– Kati Reitsak
– Michael Karimian

Arguments

Successful investigations require judicial frameworks with international partners and extensive technical expertise from outside investigative authorities

Attribution is one of the most complex challenges in prosecuting cyber-enabled crimes, requiring ability to track activity across different digital infrastructures and jurisdictions

Explanation

A state prosecutor and private sector representative unexpectedly agree that traditional law enforcement lacks sufficient technical capabilities and must rely on external expertise, representing acknowledgment of institutional limitations

Topics

Legal and regulatory | Cybersecurity

Overall assessment

Summary

There is strong consensus among speakers on the fundamental challenges of cyber-enabled crime prosecution, the need for multi-stakeholder cooperation, evidence preservation difficulties, and the value of the ICC policy as a guiding framework. Agreement spans across different sectors (prosecutors, civil society, private sector, academia) on core operational and legal principles.

Consensus level

High level of consensus with significant implications for successful implementation of cyber-enabled crime prosecution. The broad agreement across diverse stakeholders suggests strong foundation for developing effective international cooperation mechanisms and legal frameworks, though practical implementation challenges around conflicts of interest and technical capabilities remain to be addressed.

Differences

Different viewpoints

Case prioritization strategy – complexity vs. scope

Speakers

– Marko Milanović
– Michael Karimian

Arguments

Starting with smaller, less complex cases like Article 70 offenses against the administration of justice would be preferable to establish capabilities before tackling sophisticated state actors

Cases involving widespread harm to critical infrastructure and essential services should be prioritized as they pose substantial risks to human life and send clear international signals

Summary

Marko advocates for starting small with less complex cases like administration of justice offenses to build capabilities, while Michael argues for prioritizing cases with widespread harm to critical infrastructure that send stronger international signals, representing different strategic approaches to establishing precedent.

Topics

Legal and regulatory | Cybersecurity

Evidence preservation approach – targeted vs. mass retention concerns

Speakers

– Katitza Rodriguez
– Michael Karimian

Arguments

Companies face improper incentives to mass delete information to avoid liability, potentially destroying evidence before courts can examine it

Digital evidence in cyber-enabled crimes is ephemeral and easily lost, requiring rapid identification and preservation using sophisticated technical capabilities

Summary

Katitza focuses on the problem of over-deletion by companies trying to avoid liability, advocating for targeted preservation orders, while Michael emphasizes the need for rapid technical preservation capabilities, representing different perspectives on balancing evidence preservation with privacy concerns.

Topics

Human rights | Legal and regulatory | Cybersecurity

Unexpected differences

Scope of gravity assessment for international crimes

Speakers

– Michael Karimian
– Chantal Joris

Arguments

Cases involving widespread harm to critical infrastructure and essential services should be prioritized as they pose substantial risks to human life and send clear international signals

Explanation

While both speakers acknowledge that cyber operations can cause significant harm beyond direct physical violence, they disagree on how broadly to interpret gravity. Michael advocates for including infrastructure attacks with indirect humanitarian consequences in prioritization, while Chantal is more cautious about expanding the scope, emphasizing that most digital rights violations don’t rise to international crime levels despite their serious impact.

Topics

Human rights | Legal and regulatory | Cybersecurity | Infrastructure

Overall assessment

Summary

The discussion reveals relatively low levels of fundamental disagreement, with most tensions arising around strategic approaches rather than core principles. Main areas of disagreement include case prioritization strategies (starting small vs. high-impact cases), evidence preservation approaches (targeted vs. comprehensive), and the scope of gravity assessment for international crimes.

Disagreement level

Low to moderate disagreement level. The speakers largely agree on the importance of the ICC policy, the need for multi-stakeholder cooperation, and the application of existing international criminal law to cyber-enabled crimes. Disagreements are primarily tactical and strategic rather than fundamental, which suggests good prospects for developing consensus approaches while allowing for different implementation strategies based on specific circumstances and institutional capabilities.

Partial agreements

Similar viewpoints

Both civil society representatives emphasize the critical importance of maintaining human rights standards in cyber-enabled crime investigations and prosecutions

Speakers

– Katitza Rodriguez
– Chantal Joris

Arguments

All investigations must respect international human rights law frameworks including necessity, legality, proportionality, and transparency with proper oversight mechanisms

Topics

Human rights | Legal and regulatory | Cybersecurity

Both speakers acknowledge the dual role of technology companies as both essential partners in investigations and potential contributors to the crimes being investigated

Speakers

– Michael Karimian
– Chantal Joris

Arguments

The private sector plays crucial roles in rapid evidence preservation, attribution, cross-border cooperation, and ensuring procedural integrity in cyber-enabled crime investigations

Tech companies often provide services to conflict parties while simultaneously holding evidence needed for prosecutions, creating complex conflicts of interest that must be managed

Topics

Cybersecurity | Legal and regulatory | Human rights

Both speakers see the ICC policy as having significant influence beyond the ICC itself, serving as guidance for national jurisdictions

Speakers

– Kati Reitsak
– Harriet Moynihan

Arguments

National courts can look to the ICC as a beacon leading the way and be encouraged by its systematic approach to cyber-enabled international crimes

The policy represents a groundbreaking initiative that can lead the way for national jurisdictions and set important legal precedents

Topics

Legal and regulatory | Cybersecurity

Takeaways

Key takeaways

The ICC’s proposed policy on cyber-enabled international crimes represents a groundbreaking initiative that applies existing Rome Statute crimes (genocide, war crimes, crimes against humanity, aggression) to cyber means rather than creating new crime categories

Digital evidence preservation is critical but challenging due to its ephemeral nature – evidence must remain admissible for decades while platforms may delete it through automated systems or compliance policies

Public-private partnerships are indispensable for successful prosecutions, with tech companies providing crucial capabilities in evidence preservation, attribution, and cross-border cooperation

International human rights law must be respected throughout investigations, with concerns about avoiding evidence gathered through abusive surveillance powers

Starting with smaller, less complex cases (like Article 70 administration of justice offenses) would be preferable to establish precedents before tackling sophisticated state actors

Cross-border cooperation and trust between partners are essential, requiring both formal frameworks and personal connections for swift action

The policy will likely have broader impact beyond the ICC, leading the way for national jurisdictions and setting important legal precedents

Resolutions and action items

The ICC Office of the Prosecutor will revise the draft policy based on public consultation comments and formally promulgate it at the Assembly of States Parties later this year

Chatham House will publish a research paper on cyber-enabled international crimes in January to complement the ICC’s work

Microsoft mentioned ongoing work including hiring external third parties for independent assessments and improving human rights due diligence processes

The policy will include language acknowledging potential criminal responsibility of corporate executives based on civil society feedback

Unresolved issues

How to effectively manage conflicts of interest when tech companies both provide services to conflict parties and hold evidence needed for prosecutions

Whether and how internet shutdowns and mass surveillance campaigns could rise to the level of Rome Statute crimes versus human rights violations

How to assess gravity in cyber-enabled crimes context – whether traditional focus on death and physical harm needs to be expanded to include indirect humanitarian consequences

How prosecutors can prove command responsibility via digital traces when forensic labs are destroyed in conflict zones

How to address evidence preservation challenges with smaller gaming platforms and companies that lack sophisticated retention systems

How to build trust with victims and witnesses from different countries who may fear law enforcement

How to preserve human evidence over the decades-long timeframes typical for international crimes prosecutions

Suggested compromises

Platforms should honor public interest exceptions for content with educational, documentation, or newsworthy value even if graphic, rather than implementing blanket takedown orders

Evidence preservation orders should be used for specific investigations rather than mass surveillance or blanket data retention requirements

The ICC should focus on cooperation with vetted civil society organizations and accountability mechanisms for evidence preservation rather than requiring broad platform monitoring

This comment brought crucial practical reality to the discussion by highlighting how national procedural requirements can be even more restrictive than international ones. It shows how cyber-enabled crimes, often committed remotely, create particular challenges for domestic prosecution.

Impact

This observation grounded the theoretical discussion in practical prosecutorial challenges, leading to consideration of jurisdictional issues and the importance of having suspects physically present. It influenced the conversation about which cases to prioritize and highlighted the complexity of cross-border cyber crimes.

Overall assessment

Explanation

Automated content removal systems may delete crucial evidence of international crimes, requiring mechanisms to preserve such content for potential prosecutions while respecting community standards.

Nri Collaborative Session Navigating Global Cyber Threats Via Local Practices

Session at a glance

Summary

This discussion focused on navigating global cyber threats through multi-stakeholder cooperation, examining how national, regional, and international collaboration can build stronger cybersecurity frameworks while balancing innovation, security, and human rights protection. The panel featured representatives from Internet Governance Forums across Ecuador, Netherlands, Panama, Serbia, and South Africa, moderated by Jennifer Chung from DotAsia.

Carlos Vera from Ecuador IGF emphasized four key principles for addressing AI and IoT cybersecurity concerns: security by design, local empowerment through capacity building, participatory governance involving all stakeholders, and global frameworks adapted to local realities. He stressed that ethics must apply not only to end users but also to governments and companies handling sensitive information. Dejan Djukic from Serbia’s registry operator highlighted the challenge of regulation keeping pace with rapidly evolving technology, noting that community involvement is essential since regulatory responses are often too slow. He illustrated the complexity of DNS abuse mitigation through a recent case involving illegal weapons sales, demonstrating how multi-stakeholder cooperation between registries, registrars, and law enforcement is crucial for effective action.

Lia Hernandez from Panama emphasized that cybersecurity must become a permanent state policy rather than shifting with political administrations, and that legal frameworks need updating to address new cybercrime trends. Dennis Broeders focused on the critical challenge of information sharing for cybersecurity resilience, explaining how various stakeholders—intelligence agencies, companies, and threat intelligence firms—have institutional disincentives to share valuable security information despite its collective benefits. Latty Thlaka from South Africa described their comprehensive national approach including the Cybersecurity Hub and multi-stakeholder structures, while acknowledging tensions between cybersecurity laws and privacy protections. The discussion concluded with consensus that cybersecurity requires inclusive governance, harmonized international frameworks, continuous capacity building, and recognition that defending networks ultimately means defending people, democracy, and human dignity in the digital world.

Keypoints

## Major Discussion Points:

– **Balancing Innovation with Security in Emerging Technologies**: The panel discussed how AI and IoT are transforming communities while creating new cybersecurity risks, particularly for local communities with limited digital literacy. Key concerns include data privacy violations, vulnerable infrastructure in smaller organizations, and the need for “security by design” approaches.

– **Information Sharing Challenges and Incentives**: A significant focus on the barriers to cybersecurity information sharing between organizations, including intelligence agencies, companies, and threat intelligence firms. The discussion highlighted how different stakeholders have conflicting incentives – companies fear reputational damage and liability, while intelligence agencies prioritize secrecy over transparency.

– **Multi-stakeholder Cooperation and Governance**: Emphasis on the need for inclusive, multi-stakeholder approaches to cybersecurity that involve government, private sector, civil society, academia, and local communities. Several speakers stressed that underrepresented groups, including youth and marginalized communities, must have seats at the decision-making table.

– **Regional Variations in Legal Frameworks**: Discussion of how different regions are adapting international cybercrime conventions (Budapest Convention and UN Cybercrime Convention) to local contexts, with speakers noting that “one size fits all” approaches don’t work and that legal frameworks must consider local political, geographical, and economic realities.

– **Capacity Building and Local Empowerment**: Strong emphasis on the need for comprehensive education and capacity building programs that go beyond technical training to include citizens, local leaders, and law enforcement. Speakers highlighted the importance of utilizing local talent from universities and ensuring cybersecurity becomes a sustained state policy priority rather than changing with political administrations.

## Overall Purpose:

The discussion aimed to explore how national, regional, and multi-stakeholder cooperation can build stronger global cybersecurity resilience while balancing innovation, security, and human rights protection. The session focused on examining the tension between cybersecurity legislation and privacy/data protection, sharing best practices from different regions, and identifying actionable approaches for addressing evolving cyber threats through inclusive governance models.

## Overall Tone:

The discussion maintained a collaborative and constructive tone throughout, with speakers building upon each other’s points rather than disagreeing. The atmosphere was professional yet accessible, with moderator Jennifer Chung effectively facilitating engagement between panelists and audience members. The tone became increasingly solution-oriented as the session progressed, moving from problem identification in the early presentations to concrete recommendations and calls for action in the latter portions. There was a consistent emphasis on pragmatism over idealism, with speakers acknowledging the complexities and trade-offs involved in cybersecurity governance while maintaining an optimistic outlook about the potential for multi-stakeholder cooperation to address these challenges.

Speakers

**Speakers from the provided list:**

– **Jennifer Chung** – Moderator, affiliated with DotAsia

– **Carlos Vera** – Executive Director of ISOC Ecuador, affiliated with IGF Ecuador

– **Dennis Broeders** – Professor of Global Security and Technology, Senior Fellow at the Hague Program on International Cyber Security, Institute of Security and Global Affairs at Leiden University, Project Coordinator of EU Cyber Direct, affiliated with Netherlands IGF

– **Lia Hernandez** – Founder of Appendatech, affiliated with Panama IGF, Panamanian lawyer working in Central American region and Spanish-speaking Caribbean

– **Dejan Djukic** – CEO of RNIDS, affiliated with Serbia IGF

– **Latty Thlaka** – Chairperson of the South Africa IGF multistakeholder committee, affiliated with South Africa IGF

– **Bangladesh IGF representative** – Mohammad Abdullah Gono, Secretary-General of Bangladesh Internet Governance Forum

– **Godsway Kubi** – Lead facilitator for online cybersecurity, representing Ghana IGF, online moderator

– **Mary Uduma** – Representative from Nigeria Internal Registration Association, .NG managers

– **Audience** – Dr. Nazar (specific role/title not clearly mentioned)

**Additional speakers:**

– **Emmanuel** – Remote participant who asked questions online (specific role/expertise not mentioned)

Full session report

# Navigating Global Cyber Threats Through Multi-Stakeholder Cooperation: Discussion Report

## Introduction

This discussion examined building global cybersecurity resilience through multi-stakeholder cooperation, bringing together representatives from Internet Governance Forums across multiple countries. Moderated by Jennifer Chung from DotAsia, the session featured Carlos Vera (Executive Director of ISOC Ecuador), Dennis Broeders (Professor at Leiden University), Lia Hernandez (Founder of Appendatech, Panama), Dejan Djukic (CEO of RNIDS, Serbia), Latty Thlaka (Chairperson of South Africa IGF), with audience participation from Mohammad Abdullah Gono (Secretary-General of Bangladesh IGF), Godsway Kubi (Ghana IGF), and Mary Uduma (Nigeria Internal Registration Association). Godsway Kubi also served as online moderator, facilitating questions from the online platform.

Jennifer Chung opened by highlighting the scale of the challenge: “Global cyber crime is projected to cost 10.5 trillion annually by this year,” emphasizing the need for collaborative approaches to address cybersecurity threats while balancing innovation, security, and human rights protection.

## Key Speaker Perspectives

### Emerging Technology Challenges: AI and IoT Security

Carlos Vera from Ecuador IGF addressed cybersecurity concerns in AI and IoT technologies, outlining four fundamental principles. First, security by design, ensuring cybersecurity is embedded from initial development stages. Second, local empowerment through capacity building, investing in training citizens and local leaders. Third, participatory governance involving all stakeholders. Fourth, global frameworks adapted to local realities.

Vera highlighted specific concerns including data privacy violations in communities with limited digital literacy, vulnerable infrastructure in smaller organizations lacking cybersecurity resources, and trust issues affecting rural communities and minorities.

Significantly, Vera reframed the ethics discussion: “We are talking about ethics, but it’s not only what you as a user can and cannot do. It has to be also with what governments and what companies can and cannot do. They have all the information, they have all the knowledge. They only do not release the final user. So we have to work on ethics also beyond the final users.”

### Information Sharing Challenges

Dennis Broeders identified information sharing as a critical barrier to effective cybersecurity cooperation. He explained how various stakeholders have institutional disincentives to share valuable security information despite collective benefits.

“Sharing would be fantastic. I love sharing, it’s very nice. But institutionally, many of these organisations are biased against sharing. They have no interest in sharing or they have interest in sharing certain things, but not other things,” Broeders observed.

He noted that intelligence agencies prioritize secrecy, companies fear reputational damage from disclosing incidents, and threat intelligence firms view information as intellectual property. However, he highlighted successful models, particularly C-certs and the cert community, which are effective at information sharing due to their health and safety approach rather than security-focused mindset.

Broeders also distinguished between public and private approaches to infrastructure management: “We have larger and larger companies doing things that traditionally were public utilities, but we have put them in the hands of private corporations who do not have a public ethos. They have a private ethos, they’re there to make money.”

### Regulatory Implementation and Multi-Stakeholder Cooperation

Dejan Djukic from Serbia highlighted challenges of regulation keeping pace with rapidly evolving technology. He emphasized that while regulation is necessary, it is often too slow to follow technology evolution, requiring community involvement to fill gaps.

Djukic provided a concrete example involving illegal weapons sales websites, describing a multi-week process involving registrars, police, and prosecutors that demonstrated how multi-stakeholder cooperation between registries, registrars, and law enforcement is crucial for effective action.

He noted that stricter regulations like the NIS2 directive create compliance costs, raising questions about whether expanding reporting obligations will actually create more resilience as intended.

### Global South Perspectives on Policy Continuity

Lia Hernandez from Panama emphasized that cybersecurity must become permanent state policy rather than shifting with political administrations: “It’s necessary that the states establish the issues of cybersecurity or cybercrime like as a state policy. Most of the countries in Central America and the Caribbean, they change of government every four or five years. And for that reason, they also change the priorities.”

Hernandez argued that legal frameworks need updating to address new cybercrime trends and expressed skepticism about existing international conventions, suggesting countries should take the best elements from both the Budapest Convention and UN Cybercrime Convention rather than wholesale adoption.

### Human Rights and Multi-Stakeholder Governance

Latty Thlaka from South Africa described their national approach, including the Cybersecurity Hub and multi-stakeholder structures, while acknowledging tensions between cybersecurity laws and privacy protections. She mentioned specific frameworks including the SADC strategy and AU Malabo Convention.

Thlaka emphasized that “Cybersecurity resilience is not just about defending networks, it’s about defending people, democracy, and dignity in a digital world,” framing cybersecurity as fundamentally a human rights, development, and governance issue.

She described South Africa’s comprehensive legal framework but acknowledged implementation challenges and potential overreach, noting growing tension between cybersecurity laws and constitutional duties to uphold privacy and data protection.

## Audience Participation and Additional Perspectives

Mohammad Abdullah Gono from Bangladesh IGF reinforced the importance of community-based awareness and multi-stakeholder engagement, arguing these approaches are more effective than top-down strategies.

Mary Uduma from Nigeria’s .NG registry emphasized that capacity building with law enforcement is crucial for effective cybercrime response, noting that many law enforcement agencies lack technical understanding necessary to effectively investigate and prosecute cybercrimes.

Online questions facilitated by Godsway Kubi included inquiries from Emmanuel about international frameworks for Global South law enforcement agencies, highlighting the global nature of these challenges.

Dr. Nazar from the audience highlighted that local universities create skilled young people whose talents are underutilized by companies and governments, raising questions about better integrating available local cybersecurity expertise.

## Key Themes and Observations

The discussion revealed several recurring themes. Multi-stakeholder cooperation emerged as essential, with all speakers emphasizing that cybersecurity challenges require collaborative approaches involving government, civil society, private sector, technical community, and citizens.

Information sharing was recognized as crucial but facing significant practical barriers, with institutional disincentives preventing effective implementation despite acknowledged benefits.

Capacity building across all stakeholder groups was consistently emphasized, extending beyond technical training to include broader digital literacy and understanding.

The effectiveness of internet governance organizations, particularly C-certs, was noted as a successful model for information sharing due to their health and safety approach rather than security-focused mindset.

## Different Approaches to Implementation

While speakers agreed on fundamental principles, they offered different perspectives on implementation strategies. Dennis Broeders emphasized the need for regulation when private companies prioritize profit over public interest, arguing that voluntary cooperation has limitations.

Carlos Vera, however, emphasized citizen empowerment and democratic accountability: “We, the citizens, have not to forget that we are the boss, really. If the government doesn’t have the capacity to share the responsibility, the accountability, and the decision-making process, we can change the government. And if the company doesn’t work observing the right condition of the consumers, we can change the company.”

## Conclusion

The discussion demonstrated cybersecurity as a complex challenge requiring coordinated responses across multiple domains. Speakers consistently moved beyond technical solutions to address questions of accountability, democratic governance, and human rights in the digital age.

The session highlighted both the potential for multi-stakeholder cooperation and the practical challenges of implementation, from institutional barriers to information sharing to the need for policy continuity across changing governments. The conversation emphasized that cybersecurity is not merely a technical issue but a governance challenge requiring inclusive approaches that protect both networks and fundamental human rights.

Carlos Vera’s closing emphasis on citizen agency provided a framework for understanding cybersecurity governance as fundamentally about democratic participation and accountability, where citizens have both responsibility and power to influence the future of cybersecurity governance.

Session transcript

Jennifer Chung: My name is Jennifer Chung, I’m with DotAsia, and I’ll be your moderator for today. Just a quick housekeeping note for the people sitting in the U-shape. These mics are pushed to talk, so they’re not the ones that are on the entire time. Just a quick reminder. So, navigating global cyber threats. In an increasingly interconnected world, cyber security challenges are growing in scale and complexity. Global cyber crime is projected to cost 10.5 trillion annually by this year, posing serious risks to institutions, economies, and fundamental rights. So this session is going to look at the good practices and the actual impacts, how national, regional, multi-stakeholder cooperation can build stronger and more resilient cyber security frameworks while balancing innovation, security, and the protection of human rights. We’ll have a key focus on the tension between the cyber security legislation on the one hand, and existing privacy and data protection matters on the other. In some cases, stricter regulations on service providers, such as DNS operators, may also inadvertently undermine effective, rights-respecting security mechanisms that are already in place. We’re going to hear from all the different speakers from NRIs around the world here up on the stage. But, of course, this is a dialogue, and we invite everybody that can see down there. If you’d also like to move up to the U-shape, we really do welcome you. If you’re not comfortable, I think there’s also mics on either side as well. We’d love to hear your thoughts on this. We have an expert panel to set the stage for everyone. I’m going to do a very quick introduction, and then I’m going to go into the policy questions that I will ask them. To my right, we have Mr. Carlos Vera. He’s the Executive Director of ISOC Ecuador. Next to him, we have Mr. Dennis Broeders, the Professor of Global Security and Technology, a Senior Fellow at the Hague Program on the International Cyber Security, and Institute of Security and Global Affairs, Leiden University. He’s also the Project Coordinator of EU Cyber Direct. He’s also affiliated with the Netherlands IGF. Next to Dennis, we have Ms. Lia Hernandez. She is the founder of Appendatech, and she’s also affiliated with Panama IGF. To my left, we have Mr. Dejan Djukic. He’s the CEO of RNIDS and also affiliated with Serbia IGF. And finally, but not least, we have next to Dejan, Ms. Latty Thalaka. She is the chairperson of the ZIA IGF multistakeholder committee and is affiliated with South Africa IGF. So with this illustrious panel, actually, and good NRI colleagues, I’d like to turn first to Carlos to speak really from your point of view, IGF Ecuador as well. In a world where AI and IoT are increasingly shaping our lives, what are the key cybersecurity concerns faced by local communities? And how can we strike a balance between fostering innovation and ensuring security in these emerging technologies?

Carlos Vera: Thank you. Good morning, everyone. And thank you for the opportunity to speak here at the IGF 2025 in Norway. I’m Carlos Vera from Internet Society Ecuador and from IGF Ecuador in Lattyn America. Please allow me to read you to necessary time constraints. As we agree today, AI and IoT are no longer distant concepts. They are in our homes, schools, hospitals, and increasingly in our local governments and public service. This technology offers great potential, but they also bring real cybersecurity risks, especially for local communities. Let me highlight three of the most pressuring concerns. First, data privacy and misuse. IoT devices collect a lot of information about us. But in smaller communities where the digital knowledge may be limited, that data is often collected without real understanding or consent. This creates real risk of surveillance, profiling, or unintentional harm. Second, vulnerable infrastructure. Local authorities and small organizations often lack resources to protect the digital systems. That makes a prime target for cyberattacks, especially ransomware, which can cripple schools, hospitals, or even our water systems. And third, trust and inequality. When AI systems are biased or when IoT systems fail, people lose trust. And those who are already vulnerable, rural communities, minorities, low-income groups, are often the ones most affected. So, how do we move forward? How do we embrace innovation while also protecting our communities? Let me suggest four principles. One, security by design. We must demand that AI and IoT systems are secure from the beginning. Two, local empowerment. We need to invest in training and capacity building, not just for engineers in big tech corporations, but for the citizens, for the local people, for the local leaders. They are the ones who manage, who use, who maintain the system, and they deserve the tools and knowledge to do it safely. Three, participatory governance. That’s what we call and we are talking about all these IGF in Norway, the multistakeholder governance. It is really necessary to participate. We need inclusive process where citizens help shape how AI and IoT are used in our lives. And let me have a small reflection about this. While United Nations, European Commission on Union and ITY, they play a key role in the making of standards of participation in the IGF, we still need more civil society spaces like internet society, when the civil society, the academy, the private sector and the tech community can participate. And four, global frameworks for local action. In this kind of things, in this kind of public policies, in this kind of law, one size fits all doesn’t work. We need to take account of the local community, the necessities and reality. And I have another reflection here about the ethics. We are talking about ethics, but it’s not only what you as a user can and cannot do. It has to be also with what governments and what companies can and cannot do. They have all the information, they have all the knowledge. They only do not release the final user. So we have to work on ethics also beyond the final users. And without security, without cyber security, there is no sustainable innovation. And finally, a call to action. Let’s empower our communities to lead the way. Thank you very much for your question Jennifer.

Jennifer Chung: Thank you Carlos. You brought together actually very, very important points and thank you for setting the scene about that. I think the four points that you gave us to take away is actually very good action points that we need to have security by design, local impairment and participatory governance especially when we’re looking at the multi-stakeholder model here. Actually a quick reflection before I go to our next speaker is this morning I heard at one of the sessions he came up and he said he was a coder and he said I’m here, I’m listening to all these policy people speak but where are the people who make and do and code? We really need to bring in all of these communities that actually can take action from the policy that we’ve shaped here to be able to have real impact. So I think that’s actually very important to have that as well. I’m now going to move on to Mr. Dejan Djukic and I know for RNIDS you are the CCTLD for Serbia and also of course Serbia IGF and maybe a little shift towards that question. Do you think and will stricter regulations on tech service providers really and truly improve overall security? What are the costs for both service providers and end users?

Dejan Djukic: Thank you for interesting question, good afternoon everyone. Regulation is necessary as threat becomes more and more sophisticated every minute but in most cases regulation is too slow to follow technology evolution. We have many examples of that like GDPR now needs two directives so the evolution of regulation and technology are not fast at the same time. So that’s the reason why community involvement is essential. So we cannot sit and wait for the regulator to solve all our problems. raising awareness that is something that we have to do constantly. Improvements are needed, following up to stricter regulation can help us to be the top of our game, perhaps much faster than it’s done nowadays. Five years ago, we didn’t have those sophisticated threats like today. However, TechKip’s security on a top priority reinvents solutions to protect infrastructure and services it provides. That is what keeps our system stable and running. Caution is also needed by all parties, however, especially for lawmakers. In general, it’s really challenging to find balance between privacy and security. When we speak about time age before NIS2 directive, our TLD decided to collect fewer personal data in our database and we came to that solution in cooperation with Data Protection Authority. But now when NIS2 came into force in most countries in EU and we are preparing our local laws, we will have to collect same amount of data as time before of the most probably we collected before. So, when we started first time our domain registration in our TLD, we collected documents and we are allied with GDPR, we decided that no documents are needed to collect. In our zone, abuse is small and we have 150,000 domain registrations and around 100 domain reported abuse in 2024. So, of course, the law applies to everyone, but numbers are cruel sometimes. And definitely there will be cost for users and operators as well. Because operators have to improve their systems, but users also have to be prepared to use those improved systems as well. And when we speak from perspective of DNS operator, established as a private foundation like Serbian TLD, multi-stakeholder cooperation is essentially important. So since we don’t have any executive power regarding fighting abuse and cyber crime, involvement of relevant parties are necessary. So on a local level, we cooperate many with organizations in order to raise awareness. With our partners, we organized many cyber security conferences, workshops, and hackathons. So also in concrete cases of cyber crime, we also need the assistance of relevant authorities. So I can raise an example from a few days ago. It was a situation with several domain names that with the website that are offering illegal weapons on them. Since we are not dealing as a registry with the content, we contacted the registrar to check the registration data. And after the registrar confirmed that data is correct, we couldn’t do much. And we started to communication with the local police, cyber crime police, and after continuous communication of few days and mostly few weeks, they managed to provide public prosecutor order and we finally suspended those several domains used for weapon selling. So that’s just one illustration, an example how cooperation is important and sharing relevant data and knowledge among stakeholders is crucial. Thank you.

Jennifer Chung: Thank you very much, Dejan. You actually touched on a whole host of really critical items that has actually been discussed very much now, DNS abuse, in the ICANN context as well, looking at how it’s not just policymaking in a very narrow scope there, but. In actual practice, registry operators, registrars as well, as well as local jurisdiction, local law enforcement, there is a whole host and chain of how you can actually address and mitigate and report and finally do any takedowns, if that is what it is. I do note that, you know, the original question was asking really about stricter regulations, but you gave us a very comprehensive mapping of what it actually means to the end user, to the operators, and actually for the Internet, I guess, as a whole as well. So thank you for that sharing. So now I’m going to turn over a little bit to policy approaches. I’m going to go over to Ms. Lia Hernandez. So Lia, I guess from your point of view as founder of Epanditec and also from the Panama IGF point of view, which policy approaches can be adopted to effectively educate social media and Internet users to identify and avoid emerging cybercrimes such as online scams and phishing attacks? Lia.

Lia Hernandez: Thanks, Jennifer. Are you hearing me? Yeah. Good morning. Well, good morning. My name is Lia Hernandez. I am a Panamanian lawyer. I’m based in Panama City, but my work is focused more in the Central American region and the Spanish speaker Caribbean. So I’m going to talk based on my experience in my region, mainly in my region and in some countries in Lattyn America, because we have the same issues regarding to the application of cybersecurity or cybercrime standards. And actually, I think that to effectively educate the users on social media, social network, on the Internet is not enough the capacity building. It’s necessary that the states establish the issues of cybersecurity or cybercrime like as a state policy. Most of the countries in Central America and the Caribbean, they change. of government every four or five years. And for that reason, they also change the priorities. So maybe in Panama right now, my hometown, cybersecurity is a priority. But in five years, there’s not going to be a priority anymore because a new government and the EU party arrived to the power. So for that, I think that it’s not enough to say that we have a commitment with the cybersecurity or we have a commitment with the cybercrime. We must really be and incorporate in our agendas the agenda of the governments and the policymakers topics as cybersecurity, digital security, cybercrime. And also, it’s very important to adequate our legal frames war to the new trends on cybercrime times. We have two main cybercrimes conventions in the world, the Budapest Convention and the recently approved United Nations Cybercrime International Convention. I know that not all of us, we are agreed with the test of these two conventions. But most of the governments of our region have approved and have signed Budapest. But till now, they haven’t adequate their local legislation. So for that, I think that it’s necessary to take the best of all of these documents, the Budapest Convention and the UNESCO Convention, and maybe adequate our legal frames war because if we don’t have a crime in our criminal code, it’s very difficult to avoid these kind of conducts in the cyber space. So I also have to say that there is not sufficient the legal frame wars, the reference. We must take actions. We must take action. Stop saying that cybersecurity is the priority in my country. We just educate the citizens, from the kids, to the teenagers, to the senior people, and to explain then how the internet really works. which are the rigs to use the internet for this or this way. And don’t tell them, you shouldn’t do this or you shouldn’t act like this. Because when you talk with the kids and you say don’t do that, they are going to try to do it. So it’s better to explain them how really works the internet and the consequence of they don’t use the internet in the right way. And after that, talking about the good, the bad and the ugly of the internet. And we must educate them so they know how to identify the real risk. So I think that this is my opinion about this question, Jennifer, Mike. Thanks.

Jennifer Chung: Thank you, Lia. Especially bringing up, you know, there is always this shift when you have a shift in administration, there is a shift in priorities. And the fact that we do have the two conventions also doesn’t mean that, you know, it has been reflected in all over, you know, global and I guess to the local jurisdictions and legislations as well. Very important part about capacity building. I think it needs to be done holistically across the board as well. Now we are going to turn over to Dennis, Dennis Broeders. I guess maybe with the context of what you heard from the previous speakers, I don’t know if you can pull this into, you know, your response as well. The question really is how can national and regional multi-stakeholder cooperation help build a stronger global cybersecurity resilience? Dennis.

Dennis Broeders: Thank you, Jennifer. I will try to draw in a few things, but I will focus on a much more smaller, but actually quite big element. So I want to focus on the relationship between cybersecurity, information sharing and resilience. So keeping it a little small. So most countries also internationally say, okay, the value of information sharing is like a mantra, right? Then also the value of public-private cooperation in information sharing. is also a mantra. So I’m talking about the sharing of information about digital vulnerabilities, about incidents, about methods of states and criminal actors, so threat intel in short, right? So everybody realizes the value of information sharing for digital resilience, and yet in practice, it proves to be something that is actually very difficult. I’ve seen many forums also here talking about it. In my country, the Netherlands, every single cybersecurity strategy we had underlines the importance of information sharing, and every single strategy we had says we need to do better, right? So that’s where we are. Most recent cyber strategy, 2022, 2028, again, puts information sharing front and center, and also acknowledges that information exchange is still fragmented, and it undermines the cyber resilience of companies, of organizations, and of society as a whole. And to a certain extent, and I think many people realize that that’s easily explained, right? All the organizations that have information that would affect others, that would benefit others, they also have good or at least understandable reasons not to share that information. So information is often not shared, and there are reasons for that, right? If you look at different organizations, intelligence agencies, right? They have lots of information. They never tire of telling us, right? We know everything, but they have a professional focus on national security that comes with an emphasis on secrecy. They have limited incentive to share information with others. Internationally, they have a quid pro quo relationship with their sister organizations in other countries, and they also have an organizational interest in keeping certain vulnerability behind because they may prove useful for their own work. So transparency there is not optimal, let’s put it that way. Then we have companies, governments, organizations, they all have information that is useful when they have been breached or attacked. Bigger companies will have information about what they see in their own networks that will be useful for others. But when it comes to breaches and vulnerabilities, they also have very little incentive to share. It can lead to reputational damage. It can open them up for claims, for liabilities. So sharing, and also sharing does not necessarily get them any meaningful response from other companies, right? So why share? Then we have threatened our companies, right? The manions of the world, basically. They have a lot of data. They have a lot of information on their clients, mostly. Mostly the big companies do Western big companies, so they have mostly biased information with a Western bias. When you talk to them, they see the value of sharing, but they’re not that eager to share, which is also logical because it’s their business model to use and market that information. So resilience, societal resilience is nice, but profits is better. So no transparency, there’s client privilege, and there’s NDAs on the information. The most effective sharers, hooray for internet governance, I think are the C-certs and the cert community, right? They have a long-standing tradition in the international community of exchanging information, and they see it as a core value to do so, right? So internet governance organizations, they focus on the resilience of the internet as a global network, and they work more along the lines of what you would call like a health and safety approach, right, rather than a security approach, and that does something. Okay, having said that, how do we overcome blockages to information sharing, right? I have a few points to make, three points. So one is a little philosophical in nature, right? So starting where we left off with the C-certs, basically, say, okay, how can we extend the logic of health and safety to more forms of information sharing, right? Can we get more levels or sorts of information in the frame of sort of first medical responders where we try to make sure that the patient is okay rather than into a security frame of mind where we’re looking for, okay, who is at fault, why have they done it, what are the consequences, who is liable, et cetera, right? So there is a balance there to look for. Related to that, because I think these communities are communities of trust, and someone mentioned this before, is how can we create communities of trust? And I think this audience here is probably well aware that certain sectors, for example, like the banking and financial sectors in the Netherlands but elsewhere as well, they have created what they call information sharing and analysis centers, right, the so-called ISACs. In these ISACs, sectors exchange information about incidents, threats, and vulnerabilities. There is no question that banks are each other’s competitors, right? That is clear. But they do have a common interest in sort of keeping the digital financial system as healthy and as well-functioning as possible. So that helps. What also helps is the closed nature of ISACs, right? It’s a closed system, there’s a trust system, there’s even an amber system and a red system, what kind of information gets written down. So it’s a community of trust, but it’s also often facilitated by the government. So this is something where governments can do something. Lastly, and the NIS2 Directive has already been mentioned, there’s always regulation, right? The regulation is not always the best option forward, but for example, in the Netherlands, if we look at the implementation of the EU NIS2 Directive, that will mean that in the Netherlands 5,000 companies will now have reporting obligations and certain obligations to have preventative measures, as opposed to the 200 that were designated like that before. That is a huge difference. The idea is, of course, that this will create more resilience, whether that’s actually the case is something that we will have to see in the future. I’ll leave it at that.

Jennifer Chung: Thank you, Dennis. That was a lot of very good information and a lot to unpack. I’m not even going to attempt to try to summarize any of this before we go to our next speaker, but I think you really highlighted the big problem and the tension between having this information and the incentive to share, and shifting that paradigm to what you mentioned as health and safety instead of liability and faults. I think that really allows us to look at it a little more clearly. I think on the other context, before I go to our next speaker, is this has also played out in the ICANN context for those who do participate in ICANN policymaking, and I guess that community as well. There has been a lot of tension and a lot of urgency from the part of law enforcement. to request for information, but the problem still is how do we authenticate these requesters? How can we make sure that, you know, we have the obligation or, you know, the legal framework to do so and to disclose this information? So thank you very much for highlighting this, you know, very inherent tension between that. Hopefully we’ll be able to dig out some and tease out some possible solutions going forward, but I do see that it is not on one party or two parties, but it is a whole host of considerations. And again, multi-stakeholder is what we’re talking about here. So with our last but not least speaker, I’d like to go over to Ms. Latty Thaka from South Africa IGF. And I’d like to get a little sense of what the best practices are and the impacts, and I think she wanted to give a little bit of thread of the legislation and regulation in South Africa right now and what the recommendations are, I guess, coming forward for cybersecurity and that part from the South African point of view.

Latty Thlaka: Okay. Thank you, moderator. My name is Latty from South Africa. I am the chairperson of the South African Internet Governance Multi-Stakeholder Committee. I think just before I start, I just need to remind us that cybersecurity is not just a technical challenge. It is a human rights development and governance issue. The only way to address it meaningfully is through multi-stakeholder cooperation at national, regional, and global level. So going into best practices, South Africa strongly supports a multi-stakeholder approach to cybersecurity. We collaborate globally and regionally through AU Malabo Convention, the SADC strategy. We also participate in GFCE and ITU’s African initiatives. Nationally, we have built structures like the Cybersecurity Hub, which is a project by the Department of Communications and Digital Technologies. It is a national computer security incident response team project that was established to make cyberspace an environment where we can all safely communicate, socialize, and transact in confidence. This project works with stakeholders from civil society. It works with government. It works with the private sector. It works with the technical community and academia in preventing and responding to threats. Our South African Police Services and State Security Agency also coordinates cybercrime investigations and threat intelligence together with private sector and ISPs. And I think it’s also worth noting that our IGF is also very strong when it comes to addressing and engaging in matters of cybersecurity, where cybersecurity is not just discussed annually or allocated annually. It’s also integrated in all the thematic areas. And I think we’ve also seen firsthand the impact of an action where data has revealed a 22% year-on-year increase in ransomware incidents targeting South African institutions. We have had, I think amongst others, digital fraud in the banking sector. We’ve had ransomware attacks on public institutions. Ordinary citizens are also getting attacked on a daily basis. And in addressing these, we are active in research on cybersecurity. We have a few initiatives, and I’ve already mentioned the cybersecurity hub. We’ve also got the Cyber Command Center, and where legislation is involved, we have a national cybersecurity policy framework, the Cyber Crimes Act, and the POPI Act, the Protection of Personal Information Act. However, we’ve also noticed the growing tension between the cybersecurity laws and our constitutional duty to uphold privacy and data protection, where our Cyber Crimes Act criminalizes malicious activity, while the POPI Act protects personal data. Together, they offer a legal balance, but the test really lies in the implementation, and without proper oversight, there’s a risk of overreach, public distrust, and suppressed digital freedoms. We found that the law enforcement sometimes maybe faces delays due to legal processes required under POPI Act to access digital evidence, and civil society has also raised concerns over potential overreach in surveillance protections of the Cyber Crimes Act. So I think we just need to strengthen oversight mechanisms, such as judicial review for data access, and update laws to ensure proportionality, necessity, and transparency in surveillance. And I think that’s why we’re also just calling for three things. We’re calling for policy coherence, where cybersecurity strategies must go hand-in-hand with privacy protections and rights-based governance. We’re also calling for global and regional collaboration through harmonized laws, shared intelligence, and joint incident response. And we also need to have an inclusive governance where youth, civil society, and underrepresented groups have a seat at the table. Our National Internet Governance Forum has proven that this model does work, and if we don’t act decisively, we risk widening the digital divide, weakening human rights, and undermining regional trust. So we just need to remember that cybersecurity resilience is not just about defending networks, it’s about defending people, democracy, and dignity in a digital world. South Africa is ready to collaborate, we’re ready to lead, we’re ready to learn, and we cannot afford to wait.

Jennifer Chung: Thank you very much, Latty. I think that ending was actually very important for us to remember, and we’re not just defending the networks, we are defending humans. Thank you also for sharing all the work that is being done right now with South Africa. I think, you know, I hear a thread amongst all the speakers that this is a multi-stakeholder effort that we need to address cybersecurity risks, but we need to balance it with privacy and we need to balance it with having inclusive governance where underrepresented groups do have a seat at the table. For the next 20 minutes, we have an open floor, and I think I already see some indications that we would like some, yep, speaking over there. I think this is Bangladesh IGF, Anu, please go ahead, Anu.

Bangladesh IGF representative: Hello, Jennifer, thank you. This is Mohammad Abdullah Gono, Secretary-General, Bangladesh Internet Governance Forum. As cyber threats grow in scale and complexity, it is clear that while the challenges are global, the responses must be grounded in local realities. In Bangladesh, we have witnessed how community-based awareness, capacity building, and multi-stakeholder engagement can help counter cyber threat more effectively than top-down approach alone. The Bangladesh Internet Governance Forum has been working to promote trust, security, and responsible digital practice by fostering collaboration between government agencies, civil society, the private sector, and youth groups. Our local cybersecurity framework are aligned with global norms, but are also tailored to our unique socio-economic and digital context. We believe that regional and local internet governance forums play a critical role in sharing best practice and ensure that cybersecurity is not just a technical issue, but a shared social responsibility. By building resilience from the ground up, we strengthen the global digital ecosystem. Let us continue working together across borders and stakeholder groups to ensure a safe, more inclusive digital future for all. Thank you, Jennifer.

Jennifer Chung: Thank you very much, Anu. I am also going to see if we do have anything online. We do have our online moderator, Godsway, who is checking online. He has reminded everyone who is participating remotely to also indicate whether or not you would like to ask questions or actually give some comments. Godsway, are there any questions and comments, or requests to take the mic?

Godsway Kubi: Hello, everyone. I hope I am audible. Okay, so I am Godsway Kubi, the lead facilitator for online cybersecurity, and also representing Ghana IGF here. I think for now, we don’t have much questions, but I am hoping that before we finish the session, there will be some questions.

Jennifer Chung: Thank you very much, Godsway. I see on the floor, Mary Uduma.

Mary Uduma: Thank you very much for giving me the opportunity to speak. If we are to navigate globally and locally, cyber trade via a local partnership, we have mentioned already the multi-stakeholder process, so there is a lot of collaboration to be done. a lot of capacity building to be done, and a lot of awareness creation. There are some people that are scrupulous and they don’t even know that they are being attacked. So in the password management, cyber hygiene, so those are some of the things, and collaborating with law enforcement. And the law enforcement needs a lot of capacity or capacitation. So capacity building and development with the law enforcement is very key. That’s what we have started in Nigeria, in the Nigeria Internal Registration Association, the .NG managers. We have this capacity building and exchanges and engagement with our law enforcement to be able to bring to fore some of the threats, and they also understand the threats as well. So those are the few things I just want to mention because the panelists, they’ve already mentioned a lot of them. But collaboration, capacity building, sensitization, and engagement with the law enforcement would help us navigate those streets. They are very, very rare. Thank you.

Jennifer Chung: Thank you, Mary. Thank you for sharing the perspective from Nigeria and also, of course, West Africa. I’m looking around the room to see if there’s any hands up. Of course, colleagues who are sitting in front of us, please, you are welcome to come over to the U-shape to take the mics as well. I know there are mics on the side of the room if you would prefer that as well. If not, I’m gonna use a little bit of moderator prerogative. I see Dr. Nazar. Nazar, please go ahead. Nazar, one second, you need to turn on your mic.

Audience: You will not have to use it, touch it, don’t touch. That’s what they’re saying. Thank you so much, Jennifer and team NRIs from all over the globe. My intervention on this front will be let us also focus on the local talents in terms of our universities are creating and co-creating a lot of young people with a lot of skills. And what I find is that the local conception in terms of companies and the governments and even civil societies are not actually using these local talents and the local skills that have been created by our universities. So while we are talking about, you know, combating all these cyber threats, we need to focus using the resources that are there. The young people from the universities, they are very learned on ICTs and cyber security. But the applications and the skills from the local content are not being properly utilized. So I think that will be my contribution so I can also yield time to others to contribute as well. be ensuring that we use the local content that is available to combat both the local and global cyber security threats. Thank you.

Jennifer Chung: Thank you, Nizar. Thank you, Nizar, for reminding us that, you know, we absolutely need to rely on local talent and local content to also combat all of this. I do have one comment online which I’ll go first and then I’ll come to you, Carlos. So, Godsway, please go ahead and read out the question.

Godsway Kubi: Okay. Okay. So, I think Emmanuel is asking, you know, what international frameworks do we have to empower law enforcement agencies in the Global South?

Jennifer Chung: Thank you, Godsway. So, before I go to Carlos, I’m wondering if anybody up here on the panel or anybody in the room would like to answer Emmanuel’s question. The question, again, is, you know, what international framework we have to empower law enforcement agencies in the Global South? Read it again so you have some time to think about the answer. While you’re ruminating on this answer for Emmanuel, I’d like to go to Carlos. Please go ahead.

Carlos Vera: Thank you again. I think that one of the main words or concept we have to have is share. We share the room. We were in the same room yesterday in the main hall with Joseph Gordon Leavitt. And in one moment, the girls were saying aloud, I love you, I love you, I love you. And of course, I said, thank you, thank you. And this nice-looking guy looked at me and I said, let’s share. Let’s share. That’s what we have to say to government, to big tech companies. Let’s share accountability, responsibility, cybersecurity. The decision-making process is a shaded process. That’s why we strongly support the multistakeholder process. and share, share, share. This is the key issue for all of us. Thank you, Jennifer.

Jennifer Chung: Thank you, Carlos. That was a great analogy. Maybe Joseph Gordon-Levitt can solve all our cyber crime and cyber security problems, you know, just drawing the attention and asking everyone that you need to share information. He has a PhD in computer science. We should call him to this room. Maybe that’s how we’re gonna solve all of this, right? He will help us solve the IGF renewal, all of that. Dennis, please go ahead.

Dennis Broeders: Maybe a short comment on my neighbor. Sharing would be fantastic. I love sharing, it’s very nice. But institutionally, many of these organizations are biased against sharing. They have no interest in sharing or they have interest in sharing certain things, but not other things. So we have to realize that while some of these corporations have goodwill, many of them are in the business of making profit and they will share what they need to share. So what we increasingly see now is we have larger and larger companies doing things that traditionally were public utilities, but we have put them in the hands of private corporations who do not have a public ethos. They have a private ethos, they’re there to make money. And we sort of let it happen. That’s one thing, but to sort of rely on ethical frameworks and asking them to share and basically rely on their goodwill, I think is not the way forward. We have seen time and time and time again that when push comes to shove, they will go for the dollar and not for the public interest.

Jennifer Chung: If I may actually ask a follow-up question, because in your first intervention and just now, you said incentives are not there for sharing. What incentives do you think could oblige or could be to incentivize the sharing, I guess, for different parts and different organizations?

Dennis Broeders: I think it varies. I mean, I haven’t thought the whole thing through, but the ISAC example shows you where. Competitors are actually able to agree on some common ground where they say, okay, we all benefit if the larger financial system and the transactions between us are safe, right, that’s something where they go, okay, that’s where we can cooperate. On other things, I think the general rule is when industries start saying, no, we’ll do it ourselves, we’ll self-regulate, we’ll do ethical framework, we’ll do all these things, that means they’re afraid of regulation, right, that’s the only reason they’re stepping forward to do this. That means that regulation may be the way forward, right, so you can’t expect private companies to fully embrace a public task in a public way, right, that’s not what they’re there for, but we have a long history of having private companies subjected to certain rules to make sure the public interest is safeguarded, this is not a new thing, right, we have been doing this for centuries, there is a way of organizing this between public and private parties where you weigh in as a government and say, but this is the public interest, this needs to be safeguarded, so I’m afraid it’s regulation.

Jennifer Chung: That is definitely one answer, regulation does answer certain things, but probably doesn’t encompass everything as well. I’m going to use moderator prerogative to kind of come back to Dejan Djukic because, you know, listening about this and of course being in the DNS industry, being part of CCTLD, I wonder if you have some reactions regarding this because of course .Asia is also a registry operator, we have to follow our jurisdiction, what kind of laws that we need to follow, when we have court papers or court orders to do certain things, that’s how we take action, but perhaps from the Serbian point of view for the CCTLDs, are there similarities, do you have thoughts on this?

Dejan Djukic: Yeah, I still believe that information sharing is important, I gave a recent example from a couple of days ago, so we received a complaint from some international… organization or NGO, I’m not sure at the moment what they are, and they are sending us a couple of emails and notification that they find out that those websites are selling illegal weapons and that there are many of those sites in our zone. So we can easily say to them, send those emails to local police and do whatever you want. But we try to discover our data correct, and we also use our contact in police and public prosecutor office to make them to do something. So without that information, we couldn’t do nothing. Now we have 10 websites down with really illegal content. So without sharing information, we couldn’t do nothing. But I think it’s still important, and I believe it.

Jennifer Chung: Thank you, Dejan. I’m actually having trouble pressing this button here. Having the hot mics the whole time is bad, but not being able to press the mic to actually speak is also bad. So inherent tension, again, with voice. I don’t want to leave the question unanswered that we received online from Emmanuel, but I’m wondering if Leti or maybe Lia would like to address that question. And the question is, you know, what international framework do we have to empower law enforcement agencies in the Global South? And I’m assuming empowering law enforcement agencies, I guess maybe he means how they can take action, because I feel like law enforcement is pretty empowered everywhere. So maybe an adjustment to his question.

Latty Thlaka: Thanks, Jennifer. From my point of view, I don’t like to recommend Budapest Convention or maybe the UN Convention, because I have any consideration of each of these two tests. Actually I think that Budapest Convention was created like a convention for the European Union countries, and some other countries around the world have adapted their legal framework of then, but… For example, the reality of the global south countries are not the same as the realities on cyber security or cybercrime in the European Union countries. So I don’t want to say like you should follow the text of the recommendation of Budapest or the UN cybercrime conventions, I think that we should take the best of both documents and then see what is better or what is what fits in our local legal framework.

Jennifer Chung: Thanks, Lia and Leti, did you want to add to this?

Latty Thlaka: No, I think I share her sentiments, but I think just to add on that, maybe just briefly is that South Africa, we participate in the Global Forum on Cyber Expertise. So I think maybe that could contribute to answering the question.

Jennifer Chung: Yes, pressing the button to actually speak. There is one question that we just received in the Zoom room. So if I could just have Kotswe read out the question, or I think it’s maybe a comment.

Godsway Kubi: Yeah, I think so. OK, so I said, what are the global implications to the varied approaches adopted within the AI posture across EU and the US and implications to service provider certifications? So that’s the first question, and should I read it all or go one after the other? I think this question is quite long. It is quite long, but maybe just read the entire thing with respect to it. OK, OK. The second one states that, what does this mean for global South circummarism of this variable certified services? The implications of this AI posture on the cybersecurity and cybercrime posture is critical for. So I think the first question is, the second one is a follow-up of this first one.

Jennifer Chung: So while our speakers and others in the room think about this, I want to see if there’s any other questions online and in the room.

Carlos Vera: About the law enforcement?

Jennifer Chung: You have one? Okay, please go ahead.

Carlos Vera: Okay. There is a lot of frameworks. Every law is jurisdictional, but in issues like electronic commerce or cybersecurity, we need a legal framework from the United Nations, for example, and they have several committees that work on specializing on this kind of things. So even though the law is jurisdictional, geographically restricted to one country, we need a legal framework, and UNUDI and some of the bodies work all the time providing this kind of legal framework. Thank you.

Jennifer Chung: Thanks, Carlos. I don’t see any more hands or questions in the room. Nazar.

Audience: Yes, I just wanted to add on the Interpol, it’s called the Interpol Cybercrime Directorate for the – there are so many, and even the ITU has one for the – has one framework for the – that can assist the local enforcement agencies, for example. The Interpol Cybercrime Directorate is one of those, and I think Interpol is very known for being intercontinental, interregional, and it plays a part in the local context as well.

Jennifer Chung: Thank you, Nazar, for sharing that and reminding us about this. I think without that, then I’d like to ask our speakers in reverse order, so in the reverse order that I initially asked you to speak. to just do a very quick wrap and really just the one takeaway that you want us to really take away from this session. So I will begin with Latty, please.

Latty Thlaka: I think maybe we’ve also seen from the question that was posed that it is a need for harmonization. So we need to harmonize our laws. We need global and regional collaboration in doing that. And we need to ensure that there is inclusive governance. But I need maybe just to leave us with one thing. And it’s something that I mentioned before is that we need to prioritize human rights when talking cyber crimes, when talking cyber security, because if we don’t, we risk widening the digital divide and maybe weakening human dignity. So let’s not undermine our efforts as a globe, as regions and countries. Thank you.

Jennifer Chung: Thank you, Latty. Dennis, one takeaway?

Dennis Broeders: Yeah, maybe I’ll stick with my theme of information exchange. So I mostly focus on the national level. But if we look at the international level, there is a lot to be gained. I think there really is a lot to be gained. We know it’s possible, right? We have a global community of CSIRTs that are exchanging information in a trust-based system. I don’t know if ISACs, for example, talk to each other in a sectoral way, in a broader sense, probably. This morning, I heard a speaker from Albania saying, okay, they’re really invested in sort of getting more information exchange in a regional way. But I think getting that going and also finding a way to sort of get more private information into that mix, that would be really good, albeit not necessarily easy.

Jennifer Chung: Thank you, Dennis. Lia?

Lia Hernandez: I want to remark that capacity building and regulation is not enough. We should work. It’s like there are not two… topics that we should work separately. We should still increasing the capacities and the knowledge of the population from their kids to the older generations. And that is this. In some countries, any conventions or any regulation has worked. That doesn’t mean that the others, that the regulation, they’re also going to work in your region or your country. We should take of consideration the politically, geographically, and economically context before to adapt or adequate like a regulation in any region of the world.

Jennifer Chung: Thank you, Lia. Dejan Djukic?

Dejan Djukic: Thank you. I believe that permanent activities on improving security of system infrastructure and following actual threats is a good approach. So also raising the awareness together with relevant partners on the local and international level could bring improvements constantly. Regulations, of course, is important, but usually very slow. So all of us have to do more before regulators find out the solutions. Thank you.

Jennifer Chung: Thank you, Dejan Đukić. And I guess I’ll leave the last word to Carlos.

Carlos Vera: Thank you. It’s not easy to get the shaded process from government or from international organizations. But we, the citizens, have not to forget that we are the boss, really. If the government doesn’t have the capacity to share the responsibility, the accountability, and the decision-making process, we can change the government. And if the company doesn’t work observing the right condition of the consumers, we can change the company. We cannot buy their product or service. So we have a real power. We are not only passive actors. We are active actors. And we have to use our power. to also be part of the decision in this kind of things. Thank you very much for everything.

Jennifer Chung: Thank you, Carlos. I do note that, you know, perhaps the person who asked the remote question didn’t actually hear an answer to his question or her question, but we’re happy to take this to the NRI mailing list, hopefully to get further experts to answer this. I’m not going to attempt to summarize what has been a very rich discussion, especially on the many, many issues that, and many, many ways that different NRIs, different jurisdictions, different countries are tackling cybercrime, and on all the mitigation efforts, the inherent tension of info sharing, the actual practices of, I guess, CCTLDs and registry operators, and especially, I would say most importantly, with my bias on, we need to make sure it’s an inclusive governance. We need to make sure the underserved, the voices that always get left behind are not further left behind in this conversation about mitigating, about combating cybercrime and looking at best practices. So with that, I thank you all for your time. Thank you to the panelists. Thank you to the questions. Thank you to all in the room for a great session. Thank you.

Carlos Vera

Speech speed

113 words per minute

Speech length

Private Sector Accountability and Regulation

Topics

Human rights | Economic | Legal and regulatory

Disagreed with

– Dennis Broeders

Disagreed on

Role of regulation versus voluntary cooperation in information sharing

Latty Thlaka

Speech speed

139 words per minute

Speech length

929 words

Speech time

399 seconds

Multi-stakeholder approach is essential for addressing cybersecurity as a human rights and governance issue

Explanation

Cybersecurity is not merely a technical challenge but encompasses human rights, development, and governance issues. The only meaningful way to address these complex challenges is through multi-stakeholder cooperation at national, regional, and global levels.

Evidence

Bangladesh IGF representative

Speech speed

94 words per minute

Speech length

181 words

Speech time

115 seconds

Community-based awareness and multi-stakeholder engagement are more effective than top-down approaches

Explanation

In Bangladesh’s experience, community-based awareness, capacity building, and multi-stakeholder engagement have proven more effective at countering cyber threats than top-down approaches alone. This grassroots approach builds resilience from the ground up and strengthens the global digital ecosystem.

Evidence

In Bangladesh, we have witnessed how community-based awareness, capacity building, and multi-stakeholder engagement can help counter cyber threat more effectively than top-down approach alone.

Major discussion point

Multi-stakeholder Cooperation and Governance

Topics

Cybersecurity | Development | Sociocultural

Agreed with

– Carlos Vera
– Latty Thlaka
– Jennifer Chung

Agreed on

Multi-stakeholder cooperation is essential for effective cybersecurity governance

Collaboration between government agencies, civil society, private sector, and youth groups is critical

Explanation

The Bangladesh Internet Governance Forum promotes trust, security, and responsible digital practices through fostering collaboration between multiple stakeholder groups. This collaborative approach ensures that cybersecurity becomes a shared social responsibility rather than just a technical issue.

Evidence

The Bangladesh Internet Governance Forum has been working to promote trust, security, and responsible digital practice by fostering collaboration between government agencies, civil society, the private sector, and youth groups.

Major discussion point

Multi-stakeholder Cooperation and Governance

Topics

Cybersecurity | Legal and regulatory | Development

Dennis Broeders

Speech speed

180 words per minute

Speech length

1592 words

Speech time

529 seconds

Information sharing is valued but difficult in practice due to organizational disincentives

Explanation

While most countries and organizations recognize the value of information sharing for digital resilience, it proves very difficult in practice. Organizations that possess valuable threat information also have understandable reasons not to share it, creating a persistent challenge for cybersecurity cooperation.

Evidence

Disagreed with

– Carlos Vera

Disagreed on

Role of regulation versus voluntary cooperation in information sharing

Regulation may be necessary when industries propose self-regulation to avoid stricter oversight

Explanation

When industries start proposing self-regulation, ethical frameworks, and voluntary measures, it typically indicates they fear government regulation. Since private companies cannot be expected to fully embrace public tasks in a public way, regulation becomes necessary to ensure public interest is safeguarded, following centuries of precedent in balancing public and private interests.

Evidence

When industries start saying, no, we’ll do it ourselves, we’ll self-regulate, we’ll do ethical framework, we’ll do all these things, that means they’re afraid of regulation, right, that’s the only reason they’re stepping forward to do this. We have a long history of having private companies subjected to certain rules to make sure the public interest is safeguarded, this is not a new thing.

Major discussion point

Private Sector Accountability and Regulation

Topics

Legal and regulatory | Economic | Cybersecurity

Agreed with

– Dejan Djukic
– Lia Hernandez

Agreed on

Regulation alone is insufficient and must be balanced with other approaches

Disagreed with

– Carlos Vera

Disagreed on

Role of regulation versus voluntary cooperation in information sharing

Lia Hernandez

Speech speed

133 words per minute

Speech length

– Carlos Vera
– Mary Uduma
– Audience

Agreed on

Capacity building and education are fundamental to cybersecurity resilience

Dejan Djukic

Speech speed

131 words per minute

Speech length

772 words

Speech time

353 seconds

Regulation is necessary but too slow to follow technology evolution, requiring community involvement

Explanation

While regulation is necessary as cyber threats become more sophisticated, regulatory processes are too slow to keep pace with technological evolution. Examples like GDPR needing additional directives demonstrate this lag, making community involvement essential rather than waiting for regulators to solve all problems.

Evidence

Agreed with

– Dennis Broeders
– Mary Uduma

Agreed on

Information sharing is crucial but faces significant practical barriers

Mary Uduma

Speech speed

119 words per minute

Speech length

208 words

Speech time

104 seconds

Capacity building with law enforcement is crucial for effective cybercrime response

Explanation

Law enforcement agencies need significant capacity building and development to effectively address cyber threats. Collaboration, capacity building, sensitization, and engagement with law enforcement are essential components for navigating cybersecurity challenges, as demonstrated by initiatives in Nigeria with the .NG registry managers.

Evidence

The law enforcement needs a lot of capacity or capacitation. So capacity building and development with the law enforcement is very key. That’s what we have started in Nigeria, in the Nigeria Internal Registration Association, the .NG managers. We have this capacity building and exchanges and engagement with our law enforcement to be able to bring to fore some of the threats, and they also understand the threats as well.

Major discussion point

Capacity Building and Education

Topics

Cybersecurity | Development | Legal and regulatory

Agreed with

– Carlos Vera
– Lia Hernandez
– Audience

Agreed on

Capacity building and education are fundamental to cybersecurity resilience

Audience

Speech speed

106 words per minute

Speech length

272 words

Speech time

153 seconds

Local universities create skilled young people whose talents are underutilized by companies and governments

Explanation

Universities are creating and co-creating many young people with strong ICT and cybersecurity skills, but local companies, governments, and civil society organizations are not properly utilizing these local talents and skills. While discussing combating cyber threats, there’s a need to focus on using available local resources and capabilities.

Evidence

Universities are creating and co-creating a lot of young people with a lot of skills. And what I find is that the local conception in terms of companies and the governments and even civil societies are not actually using these local talents and the local skills that have been created by our universities.

Major discussion point

Capacity Building and Education

Topics

Development | Cybersecurity | Sociocultural

Agreed with

– Carlos Vera
– Lia Hernandez
– Mary Uduma

Agreed on

Capacity building and education are fundamental to cybersecurity resilience

Organizations like Interpol Cybercrime Directorate and ITU provide frameworks for law enforcement assistance

Explanation

International organizations such as Interpol’s Cybercrime Directorate and ITU offer frameworks that can assist local law enforcement agencies. Interpol is particularly valuable for being intercontinental and interregional while also playing a role in local contexts.

Evidence

The Interpol Cybercrime Directorate is one of those, and I think Interpol is very known for being intercontinental, interregional, and it plays a part in the local context as well.

Major discussion point

Regional and International Cooperation

Topics

Cybersecurity | Legal and regulatory | Infrastructure

Godsway Kubi

Speech speed

129 words per minute

Speech length

198 words

Speech time

91 seconds

Online participation in cybersecurity discussions needs facilitation and encouragement

Explanation

As an online moderator, Godsway emphasizes the importance of facilitating remote participation in cybersecurity discussions. He actively encourages online participants to engage by asking questions and providing comments, ensuring that remote voices are included in the dialogue.

Evidence

I am hoping that before we finish the session, there will be some questions.

Major discussion point

Multi-stakeholder Cooperation and Governance

Topics

Cybersecurity | Development | Sociocultural

Jennifer Chung

Speech speed

157 words per minute

Speech length

2589 words

Speech time

984 seconds

Multi-stakeholder dialogue requires inclusive participation from all communities including technical implementers

Explanation

Jennifer emphasizes that effective cybersecurity policy requires bringing together not just policy makers but also the people who actually implement and code solutions. She highlights the need to bridge the gap between policy discussions and technical implementation by including coders and technical practitioners in governance discussions.

Evidence

Agreements

Agreement points

Multi-stakeholder cooperation is essential for effective cybersecurity governance

Speakers

– Carlos Vera
– Latty Thlaka
– Bangladesh IGF representative
– Jennifer Chung

Arguments

Need for security by design, local empowerment, participatory governance, and global frameworks for local action

Multi-stakeholder approach is essential for addressing cybersecurity as a human rights and governance issue

Community-based awareness and multi-stakeholder engagement are more effective than top-down approaches

Multi-stakeholder dialogue requires inclusive participation from all communities including technical implementers

Summary

All speakers agree that cybersecurity challenges require collaborative approaches involving government, civil society, private sector, technical community, and citizens rather than top-down or single-stakeholder solutions

Topics

Cybersecurity | Legal and regulatory | Development

Information sharing is crucial but faces significant practical barriers

Speakers

– Dennis Broeders
– Dejan Djukic
– Mary Uduma

Arguments

Information sharing is valued but difficult in practice due to organizational disincentives

Information sharing is essential for combating cybercrime, as demonstrated by recent illegal weapons case

Capacity building with law enforcement is crucial for effective cybercrime response

Summary

Speakers acknowledge that while information sharing is recognized as valuable for cybersecurity, organizations face institutional barriers and disincentives that make practical implementation challenging

Topics

Cybersecurity | Legal and regulatory | Infrastructure

Capacity building and education are fundamental to cybersecurity resilience

Speakers

– Carlos Vera
– Lia Hernandez
– Mary Uduma
– Audience

Arguments

Investment needed in training for citizens and local leaders, not just engineers in big tech

Education should explain how internet works and consequences rather than just prohibiting actions

Capacity building with law enforcement is crucial for effective cybercrime response

Local universities create skilled young people whose talents are underutilized by companies and governments

Summary

All speakers emphasize that comprehensive capacity building across all stakeholder groups – from citizens to law enforcement to local talent – is essential for building cybersecurity resilience

Topics

Development | Cybersecurity | Sociocultural

Regulation alone is insufficient and must be balanced with other approaches

Speakers

– Dejan Djukic
– Lia Hernandez
– Dennis Broeders

Arguments

Regulation is necessary but too slow to follow technology evolution, requiring community involvement

Cybersecurity must be established as state policy rather than changing with government priorities

Regulation may be necessary when industries propose self-regulation to avoid stricter oversight

Summary

Speakers agree that while regulation is necessary, it has limitations in keeping pace with technology and must be complemented by community involvement, stable policy frameworks, and appropriate oversight

Topics

Legal and regulatory | Cybersecurity | Infrastructure

Economic | Legal and regulatory | Cybersecurity

Unexpected consensus

Arguments

Private corporations prioritize profit over public interest and cannot be relied upon for voluntary sharing

Regulation may be necessary when industries propose self-regulation to avoid stricter oversight

Citizens have power to change governments and companies that don’t share responsibility and accountability

Summary

Dennis argues that regulation is necessary because private companies will prioritize profit over public interest and cannot be trusted to voluntarily share information for the public good. Carlos, however, emphasizes that citizens have the power to change both governments and companies through democratic and market mechanisms, suggesting a more optimistic view of voluntary cooperation and citizen empowerment.

Topics

Legal and regulatory | Economic | Cybersecurity

Approach to international cybercrime conventions

Speakers

– Lia Hernandez
– Carlos Vera

Arguments

Legal frameworks need to be updated to address new cybercrime trends and adequately criminalize cyber activities

International frameworks like UN committees provide legal frameworks despite jurisdictional limitations

Summary

Lia expresses skepticism about existing international conventions like Budapest and UN Cybercrime Convention, arguing that they don’t fit the realities of Global South countries and that local legal frameworks should take the best from both rather than following them wholesale. Carlos, however, supports international frameworks from UN bodies as necessary for cross-border issues like cybersecurity, despite jurisdictional limitations.

Topics

Legal and regulatory | Cybersecurity | Human rights

Unexpected differences

Trust in voluntary corporate cooperation

Speakers

– Dennis Broeders
– Carlos Vera

Arguments

Private corporations prioritize profit over public interest and cannot be relied upon for voluntary sharing

Citizens have power to change governments and companies that don’t share responsibility and accountability

Explanation

This disagreement is unexpected because both speakers are discussing the same goal of improving cybersecurity cooperation, but they have fundamentally different views on human nature and institutional behavior. Dennis takes a more pessimistic, regulatory approach based on historical evidence, while Carlos maintains an optimistic view of citizen empowerment and democratic accountability.

Topics

Economic | Legal and regulatory | Cybersecurity

Overall assessment

Summary

The main areas of disagreement center around the role of regulation versus voluntary cooperation, approaches to international legal frameworks, and trust in institutional behavior. Most speakers agreed on the fundamental challenges and goals but differed on implementation strategies.

Disagreement level

The level of disagreement is moderate and primarily methodological rather than fundamental. Speakers largely agreed on the core problems (need for information sharing, multi-stakeholder cooperation, capacity building) but disagreed on the best mechanisms to achieve these goals. This suggests that while there is broad consensus on cybersecurity challenges, there are significant differences in preferred governance approaches that could impact policy implementation and international cooperation efforts.

Partial agreements

Economic | Legal and regulatory | Cybersecurity

Takeaways

Key takeaways

Cybersecurity is fundamentally a human rights, development, and governance issue that requires multi-stakeholder cooperation at national, regional, and global levels

Information sharing is critical for cybersecurity resilience but faces significant institutional barriers due to competing interests between intelligence agencies, private companies, and threat intelligence firms

Four key principles for addressing AI and IoT cybersecurity: security by design, local empowerment through capacity building, participatory governance, and global frameworks adapted for local action

Regulation alone is insufficient – it’s too slow to keep pace with technology evolution and must be combined with community involvement and continuous awareness raising

There’s an inherent tension between cybersecurity legislation and privacy/data protection rights that requires careful balance and proper oversight mechanisms

Local talent and university-trained cybersecurity professionals are underutilized resources that should be better integrated into cybersecurity efforts

Cybersecurity must be established as permanent state policy rather than shifting with changing government priorities

The most effective information sharing occurs in trust-based communities like C-certs and sector-specific ISACs that use a health and safety approach rather than a security/liability framework

Resolutions and action items

Continue discussions on the NRI mailing list to address unanswered technical questions about AI posture differences between EU and US

Strengthen oversight mechanisms including judicial review for data access in cybersecurity investigations

Update laws to ensure proportionality, necessity, and transparency in surveillance activities

Invest in capacity building for law enforcement agencies to better understand and respond to cyber threats

Create more sector-specific Information Sharing and Analysis Centers (ISACs) to facilitate trusted information exchange

Develop harmonized laws and shared intelligence systems for regional and global collaboration

Ensure inclusive governance by giving underrepresented groups, youth, and civil society meaningful participation in cybersecurity policymaking

Unresolved issues

How to create effective incentives for private companies to share cybersecurity information when it conflicts with their profit motives

How to authenticate and verify legitimate law enforcement requests for information while protecting privacy rights

How to adapt international cybersecurity frameworks (like Budapest Convention and UN Cybercrime Convention) to fit diverse local contexts and legal systems

How to address the global implications of varied AI governance approaches between regions like EU and US for service provider certifications

How to balance the need for rapid response to cyber threats with the slower pace of democratic regulatory processes

How to ensure continuity of cybersecurity policies across changing government administrations

How to effectively utilize local cybersecurity talent that is currently underemployed by governments and private sector

Suggested compromises

Shift from security/liability framework to health and safety approach for information sharing to reduce organizational resistance

Create closed, trust-based information sharing systems with tiered access levels (amber/red systems) to balance transparency with security needs

Combine voluntary industry self-regulation with targeted government regulation where public interest requires intervention

Take the best elements from both Budapest Convention and UN Cybercrime Convention rather than adopting either framework wholesale

Establish permanent cybersecurity policies that transcend political changes while allowing for adaptive implementation based on local contexts

This comment powerfully challenges the victimization narrative often present in cybersecurity discussions by emphasizing citizen agency and democratic power. It reframes citizens from passive recipients of protection to active agents of change with real power over both governments and corporations.

Impact

As the final substantive comment, this provided an empowering conclusion that tied together themes of accountability, democratic participation, and multi-stakeholder governance. It reinforced the session’s emphasis on inclusive governance while providing a call to action that elevated citizen responsibility and power.

Overall assessment

Explanation

This explores creating more effective local cybercrime legislation by combining strengths of existing international frameworks rather than adopting them wholesale