Uncategorized

Summary

This discussion focused on protecting critical infrastructure from cyber threats and implementing international cyber norms. Participants explored how to identify critical infrastructure, noting the challenges in reaching a universal definition due to regional differences. They emphasized the importance of understanding interdependencies between sectors and conducting thorough impact analyses.

The conversation highlighted the need for baseline cybersecurity measures for critical infrastructure operators and service providers. Suggestions included asset inventory, vulnerability management, and compliance with applicable standards. Participants stressed the importance of training employees and raising awareness about cybersecurity risks.

The role of international cyber norms and confidence-building measures was discussed, with participants generally agreeing that these voluntary agreements can help reduce risks and foster cooperation. However, questions were raised about their effectiveness in preventing attacks during conflicts.

Participants debated whether it’s realistic to expect cyber operations to avoid targeting critical infrastructure, especially during peacetime. They noted the challenges in attribution and accountability when norms are violated. The discussion touched on the potential for unintended consequences when attacking interconnected systems.

Regional and international cooperation was proposed as a way to address these challenges. Participants suggested creating shared definitions of critical infrastructure within regions and establishing mechanisms for information sharing and joint incident response.

The session concluded by emphasizing the need for more diverse global participation in discussions about critical infrastructure protection and cyber norms implementation, particularly from developing countries and civil society organizations.

Keypoints

Major discussion points:

– Defining and identifying critical infrastructure across different countries and contexts

– Implementing baseline cybersecurity measures and standards for critical infrastructure protection

– Understanding interdependencies between critical infrastructure sectors and supply chains

– The role and impact of voluntary cyber norms and confidence-building measures

– Challenges in protecting critical infrastructure during peacetime and conflicts

Overall purpose:

The goal of this discussion was to explore practical measures and international frameworks for protecting critical infrastructure, as part of the Geneva Dialogue project to connect high-level cyber norms with on-the-ground implementation.

Speakers

– Anastasiya Kazakova: Cyber Diplomacy Knowledge Fellow at Diplo, part of the Geneva Dialogue team

– Vladimir Radunovic: Director, E-diplomacy and Cybersecurity Programmes at DiploFoundation

– Thomas Schneider: Director of International Affairs, Swiss Federal Office of Communications (OFCOM)

– Nicolas Grunder: Global Lead Counsel Digital, Data & Cyber, ABB

– Bushra AlBlooshi, Director of Cybersecurity Governance Risk Management Department, Dubai Electronic Security Center

– Kazuo Noguchi, Senior Manager R&D, Hitachi America

– Kaleem Usmani, Head of the CERT-MU, Mauritius 

– Klée Aiken, Director, Community & Capacity Building, the Forum of Incident Response and Security Teams (FIRST)

– Maria Pericàs Riera, Project Assistant, Center for Geopolitics, Geoeconomics, and Technology, DGAP

– Melanie Kolbe-Guyot, Head of Digital Policy, C4DT – EPFL

Expanded Summary of Critical Infrastructure Protection Discussion

Introduction:

This discussion was part of the Geneva Dialogue on Responsible Behaviour in Cyberspace, an initiative launched by the Swiss government and implemented by DiploFoundation with the support of several actors, and aimed at connecting high-level cyber norms with on-the-ground implementation. As explained by Vladimir Radunovic and Thomas Schneider, the project currently focuses on protecting critical infrastructure from cyber threats and implementing the agreed cyber norms. The session brought together participants from various sectors, stakeholder groups and regions to explore practical measures and international frameworks for protecting critical infrastructure and promoting responsible behaviour in cyberspace.

Geneva Dialogue Project and Scenario-Based Exercise:

The session began with an introduction to the Geneva Dialogue and its goals. A significant portion of the discussion revolved around a scenario-based exercise, which presented participants with a hypothetical cyberattack on a fictional cloud service provider. This exercise served as a springboard for discussions on critical infrastructure protection, international norms, and practical implementation strategies.

1. Defining and Identifying Critical Infrastructure:

A central challenge highlighted throughout the discussion was the need to define and identify critical infrastructure across different countries and contexts. Maria Pericàs Riera presented the DGAP project and noted the significant diversity in how countries define critical infrastructure globally, with over 40% of countries not publicly announcing what they consider critical. This diversity presents challenges in establishing common norms and protections.

Dr. Bushra AlBlooshi emphasised the need for common agreement on critical infrastructure definitions at regional or international levels. Kaleem Usmani underlined a need for conducting thorough asset inventories and impact analyses at a national level, highlighting a difference in approach between standardisation and individualised assessment.

Nicolas Grunder from ABB stressed the importance of understanding what constitutes critical infrastructure, while Anastasiya Kazakova pointed out the challenges in identifying cross-jurisdictional interdependencies. This underscored the complexity of the issue, particularly when dealing with infrastructure that has national, regional, or international impact.

2. Protecting Critical Infrastructure:

The discussion emphasised the need for baseline security requirements for critical infrastructure. Kazuo Noguchi from Hitachi America highlighted the importance of backup systems and geographic distribution of infrastructure, introducing a specific, practical measure for protection. Paola Nkandu Haamaundu stressed the need for training and awareness programmes for critical infrastructure staff, while Nicolas Grunder emphasised the importance of business continuity and incident response planning.

Vladimir Radunovic pointed out the need to secure supply chains and address interdependencies, a point echoed by Dr. Bushra AlBlooshi, who highlighted the complexity of interdependencies between different infrastructure sectors. Dr. Bushra shared a practical example: “We need to defined the critical sectors, and for each sector, we need define their he interdependencies, and if one sector goes down, this will give us a better understanding of what we should expect from the other sector.”

3. Role of Cyber Norms and International Cooperation:

Kaleem Usmani from CERT-MU argued that cyber norms help reduce the risk of attacks on critical infrastructure. Vladimir Radunovic elaborated on the importance of confidence-building measures and the role of norms in guiding responsible state behavior in cyberspace.

Klée Aiken from FIRST highlighted the importance of information sharing and threat intelligence exchange. However, Melanie Kolbe-Guyot from C4DT-EPFL raised the question of whether cyber operations can realistically avoid targeting critical infrastructure, especially during conflicts.

4. Challenges in Critical Infrastructure Protection:

Several challenges were identified throughout the discussion. Dr. Bushra and Vladimir both highlighted the complexity of interdependencies between different infrastructure sectors and the challenge of protecting infrastructure with international or cross-border impacts.

Imad Aad from C4DT-EPFL pointed out the difficulty in controlling security of actors across supply chains, a point echoed by Kazuo Noguchi who emphasised the interconnected nature of supply chains, including software, hardware, IoT, and people.

Anastasiya Kazakova raised the issue of lack of transparency from some states about critical infrastructure protection approaches, suggesting that greater transparency is needed to enable stakeholders to support state efforts in critical infrastructure protection.

Vladimir Radunovic also highlighted the potential unintended consequences of attacks on service providers like the fictional OmniCloud, emphasizing the far-reaching impacts such attacks could have on various sectors and countries.

5. The Geneva Manual and Operationalizing Norms:

Thomas Schneider discussed the Geneva Manual, which focuses on operationalizing critical infrastructure-related norms. The manual aims to provide practical guidance on implementing cyber norms and protecting critical infrastructure.

Conclusion:

The discussion concluded with several key takeaways:

1. There is a need for international efforts to better understand cross-jurisdictional interdependencies across CI at national, regional and international levels.

2. Protecting critical infrastructure requires addressing complex interdependencies and supply chain vulnerabilities.

3. Cyber norms and international cooperation play an important role in critical infrastructure protection, but challenges remain in implementation.

4. Baseline security requirements and standards are needed for critical infrastructure operators and service providers.

5. Critical infrastructure protection requires engagement from multiple stakeholders including governments, industry, and researchers.

Action items included finalising the next chapter of the Geneva Manual focused on critical infrastructure protection by early next year, developing more scenario-based games and cards to facilitate discussions, and seeking more input and participation from developing countries in the Geneva Dialogue process.

Vladimir Radunovic concluded by mentioning an upcoming session on civil society engagement in technical discussions, further emphasizing the project’s commitment to inclusive dialogue.

The discussion highlighted the complexity of protecting critical infrastructure in an interconnected world, emphasising the need for continued dialogue, cooperation, and practical action at national, regional, and international levels.

Vladimir Radunovic: Okay, let’s start. I hope you all got the headphones. It’s channel number four. So, number four is the room. Welcome to the session Securing Critical Infrastructure, Who and How. My name is Vladimir Radunovic. I’m leading cybersecurity programs for Diplo Foundation, an international educational capacity building institution. I’ll be sort of a host today together with my colleague, Melanie, who is here on behalf of DPFL and C4DT. But there will be a number of distinguished experts also joining us both here and online. And there I count all of you as well. Now, critical infrastructure has become a buzzword and we have seen it everywhere, popping up in the norm setting and policy setting frameworks, but also popping up among the professionals dealing with cybersecurity. But rarely we see how these two connect. Typically, the discussions are in silos. What we are trying to do with the Geneva Dialogue Project, and you will hear in a second a bit more about that, is to connect the high-level norms, cyber norms and frameworks with the practical work in protecting critical infrastructure. But before we dive into the session, let me welcome on behalf of Switzerland, who is the main supporter of the Geneva Dialogue on Responsible Behaviour, Thomas Schneider on behalf of Ofcom of Switzerland, to maybe put the welcome words and set the stage. Thomas, the floor is yours.

Thomas Schneider: Yes, thank you. This is an initiative of the Swiss Federal Foreign Ministry, but we partner with them in many ways, so they’ve asked me to say a few things about the Geneva Dialogue and the motivation also behind this. The Geneva Dialogue on Responsible Behaviour in Cyberspace was established by the Swiss Foreign Ministry now six years ago. It is led by our friends from the Diplo Foundation with the support of the Republican State of Geneva. Geneva is, in their view, a state of themselves. Other partners include the C4DT, we’ve already heard from EPFL, Swisscom and UBS. The aim of the Dialogue is to analyse and map the roles and responsibilities of the various actors in ensuring the security and stability of cyberspace. The Geneva Dialogue is a global dialogue, building on the Geneva tradition of bringing the world together. It engages some 100 companies, organisations, institutions and experts. In 2023-2024 more than 50 representatives and independent experts have contributed to the drafting of the Geneva Manual. In this context the dialogue stems from the principle of shared responsibility and particularly asks how the agreed cyber norms can be best implemented by relevant stakeholders together as a means to contribute to international security and peace. Concretely the Geneva Dialogue investigates the consequences of agreed upon norms for the relevant stakeholders. It does not try to find consensus but to document existing views of such stakeholders on their roles and responsibilities in the Geneva Manual as well as give good practices that should inspire others and promote responsible behavior in cyberspace. So this inaugural edition of the Manual focuses on two norms related to supply chain security and reporting of ICT vulnerabilities. This year the Geneva Dialogue discusses the operationalization of the critical infrastructure related norms and the sessions is another important opportunity to gather international feedback from various experts for the next chapter of the Geneva Manual. So I’m looking forward to an interesting discussion and I hope you all enjoy it. Thank you very much.

Vladimir Radunovic: Thank you Thomas. So briefly what the outline of the session will look like. We’ll start with a short overview of what is the main challenge that we try to address and what is the Geneva Dialogue about. My colleague Anastasia remotely will run us through that and then we’ll play a little bit and I think that’s the point of making most of the sessions useful but also interesting. So we’ll have a scenario game with cards. and we’ll break up in groups, we’ll try to step into shoes of governments, operators of critical infrastructures, researchers. And then after that, we’ll get back to a plenary discussion to reflect a little bit on main issues that were raised. I’ll pass the floor now to Nastya to lead us through the main issues and the Geneva dialogue, and then to drive us into the scenario exercise that we’ll play. Nastya, over to you.

Anastasiya Kazakova: Hello, everyone. Happy to be here. My name is Anastasia Kozakova. I’m a Cyber Diplomacy Knowledge Fellow at Diplo, and I’m also part of the Geneva Dialogue team. And within my 10 minutes, I’m going to briefly tell the story of what we do within Geneva Dialogue. And I think the perfect example would be this fictional story, which, of course, unfortunately, inspired by real events. So let’s imagine a large logistics company identified as a critical infrastructure operator, which was hit by a ransomware attack because the threat actors managed to target the weak security at the company service provider. And the service provider happened to be a small company, which provides cloud services and manages the cloud infrastructure of that logistics company. Imagine a part or a whole infrastructure of your company being frozen just because you are interdependent with other companies across supply chains. But of course, you have little control over the security of other actors across supply chains. The challenge that you are inevitably affected and your infrastructure might be at risk. And that’s, I think, one of the default scenarios across different actors across supply chains where different products, infrastructure have been interconnected with inherent vulnerabilities and the potential for malicious actors to target this. One of the main questions for us that we’ll look at and this story provides us with the example, who is responsible for taking action to mitigate cyber risks and protect critical infrastructure across borders and supply chains? Fortunately, there is some guidance. Almost 10 years ago, states formulated and agreed on a set of norms for responsible state behavior at the UN and some of the norms specifically agreed on to ensure supply chain security, report ICT vulnerabilities and also to protect critical infrastructure. There are questions though, how these norms guide actors in protecting critical infrastructure and how can specifically non-state stakeholders, which is the private sector, academia, civil society, technical community can implement the norms and support state’s efforts? So these are the questions that we look at the Geneva Dialogue, which is the global dialogue, we build a community and we discuss the roles, responsibilities of different actors in cyberspace to facilitate responsible behavior, implement the norms and address cyber risks. The initiative has been running since 2018 and there was a lot of work being done since then. In 2023, we started exclusively looking at the implementation of the norms and since then you can see that more than 60 contributors, which represent organizations, businesses and also individual experts who participate on a personal capacity have contributed to the Geneva Dialogue. All of these contributors come from more than 20 countries from different regions and that highlights that Geneva Dialogue is truly about the global community connecting different people in different parts of the world. In our community, we look at the four main stakeholder groups. So as I mentioned, this includes non-state stakeholders represented by the private sector and industry, academia, civil society and technical community, which is mostly represented by open source community, cybersecurity researchers and incident response experts. As there are 11 norms that we need to look at, we started discussing them step by step and in 2023, First we started with the two norms related to vulnerabilities and supply chain security. So that was the first step of our work. The outcomes were published in the Geneva Manual, the comprehensive guidance on how the stakeholders can help support the state’s efforts, other efforts in the community and implement the norms. This year, we expanded the scope and started looking at the three norms which we grouped as the norms related to protection of the critical infrastructure protection. We did quite a lot of work and here, there’s just some of the examples. In 2020, we already discussed different good practices, which the private sector implements to build a secure by design products and reduce vulnerabilities in them. In 2021, there was a study where we looked at the different governance approaches of selected countries to regulate the security of digital products. Essentially, that was a solid basis for us to more actively look into the implementation of the relevant norms and produce the first chapter of the manual in 2023. Structurally speaking, the Geneva Manual provides different inputs and we intentionally want to keep this document user-friendly for different stakeholders with different backgrounds. So when we discuss roles and responsibilities, there’s the first element, what when we identified a particular role, which is important to implement the norm, then we also look at the responsibilities, the incentives, this is the white element, different challenges, which stakeholders might have, which serve as a barriers for them to implement the norms and the good practices. Hopefully that might be helpful for those who are not part of the Geneva Dialogue, but who might be interested to make the contributions and find different useful experiences from Geneva Dialogue experts. And specifically when we discussed the norms related to vulnerabilities and supply chain security, we identified five roles. So you see them on the right side and specific. I just want to emphasize that civil society was also highlighted as one of the roles by our experts because we believe that and we heard the feedback from our experts that civil society, especially those actors who are involved in policy, advocacy and research might be a really important element putting the pressure on both state actors and the private sector to implement the norms and facilitate implementation of the relevant security practices. Today’s session is one of the first steps for us to collect international feedback which is increasingly important for us to produce the final chapter of our work this year with the focus on the critical infrastructure protections. Early next year we are going to announce the next chapter, the second chapter, with the focus on critical infrastructure protection. Just to give you a brief example of the level of discussions that we have in the Geneva Dialogue, there are some preliminary findings that we’re able to hear from our experts. I’m not going to read out all of them and we will be actually happy to share the finalist version early next year as I just said, but just to give you some of the examples of what we discussed. When we unpacked those norms which are the result of the diplomatic agreements between states at the UN, our non-state stakeholders and experts highlighted different concerns. One of them is the lack of the international efforts to understand and protect cross-jurisdictional interdependencies in some critical infrastructure sectors that might have regional international impact. The other point that we also heard is that critical infrastructure is governed by national legal frameworks and some states prefer to keep a high level of secrecy due to national security reasons. However, a lack of sufficient transparency for stakeholders, specifically domestic stakeholders, was highlighted as one of the barriers for them to support state efforts in critical infrastructure. protection and therefore different experts have highlighted that transparency about how states see the approach to protect critical assets is important element to make sure that stakeholders are aware of those efforts. Another example of what we so far have heard from our experts and that would be the topic of our tabletop exercise, a lack of universal baseline or minimum cyber security requirements to protect critical infrastructure. The suggestion came from the discussion that again there’s acknowledgement that critical infrastructure is governed by national legal frameworks, however there are connections between different critical infrastructure facilities through transnational essential services or other types of the infrastructure and that actually raised different more or less universal questions about the security across the supply chains for critical infrastructure operators. The question then further how to make the different legal systems which govern critical infrastructure and the security in them more or less interoperable so the actors who face more or less the same security issues might already have a common basis at least baseline understanding on how to address those security issues. I’d like to stop here and just make a call that as I mentioned we build the community and we also welcome the input of our interested stakeholders to support our work and also contribute with their expertise so the first chapter of the manual that we produced last year is published and you can see the link on the website that’s open to the feedback you can get in touch with us directly and at the same link we are going to announce the next chapter of the Geneva manual and ultimately we would welcome other stakeholders who are interested who have time and passion please join us to discuss this. important topics. So thank you very much. I’d like to briefly then go to the next segment as Vlada mentioned. We have the table top exercise which will be the with the main focus on discussing possible universal minimum baseline security measures for critical infrastructure protection. And before we explain the rules for participants on-site and virtually, we prepared the fictional scenario and to explain it perfectly we prepared also the video and hope that will be a little bit entertainment today. So I’m gonna to launch the video and please let me know if you can hear it.

Vladimir Radunovic: We don’t hear the sound though it’s not necessary. You can try to see if you can

Anastasiya Kazakova: put the sound on but we have the script. Okay on my side the sound is the maximum.

Vladimir Radunovic: Is the sound also shared? I hope so. Even if not I mean it’s it’s very visual and it’s inside so it’s fine. Okay so I’ll continue.

Video: Something significant has happened. Mr. Martin. Come in. I’ve been waiting for you. We’ll skip the formalities. Global Flow Logistics has a big security problem. IT will handle that. We need your services to deal with a different type of problem. Needless to say, I expect absolute discretion. It wasn’t even us they targeted directly. The breach had come through Nimbus Tech Solutions. Could you explain what happened? The attackers have exploited vulnerabilities in Nimbus Tech Systems’ poor network segregation, weak access controls, and outdated patches. Once inside, they moved into the infrastructure of the cloud service provider OmniCloud, eventually further slipping into, among other clients, into GFL IT systems. I assume something similar to this scenario happened. All our systems are blocked. The key infrastructure is offline. What happened? We need answers now. I’m working as fast as I can. The threat actors breached our systems and the entire supply chain that supported critical infrastructure across the region. Get the global flow online and fast. Their infrastructure goes offline and puts the entire critical infrastructure in our country at risk. Great. Now all systems are blocked. I just had a call from the government. They are asking for answers. Ms. Wong? This was no ordinary cyber attack. It was a full-scale assault on the networks that kept modern society moving. It seems that it had all started with a simple, preventable breach in a small company. The consequences would echo for weeks. But at that moment, she only had a few hours to figure out how to stop the bleeding before the entire structure crumbled.

Anastasiya Kazakova: So that was the scenario. That was a really short explanation of what happened. And the main idea, it’s completely fictional that there was a supply chain attack targeted a large logistics company through the weak security of the company’s service provider. And that affected multiple critical infrastructure industries in the country. So currently, at this moment, we’d like to proceed discussing this scenario in several groups and I’ll just want to briefly explain the rules. The main goal would be for this scenario to discuss the three questions that we prepared in smaller groups and reflect mainly on what could be possible those minimum cybersecurity requirements for, first of all, critical infrastructure operators and relevant stakeholders, service providers to protect critical infrastructure. So we want to look at this problem from different perspectives, different lens: government, critical infrastructure industry and cybersecurity research stakeholders. And we will have also team captains for each group on site and virtually. And as I mentioned, we will have three questions for each group. Those questions you can see on the slide. So basically, one of the first questions, what universal baseline security should be mandated for the operators? The next question with a focus on the same security requirements, but for the service providers, if you see the difference between them, would you believe that might be actually a closer approach to define those security measures for service providers as for the critical infrastructure operators? And the third question, a little bit optional, if you still have the time, which steps are required at a regional international level to ensure these requirements are effectively implemented across different sectors and jurisdictions? The question mostly targets different international efforts, if you see the necessity, especially in currently complex, geopolitically complex environment. We mentioned we also have team captains. So on site, we will have several groups.

Vladimir Radunovic: Thank you, Nastya. But as you can see, we have quite some ladies, which is a nice surprise in cybersecurity areas, not so often. What we are going to do now, we’re going to break into, I’ll add another group because there is a huge number of people in the room. So on this side of the room, I invite everyone who wants to play a role of the government to just move there slowly. They will be led by Dr. Bushra and Melanie. On this side of the room, we’ll have all those that want to play the role of the critical infrastructure operators. Think about critical infrastructure in whatever way you want. Hospitals, transportation, energy, whatever. In this case, we have a transportation issue. Maria will lead that group. I’ll take the third group, which is the cybersecurity researchers, incident responders and techies in a way, in this part of the room. What we are going to do, my colleagues will give us the scenario. So this video that you saw you also get in a comic book format So we’ll have few minutes to go to the comic book to remind ourselves Then we’ll get the cards each group will have the cards which will make us enable us to discuss the options to choose couple of cars that are priority options based on three questions that Anastasia looked at now the important thing the scenario shows something that happened an incident We’re not responding to an incident. We are rolling the time backwards and saying what should have we done so that this doesn’t happen. So think about rolling backwards to say if we have done this measure which says maintain and up-to-date all the digital assets of the critical infrastructure. This might not have happened and so on. Don’t go into details of the incidents – we are trying to see how the global norms and these practical issues are connected. Okay those that want to play the government move to that side those that want to play the critical infrastructure play move here. We’ll have about 20-25 minutes to discuss in groups and the colleagues the leaders will tell us what to do. Thank you.

Anastasiya Kazakova: All Right, so we will proceed virtually I Hope the participants on site can hear us. So Kaleem the floor to you and I will start her in the screen.

Kaleem Usmani: Thank you very much, Anastasia, and good afternoon, everyone. As Anastasia has mentioned, we are the Cybersecurity Research Stakeholder Group, and then, as announced before just starting this scenario, we are having some 20-25 minutes, and we are having three questions in a round. One, universal baseline cybersecurity measures should be mandated for CI operators to protect their infrastructure. And again, in terms of the CI operators, in terms of the service providers, so basically what we’re trying to do here is that we are encouraging the participants to come up with their suggestions, and then we will be opening the floor soon. We will also be having our colleague, Nicholas, who will be again talking about the first question on to the CI operators. So, we will wait a little bit on to that and then maybe we can start.

Nicolas Grunder: Yeah, thank you very much, Kaleem. I think I would not add too many more words, as we only have 25 minutes, I suggest that we just get started, right? And Anastasia, I was not so sure with the cards, it’s probably difficult to pull up the cards with suggestions, right? So, maybe we… Yeah, I think I would not add too many more words, as we only have 25 minutes, I suggest that we just get started, right? And Anastasia, I was not so sure with the cards, it’s probably difficult to pull up the cards with suggestions, right? So, maybe we… So, I suggest that we maybe just start with someone from the participants, considering what should be some baseline security measures and suggestions. I think we should just open the discussion of anyone who would propose a suggestion and why you would have such a suggestion.

Kaleem Usmani: So, I think we’re having one hand raised, Imad, please go ahead.

Imad Aad: One thing that comes to my mind for researchers to make some requirements for critical infrastructure operators is first to understand the critical infrastructure first. It’s not clear for all the researchers what is a critical infrastructure even in their own country. Second thing, they don’t know what is the supply chain of this critical infrastructure, right? Here, there’s a big question which is, should the critical infrastructure make it transparent? How they depend, what are their providers, there are some pros and some cons against this.

Kaleem Usmani: All right, maybe also another aspect of it is that we are trying to focus from the organizational and the technical measures. So meaning to say that what could be the organizational measures that these CII operators, they should be putting in place and as well as the technical measures, what they should be putting in place. As Imad said that first of all, it is important for us to understand that what are the critical infrastructure, what it is, how do we identify that, how do we carry out the assessment, what organizational structure is required. So I think these are the aspects and Nicholas, I think we will be having one more hand raised, Paula. So Paula, please go ahead. Thank you. Thank you.

Paola Nkandu Haamaundu: Thank you Dr. Kaleem. Just adding on to what the previous contribution was, understanding what critical infrastructure is. So for instance, if the nation deems that maybe the health sector is critical infrastructure, what the health sector should do as a start is to identify what assets they are in charge of, what assets they have. That way, they’ll be able to know what needs to be protected, what should be classified as high risk, what should be classified as low risk. And this is maybe more on the operational side. So they should be able to understand what assets they have as the health sector, what’s critical for the nation to have and to deem as critical infrastructure, what should be protected first. If the health sector was attacked, what would cause the biggest challenge to the health sector? So a basic understanding of what the assets are, or sort of like an asset inventory.

Kaleem Usmani: All right. Thank you, Paula. So I think again, the question which is coming here is that how do we identify critical infrastructures and what are the ways of doing it? So maybe we are having Nicolas on board from ABB. Nicolas, would you be able to share a little bit of experience where what are the ways and what are the sort of, in a way, baseline questions or kind of a checklist, which helps the organizations in order to identify their critical infrastructures? Obviously, in different countries, critical infrastructures, they vary a little bit as compared to the other country. But as per your experience, Nicholas, would you quickly tell us a little bit about how to identify and then how to carry out the risk identification around so that clearly they’re able to identify which sectors are or could be considered as critical?

Nicolas Grunder: It may vary between the countries depending on the industries they’re actually having. But I think what is something common is looking at the impact. So what impact does it have if a certain company or a certain type of providers of infrastructure would be taken out of service, either partially or completely, and what impact does it have on individuals on the functioning of certain services. And it’s basically about defining the services that are critical for functioning of society, right. So, of course, it’s very, very high level but but I think that that would be something important as we have heard is, if there is at least some sort of a common understanding and I think now looking at from an info for also from a provider of products into critical infrastructure so basically looking at the supply chain. That’s of course is important for the providers of products into critical infrastructure because we will have to to actually employ and deploy and develop cybersecurity measures for the products that are then secure to be used in these critical infrastructures. So so looking at the question what what is what is the universal baseline. I think that this probably difficult to formulate conclusively what is critical infrastructure but giving some of the criteria, what, based on the impact, it can have, I think, I think that that would be certainly helpful.

Kaleem Usmani: Thank you. Thank you, Nicolas, and also, I think, along with this particular group we are having two other experts, and one is clear from first and one is casual. And maybe we can also hear from clay clay. Do you have some sort of explanation around what Nicholas has added. clearly that how and what are the best practices for identifying critical infrastructures because normally we see that as Nicolas mentioned that that’s the key that that’s the key once we have and then also some reflection onto the part of the governance and the risk management that how the whole governance of this critical information infrastructure partition has to happen in a country and then we move on to the next level of understanding. So Klee, the floor is yours.

Klée Aiken: Good everyone and thanks Kaleem. I hope everyone can can hear me okay. Yeah I think you know in terms of the basic baseline cyber security measures and things like that obviously there’s the normal level that you’d expect from any type of organization but by being critical infrastructure you do have these additional requirements that are placed upon your organization. In terms of determining which organizations fall into that category it’s very much determined by each individual government and their approach and their perspective. You know we’ve had conversations with folks in the Pacific for example where you know certain cultural aspects or assets or tourism related assets that wouldn’t necessarily be considered critical infrastructure in other countries were deemed critical infrastructure at least in the exercises that we were doing. So it’s really important as Nicolas said to look at what is that impact on the individual economy. So that’s national security perspective, that’s an economic perspective and most importantly is looking also at the human impact both directly in terms of you know for example health and human services and that impact on people’s health and their ability to get treatment and emergency care but also kind of the flow-on impacts that can that can have effects on individuals. Last or two weeks ago, we were on a panel and one of the speakers was speaking about the ransomware incident in Australia last year. And one of the challenges that they faced was finding means to coordinate between the federal government, the state governments, and being able to reach from a cyber perspective into women’s shelters, because very sensitive information about folks staying in those facilities were leaked through the ransomware incident. So you have to really focus on those kind of flow on third order impacts that wouldn’t necessarily come to mind. So critical infrastructure can get very complicated to define. But yeah, it’s just important to focus on that impact on individuals, national security, and economy. Thank you.

Kaleem Usmani: Thank you very much, Klée. And another aspect also is in terms of organizational measures we have been talking about. And then also, the other important aspect is the technical measures, because both are the combination. Because if you want to put it in a more structured, then obviously both organization and technical measures are important, because organizational measures normally govern the whole technical measures implementation. So we are having a hand, and then maybe we’ll get back to Kazuo on the technical measures. Imad, you have the floor, and then we move on.

Imad Aad: Yeah. Here I am again. Regarding the impact, it is very complicated to measure the impact of a flow in a given infrastructure because of the dependencies. Let’s say if you are cutting water, okay, water is critical infrastructure. And then how long will the society survive just because of the lack of water, but it’s also for cooling. for instance, for cooling generators or for cooling whatever, then electricity might depend on the water. Everything else depends on the electricity. And trying to measure how much dependent water is on electricity or vice versa, this is super hard, right? What may help in this direction, what may help the researchers is, for each critical infrastructure service, they can define what they depend on and what other stuff depend on them. So input and output dependencies. This may be helpful for researchers, right? In order to assess the impact of attacks.

Kaleem Usmani: Sure. Thank you very much. I think interdependencies is the key into defining the critical infrastructures. I totally agree. And this is an area, which is a complex area, which we need to look into and work onto. And I think for today’s discussion, interdependencies of the critical infrastructure is one of the areas to be discussed and have a thought process onto that. Imad, do you want to say something?

Imad Aad: Yeah, I would add to the note that it’s inward and outward for each service. So it’s not only if I am electricity, I’m an electricity provider. It’s not only what I depend on, but I can also list what other services depend on me. You see what I mean? Yeah, thanks.

Nicolas Grunder: I just may add, I just seen a comment that Paolo Carlos made and he mentioned continuity planning. And I think this is a very important baseline that… So what’s the goal of protecting critical infrastructure? So the goal is that it actually, it can continue to operate and having the business continuity and the recovery planning in place, having played that, I think that is also an important requirement that actually should be applicable across the board, regardless of jurisdiction, right? Because you want to keep it running.

Kaleem Usmani: Thanks. Thanks, Nicolas. And again, that’s again a good point, of course, continuity and business continuity is important, and especially here, we are talking about the design and that is, again, an important aspect. So maybe even Kazuo is with us. And Kazuo?

Kazuo Noguchi: Yes, great targets here already. Ultimately, for critical infrastructure to be sustainable or resilient, any attacks can be tolerated. So how long it can be sustained, regardless of attacks, how to create not to be kind of down. So that’s one of the resilience measure. But impact analysis, I totally agree the consequences, as well as the risks measure, particularly to the human lives. And from that, investment and the priorities and the resources should be allocated accordingly. But critical infrastructure named based on the countries like 15 or 13 or 18. But those are adding based on the risks and human lives these days for the technical advancement. In addition, these new additional things such as AI can be impacted quite well, positively and negatively, how to make those measures or risks or consequences human lives should be properly put into the context. So let me stop here.

Kaleem Usmani: Thank you. And so obviously, as the discussion is moving towards that, how do we identify how to identify the services? What is the importance of interdependencies inward and outward? again secure your supply chain. This is again is coming up out of this particular discussion. Even impact analysis is important. I think this was mentioned by Nicolas as well as Klée. This is also something what we need to have once we are talking about the baseline security measures which we need to have and we move on accordingly. So still I think we are having some three to four minutes for us to discuss from that. Any other questions from the floor maybe that we can take it up and then we can summarize quickly and then we can have a last round with the experts here and then maybe then we can wrap up this part of the discussion. So any questions from the floor? Paula, you have the floor.

Paola Nkandu Haamaundu: Thanks. Maybe not a question per se but I think there should also be an aspect of training for the employees and awareness because of the industry or because of how quickly cybersecurity changes and things are moving. There’s constant need to be up to date with how to protect critical infrastructure. So there’s need for training for staff that are working on that critical infrastructure but also the general awareness for staff that interact with the infrastructure. Thank you.

Kaleem Usmani: And coming back one more thing which is connecting of course because even training and awareness is important. Another aspect also once we are talking about the technical measures here is again compliance and standards and I think that connects a part of very much as a cybersecurity major onto the CI operators. So maybe I can open the floor to the experts and around compliance and standards for this as a cybersecurity major for the CI operators and then maybe we can wrap up this session here. So I’ll start with Nicolas and then Klée and then to Kazuo and for that if there is any final question which we have that we can take it up and then we can close. So over to you Nicolas.

Nicolas Grunder: Thank you Kaleem. I think I mean standards is absolutely essential especially if you look at it from perspective. of a globally operating company. I think that is where the big benefit of cooperation or global cooperation is essential, that there are certain standards that you can also rely upon and that you know they apply in country A and in country B and in country C and that would then be actually the real baseline. I’m now trying to look, I’m a lawyer so I’m not a researcher, but trying to look at it from a researcher’s perspective, I think that is where where researchers can play a huge, huge role in actually defining these standards, right? Because that’s something when you look at it from a technical perspective, that’s very much something where the researchers will actually provide the input.

Kaleem Usmani: Thank you. Thank you, Nicholas. Over to you, Klee, for your final thoughts.

Klée Aiken: Yeah, definitely. So with standards and compliance, you know, there’s obviously the clear value of the standards to help teams to uplift their cybersecurity, but there’s also kind of the responsibility on government when you’re defining certain industries and certain organizations as critical infrastructure to create certainty of the expectations that you have on the companies. So that’s a pretty critical role that can be played and you can look not only at the technical standards and technical expectations and policies that need to be in place, but also responsibilities around reporting as well as communications. Because again, we’re looking at critical infrastructure because of the flow-on impact that it has on the wider economy and individuals. So thinking about other aspects beyond just technical expectations when you’re developing these types of standards is quite important. Thank you very much, Klee.

Kazuo Noguchi: Yes. So, ultimately, global supply chains are really complex, and including small companies and small nations, and built onto supply chain, software, hardware, IoT, and the people in the supply chain, and how to make sure that the end-to-end is working well, and all the service providers to protect those, including databases, as well as those chains, and the hardware chains, which is part of this exercise, but software supply chain, there is also, and the database are all connected. So, all the researchers to analyze those, and some vulnerabilities to get to know and protect constantly, those are the part of the measures, particularly automated things are coming up, and all connected, physical, as well as the virtual things. This case is cloud, which is a new type of, perhaps, political infrastructure category, perhaps. So, how we can make sure that all connected things can be protected well. So, those are going forward. Thank you.

Kaleem Usmani: Thank you very much, Kazuo. So, more or less, I think we are getting into the shape of understanding that what should be the basic or baseline cybersecurity measures should be mandated for a CI operation. And the discussion which has come up here is, how do you identify? What are the ways of identifying and understanding the structure of the CI? I think this is another aspect which we have been talking about. Interdependencies was something, again, we have been discussing that how the interdependencies inbound and outbound, that has to be seen in order for us to look at the complete visibility of the supply chain attacks, in order to identify the CIS and accordingly put subsidy measures in place. We also have been talking about the impact analysis because this is impact analysis is important in order for you to identify whether the CI is critical or not. This is, again, I think what we have been talking about. Another discussion which came up as a baseline cybersecurity is also the business continuity and even the incident response plans, they’re important aspect of having that baseline cybersecurity measure in place for the CI operators. Also, we have been- We start? And then obviously implement the vulnerability management and of course, securing the data, that’s the data protection. So that’s the important aspect.

Vladimir Radunovic: Thank you, Nastya. Playing in different shoes. Oh. Just scratching the surface, what are some of the issues? Certainly we’ll be waiting for the next step to define more of those kinds of- See how to-

Anastasiya Kazakova: Vlada, apologies. I think we can’t really hear you properly. You are disappearing from time to time.

Vladimir Radunovic: Ah, this one, yeah. I didn’t sing enough, you know. If I sang enough, I would know how to mic. Thank you. Thank you. Okay, we move to the last part of our session. To discuss a little bit, couple of questions that we had for round table. And we start with a question on, well, Nastya, you can probably show the questions. We start with a practical aspect, then we try to connect with cyber norms and confidence building measures. At this point, I’ll pass the floor to Melanie to lead, but I invite you to jump at any point, raise a hand. We wanna interact, right? Melanie, over to you.

Melanie Kolbe-Guyot: Fantastic, so please, now we’re starting out with our discussion rounds. And I really invite everyone to also report from their group what they found was most interesting, speaking also a little bit from which perspective you were talking about, and also what your reasoning was. So the first question we wanna discuss is, how can we effectively protect critical infrastructure, facilities, and assets that do have national, regional, or international impact? So in particular, what practical measures should be implemented? And importantly, which stakeholders need to be engaged in this? Right, so we’re trying to kind of go between our online audience and the in-room audience. I would like to start very quickly with our Zoom people. Nicolas, would you start out?

Nicolas Grunder: Yeah, Melanie, thank you very much. And I’m also reporting a little bit of what we discussed in the group, and we were the researchers group. And interestingly, the first questions from the perspective of the researchers, what is actually critical infrastructure? And so we delved a bit into that topic and seeing that critical infrastructure might be defined differently from jurisdictions, but essentially, what we’ve seen important is that there is some sort of a baseline that is developed based on… on the impact that an incident can have. And then we very quickly, we started talking about standards as well, which I think we all think it can be very beneficial and standards, not only being technical standards, yes, that’s an important part of it, but also organizational standards, incident response notifications, et cetera, et cetera. So it’s that kind of broad array, but let me open the discussion again to the group of people as well.

Melanie Kolbe-Guyot: Great, fantastic. Someone else, what practical measures do you think are really important? Anyone in the room who would like to give it a go? Yes. Volunteers? Dr. Bushra, go ahead.

Bushra AlBlooshi: So thank you so much, first of all, for the invitation and for the very nice interactive session that we had so far. Just to reflect on a few practices that we’ve been doing in United Arab Emirates or in Dubai and few of the practices that we were doing also internationally with the World Economic Forum. Reaching to an agreement, what is critical infrastructure and reaching to a common agreement at the regional level or national level might be challenging, but reaching to unified agreement to the policies regulations that we can all deploy on our service providers, whether those service providers are cloud providers, software providers, or even critical infrastructure operators themselves, I think we are all doing common things but we need just to come together in order to say, okay, those are common things, let’s agree on them internationally. And we published a report with the World Economic Forum in 2021, where we were calling for harmonized certification for individuals, professionals, service providers, and even products. You can find the report in WEF website, its call for harmonized certification report with the World Economic Forum. Out of that report, actually, there was an action that was taken forward. So there is an international coalition that was created for cyber security professional certification where more countries came together, and we met last November in Wilton Park, and we came out with agreed, let’s say, set of definitions for certification accreditation within the professional domain. If that can be done for cyber security professionals, why not for other domains? Why not for cloud providers? Why not for software? And also there is a platform for certifying hardware devices. It’s called Common Criteria, and with multiple countries, they came together. They are agreeing on minimum security requirements for hardware devices. And ICT hardware devices, if that can be also done, and it was done, and it was proven to be effective, then we can do something similar at provider’s level or even software level. So for me, priority one is to agree, whether regionally or internationally, on the minimum security requirements, certification requirements that can be done for the service providers. Why I need to certify cloud provider in multiple countries with the same regulations or same requirements.

Melanie Kolbe-Guyot: Thank you. Dr. Bushra, this is precisely what we were actually talking about in our group, which was the government group. It’s like some sort of credential, some kind of checkup system and management of the service providers, and especially those four critical infrastructure providers. Let me revert back to our Zoom. Kazuo, could you chime in, please?

Kazuo Noguchi: Yeah. Thank you, Melanie. It was a really interesting scenario case that we had in a short period of time. To remind myself for the question that Brad mentioned, how to make it better before it happens. One of the critical things for the infrastructure provider is that the backup, backup, backup. And backup system in the different geography and the countries and regions, so that the spread, there are risks. That’s one thing that we can do. The difficult part here, the scenario is a new one, global cloud provider. Sometimes difficult to know, identify single point of failure, it’s great to have as a measure. And the data perspectives for the supply chain, including people, sometimes happening, how to make the measure so that that data integrity, also the hardware, software, supply chain’s integrity should make properly. And the zero trust architecture is coming up. For instance, the development, also the good for security by design and the default for the users. So risk scenario. We talked in this, the online discussions, how to make the good consequences risk assessment and all interdependent to the business as well as people, how to make that impact analysis to clarify how critical it is. And to based on those critical infrastructures level, how to make the prepared investment and prepare not to happen. And for the resilience perspective, although cloud may be not working, but there may be the way to get around. And for the United Nations, GGE and OEWG 11 norms, those are great starting point for the operationalization. As Anastasia mentioned, this one is good guide and good capacity building for that is ultimately the confidence building. And also the confidence building, meaning that communicate well. And the UN Open Networking Group started the point of contacts globally, more than 110 countries. And communicate through those, for the private or stakeholders are good or initiative through all the channels of nation jurisdictions. Finally, on the prevention and resilience coming up, some are identified, but on prevention, how to make the better use of AI for instance to detect. and to address the vulnerabilities beforehand what’s happening, but ultimately for the operators to be sustainable, that’s critical for life. Yeah, thank you for this opportunity.

Melanie Kolbe-Guyot: Thank you Kazuo. You packed up a bunch of operationalizations. Thank you very much to also put this a little bit in the global perspective, in the interdependence between service provider critical infrastructures and of course the governments. I would like to see one more person from our live audience. Yes, we have someone. Fantastic. Thank you.

Audience: Thank you. I’m assuming here that the hacker and the country that has been hacked are in peace, I mean between their two countries. However, there is a probability that both countries are in war. And I’m believing that there should be a framework under the United Nations with a certain of infrastructure. No? Shall I repeat? With a listed infrastructure items and should be agreed between everywhere around the world that those elements should not be touched in peace or wars by cyber crimes. For example, even if there is a war, electricity, water and transportation shouldn’t be touched or affected even in those sort of nonsenses. I think this is one of the agreements that should be in place these days, you know, in order to avoid such… future problems.

Melanie Kolbe-Guyot: Thank you, fantastic, and you kind of skipped a bit to question number three already, because that’s exactly an important point to consider. So we will come back to this, thank you. So let’s move to the second question. Now, we looked at the practical measures, and we kind of want to come back to what the roles of cyber norms is, right? The roles of cyber norms, especially FG&H, that’s been discussed, and confidence-building measures, CBMs, when it comes to the protection of critical infrastructure. So they are voluntary in nature, right? Do you think they have an impact on the protection of critical infrastructure, although they’re clearly voluntary? Vlada, go ahead.

Vladimir Radunovic: Yes, I actually wanted to connect to what our colleague mentioned. The context that we are discussing this is the UN agreement within the General Assembly, ultimately before, by all the states of the UN, about these cyber norms and confidence-building measures. And exactly as you said, one of the norms is do not attack each other’s critical infrastructure, and boost the resilience of each other’s infrastructure. And some of the CBMs, the confidence-building measures that the countries have agreed, include something that we have in the cards and that we have discussed in the groups, such as work on understanding how each country defines the critical infrastructure. Sorry, probably we’ll never be able to agree. This is a common agreement of what is critical infrastructure everywhere. But this is one of the CBMs to try to exchange it and understand. And then the other one is capacity-building, which we mentioned in our group, I guess, in ours, in others, capacity-building across the board. of the governments, but also, for instance, there was a good point of training of the suppliers towards their customers in critical infrastructure. What are the risks? So what I want to say is, even if these norms are voluntary, all the states have agreed. Even if they would be binding, it’s a good question if states would be adhering to them. We see breaking the international law every day. But I think the measures that we discussed are very practical ones which directly contribute to implementing the norms and CBMs. My question, maybe back, is to what extent the governments, which made the agreement understand this, that this is the implementation? Back to you, Melania.

Melanie Kolbe-Guyot: Thank you so much. Kaleem, actually, we’re calling you as the head of CERT in Mauritius.

Kaleem Usmani: Thank you, Melania. And I think that this is a good question. All the way with the rule of cyber norms and confidence building emerges when it comes to the protection of CIE. Does the voluntary nature have an impact on the protection of CIE? And I think the answer is very much yes. And this is what Vladimir has been talking about. And there are a few things around quickly how they’re going to help. And being voluntary in nature, all these 11 norms, and especially I think this is what we have been studying. So what they basically do and how they help. And though they are voluntary, first of all, what they do is that they try to reduce the risk of cyber attacks. And I think that’s the point what we are talking about. And why they do that? Because the norms establish the prohibition of cyber attacks on critical infrastructure during a peacetime. And examples are even very much mentioned into the GGE report of 2021 and the OEW report of 2021 as well as what we are talking right now through the OEWG dialogue which is going on currently. And then it will be maturing in July 2025. So yes. And then also one of the components here is that they act as a deterrent, in fact, against state-sponsored threats by increasing accountability. So I think that’s another aspect which, again, where voluntary non-binding norms, they help into protecting critical infrastructures because there are some three, four norms are specifically around CIIs if you look at the all 11 norms and including the supply chain and the vulnerability. So, of course, they all connect. Now, also, they foster international cooperation if we talk on those lines. and especially sharing the threat intelligence content against targeting CIIs. And also the states collaborate under these principles to build a global resilience to cyber threats. That’s another aspect I think, that’s how the norms, they help into protecting CIIs. And also they enhance the incident reporting mechanism. This is, I think, coming from the technical community. That’s an important aspect once we are talking about the incident handling and resolution of the critical infrastructure, especially, for example, into the SCADA systems or the technology environment. And maybe also the last comment which I wanted to add here is the promoting accountability and responsible behavior. And I think that’s what the gentleman from the audience has said, that there has to be some sort of an agreement where the states, they should not be attacking to the essential services law. Like, for example, electric grid or water supply. So that’s another aspect, and this is where the contribution of the incident response team that comes to picture. So maybe I’ll stop here. I thank you very much for giving me the floor.

Melanie Kolbe-Guyot: Thank you, Kaleem. Thank you very much. We have one more intervention from the audience.

Audience: So this intervention is within the context of the talent discussions and the two consequent manuals that have been released. So there has been international consensus on the fact that you cannot attack cyber critical infrastructure, but the problem lies in identifying those infrastructures. And a potential solution for this could be regional cooperation. For example, where we are at the Middle East could agree on any infrastructure relating to oil could be critical to them and it could be established and there could be regional cooperation setting up a body of its own for the region. And this could be done globally with certain regions focusing on their own vulnerabilities. And then this could potentially pave the way forward for international cooperation.

Melanie Kolbe-Guyot: Right, before we move to the last question, any more assessments on the impact that you think cyber norms and CBMs can have? All right, then let’s move on to the last question, and we kind of had these little nuggets of this conversation already in the previous minutes. So the question is like, is it reasonable to expect cyber operations to avoid targeting these critical infrastructures? And we’re talking here particularly about in context of peace times, right? Or is this an unrealistic expectation? And how do we establish this kind of accountability for harm that is caused by threats to critical infrastructure, especially when the agreed upon norms are being violated? So these are two kind of questions in one, but you are free to only answer to one of them. Maria, please go ahead.

Maria Pericàs Riera: Yeah, first of all, thank you. Thank you for giving me the opportunity to be here today. So first of all, I would like to talk briefly about what has been mentioned about the identification of critical infrastructure at the nation level. So I will here like to introduce the project that we have done at the DGAP. It’s called German Council on Foreign Relations. If you have any questions, then you can come to me and I will really talk a bit more individually with you about it. So what we have tried to see is to identify or to look at every country in the world, all the 190 plus something nations worldwide, and see what each country considers as critical infrastructures. And one of our main takeaways is that it’s very different worldwide. So for example, even when you check energy sector, this can mean very different things across the globe. And yeah, during our study, we’re not trying to see, okay, you should consider this or this or that as critical, but rather to see how diverse it can be and how complicated it can be. So we’re just like acknowledging that this is a huge task. Our second takeaway would be that there are still many, many countries all over the world. It was over 40% of. countries worldwide that haven’t publicly announced what is critical for them. So when I was doing this research, I was checking at all, I don’t know, constitution, ministries, websites, et cetera, to see what is critical for them, but still, this DGAP tries to be a disaster. Otherwise, again, is it better now? Thank you. So if you check the database and you see that some countries that you know that they have defined it have been omitted, please let me know, and we would love to introduce this. And regarding the accountability of these norms, I’m not the person that can say if they’re going to help or not in avoiding attacks on critical infrastructure during peacetime, but I think that at least the first step of a country saying, okay, this is critical for me, and then this respective country trying to create some type of critical infrastructure resilience, and then getting in contact with the service providers and critical infrastructure providers is already going to be a great step in order to promote the resilience of the providers, because, for example, our group, we were the critical infrastructure operator, and then we saw how many things can go wrong in one second and how interconnected we are. So yeah, these are my thoughts on this, but also, if some people from our group wants to contribute or say or mention something, please feel free to do so.

Melanie Kolbe-Guyot: Yeah. Can I just pick up on this? So yes, this is one of the issues we also in the Geneva Dialogue had the questions like we can endlessly talk about what is critical infrastructure and what is not, and it’s actually complicated because there’s a diversity across contexts, but yes, at some point, there might be some exchange necessary to understand this. At the same time, we can go very simple and say electricity grids. It’s probably, I think, probably in all contexts, we would agree that’s critical infrastructure, right? Okay. Or nuclear power plants. Right? Okay. So let’s assume we have one definition in mind. Is it reasonable to accept to expect and pursue norm violations that targeting, for example, electricity grids during peacetimes? Is this? Is this a reality? Is this something we that’s reasonable to expect? Or are we like, yeah, well, probably not. I just remember we had volt typhoon attack in the salt typhoon attack in the US, where exactly these kind of things were prepared, prepared for. Let’s go ahead.

Vladimir Radunovic: This one is probably better. Based on this, I’m thinking one thing is whether the states are going to avoid attacking each other, particularly in peacetime, which I guess and I don’t know if anyone here from the defense sector, but I suppose the defense sector would say, Okay, if we have a conflict, there are no borders. And in peacetime, we can call it a peacetime. I’m not sure they would avoid doing that. But I have another concern is that sometimes it can be an attack against the omni cloud. And the attackers actually do not know that they will cause the the spillover effect on one or more critical infrastructures. So we are back to that question, not only how we define critical infrastructure, but do we know the dependencies of all those critical infrastructure on the service providers, cloud software, and so on.

Melanie Kolbe-Guyot: Dr. Bushra, please.

Bushra AlBlooshi: Yeah, I can I can reflect on that very good point that Vladimir raised, I think from a nation, a nation perspective, it’s very important to define critical infrastructure, then define also the assets related to each sector and the sector lead and who’s doing what, this is the first step. And this is what we did. This is what we did in Dubai, it took us a while till we came out with that model, what is a critical and then what are the critical services from a business point of view, it should be done absolutely from business point of view. And then you start defining the critical assets from IT point of view. Then we also did one more important exercise. What are the interdependencies between those critical infrastructure? What is the interdependency between the power sector and transportation sector? What if the power sector goes down? How the transportation will react? How all other sectors will react? And what are the countermeasures or the agreements that we need to take at the nation level? So I think starting from the national level is very important, and then building up the other types of collaboration at the regional level or international level are considered as next steps.

Melanie Kolbe-Guyot: Thank you very much for this good illustration of how to identify these questions and interdependencies. Fantastic. So we’re on the finishing line, and I’ll hand back to Vlada, no, to Nastia, to give us our last closing remarks.

Anastasiya Kazakova: Yeah, and before that, if you allow, I’ll just probably a quick follow-up question to Dr. Bushra, because that was a really important also aspect for the second chapter of the Geneva Manual. So Dr. Bushra, if you could quickly share, is there also a defined approach? How does Dubai approach the security of those interdependencies and services which are provided by foreign companies and overseas actors?

Bushra AlBlooshi: Just briefly, because for the sake of time, I think we are limited in time here. So we have plans for each interdependency. By the way, our critical infrastructure sectors is already in our website, desc.gov.ae. You can find the critical sectors, and for each sector, we define what are the interdependencies, and if one sector goes down, what we should expect from the other sector. For example, power sector, they said if our systems goes down, we are expecting that the critical infrastructure on the other side, transportation, for example, they can react and they can operate for four hours till we bring up the service up. And in that case, transportation, they should make sure that they have generator that can operate if the power goes down in Dubai.

Melanie Kolbe-Guyot: Thank you so much. Nastya, back to you.

Anastasiya Kazakova: Thank you very much. That was really helpful. We’ll finalize on the now side. We just wanted to… briefly share the key insights what we discussed virtually in our groups and perhaps that might be also helpful maybe some thought-provoking photo for the audience on site. So we from the cybersecurity research perspective discussed the measures so which should be mandated for critical infrastructure operators to protect the infrastructure and some of the key insights so we definitely most of the inputs were about a better understanding of the what’s actually critical is and understanding the asset inventory what are those assets that needs to be protected what are those dependencies inward outward securing those dependencies and looking also more comprehensively at your supply chain. The participants we also discussed the importance of conducting impact analysis and threat assessment given the regional and local specifics of the facilities and an infrastructure and you also probably see that we specifically pointed out to the necessity to ensure the compliance with applicable standards and laws and implement vulnerability management and securing the data. So that was some of the insights that we discussed so far. I will open the floor if anyone has any further comments from the virtual group.

Kaleem Usmani: Thank you very much just the last question where we have been talking about the interdependencies and interdependencies as you mentioned about that how the overseas foreign actors they come into picture. Normally what we did at the level of the country here is that we have a clear guideline which talks about it how the interdependencies they have to be dealt with. So what we did is that we have come up with the full fledged CIIP framework and that CIIP framework is connected with the national information infrastructure guideline and which in a way the implementation of the CIIs, and that has a very clear baseline that how both overseas and the local CII operators, they have to interact with each other. So this is what we are basically trying to do to ensure this particular guideline so that there is a clear-cut actions that are required in order for them to carry out their risk assessment and the major gap in terms of the vulnerabilities and the weaknesses they have into their system so that the CII operators, they are in a position to guide their operators in order to implement those. So thank you very much. That’s the point which I wanted to make.

Vladimir Radunovic: Probably time to wrap up. Thank you so much for the online group there. I hope you also had fun. Thank you all for being with us. I want to just with a few lines close this. The next steps we are working on is trying to finalize the Geneva Manual like this on the vulnerability disclosure and supply chain about critical infrastructure. The game we did is not finalized so I hope by mid next year we’ll have the next manual. We’ll have the games as well, probably more cards, more scenarios. Everything will be open for the audience. Now what is critical for us is that in this process of shaping the final document we get as many voices particularly around the world from developing countries which honestly we’re still missing. So if any one of you want or know someone of the companies, technical community, civil society, open source community regulators, that want to get involved in Geneva Dialogue and provide their feedbacks and experiences, please do. You’ll find us around the Diplo booth over there today and tomorrow still. And then with this we close this discussion. much the civil society in this discussion. You’ll notice that in discussions about vulnerability disclosure, we did have a particular actor on civil society. We should reflect on that more. But in the meantime, the next session here in this room is connecting to that. And the question is, how do we make sure that the global civil society gets more engaged in these sometimes rather technical discussions about standards, security, Internet governance, and so on. So stay in the room for the next session. We’ll come back in 10 minutes. With that, I thank you so much.

Agreement Points

Importance of defining and identifying critical infrastructure

Nicolas Grunder

Bushra AlBlooshi

Maria Pericàs Riera

Kaleem Usmani

Importance of understanding what constitutes critical infrastructure

Need for common agreement on critical infrastructure definitions at regional/international level

Diversity in how countries define critical infrastructure globally

Importance of conducting asset inventory and impact analysis for critical infrastructure

Multiple speakers emphasized the crucial need to define and identify critical infrastructure, recognizing the challenges in reaching a common understanding across different jurisdictions and the importance of conducting thorough assessments.

Need for addressing interdependencies in critical infrastructure

Anastasiya Kazakova

Vladimir Radunovic

Bushra AlBlooshi

Challenges in identifying cross-jurisdictional interdependencies in critical infrastructure

Need to secure supply chains and address interdependencies

Complexity of interdependencies between different infrastructure sectors

Several speakers highlighted the importance of understanding and addressing the complex interdependencies within critical infrastructure, both within and across national boundaries.

Similar Viewpoints

Both speakers emphasized the importance of international cooperation and norms in protecting critical infrastructure, suggesting that collaborative approaches are essential for effective protection.

Kaleem Usmani

Unknown speaker

Cyber norms help reduce risk of attacks on critical infrastructure

Need for regional cooperation in identifying critical infrastructure

Both speakers stressed the importance of preparedness and resilience in critical infrastructure protection, focusing on backup systems and continuity planning.

Kazuo Noguchi

Nicolas Grunder

Importance of backup systems and geographic distribution of infrastructure

Importance of business continuity and incident response planning

Unexpected Consensus

Transparency in critical infrastructure protection approaches

Anastasiya Kazakova

Bushra AlBlooshi

Lack of transparency from some states about critical infrastructure protection approaches

Need for common agreement on critical infrastructure definitions at regional/international level

Despite potential national security concerns, there was an unexpected consensus on the need for greater transparency and international cooperation in critical infrastructure protection approaches.

Overall Assessment

Summary

The main areas of agreement centered around the need for clear definitions of critical infrastructure, addressing interdependencies, international cooperation, and the importance of preparedness and resilience.

Consensus level

There was a moderate to high level of consensus among speakers on the key challenges and necessary steps for critical infrastructure protection. This consensus suggests a growing recognition of the global nature of the issue and the need for collaborative, multi-stakeholder approaches to address it effectively.

Different Viewpoints

Approach to defining critical infrastructure

Maria Pericàs Riera

Bushra AlBlooshi

Diversity in how countries define critical infrastructure globally

Need for common agreement on critical infrastructure definitions at regional/international level

Maria Pericàs Riera highlighted the significant differences in how countries define critical infrastructure, while Bushra AlBlooshi argued for the need to reach a unified agreement on definitions and policies at a regional or international level.

Unexpected Differences

Overall Assessment

summary

The main areas of disagreement centered around the approach to defining critical infrastructure and the level at which security measures should be standardized (national, regional, or international).

difference_level

The level of disagreement was moderate. While there were differing perspectives on specific approaches, there was a general consensus on the importance of protecting critical infrastructure and the need for some form of standardization. This suggests that despite differences in approach, there is potential for collaboration and progress in developing effective cybersecurity measures for critical infrastructure.

Partial Agreements

Both speakers agreed on the importance of identifying and defining critical infrastructure, but differed in their approaches. AlBlooshi advocated for a common international agreement, while Usmani focused on conducting thorough asset inventories and impact analyses at a national level.

Bushra AlBlooshi

Kaleem Usmani

Need for common agreement on critical infrastructure definitions at regional/international level

Importance of conducting asset inventory and impact analysis for critical infrastructure

Similar Viewpoints

Both speakers emphasized the importance of international cooperation and norms in protecting critical infrastructure, suggesting that collaborative approaches are essential for effective protection.

Kaleem Usmani

Unknown speaker

Cyber norms help reduce risk of attacks on critical infrastructure

Need for regional cooperation in identifying critical infrastructure

Both speakers stressed the importance of preparedness and resilience in critical infrastructure protection, focusing on backup systems and continuity planning.

Kazuo Noguchi

Nicolas Grunder

Importance of backup systems and geographic distribution of infrastructure

Importance of business continuity and incident response planning

Key Takeaways

There is a need for clearer definitions and identification of critical infrastructure at national, regional and international levels

Protecting critical infrastructure requires addressing complex interdependencies and supply chain vulnerabilities

Cyber norms and international cooperation play an important role in critical infrastructure protection, but challenges remain in implementation and accountability

Baseline security requirements and standards are needed for critical infrastructure operators and service providers

Critical infrastructure protection requires engagement from multiple stakeholders including governments, industry, and researchers

Resolutions and Action Items

Work on finalizing the next chapter of the Geneva Manual focused on critical infrastructure protection by mid-next year

Develop more scenario-based games and cards to facilitate discussions on critical infrastructure protection

Seek more input and participation from developing countries in the Geneva Dialogue process

Unresolved Issues

How to effectively identify and protect cross-jurisdictional interdependencies in critical infrastructure

Whether it’s realistic to expect cyber operations to avoid targeting critical infrastructure, especially during conflicts

How to establish accountability mechanisms when agreed-upon cyber norms are violated

How to balance national security concerns with the need for transparency in critical infrastructure protection approaches

Suggested Compromises

Focus on agreeing on baseline security requirements and certifications for service providers rather than trying to reach universal agreement on critical infrastructure definitions

Pursue regional cooperation and agreements on critical infrastructure protection as a stepping stone to broader international cooperation

Start with protecting universally recognized critical infrastructure like electricity grids and nuclear plants while working towards more comprehensive definitions

Reaching to an agreement, what is critical infrastructure and reaching to a common agreement at the regional level or national level might be challenging, but reaching to unified agreement to the policies regulations that we can all deploy on our service providers, whether those service providers are cloud providers, software providers, or even critical infrastructure operators themselves, I think we are all doing common things but we need just to come together in order to say, okay, those are common things, let’s agree on them internationally.

speaker

Dr. Bushra AlBlooshi

reason

This comment shifted the focus from trying to define critical infrastructure to finding common ground on policies and regulations for service providers. It offered a practical approach to addressing the challenge.

impact

It led to discussion of specific initiatives like harmonized certification and international coalitions, moving the conversation towards concrete actions rather than theoretical definitions.

One of the critical things for the infrastructure provider is that the backup, backup, backup. And backup system in the different geography and the countries and regions, so that the spread, there are risks.

speaker

Kazuo Noguchi

reason

This comment introduced a specific, practical measure for protecting critical infrastructure that hadn’t been mentioned before.

impact

It shifted the discussion towards more technical, operational considerations and led to further comments about risk assessment and resilience.

I’m believing that there should be a framework under the United Nations with a certain of infrastructure. No? Shall I repeat? With a listed infrastructure items and should be agreed between everywhere around the world that those elements should not be touched in peace or wars by cyber crimes.

speaker

Audience member

reason

This comment introduced the idea of a global agreement on protected infrastructure, even during wartime, which was a novel perspective in the discussion.

impact

It prompted consideration of international frameworks and agreements, leading to further discussion about the role of the UN and global cooperation in cybersecurity.

So we have plans for each interdependency. By the way, our critical infrastructure sectors is already in our website, desc.gov.ae. You can find the critical sectors, and for each sector, we define what are the interdependencies, and if one sector goes down, what we should expect from the other sector.

speaker

Dr. Bushra AlBlooshi

reason

This comment provided a concrete example of how a government is addressing the challenge of interdependencies in critical infrastructure, offering practical insights.

impact

It grounded the discussion in real-world practices and prompted consideration of how different sectors interact and depend on each other in critical infrastructure.

Overall Assessment

These key comments shaped the discussion by moving it from theoretical considerations to practical approaches and real-world examples. They broadened the scope from defining critical infrastructure to considering international cooperation, technical measures, and interdependencies between sectors. The comments also highlighted the complexity of the issue, showing how it involves multiple stakeholders and requires both national and international efforts. Overall, these insights deepened the conversation and led to a more nuanced understanding of the challenges and potential solutions in protecting critical infrastructure.

How to define and identify critical infrastructure across different countries and contexts?

speaker

Maria Pericàs Riera

explanation

There is significant diversity in how countries define critical infrastructure, with over 40% of countries not publicly announcing what they consider critical. This makes it challenging to establish common norms and protections.

How to map and understand interdependencies between different critical infrastructure sectors?

speaker

Dr. Bushra AlBlooshi

explanation

Understanding interdependencies (e.g. between power and transportation sectors) is crucial for assessing vulnerabilities and developing contingency plans.

How to establish universal baseline or minimum cybersecurity requirements for critical infrastructure protection across jurisdictions?

speaker

Anastasiya Kazakova

explanation

Given the transnational nature of many critical infrastructure services, there’s a need for more universal security standards while respecting national frameworks.

How to make legal systems governing critical infrastructure security more interoperable across countries?

speaker

Anastasiya Kazakova

explanation

This would help address common security issues faced by actors across different jurisdictions.

How to effectively protect critical infrastructure facilities and assets that have national, regional or international impact?

speaker

Melanie Kolbe-Guyot

explanation

This requires identifying which stakeholders need to be engaged and what practical measures should be implemented.

How to establish accountability for harm caused by threats to critical infrastructure when agreed-upon norms are violated?

speaker

Melanie Kolbe-Guyot

explanation

This is crucial for enforcing norms and deterring attacks on critical infrastructure.

How to address the lack of transparency from some states regarding their critical infrastructure protection approaches?

speaker

Anastasiya Kazakova

explanation

Greater transparency is needed to enable stakeholders to support state efforts in critical infrastructure protection.

How to secure the complex global supply chains involving small companies and nations?

speaker

Kazuo Noguchi

explanation

The interconnected nature of supply chains, including software, hardware, IoT, and people, presents significant security challenges.

Summary

This panel discussion at the Internet Governance Forum focused on the UN Cybercrime Treaty and its potential impacts on human rights and transnational repression. Experts from various organizations expressed serious concerns about the treaty’s broad scope and lack of robust human rights safeguards. They argued that the treaty’s vague language and deference to domestic laws could enable authoritarian regimes to abuse its provisions for surveillance and repression of dissent.

Panelists highlighted how the treaty expands investigative powers and international cooperation beyond core cybercrimes to any “serious crime” as defined by domestic law. This could force countries to assist in prosecuting acts that are not crimes in their own jurisdictions. The treaty’s weak privacy protections and potential to undermine encryption were also criticized.

Case studies from Saudi Arabia and Latin America illustrated how existing cybercrime and anti-terrorism laws are already used to target activists and journalists. Panelists warned the treaty could exacerbate these abuses on a global scale. They also noted the treaty’s provisions could endanger cybersecurity researchers by criminalizing their work.

The experts urged policymakers and industry leaders to oppose ratification of the treaty in its current form. They recommended using upcoming protocol negotiations to address human rights gaps and involve civil society voices. Overall, the discussion emphasized the need for stronger safeguards and more precise language to prevent the treaty from facilitating human rights violations under the guise of combating cybercrime.

Keypoints

Major discussion points:

– The UN Cybercrime Treaty lacks adequate human rights safeguards and could enable transnational repression

– The treaty’s broad scope and vague language around “serious crimes” is problematic

– The treaty gives states too much flexibility in implementation, allowing for potential abuse

– Cybersecurity researchers and civil society could be negatively impacted by the treaty

– There are opportunities to improve the treaty through protocol negotiations and by states refusing to ratify

Overall purpose:

The discussion aimed to raise awareness about human rights concerns with the UN Cybercrime Treaty and encourage policymakers and other stakeholders to push for improvements before ratification.

Tone:

The tone was serious and concerned throughout, with speakers emphasizing the gravity of the potential human rights impacts. There was a sense of urgency in calling for action to address the treaty’s flaws before it is too late. The tone became slightly more hopeful towards the end when discussing potential ways to improve the treaty going forward.

Speakers

– Joey Shea: Covers Saudi Arabia for Human Rights Watch

– Deborah Brown: Covers tech and human rights in the tech division at Human Rights Watch

– Lina al-Hathloul: Saudi human rights defender, head of monitoring advocacy at Al-Qist

– Nick Ashton-Hart: Leads the Cybersecurity Tech Accords representation at the UN

– Veridiana Alimonti: Associate Director for Latin American Policy at the Electronic Frontier Foundation

– Fionnuala Ni Aolain: Professor of law at Queen’s University of Belfast and regents professor at Minnesota Law School, former UN Special Rapporteur on counterterrorism and human rights

Additional speakers:

– Khaled Mansour: Member of the Oversight Board for META

The UN Cybercrime Treaty: Human Rights Concerns and Potential Impacts

A panel of experts convened at the Internet Governance Forum to discuss the UN Cybercrime Treaty and its potential implications for human rights and transnational repression. Joey Shea, the moderator, opened the session with a moment of silence for detained human rights defenders, setting a somber tone for the discussion.

Human Rights Concerns and Transnational Repression

The panelists unanimously expressed significant concerns about the treaty’s current form and its potential for abuse. Deborah Brown of Human Rights Watch highlighted that the treaty provides broad surveillance powers without sufficient protections. She noted that while the treaty allows states to refuse mutual legal assistance on human rights grounds, this flexibility could be exploited by repressive regimes.

Veridiana Alimonti from the Electronic Frontier Foundation warned that the treaty could enable cross-border surveillance and data sharing by repressive regimes. This point was powerfully illustrated by Lina al-Hathloul, a Saudi human rights defender, who shared how Saudi Arabia already uses vague cybercrime and anti-terrorism laws to silence dissent. She provided specific examples of how these laws are used to target activists, journalists, and human rights defenders, emphasizing that the treaty could exacerbate such abuses on a global scale.

Nick Ashton-Hart, representing the Cybersecurity Tech Accords at the UN, raised alarm about the treaty’s allowance for secret surveillance and data collection. He also highlighted concerns about the asset seizure and forfeiture provisions in the treaty, which could be used to target individuals and organizations unfairly.

Impacts on Cybersecurity Research and Internet Security

An unexpected consequence of the treaty, as pointed out by Nick Ashton-Hart, is its potential negative impact on cybersecurity research. The treaty’s language criminalizes accessing systems without permission, which could inadvertently endanger the work of security researchers who routinely probe systems to discover vulnerabilities. This lack of protection for researchers could have far-reaching implications for overall internet security.

Recommendations and Future Considerations

The experts offered several recommendations for policymakers and stakeholders:

1. States should refrain from signing or ratifying the treaty in its current form.

2. Upcoming protocol negotiations should be used as an opportunity to address the treaty’s flaws.

3. Civil society voices must be included in treaty discussions to ensure a balanced approach.

4. Governments should engage with domestic stakeholders when making decisions about ratification.

Nick Ashton-Hart emphasized the importance of the US and EU not ratifying the treaty, as this could influence other countries’ decisions. He also suggested that better results could be achieved in future negotiations, given that opponents of safeguards and rule of law protections lack sufficient votes.

Deborah Brown stressed the need for engaging with domestic stakeholders on ratification decisions and highlighted the treaty’s flexibility, which could be both a strength and a weakness depending on how it’s implemented.

Unresolved Issues

The discussion left several important questions unanswered, including how to effectively balance cybercrime prevention with human rights protections and ensure the treaty cannot be misused for political persecution. The panelists agreed that addressing these concerns and strengthening human rights safeguards will be crucial as the process moves forward.

Technical Difficulties

It’s worth noting that the session experienced some technical difficulties, which were briefly mentioned in the transcript. Despite these challenges, the panelists were able to convey their key points and concerns effectively.

Conclusion

The panel discussion highlighted the urgent need for policymakers, civil society, and industry leaders to engage critically with the UN Cybercrime Treaty. The experts’ unified stance against ratification in its current form sends a strong message about the treaty’s potential to facilitate human rights violations under the guise of combating cybercrime. As negotiations continue, it will be essential to address these concerns and ensure that efforts to combat cybercrime do not come at the expense of fundamental rights and freedoms.

Joey Shea: with the headphones on. We’re going to begin the session. My name is Joey Shea. I cover Saudi Arabia for Human Rights Watch. We’re also joined in person by my colleague Deborah Brown, who covers tech and human rights in our tech division also at Human Rights Watch. I want to welcome you today to our session on the UN Cybercrime Treaty and the impacts that it may have on transnational repression. We have a very important and, in fact, historic panel for everyone here today. Before we begin the conversation, I do want to take a moment to acknowledge who is not here. Many human rights defenders are unable to be here on the grounds, including a number from the country in which this conference is taking place. So I do want to take a moment to say a few names of human rights defenders who have been detained arbitrarily across the Middle East, including in the country in which we now reside, and have a moment of silence for them. So I want to speak about Mohammed al-Ghamdi and Assad al-Ghamdi, who are two brothers. And all the names that I’m going to be saying, just to note, are individuals who are detained in relation to expressing themselves online, either through Twitter or X or other platforms. So Mohammed and Assad al-Ghamdi, who are both citizens of the country in which we are now in. Noura al-Qahtani, also a citizen of the country that we are now in. Ahmed Mansour, Alaa Abdelfattah, Abdelhadi al-Khawaja, and Ahmed Hassan al-Zoubi. So again, all these are individuals who have been detained for expressing themselves online. So I want to take a moment, a brief moment of silence, to reflect on these individuals and their contribution to this space. So thank you again to everyone for being here today. The other thing I want to acknowledge in addition to those defenders whose name I just spoke, other folks who are not able to be here in the room with us today. So beside me would have sat Lina Al-Hathloul, who is joining us remotely on the screen. Lina is of course a citizen of the country in which we now reside, but she is unable to be here given security concerns related to her activism abroad. So instead of her physically being here in person, we’ve laid out an empty chair and a name tag here to symbolize not only her absence, but the absence more broadly of the community of civil society members from this country who are not able to be here in person nor to attend due to the rights crisis here. I also want to welcome our other panelists to get to it more concretely, who are joining us remotely. We have Nick Ashton-Hart, who is joining us here on our lower left of the screen. So Nick leads the Cybersecurity Tech Accords representation at the UN and headed their delegation to the Cybercrime Convention negotiations. And the Tech Accord is a global coalition of more than 160 companies that advocates for greater international action to address malicious cyber incidents and their causes. We are also joined by Virginie Almondi, who is an Associate Director for Latin American Policy at the Electronic Frontier Foundation. She is a lawyer. She holds a PhD in Human Rights from the University of Sao Paulo Law School. And her work focuses on the intersection of technology and human rights, such as privacy and freedom of expression. We’re also going to be joined a little bit later. by another colleague, Fionnuala Ny-Alolen, who is a professor of law at Queen’s University of Belfast and a regents professor at the Minnesota Law School, and she’s also a former UN Special Rapporteur on counterterrorism and human rights. So to start off to our discussion here today, I want to turn to my colleague in the room, Deborah Brown, who has been focused on the UN Cybercrime Treaty for many years, and so I first would be super grateful if you could sort of take us through, first of all, what is the UN Cybercrime Treaty, what is its status, where are we today, and what are the main issues with regards to human rights concerning the treaty.

Deborah Brown: Thank you so much, Joey, for the introduction, and hi to everyone on the room and online. I know it’s very early for some of you, so thank you for joining us. Thank you also, Joey, for that moment of silence. I think that really grounds our discussion, why we’re here, to talk about transnational repression and the rights of people who’ve been detained or otherwise had their rights restricted on the basis of cybercrime laws. I’m gonna start off with an overview. I see some familiar faces in the room. I know some of you are intimately familiar with the UN Cybercrime Treaty. Others of you luckily might not be, and so I just want to sort of set a groundwork or grounding the treaty on the basics, where we are, what it does, and what comes next. So this is the first global treaty on cybercrime that we’ll be discussing today. It was first approved to move forward almost five years exactly today by the UN General Assembly. In 2019, in December, the UN General Assembly voted to start negotiations on this treaty. There was not consensus at the time that there should be a global cybercrime treaty or what even the scope or purpose of that treaty would be. The treaty was first proposed by the Russian Federation. Russia circulated a draft treaty two years prior, in 2017 and when it came down to decide whether to move ahead with this The US European Union and a number of like-minded states voted against or abstained from the treaty from the process to start the treaty negotiations since then There’s been a little over three years of negotiations give or take and in August 2024 what’s known as the ad hoc committee, which was the body established to negotiate the treaty text agreed on a treaty They agreed by consensus For the treaty that sits before the UN General Assembly this week. It’s expected to be adopted. I think any day now and At that point it will open for ratification Once 40 governments ratify the treaty 90 days after that point it will go Into effect into force and then soon after within the next two years negotiations on a protocol to be attached to the treaty will also start and That protocol will be adopted once there’s agreement on it and once 60 states have ratified it. We refer to the treaty shorthand today as the UN cybercrime treaty But it’s actually a bit of a misnomer. That’s not the full name. I’ll read out the full name for you, which is strengthening international cooperation for combating certain crimes committed by means of information and communications technology systems and For sharing of evidence and electronic form of serious crimes and that last bit is I think what brings us here today Mostly is to discuss beyond cybercrime beyond attacks on computer networks and systems this treaty is actually a general-purpose treaty to Co-op to investigate and prosecute and cooperate internationally on a much wider range of crimes specifically serious crimes The Treaty just to kind of break down the components. It does actually criminalize certain Certain acts the criminalization chapter if you will and that requires states that ratify the treaty to criminalize in domestic law certain offenses. These range from core cybercrimes like attacks on community, ICT systems, illegal access to data, illegal intercept, things like this, and cyber-enabled crimes, a select number of them, like online child sexual abuse material and non-consensual dissemination of intimate images. I think we’ll hear a bit more from Fanula later on about the compatibility of those offenses and how they’re drawn up with international human rights law, but I just want to flag that in the negotiations there was a lot of disagreement, or negotiation, one might say, on the scope of criminalization. There were some states that really wanted to see a much broader range of acts criminalized, which would include content-related offenses, things that are broadly defined, or not defined, like extremism or terrorism, and then states that wanted to see a much narrower set of crimes included. And we landed somewhere, I would say, in between, but on the flip side of that there’s a much broader scope of crimes on which investigations and prosecutions can happen and transnational cross-border cooperation. So the convention requires states to establish expansive electronic surveillance powers to investigate and cooperate on a range of crimes, even when no ICT systems were used to commit those crimes. It includes specifically international cooperation on anything called a serious crime, which under the treaty says that basically any crime as defined in domestic law that carries a criminal sentence or penalty of four years in prison or more. Now looking around the world, and I think we’ll hear more about this from my colleagues remotely, many countries criminalize acts that are defense of human rights, for example, independent journalism, criticizing one’s government, being LGBT. And under this treaty, states are required to provide mutual legal assistance to prosecute those crimes that might not even be an offense in their own country. And that’s the kind of issues that we’ll be talking about. more about later. I know for this introductory period we’re trying to just cover the high-level points so I think I’ll just move to the human rights safeguards or lack thereof before turning to other colleagues. I think it’s important to recognize that the treaty does include a provision, an article on human rights, and it also includes, so that’s article 6, it includes another article 24 on conditions and safeguards. And this wasn’t a guarantee from the outset and it’s important to recognize where some progress was made. Article 6.2 specifically says nothing in this convention shall be interpreted as permitting the suppression of human rights or fundamental freedoms. And so it’s designed in principle to guard against misuse of the treaty to restrict or violate human rights. Unfortunately that article isn’t actionable. There aren’t really enforceable limitations on the use of the treaty to restrict rights elsewhere. And I will turn to article 24 which is the condition and safeguards article which largely defers to domestic law. It does mention international human rights standards but it does so in a selective and in some cases optional way. It relies heavily on the principle of proportionality but fails to mention legality and necessity, meaning that limitations on human rights that would be permitted by the treaty should be legal like specific and really clear and that they should be necessary, meaning that they’re designed for a specific purpose and the least restrictive measure necessary. Things like judicial authorization are not required, they’re a bit optional in this, and things like independent notice of individual notice to let’s say people who’ve been surveilled or had their data collected for the purpose of an investigation there’s no individual notice and there’s no transparency required that you’d need to know in order to act. actually push back against such requests. And I’d also flag that Article 24.2, as a whole, only applies to Chapter 4, the procedural measures, and to Chapter 5 on international cooperation, when the powers on Chapter 4 are relied on. So there are certain acts like law enforcement cooperation and joint investigations, which may include the sharing of data collected outside of the treaty or domestically, aren’t covered by the human rights provisions. And there were strong efforts from some member states to apply Article 24 and conditions and safeguards to the whole treaty, and those were not successful in the end. So there are certain gaps, and there’s a lot of latitude and kind of flexibility given to governments in how they interpret and enforce the treaty from the human rights perspective. Throughout the negotiations, Human Rights Watch, Electronic Frontier Foundation, industry have been raising these concerns in terms of the gaps and how this treaty can be used to abuse or abuse to violate human rights. We often give examples in our work. These are not hypothetical, and this is why I’m very pleased that Lina will be speaking here to share from her work and her experience on the very real cases of what’s at stake.

Joey Shea: Thank you so much, Deborah, and I think that is a very appropriate note to end on as we turn now to Lina Al-Hathloul, who I didn’t actually probably introduce when we began. But Lina Al-Hathloul is a Saudi human rights defender. She is the head of monitoring advocacy at Al-Qist, which is a Saudi-led human rights organization based in London. She’s also the sister of Loujain Al-Hathloul, one of the most famous Saudi women’s rights defenders who spent over 1,000 days in Saudi prison due to her human rights work. So with that, I’d like to turn to Lina, and Deborah did an excellent job sort of outlining understanding what the cybercrime treaty is and some of the gaps with regard to human rights, particularly as the treaty sort of defers to domestic law on a number of these issues. So I’m wondering if you could speak about your experience as a Saudi human rights defender and Saudi law and how this treaty may sort of interact and lead to further repression inside of Saudi Arabia.

al-Hathloul Lina: Thank you, Joey. Thank you, Deborah. As-salamu alaykum. Good day, everyone. I’ll be reading my speech and we can have a later conversation later on. So I want to begin by expressing my gratitude for the opportunity to address you today, even if I cannot be with you in person. I had hoped to join you directly, but due to safety concerns and the legal travel bans imposed on my family since 2018, that remains impossible for now. That is, I could maybe be trapped in the country should I had come in person. For today, an empty chair will have to represent my voice, a stark symbol of the silencing faced by so many of us. I do hope the situation will change and I can join you in person very soon. My sister’s case is an example of the grim reality that many face. For her women’s rights work, she has been imprisoned, tortured and placed under an illegal travel ban. Her story is not unique and it serves as a powerful backdrop to my remarks today about the proposed UN Cybercrime Treaty and its potential ramifications for countries like Saudi Arabia. The UN Cybercrime Treaty, as it currently stands, is excessively broad and it reduces significant legal uncertainty. It provides states with the tools to leverage high-level, intrusive domestic and cross-border surveillance powers to address a vaguely defined list of criminal offences. This vague framing risks becoming a serious weapon in the hands of governments that are already using cybercrime laws to suppress dissent. The situation in Saudi Arabia is a cautionary tale. Over the past few years, our monitoring and research have revealed the disturbing extent of Saudi Arabia’s surveillance apparatus, both online and offline. Civil society can no longer speak independently, and those who dare to express what the authorities consider dissent are often silenced through imprisonment or worse. One of the most troubling discoveries we made was the existence of a Saudi state security watch list known as Watch Upon Return or Tarqab al-Awda in Arabic. This list monitors social media accounts of Saudis abroad, targeting them upon their return. To give you a stark example, a Saudi citizen was arrested simply for criticising the quality of food provided by the embassy during COVID-19. Another case is Salma Shihab, a PhD student who was arrested upon her return from the UK for social media content supporting human rights defenders. Her initial sentence was six years, which was then later increased to 34 years before being reduced to 27 years. She remains in detention to this day. Even more surprisingly, Saudi state television has laid bar the authorities’ efforts to suppress free speech online. On the Thursday night programme Blindspot, But five imprisoned social media users were interviewed, including one man jailed for a single tweet, a tweet that he hadn’t expected could land him in prison. The message was chillingly clear. No one is safe. No one is safe online. And even what one considers mild criticism can become a crime. We have documented hundreds of cases of individuals in prison solely for their online expression. Among them is Abdelrahman al-Sathan, a man who remains forcibly disappeared to this day. His case highlights the dangers of a poorly constructed cybercrime treaty. Abdelrahman was tweeting anonymously when his identity was allegedly revealed after Saudi authorities corrupted Twitter employees to obtain user data. Under Article 34 of the proposed treaty, states are required to cooperate in collecting, obtaining, preserving and sharing electronic evidence for any serious crime punishable by four years or more. Article 40 requires states provide one another with the widest measures of mutual legal assistance in investigations, prosecutions and judicial proceedings in relation to acts criminalized by the treaty and any serious crime. Without clear and robust limitation, such provisions will give governments unchecked power to surveil, arrest and silence individuals under the guise of law enforcement. It also risks making states part to the treaty complicit in abuses by Saudi authorities. The problem is compounded by differences in judicial systems and their independence. or lack thereof. The treaty largely defers to domestic law in the conditions and safeguards it outlines in Article 24. In Saudi Arabia, laws such as the counter-terrorism law and the anti-cyber crime law define criminal offences in dangerously vague terms. These laws are routinely used to target peaceful activism and free speech. Offences committed are tried in the Specialized Criminal Court, or the SCC, a jurisdiction that has been increasingly weaponized against human rights defenders. Trials are often held in secret, court documents withheld, and witnesses barred from testifying. This lack of due process leaves individuals without any protection against abuse of the law. The cybercrime treaty will only exacerbate these existing abuses, it would provide governments with even more tools to surveil, silence, and detain critiques, undermining fundamental human rights under the pretense of addressing cybercrime. It is critical to address these risks and implement clear safeguards to ensure that such provisions cannot be misused. In closing, I want to emphasize that cybercrime legislation must prioritize human rights and include robust definitions, safeguards, and independent oversight. The price of failing to do so is measured in lives silenced, freedoms lost, and families torn apart, a price that many, including my family and I, know all too well. Thank you for listening, and for holding space for voices like mine. I look forward to a day where I can join you in person, without fear, to continue this vital conversation. Wassalamu alaikum.

Joey Shea: Thank you. Thank you. to hear even further how the cybercrime treaty will impact human rights and freedoms here in Saudi Arabia. I also want to turn now to Veridiana. I just want to make sure that the screen, there we go. I want to turn now to Virjana to speak about another case study, and I just want to make sure that our technical, we’re just going to wait until the Zoom appears on the screen here so that we can see Virjana as we are hearing from her. Hi. Excellent. Virjana, I’m sure you can’t see in the room, but you’re now on our screen. So welcome. So Virjana, I want to sort of turn to you now and ask you about the lack of robust privacy and data protections and the conventions, and specifically how these may be problematic from a Latin American perspective, particularly with regards to the legal frameworks in place and the weak protections in your region. So welcome.

Veridiana Alimonti: Thank you very much, Joey and Deborah. So we at the Electronic Frontier Foundation have engaged with the UN debates on the cybercrime convention from the early stages, and as Joey mentioned, the point I want to highlight is the fundamental imbalance of the proposed treaty between surveillance powers and human rights safeguards and how this is concerning vis-a-vis transnational repression. So EFF has repeatedly stressed that the convention has become a broad surveillance pact. As Deborah mentioned, it establishes intrusive investigative measures at national level and requires international cooperation in accessing and sharing data, even for crimes that do not involve ICTs, and such powers come without adequate safeguards. to prevent their abusive application. Although the treaty text that’s that the implementation of surveillance obligations must comply with state’s commitments before international human rights law, not all states that are UN members and may join the convention have ratified important treaties such as the international covenant on civil and political rights or have domestic legal frameworks that ensure sufficient guarantees. So if we consider Latin American countries within any spectrum of democratic nations, safeguards that we can deem essential are not necessarily present in domestic legal frameworks. Looking only at prior judicial authorization for accessing communications related data for example, Colombia doesn’t require prior judicial order for the interception of communications content. Peru allows real-time location data access without a previous warrant under specific conditions subject only to later judicial review. In Panama, the law authorizes prosecutors to request a considerable amount of communications metadata to telephone providers without previous judicial authorization. Law enforcement authorities in Paraguay also rely on a supreme court’s ruling to require access to metadata without judicial authorization. And in Brazil, there is an ongoing legal debate on whether the disclosure of storage location data requires a previous judicial order. Yet as Deborah mentioned, article 24 of the UN convention sets that the application of the investigatory surveillance powers and procedures provided for in its specific chapter are subject to conditions and safeguards provided for under the country’s domestic law. And that in accordance with and pursuant to the domestic law of each state party, such conditions and safeguards shall, as appropriate in view of the nature of the procedure or power of concern, include safeguards that are absolutely crucial as judicial or independent review, the right to an effective remedy, which is an international human right established in international human rights instruments, grounds just to find the application, and limitation of the scope and the duration of such power or procedure. Also, it’s Article 24 establishes the principle of proportionality, but not legality necessity and non-discrimination. So as such, the text of the UN Cybercrime Convention does not require that surveillance measures have prior judicial authorization, are only carried out in the face of reasonable suspicion, and are necessary for the investigation. Furthermore, the authorities could keep such measures secret indefinitely, according to the law of each country. These surveillance powers that state parties to the convention will have to establish in their domestic law and will be available for international cooperation, include real-time collection of metadata, interception of content data, which are two provisions that could be abused to underpin government use of malicious software, for example, to spy dissidents and human rights defenders. It also includes a provision that can force individual tech employees working at service providers to provide information, possibly including security weaknesses that could be used to bypass system security safeguards. The fundamental imbalance between surveillance powers and human rights safeguards is particularly concerning in Latin American countries, where the lack of adoption of legal safeguards against data, the absence of comprehensive data protection laws in the law enforcement context, and the insufficient mechanisms for transparency, notification, effective remedy, and oversight pose significant risks to human rights and vulnerable communities. This is also particularly concerning on how it can boost transnational repression. The key function- The intention of the convention, if ratified, will be to create a means of requiring legal assistance between countries that do not already have mutual assistance treaties, MLATs, or other cooperation agreements. This could include repressive regimes who may previously have been hindered in their attempts to engage in cross-border surveillance and data sharing. In some cases, because their concerning human rights records have excluded them from MLATs. The Treaties International Cooperation Chapter compels countries to collect and share private data across borders, effectively requiring them to assist each other in electronic surveillance for a wider range of serious crimes, whether or not technology is involved in the crime. The cross-border evidence gathering applies to any crime that a state chooses to punish with at least four years of imprisonment under its national law, subject to certain restrictions. Proposals to define more strictly serious crimes were not accepted. So, this broad discretion granted to states under the UN Cybercrime Treaty is a deliberate design intended to secure agreement among countries with varying levels of human rights protections. This flexibility in certain cases allows states with strong protections to uphold them, but also permits those with weak standards to maintain their lower levels of protection. The Convention’s underlying flaw is the assumption that, in accommodating all countries’ practices, states will always act in good faith. But what the history and patterns of transnational repression teach us is that this does not hold true, and that mandatory human rights safeguards and effective oversight of whether these safeguards are fulfilled are absolutely essential. A key learning that unfortunately and alarmingly is not reflected in the text of the UN Cybercrime Convention. Thank you.

Joey Shea: Thank you for, thank you for Jana for those important remarks. And I think it’s very important that we look at multiple different case studies to see how the rights impacts of this treaty globally. I’d like to turn now to Fanula if we could get her up on screen as well. I’ll just take a moment. Hi everyone. Brilliant. Fanula welcome, you’re on our screen even if you can’t see the room. Thank you so much for joining us. So I’m wondering if you could speak a bit more about the treaty, but specifically how the broader securitization policies and practices by member states may be impacted and the relationship between the treaty and those policies and practices.

Fionnuala Ni Aolain: Sure, everyone I’m delighted to be joining you today albeit remotely and am pleased to offer an assessment I think of what might be described as selective human rights pieces of the UN Convention Against Cybercrime and really to reflect on in some ways the fundamental incompatibility of parts of this treaty with international human rights law. I think it’s also really fair to say that due to the scale scope subject matter of the convention, the convention poses distinct human rights risks that really should have required heightened scrutiny and safeguards rather than lesser scrutiny and safeguards. And here I align my remarks with the views of the U.N. High Commissioner for Human Rights in their submission to the treaty process in July of 2024. And my focus is really to start by looking at the nitty gritty language of the treaty. And I do that because I think it’s really important that we’re not simply abstract in thinking about how this treaty really has failed to grasp with and create obligations for states under human rights law, but the deliberate avoidance and obfuscation of human rights language and human rights requirement. And I think this represents something of a broader challenge that human rights is facing, particularly in the intersection of new technologies and human rights globally, is the way in which human rights language or what I would call human rights light constructions of new treaties really serve to undermine existing treaty language and practice. And the second is the treaty, I think, represents another pattern, which is the failure to address or be acknowledgement of fundamental and existing patterns of abuse by states. And so that the treaties, in fact, almost it’s like the emperor’s new clothes, an unwillingness to address what we know about state behavior in a particular area and address it through treaty law. And the third, I think, is this really important point that that is sort of builds on the point about human rights light standards, is the weakening of existing treaty framework standards, human rights treaty frameworks by creating de facto spaces of opt out or spaces where critic critical spaces where states essentially get to exclude human rights protection. And the broader point is that new technologies have effectively, particularly in this area of security and new technology, have been given a pass on the application of international human rights law, often based on arguments of exceptionality, that these spaces are exceptional, that they require exceptional, fast and particular kinds of responses, creating, I think, enormous disjunction in our. overall protection schemes. But let me go to some of the language. And I want to start with Article four of the treaty that requires states parties to criminalize offenses under, quote, other applicable U.N. conventions and protocols when committed through the use of an information and communications technology system, end quote. And this provision, I think, is the practical effect of extending the scope of the offenses under other conventions to encompass cyber means without formally amending each of those conventions. So it’s quite an important slight of hand, a move that I think is quite significant. Now, there might be reasons to legitimately extend some offenses under earlier conventions and to update earlier conventions. But I think Article four is objectionable for two fundamental reasons. One is because it’s inherently vague and uncertain in scope, and it doesn’t identify the specific conventions or the offenses that will be updated. And there are dozens of instruments and many more offenses within them that might be affected. And when those treaties were negotiated, each of those offenses was carefully negotiated, giving due legal scrutiny to the particular elements of each substantive and incoherent offense under the convention. And so as a fairly doctrinal lawyer, I think I’m really concerned that Article four requires wholesale and indiscriminate potential extension of every offense under every convention without close drafting scrutiny of whether it’s appropriate or possible or even necessary. And what more particularly what the human rights implications of that are adverse consequences of doing that would be. So this haphazard extension of a wide range of criminal offenses seeking a variety of really different purposes is just not good practice on drafting critical criminal instruments, and I think gives rise to not just inconsistency and unpredictability, but is at odds with the sort of a fundamental tenet of human rights law. And I think the second challenge we see in Article four is the criminalization of offenses and this criminalization. of offenses committed through information and communication technology systems is ambiguous. It’s just ambiguous. And it doesn’t really tell you in which circumstances cyber means should actually be unlawful. And this idea of commission through the use of information could encompass just a whole range of conduct and interactions. And that some of those could be intentional. Some of them might not be. Some of them might be unconscious, indirect, or even offline connections with information and communication systems. And I think this is really, really problematic from a fundamental criminal law perspective and a human rights perspective, because it undermines that absolute obligation in international human rights law of legal certainty. If you are to be made the subject of a criminal offense, you need to know what offenses, they have to be clearly defined in advance in a way that you could regulate your conduct so you don’t end up being in violation of the law inadvertently. And I think that’s just simply not the case here. Individuals may end up being in violation, not just because the law is not clear, but because it suits states to have the law unclear, because that actual level of uncertainty actually puts individuals, and I would say particularly human rights defenders and other civil society actors, on the defensive and therefore preemptively regulating their conduct for fear that they might run afoul of something that’s not clear. And I think what we might end up with is considerable variance at national level about what kind of offenses are produced at national level, a kind of a way that you get double criminality. And when we get to the parts of the treaty that deal with extradition and mutual assistance, actually you run into even further complicated problems. And I do want to flag that I think between the cyber crime offenses, Articles 7 to 12, are really quite problematic. It’s really not clear. When you look at the nature of these offenses, again, they appear to be overbroad and capitalist. or a range of conduct that not, in fact, that that’s not, in fact, sufficiently serious to warrant criminalization. But actually, these offenses risk targeting a whole range of other actors. And the actors I want to highlight are those actors like whistleblowers being criminalized or those engaged in disclosure of information that expose illegality or fraud. It risks criminalizing those who take action to prevent crime. It risks criminalizing ethical hackers, cybersecurity researchers and those who are in the work in the digital infrastructure ecosystem to actually protect us. And probably the most and most substantial fear that I think previous comments have picked up also is the danger that this kind of criminalization is going to get at protest and freedom of expression online. And I also think I’d want to endorse the comments about the lack of sufficient safeguards and conditions of safeguard and the risks that this pose for civil society actors. I also want to pay attention to the way in which the general human rights safeguards that we find in chapters two, five, six and seven are simply inadequate, because actually, when you look at the treaty, it looks like a Swiss cheese. You get like human rights language in one piece, but not in others. And I think that should provoke our curiosity and reflection on why human rights clauses were put in some places and not in others. And I think the lack of consistency of human rights safeguards throughout the treaty. So, for example, their exclusion in chapter two or the limits on it in chapter seven and chapter six tell us, in fact, that again, there really was a Swiss cheese effort here to not ensure consistent human rights safeguards across the board, but to do a pick and choose a kind of an a la carte menu of human rights protection in the treaty. I also want to highlight. Chapter 7, and I want to particularly flag Article 35, which is the general principle on international cooperation, where there’s simply no mention of human rights. And I think this point that you’re leaving out human rights protection in those places, particularly in the context of transnational repression, where we see the gaps in protection being particularly problematic, their exclusion here underscores this broader problem of an unwillingness by states to address the actual practice of transnational repression, which is increasingly being framed under the language of assistance and cooperation among states. And again, brings us back to this human rights, this sprinkling of human rights, the human rights light approach. Two final comments on human rights lacuna I would include is Article 34, the limits on assistance and protection of victims, where again, the failure of the treaty to implement existing and growing human rights law on the rights of victims is simply not present. We see the same in Chapter 6 on prevention measures, where we see actually a failure to implement the massive advantages that are massive and protections that we’ve seen developed over several decades. And I close by just saying that the one of the parts of the treaty that concerns me most is the focus on technical assistance and capacity building under Chapter 6, which refers to training, exchange of information, technical assistance and technology transfers between states. And again, the striking absence of fundamental human rights activity protections in these activities stress to us the ways in which human rights entirely sat at the margins of the conversations in this treaty, weakening it in fundamental ways, but also having the reverse. effect of weakening back to the fundamental human rights treaties, the absence of their inclusion in this important step by states to regulate the cyber arena. So let me stop there and thank you for your time.

Joey Shea: Thanks very much, Fionnuala, for those important remarks. I want to turn now to Nick, if we could get Nick up on the screen from our technical team. Nick, can you hear me all right? Nick, if you can hear us, we’re working to get you up on the screen, but just as we’re working to do that, Fionnuala had mentioned the impact of the treaty on cybersecurity And I know throughout the course of your work, you work very closely with cybersecurity researchers. So I’m wondering if you could, when we finally get you up on the screen, if you could sort of discuss and give us your thoughts on the importance and value of protecting these researchers and why the convention may be harmful for their work. And just give us one moment as we try to bring you up on the screen. Can you hear me okay? In the meantime. To our technical team, Nick is down at the bottom. There we go. Well, thanks again. We have you up on the screen now, Nick. So again, that question, could you just sort of touch on the importance of cybersecurity researchers throughout the course of your work and how the treaty may be harmful to their work?

Nick Ashton-Hart: Thank you very much. I think that’s actually the very first point. I want to address them. You can spend a long time talking about the problems of the convention, but this is one of the two most important areas for us anyway. And thank you for inviting, thank you for organizing a session on this subject at the IGF and for the invitation to speak on it. I should say out front that the Cybersecurity Tech Accord, along with the global business community very broadly has publicly opposed signature ratification or accession to the convention of the text as it stands, along with a very broad array of civil society and voices. It’s been said more than once that throughout the negotiations, there was such unanimity across the board from business and civil society that none of us had ever seen that level of agreement before, which unfortunately the negotiators did not take really enough of a warning from. As you mentioned, there is considerable additional legal risk from cybersecurity researchers, for cybersecurity researchers in the convention. The article on illegal access requires countries to criminalize accessing computer systems without permission of the system’s owner using the same language that the Budapest Convention uses, but without the context of the explanatory report to Budapest, which makes clear that actions which are in the public interest should not be criminalized, meaning that security researchers, investigative journalists, whistleblowers and others are at risk of criminal prosecution in this convention in a way that is not the case in Budapest. Without the work that security researchers do, criminals and others will find it easier to exploit vulnerabilities, to breach sensitive systems, spread malware and engage in ransomware. other attacks. And those risks become even more important when you consider the red teaming that is needed to test AI systems for bias, but also to to test that guardrails against misuse of those systems work not only in the languages of those of those who develop the systems, but in global language sets, for example. Some member states have said publicly that security researchers are protected because of the reference to them in Article 53, three E of the convention. But this is simply not true. And a plain language reading of that article will tell you that it’s not true. Because all that it does is recognizes the importance of security researchers. It does nothing to protect their work. And you don’t have to take our word for it. The global security research community wrote a letter to the negotiators in February, warning them that the convention endangered their work. Unfortunately, the negotiators did not act in any way to address that problem. It allows authorities to force any personal company to facilitate access to computer systems, or stored electronic data in Article 28.4, which you’ve heard about from others today, in a manner that is far broader than Budapest. The Office of the UN High Commissioner for Human Rights has warned that this would directly threaten the global availability of encrypted communications and encrypted services, which we agree with that assessment. And undermining encryption threatens the safety and security of citizens globally. Government and or private sector technology workers on holiday with access to secure systems could be compelled to provide access to those systems, and system owners would not know until it was too late. On safeguards as they relate to the private sector. Many powers in the convention, as you’ve heard, are from Budapest and other treaties, generally verbatim. The safeguards and protections were copied and generally weakened. Many states, OECD states, have said the convention sets new standards for safeguards because it contains protections that are new to international criminal justice law, which is true but misleading because the foundational protections in the convention are weaker than prior instruments, not stronger, and those foundations undermine the new protections which rely on them. In particular, Article 24.2 is copied from Budapest and is an essential foundation of all other protections. In Budapest, all parties must have these procedural law protections, but in this convention those protections are to be, quote, in accordance with and pursuant to the domestic law of each state party, end quote, meaning they are essentially optional. Procedural law is absolutely fundamental to users and human rights, but also to firms because these are the provisions that allow service providers to go to court to contest requests for user data when we think they’re unlawful or disproportionate. They are what requires a state to ground requests in applicable law and which provides for warrants rather than simply allowing a demand for data without judicial authorization. In many countries, you’ve heard in detail earlier in this session from the previous speakers, warrants aren’t required to demand data from service providers. Requests are kept secret and providers may not object to them. Several UN member states at the committee level and at the third committee, when it was adopted by the first stage of UNGA, stated on the record that they will treat every safeguard provision in this convention as entirely subject to their own discretion. to their existing national legislation. This means we do not have to guess whether this convention will be abused. States have told us that they will do so on the record multiple times before the convention has even been adopted by the UNGA plenary. While the convention requires confidentiality in the operations of its powers in eight articles, it requires transparency in none. States may use the convention’s powers, all of them, in perpetual secrecy. What this means is that firms operating globally will get demands for data which must be kept secret, and there will be no recourse to courts to push back against them, even if the firm knows they’re breaking the law in a different jurisdiction if they grant the request. This will all be legitimized because a treaty with the UN’s name on it allows for it to happen. I wanna talk about something in addition today which we haven’t talked about yet and which doesn’t get enough attention, which is the convention’s provisions on asset seizures and forfeiture. The Budapest Convention does not have these provisions. As said by the Council of Europe in its briefing to Budapest member states on 4th July of this year, and I quote, “‘Risks arising from the current draft text “‘of the convention are stemming from provisions “‘on money laundering and asset forfeiture. “‘In some states, targeting assets is a primary means “‘to target opponents or businesses “‘and to restrict fundamental rights. “‘This entails the risk of abusive criminalization, “‘investigation, or seizure of assets. “‘For example, the combination of broad jurisdiction “‘with low thresholds for liability of legal persons, “‘low threshold and intense standards “‘for participation and attempt “‘could elevate non-criminal and unintentional conduct “‘by service providers to a predicate offense “‘and lead to the.’ freezing of assets. Or for political reasons, individuals and organizations may be targeted for fraud, and their assets may then be confiscated domestically or via international cooperation. All of what you’ve heard today begs a question of, why didn’t these many problems get addressed during the negotiation, especially given stakeholders were in the back of the room consistently raising them? The answer is that the process allowed for voting on the substance. This is a major and terrible precedent. Treaties have been previously decided by consensus. Negotiators on OECD states were always worried that they didn’t have the votes for more robust safeguards. We know this because they told us again and again whenever we proposed fixes to these problems. It turns out that they were wrong. And we know this because Iran demanded several votes to remove safeguards and human rights provisions in August before the convention was adopted. And the most votes they could get in favor of this was 31 when they needed more than 90. In short, we recommend that all states not sign or ratify the convention now. The UNGA resolution adopting it will authorize the current negotiating committee to develop a protocol. And we believe national negotiators should be tasked with fixing the problems in the convention during that negotiation. And if they are successful, then states could join the convention and the protocol together. We know we will get better results this time, or we can, because of Iran with its votes showed that the opponents of safeguards and rule of law protections don’t even have a quarter of the votes that they need. That’s all I have time for. But I look forward to the discussion and the questions.

Joey Shea: Thank you, Nick, for that intervention. We’re nearing the end of our time, so I want to open it up to the floor in the room first. We have at least one question online, but I just want to see from our audience here if there’s any questions to our panelists about the treaty and the rights implications globally and also in the various case studies that were presented today. No, if there’s no questions from the room, I know that we have one question online. So, from Monica through our Zoom call here, Monica asks to our panelists, how would human rights codified in national basic fundamental law prevent authorities from a country to transfer data to another treaty signatory? So, Deborah, do you want to?

Deborah Brown: I can start, and I’m very happy for others to weigh in as well. So the treaty does include an article that allows governments to refuse to provide mutual legal assistance on human rights grounds. I’ll read, I think it’s 4022, I’ll read the text now, it says nothing in this convention shall be interpreted as imposing obligations to a foreign mutual legal assistance if the requested state, meaning the state who receives the request for evidence, has grounds to believe that this request has been made for the purpose of punishing a person based on their sex, race, education, religion, nationality, ethnic origin, or political opinions, and it goes on a bit on that. So there is, as we said, this treaty provides flexibility, and as Fanula put it, it’s like Swiss cheese. You see human rights sprinkled in here and there, you can read into it, if you’re really committed to not allowing the treaty to be abused, there are ways you could use it and justify refusing cooperation. The point is, it doesn’t require states to refuse cooperation. They need to be proactive about it. So there’s both a reality, like from what we heard from Lina and from Virgiana, there’s countries around the world who expressively don’t want to respect human rights and are looking for ways to engage in repression, transnational or otherwise. And there’s no shortage of evidence to provide the negotiators reasons to provide stronger human rights protections. And there’s also a practical issue here. This essentially creates mutual legal assistance treaties globally. So rather than on a bilateral level or multilateral level, it’s basically would, for all signatories, require mutual legal assistance, and not for a specific set of crimes, but for crimes based on domestic law with a prison sentence of four years or more. So effectively, you’re going to have a massive number of requests coming in. And to be able to find the requests that one can interpret as posing an obligation of providing substantial grounds for belief that the intention of the request was to repress human rights is a lot of ifs. Firstly, to find the case, to be looking for the case, the purpose of punishing or prosecuting a person on the basis of these protected classes is a high threshold. And it’s all voluntary. Again, it provides flexibility to do so, but no requirement to do so. And so between the high volume of requests that will be incoming to already overloaded mutual legal assistance authorities, and just the reality that a lot of governments are looking for ways, there’s been numerous reports in recent years on transnational repression by Human Rights Watch, by Citizen Lab, by Freedom House that are showing clear trends. So rather than responding to those trends and creating a stronger threshold, this treaty essentially gives a lot of latitude for governments to find ways to cooperate. So I think I answered the question as to how one could find a way in the treaty, but I think the reality is that those are going to be the exceptions, not the rule.

Joey Shea: Deborah, I’m wondering if any of our panelists online would like to weigh in, and perhaps our tech team, who seem… To no longer be here could help them help us get them on the screen But to our online panelists we can hear you so if you want to intervene Please go ahead while we try to get you up on the screen So as we’re So we do have one more question from Yeah, so we have one question from from the audience here, but we’re I’m gonna pass the mic

Audience: It’s an internet governance forum that beleaguered by lots of technical challenges, that’s very not funny anyway Basically all of the speakers. My name is Khaled Mansour. I serve as a member of the Oversight Board for META And my question is all of you paint a very bleak picture that the train has left the station. It’s racing Basically a 40 countries Sign or ratify this treaty. It’s done. It’s a done deal. So what can be done to convince?

Joey Shea: Oh He’s in the IT booth, so I’m gonna take over moderation I’m seeing Nick on the screen, which is convenient because I think Nick has some thoughts on this but also happy to hear from others

Nick Ashton-Hart: But it’s it is like the key question I think the first thing is to remember that in in this in In international judicial cooperation a great deal of the data that most of the country needs is located in a relatively few jurisdictions The u.s. In particular. We have already said that they have no plans to seek ratification or to sign the convention in any reasonable, in any, they’re not going to do it soon, at the very least, they’re going to wait and see what countries do, but the EU has not, the EU commission has said that they want to sign and ratify and the commission, the parliament has to agree to this, so there’s an opportunity for Europe not to do that because Europe is the the next most popular destination to get data from. Throughout the negotiations, we were told by many developing states who genuinely want to cooperate on cybercrime, on actual cybercrime, that the US and the EU member states joining was of fundamental importance because that’s where the data, most of the data they needed is, so were those states to team up and use the protocol negotiations to address some of these issues, they, we know they have the numbers because of the voting situation that I just recounted for you, but we know that they would have support from many other states who need them to join the treaty for it to be a viable instrument, so I think, I think really now is the key is to get, is to get, to get member states to say that they’re not going to sign, they’re not going to sign or ratify the convention as it stands, they supported its adoption, but they’re not going to join it and they’re going to use the protocol negotiations to, to address its flaws. It’s worth pointing out that the reason protocol negotiations exist at all in this is because the many, the many states who are of a more autocratic bent insisted on having protocol negotiations because they want to go and add even more crimes and even more scope to the convention, which makes it doubly important for OECD member states and, and their allies to say well that’s not going to happen, in fact the opposite’s going to happen, we’re going to make this about. about an actual cybercrime and an actually workable result that all states who genuinely want to work on cybercrime will participate in, which I think also goes to the question, Monica, that you asked, or part of the question that you asked. But I don’t see any other, the only other thing that could be done to address the convention is to work through the conference of the parties once it has entered into force, once 40 states have ratified it. And that’s far more, far less likely to have a successful result than the protocol negotiations allow for.

Joey Shea: Thanks, Nick. It’s very concerning to note about how ratification may lead to authoritarian states adding even more crimes to the treaty. I want to go back to Lina for just one moment. We only have a few more minutes left in our session. There’s been a lot of discussion about transnational repression and how the treaty can facilitate and contribute to transnational repression. Could you speak a bit about the sort of history of transnational repression in Saudi Arabia and the gaps in the domestic law here, and how the treaty may interact with those gaps in domestic legislation to perhaps lead to further transnational repression? And also, in case we don’t have time, I’d encourage you to also speak, given that there’s so many policymakers in the room here today, folks from industry and government, what your message is with regard to the treaty on their engagement going forward as ratification comes.

al-Hathloul Lina: Thank you, Joey. That’s a lot to cover, but I’ll try my best. Just maybe, first of all, regarding transnational repression, I mean, what we have been monitoring are different trends. So it’s usually either the government collaborating with other governments in order to commit human rights violations. So, for example, I mentioned the case of my sister who was arrested, but before being arrested, she was actually kidnapped from the UAE with the help of the UAE government, the Emirati government, and brought back to Saudi Arabia and then forcibly disappeared in Saudi Arabia. So we see directly transnational repression with the collaboration of two states. But there are also other kinds of transnational repression, also linked to the digital rights. There’s also the use of spyware technologies, including Pegasus, for example, for numbers. And we have it, I mean, the founder of Al-Qais, has been targeted by Pegasus and is now trying the company and the state in UK courts. So this is also considered as transnational repression. And you also have, I mean, we have to remind this here, but the killing of Jamal Khashoggi in a Turkish consulate, in the Saudi consulate in Turkey, for example. So there are different ways we could describe transnational repression. And it’s mostly done through digital technologies. For Saudi, I mean, when we speak about national laws. What has to be known is, first of all, you don’t have a general penal code. But we do have, for example, two important laws for the topic is the first, the Saudi cybercrime law, and the second one is the anti-terrorism law, which are both used to silence civil society and to criminalize any remaining free speech. For the cybercrime law, we have, it’s problematic in its Article 3 and Article 6. So first, Paragraph 5 of Article 3 punishes any person who publishes defamatory content using various information technology devices with imprisonment for a period of up to one year or a fine of up to $130,000. So we see that usually what consists of what is defamatory is very broad and vague, and can be sometimes also just the comment on someone’s appearance on television, for example. We also have Article 6, so Paragraph 1 of Article 6 punishes any person who produces, prepares, or stores material impeding on public order, religious values, public morals, or privacy through an information network or computer with imprisonment, again, for up to five years and a fine, and or a fine of up to $800,000. And again, here in this definition, everything is very vague, and anything can be considered as impeding public morals, and we’ve seen it in our monitoring. and monitoring work as well. And then, so a person can be charged on the cybercrime law, but also at the same time for the same case on the anti-terrorism law. And what’s very problematic with the anti-terrorism law is really it’s Article 1, the mere definition of what is terrorism. It’s too broad, very vague. We have seen, again, also people getting charged with the anti-terrorism law just for tweets, in which sometimes it’s also commenting social issues that have no link to terrorism whatsoever. And so we have cases where people have been charged with cybercrime law, with the anti-terrorism law. And then, because the judge has so much discretion in Saudi courts, they can add also, for example, two, three years of prison based on the judge’s discretion. So these are the main three laws and, yeah, and use of discretion by the judge in Saudi courts that I would say are the most problematic ones. Thank you. I don’t know, can you maybe just remind me the last part of your question?

Joey Shea: Yeah, the last part of my question, Lina, was any sort of anything you wanted to say to the policy makers here in the audience. We have folks from government and industry here, and any sort of recommendations you would have for them on how they should be engaging with the treaty going forward as it moves towards ratification with respect to human rights?

al-Hathloul Lina: Yeah, I mean, the first thing really is to listen to civil society. I think, I mean, we are discussing now this treaty. Haiti, in Saudi Arabia, when no Saudi civil society can really be present. So I think that the first step is really to be supportive of civil society being present in these spaces in order to really understand what’s at stake. I mean, we cannot just regulate such topics without knowing what’s at stake. And I think that everyone in this room, in your room, Joey, and everyone else, realizes how dangerous it is. It’s not even ratified that I cannot be there in person. So I think that everyone has the duty, really, to push for civil society to be present, to be protected in discussing these topics, and that it should not be seen as a bubble, because it will backfire. I mean, it is against everyone’s interest to have these discussions behind closed doors and not seeing the consequences it could have on everyone.

Joey Shea: Thank you very much, Lina. We just have a few moments left, so I want to actually put that question to the rest of our panelists. Maybe we can start with the rest of our online panelists, Nick or Virgiana, if you have any recommendations for the folks here in the room with how they can engage with the ratification process.

Veridiana Alimonti: I can start, and, well, considering everything that we discussed so far, the way that we see and, of course, EFF also opposes signature ratification and accession to the text as it is now, and have been urging states to vote no when the UNGA votes the UN cybercrime. treaties, so policymakers and industry that are part of this panel and have been listening to our discussion, we would like to extend the call to pay attention to the concerns that we shared here. At this point of the vote in the General Assembly, and nonetheless, if the text passes and we have it, then it’s the process inside each country where policymakers and industry are also to point out these concerns and in another state where this is being discussed internally, if it passes, as it is, what would be a problem in our perspective. To discuss the least harmful way to incorporate this internally, considering the mace and the human rights safeguards a la carte that we mentioned in this panel that should be embraced in each context that this treaty goes on, but what I would like to highlight is that in our position or in our view, we shouldn’t get, in the FF’s view, we shouldn’t get to the point of incorporating this treaty into national law with its current text. We should be able to make its safeguards more robust globally as the investigative powers are robust right now globally. So that’s it. Thank you for the opportunity to be part of this discussion and to share. our thoughts about the cybercrime convention.

Joey Shea: Do you have anything closing to add in terms of advice for the folks in the room? And we just have a few moments, so we’ll keep it short, Nick, and then we’ll close with Deborah. Nick, can you hear us? If you have any closing remarks, please go ahead.

Nick Ashton-Hart: Sorry, I thought it was like a general call. I didn’t hear it was me, because you’re quite faint for some reason on my end. I mean, nothing in particular you haven’t heard. I mean, I hope people who aren’t familiar with this are concerned. You should be. And the best thing that people can do is communicate to their governments what their concerns are and ask that they not be willing to sign this until improvements are made and to engage actively in the forthcoming negotiation process on the protocol to make that possible, because that’s really the only practical way that there is to change the content of the convention. Otherwise, it would be only five years after the convention enters into force could the conference of the parties entertain amendments to it. And I think by then, it would be very difficult to get much support for amending it again. So this is really the time is to not sign it and for states to remain engaged in the process. And this time around. work with civil society and the private sector and come up with proposals in advance that the back of the room can actually support and to be bold, because the states who need the data and the states who have the data are far and away enough to get meaningful changes adopted over the objections of the relatively small number of states who are on the other side of all of the issues that you’ve heard today. That’s the good news. There isn’t a majority for a lot of these provisions. Now we know that, and we should take advantage of that knowledge to change the text.

Deborah Brown: I know we only have three minutes left, so I’ll try to be quick just to build on what Nick was saying. The protocol is an important opportunity. It’s worth mentioning that even if a state hasn’t ratified the treaty, they can participate in those negotiations, as opposed to the conference of state parties. That is an argument both to not ratify, but also to participate in the protocol. This was a relatively open process for a multilateral treaty negotiation, meaning that civil society and industry were in the room, though a lot of these concerns that have been raised today we had proposals to address. I think there’s a gap there also with the UN Office of the High Commissioner for Human Rights, which had very tangible expert advice on how to plug the human rights gaps in this treaty. Moving forward, there’s been ideas floated by the US and an explanation of a position to have a legislative guide or implementation guide. To really lean on the expertise within the UN system would be incredibly important for that. Also, to listen to national stakeholders or in the case of the EU, regional stakeholders. Of course, each member state has a different process to get to ratification, and it’s really important to listen to domestic stakeholders on how to whether they support the treaty and what action to take and within the context of the EU it’d be wonderful if there was an opinion requested by the European Court of Justice and also to listen to request and consider recommendations or opinions from the EU data protection supervisor who had issued an opinion on a draft version of the text which was quite critical. So I think I will end there. I think we’re more or less at time. Joey, any final remarks?

Joey Shea: Just to say thank you to all of our panelists online for participating in this important discussion and especially to Lina who really should be here in the room with us today and again just to emphasize how important her voice is and the voice of Al-Qist and other Saudi human rights organizations are and how unfortunate it is that they are not able to be with us here today. But thank you everyone for joining us and yeah I hope you have a wonderful rest of your IGF. you you you

Agreement Points

The UN Cybercrime Treaty lacks adequate human rights safeguards

Deborah Brown

Fionnuala Ni Aolain

Nick Ashton-Hart

Veridiana Alimonti

Treaty provides broad surveillance powers without adequate safeguards

Treaty lacks consistent human rights protections throughout

Treaty allows for secret surveillance and data collection

Treaty could facilitate cross-border surveillance and data sharing by repressive regimes

Multiple speakers agreed that the UN Cybercrime Treaty does not provide sufficient human rights protections and could enable abuse of surveillance powers.

The treaty poses risks to cybersecurity researchers

Nick Ashton-Hart

Deborah Brown

Treaty criminalizes accessing systems without permission, endangering security researchers

Lack of protections for security researchers threatens discovery of vulnerabilities

Speakers highlighted the potential negative impact of the treaty on cybersecurity research, which could hinder the discovery and reporting of vulnerabilities.

Similar Viewpoints

These speakers advocated for not ratifying the treaty in its current form and suggested using future negotiations and stakeholder engagement to address its flaws.

Nick Ashton-Hart

Veridiana Alimonti

Deborah Brown

States should not sign or ratify the treaty as it stands

Use protocol negotiations to address flaws in the treaty

Engage with domestic stakeholders on ratification decisions

Unexpected Consensus

Broad agreement across civil society and business sectors

Nick Ashton-Hart

States should not sign or ratify the treaty as it stands

The speaker noted an unprecedented level of agreement between civil society and the business community in opposing the treaty, which is significant given these groups often have divergent interests.

Overall Assessment

Summary

The speakers largely agreed on the inadequacy of human rights protections in the UN Cybercrime Treaty, its potential for abuse, and the need for significant improvements before ratification.

Consensus level

High level of consensus among the speakers, implying a strong unified critique of the treaty from various perspectives (human rights, cybersecurity, legal). This consensus suggests a need for substantial revisions to the treaty to address these shared concerns.

Different Viewpoints

Approach to addressing treaty flaws

Nick Ashton-Hart

Veridiana Alimonti

Use protocol negotiations to address flaws in the treaty

Treaty lacks consistent human rights protections throughout

Nick Ashton-Hart suggests using protocol negotiations to fix treaty flaws, while Veridiana Alimonti emphasizes the need for more robust global safeguards rather than incorporating the current text into national law.

Unexpected Differences

Overall Assessment

summary

The main areas of disagreement revolve around the specific approaches to addressing the treaty’s flaws and the level of engagement with different stakeholders in the process.

difference_level

The level of disagreement among the speakers is relatively low. They largely agree on the fundamental issues with the treaty but have slightly different emphases on how to address these issues. This general consensus implies a strong united front in opposition to the treaty as it stands, which could be significant in influencing policy decisions and future negotiations.

Partial Agreements

All speakers agree that the treaty has significant flaws and should not be ratified as is, but they differ on the specific actions to take. Nick Ashton-Hart suggests using protocol negotiations, Veridiana Alimonti opposes incorporation into national law, and Deborah Brown emphasizes engaging with domestic stakeholders.

Nick Ashton-Hart

Veridiana Alimonti

Deborah Brown

States should not sign or ratify the treaty as it stands

Treaty lacks safeguards against misuse for political persecution

Engage with domestic stakeholders on ratification decisions

Similar Viewpoints

These speakers advocated for not ratifying the treaty in its current form and suggested using future negotiations and stakeholder engagement to address its flaws.

Nick Ashton-Hart

Veridiana Alimonti

Deborah Brown

States should not sign or ratify the treaty as it stands

Use protocol negotiations to address flaws in the treaty

Engage with domestic stakeholders on ratification decisions

Key Takeaways

The UN Cybercrime Treaty provides broad surveillance powers without adequate human rights safeguards

The treaty could facilitate transnational repression by authoritarian regimes

The treaty poses risks to cybersecurity researchers and their work

There are significant concerns about the treaty’s vague language and deference to domestic laws

Civil society and industry groups broadly oppose ratification of the treaty in its current form

Resolutions and Action Items

Policymakers are urged not to sign or ratify the treaty in its current form

States are encouraged to use upcoming protocol negotiations to address flaws in the treaty

Governments should engage with domestic stakeholders and civil society on ratification decisions

Unresolved Issues

How to effectively balance cybercrime prevention with human rights protections

How to ensure the treaty cannot be misused for political persecution

How to protect cybersecurity researchers while criminalizing malicious hacking

How to address the treaty’s broad scope and vague definitions of crimes

Suggested Compromises

Use the protocol negotiations to strengthen human rights safeguards while maintaining core cybercrime provisions

Develop implementation guidelines with input from UN human rights experts to mitigate potential abuses

Allow states to opt out of certain provisions that may conflict with domestic human rights protections

The UN Cybercrime Treaty, as it currently stands, is excessively broad and it reduces significant legal uncertainty. It provides states with the tools to leverage high-level, intrusive domestic and cross-border surveillance powers to address a vaguely defined list of criminal offences. This vague framing risks becoming a serious weapon in the hands of governments that are already using cybercrime laws to suppress dissent.

speaker

Lina al-Hathloul

reason

This comment succinctly captures the core problem with the treaty – its vagueness and potential for abuse by repressive governments.

impact

It set the tone for much of the subsequent discussion about the treaty’s flaws and dangers, particularly for human rights defenders and dissidents.

Article four requires wholesale and indiscriminate potential extension of every offense under every convention without close drafting scrutiny of whether it’s appropriate or possible or even necessary. And what more particularly what the human rights implications of that are adverse consequences of doing that would be.

speaker

Fionnuala Ni Aolain

reason

This comment highlights a specific and critical flaw in the treaty’s drafting that could have far-reaching consequences.

impact

It deepened the analysis by moving from general concerns to specific legal issues, prompting more detailed discussion of the treaty’s text and implications.

We know we will get better results this time, or we can, because of Iran with its votes showed that the opponents of safeguards and rule of law protections don’t even have a quarter of the votes that they need.

speaker

Nick Ashton-Hart

reason

This comment provides a strategic insight into how the treaty could potentially be improved, offering a glimmer of hope in an otherwise bleak discussion.

impact

It shifted the conversation towards potential solutions and next steps, rather than just focusing on the problems with the current treaty.

The protocol is an important opportunity. It’s worth mentioning that even if a state hasn’t ratified the treaty, they can participate in those negotiations, as opposed to the conference of state parties. That is an argument both to not ratify, but also to participate in the protocol.

speaker

Deborah Brown

reason

This comment offers a practical strategy for engagement with the treaty process, even for states with concerns.

impact

It provided a concrete action item for policymakers and stakeholders in the audience, shifting the discussion from analysis to potential action.

Overall Assessment

These key comments shaped the discussion by first establishing the serious flaws and dangers of the UN Cybercrime Treaty, then delving into specific legal and procedural issues, and finally exploring potential strategies for improvement and engagement. The conversation progressed from outlining problems to proposing solutions, providing a comprehensive overview of the treaty’s implications and possible ways forward for concerned stakeholders.

How can the protocol negotiations be used to address flaws in the UN Cybercrime Treaty?

speaker

Nick Ashton-Hart

explanation

Nick suggested using the upcoming protocol negotiations as an opportunity to fix problems in the convention, which is important for improving human rights protections.

What are the potential impacts of the UN Cybercrime Treaty on cybersecurity researchers?

speaker

Joey Shea

explanation

Joey asked about this specifically, highlighting the importance of understanding how the treaty could affect the work of those who help protect digital systems.

How can civil society be more effectively included in discussions about the UN Cybercrime Treaty?

speaker

Lina al-Hathloul

explanation

Lina emphasized the need for civil society participation to fully understand the treaty’s implications, which is crucial for developing balanced policies.

What steps can be taken to prevent the UN Cybercrime Treaty from facilitating transnational repression?

speaker

Joey Shea

explanation

Joey asked about this in relation to Saudi Arabia, highlighting the need to address potential misuse of the treaty for human rights abuses.

How can policymakers and industry engage with the ratification process to address human rights concerns?

speaker

Joey Shea

explanation

Joey asked this to all panelists, indicating the importance of finding ways to improve the treaty during its implementation phase.

What are the implications of the treaty’s provisions on asset seizures and forfeiture?

speaker

Nick Ashton-Hart

explanation

Nick raised this as an area needing more attention, suggesting it could be used to target opponents or businesses and restrict fundamental rights.

How can states effectively use the human rights provisions in the treaty to refuse cooperation on abusive requests?

speaker

Monica (audience member)

explanation

This question addresses the practical application of human rights protections in the treaty, which is crucial for preventing misuse.

Summary

This discussion focused on protecting Internet data flows and addressing challenges in trade policy initiatives. Panelists explored how data localization laws and restrictions on cross-border data flows threaten the open, globally connected nature of the Internet. They highlighted concerns about how such policies can negatively impact privacy, free expression, and economic growth, particularly for small businesses and network operators in developing countries.

The speakers emphasized the need for evidence-based policymaking and standardized practices for data protection and security. They discussed tools like the Internet Society’s Impact Assessment Toolkit to help governments understand the consequences of their policies on Internet infrastructure. The importance of involving diverse stakeholders, including network operators, small businesses, and civil society, in policy discussions was stressed.

Panelists noted the challenges posed by the intersection of digital trade issues with national security concerns, which has led to increased restrictions. They called for greater collaboration between the digital and trade communities to address misconceptions about data flows and sovereignty. The discussion highlighted the need for more research on the economic impacts of data localization, especially in developing countries.

Participants agreed on the importance of raising awareness about how restrictions on data flows threaten the Internet’s existence. They suggested engaging with international development banks and national policymakers to promote informed decision-making. The discussion concluded by emphasizing the need for collaboration among all stakeholders to maintain free data flows and shape the future of the Internet and digital trade positively.

Keypoints

Major discussion points:

– The importance of protecting cross-border data flows and resisting data localization policies that threaten to fragment the internet

– The rise of digital sovereignty and data localization laws as threats to an open, globally connected internet

– The need for evidence-based policymaking and impact assessments to understand the effects of data flow restrictions

– The role of trade agreements in protecting cross-border data flows and the recent U.S. reversal on this issue

– The importance of including diverse stakeholders (e.g. small network operators, businesses) in discussions about data flows and trade policy

The overall purpose of the discussion was to examine threats to cross-border data flows, particularly in the context of trade policy, and explore ways to protect an open, globally connected internet while addressing privacy and security concerns.

The tone of the discussion was largely analytical and collaborative, with experts sharing insights from different perspectives (e.g. human rights, trade policy, internet governance). There was a sense of urgency about the threats to cross-border data flows, but also optimism about potential solutions through multi-stakeholder collaboration and evidence-based policymaking. The tone became slightly more concerned when discussing geopolitical tensions and national security issues near the end.

Speakers

– Nermine EL Saadany: Moderator, Regional Vice President at the Internet Society

– Natalie Campbell: Director and Senior Director, North America at the Internet Society

– Mahroz Khan: Cross-border Expansion Manager at the Digital Cooperation Organization (DCO)

– Jennifer Brody: Deputy Director of Policy and Advocacy for Technology and Democracy, Freedom House

– Sabhanaz Rashid Diya: CIGI Senior Fellow and founder of the Tech Global Institute

– Farzaneh Badiei: Founder, Digital Medusa

Additional speakers:

– (Audience member): Senior Project Manager at the Council of Europe

– Dana Kramer: Representing Canadian NRI (youth and national)

– Milton Mueller: Professor at Georgia Institute of Technology’s Internet Governance Project

Protecting Cross-Border Data Flows: Challenges and Solutions in Internet Governance

This discussion, moderated by Nermine EL Saadany of the Internet Society, brought together experts from various fields to explore the critical issue of protecting cross-border data flows in the face of emerging challenges, particularly in trade policy initiatives. The panel examined how data localisation laws and restrictions on cross-border data flows threaten the open, globally connected nature of the Internet, and discussed potential solutions to address these challenges.

Key Threats to Cross-Border Data Flows

The panellists unanimously agreed that data localisation laws pose a significant threat to the open Internet. Natalie Campbell from the Internet Society highlighted how these laws threaten global connectivity, while Jennifer Brody of Freedom House emphasised that such laws enable government surveillance and control. Sabhanaz Rashid Diya, a CIGI Senior Fellow, pointed out that the recent US reversal on cross-border data flow policy encourages data localisation, further exacerbating the problem.

Farzaneh Badiei, founder of Digital Medusa, drew attention to the impact of data localisation on small network operators and meaningful connectivity. This perspective was particularly valuable in highlighting how these policies affect not just large corporations, but also smaller players in the digital ecosystem.

The discussion also touched on the concerning trend of trade agreements no longer prioritising or including strong protections for cross-border data flows. Both Natalie Campbell and Mahroz Khan from the Digital Cooperation Organization expressed worry about this development, noting that it poses significant risks to the open Internet. Khan specifically mentioned ongoing discussions at the World Trade Organization (WTO) and the shift in the US position on cross-border data flows.

Impacts of Restricting Cross-Border Data Flows

The panellists explored various negative impacts of restricting cross-border data flows. Nermine EL Saadany emphasised how such restrictions fragment the Internet and hinder economic growth. Jennifer Brody highlighted that data localisation laws impede access to information and communication, raising serious human rights concerns. She also discussed Freedom House’s work on internet freedom and its relevance to this issue.

An audience member raised the possibility of tariffs on digital services being used as retaliation in trade disputes, adding another layer of complexity to the issue. Milton Mueller, a professor at Georgia Institute of Technology, brought attention to how national security concerns are increasingly being used to justify digital trade restrictions, particularly in the context of US-China geopolitical rivalry.

Approaches to Protect Cross-Border Data Flows

The discussion then shifted to potential solutions and approaches to protect cross-border data flows and maintain an open Internet. Natalie Campbell advocated for the use of the Internet Society’s Internet Impact Assessment Toolkit to evaluate policies affecting cross-border data flows. She provided specific examples of how this tool has been used to assess the impact of proposed legislation on Internet infrastructure in countries like Ecuador and Kenya.

Farzaneh Badiei suggested standardising data protection and security practices globally as an alternative to data localisation. This approach aims to address security concerns without resorting to harmful localisation policies. She also emphasised the importance of involving small network operators in these discussions.

Several speakers emphasised the need for more comprehensive research and evidence gathering. Mahrooz Khan called for gathering evidence on the economic impacts of data localisation, especially in developing countries. He also highlighted the work of the Digital Cooperation Organization (DCO) in developing digital trade policies and promoting cross-border data flows.

Sabhanaz Rashid Diya stressed the importance of involving diverse stakeholders, including small businesses, in policy discussions. Jennifer Brody proposed engaging international development banks on data protection issues, highlighting the need to incorporate data protection expertise in development projects.

Natalie Campbell emphasised the importance of raising awareness that data flows are crucial for the Internet to exist, suggesting outreach to national decision-makers on this issue. She mentioned the role of Internet Society chapters in raising awareness about internet threats at the local level.

An audience member brought up the Council of Europe’s Convention 108 and the Budapest Convention as potential models for international cooperation on data protection and cybercrime issues.

The moderator concluded by emphasising that collaboration among all stakeholders is key to maintaining free data flows and shaping the future of the Internet and digital trade positively. The discussion highlighted the need for continued dialogue, evidence-based policymaking, and more research on the economic and societal impacts of data localisation policies.

In summary, this discussion provided a comprehensive overview of the challenges facing cross-border data flows and the open Internet. It highlighted the complex interplay between technical, economic, legal, and human rights considerations in this domain, and proposed various approaches to address these challenges while preserving the fundamental openness and global connectivity of the Internet.

Nermine EL Saadany: Thank you, everyone. Please confirm that you hear me online. Okay. Yes, perfect. So good afternoon. It’s a pleasure to be here with you today. My name is Nermin El Saadani. I am the regional vice president at the Internet Society, and I will be moderating this very interesting session today about protecting Internet data flows and trade policy initiatives. I think the rapid globalization of the digital economy has transformed the way we conduct business and the way we communicate and innovate. As data becomes an increasingly valuable asset, it is imperative to ensure the free flow of cross-border data. However, there is a rise of protectionist measures and data localization policies that threaten and fragment the Internet and might hinder the economic growth. So in this session, we will be delving into the critical issue of protecting the Internet data flows in the context of trade policy initiatives. I have with me online and as well on-site a very distinguished panelist whom I cherish being with and among because of their expertise, and I think the session will be very, very interesting. And without further ado, I would like to introduce our first speaker online, Ms. Nathalie Campbell, the director and senior director, North America at the Internet Society. And allow me, Nathalie, to address the very first question in our session. Why removing, in your opinion, Internet protections for cross-border data flows against mandated data localization and electronic transmission threaten the Internet? You have the floor, Nathalie.

Natalie Campbell: Thank you, Nermeen, and thank you, everyone, so much for joining us today. It’s really an honor to be here and to speak to you all about this really concerning issue. So at the Internet Society, you know, we’ve been paying attention to different threats to the Internet over the last several years. And, you know, we pay extra attention when we observe threats that would impede the Internet at the infrastructure level, but specifically in terms of what it needs to exist. Over the last several years, I think it’s no surprise to everyone here that there’s been increasing threats of fragmentation to the Internet, and often these come from governments who are trying to address different issues on the Internet, and doing so without considering what the Internet needs to exist in the first place. So the Internet Society and our mission for Internet for Everyone, we work as a resource with governments, and we help them understand the impact of different decisions on the Internet and how to mitigate harm with tools like our Internet Impact Assessment Toolkit. But today we’re here to talk about a newer challenge that is more difficult to tackle and to steer different actors in the right direction because of the secretive nature of these initiatives and the lack of transparency to different folks in this process. And that’s the threats emerging in trade initiatives to the Internet’s promise of global connectivity and specifically open data flows. So the Internet Society, we’re not a trade expert, but we started paying attention to this issue because it is an Internet threat that we spotted in 2023 when we started seeing talks about certain Internet protections that were being advanced in the World Trade Organization’s joint statement initiative on e-commerce. We started paying attention when certain protections for open data flows and pushing back on mandated localization, when that became deprioritized and ultimately there was a lack of consensus. on these protections that are crucial to the internet and its global connectivity, things that needs to exist in the first place. So this is why we started paying attention to this issue and why we’re so happy to have an opportunity to speak with everyone here today about it, because we believe that, open data flows are not just a nice to have, the internet needs these to exist. And the fact that these protections are no longer prioritized in trade initiatives, this is a worrying signal to countries around the world that very much rely on open data flows for digital trade to be successful in the first place. If we’re no longer thinking about the fact that these need to be prioritized as a protection, then that poses a risk to the internet because countries who are involved in these trade initiatives might otherwise not be prioritizing this when they’re thinking about their own different approaches to national regulation. And specifically we’re worried because as many countries around the world don’t have approaches to data governance, they might be looking towards restrictions to data flows or mandated data localization in the name of privacy and security, but we know that these are not actually helpful to both those goals and are actually very harmful to the internet’s infrastructure and what it needs to exist in the first place. So that’s kind of why we were hoping to help share these concerns with folks here today and to have a conversation with participants to not only share awareness about our concerns, but also to brainstorm what can be done to help steer countries in the right direction to protect things that are crucial to the internet and what can we do to support different actors to ensure that trade initiatives are also prioritizing protections for the internet, especially given the lack of visibility that folks have into these conversations. What can we do together? Thank you.

Nermine EL Saadany: Thank you so much, Nathalie, for setting the scene for our discussion and let me take from what you have said and maybe just take a minute to explain again to our audience because I see some new folks entered the room. Our session today will tackle protection of trade and the data flow and cross-border data and it will be divided into two parts. Part one will be the panel that we are having now, very distinguished panelists we are having online and on-site and then the second part we will have some robust kind of discussion where the experts will share some views as well and definitely in between we will listen to your views and maybe take some questions and answers. And from what Nathalie has said and maybe I would refer to my colleague on the left, Mr. Mahrooz Khan, cross-border expansion manager at the Digital Cooperation Organization, the DCO, and from your expertise, Mahrooz, the reaction of the countries on the threats and how they look at the threats that the trade can face and what is the impact on SMEs in specific.

Mahrooz Khan: Thank you so much and I really appreciate this opportunity to be here and I would like to congratulate the Internet Society for organizing this discussion and from where I’m coming from, I’m a trade and investment lawyer trained at WTO and then UN International Trade Center, so I’m coming from that dimension, but specifically here at the Digital Cooperation Organization I’m working on the nexus between the digital policies and the trade policies through various of its programs. The DCO is a new intergovernmental organization with 16 member states spanning across three different continents, so we have a good mix of member states from Europe, from Africa, as well as Asia. So I would like to actually start the premise that there is actually discontent between trade community and the digital community and it has been lagging for decades. When we talk about, as Ms. Nettly actually mentioned, that this new topic actually started coming to the conversation in the digital community in 2023. So actually, let me actually specifically lay out what actually happened in 2023. In 2023, United States stated its position that it will not support its argument and it will not enter into any legally binding agreement which guarantees cross-border data flows. And then it got into news because then it also had that catchy name, tariffs. So custom duty cross-border data flows, but in addition to that, there was a threat that custom duties would be applicable to the electronic transactions. And here, let me also bring you the background. This discussion has been happening in the trade community. Back in 1998, there was a committee formed on electronic transactions where the countries agreed that they will not impose any custom duties on electronic transactions. That was a temporary moratorium. It has been renewed again and again and recently, since the last four years, it has been extended on a bi-yearly basis, twice, during the ministerial conference of WTO. The committee at the WTO, there was no agreement on any other issue apart from the moratorium, so it did not produce anything. So what happened was, a group of countries, specifically 91 countries representing 90% of the global trade, started to negotiate on a plurilateral trade agreement where US, being this big supporter of open cross-border data flows, proposed its position that we need to have open cross-border data flows, the data localization requirements must be minimized, and then there must be a strong position on source code sharing. So later on, what happened? So the conversation started back in 2017, the country started negotiating. Then in 2023, United States stated its position, it is backing off, and then it got into news, and how it is going to impact the digital community. So where do we stand today? We do not have an internationally legally binding instrument at any stage which guarantees open cross-border data flows. This position was actually taken by US at the WTO. However, they have backed down. Amongst these 91 countries, nine of them dropped, including United States. So the latest agreement that we have amongst the 82 countries is that there must be facilitation of electronic commerce, and the language of the treaty is not much legally binding. And they have taken out cross-border data flows, the data localization requirement, and the source code. At the DCO, what we did, looking at these developments, we actually assessed where the countries stand today on these digital trade policies. And we actually collected regulations across 16 member states that actually accounts around 2,500 regulations. So in order to move towards the next direction, we need to know where we stand today. So we collected this assessment, and then we also did a survey with the business firms who are involved in digital trade, trying to understand their experience to actually connect the dots. Moving forward, we will be actually sharing a high-level trends analysis that shows the developments of digital trade. The importance of this discussion, we are connected with our moderators today through Zoom. That would mean additional imposition of taxes, but then how those taxes would have to be paid, the speakers connected in different jurisdictions, from Canada to UK and other jurisdictions, how that has to be implemented. So this topic actually creates more regulatory uncertainty. That also means Ms. Nermeen, who has actually come from Egypt, she’s able to call her family through WhatsApp. That means that won’t be possible, or that might not be possible. We do not know. And for the private sector, and here the major issue comes, the private sector, especially for the small, medium-sized enterprises, it will become a hurdle. We need open cross-border data flows that allow small businesses, and in the new digital economy, it allows small businesses to provide their goods as well as services and expand into different regions. The uncertainty on this issue would mean, and without any agreement between any countries, that would mean we are uncertain about the future. So there needs to be actually discussion. The original point that I mentioned, the discussion between trade community and the digital community, and the countries need to actually start monitoring the impact that it will have on their businesses, on their economy, and moving forward, any new shape that our economies can take. I’ll stop here.

Nermine EL Saadany: Thank you. Thank you so much, Mahmoud. It’s very insightful. And we will move to our next speaker online, Ms. Jennifer Brody, Deputy Director of Policy and Advocacy for Technology and Democracy, Freedom House. And I think, Jen, from your own experience, access to information and communication technologies nowadays has becoming an essential matter for more inclusive society and become more and more related to human rights. So if you can share from your experience, your thoughts about that, please. Jen?

Jennifer Brody: Sure, my pleasure. And thank you so much for having me here today. It’s a real honor and a pleasure. First off, just to share, if you’re not familiar, Freedom House, we are the oldest human rights and democracy nonprofit in the United States, founded in 1941. We produce the report that many of you may be familiar with called Freedom on the Net. It surveys essentially the state of internet freedom in over 70 countries around the world, working with local country analysts. At Freedom House, we first engaged in this topic after the US government, the USTR, reversed its longstanding cross-border data flows policy in the World Trade Organization talks in October, 2023, that the panelists who spoke before me alluded to. Like ISOC, we are not digital trade experts. Instead, for Freedom House, we are human rights experts. So I will be speaking specifically to the human rights impacts of these policy reversals. So first, I want to touch on data localization laws, which is a result of reversing or helps encourage… Sorry, I’m on my first cup of coffee. So reversing a longstanding cross-border data flows policy helps encourage data localization laws. So what are these data localization laws? They place personal data firmly within reach of governments, creating unique risks for people’s privacy, free expression, access to information, and other fundamental freedoms. These implications are especially problematic in authoritarian contexts where there exists weak rule of law. So to zoom in and provide one example, if we’re looking at Rwanda, in Rwanda, the government mandated that companies store data… locally, which left personal data easily accessible in an environment in which authorities have embedded agents in telecommunications companies and use data from private messages to prosecute defenders. And now to zoom out, Rwanda’s approach is quite similar to China’s authoritarian approach to data governance. And I will underscore Rwanda is not an outlier. Governments around the world are seeking to repress dissent by surveilling their people’s digital communications. In fact, over 78% of the world’s internet users live in countries where simply expressing political, social, and religious viewpoints leads to legal repercussions. And I can say we expect this problem to only be exacerbated with the forthcoming UN Cybercrime Treaty. Happy to discuss that more later. So now just a few notes on how this policy reversal of cross-border data flows impacts internet fragmentation or leads to it rather. So first just some background. We know that at multilateral forums, the Chinese government has been working alongside like-minded governments to divide the global internet into state-run enclaves that can be more easily monitored, censored, and controlled. Unsurprisingly, Chinese officials view the World Trade Organization as yet another forum to assert their approach. In negotiations over electronic commerce rules, the Chinese delegation has, for example, advocated for the need to consider internet sovereignty as a legitimate public policy objective. From Freedom House’s perspective, we’re based in Washington, DC, where I’m coming to you from earlier this morning. It is deeply concerning that the United States, once a leader of the interoperable free and global internet, is arguably inching towards China’s internet sovereignty. And this is happening at a time when the world needs the United States to stand up for a free, open and global internet now more than ever before. Indeed, Freedom House’s Freedom on the Net report that I mentioned earlier, found in its most recent edition that came out just a few months ago, the report found that internet freedom declined for the 14th year in a row. So we’re really facing dire circumstances. On a fragmented internet, people have limited access to information from foreign sources, which is especially critical in closed spaces. And just to provide a concrete example, Wikipedia, the free encyclopedia that we all know and love, and is run by the nonprofit Wikimedia, they cannot afford to comply with data localization laws, because they require setting up expensive data collection and storage facilities. So if Wikipedia can’t operate, people, their right to information is essentially undermined because they cannot access this resource. Also, on a fragmented internet, people may struggle to connect with loved ones abroad, and may face barriers to organizing online with communities around the world. For example, in Uzbekistan, due to Skype and Twitter’s non-compliance with the data localization law, authoritaries temporarily blocked these and other popular platforms, and this severely limited people’s ability to communicate and access information. And I will stop there. Thank you.

Nermine EL Saadany: Thank you so much, Jen, and thank you so much for accepting our invitation while it’s very early at your end. We much appreciate it. I would refer now to my panelists on my right, Subhanaz Rashid Daya, CIGI Senior Fellow and the founder of the Tech Global Institute. We have been listening, Daya, a lot about data localization and how this can impact free trade and cross-border data and so on, and I would like to listen to your views on that regard, please. Thank you.

Sabhanaz Rashid Diya: Thank you, Ramin, and it’s very good to be here with a number of experts, both on-site and online. So I am Subhanaz Rashid Daya, and I’m a Senior Fellow at the Center for International Governance Innovation, which is a think tank out of Canada, as well as I am part of the Tech Global Institute, and we primarily work with global majority countries around technology policy issues. And I think I just wanted to build on what my last speaker said around data localization laws kind of cropping up across the world, particularly in authoritarian regimes and the challenges around it. But I think if you can kind of take a step back and really start kind of questioning or interrogating how this really came about beyond some of the trade agreements, in the sense that I think there’s been a perpetual conflation of concepts such as sovereignty and cross-border data flows and kind of treating it as a binary framework in terms of, you know, if there’s data flows happening, then a country’s sovereignty is being questioned. Similarly, there’s also a conflation of ideas between cybersecurity and cross-border data flows. sense that, you know, if a country wants to have a more cyber resilient ecosystem, then they’re better off having local localized data centers or local data storage mandates in order to be able to protect their people in a more meaningful way. And I think these sort of frameworks and we oftentimes, you know, don’t want to kind of indulge too much in analogies, but these sort of binary frameworks have really fueled a lot of frustrations and misconceptions and interpretations among governments around the world, where they are more and more inclined towards data localization mandates. And we’re seeing increasingly these sort of laws being cropping up around the world, but particularly in global majority countries, which already have resource constraints and many of these countries where there’s very serious concerns around speech, privacy and people’s civil rights. If I could just build on that a bit more further, I think, you know, and I think Farzana is gonna talk a little more about the role of civil society in terms of how we’ve been divided since 2017, building on what Mehrot said in terms of what kind of that looks like. But, you know, civil society in the global majority really understand that the intent behind it is kind of what Jen has alluded to in terms of that law enforcement wants increasingly access to personal data to be able to control population and to be able to, you know, infringe upon their speech rights. And with the expansion of transnational private sector, that need has become even more, even greater. And they feel that there’s a very strong, and they feel the only way to kind of access the data is by having these mandated local data storage provisions. I think the other way we have seen it also come up is, you know, oftentimes there’s also frustrations among law enforcement domestically in terms of how they, in terms of, you know, just genuine crimes and the very complex process they have to go through with, you know, with MLATs and other kinds of data sharing agreements with other countries. And that complex process has really also made it difficult for them to access user data. So there’s a number of other sort of, I would say, equities at play, both political and national security equities at play that have led to this proliferation of data localization laws across the world. Some of this is, some of these are genuine challenges and some of these are more political challenges or there’s a need to control. But I think it is important to be able to place the expansion of data localization mandates within this political context in order to better understand why it’s happening in the first place. In other areas, we’ve seen it really kind of come up is within bilateral and multilateral funding instruments. And we’ve seen areas where, for example, there is a need to push towards more increased cybersecurity measures. And many countries interpret that as local data storage measures because the way they can ensure cybersecurity in their minds is by having local data storage measures. And so we have seen this come up in many of the debt conditionalities from the World Bank and the IMF groups. We have seen it come up in some of the bilateral aid functions as well in terms of where we see a lot of push toward a lot of conflation between cybersecurity and localization mandates, particularly in the global majority. I can also, I think if you have a second round to where we’re gonna talk about where we see opportunities with the multilateral instruments as well. But I just wanna give a bit more background in terms of where we are seeing it coming up, why it’s coming up on the various equities that has led to this happening. And of course, with the US kind of backing down on their position on cross-border data flows, it has, I would say, exacerbated these tensions even more because now in the absence of an internationally legally binding agreement around cross-border data flows and the various existing and new challenges around technology, data transfer, cybersecurity and online safety, we’re left in a limbo where civil society and communities with a global majority are stuck with these multilateral localization laws that have made it extremely difficult for them to express themselves, protect their privacies and exercise their civic rights. Thank you.

Nermine EL Saadany: Thank you so much, Daya. And I’m sure that we will have some questions from the floor to continue our discussion as well. But let me refer to last but not least, our online panelist Farzana Badia, PhD founder, Digital Medusa. And Farzana, you will speak with, I will reflect on the digital sovereignty and we will continue with the three threats on technical community and the ability of countries to develop data governance policies. Farzana.

Farzaneh Badiei: Thank you, Nani. And thank you for for the invitation. Just for those who don’t know, I’m. I have been working on internet related issues and governance and infrastructure for over for over a decade, and I started Digital Medusa to protect and defend the internet. It’s very similar to Internet Society’s mission. But I think we need multiple organizations to actually do that in such a junction. So one of the. So this kind of like advocacy against free trade and digital free trade. We saw that happening in like around. So it started happening around 2014 when there was this TPP trade trade negotiations were going on. And there were several civil society organizations and individual scholars that believe that free trade, a digital free trade. It actually hampers that digital sovereignty and privacy of people because nation states cannot cannot come up with their own data protection laws and also labor. There were a few labor unions that that believe that because of this digital free trade agreement, the labor rights were not being protected, especially in the global south. And like the conversation was ongoing and since. Well, digital trade. like free trade and digital trade has been like a sub topic of conversation for 20 years, as Mahrooz also mentioned, more than 20 years, 25 years. So, but one of the, but as Trump got elected in 2017, he wanted to renegotiate NAFTA and kind of created this chaos that everybody got worried that we might actually lose this protection for cross-border data flow. And one of the things that was very interesting was that so we gathered together, civil society gathered together to, like we issued statements on how cross-border data flow is very important for protecting human rights, but also defending and protecting the global cross-border data flow. And so for a few years, we, it was okay, but then there was this urge of digital sovereignty brewing among many nation states. And they believe that they can assert their sovereignty by localizing data and usually going after or going against the principles that made the internet happen, which is like global cross-border data flow with no discrimination. And so, and to our surprise, in 2022, we saw another surge of advocates that, that advocated, that told USTR in its consultations that free trade agreements, especially when it comes to digital issues and like big tech, it’s always like there’s also this search towards like attacking big tech for good reasons. But here, I will explain why we went the wrong path. But there were, so they advocated for not having digital free trade clauses in different trade agreements because of the labor rights, because they believe that data protection cannot happen if there are these free agreements. And also there was also a copyright issue that they thought that these advocates thought that the free trade agreement can actually take away, like they wanted stronger intellectual property, which is very much like has been hampering cross-border data flow and fair use for a long time. So anyway, we saw this and they successfully in a way managed to convince USTR to backpedal the clause that is very important for cross-border data flow. And the reasons that I think that the reason for being successful was first of all, this urge that they wanted to fight with big tech and that they did not understand the implications of this work on internet infrastructure. structure and global connectivity, that you are not only hampering big tech’s operation, you’re also hampering the operation of the network operator, that small network operator, that needs to rely on foreign services to provide connectivity. Also, there was this misconception that data protection laws cannot happen if you have a free trade clause, which is, I don’t know why this misconception keeps happening. I don’t want to deny it, but I haven’t seen enough evidence about it. And also, of course, the talk about digital sovereignty and all the nation states want to, one way or another, to assert their digital sovereignty. And most of the time, that is not to protect their citizen, but it’s to protect their power and control. And now we are in this mess. So I think that, so I’m going to discuss, yes, sorry, by USTR, I mean US trade representative. And so in the next segment, I’m going to discuss a little bit how, on a granular level, not having free trade agreements that facilitate cross-border data flow can actually have an impact on network operators, which we have kind of overlooked because the focus has been always on how to get big tech to be more accountable. And we have not looked at what sort of effect our advocacy will have on these network operators. Thank you.

Nermine EL Saadany: Thank you so much, Farzana. And here comes the time where we open the floor for discussion. I have with me as well my colleague, John Morris, online to help with the chat. questions that we received and as well Israel Moses here in on the ground to help with the session with the panelists or I mean the questions from the floor. So, John, do we have any questions over the chat, please?

John Morris: We don’t yet, but please, for the folks online, please post your questions and we’ll come to you.

Nermine EL Saadany: And I encourage as well. Yes, please.

Audience: Hello, I hope you can hear me. My name is Mark Taylor. I’m a senior project manager at the Council of Europe. I work for the Secretariat of Convention 108 and Convention 108 plus, which is the Council of Europe’s data protection convention. It’s based on human rights, democracy, rule of law. And it’s the oldest convention in this field and now is updated some time ago. One of the important aspects of it is that it does have the principle of free cross-border data flows as part of it. And I see here now twice, I think I’ve heard it, states struggling to come up with their own laws. We’re here to help with these kinds of things. And now, if people agree with the Council of Europe’s approach, of course, I mean, if they don’t, then that’s their deal. But there are two conventions I can think of that are relevant here. The Budapest Convention, which is a convention against cybercrime, global convention, anyone can join it, and Convention 108. Perhaps the panelists have some thoughts on this, because it is also part of a kind of a regional fragmentation. I had a lightning talk on Sunday about standardizing definitions in data transfers. I think it’s one of the ways of getting there, because increased data flow actually, logically, at least in my mind, reduce the need for data localization. If there are agreements for law enforcement, et cetera, to access data across borders, then there’s no need for them to shut themselves off from the rest of the world. That’s all. Thank you.

Nermine EL Saadany: Thank you so much for your question. Daya, maybe you can reflect, if you’d like.

Sabhanaz Rashid Diya: I’ll have to reflect very briefly on that, unless my speakers online would also like to chime in. I think I completely agree in terms of the Convention 08 and the Budapest Convention, providing very useful frameworks for that. But I think, to your point about why are not more nation-states approaching for help, I think there is a fundamental, a couple of underlying, I would say, values misalignment. But more important than that, I think there’s also political misalignment, in terms of, especially within the global south. I think Farzana very eloquently explained the history of the genesis of it, and particularly within global south communities, global south governments, and this urge to fight big tech. But I think there’s also an urge to fight Westphalia, and there’s an urge to fight global north hegemony. And I think in many ways, even if the Budapest Convention is there, it is universal, anybody can join it. I think those kinds of political tensions, geopolitical strifes, have led to countries less willing to approach those for help, and rather go for their own data localization provisions, even if they’re imperfect. And yes, countries do struggle to come up with a data protection regime that makes sense. And I think you really got to the crux of it, in terms of really having standardization of definitions, standardization of transfer clauses, what enables a transfer versus what does not enable a transfer, what are the conditions for access to data, and how do we really build a comprehensive human rights framework, and due diligence across the transfer pipeline, and across the data sharing pipeline. But I think there continues to be those kinds of sort of values, misalignment, political misalignment, that leads to it. And I think that’s also the reason why we see the UN Cybercrime Convention Treaty also come up, because of the fundamental values misalignment in that space. But yeah, happy to kind of take this offline, but those are some of my initial comments.

Nermine EL Saadany: Thank you so much, Daya, thank you. Anyone else from our panelists would like to reflect on that before we refer to the second speaker, our second question? I think you need to open the mic. Hello?

Mahrooz Khan: Yes. Great. Thank you so much for actually mentioning those conventions. I’m well aware of the Budapest Convention, not the other. So you see, there needs to be this technical exchange of information that needs to happen there. Specifically, and there are actually regional approaches, but when it goes to international legislation, so the health and security development congress said, for example, today I think that there’s a possibility that imperatives will have to be changed because they’ve been so ambiguous. So I would like to hear from each side, so indirus and infection screening of the epidemic will be determined. There needs to be a technical exchange kind of approach that will go ahead now and be considered in the next level. So we need that kind of. So for any decision to be made, we need the evidence. And I think the most important, what I want to say is that for policymakers, they need to make informed decisions. And I think we jump directly, the negotiators jump directly towards legalizing their understanding. And I think we miss the steps of learning what would be the impact. And I think many developed countries do it, but not developing countries, so then they are uncertain. Okay, what would be the impact if I enter into international legally binding contract? Why it’s happening at WTO? That goes against, again, why the reason the WTO was able to be created, the original idea from 1947 did not crystallize until 1996, but because of injection of intellectual property policy area into this space. And why that space? Because that provides a legally enforceable mechanism. It provides that platform. That’s why it has been negotiated. And just to reference what US position was original for cross-border data flows, the data flows, no party shall prohibit or restrict cross-border transfer of information, including personal information by electronic means, if this is for trade. So I think we need to move towards informed policy decisions, and we need to learn on these fronts.

Nermine EL Saadany: Thank you so much. I think we have a question here.

Audience: Yes, please. My name is Dana Kramer, representing my NRI, both youth and national for Canada. I was wondering about, like, there are a lot of tariff threats right now that are occurring out of the United States, and we don’t know whether or not these threats will materialize. And I’m from Canada, so we’re quite sensitive to it at the moment. And I was curious about, does the panel think that we might see increased threats for tariffs on digital services, for instance, as a mechanism to fight back against some of these US-imposed tariffs, because they do have so many technology companies that have global reach? Or would that be a misalignment of understanding some of your arguments today? Thank you.

Natalie Campbell: Thank you so much. Nathalie, do you have a reflection on that? Go ahead. Sure. Thanks. Hi, Dana. I’m also from Canada, and I’ve also been paying attention to those suggestions recently about tariffs. I do think that the suggestion of imposing tariffs is one thing when we’re talking about bringing commodities from one country to another. The fact that that has translated to the idea of electronic transmissions is really problematic because the internet has no borders. So that’s where my concerns would be. And we have seen these conversations happening, as Meraz mentioned, at the World Trade Organization. The fact that some countries would like to see tariffs on electronic transmissions, that would be a source of revenue for some of these countries. I think that’s how they’re looking at it. And so I do think it is important, as we raise awareness about these threats, that that is something that is highlighted. Cross-border data flows, that’s not a commodity. The internet’s not a commodity. We can’t regulate the internet like a commodity. Open data flows and electronic transmissions, these are needed for the internet to exist in the first place. And the minute that you put any kind of barrier to access, whether it’s a tariff or a regulation restricting what we can share online and what moves across borders, that becomes a problem for the internet. That becomes a problem for all of us here relying on the internet to be able to connect with one another. And essentially what it’s doing, it’s placing national borders online and making the internet not seamless, making it complex. So I do think that’s a really good question and underlines the importance of hopefully some of the solutions that we can brainstorm in the next portion. of this event on how can we get that message across, how can we help governments and folks involved in trade initiatives, how can we help them understand that we can’t be considering these things if we want the internet, which digital trade needs to be successful in the first place, we want that to continue to exist.

Nermine EL Saadany: Thank you so much, Nathalie. And I think if we don’t have further questions from the floor, either online or on site, maybe we can start our second part, because this will be another interesting segment of our discussion today, as we will be tackling the very important questions, how can we help? How can we collaborate with our different hats to stop trade policy changes that can hinder the internet? In this part, I would actually pose a question, and I will refer to my panelists to reflect on that questions with their own hats and their own expertise. So our first question in that sense will be, how can we steer countries towards data governance approaches that address privacy security concerns while protecting the open globally connected, secure, and trustworthy internet? And if I can put you, Jennifer, to be our first reflector on that, Jen?

Jennifer Brody: Yes, happy to jump in. Thank you for the question. So yes, we know that, as has been discussed, to protect cybersecurity, right, to enhance data sovereignty, as folks like to call it, data localization laws are often implemented. You know, often, not always, sometimes arguably, right, with good intentions, but if we don’t have strong laws in place, like comprehensive data protection laws that are human rights centric. More often than not, they result in, you know, extremely harmful surveillance that undermines many, many human rights. And I’ll just, just on this topic, I wanted to share, there’s an academic scholar, Anupam Chander. He wrote an excellent piece called Data Nationalism that essentially debunks the arguments that, you know, data localization helps enhance cybersecurity and protect citizens. I just dropped that article there if anyone is interested. So anyway, I would love to, you know, hear, hear from folks in the room. How do we encourage companies or countries around the world, rather than, you know, localizing data, pursuing alternative mechanisms, you know, to allegedly protect their people? Right at Freedom House, we’re very strong advocates of comprehensive data protection laws. So I would love to kind of open it up to the floor to see, to see what folks think. And then before I do that, I’ll also share one other Freedom House resource. I wanted to develop something shorter and pithier for this. We didn’t have the bandwidth at the organization, but just another great resource for this group. My colleague some years ago, before I started at Freedom House, actually wrote a fantastic report called User Privacy or Cyber Sovereignty. So, essentially unpacking many data localization laws around the world and talk and walking through their impacts on human rights from the freedom of expression, right to assembly, association, assembly, which could also serve as a good resource and local advocacy. So I will stop there.

Nermine EL Saadany: Thanks a million, Jen. And I’m not sure if you’d like to maybe interact. So if you have any reflections on what Jen has already mentioned, we can pause and take some questions. And if not, maybe we can continue to our next reflection on my question and then we can. go back to you and hear your views as well. So maybe Farzana, you can reflect on the question if I may ask you. Yes, go ahead.

Farzaneh Badiei: Oh, sorry. So is this like about my prompt? Yes, it is. Yeah, all right, great. So I just, I don’t want to blabber on, so I just want to say like the wording that the framework. So one of the things that I see is being the problem and this is why we’re not agreeing on a lot of things among ourselves and in policymaking is that we have not really nailed down all the impact, adverse impact of blocking cross-border data flow. I mean, we have worked on it, but we have to show how that network operator that lives in a small island and uses the infrastructure, the data infrastructure that is not on that island, how data operation can be affected and how it hampers the meaningful connectivity for their users. And when I was talking to different network operators, especially people from those operators from those islands told me that this could raise an important risk for their operations. So I think that also there’s another example of, this is a trade barrier, but when we say that, when we kind of like do not liberate cross-border data flow, Then we’re talking about restrictions on data flow for DNS, like Domain Name System Resolvers, which is one of the critical parts of the Internet. Today, all of us have used DNS resolvers to connect. These trade barriers, they could also create some ambiguity of whether, can I provide my DNS resolver services to other nations and other people, and then people in countries that need access to DNS resolvers that operate stable and functional, then they might not be able to use it. I think that these case studies should be brought up more, and we need to really assess the impact. Internet Society has a really great Internet impact assessment tool that we can use and measure the impact of these trade agreements that do not facilitate cross-border data flow anymore, on access to the Internet and global cross-border data flow. This is my suggestion because I don’t really care whether we protect the Internet by trade agreements or anything else. What we care about is to keep the Internet global and interconnected, and facilitate data flow. Trade agreements, until now, have been the critical mechanism that facilitated this. So it is not that we are protecting, we are being like free trade advocates. And so it’s just that it’s one of the main tools that have allowed us to bring the internet to everyone. So if they have other solutions, if there are other solutions, then I’m all ears. But also we need to address concerns that we kept talking about, like data protection. I think Council of Europe suggestion is very relevant. We need to standardize our practices, our security practices, our privacy practices globally so that communities don’t feel left behind and just go against cross-border data flow to solve their issues. So I just wanted to put that out there. I think that these are like some of the suggestions that I’ve been thinking about. I think we need more interaction with network operators, especially from the global South with people who provide critical infrastructure and see how we can also address the concerns that are raised by the labor unions and others that how we can actually solve those problems without affecting cross-border data flow.

Nermine EL Saadany: Thank you so much, Deir. That’s much appreciated. And Natalia, I think it might be within the context that you shed some light on the toolkit and maybe you can give us some examples as well about how this works.

Natalie Campbell: Sure, thank you, Nermeen. So I mentioned it before, but one of the ways that the Internet Society works with governments to help them understand how to support the Internet and mitigate harm of unintended consequences when they’re going about regulation is we help them use our Internet Impact Assessment Toolkit, which Farzana just mentioned. And what this does is it helps governments understand what the – and anyone who uses the toolkit – understand what the Internet needs to exist in the first place. It lays out a framework of not only what do we need to think about when we want to make sure that we’re protecting the Internet’s foundation, things like data flows that are critical to it existing in the first place, but also what should we think through when we’re developing policy to ensure that we’re working towards an Internet that is open, globally connected, secure, and trustworthy. So we make ourselves available to work with governments who want advice on whether they’re headed in a direction that supports the Internet and to think through the different aspects of the framework, which has helped us mitigate a lot of negative impact to the Internet proactively in many countries around the world. But the value of this toolkit is that when we mentioned before about governments thinking about things like mandated localization or data flow restrictions, they’re often – they have a mindset for privacy and security. What our toolkit does, it helps countries understand how that’s a myth. And I can give a really concrete example. I recently had the opportunity to travel to Oman for this very reason, doing a workshop about our toolkit with some government departments there. I was a little bit surprised when I arrived, you know, in trying to get to the hotel and curious about why a – like Uber wasn’t in a country. And I came to understand that the transportation department has data localization laws, meaning that personal information has to be stored within a country of Oman. But at the same time, there’s another rule in a country that any service or person in a country needs a license to use things like encryption, which we know is a foundation of security online into protecting our data and keeping it private and secure. So I thought to myself, well, this is a really interesting example of how countries who might be thinking about things like mandated data localization as privacy and security enhancing is actually a myth because if I’m a company such as Uber, am I really going to want to expand my services in a country where I can’t use encryption to secure any kind of personal data at all that has to be stored within a country? And the risks of not only exposing personal data to whoever might want access, not just the government, but with encryption, anyone who wants access could get access. That was a very clear, I guess, a way to help folks locally understand how often when we’re talking about these issues in the name of privacy and security, it’s actually counterintuitive and not helping us get closer to that direction at all. So that’s the value of tools like our toolkit, and one way that I think that is useful to think about when we’re talking about how do we steer countries in a direction that supports the internet. If trade initiatives were to also think about how to make use of these tools, I think it could also be a valuable way to. help folks understand how do we go about initiatives and even just the value of the internet to digital trade in the first place. Thank you. Thank you so much

Nermine EL Saadany: dear. Mahrooz, can you reflect and can we take the last comment from your side on that question so that can we move to the other one. Definitely. Thank you so much

Mahrooz Khan: again and I totally agree with the references made by the earlier speaker Ms. Farzana and Ms. Natalie. So we need to know where we stand before we make our decision. I would state that again. First on the regulatory side and secondly we need to talk, the governments need to talk to the businesses how it is going to impact them. The fact that we are importing any goods, importing any services, there is a reason for that because it is better service, it is better good, it has a price competitive advantage. So once we put tariffs or new regulatory barriers to external goods and services, it also impacts our own consumers and looking at the impact of the previous US tariffs threat had on their own development of industry. We have create great example there. What happened with the steel industry? Has it developed? Is it good for the local consumers? Not. And one of the earlier questions made by is are the new tariff threats real? They are very real. They are not just used in the debate of the digital economy, they are used for other purposes as well. For example, tariffs threat posed by the United States when the European Union announced its digital services taxation in the earlier Trump term, and so moving back from tariff threats to actually what can be done. So the governments need to actually do their regulatory assessment, they need to talk to the business in an organized way, and here the role of international organization. Societies need to help the governments, specifically because of the reasons, because I find bureaucrats do not have that much benefit in doing more work than what they are actually mandated to do. The next step would be, so a country needs to look internally, talk to their private sector in an organized way, where it can be actually monitored. For a given sector, this policy position will have this impact. For another sector, this will be the impact. And then move towards actually cooperation amongst other countries, because a country on its own is not sufficient. As Ms. Netanyahu actually gave the example of Oman, I had a similar experience there two weeks ago. And another example was shared about Rwanda, the data localization in Rwanda. And there we have another project on how we can actually increase investments in the digital space of Rwanda. And there, from the evidence we found, well, they have to loosen out their data localization requirement. And what we know right now is actually the government, after having seen the evidence, they need to attract investors. They need to attract big tech for the betterment of their economy. So now they’re rethinking, okay, how can we actually adjust those rules? So with better informed policymaking decision and with the help of international organizations and the society, we can actually move towards that transition.

Nermine EL Saadany: Thank you so much, Mahmoud. If we have any reflections as well from the floor, that would be the time that we can maybe open the floor for some discussions and reflections. Online, Maurice, do we have any? No questions have come up online. Okay, so maybe we can move to our second prompt or the second question. And I can pose the question here as, how can the participants actually work on these issues in their own countries or organizations? So, Leah, maybe you can start.

Sabhanaz Rashid Diya: Definitely. Thank you. I think many of the strategies were alluded to by my previous speakers, but I think one of the things that, and I think it’s also quite central to the IGF, but generally even in. in this particular conversation is the role of having diverse voices in this conversation, right? So Farzana talked about small network operators within the global majority. If I look around the room or even outside, there aren’t as many network operators even present here, but we’re having these conversations here. And even in the WTO and many of the negotiations, we don’t see that voice or that perspective. Similarly, small business owners, small business enterprises, who again rely on open cross-border data flows to be able to conduct the business, they’re also not represented. So I think there is a very serious role in which we have to think about the decision-making around whether we want to support cross-border data flow or not, what is the localization mandate, the stakeholders, whether it’s consumers, whether it’s network operators, whether it is small business owners, whether it’s civil society, whether it’s a technical community. I think these stakeholders are often missing from these conversations and it becomes very much limited or very narrowly focused. I think the other thing that I think Amaros alluded to was this debate between the digital community and the trade community, but I would actually expand the debates even within the digital community and even within the trade communities around these various issues, but also again, the broader connectivity community has also been kind of excluded from any of this. I think, again, given the interconnectedness that we live in, there’s a real, I would say there’s a real need in terms of, one, involving not just more diverse stakeholders within national boundaries, but also internationally having other stakeholders in place and kind of engaging them because so much of the technologies are interconnected, so much of the trades are about sort of the cross-border piece. And I think there’s new challenges and new dichotomies at play that mandate a much broader conversation. So that’s one. I think the second is in terms of where we see how sort of participants here can contribute. I think Farzana kind of, and I also have with Mehros sort of got into it in the sense that we really have to be very clear about exactly what we’re asking for and what the clear messagings are. And whether if, and you know, because there’s so many different kinds of equities at play and because there are so many different kinds of messaging around it, I think that makes the conversation even more challenging to navigate. So really asking, you know, what specific aspects of trade, what specific aspects of interconnect, what specific aspects of cross-border data flows, how do we want it, what the impacts are. And I think there’s some really important work that has been done by researchers in the past that really talks about some of the impact, but really crystallizing what the asks are and what the impact is, is really, really important to move this conversation forward because otherwise it becomes either too heavily focused on trade or too heavily focused on internet sovereignty, or digital sovereignty. And I think that does a disservice to, I think both sides of the aisle. And the last piece I was gonna say is just reference from some research. I think Nigel Corey, I remember when we were looking into the data localization mandates in Vietnam and Pakistan and some of it in Bangladesh, which is my country, you know, a lot of the work that was done at the time we were looking, we were trying to find research that would help us understand what really is the impact of data localization and what really is the impact of that on businesses and on network operators. And, you know, lo and behold, there really wasn’t any research available at the time for global majority countries. Nobody could crystallize the exact GDP impact, the exact trade impact, the exact sort of purchasing power impact that these kinds of agreements and these kinds of moves would have. And we had to end up commissioning that kind of research to come up. So in the absence of data and research that actually can inform policy decisions, we, again, we go back into. these binary dichotomies, binary debates, these values misalignment without any concrete data to actually back any of the policy decisions. So I think there’s a real necessity for evidence in this space. It is a longstanding debate, but the way the debate has evolved recently is very much on, I would say, perceptions and misconceptions versus actual hard data pointing in very specific directions. And I think there’s a very important contribution from participants here, but also across the various communities that I’ve mentioned in terms of driving that data collection and evidence gathering to inform decisions. Thank you so much.

Nermine EL Saadany: Thank you. Maybe I can refer to you again, Mahmoud, for quick reflections and as well maybe final comments, and then we will move to the other panelists as well as we are wrapping our session.

Mahrooz Khan: Hello. Yes. Great. Thank you so much again, and I would actually quickly sum up because I have actually talked a lot in this conversation today. So again, I was actually, this is what is the next way forward, actually collecting the right evidence. And just to share, you shared another example, and okay, what is digital trade? The data on this does not exist. WTO, World Bank, IMF, they have collated together, and right now they are assessing the methodologies. So a lot of work needs to be done there in that dimension to actually really see what is the impact of this. And secondly, what is the main agenda? What should be the main agenda of like all these different spheres? I would say sustainable development, and there we cannot just have free trade agenda. We cannot just have, just for the sake of open internet. Open internet is good for the society. It is good for the consumers. It is good for the producers. It provides economic opportunities, but on the other hand, we also have to be careful about environment. We have to be actually thinking holistically. And I would say a lot of work needs to be done at the evidence level, and here the role of technical agencies is to actually prepare those kind of tools, those kind of actually methods that could actually help the governments. For example, as you mentioned, Internet Society’s toolkit that I think could be a really good tool. And then the main agenda with the final destination for sustainable economic development. I don’t think I have anything else to add here. Thank you. Thank you so much.

Nermine EL Saadany: May I go back to our online panelists and maybe Farzana, you would like to reflect on as well, maybe final comments from your side, please?

Farzaneh Badiei: Yeah. So actually, Professor Muller just told me that he’s in the room. And in 2017 at Internet Governance Project at Georgia Tech, we started working on digital free trade issues. And we also came up with a special issue on digital trade. And we wanted to raise awareness about the importance of the issue. But at the time, nobody, like we couldn’t believe that the U.S. government would back Penzl from the cross-border data. But we did raise concerns because as I mentioned, there were like renegotiations of free trade agreements. And so all I’m saying is that we need to see what has been done in the past, what sort of academic work has been done in the past, what sort of advocacy has been done in the past and gather those documents and work that has been done, especially in academia and civil society organizations. And so not to start anew, but also see what sort of new issues have raised so that we can tackle them. But as I said, we are here to raise awareness and we are here to defend and protect the free global internet. And if like, well, one of the main ways to do that was to have the free trade, free digital trade clause, in these free trade agreements. And we have to, in our advocacy, while we have to address the concerns of data protection and security, we should also think about alternatives to free trade agreements and see what else can facilitate cross-border data flow. Because unfortunately, the enemies of the internet are multiplying year by year from the states to businesses that they want digital sovereignty, they want to fight with the big tech at the cost of free and open internet. And I think that a lot of it is because they don’t understand the implications of having a restricted internet that is not connected globally. And we can learn lessons from countries that actually block their citizens from the global internet and raise awareness. Thank you.

Nermine EL Saadany: Thank you so much, Farzana. Jen, final remarks from your side as well, please.

Jennifer Brody: Yeah, thank you. Just quickly, I just want to pick up on something that Diya mentioned regarding the importance of the international development banks in these conversations, right? The World Bank, the regional development banks, like the Inter-American Development Bank. We’re thinking about advocacy. We were chatting about how these actors are incredibly important to include in these conversations. And when evaluating, for example, helping a country build a national database, from what I understand, they’re lacking data protection experts, folks who… how to center human rights and in cybersecurity policies, etc. So just to flag for kind of the global community working on these issues, that’s a target that I’m quite interested in engaging, and I think there’s a lot of potential there. Thanks, Jen. Natalie?

Natalie Campbell: Thank you. I want to highlight a point that Dia made earlier that I think is extremely important. We’re talking about digital trade initiatives, but this isn’t a digital trade problem per se. We’re talking about an existential threat to the internet. And I think that reminding people, and when we are raising awareness about this issue, that we have to lead with that. And it might be difficult or even impossible for some of our audiences and different stakeholders to engage in trade initiatives. But what we can do is raise awareness with our own national decision makers who are part of these conversations. Luckily, organizations like the Internet Society has over 110 chapters around the world who are helping to expand our reach in raising awareness about this existential threat to the internet. They are a voice for the internet, both of policymakers, but also in terms of helping to gather other local partners and stakeholders who can make our collective voice louder. Our chapters are already using things like our Internet Impact Assessment Toolkit to help decision makers avoid harm to the internet on national policy, including on data governance legislation. But what we need to do, I think, is to be talking to more folks who are involved in these trade initiatives and helping them to understand as well that we’re not just worried about an aspect of digital trade here, we’re worried about an existential threat to the internet. folks understand how the Internet works and why data flows aren’t just a nice to have, they are crucial if we want an Internet. I think that’s going to be increasingly important going forward and something that we can all do and you know work throughout our own various audiences and organizations to help make sure that we’re all working together to protect the Internet. Thank you so much

Nermine EL Saadany: Nathalie. I would ask the floor if there is any reflections before we close. Would you like to say anything Dr. Muller?

Milton Muller: Hello everybody, I’m Milton Muller. I’m at the Georgia Institute of Technology’s Internet Governance Project and former colleague of Farzana in both ICANN and IGP. I think the point that I haven’t heard that probably needs to be brought to your attention is the the intersection of these trade issues with national security. For about 80% of the time national security is an excuse for restricting trade but in the context of geopolitical rivalry between the US and China it has become a very powerful excuse. I don’t know when you have a president that imposes tariffs on Japanese and the Canadians and refuses to allow a buyout of US steel by the Japanese on the grounds of national security. You have to wonder if he’s thinking about the Japanese and Canadians as enemies or what. But in the digital economy the situation is extremely dire. Every form of digital service, digital product application is now perceived as a national security threat. So it’s not just data flows, it’s the battery storage systems, the electric vehicles because they can see things and they might be sending data back to China. Of course we have the TikTok ban but we have cables and telecom service licenses being taken away from people who had them because they are Chinese companies. So the political environment around digital trade has been completely blown up by the national security issue and that means you’re dealing with slightly different dialogue and a different set

Nermine EL Saadany: of constituencies. Thank you so much Dr. Mueller and thank you for being here. I think our time is out and I would like to thank all the panelists and the audience for the valuable contribution. I think collaboration is the key. This is my take, collaboration among all stakeholders so that we can maintain the data flow freely and to maintain or to shape the future of the of the internet and the trade in the best possible way. Thank you so much and looking forward to meet you again online and off-site. Thank you. You

Agreement Points

Data localization laws threaten the open internet

Natalie Campbell

Jennifer Brody

Sabhanaz Rashid Diya

Farzaneh Badiei

Data localization laws threaten global connectivity

Data localization laws enable government surveillance and control

Data localization laws impede access to information and communication

Data localization hampers small network operators and meaningful connectivity

Multiple speakers agreed that data localization laws pose significant threats to the open, globally connected internet by enabling government control, impeding access to information, and hampering network operations.

Lack of protection for cross-border data flows in trade agreements

Natalie Campbell

Mahroz Khan

Trade policy changes are deprioritizing protections for open data flows

Lack of consensus on data flow protections in trade agreements is concerning

Speakers highlighted the concerning trend of trade agreements no longer prioritizing or including strong protections for cross-border data flows, which poses risks to the open internet.

Similar Viewpoints

These speakers emphasized the need for more comprehensive research, evidence gathering, and diverse stakeholder involvement to inform policy decisions on data flows and localization.

Sabhanaz Rashid Diya

Mahroz Khan

Jennifer Brody

Gather evidence on economic impacts of data localization

Engage international development banks on data protection issues

Involve diverse stakeholders like small businesses in policy discussions

Unexpected Consensus

Importance of standardizing global data protection practices

Farzaneh Badiei

Jennifer Brody

Standardize data protection and security practices globally

Engage international development banks on data protection issues

Despite coming from different perspectives, both speakers highlighted the need for global standardization of data protection practices, which is unexpected given the usual emphasis on national sovereignty in data governance discussions.

Overall Assessment

Summary

The speakers generally agreed on the threats posed by data localization laws to the open internet, the concerning lack of protections for cross-border data flows in trade agreements, and the need for more research and diverse stakeholder involvement in policy-making.

Consensus level

There was a high level of consensus among the speakers on the main issues, particularly on the threats to the open internet. This strong agreement suggests a unified concern in the internet governance community about current trends in data localization and trade policies, implying a potential for coordinated advocacy efforts to protect cross-border data flows.

Different Viewpoints

Role of trade agreements in protecting cross-border data flows

Natalie Campbell

Farzaneh Badiei

Trade policy changes are deprioritizing protections for open data flows

Trade agreements, until now, have been the critical mechanism that facilitated this

While Campbell expresses concern about trade policy changes deprioritizing protections for open data flows, Badiei emphasizes that trade agreements have historically been crucial in facilitating cross-border data flows.

Unexpected Differences

Approach to addressing data localization concerns

Farzaneh Badiei

Natalie Campbell

Standardize data protection and security practices globally

Use Internet Impact Assessment Toolkit to evaluate policies

While both speakers aim to address data localization concerns, their proposed approaches differ unexpectedly. Badiei suggests global standardization of practices, while Campbell advocates for using a specific toolkit to evaluate policies.

Overall Assessment

summary

The main areas of disagreement revolve around the role of trade agreements, the specific impacts of data localization, and the best approaches to address these issues.

difference_level

The level of disagreement among the speakers is moderate. While there is a general consensus on the importance of cross-border data flows and the risks of data localization, speakers differ in their emphasis on specific aspects and proposed solutions. These differences reflect the complexity of the issue and the need for a multifaceted approach to addressing cross-border data flow challenges.

Partial Agreements

All speakers agree that data localization laws are problematic, but they focus on different aspects: Brody emphasizes human rights concerns, Diya highlights the impact of US policy reversal, and Badiei focuses on the effects on small network operators.

Jennifer Brody

Sabhanaz Rashid Diya

Farzaneh Badiei

Data localization laws enable government surveillance and control

US reversal on cross-border data flow policy encourages data localization

Data localization hampers small network operators and meaningful connectivity

Similar Viewpoints

These speakers emphasized the need for more comprehensive research, evidence gathering, and diverse stakeholder involvement to inform policy decisions on data flows and localization.

Sabhanaz Rashid Diya

Mahroz Khan

Jennifer Brody

Gather evidence on economic impacts of data localization

Engage international development banks on data protection issues

Involve diverse stakeholders like small businesses in policy discussions

Key Takeaways

Data localization laws and restrictions on cross-border data flows pose a significant threat to the open, globally connected internet

Trade policy changes deprioritizing protections for open data flows are concerning for internet governance

Data localization often enables government surveillance and control rather than enhancing privacy and security

Restricting cross-border data flows can hinder economic growth, especially for small businesses and network operators

There is a need for more diverse stakeholder involvement and evidence-based policymaking on digital trade issues

Resolutions and Action Items

Use tools like the Internet Impact Assessment Toolkit to evaluate policies affecting cross-border data flows

Raise awareness with national decision makers about the importance of cross-border data flows for the internet

Gather more evidence on the economic impacts of data localization, especially in developing countries

Engage international development banks on incorporating data protection expertise in their projects

Unresolved Issues

How to balance national security concerns with maintaining open cross-border data flows

How to address privacy and security concerns without resorting to data localization

How to effectively involve diverse stakeholders like small businesses in trade policy discussions

How to create standardized global practices for data protection and security

Suggested Compromises

Focus on standardizing data protection and security practices globally rather than localizing data

Consider alternative mechanisms to data localization for addressing privacy and security concerns

Involve both digital and trade communities in policy discussions to bridge divides

We started paying attention when certain protections for open data flows and pushing back on mandated localization, when that became deprioritized and ultimately there was a lack of consensus on these protections that are crucial to the internet and its global connectivity, things that needs to exist in the first place.

speaker

Natalie Campbell

reason

This comment highlights a critical shift in trade policy that threatens the fundamental architecture of the internet. It frames the issue as an existential threat to global connectivity.

impact

This set the tone for the discussion by emphasizing the high stakes and urgency of the issue. It led to further exploration of the political and economic factors driving this policy shift.

Data localization laws place personal data firmly within reach of governments, creating unique risks for people’s privacy, free expression, access to information, and other fundamental freedoms. These implications are especially problematic in authoritarian contexts where there exists weak rule of law.

speaker

Jennifer Brody

reason

This comment connects trade policy to human rights concerns, broadening the scope of the discussion beyond economic considerations.

impact

It shifted the conversation to consider the societal impacts of data localization laws, particularly in authoritarian contexts. This led to further discussion of the tension between national sovereignty claims and human rights.

There’s been a perpetual conflation of concepts such as sovereignty and cross-border data flows and kind of treating it as a binary framework in terms of, you know, if there’s data flows happening, then a country’s sovereignty is being questioned. Similarly, there’s also a conflation of ideas between cybersecurity and cross-border data flows.

speaker

Sabhanaz Rashid Diya

reason

This comment insightfully unpacks some of the conceptual confusions driving restrictive data policies. It challenges simplistic narratives about data sovereignty and security.

impact

This comment deepened the analysis by highlighting the need for more nuanced understanding of these concepts. It led to discussion of how to address legitimate security concerns without resorting to harmful data localization policies.

The intersection of these trade issues with national security. For about 80% of the time national security is an excuse for restricting trade but in the context of geopolitical rivalry between the US and China it has become a very powerful excuse.

speaker

Milton Mueller

reason

This comment introduces the critical dimension of national security concerns driving trade restrictions, particularly in the context of US-China rivalry.

impact

Though coming late in the discussion, this comment shifted focus to the geopolitical drivers of trade policy, adding another layer of complexity to the analysis. It highlighted how national security concerns are reshaping the digital economy landscape.

Overall Assessment

These key comments shaped the discussion by progressively expanding its scope from technical internet architecture concerns to human rights implications, conceptual clarifications about data sovereignty, and finally to geopolitical dimensions. They moved the conversation beyond surface-level trade policy issues to explore deeper societal, political, and security implications of data flow restrictions. This multifaceted approach highlighted the complexity of the challenge and the need for nuanced, collaborative solutions that balance various stakeholder concerns.

How can we standardize data protection and security practices globally to address concerns without restricting cross-border data flows?

speaker

Farzaneh Badiei

explanation

This is important to help communities feel included and prevent them from opposing cross-border data flows as a solution to their issues.

What is the specific impact of data localization mandates on businesses and network operators in global majority countries?

speaker

Sabhanaz Rashid Diya

explanation

There is a lack of research on the exact GDP, trade, and purchasing power impacts of data localization in these countries, which is needed to inform policy decisions.

How can we involve more diverse stakeholders, such as small network operators and small business owners, in discussions about cross-border data flows and trade policies?

speaker

Sabhanaz Rashid Diya

explanation

These voices are often missing from policy discussions but are crucial for understanding the real-world impacts of data flow restrictions.

What alternatives to free trade agreements can facilitate cross-border data flows?

speaker

Farzaneh Badiei

explanation

With challenges to traditional free trade agreements, it’s important to explore other mechanisms to protect open data flows.

How can we engage international development banks like the World Bank in conversations about data protection and human rights-centered cybersecurity policies?

speaker

Jennifer Brody

explanation

These institutions play a significant role in shaping policies in developing countries but may lack expertise in data protection and human rights considerations.

How does the intersection of national security concerns with digital trade issues impact cross-border data flows and internet governance?

speaker

Milton Mueller

explanation

The increasing use of national security as a justification for trade restrictions in the digital economy is changing the political landscape around these issues.

Summary

This panel discussion focused on safeguarding critical infrastructure beyond borders, exploring how diplomatic and technical communities can collaborate to address cybersecurity threats. Experts from various regions shared insights on protecting transnational critical infrastructure like energy grids, subsea cables, and satellite systems.

Key points included the need for stronger cooperation between national technical and diplomatic communities to enable better international collaboration. Panelists emphasized the importance of capacity building, particularly in developing countries, to enhance cybersecurity capabilities. The discussion highlighted the interconnected nature of critical infrastructure across borders and sectors, necessitating a coordinated approach to protection.

Speakers noted the evolving threat landscape, with cyberattacks on critical infrastructure potentially having far-reaching consequences for international peace and security. The importance of regional cooperation and harmonization of approaches was stressed, particularly in Africa’s energy sector. Panelists also discussed the role of public-private partnerships in infrastructure protection, given the increasing privatization of critical assets.

The discussion touched on the need for clear national frameworks defining critical infrastructure and roles of different stakeholders. Awareness-raising about transnational critical infrastructure was identified as a crucial first step for many countries. The panel concluded by calling for increased multistakeholder dialogues and capacity development initiatives to enhance the protection of critical infrastructure across borders.

Keypoints

Major discussion points:

– The importance of protecting transnational critical infrastructure, especially in sectors like energy and telecommunications

– The need for greater collaboration between technical and diplomatic communities at national, regional and international levels

– The value of capacity building and information sharing to strengthen cybersecurity for critical infrastructure

– The role of regional frameworks and harmonization in protecting cross-border infrastructure

– Opportunities for multi-stakeholder cooperation to improve critical infrastructure resilience

Overall purpose:

The goal of this discussion was to explore how diplomatic and technical communities can work together more effectively to safeguard critical infrastructure across borders, using concrete examples from different regions to identify challenges and best practices.

Tone:

The tone was collaborative and solution-oriented throughout. Speakers shared experiences openly and built on each other’s points constructively. There was a sense of urgency about the need for greater cooperation, but also optimism about the opportunities to make progress through multi-stakeholder efforts.

Speakers

– Marie Humeau: Moderator, working at the Dutch mission in Geneva on digital and cyber issues

– Orhan Osmani: Head of the Cyber Security Division at the ITU Telecommunication Development Bureau

– Shariffah Rashidah Syed Othman: Director of Policy and International Cooperation at the National Cyber Security Agency of Malaysia

– Towela Nyirenda-Jere: Head of the Secretariat at the Africa-EU Energy Partnership

– Franziska Klopfer: Principal Project Manager for Cyber Security Governance at DCAF (Geneva Center for Security Sector Governance)

– Wenting He: Associate Researcher with the Security and Technology Program at UNIDIR

– Tereza Horejsova: Senior Outreach Manager at the Global Forum for Cyber Security Expertise

Additional speakers:

– Audience member: Unnamed person from Austria who asked a question

Safeguarding Transnational Critical Infrastructure: A Multifaceted Approach

This panel discussion, moderated by Marie Humeau from the Dutch mission in Geneva, explored the challenges of protecting transnational critical infrastructure and the potential for collaboration between diplomatic and technical communities to address cybersecurity threats. Experts from various regions and organisations shared insights on safeguarding critical assets that span national boundaries.

Key Threats and Vulnerabilities

The panellists highlighted the increasing vulnerability of critical infrastructure to cyberattacks, with potentially far-reaching consequences for international peace and security. Wenting He from UNIDIR emphasised the particular vulnerability of subsea cables and satellite systems, while Towela Nyirenda-Jere from the Africa-EU Energy Partnership stressed the growing importance of energy sector interconnections as targets. Shariffah Rashidah Syed Othman from Malaysia’s National Cyber Security Agency noted that attacks on critical infrastructure could have cascading effects across borders.

The discussion underscored the interconnected nature of critical infrastructure across borders and sectors, necessitating a coordinated approach to protection. Shariffah Rashidah provided a thought-provoking perspective, noting that critical infrastructure “does not exist in vacuum” but relates to the specific risks and defining characteristics of each country. She elaborated on Malaysia’s approach, which involves the National Cyber Coordination and Command Center in defining and protecting critical infrastructure.

International and Regional Cooperation

Wenting He discussed the UN Open-Ended Working Group (OEWG) and its emphasis on the risks of malicious ICT activities targeting critical infrastructure. Shariffah Rashidah highlighted the ASEAN Cyber Cooperation Strategy, including the establishment of the ASEAN Regional CERT, as an example of regional cooperation. Towela Nyirenda-Jere stressed the need to incorporate cybersecurity considerations in Africa’s continental power systems master plan.

The importance of regional cooperation and harmonisation of approaches was a recurring theme. Franziska Klopfer from DCAF, working specifically in the Western Balkans region, emphasised the value of informal networks between national Computer Emergency Response Teams (CERTs) in building trust.

Bridging Technical and Diplomatic Communities

A central theme was the urgent need for stronger cooperation between national technical and diplomatic communities. Orhan Osmani highlighted a “huge gap” between these communities at the national level, which he argued “blocks future collaboration on an international level”. Shariffah Rashidah proposed developing institutionalised training programmes in cyber diplomacy for diplomats before their international postings, including initiatives like the Women in Cyber Fellows program.

Capacity Development and Awareness Raising

Capacity development, particularly in developing countries, was identified as crucial for enhancing cybersecurity capabilities. Orhan Osmani suggested changing the term “capacity building” to “capacity development” and highlighted the ITU’s focus on the Global South. Tereza Horejsova from the Global Forum for Cyber Security Expertise emphasised the importance of involving the technical community in policy dialogues and capacity development initiatives for developing countries.

Franziska Klopfer raised the important point that awareness-raising about transnational critical infrastructure is a crucial first step for many smaller countries that may not be fully aware of their role in or dependence on such systems.

Multistakeholder Cooperation and Public-Private Partnerships

The panel emphasised the role of public-private partnerships in infrastructure protection, given the increasing privatisation of critical assets. Towela Nyirenda-Jere advocated for structured public-private partnerships. Tereza Horejsova called for increased multistakeholder dialogues and more meaningful involvement of the technical community in these discussions.

Challenges and Future Directions

Wenting He highlighted the ongoing challenge of attribution in cyberattacks, emphasising the need for continued research and international cooperation in this area. Shariffah Rashidah mentioned the upcoming final discussions of the OEWG and the focus on developing a permanent mechanism for cybersecurity at the UN.

The panel concluded by calling for continued efforts to strengthen collaboration between states and the technical community, explore multistakeholder dialogues on protecting transnational critical infrastructure, and work towards developing more effective international mechanisms for addressing cybersecurity challenges in critical infrastructure protection.

Marie Humeau: Yeah. Good morning. Thank you very much for being here. My name is Marimo. I’m working at the Dutch mission in Geneva on digital and cyber issue, and I’m very pleased to be your moderator today for this session on safeguarding critical infrastructure beyond borders. Actually, the entire idea behind this session is really to look at how we can better work between the diplomatic and the technical community and how to strengthen those efforts with a very concrete example on the critical infrastructure. So through this concrete example, we would like to look at the different region, and we have esteemed experts on our panel to help us guide through how it’s working today, how the diplomatic and technical community are working to address the threats that they are facing and how in the future we should really endorse those relation to make our cyber environment even more resilient. So as you know, there’s malicious activities that are targeting critical infrastructure. Unfortunately, those activities can have a spillover effects, and we really need to work on fostering resilience and cyber resilience. For this, we need to build capacity, we need to increase those collaboration, and really this relation between the diplomatic and the technical community is key, and that’s what we’re going to try to explore. At the moment, we are still like working a bit in silos, but we have seen some changes in the past, and we are hoping with our experts on the panel to explore how from their perspective they’ve tried to address those issues and they’ve tried to reach the gap between the technical and the diplomatic community. We will guide you through three different themes. So just so you’re aware before we start, there is a journey that we are going to have together. We will first look at the cyber threats, and then the policy response that we have now, and then the opportunities for a greater collaboration. So on the panel that I’m very pleased to moderate, we have Mr. Oran Osmani, who is with us online. He is the head of the cyber Security Division at the DITU, the International Telecommunication Union in the Telecommunication Development Bureau. So he’s leading lots of capacity building around the world on the cyber activities. We will also have Sharifa Rashida Syed Othman, Director of Policy and International Cooperation at the National Cyber Security Agency of Malaysia. And she really has a specific role because she is sitting in a technical agencies, but she’s also following lots of those UN development and discussion. So she is, I would say, one of the incarnation of how you can also make the link between the technical and the diplomatic community. We will also have Dr. Tawela Nirendra Jere, Head of the Secretariat at the Africa-EU Energy Partnership. And we also have Franziska Klopfer. She works at DCAF, the General Geneva Center for Security Sector Governance. And she is the Principal Project Manager for Cyber Security Governance. She works a lot in the Western Balkans. So we already have like different perspective and we know how crucial it is at the regional level, not only at the international level, but to work together. And it will be interesting to see if there are some differences in the approach that are being adopted in the different region. And then finally, we have Ms. Wenden He, Associate Researcher with the Security and Technology Program at UNIDO. And she has been, she’s like an expert on those issues. So she will provide us also with a great scene setter before we all dive into the discussion. And then, because the panel wouldn’t be like finalized with Tereza Oriyezova, she’s Senior Outreach Manager at the Global Forum for Cyber Security Expertise. And that will help us make the most out of the discussion and everything that we will hear in the next in the next hour. So, so, so those are my, my, my, my panelists and we will together like go through this journey on on where we are what has been done and also where we can do better and improve our work together. So, as I said, we will follow like the three steps approach. And we will start with actually going through the ICT threats framework, and then how this, this, this, the threats are really targeting critical infrastructure and how it impacts international peace and and security. So for this I’m going to first ask wanting to give us a bit of a scene center about what are the different components of critical infrastructure that facilitate the provision of essential services across borders. So what are the issue, like with the jurisdiction, but also what kind of type of stress, and how you’ve seen the evolution of, of the, the landscape, but also how can those malicious activities actually impacts international peace and security. So the floor is yours to like give us a bit of a background.

Wenting He: Thank you so much Murray. I hope you can all hear me and these are very important questions. While critical infrastructure designations vary across jurisdictions, there is this broad recognition of certain sectors as critical or important. So this includes energy transportation telecommunications commercial and financial systems, among other things. Many of these sectors provide essential services across national borders, for example, transnational energy pipelines operates national regional and international critical information infrastructure, in particular, refers to information and communication systems and networks, whose disruption or damage, who severely impact essential societal functions. So, this type of infrastructure. includes subsea cables, satellite systems, and cloud infrastructure, such as data centers. All of which support critical information and communication services across multiple states. For the interest of time, I will focus on subsea cables and satellite systems. But if you are interested in, you know, the cloud side of things, Unidear is publishing some reports on this topic very shortly. So please check out our website. So it’s no exaggeration to say that subsea cables really form the backbone of global communication. They transmit over 95% of international data traffics. And they enable reliable, efficient, cost-effective data transfers between data centers globally, which supports cloud services that we are all benefiting from. However, these cables are particularly vulnerable to physical threats. According to the International Cable Protection Committee, so each year, approximately 150 to 200 cable faults occur globally, primarily due to accidental human activities such as phishing and anchoring. Additionally, cable infrastructure also faces cyber risks. And this include potential hacking of the remote network management systems used for monitoring and managing cable activities. Satellite systems also play a very critical role in global communication. They provide internet connectivity in, you know, like large areas of the globe, particularly in remote or underserved areas. However, over, you know, recent- years, disruptions to space assets are becoming increasingly common. Potential threats include denial of service attacks, command injection, malware, signal interference, and physical damage to the satellite components. So in terms of the evolving threat landscape, attacks on international critical infrastructure and critical information infrastructure can disrupt essential cross-border services with increased complexity and impact. This challenge is especially pronounced in the increasingly digitalized world where such attacks, especially those targeting critical information infrastructure, including the relevant ICT supply chains and service providers, can significantly amplify both the reach and consequences of malicious activities, thus making such actions, thus making this type of infrastructure a compelling target for attackers. Additionally, the transnational nature of this infrastructure adds further complexity to its protection, making international collaboration a very essential element of effective safeguards and responses. And I know we will delve into this further and I will, so now I will turn to the, you know, the international security and peace implications of malicious activities targeting transnational CI or CII, so critical infrastructure and critical information infrastructure. Well, I don’t know how familiar you are with, you are familiar with, you know, the ongoing processes at the UN on cyber security, but the ongoing UN Open-Ended Working Group or OECD. BWG on ICTs through its annual progress reports emphasize that malicious ICT activities targeting critical infrastructure and critical information infrastructure can have cascading effects at national, regional and international levels. Such activities can pose heightened risks to populations across regions and can be also escalatory. In particular, the OEWG highlighted the need to secure subsea cables and satellite communication networks from malicious activities, which could cause significant disruption and damage to telecommunications and also potentially affect the technical infrastructure essential to the availability and integrity of the internet in large areas of the globe. Subsea cables have historically been targeted during conflict as a means to disrupt an adversary’s communication. For instance, at the beginning of the First World War, one of the British military’s first moves was actually to sever Germany’s undersea telegraph cables. Today, subsea cable networks have become increasingly complex and interconnected, transmitting vast volumes of data for both military and civilian purposes. Malicious attacks on these dual-use critical infrastructure pose significant risks to global connectivity, but also to international security. Attribution challenges further complicate the issue as it is often very difficult to determine who is behind the cable damages. This uncertainty could… to lead to accusations and potentially escalating tensions between states, even when the disruption may in fact be unintentional. So in the current environment of heightened geopolitical tensions, national security surrounding subsidy cables can drive further technological competitions over cable ownership, construction, and lending points, with important implications for global and also regional stability. Furthermore, satellite systems also play a very vital role in armed conflict, supporting critical military functions, including communication, navigation, and also intelligence gathering. Attacks targeting satellite networks and ground stations have the potential to disrupt adversaries, critical military operations, thus increasing the likelihood of such actions in conflict scenarios. Moreover, due to the dual use and transnational nature of satellite services, cyber attacks can have far-reaching consequences. This impact may extend far beyond the warring parties to affect also civilians and civilian services internationally and across sectors. I will stop here, Marie, and over back.

Marie Humeau: Thank you very much, Wenting. So now we kind of have the parameters of the journey we are going through, but like as in any journey, there’s unexpected things that can happen. So I would like to ask my panelists, I know we’ve prepared some questions, but if you feel the willingness to interrupt or to ask other questions or compliment what is being said, please feel free. We’re looking at you also on the screen. So just like wave, and then we will give you the floor accordingly. But as any journey, it’s always more interesting when- it’s when everybody can participate. So maybe I will now turn first to Rashida. And maybe you can give us a bit of your perspective actually from the Asian Pacific region and what kinds of threats you’re like experiencing on critical infrastructure and the potential impact of cyberattacks targeting such sectors on a national and regional level. So the floor is yours Rashida. And thank you for joining us because I know you’re not also on the same time zone.

Shariffah Rashidah Syed Othman: Thank you very much. A very good afternoon here but I just want to flag everyone that currently there is an azan for the prayer time in Malaysia where I could not lower the volume. It’s in the building. If it’s okay with the audience I can proceed or else can I just wait for just one minute to make sure this ends. If it’s okay for all of you.

Marie Humeau: It’s as you prefer. Honestly it’s part of the journey I guess. So if you want to do it now please feel free. The sound is good on our side.

Shariffah Rashidah Syed Othman: All right. So of course let me just if it’s okay can I just wait because it’s quite very loud here. So I will continue. Thank you very much. I’m sorry.

Marie Humeau: So I see Tawela has now joined online. So maybe we’ll start our journey with Africa then. And then if Tawela can you just maybe share with us your experience on So I see Tawela has now joined online. So maybe we’ll start our Africa’s energy sector. And could you. She will need permission to speak.

Towela Nyirenda-Jere: Hi. Good morning. Good afternoon. afternoon. Oh, yes. Now it’s working. We can hear you. Yes. Okay. My apologies. I’ve been struggling a little bit with the connection on this side. But I’m definitely happy to be joining you all. Let’s see if I can turn on my camera. Yes. We can hear you. Now we can see you. Perfect. Well, thank you for doing this. So maybe you can give us a bit of your experience from the African energy sector. Thank you very much. And good morning, again, to everyone. Good afternoon, as well. And fellow panelists, likewise. So I’m joining you from Addis Ababa in Ethiopia. And for those that may not know, I am currently now leading the Africa-EU Energy Partnership, which looks at promoting collaboration between the two continents on issues relating to energy and adjust energy transition. I think in terms of this topic around critical infrastructure in Africa, and very, very specific in terms of the energy sector, I think one of the things that is very evident, perhaps is that within the ICT ecosystem, the issues around critical infrastructure are well known and well discussed. And perhaps in energy, the conversation is a little bit different, but at the same time, needs to be brought perhaps to the same level as the discussions that we are having in the digital space. So when you look at Africa’s energy landscape, currently, of course, we know that, you know, 55 member states, five geographic regions, each of which has their own systems and ways of connecting and interconnecting through the different power pools that exist. And what has been done now is that the level of the EU is that there is an effort now to look at interconnecting the entire continent by really putting in the relevant infrastructure that would connect countries and regions. At the same time, looking at the harmonization of the different regulatory elements that would make that possible. And the whole idea is to be able to facilitate the flow of energy across the continent, and beyond in terms of meeting Africa’s energy needs, but also being able to then export excess capacity outwards. What this then means is that there’s a lot of emphasis being put on these interconnections that are cross border and trans boundary. And when we start talking about this particular interconnection, and the idea that we will need some form of smart grids to be able to manage this whole system, issues around being able to then define critical infrastructure in the energy sector become important, because these cross border links are very critical in so far as making the system work. At the same time, the aspects of cybersecurity and how we secure that infrastructure also become very important. And these are some of the things that in my previous job at AUDNEPAD, we had looked at as we were developing this continental power systems master plan. And one of the recommendations we made was to from the very beginning to incorporate this understanding of cybersecurity, and the need to make sure that within the energy sector, we were actually also looking at developing adequate capacities in terms of cybersecurity. So I think where we are now is that as a continent, there hasn’t yet been any kind of overarching framework, so far as critical infrastructure from an energy perspective. And that is one of the things that we will start looking at now. Different countries, of course, have some policies that are looking at critical infrastructure. South Africa is a good example. I believe Kenya is also another example. And the idea then would be that to learn from these experiences. to look at regional frameworks and then ultimately to have a continental framework that looks at critical infrastructure from the perspective of the energy sector. Back to you, Marie.

Marie Humeau: Thank you very much, Dawila. I think it’s, as you said, that the more you interconnect with those critical infrastructures such as the energy, the more also you will need each other to make sure that those cyber threats do not impact your network as well. So, thank you very much for sharing your initial perspective. And maybe now, I think, Rashida, you can provide your perspective from the Asia Pacific. Thank you very much.

Shariffah Rashidah Syed Othman: Thank you very much, Marie, for the introductions. And I also want to thank Wenting for giving and setting the scene and also has given a perspective of the ongoing discussions at the OEWG as well as the development and what actually the importance of critical infrastructure that strengthens international peace and security. And also, to allow that actually explain in terms of how energy sector is important and the initiative that has been done. And earlier, Marie introduced me that I came from an organization that implements cyber security. And also, I also want to acknowledge this is an opportunity and also benefits that I got from the Women in Cyber Fellows where I think GFCE is also actually facilitating this hosting and facilitating this event. And because of that, it actually made me understand and also a learning experience as well in terms of connecting between the importance of how national levels need to implement the framework of responsible state behavior and how best we can. do that in actionable item or actionable action. So coming back to the questions earlier regarding critical infrastructure sectors across border in Asia-Pacific region, I think earlier Wenting described about two things, which is the subsea cables as well as the satellite system, which I think it is global to any other region of the world. But one thing that I also want to connect and relate what actually happened at national level, which I think Toela mentioned specifically on energy. Because one is we hear earlier, depending on the country, how actually they determine the critical infrastructure and the critical infrastructure does not or CII does not exist in vacuum. It actually relates to the risk that the country face and also what actually define the country, the country’s importance. For example, in Malaysia, for our cyber security act, we define critical infrastructure, 11th sector in our cyber security act, we define infrastructure as a computer or computer system, which destructive disruption or destruction of the computer or computer system would have a detrimental impact on the delivery of any services essential to the security, defense, foreign relations, economy, public health, public safety and public order of Malaysia, or on the ability of the federal government or any of the state’s governments to carry out its function effectively. And coming back to the sector specific of critical infrastructure, even at national level, they actually exist vertically and horizontally. In terms of horizontally, for example, energy, regardless how strong our subsea cable, how strong our satellite system, if energy is out, you cannot even operate the cyber environment. That’s how the importance of the interdependency of each and every critical infrastructure. At the same time, depending on which part of the world you are, if the energy comes from the water, hydro or water will become another part of important things of the country and goes back to what is the resource of the energy. Coming back to how actually we develop and how actually at ASEAN Pacific and why actually specifically in ASEAN, how we put the importance of critical infrastructure in ASEAN, we actually have produced an ASEAN Cyber Cooperation Strategy, where in the strategy, one of the dimensions, it says about advancing cyber readiness cooperation, where two important things being put. One is the SERT cooperations and coordination, where recently we have established and launched our ASEAN Regional SERT together with all ASEAN member states. And secondly, of course, the focus is on the coordination of regional CII protection. So in a nutshell, the discussions that happening at the UN actually complements the work that we do at national level. And having been in an organizations that actually do both, we actually work together with our Ministry of Foreign Affairs and see how this thing can actually interconnected, interdependency, and also it will reflect not only at national level, regional level and at the global level. Apparently, I will stop here.

Marie Humeau: Thank you very much, Rashida. And thank you for sharing your personal experience as well. I think you are a good example on how the technical community and the diplomatic community, as well as we should look at the national, regional and international level altogether. And I think you made a great point about the complementarity of those different approaches. As well, I think one important point about how you at national level define critical infrastructure. I think that’s also an important point for each and every one of us to better understand what other countries and what critical infrastructure on top of what we are discussing at international level. So maybe we will move on in our journey to Actually, and what you mentioned, Rashida, with your national experience, I think, and your regulatory framework, is actually the perfect path through our next step in our journey, which is really looking at the policy responses and the lesson learned from good practices on the protection of critical infrastructure. I saw you, Oran, I think I saw some of the ping that you did popping in onto our screen that we have here. So I feel like you are now, like it’s time for you to step in and then to tell you a bit more about how to strengthen the protection of transnational critical infrastructure. Is there a scope for the diplomatic and technical community to work together to actually mitigate those ICC incidents? Oran, the floor is yours.

Orhan Osmani: Thank you, Marie, and good afternoon and good morning to everyone. It’s a pleasure to be on this panel. I think, you know, as your question points, is there a scope between diplomatic and technical community to work together to mitigate these incidents? I think there is always, if there is a will, always there is a way to do things. So I think, you know, I stand by that. But I think what we need to do is basically, probably we need to take a step back and on national level, connect these two communities, because we see huge gaps between diplomatic and technical community on national level. And that one basically blocks the future collaboration on international level. So, you know, if we are clear on national level, where we stand in terms of cybersecurity from diplomatic and technical point of view, I think we can basically strengthen collaboration and we can work together towards, you know, an understanding that, you know, some of the critical infrastructures which serve the essential services in the countries needs to be protected and they must be protected. Because, you know, we are talking about, you know, people who are now, I know more and more people are on. medical devices which you know basically the life-supporting devices and know any energy let’s say any energy attack it attacks those devices we are keeping people alive so I think you know we need to we need to really we need to be have compassion towards those those people I think we need to promote more let’s know what is at risk there and I think you know besides you know I think you know I heard venting she was talking about you know mainly focusing on on state state to state challenges they have on on but also we have the big group of those who are making money than all the cyber criminals who are basically it’s a big industry so it’s is bigger than anything and and cybercrime threats are bigger than any natural disasters around the world so basically no it’s something we need to deal with and I think we need to increase more and more collaboration between technical community but also diplomatic community probably also what we need to work on on on more is attribution because you know often you know this is my personal view I see often the attributions happen very quickly but from technical perspective you know I understand you know to attribute an attack to someone is going to be very challenging because you know you need to have more more evidence you need to spend more time to ensure that you know that the attribution is correct and know when you attribute something to someone which is not which is not kind of true or it’s or it’s misleading then the challenge is basically collaborating how to work together so I think you know we need to work more on capacity development so basically I mean often I I go against the term of capacity building because capacity buildings we build capacity where there is no capacity but I think now we need to continue development because I think you know all regions have capacity but we need to continue development of the capacity so you know probably we need to change the language how we approach and another thing you know which I think we can strengthen protection of critical infrastructure is that know if government community and member states work together in terms of you know, collaborating and kind of, you know, coordinating the activities, aligning each other, you know, how we can, how we can work together and basically, you know, support the development of the world, because I think, you know, I mean, we are having all these national and transnational conflicts. But I think, you know, something which is coming after all the world is the climate change. And I think, you know, we need to we need to promote more of, you know, actually what is happening to us as a world, and probably, you know, the political tensions we will reduce, and we can work better on cybersecurity and other and other challenges we face as a world. So I think, you know, probably, you know, this is my input. I don’t know, let’s see, you know, how conversation goes. And I’ll probably add and chip in with other views. Thank you.

Marie Humeau: Thank you, Orhan. So it’s, it’s about strengthening our capacity. But, and also, I think, indeed, the link between the technical and the diplomatic community, sometimes we don’t speak the same language. So it’s also about, I guess, strengthening our common understanding of each other, and maybe learning how to, like speak the language of all the others. So you can work better together as well. And thank you very much for for this perspective. I think we will now in our journey throughout the world, jump into the Western Balkans region with with Francisca. And you have been working with the technical community, the certs in that region, and you’ve helped him set up informal networks, where actually it’s about like getting to know each other, building trust, sharing information. And I think that’s relates a bit to what Aran was saying also about the need for, for, for, for to build on our capacity and also to better exchange information. Can you tell us a bit more about how can such networks of technical experts help protect the critical transnational political infrastructure?

Franziska Klopfer: Thank you very much, Marie. And Hello, everyone. Very pleased to see you, see you again. Indeed, we have my organization, the Geneva Center for Security, the governance have been working for quite some time in the Western Balkan region in Europe. And one of the areas that we work with is organizing regional events for national certs. And indeed, this has helped through a long term process to facilitate communication and build trust. And now led to what one can describe as an informal network of where the staff of this certs communicate. I want to kind of take up on what the previous speakers have said, that there is a lot that can be done by different communities. And I think it is important definitely to see the potential of the technical community to also get involved in, you know, transnational international processes. But I think it is very important to to then go back to see, as Arhan had said, what’s happening at the national level. Because these certs, they also they cannot work in a vacuum. They cannot do diplomacy or in a vacuum. They are part of a national structure where they, I think, have a, for example, the certs have a very interesting role that they can play. They are usually in countries, either the certs or the national cybersecurity agencies, in charge of also supporting and coordinating with critical infrastructure and critical information infrastructure. So they are really there to support and to help them and to enforce cybersecurity standards and also to exchange information and information that might have also received from friendly neighbors on cyber threats. But I think this cannot be done. in a vacuum or outside of diplomatic processes, as you know. I mean, we’ve talked quite a bit about agreements, bilateral or regional or international, about coordination between different countries on protecting of CII. And I think this is, we know that there are different actors involved in it and there’s on the one hand the diplomatic community and then technical community can come in with their expertise. But it is very important that in a country, the roles of diplomats, of technical community, or for example, CIRTS and other actors are clearly defined. And it’s clear what the role they play in, for example, in this process of protecting transnational critical infrastructure. And that it’s also clear how they communicate, coordinate and communicate with each other. Because as has already been mentioned, I think this is a big problem. You have different actors working on similar topics, but there’s no clarity about how they should cooperate. They often don’t even meet regularly in meetings. So I think that’s one of the areas, but when we talk about also capacity building or capacity development, that we should not see these different actors in isolation. But I think part of the capacity development would be to strengthen the links, clarify roles and responsibilities and strengthen links between those different stakeholder groups at national level.

Marie Humeau: Thank you, Franziska. I think the message is clear that we need to strengthen our capacity, everyone’s capacity also at national level first. And then that would also allow for better engagement, I think at regional and then international level. But let’s put everything one step at a time and start with the strengthening at national level of this collaboration also between the technical and the diplomatic community. Maybe I’ll move back to Willa. and look at from your perspective on the Africa’s energy sector. Can you share with us some good practices, good example at your level, at the African Union level, and what kind of further steps would you think governments and industry stakeholders in the region can take to better protect the energy infrastructure? I think it’s always good to have a look at concrete sectors. So Tovela, the floor is yours to share your perspective on this.

Towela Nyirenda-Jere: Thank you very much. Maybe let me just start by appreciating I think Rashida’s intervention and especially the idea of the fact that critical infrastructure perhaps will be looked at and prioritized differently within different member states and regions, depending on what is obtaining in the region and also in terms of how regions work and are organized. And I think also to Orhan’s point about the fact that capacity building but maybe enhancing and going further in terms of capacity endowments and looking more at very deliberate strategies for capacity development I think are very important points. So I think turning to the case of Africa and looking at good practice and maybe trying to do a bit of a balancing act between the energy sector but also all the other infrastructure sectors as well. I think one thing that I would cite as good practice that I think this is also to Rashida’s point but also in terms of the way Africa works and is structured is the idea of really being able to foster and promote regional cooperation and harmonization across the different regions because that then makes it easier when we now want to start implementing different policy frameworks if there is some way in which there’s a bit of harmonization but also that there is some cooperation. Within the energy sector. Of course, there’s, and as with other sectors, there’s a myriad of stakeholders that are involved in all of this. So you will have utilities at the national level, you have the power pools, you have the regional economic communities, you have other private sector entities perhaps that are responsible for grid development. And then obviously you have the African Union itself. So there is a need for a very balanced cascading of cooperation, both from top going down, but also from the bottom going up. And being able to structure this in a way that makes sense, I think is important. And I think for the energy sector, I think Africa has managed to do this in a very coherent way by bringing together all these different actors to look at the sector critically and identify the different areas where harmonization and standardization is needed, but also establishing the relevant cooperation frameworks. When we now look maybe very specifically at the issues of cybersecurity, I think we’re all aware that the African Union has its convention on cybersecurity and personal data protection, which has now entered into force, and which also sets, I think, a very good framework in terms of how the continent wants to approach issues of cybersecurity, issues of privacy, issues of data protection. And I think what is important then as we move forward is making sure that this convention is seen not as an ICT instrument or an ICT device, but that it really has importance across the entire infrastructure landscape, and obviously beyond when we start looking at just general issues of people’s day-to-day lives as well. To the point about capacity and the capacity endowments, really, when we now look at how we operationalize the convention, again, very important to make sure that we’re not losing sight. of the fact that in addition to the digital cyber experts, if I can call them that, that we need to make sure that our experts that are managing our different utilities, whether it’s in water, whether it’s in energy, and those that are managing our other infrastructure, you know, in terms of transport, in the water sector, that all of these are adequately equipped with the understanding of, you know, cyber security measures, but also that there is some element of coordination and cooperation across the different sectors within countries at regional level, and then also at a continental level as well. And then lastly, I think that, you know, in terms of the practice, I think the GFCE perhaps mentioned this a little bit, just in terms of this idea of being able to provide a framework where one can actually have a way in which to match the capacity needs in terms of cyber capacity building, and linking that to where expertise and experts lie and being able to make those connections and offer that platform that enables this flow of expertise and experts between regions and between countries, so as to enhance the cyber security posturing across the globe. Back to you.

Marie Humeau: Thank you very much, Jawila. I think you, you, you, you touch upon another important point is also sharing best practices across sectors, and it’s that the cooperation need not only to happen between the technical community and the diplomatic community, but also across sectors, because the more we get connected, the more we rely on each one sector rely on the other. But also, I think each sector can learn from the best practice of the other. And I think you point out your best practice from the energy sector, and I’m pretty sure a lot of other sectors can learn from how you are trying to like put things together and to be able to share better the information to make your, your infrastructure also more resilient. And I think that’s exactly what we are. trying to do here and I can I can see on the screen of one thing that they’re already some exchange of of willingness to exchange information about what everyone is doing so I think that’s the objective is really to share our experience here, and to connect and continue that discussion also after after this session so I’m quite excited about what I see on the screen on my left. And it’s not only happening in the room. So maybe we’ll guide you through the next step in our, in our journey which is our nearly final stop, because we will then open the floor to everyone to ask questions, but apparently someone wants to take the floor. Yes, Rashida please do.

Shariffah Rashidah Syed Othman: Thank you very much, Marie, I just want to just connect and give some response with regards to Francisca’s views as well as Toela. About the importance of structuring and position. While we are talking about the technical community in terms of sets and giving them a proper place at the national level, as well as how Toela mentions the importance of making sure that the things are being interconnected in such a way, where I think the experience that we took in terms of making sure the discussions between the technical people and diplomat, as well as the people that look into the policy at national level. This is also the experience that we got from the exposure from the learning curve that we got from the OEWG, and other activities that we, we see at national level, as well as at regional level, specifically on the third part. the chief executive of my organization, the National Cyber Security Agency, has the responsibility to maintain the National Cyber Coordination and Command Center, which is our national CERC, and the act actually give an importance of the designation of sector lead, where they are being empowered to designate the national critical infrastructure with the processes, then they are a compulsory notification of incident, where the coordination can actually be swiftly being done at national level. This is also complement the works that, and the development that is happening at national level, where the national CERC, which is the NC4 itself, is also being submitted at the UN OEWG as the technical global point of contact. This is where I think the learning curve our country takes in terms of understanding and connecting the dots between the discussion with the technical people, the policy people at the domestic level, as well as the diplomat that works at the United Nation. Another part that I also want to touch is the opportunity that we have in terms of capacity building, where one of the thing that we managed to work together, especially with UNIDIR, and at national level, we get a blessing from our management to do that, where we will develop and institutionalize a proper training in our institute that train the diplomat before they are being stationed internationally in terms of cyber diplomacy or tech diplomacy, so that the people that face when they go overseas, the diplomat have the clear understanding of when to connect the dots and how actually they can bring back the discussion that they see and they negotiate at any platform, bilaterally or multilaterally, back to the organization. in organizations that look and lead national cybersecurity initiative at national level.

Marie Humeau: Thank you. Thank you very much Rashida. I think indeed it’s important to know who to contact and where in those points of contact are key and crucial. And thanks for sharing your best practices. I think your point about capacity building and the training of diplomats is an amazing one. And I’m very pleased as well that our co-organizer today are being mentioned by so many of you on their best practices as well, because I do think that UNIDIR and GFCE are doing lots of work to try to strengthen those capacity as well. And indeed, the women in cyber, we can see here that we have quite a panel with lots of women. So it’s also nice to see this because it’s not always the case, but thank you around for bringing a bit of men balance in this discussion as well. So maybe, or no, no, yes. I know sign on it from the virtual room, but so maybe we’ll, yeah. Maybe we’ll step in in our last topic. And before I give the floor to everyone and to some questions. So maybe what are the, so we will step in for the future and where we are heading next step in our journey. So maybe, Francisca, you want to start with what are the opportunities for greater cooperation? And do you see, I think you started like answering that question a bit already, but do you see like ways to reach out and to set up mechanism to better be prepared and equipped for those, for greater collaboration? And that includes also the role for the multi-stakeholder community in those discussion.

Franziska Klopfer: Yeah, I think that’s a really good question. I think that’s a really good question. I think that’s a really good question. I think that’s a really good question. I think that’s a really good question. Yes, I think we’ve spoken quite a lot about this already, so I’ll keep it short and I think maybe just a very practical step, and Rashida already mentioned it, I think a very good first step would be when you do training of cyber diplomats, actually one of the most essential things, make them aware of what’s happening in their country, who’s in their country, who they need to coordinate with, who they need to consult, also to establish national priorities, because these are the national priorities that we will bring to the international discussions, including discussions on CII, and also engage with the multistakeholder community in order to identify indeed and to work with CII. I think I’ll leave it at that in the interest of time, just two first practical steps that I would recommend to take.

Marie Humeau: Thank you. I think we are running, we only have a few minutes left, so maybe what I’ll do, if that’s fine, I’ll look at the room and see if there are some pressing questions coming from the room. Yes, I see a gentleman at the back. Excuse me? Mike, yes, please. Thank you. It’s coming from you, Ben. No, Mike. Thank you.

Audience: Hello. Yes, so I’m into you from Austria, and I’m curious to know how many of you, so I guess that you’re coming from, each of you are coming from different countries, so how many of you have seen policy documents that actually addresses transnational critical information infrastructure and talk about whether your government is allowed to or planning to attack in case of emergencies or in case of contingencies, especially if it’s relevant? if you have seen any documents published by the military administration. So is your country, especially the military department, allows or take into consideration the possibility they would be able to attack critical influence structures in other countries?

Marie Humeau: Is there any question also on the chat? No? Okay. So maybe we’ll take your question. And because we also have two minutes left, at the same time, I’ll ask the speakers to answer your question and then to give their final remarks before Theresa wraps it up and do our photo album of our journey together. So maybe I’ll give you the floor one by one, and then you can address the question that has been asked. But also you can bring us a bit of your flavour, and Francisca, you’ve already started to do so, on what are the opportunities in the future, be it at national, regional, or at international level, for greater collaboration? But also, what can stakeholder bring to the table in terms of the protection of critical infrastructure, and the importance of actually this multi-stakeholder cooperation that is needed to be better equipped and to have a more resilient critical infrastructure? Maybe I’ll start at the bottom right with Oran, and then I’ll go to Toela, to Francisca, and to Rashida and Francisca. So Oran, you have the floor.

Orhan Osmani: So can you hear me, I think? So I think the question of the gentlemen, honestly, I don’t have an answer, because ITU is a government agency, so we keep supporting member states to build the capacity. So… know, we are focused on Global South, where we, you know, run cyber drills, where we bring communities together, so technical communities. Now we are trying to bridge the gaps, bringing diplomatic community to our meetings and have a discussion among them. So in principle, you know, I don’t have an answer for him on that regard. But you know, all comes down to, you know, collaboration, information sharing. So we have often, you know, even countries which are aligned to each other, they don’t share all the information. So basically, you know, I think, you know, I think quite a lot needs to be done, I think, trust needs to be built. And so we need to we need to work around around that. So I think, you know, the opportunities are there to to increase collaboration, but are we going to take and take action on really putting the citizen at the center, because I think, you know, what is happening now we are putting at the center other things. But if you put the citizen at the center, you know, those who need the essential services, those who benefit from those essential services, and those who contribute back to the society, I think, you know, then I think quite a lot of things can be solved. But you know, I’m very idealistic in that regard. So I think, you know, I’m not sure, you know, what, what would work the best, but you know, we keep continuing to work together with a global South building the capacity which is needed to support the digital developments of the countries. We, you know, help women in cyber, through mentorships, through capacity building, and so on. I mean, a lot to be done, honestly, you know, a lot to be done. And we need to sit down as development agencies or partners or stakeholders on building capacity, developing capacity. So we need to sit down and kind of decide who’s going to be doing what, because I think a lot of duplication of efforts is happening in on the same area. So I think we need to kind of spread the net and try to cover most we can, because the resources are limited in terms of financial and human. And I think, you know, can be done a lot if just there is a will to sit down and lower our egos and work together. I mean, that’s, that’s all. Thank you.

Marie Humeau: Thanks. Thanks, Oren. So I think And as you said, a lot needs to be said and done, but we are also pressured with time. So I will give each of you 15 seconds, and then, Teresa, I can wrap up. I’m really sorry, but maybe we can have another session on the next IGF to continue the discussion, because apparently so much needs to be done and so much needs to be said. And we are seeing this initial cooperation that are taking place now. So maybe, Doela, if you can give us in 50 seconds a short snap of what you think we should be doing.

Towela Nyirenda-Jere: Okay. Thank you very much. Very quickly, I think, as we see now that there’s a large move towards privatization of a lot of infrastructure, whether it is in-country or transnational infrastructure, this means then that, on the one hand, there will be a need for stronger collaboration between private sector and governments through very structured PPPs that focus on this issue of the protection of that infrastructure, but at the same time, governments, I think, need to then continue setting the container in terms of the relevant policy and regulation mechanisms, but making sure that these are things that can be implemented and that are enabling the protection of the infrastructure, but also, I think, as Aura has said, making sure that we’re not losing sight of putting people at the center of what we’re doing. Thank you.

Marie Humeau: Thank you, Doela. Rashida, you have 15 seconds.

Shariffah Rashidah Syed Othman: I’m going to be short and quick, but I just want to touch on, just now earlier, we mentioned about OEWG discussions. So one of the things that we are doing right now, we are in the final lap of the OEWG. The central of the discussion before next July is to ensure what will be the future permanent mechanism, where we want to actually, together with all the states, to develop a permanent mechanism on how we want to position cybersecurity at the UN. This is where an important discussion starts, where actually we want to position the stakeholder so that they can contribute. to execute effectively in the permanent mechanism that we wanted to do. One thing we talk a lot today is about energy from where if we want to talk about energy, be sector specific, bring the right stakeholder, bring the right skill, then we can solve the right specific question in sector specific problems at the at that level that it can be escalate at regional and national level.

Marie Humeau: I’m going to pass it over to Francesca.

Franziska Klopfer: And just to add to what everything has been said, maybe go back to the beginning. I think there’s still also some work to be done to just raise awareness of the existence of this transnational critical infrastructure and a lot of I think smaller countries might not be aware or they might not be aware of where these often these critical national transnational infrastructure on their protection. So I think that’s a good step for the very very beginning. That’s still I think necessary.

Marie Humeau: Thank you Francesca. I will give my last words to to Teresa. But before this, I would like to thank all the panelists for being with us and sharing your your expertise. And this is just the beginning. But I’ll give the floor to to Teresa.

Tereza Horejsova: Thank you, Mary. So we put this session together because we thought there was a lack of understanding of what benefit involvement of the technical community can have in multistakeholder dialogues on these topics. We have felt from our experience that sometimes these multistakeholder consultations have been more a tick-the-box approach, which is not what we want, because they are stakeholders in addition to the myriad of other stakeholders as was already said at this session. So we hope that this technical community can get involved, especially next year, in the in the regulational dialogues. We had some great examples from from Africa. Africa, from Asia, from Western Balkans, with some concrete challenges, including the definition on the national level of what is actually critical infrastructure, some efforts for regional cooperation as well. So I will not be able to go through all these details, but if you allow me, there are a few kind of calls for action that I think can shape the continuation of our discussion on this topic. The first is that we do need to strengthen the collaboration between states and the technical community, and we will be able to explore more in detail how, be it third-to-third cooperation or in the framework of the open-ended working groups. We do need to build capacities, especially for developing countries. We have heard the capacity building or capacity development, as Orhan clarified, has been coming up in the discussion in relation to these topics. And another idea that I think we can play with is how can we further convene multistakeholder dialogues on protecting transnational critical infrastructure, which is something that we will look into and we will try to come up with some ideas, be it in the form of a series of workshops or other initiatives. So I will have to stop here because I know we are over, but thank you very much for being part of this.

Marie Humeau: Thank you and have a good day. Thank you so much. Thank you. Bye-bye. Thank you. Bye-bye. Thank you. Bye-bye.

Agreement Points

Critical infrastructure protection is crucial for international security

speakers

Wenting He

Towela Nyirenda-Jere

Shariffah Rashidah Syed Othman

Orhan Osmani

arguments

Subsea cables and satellite systems are key vulnerable components

Energy sector interconnections are increasingly important targets

Attacks on critical infrastructure can have cascading effects across borders

Cybercrime threats to infrastructure are greater than natural disasters

summary

Speakers agree that protecting critical infrastructure, including subsea cables, satellite systems, and energy interconnections, is vital for international security due to their vulnerability and potential for cascading effects across borders.

Need for collaboration between technical and diplomatic communities

speakers

Shariffah Rashidah Syed Othman

Orhan Osmani

Franziska Klopfer

Tereza Horejsova

arguments

Cyber diplomacy training for diplomats is crucial

Bridging gaps between technical and diplomatic communities

Value of informal networks between national CERTs to build trust

Need to involve technical community in policy dialogues

summary

Speakers emphasize the importance of fostering collaboration and communication between technical experts and diplomats to address cybersecurity challenges effectively.

Similar Viewpoints

Both speakers advocate for structured cooperation mechanisms, either at the regional or international level, to address cybersecurity challenges more effectively.

speakers

Towela Nyirenda-Jere

Shariffah Rashidah Syed Othman

arguments

Need for regional cooperation and harmonization of approaches

Permanent UN mechanism for stakeholder contributions on cybersecurity

Unexpected Consensus

Citizen-centric approach to infrastructure protection

speakers

Orhan Osmani

Towela Nyirenda-Jere

arguments

Putting citizens at the center of infrastructure protection efforts

Structured public-private partnerships for infrastructure protection

explanation

While coming from different perspectives (ITU and energy sector), both speakers emphasize the importance of considering citizens’ needs and involving the private sector in infrastructure protection efforts.

Overall Assessment

Summary

The speakers generally agree on the importance of protecting critical infrastructure, the need for collaboration between technical and diplomatic communities, and the value of regional and international cooperation mechanisms.

Consensus level

There is a moderate to high level of consensus among the speakers on the main issues discussed. This consensus suggests a shared understanding of the challenges and potential solutions in protecting transnational critical infrastructure, which could facilitate more coordinated efforts in policy-making and implementation at national, regional, and international levels.

Different Viewpoints

Focus of capacity building efforts

speakers

Orhan Osmani

Towela Nyirenda-Jere

arguments

We keep supporting member states to build the capacity. So…know, we are focused on Global South, where we, you know, run cyber drills, where we bring communities together, so technical communities.

Need for regional cooperation and harmonization of approaches

summary

Orhan Osmani emphasizes capacity building focused on the Global South through cyber drills and bringing technical communities together, while Towela Nyirenda-Jere stresses the need for regional cooperation and harmonization of approaches in Africa.

Unexpected Differences

Overall Assessment

summary

The main areas of disagreement were subtle and primarily focused on different approaches to capacity building and bridging gaps between technical and diplomatic communities.

difference_level

The level of disagreement among the speakers was relatively low. Most speakers presented complementary perspectives on protecting critical infrastructure and enhancing cybersecurity cooperation. The differences in approaches reflect the diverse regional and organizational contexts of the speakers, rather than fundamental disagreements on goals or principles. This low level of disagreement suggests a general consensus on the importance of protecting transnational critical infrastructure and the need for multi-stakeholder cooperation, which is positive for advancing global cybersecurity efforts.

Partial Agreements

Both speakers agree on the need to connect technical and diplomatic communities, but they propose different approaches. Orhan Osmani suggests bringing diplomatic communities to technical meetings, while Shariffah Rashidah Syed Othman emphasizes specialized training for diplomats in cyber diplomacy.

speakers

Orhan Osmani

Shariffah Rashidah Syed Othman

arguments

Bridging gaps between technical and diplomatic communities

Cyber diplomacy training for diplomats is crucial

Similar Viewpoints

Both speakers advocate for structured cooperation mechanisms, either at the regional or international level, to address cybersecurity challenges more effectively.

speakers

Towela Nyirenda-Jere

Shariffah Rashidah Syed Othman

arguments

Need for regional cooperation and harmonization of approaches

Permanent UN mechanism for stakeholder contributions on cybersecurity

Key Takeaways

Critical infrastructure like subsea cables, satellite systems, and energy grids are increasingly vulnerable to cyberattacks with potential cascading effects across borders

There is a need for greater collaboration between technical and diplomatic communities to address cybersecurity threats to critical infrastructure

Regional cooperation and harmonization of approaches is important for protecting transnational critical infrastructure

Capacity building and training, especially for developing countries, is crucial for improving critical infrastructure protection

Multistakeholder cooperation, including public-private partnerships, is necessary for effective protection of critical infrastructure

Resolutions and Action Items

Explore ways to strengthen collaboration between states and the technical community, including through CERT-to-CERT cooperation

Look into convening multistakeholder dialogues on protecting transnational critical infrastructure, possibly through a series of workshops

Work on developing a permanent UN mechanism for stakeholder contributions on cybersecurity issues

Unresolved Issues

Specific mechanisms for improving information sharing between countries on critical infrastructure threats

How to effectively involve the technical community in policy dialogues beyond a ‘tick-the-box’ approach

Ways to address the duplication of efforts in capacity building initiatives

How to balance national security concerns with the need for international cooperation on critical infrastructure protection

Suggested Compromises

Focusing on putting citizens and essential services at the center of critical infrastructure protection efforts rather than solely on national interests

Developing structured public-private partnerships that allow for private sector involvement while maintaining government oversight on critical infrastructure protection

We need to take a step back and on national level, connect these two communities, because we see huge gaps between diplomatic and technical community on national level. And that one basically blocks the future collaboration on international level.

speaker

Orhan Osmani

reason

This comment highlights a fundamental challenge in addressing cybersecurity issues – the disconnect between technical and diplomatic communities at the national level, which hinders international cooperation.

impact

It shifted the discussion towards the importance of national-level coordination as a prerequisite for effective international collaboration on cybersecurity.

Critical infrastructure does not exist in vacuum. It actually relates to the risk that the country face and also what actually define the country, the country’s importance.

speaker

Shariffah Rashidah Syed Othman

reason

This insight emphasizes the contextual nature of critical infrastructure, highlighting that its definition varies based on each country’s specific risks and priorities.

impact

It broadened the conversation to consider how different countries might approach the protection of critical infrastructure based on their unique circumstances.

We need to promote more let’s know what is at risk there and I think you know besides you know I think you know I heard venting she was talking about you know mainly focusing on on state state to state challenges they have on on but also we have the big group of those who are making money than all the cyber criminals who are basically it’s a big industry so it’s is bigger than anything and and cybercrime threats are bigger than any natural disasters around the world

speaker

Orhan Osmani

reason

This comment broadens the scope of the discussion beyond state-to-state challenges to include the significant threat posed by cybercriminals, comparing it to natural disasters in terms of impact.

impact

It expanded the conversation to consider non-state actors as a major threat to critical infrastructure, adding complexity to the discussion of protection strategies.

Part of the capacity development would be to strengthen the links, clarify roles and responsibilities and strengthen links between those different stakeholder groups at national level.

speaker

Franziska Klopfer

reason

This insight emphasizes the importance of clear roles and communication channels between different stakeholders at the national level as a key aspect of capacity building.

impact

It refocused the discussion on the need for structured coordination and clear responsibilities among various actors involved in protecting critical infrastructure.

We will develop and institutionalize a proper training in our institute that train the diplomat before they are being stationed internationally in terms of cyber diplomacy or tech diplomacy, so that the people that face when they go overseas, the diplomat have the clear understanding of when to connect the dots and how actually they can bring back the discussion that they see and they negotiate at any platform, bilaterally or multilaterally, back to the organization.

speaker

Shariffah Rashidah Syed Othman

reason

This comment introduces a concrete solution to bridge the gap between technical and diplomatic communities through specialized training for diplomats.

impact

It provided a practical example of how to address the disconnect between technical and diplomatic communities, moving the discussion towards actionable solutions.

Overall Assessment

These key comments shaped the discussion by highlighting the complex, multi-faceted nature of protecting critical infrastructure across borders. They emphasized the need for better coordination between technical and diplomatic communities at both national and international levels, the importance of context-specific approaches to defining and protecting critical infrastructure, and the necessity of capacity building that includes clear role definition and specialized training. The discussion evolved from identifying challenges to exploring potential solutions, with a focus on practical steps to improve collaboration and communication between various stakeholders.

How can we better structure and position the technical community (e.g. CERTs) at the national level to improve coordination with diplomats and policymakers?

speaker

Franziska Klopfer and Shariffah Rashidah Syed Othman

explanation

This is important to improve communication and coordination between technical and diplomatic communities at the national level, which can then enhance international cooperation.

How can we develop more comprehensive training programs for diplomats on cyber diplomacy and technology issues before they are stationed internationally?

speaker

Shariffah Rashidah Syed Othman

explanation

This is crucial for ensuring diplomats have a clear understanding of cyber issues and can effectively engage in international discussions and negotiations on these topics.

What are effective ways to raise awareness among smaller countries about the existence and importance of transnational critical infrastructure?

speaker

Franziska Klopfer

explanation

This is important because many smaller countries may not be aware of their role in or dependence on transnational critical infrastructure, which is crucial for effective protection efforts.

How can we better coordinate capacity building efforts among development agencies and partners to avoid duplication and maximize impact?

speaker

Orhan Osmani

explanation

This is important for making the most efficient use of limited resources in building cybersecurity capacity globally.

What mechanisms can be developed for stronger collaboration between private sector and governments through structured public-private partnerships focused on critical infrastructure protection?

speaker

Towela Nyirenda-Jere

explanation

This is crucial as there is a trend towards privatization of infrastructure, requiring new forms of cooperation to ensure protection.

How can we design a permanent mechanism at the UN level for positioning cybersecurity that effectively incorporates multi-stakeholder contributions?

speaker

Shariffah Rashidah Syed Othman

explanation

This is important for ensuring long-term, structured global cooperation on cybersecurity issues, including critical infrastructure protection.

Summary

This discussion focused on preparations for the WSIS Plus 20 Forum High-Level Event in 2025, which will review 20 years of progress since the World Summit on the Information Society. Participants emphasized the importance of maintaining the multi-stakeholder approach that has been central to WSIS, while also adapting to new technological developments and challenges. Many speakers stressed the need to avoid duplication of efforts, particularly in light of the recently adopted Global Digital Compact (GDC).

There was broad agreement on the continued relevance of the WSIS action lines, though some suggested updates may be needed to address emerging issues. Several participants highlighted the importance of inclusivity, calling for greater involvement of voices from the Global South, rural communities, and youth. The need to address persistent and new forms of the digital divide was a recurring theme.

Speakers from various UN agencies, governments, civil society, and the private sector shared their perspectives on priorities for WSIS beyond 2025. These included focusing on sustainable and ethical technology use, enhancing digital skills, and leveraging ICTs for development. There were calls to better integrate the implementation of the GDC with existing WSIS mechanisms.

The discussion also touched on procedural aspects, such as the open consultation process for shaping the agenda of the 2025 event. Overall, participants expressed a strong commitment to building on WSIS achievements while adapting the process to address current and future digital challenges in an inclusive, rights-based manner.

Keypoints

Major discussion points:

– The importance of maintaining the multi-stakeholder and inclusive nature of the WSIS process as it moves beyond 2025

– The need to avoid duplication between WSIS and other initiatives like the Global Digital Compact, and instead build on existing frameworks

– Updating the WSIS action lines to address new technologies and challenges while maintaining their technology-neutral approach

– Increasing focus on issues like digital divides, rural connectivity, gender gaps, and youth engagement

– Streamlining implementation efforts and maximizing limited resources

The overall purpose of the discussion was to gather input from various stakeholders on priorities and considerations for the WSIS+20 review process and high-level event in 2025, as well as the future of WSIS beyond 2025.

The tone of the discussion was largely collaborative and forward-looking. Participants expressed enthusiasm for the WSIS process while also highlighting areas for improvement and evolution. There was a sense of urgency about making the most of limited time and resources to address critical digital issues. The tone became more action-oriented towards the end, with specific suggestions for new initiatives and calls to submit formal input.

Speakers

– Gitanjali Sah – Organizer of WSIS Forum

– Thomas Schneider – Ambassador of Switzerland

– Torbjörn Fredriksson – UNCTAD representative

– Cynthia Lesufi – South Africa representative, Council Working Group on WSIS and SDGs

– Anriette Esterhuysen – Association for Progressive Communications

– Meni Anastasiadou – International Chamber of Commerce

– Mina Seonmin Jun – South Korea representative, Council Working Group on WSIS and SDGs

– Felix Nyström – Swedish Ministry of Foreign Affairs

– Craig Stanley-Adamson – Head of Internet Governance, UK Department for Science, Innovation and Technology

– Wallace S. Cheng – Global Ethics representative

– Halima Ismaeel – Secretary General’s Youth Advisory Board member

Additional speakers:

– Cedric – UNESCO representative

– Yuping – UNDP representative

– Delfina – United Nations University representative

– Moaz – Saudi Arabia representative

– Mike Walton – UNHCR representative

– Rian – Brazilian Association of Internet Service Providers

– Paola Galvez – Youth representative from Peru

– Fawad Bajwa – Digital Dera representative from Pakistan

Expanded Summary of WSIS Plus 20 Forum High-Level Event Discussion

Introduction

This discussion focused on preparations for the WSIS Plus 20 Forum High-Level Event, scheduled for July 7-11, 2025, at Palexpo in Geneva. The event will review 20 years of progress since the World Summit on the Information Society. The dialogue brought together representatives from various UN agencies, governments, civil society organisations, and the private sector to share perspectives on priorities for WSIS beyond 2025 and shape the agenda for the upcoming event.

Key Themes and Agreements

1. Multi-stakeholder Collaboration and Inclusivity

There was broad consensus on the importance of maintaining and enhancing the multi-stakeholder approach that has been central to WSIS. Speakers such as Thomas Schneider, Ambassador of Switzerland, emphasised that multi-stakeholder collaboration is crucial for WSIS implementation. This sentiment was echoed by other participants, including Anriette Esterhuysen from the Association for Progressive Communications, who highlighted the importance of intergenerational and inter-institutional collaboration.

The discussion underscored the need to raise inclusiveness to a new level. Wallace S. Cheng from Global Ethics advocated for supporting local innovation, particularly in the Global South. Halima Ismaeel, a member of the Secretary General’s Youth Advisory Board, stressed the importance of engaging youth and focusing on emerging technologies. Other participants called for including the voices of refugees, displaced persons, and small and medium enterprises in the WSIS process. Fawad Bajwa suggested highlighting rural communities’ struggles to connect to the internet at the WSIS Forum.

2. WSIS Action Lines and Their Continued Relevance

Several speakers emphasized the ongoing importance of the WSIS action lines. While there was agreement on their continued relevance, discussions touched on potential updates to address new technologies and challenges. Gitanjali Sah noted that UN agencies are updating WSIS action lines based on their expertise. Some participants, like Renata, argued for the need to update the action lines, while others cautioned against duplicating efforts with other initiatives.

3. Global Digital Compact (GDC) and WSIS

The relationship between the recently adopted Global Digital Compact (GDC) and the WSIS process was a significant topic of discussion. Moaz from Saudi Arabia emphasised the importance of avoiding duplication with GDC implementation. Other speakers suggested using the WSIS framework to implement the GDC, with Torbjörn Fredriksson from UNCTAD advocating for leveraging existing UN mechanisms for this purpose.

4. Digital Rights and Equality

Several speakers emphasised the need to focus on digital justice and human rights in the digital context. Anriette Esterhuysen highlighted the importance of addressing the gender digital gap, a point that resonated with other participants. Paola Galvez, a youth representative from Peru, proposed creating a specific action line on addressing the gender digital gap. Felix Nyström stressed the importance of human rights mainstreaming in new initiatives.

5. Implementation and Resource Allocation

The discussion touched on practical aspects of WSIS implementation, with several speakers emphasising the need to streamline efforts and maximise limited resources. There were calls to focus on financing mechanisms for digital development and to set concrete targets for financing digital infrastructure in the developing world. Mr. Hossain highlighted the role of the Inter-Islamic Development Bank in supporting ICT development.

6. Role of UN Agencies and International Cooperation

Torbjörn Fredriksson emphasised the importance of UN agency collaboration in WSIS implementation and highlighted the role of the Commission on Science Technology for Development (CSTD) in the WSIS follow-up. Mina Seonmin Jun, the South Korea representative, highlighted the role of regional cooperation in advancing WSIS outcomes.

Open Consultation Process and Future Directions

Gitanjali Sah, the organiser of the WSIS Forum, explained the open consultation process for shaping the WSIS Forum agenda. She encouraged participants to submit proposals and suggestions for the WSIS+20 Forum agenda through this process by March 14. Sah also mentioned plans for a hackathon and the need for incubators for young innovators.

Thought-Provoking Comments

Several comments stood out for their potential to shape future discussions:

1. Thomas Schneider’s call to concentrate resources and build on the WSIS process in an inclusive and efficient manner.

2. Nandini from IT4Change’s emphasis on governing the internet as a global public good.

3. Anriette Esterhuysen’s reminder of the unique collaborative potential of WSIS across diverse stakeholders and geographies, and her suggestion to include the Tunis Agenda outcomes, particularly financing mechanisms, in the WSIS Forum structure.

4. Paola Galvez’s specific proposal for an action line on the gender gap.

Conclusion and Next Steps

The discussion highlighted the ongoing relevance of the WSIS process while also emphasising the need for evolution and adaptation. Key takeaways include the importance of maintaining multi-stakeholder collaboration, avoiding duplication with other initiatives like the GDC, enhancing inclusivity, and updating WSIS action lines to address new challenges.

Moving forward, participants suggested several action items:

1. Organising consultative sessions and brainstorming workshops at the WSIS Forum to gather stakeholder input on future directions.

2. Submitting proposals and suggestions for the WSIS+20 Forum agenda through the open consultation process by March 14.

3. Considering the inclusion of a specific focus on the gender digital gap in WSIS action lines or declarations.

4. Exploring ways to better include rural community perspectives in the WSIS process.

5. Integrating discussions on emerging technologies and their impact on digital development.

The discussion set the stage for continued dialogue and negotiation in the WSIS+20 review process, with a clear emphasis on collaboration, efficiency, and inclusivity in shaping the future of global digital cooperation and development. The upcoming WSIS Forum, which will also celebrate ITU’s 160th anniversary, promises to be a pivotal event in advancing these goals.

Gitanjali Sah: and also to all the virtual participants who have joined us today. We do know that many of our colleagues who couldn’t be here are with us virtually. So this is an open forum. If you notice on the website, we’ve listed quite a few speakers, but those are all of those who wish to make interventions. We already listed them as speakers online. So please do feel free to make your intervention once the co-organizers and co-hosts have spoken. So the idea of the meeting is to provide you with an update of our preparatory process for the WSIS Plus 20 Forum High-Level Event. It’s co-hosted with Switzerland, so we are very happy to have Ambassador Schneider with us, and it’s co-organized by ITU, UNESCO, UNDP, and UNCTAD in collaboration with more than 40 UN agencies who are working closely with us, and I can see many of you in the room. So thank you for being here with us. Before I begin to provide updates, I’d like to invite Ambassador Schneider, our co-host, to please welcome us and to give us some more information about what Switzerland is preparing for the event. Over to you, Ambassador.

Thomas Schneider: See how this works, yes. So good morning, everyone. As we all know, it is just a little over 20 years ago at the first summit of the Information Society in December 2003, where not just the representatives of all nations, but also lots of other stakeholders gathered together in Geneva and agreed on a shared vision for inclusive, people-centered, and development-oriented. information and digital society. In addition, we formulated 11 action lines and some other concrete targets that should help us to work toward this vision. And we have created various processes for dialogue, cooperation and partnership among all stakeholders in their respective roles. And this has allowed us to learn from each other. Today, however, we are not at the end of our work in cooperation, but still at the beginning, because new tools like digital platforms, social media, new technologies, including AI and the use of data have emerged and are promises, but also a new pitfall. So this means for us a call for even greater and more inclusive cooperation for improvement and strengthening existing mechanisms. 2024, we are at an important point in time in setting the course for the near future. The meeting on the Alps 10 meeting, which adopted the Stampaolo guidelines and the WSIS plus 20 forum high-level event this May in Geneva, which took stock of the implementation of the WSIS action line. But then we also have, as we all know now, the agreement on the Global Digital Compact, which should outline shared principles for an open, free and secure digital future for all. But this is again not the end. It is rather the beginning of a process that should lead us to some bigger decisions, even bigger decisions at the end of next year, because next year we’ll have the WSIS plus 20 overall review by the UN General Assembly at the end of the year. But before that, we’ll have a number of events and processes that run up to this. There’s an important meeting of the CSTD, the UN Commission on Science and Technology for Development, which has a key role as focal point for the UN system-wide follow-up to the WSIS. And of course, we do have important events. Facilitated by the ITU, UNESCO and other specialized agencies together with other partners which should all contribute to an inclusive WSIS plus 20 REU process where all voices from all regions over the world should be heard. We as Swiss have supported WSIS since 2003 and will continue to support all actors and processes that cooperate constructively to develop and implement WSIS goals. We are looking forward for this year’s WSIS plus 20 forum high level event that is taking place from 7 to 11 July in Geneva again like last year in parallel with the AI for good summit. Both events will be co-hosted by Switzerland and the ITU and its partners. Because there were so many people wanting to participate at these events, this year we had a queue that was going from the conference center to the Place des Nations which is something I have never seen before in Geneva. The whole thing will be moved to Palexpo which is a small place 5 minutes or 10 minutes away by bus or 5 minutes by train near the airport where we have much more space to accommodate all people wanting to participate physically and of course it is also possible to participate online. I think the most important of all these processes and the criteria that all the processes and events that we have leading up to the WSIS plus 20 REU for us is really inclusivity. We do not want just to hear a few voices from a few powerful stakeholders. For us it is important to give room. that as many stakeholders can express their views, their needs, in particular the ones that may not have the resources to follow everything. We really have to be mindful to support those stakeholders that are less resourced, that are struggling to keep up with everything that’s going on. And this again is why we strongly support the San Paolo guidelines, to support stakeholders that are normally not sitting at a table, that are normally not heard. For us it’s like this is the measurement for all the processes that we are seeing, that it’s not just something that we call multi-stakeholder approach, but it’s something that is actually a true, inclusive and meaningful multi-stakeholder approach involving everybody in their respective roles into these processes. Because we believe this is the only way to find and identify solutions that actually create win-win situations for us all and not just for a few. Thank you very much.

Gitanjali Sah: Thank you very much, Ambassador Schneider, and also for highlighting the real multi-stakeholder philosophy of the WSIS process. It’s really in the DNA of the WSIS process and we must continue to strengthen the WSIS Forum as a platform for this kind of engagement. And for those of you who haven’t read the chair’s summary from the high-level event this year, I’d like to encourage you to read it. It’s a really beautifully written document which also talks about the WSIS+. So please do have a look at it and do refer to it in your considerations of WSIS Beyond 2025. I’d now like to invite Cedric from UNESCO to give us a little bit of UNESCO’s perspective to the whole review process and some of the important timelines that we must consider.

Speaker 1: Thank you so much. Yes, now you can hear me. So let me start by thanking the co-hosts, Switzerland, but also ITU, for preparing for the last high-level event, but also for the next one. We will be co-organizing together with UNDP, with ACTAT, and for your remarkable leadership and commitment to this work. I have here a full speech prepared for the ADG, he has speech writers, but I’m asked to be short, and some of the elements actually Thomas covered already. For us, the multi-stakeholder nature of WSIS, I need to emphasize that, is really important, and I’m very happy to see such a full room here, and Torbjörn committed already early up in Geneva, online too, as one of our partners. What I found an interesting fact in the speech is that since 2009, over 120,000 participants from 160 countries participated, which is really impressive, and of course we have now the task of the WSIS review, but also of implementing the GDC, building on the existing WSIS mechanisms. And so that will be helpful for this kind of translation of the GDC into reality too. So UNESCO is fully committed to support this process. We are also working with all stakeholders to prepare for a conference, which was initially announced for mid-February, but is moved now to 4th, 5th June. I wanted to share that with you. I have a few flyers here on AI and digital transformation in the public sector, which is part of the WSIS plus 20. and I am pleased to listen to you mainly now and hand back over the mic to Gitanjali and ITU.

Gitanjali Sah: Thank you so much, Cedric, and thank you for being brief because the whole purpose of this meeting is to listen from stakeholders who are present here. Yuping, I’d like to invite you to say a few words from UNDP.

Speaker 2: Thank you so much, Gitanjali, and recognizing the need to be brief, I’m just going to say that, again, we’re so honored as UNDP to be here. As Ambassador Schneider said, we have new challenges, that’s the Global Digital Compact, but what is really very important and critical to the conversation is the fact that the WSIS outcomes and the action lines are so much more relevant today than ever before, and so we’re looking forward to the WSIS Plus 20 review as a chance to reflect on all these new developments while reaffirming the importance of what has brought us all together here today, of deep commitment to multi-stakeholderism, being open and inclusive, focusing on those who are most in danger of being left behind, and overall, and in essence, the most enduring importance of the WSIS process and the IGF itself. This is all in line with how UNDP sees a rights-based, inclusive approach to digital transformation and working together with everyone to ensure that digital is an empowering force for people on the planet. It’s an honor to be here with our fellow UNGIS and WSIS co-chairs. We’re at Switzerland, and the organizers, we look forward to having you as all part of this process, and we stand ready to fully support it.

Gitanjali Sah: Jiubing, Torbjörn couldn’t join us here physically, but he’s there with us virtually for all our WSIS sessions. Thank you so much, Torbjörn. Can I please invite you to say a few words as UNGTAD, over to you.

Torbjörn Fredriksson: Thank you, Geetanjali. Hello, participants, colleagues and friends. Good morning to you from Geneva. I also wish I would be with you in Riyadh on this important week. Let me start by thanking ITU for all its preparations for the next WSIS Forum 2025 and for rebranding it to the WSIS plus 20 high-level event. I think it’s going to be the 16th time that we hold this together now in Geneva. Many thanks also to Switzerland for co-hosting the event. From the perspective of the UN trade and development, this is a very valuable opportunity for achieving an in-depth, multi-stakeholder and constructive dialogue on every relevant aspect of the 20-year review of the WSIS. The recent adoption of the Pact for the Future and the GDC add food for thought in this context. It is essential that the commitments made by member states in the GDC can feed into the discussion on the WSIS plus 20 review and any decision on what will come after and at the end of 2025. At the same time, as we consider how best to support the implementation of the GDC, we need to fully harness the existing mechanisms that we have already set up as a result of the WSIS. This includes the very good division of labor that is established in the WSIS outcome documents, the Partnership on Measuring ICT for Development, the UN Group on the Information Society, the ITU stock-taking database and various other initiatives. And in the case of UNCTAD, we can also leverage the E-Trade for All initiative as well as E-Trade for Women in this context. The Commission on Science Technology for Development, which is responsible for the overall follow-up on the WSIS implementation, was also given a new role in the GDC. I would urge all stakeholders this year to focus attention on what should be done to make sure that we achieve effective results from these various mechanisms and forums. Our collective work towards building a, as we said, a people-centered, inclusive and development-oriented information society is far from complete. Digital and e-commerce device, for example, remain very wide and some are actually growing. In the coming years, we need to give added attention to how to make the digital economy and society more inclusive and more sustainable. The WSIS plus 20 high-level event here offers a very good platform to explore the ways we should go to meet this challenge. We look forward to co-organizing it together with ITU, UNESCO, and the UNDP co-hosted with Switzerland. Thank you very much.

Gitanjali Sah: Thank you, Torbjörn. I’d now like to move on to my presentation. If you put it in full screen, so we could put it in full screen, presentation. Okay. So, thank you very much and the clicker doesn’t seem to work. Okay. So, colleagues, just a gentle reminder, who in the room are very familiar with the WSIS process, but just to remind you of the important milestones that have brought us here in 1998, in ITU’s plenipotentiary conference in Minneapolis. Tunisia proposed this framework of the WSIS process in 2001. There was a UN General Assembly resolution that requested that WSIS is organized in the two phases, one in Geneva and first one in Geneva, that came up with the Geneva Plan of Action, and the other one in Tunisia in 2005. We started with the cluster of WSIS related events. So, this was the WSIS forum, which was rebranded into the WSIS forum in 2006. We had the UNGA overall review in 2015, where our mandate was decided to be updated till 2025. In 2020, of course, also in 2015, we had the SDGs. So we started aligning the WSIS goals. 2025, we will have the WSIS high-level event. We will have the UNGA review. So the resolution says that there should be a high-level event. And of course, there will be a resolution that will be adopted in 2025, which will then highlight the future of the WSIS process beyond 2025. So the governance structure of WSIS, you often hear this myth in New York that WSIS doesn’t have a governance structure. Of course it does. And it starts in New York. We have the UNGA resolutions. We have the ECOSOC resolutions. This chief executive board, through the organizations group on information society, the CSTD, the annual WSIS forum, the annual IGF, the UN agencies mandated to implement the WSIS action lines, UN regional commissions on the ground, WSIS prizes, WSIS stock-taking database, the partnership, which is so crucial, UN-DESA, UNESCO Statistical Committee, ITU, and so on and so forth, and the WSIS special initiatives. We are guided by our WSIS action lines. And if you look at the WSIS action lines, it’s a beautiful framework that covers the entire gamut of information and communication technologies, right from ICT infrastructure to cybersecurity to e-governance, and the beautiful framework that each UN agency, based on their respective mandates, actually lead the implementation of the action lines. For example, ITU leads ICT infrastructure, cybersecurity, capacity building with UNDP. and e-business is done by UNCTAD, along with UPU and IDC. Of course, UNESCO has several action lines that cover the whole knowledge society’s part. So it’s a beautiful framework of the UN in action. So a lot of work is being done there. There are more than 30,000 projects aligned with the sustainable development business action lines in the WSIS stock taking database. Now, as all the panelists before me said, multi-stakeholderism is the key principle of the WSIS framework, the UN framework called WSIS. If you look at it, we have our UN colleagues, we have the countries, we have young people who are following it. We have representatives from the technical community, the civil society, private sector, all have played a very passionate role in the implementation of the WSIS action lines since its inception. So we want to keep the spirit and the momentum alive. So this is our wheel of implementation. I already touched upon it. The WSIS action lines, WSIS forums, stock taking, UNGIS, great implementation action wheel, which is already working very well, and all stakeholders are working together to implement it. Now, we heard about the GDC and the GDC, we are very happy that it has been endorsed and it’s already in action, but just we have a lot of similarities with the WSIS process, you know, capacity building, protection of human rights, innovation, knowledge sharing, ethical use of technology, AI inclusivity, bridging the digital divide, promotion of international cooperation. So you can clearly see that, of course, there was always an alignment and the UN group has actually worked on a matrix which is available online. to map the WSIS process and the 2030 agenda with the GDC principles and the existing framework that is already available to implement the GDC. The UNGIS group, those of you who have not heard of it, we are a group of UN agencies and the chief executive board ensuring that digital always remains an important mandate in all of our agendas. So what have we achieved since 2003? You know WSIS has targets. If you go to the WSIS outcome documents, we have very basic targets. Connecting the schools. So if you look at the Giga maps, 280,000 plus schools are connected but we really need to do a lot more work. 65% of women are using the internet. 79% of youth are using the internet. We are working with WHO to collect the data for how many hospitals are connected and 5.5 billion people are online. So these are great achievements but we need to address the gaps, you know, and the new gaps also that have been coming up. So WSIS has continuously evolved with, you know, emerging technologies. You know, the action lines have provided a very very sound framework to include and adapt to the emerging trends in technology. So save the date. Ambassador Schneider already informed us we are moving to Pal Expo Geneva 7 to 11 July. Please do book already if you can because you can cancel them later in case your plans change but do book them because last year some of you did have problems when you waited till the last minute. So please do book them. Do register soon. Registration will be open and as WSIS is a UN process we will have accreditation and visa support from Switzerland. So we are working on all of that closely with and it will be all available very soon. So our objectives, you know, this year, we use the WSIS plus 20 high level event to kind of look at what we’ve achieved in 20 years. But next year, we should definitely look at beyond. We really want more consultative sessions, more outcomes, and really concrete actions and suggestions from all stakeholder communities, the private sector, civil society, technical community, governments, UN system, what are we doing beyond 2025? So we really need to start thinking and engaging. So our agenda is built through an open consultative process. This is one of the venues where you have to provide your suggestions, but there is an online form that you should be filling up and submitting your suggestions until the 14th of March. So based on this, we will be building our agenda and program. So the open consultation process, the next one would be in February, 11th of February at the ITU headquarters. After that, in April, we still don’t know the date. And then on 10th of June, we will be having the final brief. Draft agenda, this is how it kind of looks like, very, very draft Monday. So we are still waiting for the inputs through the open consultation process, but this is kind of the skeleton and we will upload this presentation on the website so you can take it from there as well. Consisting of high-level tracks, interactive sessions, WSIS prizes, hackathons, ambassadors and regulators roundtables, the UN in action exhibitions, and of course, the 20-year celebration. We must celebrate what we’ve achieved. Key topics that we hear of, the Youth Day, Halima, our youth envoy. more about it. This is plus 20 review, business and academia roundtables, the gender track, extremely important for all of us here. UN focus on the implementation of the action lines and civil society roundtables. So high level track, as every year we will have head, we are also looking at the participation of heads of states this year. We have received several, you know, we have received several interests I can say, because we will also be celebrating the ITU’s 160th anniversary during the AI for Good and the WSIS high level event. So of course you heard about the database, this is a beautiful database by the people and for the people, we are just the means to, you know, we’re just providing a platform, it’s searchable by all these categories, it’s really a wealth of information about what’s going on in the ground. The WSIS prizes, I can already see so many of you have been champions and winners sitting in this room, please do not forget to submit before the deadline, it’s 10th of February. Very interesting, we want to capture your WSIS story. So please participate in this campaign, it’s a social media campaign, join us on what WSIS has done to impact you or the lives, your lives or your organization’s lives in 20 years. So we did have this story from Marcus, but it doesn’t work, can we try it once please? Colleagues, could we try to see if you could click on play and if people can hear it? Can you hear it? Okay, so I’ll leave this presentation online, we had Marcus’s story and we have Wendy’s story from the Dominican Republic about how WSIS has impacted their lives and their organization’s course, of course. So, colleagues, WSIS is extra budgetary at the ITU. We always look for partnerships, and in terms of the partnerships, we do give visibility at the WSIS Forum. So we are very thankful to those of you who have already confirmed your sponsorships for WSIS. I don’t think I can take your names yet because the agreements are being signed, but thank you so much. You know who I’m talking about. Some of them are still open, so please do get in touch with me in case you would like to be visible at the high-level event. Again, a quick reminder for the calls, the open consultation process. If you want workshops, exhibition spaces, if your high levels are coming, please do inform us. The WSIS stock-taking database, register your new projects there. The WSIS prizes, the deadlines coming up, photo contest, which I didn’t talk about, but we have a really wonderful repository of photos from the ground, of people implementing WSIS on the ground. So if you’d like to use it for your presentations, for your reports, please feel free to use them. The WSIS special prizes, hackathon, we are planning to do a hackathon on gender-disaggregated data on health, and if any of you are interested in it or have other suggestions, please contact us. So I’ll stop here now. Well, there are some slides on the review, which I can probably go through very quickly, but I’ll leave this presentation online. So some of the important timelines identified during our weekly meetings, we have a joint preparatory process of ITU, UNESCO, UNCTAD, UNDP, and UNDESA. The milestones, of course, starting in SDG Digital in 2023, it goes on. The next one would be the IGF in Norway, then the CSTD review, the Paris phase, 4th to 5th June. Cedric spoke about Geneva WSIS plus 20 high level event and culminating in New York. All of us are already doing a lot of work, the ITU already has a Secretary General’s roadmap for WSIS plus 20, the UNESCO has a report of the DG and the CSTD will come up with the WSIS plus 20 report very soon. Maybe I can then very smoothly pass on to Cynthia if our chair would like to explain.

Cynthia Lesufi: Thank you and good morning to everyone. Yes, colleagues, you will recall that in the 2024 council, the council members adopted a resolution and in that resolution we included an invitation to contribute their views on the work of the ITU in the WSIS plus 20, relating to the review of the WSIS action lines and in that resolution we also approved a timeline and in terms of that timeline, the ITU was supposed to issue an online form which was indeed launched in August 2024 for all stakeholders to then respond to the call and the deadline for that is the 31st of January 2025 and following that we then had the first physical meeting which took place in October 2024 of the council working group WSIS and SDG and the next item will then be happening in February 2025 with the council working group on WSIS and SDG holding its second physical meeting and then we will then move to the 7 to 11 July 2025 where we will be having a side event during the WSIS plus 20. a high-level event in 2025. Thank you.

Gitanjali Sah: Thank you, Cynthia and South Africa for being such a close partner of the process. Also, just to remind all of you, the UN has been working on updating the action lines in terms of content. So each UN agency, based on their expertise, has already updated the action lines based on the evolution of the context, the 20 years of achievements. I would really like to encourage you to visit the page on WSIS Forum, WSIS Plus 20, and have a look at this wonderful work that our colleagues have done. We are now opening the floor, of course, and passing on to our vice chair, South Korea, from Council Working Group on WSIS and SDGs. Mina, the floor is yours.

Mina Seonmin Jun: Thank you, Kitanjali. I was going to share a bit of the updates in our region with you. So as you know, Asia-Pacific regions are large and diverse, both geographically and culturally. So it includes advanced economies and less developed countries, and as well as nations with unique geographical challenges, as you know. The small island developing countries and the land of developed countries. So this diversity creates a unique digital landscape for offering both significant opportunities and challenges. So we all work together. So we all put our work together. So over the past 20 years, this region has made a significant progress in advancing the WSIS outcomes, thanks to the collective efforts of member states, and ITU, and other WSIS co-positors, and then many other stakeholders. So this collaboration has led to remarkable achievement in ICT infrastructure development, digital inclusion, and adoption of emerging technologies. So I will continue to explain more at our next session, but I just want to briefly share with you. Thank you.

Gitanjali Sah: Thank you so much, Meena. Also have Brett. She, APC, has been leading the work on the ground, so much of research, so much of implementation on digital for development, ICTs for development.

Anriette Esterhuysen: Over to you, Anne-Marie. Thank you very much, Gitanjali. Association for Progressive Communications is an international network of member organizations from around the world. We work in around 70 different countries, and we have been part of the WSIS process from the outset. We are a co-facilitator, which I think is quite a unique little bit of history that we sometimes forget, that the non-state actor and a non-UN agency as a co-facilitator, together with the ITU. I just think for civil society, particularly those from the global south, this is a very good opportunity. Can you hear me? To refocus, can you hear me now, on what is so unique about the WSIS vision, is that it integrates a human rights-based approach to development, to social and economic justice. It is about a people-centered information society, not a digitally-centered information society. Already, APC, along with IT for Change, has initiated a new forum called the Global Digital Justice Forum, which is bringing together primarily, but not exclusively, civil society from the global south. to use this opportunity to launch a revived digital justice agenda. I think WSIS is also for us, as a multi-stakeholder community, an opportunity to find the kind of community and collaboration, the North-South, business, tech, civil society, UN, government solidarity, which I think is important. It’s not just about multi-stakeholder collaboration, it’s also about international collaboration and international solidarity. Just to say that I think, I mean, one proposal I would make, I think it’s incredible that you’ve already, that UNGASS has already done this analysis, that combines the GDC objectives with the WSIS action lines. And one suggested, we’ll submit it, but I want to make it now already. I think, to think of using the WSIS forum, to have your high-level component, which is so useful to bring governments to the WSIS forum, but to have an event design approach, where you actually work, rather than have lots of workshops, to bring the community together, to validate the work that the action line facilitators have done, in updating the action lines, to assess how that relates to the GDC objectives, and have maybe an open space or a thematic track proposal, where instead of people just all presenting their own workshops, they actually assess, analyze, what have we achieved, where are the gaps, and then look at those action line updates that the UN agencies have prepared, and comment critically and creatively on those, so that we leave the WSIS forum, not just with a set of discrete workshops, but active output, that can inform both GDC implementation and the WSIS Plus 20 review.

Gitanjali Sah: Thank you very much, Anurag. Indeed, we were thinking of doing that, some knowledge cafes, brainstorming sessions with the Action Line facilitators and this community to look at all this work that has been done. So thank you, but please do submit it through the form as well. Is Cheryl here? I do not see her here, but Cheryl from USCIB, because she had no. Could you please check if she’s online, Cheryl? In the meanwhile, we’ll move on. I can already see many here. Many represents ICC, International Chamber of Commerce. This has been the private sector arm of the WSIS process right since its inception. So many, what are your plans and what is the vision of ICC for WSIS beyond? Over to you.

Meni Anastasiadou: Thank you, Gitanjali. And yes, as we just said, I’m from the International Chamber of Commerce. I’m a digital policy manager representing ICC and we are the international business organization. We represent over 45 million businesses across 170 countries and this has been a very long process that we have been part of since the outset and we value extremely from a private sector perspective. We will be at the WSIS Forum next year. Of course, it’s a crucial year as we are preparing ourselves ahead of the WSIS Plus 20 review and we’re really looking forward to make sure that we bring them at sector, make sure that all the people are and we really ensure a strong, let’s say, preparation ahead of the review. So there are a few considerations that we really consider, let’s say, crucial and ahead of the WSIS Plus 20 review. On the importance of the information technologies and the Internet and how those really hold enormous potential for social and economic growth. And of course that this potential, this very potential can only be unlocked when there is multi-stakeholder collaboration across governments, civil society, business, the technical and the academic community. And those all have held true through WSIS, through the WSIS Forum that really tracks the progress made over the past year since the WSIS first took place in 2003 and then in 2005. And we really do see the WSIS Forum as a valuable component in the process of really tracking the progress made and making sure that we are headed to the right direction. So again, as business, we are really taking our role seriously in advancing the WSIS Action Lines and we will make sure to be present at the WSIS Forum to work with the governments on the ground, to work with all the stakeholders on the ground, to inform and partner together, to inform the process and partner together for really ensuring outcomes that serve everyone’s interests. So just to reiterate our support for the WSIS Forum next year, we will be there and we’re looking forward to the discussions that will be taking place. Thank you, Vitanjali.

Gitanjali Sah: Thank you so much, Mani. We look forward to the private sector brainstormings and the consultative sessions. So Cheryl is from the United States Council for International Business. She was supposed to be here, but she’s not here. But they have already informed us that with you, they will be doing some consultative sessions, bringing the business perspective to the WSIS Beyond 2025. So thank you so much for being here with us. I also see Renata from Brazil. Renata is also our vice chair representing the region. So Renata, some perspectives from your region, please.

Speaker 3: Hi, good morning for all. Actually from, can you hear me? Yes? Sorry, because my channel just changed here, sorry. From our perspective, we are also aligned about the need to update the action lines for this moment now, so we have new and emerging technologies that we need to be considered, and also the sustainable and green technologies, all of these I think that we have to consider to make a good WSIS plus 20. And about the collaboration, I also believe that the multistakeholder environment is important, and the collaboration between government and private sector and civil society, they are all very important to continue to have a unique, open, free internet. That’s our goal that we believe. So I think that it is. Thank you very much. Thank you, Renata. We have a remote participant who wants to say something. Nandini, our remote participant. Nandini, if you could please bring her in. Hi, are you able to hear me? I can hear you. Yeah, I am Nandini from IT4Change. Thank you for the opportunity to contribute to this session. So we just wanted to say that in the context of the GDC adoption and when we are going into the WSIS plus 20 review in this context, there are a set of issues which we feel the review process needs to look at. To begin with, I think it’s important to again put on the table that the foundational principle is of governing the internet as a global public good and not as a utility. And this issue should be brought up again. And the second issue is that when we look at the question of the digital divide, we see that the digital divide is continuing to yarn wide. And today, there are not just divides in connectivity. But there are also new divides in data capabilities, and the opportunity to design concrete targets for financing for development mechanisms to build digital infrastructure in the majority world must be put back on the table. When we look at the action line on the ethics in the information society, we need to reinvigorate this to look at how we can protect and promote human rights in the digital context, effectively in the context of market concentration and corporate accountability for human rights violations in digital value chains. Finally, we need a data and AI constitutionalism at the global level urgently, and the issue of digital gene sequences and digital biopiracy, and how this is changing the implementation of the biodiversity convention today is a good exemplar for this. And how do you govern cross-border data flows from a development justice basis, and you reconcile the political quest for digital sovereignty as infrastructural autonomy with data and AI standards development processes, these issues become important. Considering that many of the issues are now channeled through enhanced cooperation processes for which the Global Digital Compact has paved the way, I think it’s absolutely essential given this is digital multi-stakeholderism principle to look at how we can expand the role of the UN Internet Governance Forum, and how can IGF fulfill the mandate given in paragraph 72 of the business document in this new context. This might become a critical issue for us to discuss towards the business review. Thank you so much.

Gitanjali Sah: Thank you. I would now like to invite Mr. Hossain from the Inter-Islamic Development Bank. Over to you, sir. Okay, so,

Speaker 4: thank you, first of all, for inviting. the Islamic development to this open concentration process and as one of the MDBs we are so concerned about the ICT and digital sector and the bank has drafted its ICT sector policies which have four main pillars including infrastructure and regulations and mainstreaming ICT in all development sector and this is the pillars of the of the policy is fully aligned with the forces action plan and if you see the listed action lines in the first presentation and our main focus areas is fully aligned with this action lines of forces we see that the partnership is a key success because as an MDB we found that there is huge requirements in terms of finance and private sector involvement is a must and because of that especially at the south-south institutions we are having 57 member countries most of the member countries in the south so we see that capacity building and development regulations for promoting private investment is a key and because of that we have many programs in the capacity development and in development the capacity and the regulations of the least developed countries to promote the private investment in the sector and also we have some modality for the partnership and sharing of expertise from the countries in the north or even in the south to some of the least developed countries in this sector So, with that, we see that private investment and development of regulations in addition to building some of infrastructure is the key for development of this. Thank you so much. Thank you.

Gitanjali Sah: Thank you, sir. And we look forward to seeing you at the forum. Sweden has the floor, Felix, over to you. Thank you. It’s working. Hi, everyone.

Felix Nyström: My name is Felix from the Swedish Ministry of Foreign Affairs, based in – you can’t hear me. Like this. It’s better. Good. Thank you. Based at our mission in Geneva. From our side, obviously, we fully support the multi-stakeholder model embodied through the WSIS process and the IGF and are excited about the important WSIS events and milestone of 2025. A lot of momentum in this process now since the adoption of the GDC, which Sweden was proud to co-facilitate together with our friends from Zambia. As you may know, the modalities of the new Office for Digital and Emerging Technologies, the follow-up of what was called OSET, is now being discussed and debated in New York. From our perspective, it’s important to avoid duplication, as we’ve heard from others here in the room. There is already a lot of important work being done by various UN agencies, and as I said, we want to avoid duplication in that regard. Additionally, another priority for us is is the, what’s the word, ensuring, I mean, human rights mainstreaming across these new initiatives being taken. We’re excited about the new AI dialogue that was proposed in the GDC and AI panel, and importantly also the new AI advisory board envisioned to be organized by the OHCHR. So that’s it for me. Thank you.

Gitanjali Sah: Thank you very much, Felix. I think UK has the floor. Craig. Thank you, Kisanjali. Good morning, everyone.

Craig Stanley-Adamson: My name is Craig Stanley-Adamson. I am the Head of Internet Governance at the UK Department for Science, Innovation and Technology. My comments are largely around the process, particularly in the run-up to the high-level events next year, but I would like to touch upon a couple of the points that have been made today. First of all, just to say that I fully agree with my Swedish colleague and many others around the room about avoiding the duplication of the GDC, but of course we accept that WSIS will play a strong role in implementing this process, as well as delivering its other processes such as the SDGs. I want to touch upon some of the comments that are made on the action lines. Whilst these are obviously crucial, and of course these were made 20 years ago, we should be a little bit cautious about how we approach them. For example, they were designed as deliberately agile and tech-neutral at the time, which means that they can stay current to this present day and beyond. So instead, we need to look at how we frame the outcome of WSIS document around the impacts of these technologies in a particularly future-focused and action-oriented way, which can also ensure that these action lines remain current going forwards beyond 2025. So touching upon the process that we were talking about earlier, and thank you Gitanjali for your presentation. and the UK hugely welcomes the fact that the UN family is fully joined up during this process, which is a great start. We obviously fully support the multi-stakeholder process and participation behind this, and I think for us the crucial element to this alongside all of these events that are going to take place over 2025 is the role of the co-facilitators. Of course they’re not permed, they don’t know who they will be just yet, but whoever they are will play a key role in this process. So one thing that I think could be really important for the high-level event in July next year is for them to be present at this event alongside all the other events that are taking place, including the IGF. They need to make sure that they get a true audience with the multi-stakeholder community, and I think one thing that’d be really crucial as well, and this would be interesting to get views from UN agencies, is whether they can work together with the co-facilitators to ensure that there is some form of issues paper to be presented at either the UN IGF or the high-level event in July, so that’s not just countries but all stakeholders have an opportunity to comment ahead of the process that will take place later in the year. So yeah, thank you very much.

Gitanjali Sah: That’s a wonderful idea, Craig, and I’ve put up the timeline slide and I missed that part, Craig, so thanks for bringing it up. The appointment of the co-facilitators is like, it should have been done yesterday perhaps, so it’s really urgent and that would be really a nice direction that the WSIS process would take, so we’re all waiting for that actually, yeah. I’d now like to invite Global Ethics, Mr. Wallace, and Global Ethics, it’s a baby of the WSIS, right? Tell us more about it.

Wallace S. Cheng: Thank you, thank you very much, Chidangali. As you said, for some of you who are not familiar with Global Ethics, Global Ethics is a foundation based in Geneva with global presence. We started as one of the outcomes of WSIS with the objective to promote access to knowledge and ethics of ICT. So I just want to make one point to compliment what we have heard, is that inclusiveness was highlighted in the beginning of the process, and 20 years later, I think the inclusiveness need to be raised to a new level. Not go beyond from workshops and dialogues, but move to encourage, support local innovation. For example, we thought about how we can, someone already mentioned how we can identify the gaps of those local innovation in Global South, how to build a matchmaking platforms between Global South and North, between business and civil society, between innovators, local innovators, and with philanthropy, with government, with multilateral banks. I think my, just to conclude, I think there’s opportunity for us, all work together to raise the inclusiveness to a new level. Thank you.

Speaker 5: Oh, Wallace, if you could just pass the mic to Samia, World Bank, she’s just behind you. Samia? Okay, Samia. Oh, it’s for me. Yes. It’s, yeah, but I’m not World Bank. Yes. Well, is Samia in the room? Apologies, too many. Okay, so. In any case, in one, just one minute, just to say that I’m from UNEWGO, not from World Bank, but yes, we fully support, we have been cooperating strongly in all these processes. We will keep doing the same. We are living a crucial moment. We need indeed, and a lot of colleagues already mentioned in the room, we need to create some organization and create some clarity about all these instruments. can be used to achieve what we want. I think this is one of the strongest messages that I’ve been hearing since the beginning of this event. Thank you very much.

Gitanjali Sah: Thank you very much, Delfina, from United Nations University. Apologies for that. We also have Halima, our Secretary General’s Youth Advisory Board member. So Halima, what’s the youth perspective you want to bring in and how can we make our Youth Day at the WSIS Forum more active and action-oriented?

Halima Ismaeel: Thank you for your invitation in this room. And I would appreciate the Youth Day that will be during the IGF during the WSIS next year. I have two concerns to be raised. Firstly, the first thing is the digital devices rely on scarce resources, contributing to a digital e-waste crisis with inadequate recycling efforts. So I think WSIS must recognize the role of reusable global goods in achieving these goals. I think WSIS and the WSIS process should focus on this thing. The second thing I want to mention is the WSIS process is always focusing on AI and IoT. There are new emerging technologies to be focused on, like the digital twin technology and biofiber technology. For example, when I’m working on submarine cables, if any cables need maintenance, there is a technology to auto-repair the damage of the cable. So I think we should focus on this thing. The third technology I want to mention is subspeed spectrum management. I think this is a modern topic that we should focus on. So, I think engaging youth in Davos is a good thing, and thank you.

Gitanjali Sah: Thank you so much, Halima. You brought so many important points into the conversation, so please submit your inputs through the open consultation process, because that’s how the agenda is built. It has a bottom-up approach, and oh, hello, Maud, I just noticed that you were here. Thank you. Thank you for joining us, and as the host, Maud, and always one of the strategic partners of the WSIS forum, Saudi Arabia, would you like to please say a few words?

Speaker 6: Thank you so much, Chitangeli, and good morning, everyone. It’s good to be here with you, and I see many familiar faces here in Riyadh. I welcome all of you again, and I hope all of you enjoy your good time. Of course, the GDC and the WSIS, it’s a very critical subject at the moment, and as we heard already, the GDC was adopted with a very ambitious target and objective, and we wasn’t expecting such a successful outcome from the United Nations. I’m sorry, I’m not feeling comfortable to talk from that point. So the challenge, in my point of view, is the implementation part of the Global Digital Compact. So if we leave that section of the GDC, it’s not clear who exactly will implement and follow up that process. So we have… the WSIS process, namely the IGF, the WSIS Forum, we have the CSTD, we have the TechInfo in New York, and of course we have the many United Nations agencies. All of them will contribute to implementation of the GDC. But here we have the risks. We have the risk of duplication, we have the risk of wasting the financial and the human resources from all sides, from the United Nations side and from the whole stakeholder, the private sector, the civil society. So it will be quite difficult for all of us to streamline and to follow up the implementation of the GDC. So now we have the WSIS Plus 20 review. I think it’s crucial for us, all of us, all the stakeholder, to make sure the main objective of the GDC, it should be implemented somehow with the WSIS review process. This is good for all of us to make our life much easier, to have a single window to follow up, to participate, to contribute. And of course, the many agencies and the TechInfo could be a part of this. So as you say, Gitanjali, many expertise, there will be assignment for the co-facilitator. And from my point of view, it’s good to focus. One of the good aspects to be focused on is how to streamline or how to maximize the collective efforts between the different GDC. I’m sorry, Gitanjali, dear colleague, I wasn’t prepared to take the floor, but this is a valuable chance to take any deliverable. Thank you so much.

Gitanjali Sah: Thank you very much, Moaz. And Saudi Arabia has had a very crucial role in the WSIS process, the success of the 20 years of implementation, so thank you very much for that. Ambassador Schneider, you want to?

Thomas Schneider: Yes, thank you. And I think it is very obvious looking at this or listening to the discussion. that the expectations are very high, also diverse, that we have a limited amount of time and a limited amount of resources to actually accomplish what we are hoping or trying to achieve. So I think it is, and just to follow up on what our Saudi colleague has said, we need to concentrate and focus resources, we need to try and bring the different threats together. Of course you can’t, there’s no one-size-fits-all, but I think it is crucial that we build on the existing structure, on the expertise of the UN specialized agencies in their fields, with their partners in all the countries and the network that has been grown, facilitated by a number of partners over the past 20 years, that the political vision of the GDC, if we create a new structure to try and implement this, it will take us another 10 years just to create the structure, so we have to, we have no choice, than building on the WSIS process in an inclusive way, and inclusive and efficient, sometimes not easy to combine, but I think we have to find a way. We have 20 years of experience with the WSIS framework, we know more or less what works, what is more difficult, and really have to concentrate on using this framework. In terms of substance, we will not have too much time to discuss about how do we, which action lines we need to transform or renew, but we may have to have some discussions on this, so that the framework is up to date, but I agree with many that it’s actually fairly technologically neutral, so we may not have to reinvent the wheel, but there are some new issues also identified in the GDC, but this is already being mainstreamed into the work of the ITU, of UNESCO, UNDP, of other institutions. We just need to bring this together in an open and transparent way. It’s not going to be easy, but I think together we can do it, we have to do it. Thank you very much.

Gitanjali Sah: Thank you, Ambassador Schneider, and for the passion. And you can, this is the reason why the WSIS process is so effective because of the passion of all the stakeholders working for more than 20 years. And we were reminded in the previous session, you know, we started from community radios, the open source movement, narrow casting, like basic technologies, you know, and we moved to AI, meta. So it’s really the world has evolved. And because of this passion and hard work of the community here. Sir, you had asked for the floor. Please introduce yourself.

Audience: Qusayr Shati from Kuwait. First, I would like to commend my dear colleague, Thomas Snyder. He’s 20 years my colleague, but I forgot his name. And we’re getting older, Thomas. We’re getting older. And of course, let me second the comments that has been said from our dear brothers from Saudi Arabia on focusing and concentrating the efforts. And of course, it was the comments also supported by my dear colleague, Thomas. In that regard, I just need a clarification. You have mentioned that there will be open consultations in 11th of February. And that consultation will be during the working group meeting on the WSIS and the SDG, the IT working group meeting. Usually the working group meeting is only for member states and sector members. Is the open consultation on 11th of February that will take place in Geneva will be multi-stakeholder or it will be only, just a clarification.

Gitanjali Sah: Thank you, sir. So basically we use the opportunity of all of you being in Geneva and we will have like one hour outside the council working group to expand it to the community to be present. So it will be not part of the council working group on WSIS and SDG. Yes, you can just come, you can just come for the meeting. I had seen a hand here and then I’ll move to Anirudh. Did you raise your hand, sir, or was it, okay, Giacomo. Thank you.

Audience: Giacomo Mazzone, I’m co-chair of the Policy Network for Meaningful Access at the IGF. I want to elaborate on what has been said by previous speakers, and it’s about the future of the process WSIS plus 20. Within the WSIS process, you are doing the same reflection that we are doing within the IGF. In the IGF, we are discussing not only about the renewal of the mandate, but about the change of the mandate. And I think that the change of the mandate could be an opportunity to reinforce the strength of the relationship between the WSIS and the IGF. There is a similar process going on within UNGIS on that. Good morning, everyone. Mike Colton from UNHCR, UN Refugee Agency. Just say we welcome this process, really looking forward to supporting as much as we can. With UNHCR’s digital strategy, its digital protection, its digital inclusion, and really information integrity is becoming more and more important. So with 120 million displaced and many stateless as well, we’d love to work with you to see how we can build those voices into the conversation, both at the event and leading up to the event. So happy to help and happy to build that in to get a truly multi-stakeholder approach here. Thank you.

Gitanjali Sah: Thank you, Mike. We really hope to see more of this work at the WSIS Forum. We have been connecting the refugee centers to the WSIS Forum in the past, and that’s been really successful. So that would be great if we could continue that and strengthen it. Thank you so much. Okay, Anirudh. And then we’ll take one last speaker, please.

Anriette Esterhuysen: Thanks very much for letting me speak again, Gitanjali. I just was inspired by Halima, and Mohad, and Thomas, that it is about not duplicating and not having poor use of resources, but it’s also about connecting people. It’s people and the institutions that they are in that implement, and I think what we have of the WSIS, I just look at this room, I see Tijani, I see Desiree, I see Fouad, you all know who you are, Raquel, there are many of you, Avis, who have been with this process since 2003, 2005, and are you not hearing me? Sorry. We’re hearing you twice. Yes, we are hearing you twice. Is there another mic around? You know what, this is amazing. Sorry, apologies. And I think that the power of WSIS is that you have this continuity, you have older people, and they are in this room because they are working, they are implementing on the ground. And then I’m here, we work a lot in spectrum and dynamic management about spectrum and with community networks. When I hear Halima talk about the power of undersea spectrum, I think that’s incredible. Small island developing states, what is there? There’s a potential. And I think we do need to bring new voices in, we do need to innovate, but I think our real power is this intergenerational, inter-institutional, and I suppose also inter-tech, the fact that the WSIS represents people that are still working in basic digital equality and access, but also engaging with new and emerging challenges. But then I just wanted to make one other reflection, which is more procedural. The WSIS has two outcome documents. It has the Geneva documents, the plan of action, which has the action lines. It also has the Tunis agenda, which includes financing mechanisms. And I’m just, of course, on internet governance. And I’m just wondering if we can’t this year in the WSIS Forum include those action lines in quotation marks, they’re not called that, those outcome areas and gender, how we design and structure the event. Because I think there is a concern about financing mechanisms, it’s in the pact for the future. It’s mentioned in the Global Digital Compact as well.

Gitanjali Sah: Thank you, Anirudh. All these comments are very well taken, but please submit them through the open consultation process. There’s a form. This is absolutely transparent because once we receive your request, it is put into the agenda of the event. And we also reflect all these inputs online. So we really want it to be like this transparent bottom-up approach. So submit all these inputs into the open consultation process. So, Anirudh, thank you. So, any last speaker? Okay, yes, sir. Thank you.

Audience: I think driving home the new faces approach, then we started participating in the WSIS only a few years ago. My name is Rian. We are from the Brazilian Association of Internet Service Providers. So small operators. And we really would like to participate in the consultations and make sure we’re also bringing the small and medium enterprises approach and view to the WSIS as well, because we play, at least in Brazil, we play a very important part, not only on ICT, but on infrastructure as well.

Gitanjali Sah: Thank you so much. This has been an important track at the WSIS Forum, small and medium enterprises. So you’re most welcome. We also do a hackathon every year, like I mentioned. So we have many innovations coming up and we are looking for incubators as well for all those. So if any of you are interested in incubators. incubating these really young, interesting talents that come out of the hackathons. We’ll be very, very happy to connect all of you. I maybe will close with the young lady I met during breakfast and she’s doing such amazing work, mentoring young women and girls over to you in Peru and in Paris.

Audience: Thanks so much. Good morning to everyone. My name is Paola Galvez. I’m Peruvian. I’m still young. And under the UN definition, I’ve been participating in the Youth Observatory of ISOC. I was Youth Ambassador in 2019. And I want to bring the perspective of South America as a Peruvian living now in Paris, but contributing from the Latino perspective. There is a lot to do still in terms of our future digital era. I truly believe that the future of the AI is in our hands. I think the Council of Europe AI Convention, it’s a huge milestone and sets the first step of having global standards on AI regulation. But there is a lot to do. And when I met Jiteng Ali during breakfast, she gave me a light in terms of, Paola, we need to think beyond 2025, right? And with that being said, the gender digital gap, it’s a topic that was brought by Ms. Doreen, by our host, our minister that did an amazing presentation on the Open Ceremony. So the numbers are there. I will not repeat them. But what can we do for that? My small piece is, yes, mentoring girls, because I do think we need to change the mindset so that they can go out of school thinking, yes, I can be part of the STEM sector. But if it’s possible, I would like to raise my voice and ask all the ambassadors that are here and policymakers so that we can have an action line on gender gap. I think it’s necessary, I have not seen it in WSIS, if it’s not in the declaration maybe having as an annex or I don’t really know the exact word the policy can make but let’s think about gender gap as a very important topic because only three out of ten professionals working in AI are women. The data that is being used to train the AI systems are not representative so please and we don’t need to be ambassadors or representative to make a change in that right so if in our respective roles we can do something like mentoring kids or sending proposals to consultations. I just finished the UNESCO AIRAM consultation process in Peru so there’s something we can do, let’s do it because those small steps make a change.

Gitanjali Sah: Thank you so much for this space. Thank you very much, we’ve actually run out of time

Audience: but very short, very short. Good morning, this is Fawad Bajwa, I’m from Pakistan. I had an organization which is called Digital Dera which connects rural communities to the internet and helps them capitalize on the power that the internet has brought. I’ve been with this community for over 20 years now, as old as the WSIS process. So over the years one thing we’ve you know there’s so many developments, so many representatives like you know all my friends over here including Thomas but one community which still feels left out is our rural communities and our rural community in my part of the world is 65% of the population. So a few years back when we went down to connecting these villages to the internet, we found that there was so much talent and so many perspectives that have never been heard. The review process also encourages us to look at, you know, what things have been either left out, been neglected, or haven’t been adequately included. And those are our rural communities. I would request the host country, as well as, you know, the international stakeholders, to have specific, you know, a village or an activity over there, which highlights the rural struggle to connect to the internet. Despite our 4G, 5G, 6G efforts, rural communities still, to date, remain disconnected. And they require an extraordinary attention, because they’re the other billions that we’re trying to work for and connect. So their representative is a must. The second thing I would like to offer is, I’ve been part of the National Incubation Centers in Pakistan, and the United Nations Population Fund and ITU, mentoring for startups. So I’m connected to that network, and I can volunteer and offer you that possibility for mentoring the kids, the youth, to actually build initiatives for the next 5-10 years, that would have a huge impact on the future of WSIS. Thank you.

Gitanjali Sah: Thank you very much. We’d like to end our session here, but in the same room at 11.30, we have an ITU session led by South Africa and our vice chairs. So please do be there in the same room at 11.30. Thank you so much. Bye-bye. Sorry to interrupt you, did you see I sent you a message? Yeah, I’m just reading it now. I haven’t seen it in so long. I mean, why the IGF and things are not mentioned? Why is IGF not here for this? What do you mean with that? Oh, the meaning of that is that the IGF, we’ve also been saying that the IGF needs to connect with business plus trade. But the IGF plays a very passive role in this. It plays a very passive role. Yeah. Yeah. Yeah. Yeah. Yeah. Yeah. . . . . . . .

Agreement Points

Importance of multi-stakeholder collaboration in WSIS implementation

Thomas Schneider

Renata

Anriette Esterhuysen

Multi-stakeholder collaboration is crucial for WSIS implementation

Need to update WSIS action lines to address new technologies and challenges

Importance of intergenerational and inter-institutional collaboration

Speakers emphasized the critical role of inclusive, multi-stakeholder collaboration in implementing WSIS goals and addressing new challenges.

Need to avoid duplication and streamline efforts in implementing Global Digital Compact

Craig Stanley-Adamson

Speaker 6

Torbjörn Fredriksson

Importance of avoiding duplication with Global Digital Compact implementation

WSIS framework should be used to implement Global Digital Compact

Need to leverage existing UN mechanisms for GDC implementation

Speakers agreed on the importance of using existing WSIS frameworks and mechanisms to implement the Global Digital Compact, avoiding duplication of efforts.

Importance of inclusivity in the WSIS process

Wallace S. Cheng

Halima Ismaeel

Unknown speaker

Unknown speaker

Need to raise inclusiveness to new level by supporting local innovation

Importance of engaging youth and focusing on emerging technologies

Need to include voices of refugees and displaced persons

Need to include small and medium enterprises perspective

Multiple speakers emphasized the need for greater inclusivity in the WSIS process, including youth, refugees, SMEs, and local innovators.

Similar Viewpoints

Both speakers argue for leveraging the existing WSIS framework and expertise rather than creating new structures for implementing digital initiatives.

Thomas Schneider

Speaker 6

Importance of building on existing WSIS structure and expertise

WSIS framework should be used to implement Global Digital Compact

These speakers emphasize the importance of addressing human rights and equality issues, particularly gender equality, in the digital context.

Anriette Esterhuysen

Unknown speaker

Need to focus on digital justice and human rights in digital context

Importance of addressing gender digital gap

Unexpected Consensus

Focus on rural communities in WSIS process

Unknown speaker

Wallace S. Cheng

Importance of including rural communities in WSIS process

Need to raise inclusiveness to new level by supporting local innovation

While most discussions focused on global or urban perspectives, there was an unexpected emphasis on including rural communities and supporting local innovation, highlighting a shift towards more inclusive development strategies.

Overall Assessment

Summary

The main areas of agreement include the importance of multi-stakeholder collaboration, leveraging existing WSIS frameworks for new initiatives like the Global Digital Compact, and enhancing inclusivity in the WSIS process.

Consensus level

There is a moderate to high level of consensus among speakers on these key issues. This consensus suggests a shared vision for the future of WSIS, emphasizing collaboration, efficiency, and inclusivity. However, there are still diverse perspectives on specific implementation strategies and priority areas, indicating the need for continued dialogue and negotiation in the WSIS+20 review process.

Different Viewpoints

Approach to updating WSIS action lines

Renata

Craig Stanley-Adamson

Need to update WSIS action lines to address new technologies and challenges

Importance of avoiding duplication with Global Digital Compact implementation

While Renata emphasizes the need to update WSIS action lines to reflect current technological advancements, Craig Stanley-Adamson cautions against duplicating efforts with the Global Digital Compact implementation.

Unexpected Differences

Focus on specific technologies

Halima Ismaeel

Anriette Esterhuysen

Importance of engaging youth and focusing on emerging technologies

Importance of intergenerational and inter-institutional collaboration

While both speakers emphasize inclusivity, Halima Ismaeel unexpectedly focuses on specific emerging technologies, while Anriette Esterhuysen emphasizes broader intergenerational collaboration.

Overall Assessment

summary

The main areas of disagreement revolve around the approach to updating WSIS action lines, the integration of the Global Digital Compact, and the focus on specific technologies versus broader collaboration.

difference_level

The level of disagreement is moderate, with most speakers agreeing on the overall goals but differing in their approaches. This suggests a need for further discussion and coordination to align strategies for WSIS implementation and review.

Partial Agreements

All speakers agree on leveraging existing WSIS structures for future implementation, but differ in their emphasis on how to integrate the Global Digital Compact with existing mechanisms.

Thomas Schneider

Speaker 6

Torbjörn Fredriksson

Importance of building on existing WSIS structure and expertise

WSIS framework should be used to implement Global Digital Compact

Need to leverage existing UN mechanisms for GDC implementation

Similar Viewpoints

Both speakers argue for leveraging the existing WSIS framework and expertise rather than creating new structures for implementing digital initiatives.

Thomas Schneider

Speaker 6

Importance of building on existing WSIS structure and expertise

WSIS framework should be used to implement Global Digital Compact

These speakers emphasize the importance of addressing human rights and equality issues, particularly gender equality, in the digital context.

Anriette Esterhuysen

Unknown speaker

Need to focus on digital justice and human rights in digital context

Importance of addressing gender digital gap

Key Takeaways

The WSIS+20 review process is seen as crucial for shaping the future direction of digital cooperation and development

There is strong support for maintaining the multi-stakeholder approach of WSIS

Participants emphasized the need to avoid duplication between WSIS and the Global Digital Compact implementation

Inclusivity remains a key priority, with calls to better engage youth, rural communities, and underrepresented groups

There is a need to update WSIS action lines to address new technologies and challenges while building on existing frameworks

UN agency collaboration and leveraging existing mechanisms are seen as critical for effective implementation

Resolutions and Action Items

Organize consultative sessions and brainstorming workshops at the WSIS Forum to gather stakeholder input on future directions

Submit proposals and suggestions for the WSIS+20 Forum agenda through the open consultation process by March 14

Appoint co-facilitators for the WSIS+20 review process as soon as possible

Consider including a specific focus on the gender digital gap in WSIS action lines or declarations

Explore ways to better include rural community perspectives in the WSIS process

Unresolved Issues

Specific mechanisms for implementing the Global Digital Compact through existing WSIS frameworks

How to effectively update WSIS action lines without a complete overhaul

Balancing inclusivity with efficiency in the multi-stakeholder process

Addressing financing mechanisms for digital development in the Global South

Role of the Internet Governance Forum (IGF) in relation to the WSIS process moving forward

Suggested Compromises

Use existing WSIS structures and expertise to implement the Global Digital Compact rather than creating new mechanisms

Focus on updating the framing and impact assessment of WSIS action lines rather than completely rewriting them

Balance high-level government participation with increased engagement of grassroots and underrepresented stakeholders

Leverage both UN agency resources and private sector investments to address digital development financing gaps

We need to concentrate and focus resources, we need to try and bring the different threats together. … we have to, we have no choice, than building on the WSIS process in an inclusive way, and inclusive and efficient, sometimes not easy to combine, but I think we have to find a way.

speaker

Thomas Schneider

reason

This comment synthesized many of the previous points about avoiding duplication and leveraging existing structures, while acknowledging the challenges of balancing inclusivity and efficiency.

impact

It helped refocus the discussion on practical next steps and the need to build on existing WSIS processes rather than creating new structures.

To begin with, I think it’s important to again put on the table that the foundational principle is of governing the internet as a global public good and not as a utility. And this issue should be brought up again.

speaker

Nandini from IT4Change

reason

This comment reframed the discussion around fundamental principles, challenging participants to consider the core purpose of internet governance.

impact

It broadened the scope of the conversation beyond practical implementation to include philosophical considerations about the nature of the internet.

I think WSIS is also for us, as a multi-stakeholder community, an opportunity to find the kind of community and collaboration, the North-South, business, tech, civil society, UN, government solidarity, which I think is important.

speaker

Anriette Esterhuysen

reason

This comment highlighted the unique collaborative potential of WSIS across diverse stakeholders and geographies.

impact

It reinforced the importance of inclusivity and multi-stakeholder approaches, setting the tone for subsequent comments about representation and participation.

The WSIS has two outcome documents. It has the Geneva documents, the plan of action, which has the action lines. It also has the Tunis agenda, which includes financing mechanisms. And I’m just wondering if we can’t this year in the WSIS Forum include those action lines in quotation marks, they’re not called that, those outcome areas and gender, how we design and structure the event.

speaker

Anriette Esterhuysen

reason

This comment brought attention to often-overlooked aspects of the WSIS process and suggested concrete ways to incorporate them into future events.

impact

It prompted consideration of how to more holistically represent WSIS outcomes in future forums and potentially influenced the structure of upcoming events.

But if it’s possible, I would like to raise my voice and ask all the ambassadors that are here and policymakers so that we can have an action line on gender gap.

speaker

Paola Galvez

reason

This comment made a specific, actionable proposal to address a critical issue (gender gap) within the WSIS framework.

impact

It focused attention on the gender digital divide and potentially catalyzed support for concrete action on this issue in future WSIS processes.

Overall Assessment

These key comments shaped the discussion by repeatedly emphasizing the need for inclusivity and multi-stakeholder approaches while also pushing for concrete actions and structural changes. They helped evolve the conversation from general updates and reflections to more specific proposals for the future of WSIS, particularly in areas like gender equality, rural connectivity, and leveraging existing frameworks. The comments also highlighted tensions between efficiency and inclusivity, and between practical implementation and broader philosophical principles, encouraging a more nuanced and comprehensive approach to WSIS’s future.

How can we ensure effective implementation of the Global Digital Compact (GDC) while avoiding duplication of efforts and wasting resources?

speaker

Moaz (Saudi Arabia)

explanation

This is crucial for streamlining efforts and maximizing the collective impact of various initiatives related to digital development.

How can we update the WSIS action lines to address new and emerging technologies while maintaining their tech-neutral nature?

speaker

Craig Stanley-Adamson (UK)

explanation

This is important to ensure the WSIS framework remains relevant and adaptable to future technological developments.

How can we incorporate the Global Digital Compact objectives into the WSIS review process?

speaker

Moaz (Saudi Arabia)

explanation

This integration is essential for creating a cohesive approach to global digital development.

How can we expand the role of the UN Internet Governance Forum (IGF) to fulfill the mandate given in paragraph 72 of the Tunis Agenda?

speaker

Nandini (IT4Change)

explanation

This is important for strengthening the IGF’s role in the evolving digital governance landscape.

How can we address new digital divides in data capabilities and design concrete targets for financing digital infrastructure in the majority world?

speaker

Nandini (IT4Change)

explanation

This is crucial for ensuring equitable digital development globally.

How can we create a data and AI constitutionalism at the global level?

speaker

Nandini (IT4Change)

explanation

This is important for establishing global norms and standards for data and AI governance.

How can we govern cross-border data flows from a development justice perspective?

speaker

Nandini (IT4Change)

explanation

This is crucial for balancing data flows with development needs and digital sovereignty.

How can we raise inclusiveness to a new level by encouraging and supporting local innovation in the Global South?

speaker

Wallace S. Cheng (Global Ethics)

explanation

This is important for fostering innovation and development in underrepresented regions.

How can we address the digital e-waste crisis and promote the role of reusable global goods in achieving WSIS goals?

speaker

Halima Ismaeel (Youth Advisory Board)

explanation

This is crucial for ensuring sustainable digital development.

How can we incorporate emerging technologies like digital twin technology, biofiber technology, and subspeed spectrum management into the WSIS process?

speaker

Halima Ismaeel (Youth Advisory Board)

explanation

This is important for keeping the WSIS process up-to-date with technological advancements.

How can we include the voices of displaced and stateless people in the WSIS process?

speaker

Mike Walton (UNHCR)

explanation

This is crucial for ensuring truly inclusive digital development that considers vulnerable populations.

Can we create a specific action line on addressing the gender digital gap?

speaker

Paola Galvez

explanation

This is important for focusing efforts on closing the persistent gender gap in digital access and skills.

How can we better include rural communities in the WSIS process and highlight their struggle to connect to the internet?

speaker

Fawad Bajwa

explanation

This is crucial for addressing the digital divide between urban and rural areas.

Summary

This panel discussion focused on closing the gender digital divide and promoting women’s inclusion in technology and digital spaces. Participants from various sectors, including government, international organizations, and civil society, shared insights and experiences.

Key barriers to closing the gender digital divide were identified, including lack of access to digital skills training, cultural and social norms discouraging women from tech fields, and lack of trust in women’s capabilities in the tech sector. The panel emphasized the need for multifaceted approaches, including regulatory frameworks, financial mechanisms, and community-driven initiatives to address these challenges.

Several concrete initiatives were highlighted, such as Namibia’s efforts to use existing infrastructure like libraries and post offices for digital skills training, and Estonia’s early digitalization journey that included creating computer classes in schools. The importance of role models and mentorship for women in tech was stressed, as well as the need to encourage women’s entrepreneurship in the sector.

The discussion also touched on the role of international frameworks like the EU Gender Action Plan and the Global Digital Compact in promoting gender equality in digital spaces. Panelists called for collaboration between public and private sectors, as well as civil society, to create inclusive digital policies and initiatives.

The panel concluded with calls to action, including encouraging girls to pursue STEM fields, supporting women-led tech initiatives, and ensuring online spaces are safe and respectful of human rights. Overall, the discussion emphasized the critical importance of closing the gender digital divide for inclusive economic growth and social progress.

Keypoints

Major discussion points:

– The persistent gender digital divide and barriers to women’s participation in technology

– The need for multi-stakeholder collaboration between government, private sector, civil society and communities to address the digital gender gap

– The importance of role models, education and skills training to empower women and girls in tech

– Regulatory frameworks and policies to promote gender inclusivity in the digital space

– Community-driven and bottom-up approaches to digital development that center women’s needs

Overall purpose:

The purpose of this panel discussion was to examine the challenges of the gender digital divide and explore solutions and best practices for promoting women’s inclusion and empowerment in the digital economy and technology sector.

Tone:

The overall tone was serious but optimistic. Speakers acknowledged the significant challenges but shared inspiring examples of progress and expressed determination to continue working towards gender equality in tech. There was a sense of urgency but also hope that through collaborative efforts, the digital gender gap can be closed.

Speakers

– Anda Bologa: Moderator, Center for European Policy Analysis

– Christophe Farnaud: EU Ambassador to Saudi Arabia

– H.E Emma Inamutila Theofelus: Minister for Information and Communication Technology, Namibia

– Roy Eriksson: Global Gateway Ambassador, Finland

– Kedi Välba: Chair for Europe of the D4D Hub Private Sector Advisory Group and CEO of Aktors

– Radka Sibille: Digital Counsellor at the EU Delegation to the UN, Geneva

– Ravin Rizgar: Founder and Director of Suli Innovation House

– Valeria Betancourt: Programs Manager, Association for Progressive Communication

Additional speakers:

– Peter Zanga Jackson Jr. : From Liberia

– Damilare Oydele: Works with Library Aid Africa

– Catherine Mumma: Senator from Kenya

Closing the Gender Digital Divide: A Multifaceted Approach

This panel discussion, moderated by Anda Bologa from the Center for European Policy Analysis, brought together experts from government, international organisations, and civil society to address the persistent gender digital divide and explore strategies for promoting women’s inclusion in technology and digital spaces.

The Scope of the Problem

EU Ambassador to Saudi Arabia, Christophe Farnaud, set the stage with sobering statistics, noting that globally, there are 244 million more men than women using the Internet. Moreover, women comprise only about 25% of the tech workforce, with an even starker disparity in leadership positions where women hold only 11% of executive roles. These figures underscored the urgency of the discussion and the need for concerted action across multiple sectors.

Key Barriers to Closing the Gender Digital Divide

Participants identified several significant barriers hindering women’s participation in the digital economy:

1. Limited Access to Digital Skills Training: H.E Emma Inamutila Theofelus, Namibian Minister for ICT, emphasised that the lack of opportunities for girls and women to learn essential digital skills is a primary impediment to closing the gender gap.

2. Societal and Cultural Barriers: Minister Theofelus also highlighted the religious and cultural obstacles that discourage girls from pursuing technical fields, noting that such career choices are often viewed as anomalies.

3. Lack of Trust in Women’s Capabilities: Ravin Rizgar, Founder and Director of Suli Innovation House, pointed out the pervasive lack of confidence in women’s abilities within the tech sector.

4. Underrepresentation in Leadership Roles: Radka Sibille, Digital Affairs Advisor at the EU Delegation to the UN in Geneva, stressed the shortage of women in tech leadership and decision-making positions.

5. Structural Discrimination: Valeria Betancourt, Programs Manager at the Association for Progressive Communication, highlighted the persistent structural discrimination and exclusion faced by women in the tech industry.

Strategies and Stakeholder Roles for Promoting Women’s Inclusion in Tech

The panel discussed various approaches to address these challenges and highlighted the crucial role of different stakeholders:

1. Targeted Education and Training: Minister Theofelus advocated for providing coding camps and digital literacy programmes specifically for girls, emphasising the importance of encouraging STEM education at every opportunity, including informal settings.

2. Leveraging Existing Infrastructure: Several speakers suggested utilising existing facilities like libraries, schools, and post offices to deliver digital skills training and provide internet access points, with Estonia cited as a successful example.

3. Creating Supportive Ecosystems: Ravin Rizgar emphasised the importance of establishing women-focused innovation hubs and support networks, as well as building trust between the private sector and women in tech.

4. Promoting Women’s Entrepreneurship: Kedi Välba, Chair for Europe D4D Hub private sector advisory group and CEO of Actors, stressed the need to boost women’s entrepreneurship in the tech sector.

5. Implementing Inclusive Regulatory Frameworks: Valeria Betancourt called for gender-inclusive regulatory frameworks to enable diverse models of connectivity provision, including community-owned infrastructure.

6. Government Initiatives: Minister Theofelus shared Namibia’s efforts to provide digital infrastructure and training.

7. Private Sector Partnerships: Roy Eriksson, Global Gateway Ambassador from Finland, emphasised the importance of private sector involvement in funding and supporting women in tech.

8. Community-Driven Approaches: Betancourt advocated for bottom-up, community-driven approaches to technology adoption that centre women’s needs and incorporate feminist principles in tech development.

9. Multi-Stakeholder Collaboration: Välba highlighted platforms like the D4D Hub that facilitate cooperation between different sectors to promote gender equality in digital development.

10. International Frameworks: Sibille discussed the role of initiatives like the EU Gender Action Plan in promoting gender equality in digital spaces.

The Global Digital Compact and Gender Equality

Radka Sibille highlighted the significance of the Global Digital Compact, currently being negotiated at the UN level, in addressing gender equality in tech. This compact aims to outline shared principles for an open, free, and secure digital future for all, with a strong emphasis on bridging the gender digital divide.

Importance of Women’s Empowerment in the Digital Economy

Speakers unanimously agreed on the critical importance of women’s digital inclusion:

1. Economic Benefits: Christophe Farnaud emphasised the potential economic gains from increased women’s participation in the digital economy.

2. Role Models: Roy Eriksson stressed the need for more women role models in tech to inspire the next generation.

3. Online Safety: Radka Sibille highlighted the importance of addressing online safety and human rights issues for women in digital spaces.

4. Improving Women’s Lives: Valeria Betancourt discussed the potential of digital technologies to enhance various aspects of women’s lives when developed with feminist principles in mind.

5. STEM Education: Minister Theofelus emphasised the importance of encouraging girls to pursue STEM education and careers at every opportunity.

Conclusions and Call to Action

The panel concluded with a strong consensus on the need for multifaceted, collaborative approaches to close the gender digital divide. Key takeaways included:

1. The necessity of multi-stakeholder collaboration between government, private sector, civil society, and communities.

2. The importance of community-driven, bottom-up approaches that put women at the centre of digital inclusion efforts.

3. The need to address deep-rooted cultural and societal barriers discouraging women from tech fields.

4. The critical role of targeted initiatives to support women’s digital skills development and entrepreneurship.

The discussion ended with calls to action from each panelist, urging all stakeholders to work together in implementing concrete measures to promote women’s inclusion in the digital economy. These ranged from providing targeted skills training and creating more inclusive regulatory frameworks to fostering women’s leadership in the tech sector and ensuring that digital technologies are developed with women’s needs and perspectives in mind.

Anda Bologa: . . . . . . . . . . . . . . . . . . . Good morning everyone once again. I’m Anda Bologa. I’m with the Center for European Policy Analysis, moderating this panel today. Thank you so much for joining. You made the right decision despite the fierce competition today. Our goal is to have a serious policy discussion on a very important topic, but at the same time kickstart this day with the right energy. Thank you so much for joining again. I will introduce now our distinguished panel and the keynote speaker. We have with us today Christoph Farnot, the EU ambassador to Saudi Arabia. He will set the stage for our conversation today and he has seen a lot in his long career as a diplomat and he knows very well that diplomacy, much like technology, is about bringing people together and this is what we’re trying to do today with this panel. Next we have Minister Emma Teofelis. She’s the Namibian minister for ICT and she is a bit of a rock star of this conference. With everyone that I spoke mentioned her. It’s extremely impressive. She’s one of the youngest ministers in the world and she also shows with her work that leadership is about determination and vision. Thank you so much for joining us today. Next we have Ambassador Roy Ericsson. He’s the Global Gateway ambassador from Finland and we talk a lot about building bridges at this conference and we use it as a metaphor, but Ambassador Ericsson is here to remind you that the Global Gateway Initiative is doing it quite literally and he will tell us more about it and tell how those projects are also open to everyone, including women. Thank you so much for joining us. Next we have Kedi Välba, Chair for Europe D4D Hub private sector advisory group and CEO of Actors. She comes from Estonia and as you probably all know in here, digitalization in Estonia is more than a buzzword. It’s a way of life and she She’s the one to tell us about how private sector and public sector come together and how ideas come into action. Thank you so much for joining us. Next, we have Radka Sibile. She’s the Digital Affairs Advisor at the EU Delegation to the UN in Geneva. I think each and every one of you that interacted with the UN knows how overwhelming this interaction can be with such a massive organization. Luckily, we have Radka here and she can make complex things seem simple and clear. Thank you so much for joining us and tell us more about how the EU there tries to turn commitments into real-world change for women. Thank you so much. Next, we have Ravin Rizgar. She’s the Founder and Director of Suli Innovation House. She is not only talking about innovation, she’s building it. She’s extremely impressive and she will talk to us about the initiatives that bring technology to women in the MENA region. Next, we have Valeria Betancourt. She’s the Programs Manager, Association for Progressive Communication. She will tell us how the magic happens at the community-led initiatives and innovation. Very much looking forward to hear about that. Our session will deal with data, women and inclusivity. We hear a lot about the digital divide at this conference and at other conferences. It’s important to remember that it’s not just about who gets online, but also who gets seen and how gets opportunities. Because algorithms that are trained on biased data, for instance, are showing higher-paying jobs ads to men rather than to women. The facial recognition systems that are flawed disproportionately fail women of color. These are just a few examples, but I’m sure we will kick-start a very robust and interesting conversation today. Understand that these aren’t just glitches. They’re just symptoms of deeper inequalities. That being said, I’ll leave it to the panel. First and foremost, I welcome to the stage our keynote speaker, Ambassador, the floor is yours.

Christophe Farnaud: Thank you very much. Rockstar Minister, dear colleague Ambassador, excellencies in the room, distinguished guests, ladies and gentlemen, good morning. It’s a real pleasure to open this session today with you. Gender equality, as you know, is a priority for the European Union. And as we all know, it is a multidimensional issue, from education to work, from health to decision-making, and of course, digitalization. And the thing is that the gender-digital divide remains a significant obstacle to achieving, including economic growth and equality. To launch the discussion, let me start with statistics. According to ITU, worldwide, in 2022, 69% of men were Internet users, compared with 63% of women. This means that globally, there are 244 million more men than women using the Internet. Moreover, recent statistics show that women comprise only about 25% of the tech workforce. This disparity is even bigger in leadership positions, where women hold only 11% of executive roles. In a nutshell, the digital gender gap, despite progress, persists, and closing it by investing in women is not only fair, it’s also the smart thing to do. Again, according to UN estimates, if women’s exclusion from the digital sphere was ended, some $1 trillion could be added to the GDP of low- and middle-income countries. However, women still face challenges to access the Internet, to develop digital skills, and therefore, use digital tools. This is also why gender equality is a core ambition for the European Union. Women are agents of development and change. First, the EU has adopted a gender action plan. now in its third edition, to promote gender equality and women’s empowerment. In particular, the plan states that 85% of all new actions in external relations of the EU will contribute to gender equality. As regards digitalization specifically, it promotes equal access and participation in shaping the digital landscape, from policy framework to infrastructure, from development of skills to financial access. Second, the EU Global Gateway Strategy, it aims to accelerate the twin green and digital transitions with partner countries. It promotes a human-centric and inclusive model of digitalization. Its ambitious targets can only be met by acting together in the Team Europe approach, with the Member States of the European Union and other stakeholders, in the spirit of this conference here at the IGF. Third, of course, gender is well mainstreamed in the EU Digital4Development Hub, a strategic multi-stakeholder platform that fosters digital cooperation between Team Europe again and its partners. Amongst others, the D4D Hub aims to ensure women and girls are a privileged target of our digital development cooperation. In the framework of this working group, we, together with Member States, focus our attention on the skills women need to take leadership positions in digital, and on fighting cyber violence, among other things. Today, we have put together an inspiring panel, representing all sectors, public, private, civil society, where men are a visible minority, obviously, good luck, coming from around the globe. They will share with us best practices, lessons learned and success stories. We definitely want to work together on recommendations to move forward. So without much further ado, I will give you back the floor, and wish you all success in your exchanges. Thank you very much.

Anda Bologa: Thank you so much, Ambassador. Thank you to the fantastic panel and before we kickstart the conversation, thank you to the European Commission and the D4D hub and to all our partners that are in this room today and in the cyberspace for championing this cause and for making this discussion possible. I thought that in order to kickstart the conversation in a more energetic way, I will give you 30 seconds to each speaker for a first question and I want to hear from you one thing, your elevator pitch, to what’s the biggest barrier to closing the gender digital divide. But 30 seconds and then we will deep dive into a broader conversation. Minister, can we start with you? Thank you.

H.E Emma Inamutila Theofelus: Thank you very much and a very good morning to everybody. Very happy to be here. Well, it’s very difficult to condense it in 30 seconds but I’ll try. I think the biggest barrier to ensuring that we close the digital gender gap would be the opportunity for girls and women to actually learn the skills they need. There are so many impediments to them being able to access the material they need to ensure that they get online and basic skills to actually be familiar with the Internet and we experience this a lot in Namibia in the Ministry of ICT that there is a fear of the unknown. Somebody who is not exposed to a smartphone or online spaces, they immediately say, I have lived without it for so long, why do I need it now? But not understanding the opportunities that come with it I think is the biggest barrier because once they understand the opportunities, there becomes a demand. They want to know more, they want to learn more and they demand more from the state, from civil actors to actually make it possible that the right infrastructure is in place. That smartphones are cheaper, that data is cheaper and that they get to learn the right skills to be online actors. Thank you.

Roy Eriksson: Thank you so much, very comprehensive. Ambassador Ericsson? Well, I would like to echo what the Minister said and I think also one big stumbling block is the mental kind of thinking that the Internet and digitalization is concerning only men and we do not see what possibilities women have and that’s why I’m very grateful to be part of the Global Gateway and different projects where we take for granted that women are also included in the project. We listen to what their needs are and also try to promote that, yes, we’re building connectivity but it is not connectivity per se, it is so that you can use it. So you can, for example, start a micro company like we have in Africa, good examples of women when they have the possibility to connect with the world. So they have small companies making clothes or home cooking or something. So it’s empowering women if they just get over the first threshold and get online.

Anda Bologa: Thank you so much. Can we hear from Kedi Välba?

Kedi Välba: Yes, thank you. I try not to repeat what the others have already mentioned, but as one of the things I see as a big barrier is the access to services. First of all, which we see is a problem in many countries and also that we don’t teach young kids or girls ICT skills. And this is what we are trying to solve in Estonia with different educational programs for girls to be included in ICT world, to teach them technological knowledge and so on, so that they would have more interest in the field in the future as well. Thank you.

Anda Bologa: Thank you so much. Can we hear from Ratka Sipile? 30 seconds.

Radka Sibille: Is it now on? Okay, thank you. Thank you so much. Good morning. I think one of the issues, I totally agree with all that has been said, and one of the issues that I would add is the lack of women at the decision-making and policy-making tables. I mean, here we have a fantastic panel, which is very pro-women, but this is still very much an exception and not a rule. And especially in the tech force, the situation looks a whole lot different when you talk about technologies. And so I think we need more women at the table when these decisions are made so that they already contain from the beginning the gender lens and the considerations of how they will impact women and all genders. Thank you.

Anda Bologa: Thank you so much. Can we hear from Ravin Rizgar? The floor is yours.

Ravin Rizgar: Good morning, everyone. Good to be here with you. So in terms of working closely with women, I would say it’s about trust, because tech force is quite dominated by men. And when it comes to women trying to find a place in the digital economy and trying to work and find employment opportunities, there’s no trust between the private sector or the companies in the capacity of women in that area. That’s why, despite taking, you know, upscaling in that sector, they would still have lower opportunity of finding employment opportunities. That’s why they think that, okay, why would I learn this if I’m not going to find a job with it, if I’m not going to make it to the market? So we need to try to push and build that trust among the private sector companies, that women can also be in positions where they can actually succeed in the digital economy.

Anda Bologa: Thank you so much. And to close this round of the first question, can we hear from Valeria Petancur, please?

Ravin Rizgar: Thank you very much. I hope you can hear me. Obviously, I agree with everything that has been said, but in the context of Latin America and the Caribbean, which is still the most unequal region in the planet, I think the main barrier has to do with a real recognition that the gender-digital divide is just an expression of persistent structural oppression and exclusion and discrimination. And I think the fact that this is not taken into account in the development of digital policies… Thank you so much.

Anda Bologa: Thank you.

H.E Emma Inamutila Theofelus: Thank you so much. because, obviously, we need a growth, because I think the point I’m trying to make is, in the informal settlements, there are the margins of cities and towns, but not necessarily have access to the services of the new cities and towns. And so we need to advance the high-level skills, because we want to actually run a small business and business online. And we still need a piece of technology, just to be able to navigate the smartphone and email address, social media platform. Not only in the market, but also in business, in Facebook and Twitter. So we really try to see how good the business we can. So some people need to move from this stage to the next stage to see the results. And we do that in three ways. One, it starts off with the idea of bringing up the youth and young people, trying to give literacy training to young women in the country. We do it for six regions in the country. And now that, of course, T14Hub has gone out, we’ve now adopted the program internally in the country, and we have expanded it across the whole country. And in doing so, we have now created a literacy framework, a national literacy framework, to see what is going on in the country to help us in this organization to enhance the skills. And we go back to the original one thing, helping people with training. That’s what you need. And we try to give you, and we’re moving on. So we try to step it up. It’s practically impossible. And this is really going back to the basics. So in the short program, I think, just in the administration, you can see we’ve trained 100 girls, 100 women. Let’s just create one framework and then train where they are. We say, just the next. So if you know the basics, it’s the next person, and the next person teaches the next person. So that’s one way. The second way is we have coding camps because we’re trying to introduce coding as a subject in our schools. But as a ministry of ICT, we have now started coding camps for girls only. And we got the first one we did with the United Nations, the commission on Africa. It was such a huge success. We got to where we think that we’re only teaching coding to girls. It’s an intentional position and so we want to start with girls. We’ll probably expand in the future and we want to continue teaching girls coding. So let’s say you’re doing this one program and it addresses everybody. It’s multifaceted. You have to constantly change the program as you go to different areas. You change the program and when you go to a different area, you change the program again. to change the program again. And in fact, we will try to reduce the amount of time and the skills necessary for women and girls.

Anda Bologa: I would like to move to Ambassador Erikson. And if you can give us the elevator pitch of what is the Global Gateway and then address in a more complex manner, how does it build infrastructure that is gender inclusive? And maybe you can give us an example of a concrete project in that sense. Thank you.

Roy Eriksson: Thank you. First the pitch on Global Gateway, and then I will attempt to also talk about how we can close the gender divide for an inclusive economic growth. And from there, coming back to Global Gateway. Global Gateway is an initiative launched by the European Union and the Commission end of 2021. And the aim is to mobilize 300 billion euros for infrastructure projects in emerging markets. I have to underline it says mobilize 300 billion euros. It doesn’t mean that there is 300 billion somewhere in a magical purse, but we are trying to mobilize the private sector with the help of public money to take down the risks of projects so that we have projects that would not be materialized without this initial small help. And Global Gateway is considering investments in five different sectors, digital being one of them. them, then education, health, climate, and renewable energy, and logistics. And for Finland, we have chosen to participate in projects mainly in digitalization, but also education and in lesser mode also on climate and renewable energy. But coming back to the topic, first, of course, I’d like to thank the organizers for giving me the opportunity to take the floor, because this is an important forum that tackles very pertinent issues. Technology has emerged as a key question for global development, including inclusive economic growth. The issue of digital divide is very important, as 2.6 billion people globally still have no access to the Internet. But why is this an issue? It’s because digital data flows in cyberspace, and data is the new oil of the future. If you allow this kind of comparison, yeah, our modern societies, especially urban ones, are more and more relying on the use of digital information, and with access to data, people can improve their lives. The digital transformation presents us with a wealth of opportunities that we need to grasp. At the same time, it presents us challenges that we need to act on, such as gender divide. As we move towards a more connected future, closing this gender gap is crucial for ensuring inclusive growth, and empowering women and girls to unlock their full potential. With growing threats to peace and security, we need to make sure technology is a force for good, and not used as a weapon. to amplify conflicts and create further instability and division globally. The UN and its stakeholders will have a key role in making sure we have the tools to manage this process in the years ahead. The Global Digital Compact provides an important framework for enhancing multilateral and multi-stakeholder cooperation for bridging the gender digital divide and enhancing the rights of all women and girls in the digital world. Finland took part actively in the Global Digital Compact negotiations, stressing priorities such as human rights, improving digital connectivity, governing emerging technology, and addressing the gender digital divide, and investing in education and digital skills. Finland underlines a multi-stakeholder approach in the implementation of the compact. My government sees technology as a key issue for our foreign and security policy. We have a strong focus on digital development in our foreign policy, including increased attention, private sector solutions, and investments. We are committed to work internationally for digital development that is fair, inclusive, and sustainable with respects for human rights and gender equality. We are pleased that our priorities, including addressing the gender digital divide, are being extensively covered within the ongoing IGF. Globally, we are far from reaching the target of universal connectivity as set out by the Agenda 2030. Despite good initiatives and concrete actions, a lot remains to be done in order to tackle this challenge. The Global Digital Compact calls for more cooperation to close the persistent digital especially in remote and underserved areas. In this regard, I want to highlight the need to mobilize more private investments and capital to meet these needs. Without adequate infrastructure in place, the potential of digitalization remains locked in. And we, in Finland, stand ready to contribute to this process. If the time allows, I would like to share with you some concrete examples of our work towards closing the gender divide. As a co-leader of the UN’s Generation Equality Action Coalition on Technology and Innovation for Gender Equality, we emphasize the pivotal role of digital technologies. For the opportunities of technology to be delivered, women and girls must have equal and safe and quality access to digital technologies, as well as the necessary digital skills. Only by having the whole nation, that is women and girls, along men, on board digitally, can the digital economy reach its full potential. Finland has a decades-long tradition in promoting the rights of women and girls in its foreign and development policy. We believe that the multi-stakeholder cooperation is key to achieve this, including engaging the private sector. For instance, through FinFund, Finland’s development financer and impact investor, we invest in technology companies that are committed to advancing gender equality in Africa. Finland funds also various civil society organizations globally. With Finland’s support, civil societies, for example, enhance digital safety of women, human rights defenders, and digital literacy of women and girls. Through the cooperation with UN organizations, Finland supports, for example, the creation of technology harnessing decent work opportunities for women in Tunisia and Morocco. We are also partnering with UNICEF. to develop virtual safe spaces for women and girls at risk. And then coming to the EU’s Digital for Development Hub, or D4D Hub, Finland, alongside other European Union member states and the European Commission, is enhancing digital partnerships globally. This includes boosting joint investments between the EU and partner countries. The D4D Hub’s ambition to contribute to reducing digital divides includes also gender digital divides. Finland takes, for example, part in the Team Europe initiative in Africa, including the Regional Data Governance in Africa initiative. We do not only build physical connectivity, and especially underlining the importance to take connectivity to rural and underserved regions. But on top of that, soft infrastructure is as important. That means that we provide our partners with skills so that they can utilize the new technologies. And in this, especially, a greater importance is given to take women and girls into the picture as well. In development aid, human rights and gender equality are cross-cutting and important themes, and all our projects should have some element of these issues. Lastly, I would like to underline our long-standing support to the IGF, as we are here, but it is also doing a lot of work to promote the access of women and girls to the Internet. And in that way, promoting our common objectives. In this context, I would like to encourage also other partners to step up their support to the IGF and the multi-stakeholder model of Internet governance, which in essence contributes to closing the gender divide. I look forward to the discussion and I’m happy to answer any questions you have, especially regarding Global Gateway. Thank you so much.

Anda Bologa: Thank you so much and thank you for inviting questions on the Global Gateway. I’ll happily intervene in the next round and then open it to the public. What we heard from you is the need for the private sector to step in. I heard this in different forums, but often the private sector is sometimes seen as a stereotypical source of funding. I would like to understand better how else it can step in. I’m sure that KD Valva is best positioned to tell us besides what is expected in many projects, the funding aspect, how else can the private sector contribute to closing the gender digital divide. Maybe you can tell us more concrete examples from Estonia and other examples in terms of leadership of women in board panels and so on. The floor is yours. Thank you.

Kedi Välba: Yes. Estonia’s history is interesting in that sense that we regained our independence in 1991 and this is when Estonia had to kind of invent what we’re going to be or how we’re going to develop. We had very strong leadership and our prime minister and president both were for the way of digitalization. Our journey began about 30 years ago already and this was all collaboration between the private sector, public sector and also including the academia. My company is one of the two companies behind the creation of the Estonia. Union National Data Exchange Platform, X-Road, that is also implemented in several other countries across the world, including Finland. And this is, for example, one very good example of this pure private-public partnership, and also something that is making sure the society is inclusive to all genders and also people with disabilities and so on, because in Estonia currently we like to say that we have 99% of services available online. Actually, it’s very close to 100 now, because the last two services were getting married and getting divorced, that weren’t accessible online yet, but now these services have been digitalized as well. You just need to show up for the final signature to actually make sure you will meet the person before getting married. And this is the interoperability platform in that sense, is something that is a very valuable asset in accessing the digital services, having inclusivity for also women and people in rural areas, because you can have access to healthcare, the financial inclusion, you can start the business from the convenience of your home within like a couple of minutes. It takes a bit more time to open a bank account, but still you’re not dependent in going to some physical office or traveling long distances and also in the very beginning of our developments in Estonia, for example, the implementation of ID card is a very good example, which was also done in collaboration between the private and public sector and the banks and telcos were actually the first private sector institutions to support the government in implementing these solutions and also the banks and telcos were the first ones to take these services into use. For example in Estonia the banks were authorized to issue ID cards also because you don’t have government offices in all of the rural areas but we used to have banks now we don’t have bank offices anymore as well as bank offices are closing down because everything is moving into the digital world so you have offices only in the bigger hubs and if you want to have for example consultation or receiving the loan you can do it all digitally. Another example is for example the certification authority that was providing certifications for digital signature in Estonia the digital signing that you could do at first with the ID card now we also have the mobile application solution the smart ID or also mobile ID and all of those certifications was the examples that we have and that has provided a very good access to services and also we have made ID card mandatory since the age of 16 so all of the citizens or like adult citizens in Estonia have it and this is also a tool which enables you to have access to digital services in the country.

Anda Bologa: Thank you so much we heard so much about access and skills, which brings us to the first part of the panel, where we discussed about the biggest barriers to closing the gender digital divide. And thank you so much for sharing the leadership of Estonia. It’s very inspiring. I experienced it myself. I was in a study visit in there and indeed I could see how digitized is the medical sector and how much access that provides to so many categories of people. We talked about bottom-up initiatives. We talked about very practical private sector, public sector initiatives. And now it’s time to go back to a very high level. I’m afraid. Radka, I’m looking at you. The EU Gender Action Plan was mentioned at the beginning of this conversation. I think it’s important to also understand what are the higher and broader frameworks. So if you can give us the pitch for the EU Gender Action Plan in an understandable way, easy to grasp and at the same time how it interacts with the work of the UN and how is EU at the UN working on gender. Thank you.

Radka Sibille: Thank you so much. Yes, indeed. So the EU Gender Action Plan is already in its third edition. It was launched in November 2020 and it’s basically a very ambitious framework that binds the EU to mainstream gender and to promote gender equality and women’s empowerment in all our actions, including externally in our cooperation with third countries towards the UN, etc. So when it comes to digitalization sector, for instance, we use the Gender Action Plan of the EU to focus on digital skills of women and girls, also in partnership with third countries, as was mentioned, that this was important to promote access to, for instance, financial services, because when you want to launch… a startup or any kind of digital platform, you would need some kind of capital at the beginning. And I was just, you know, in that sense, looking at some statistics and, for instance, the women tech statistics are saying that, unfortunately, only 2.3 percent of women-led startups get venture capital funding. And I think that’s also related to the trust issues that were raised here before. Basically, the prejudice is that women cannot make it in the tech. So we’re trying to address that also through our projects. And last but not least, we are also trying to promote the women entrepreneurship and the women digital literacy skills. One of the projects, for instance, that we have launched successfully is called Vamos Digital in Mozambique, which tries to promote digital skills and coding skills in high schools and with a particular focus on women and girls. So again, this is the gender lens that we try to use in all our projects. So we do have projects, but we always try to look at how women and girls can participate in their projects and try to bring them to the table. When it comes to the UN, it’s really, I’m grateful that you mentioned it, because the UN just agreed, by consensus at international level, the Global Digital Compact, which was adopted by the General Assembly in September. And it has a very strong human rights-based approach to technology in general, basically saying that all our work on digital cooperation needs to be embedded in international human rights law. And in particular, it also mentions the gender equality and empowerment of women as one of the principles. And the European Union, when negotiating the Global Digital Compact, was one of the staunchest supporters of that principle, of the human rights-based approach in general, but also with the focus on women and girls, because we really believe it’s important to have everybody at the table. And now, as we enter collectively in the implementation phase, of the Global Digital Compact. We will have to see how we can work all together, so the EU is trying to do it as Team Europe, but we will need other partners as well to try to implement that and close the gender digital divide before the 2030 SDG summit that is already fast approaching. Thank you.

Anda Bologa: This is an incredibly ambitious target to make it by 2030, but like with many other extreme challenges that we’re facing, it’s important to put our outmost ambition into those goals. And maybe now we heard about innovation and we heard about startups and so much about coding and encouraging women to get into tech, not only coding. So maybe we can hear from Ravin Rizgar and about your work on Soli Innovation House, which is extremely impressive, and maybe you can share with us how did you come up with the idea and what challenges did you encounter and what’s the success story of the Innovation House at this stage. Thank you.

Ravin Rizgar: Thank you for asking this question, because this is actually starting all from my own story, and I do really believe on the point when there is a challenge, when there’s a need, that’s where innovation comes in. You know, I myself, once I graduated, like let’s say as a top student on my class, studying manufacturing engineering and in the tech sector, I tried to find a job in my field, realizing that all the other male classmates found job in different factories, including international ones. And for me, it was just lots of rejection from lots of companies, including the one that they say that they are gender inclusive, saying that, you know, the factory is all men, you cannot make it. we’re afraid, you know, you have the skill, but we are afraid that it would be difficult for you to work within an area that you cannot find other females. It was very disappointing because I believed my skills and I was like, very ambitious wanting to find job. And now that’s all where the idea started looking at all the other female friends and all the other females in the community that they’re all going through the same challenge. So I actually wanted to build a home where we can share our stories, where we can talk about the challenge that we’re facing. Even the ones that they had job, they’re on daily basis being discriminated or they’re being, yeah, somehow, yeah, not compared to the guys where they’re working in the private sector and facing many different problems or they’re being given jobs where it’s not matching their qualification just because of being a female and they want to get some income, they’re forced to do that job. So that’s where the idea started. And I am really thankful to all the companies that they reject me because they are the reason where I am now, you know, founding Sully Innovation House and running it for around three years now, and trying to do capacity building with another 600 women, which I see like right now, more than 300 of them, they found job and they are some of them that they have their own startup. So I’m very thankful to them. And at the same time, right now, they’re sponsoring the programs that we are running, which is very impressive, like making them to come and support programs that is supporting other women. So that’s the story. And in terms of numbers, as Sully Innovation House, as I mentioned, only females through our one of our program, which is targeting women only called leading women, we have upscaled, like skills of women in digital skills, tech skills and also including soft skill for 600 women in which 53% of them they found job. And we’re very happy with the result and we’re planning more to come for 2025. Thank you.

Anda Bologa: Thank you so much. I think the numbers speak for themselves. And thank you so much for sharing your story that I think is extremely inspiring for other people that hear it. And I encourage you to reach out and seek partnerships in this sense. And speaking about community driven approaches, I’m moving now to Valeria Betancourt. And I would like to hear more about her work and how you shape inclusive policies in the Latin American region. And what’s the role of communities and how do you form a community in this space in the first place? Thank you.

Valeria Betancourt: Okay, thank you very much. First, I will be obviously expressing the work that my colleagues and our network does. I think, first of all, it is very important to situate the conversation about inclusion and overcoming the gender digital gap in the moment that we are in. The Global Digital Compact has been mentioned. Obviously, it is going to be, and it provides a very important updated framework of the challenges that we face. But I would also like to bring the attention to another process that in our view represents also the view, the perspective and the challenges of the global south and countries in the region, which is the plus 20 review of the World Summit on the Information Society. And why I mentioned this, because the emphasis is on people. The vision of the WSIS was precisely on people rather than on the digital. And I think it’s time to look again at that vision and to put people and the planet in the center. That vision will have the opportunity also. so to build on community-based approaches, community-driven approaches that in tandem with the gender justice lens, we open much more possibilities for digital policies to recognize, as I was saying, that the problem is a structural battle. So the fact that technologies are enablers of rights, of development, of inclusion, but are also the tools and the spaces that we reach back. And that economic growth equates or equals development and inclusion, but also help us to overcome this assumption that the solutions should come from a single stakeholder. While what we have seen in the practice is that only through meaningful, effective collaboration and alliances and partnerships between the public sector, the private sector, the academia, the civil society organizations, and the communities as central actors, we can actually respond to the particular way in which communities, in which women and girls and non-conforming people experience technology. So I really want to highlight the fact that these bottom-up approaches with the communities at the center are also the way in which these alliances can really respond to meet particular challenges. So there are several examples on how we can place this gender justice and community-driven approach in the core of the interventions oriented to bridge the digital gap. For instance, there are several experiences about women’s circles that are part of decision making bodies, but also decision in relation to how the technology is designed. Not only the governance of the technologies, but also how the technologies are developed and designed in the first place. So sound and solid methodologies to really incorporate those approaches since the beginning, because that’s the only way in which these bottom-up approaches can respond to specific realities and needs if we want to narrow the digital divide. Those will also help to counteract the pin washing that has happened through several interventions that even though they have good intentions are not able because of this distance that they have with the real needs and the particularities of the barriers that women face in order to be able to really overcome those. So I think that’s a good way to do it, and the different stakeholders working together can put the communities in the center and be able to design solutions that could meet the particular needs and contexts.

Anda Bologa: Thank you so much for sharing that, and this panel in itself is an illustration that multi-stakeholder is not just a buzzword. We hear from governments and the actions they take, and we hear how this resonates with the private sector that is equally as keen to invest, for instance, if we take the coding camps. The government is interested. in that. The private sector is interested because inevitably it’s going to have a great workforce. We have innovation houses that just help and empower women and give them the space and the trust to take part in those activities. We have the international institutions that come with broader frameworks. We have the communities that are there. So that’s a very beautiful illustration of how this multi-stakeholderism works in practice and is more tangible than often the words in high-level documents make it seem. So that being said, thank you so much to our public. You’ve been very patient and very interested and now maybe I’ll give the floor to Ambassador Ericsson for a moment and then I’ll open it to the audience in the room and online. Thank you.

Roy Eriksson: Thank you. Just a quick comment listening to this very thin panel. One thing that I think is important is for women to have role models because I know a person, a woman in Finland with a similar background than what you mentioned. She couldn’t get a job in tech sectors and she was frustrated about it and she started a movement called Chicks Can Code and she has organized these workshops and not knowing is there any demand for that, if there would be anybody who would be interested. So she started small and the house was full and then okay well let’s have another one and again the house was full and again and again. So she actually started then her own business and has workshops throughout Finland on how women can also get involved in coding. That it’s not something that you have to have. a Y-gene to do, women can do it as well, and she has been a great successful. So what the bringing in the closing the gender gap, we need good role models. So now girls have seen that she’s been a success, so coding is no longer something is just for boys, girls are interested in that as well. And it has had for the whole of the Finnish economy, a good beneficial outcome, because our gaming sector is now really booming and being successful, but it couldn’t be successful without the women. So that’s just what I wanted to say. Thank you.

Anda Bologa: Thank you so much. And if you allow me to add one more thing, you mentioned role models. And at the same time, we need allies. Often the gender policies are left to the women, and it’s often that they feel the pressure and the responsibility to fight for it. And it’s extremely important to have allies and have everyone get involved in this because the economic benefits and just the benefits of this concern everyone. And thank you for being an ally with us today on the panel. And thank you to everyone in the public that is here. That being said, I’m going to open it to everyone I know we have, including people in the IT industry, especially in the video games. So opening it to the public in the room and online, perhaps we can start with the room. Do we have microphones? Thank you.

Audience: Thank you, Excellency. I feel called up to say a few words because actually, we would also want to continue on this amazing discussion. And I have more even inspiration for upcoming meeting because today at 1545, as the World Intellectual Property Organization, where the UN agency helping the innovators and creators, we will continue on with women in games and apps, innovation, creativity, intellectual property, where we will also have host role models from the industry, industry leaders, but as well as try to highlight one of the important skills that is important in entrepreneurship and games and apps is also the understanding. and how to manage your creativity and innovation and that is done through the intellectual property system and the inter IP tools that we are also trying to highlight and raise awareness and educate about. So of course congratulations just about this event and I feel further inspired by all the words mentioned here today.

Anda Bologa: Thank you so much. We see synergies not only in between the speakers of the panel but also the events today so that’s amazing.

Peter Zanga Jackson Jr.: Thank you so much sir the floor is yours. Good morning everybody my name is Peter Zanga Jackson Jr. I’m from Liberia and I firstly want to thank our panelists for all what they have said but in our intro during the intro one of them said that the tech force is dominated by men. The question is why the tech force is dominated by men? Are men stopping women from getting involved? Is it a behavior of women to not get involved? And so what can we do to get women involved into tech? Because once you use the word tech they say oh it’s for men. Anytime and even in schools when you talk about the sciences, the physics, the physics, the mathematics they say oh it’s for men and so you have limited women participation into technology. Now the challenge is back to them and they need to work on that niche behavior of not getting involved. I believe the more women are involved into technology the tech they will be heard. Okay they will not be marginalized. Things will go the way we all expect it to go. And so I put it to them, what can they do to work on the minds of our girls to get involved? What can they do? This is my question.

Anda Bologa: Thank you so much. Perhaps taking another intervention, and then I’ll bring the question back to the panel.

Damilare Oydele: Thank you so much. I have a question and a comment together. My name is Damilare Oyedile. I work with Library Aid Africa. My comment and question is about empowering women and young girls with digital skills and literacy skills to explore the economic benefits of digital economy, right? And there’s a huge potential here to leverage libraries, to leverage libraries as key partners and access points for digital literacy skills and empowerment, because libraries have already existing libraries to have infrastructure and space to deliver these trainings. And this is something we have done before. In particular, we did this also in Namibia through one of our projects where one of our fellows trained young women in our community on digital literacy skills. Okay, not just that, also empowering librarians and libraries with the skills and infrastructure to deliver this training. Now that we’re trying to scale up this intervention and engagement to build more collaborative libraries, I’m curious to know from the panelists here in the context of what are the pathways here to engage libraries in your plans and collaborative engagement to scale digital skills development and empowerment for women and young girls? Thank you.

Anda Bologa: Thank you so much. An excellent question. Another intervention, please. And then we move to the panel.

Catherine Mumma: Thank you. My name is Catherine Muma. I’m a senator from Kenya. I just want to commend the panel. I think I enjoyed every presentation, acknowledging that world over we are more as women, but we are not as present as we ought to be. And the tech world has run way ahead and left women behind. That is something we need to acknowledge that it has helped to visualize the actual patriarchal concerns that are in societies across the world. I found the solutions you’re giving very, very practical. I think I’ll speak to you, Honorable Minister, from Namibia, what you’re doing can happen in Kenya, can happen in Uganda. The many proposals you’re suggesting, by the way, my daughter is an engineer and she’s just frustrated in some company going through exactly what you’re saying. She’s there, she has capability, but the men won’t trust her to do this. I’ll be happy to just engage with you and back to Kenya. I will take it back to the Kenyan women’s movement to see how we can engage further and help get more women on board. Thank you very much.

Anda Bologa: Thank you so much for this round. We’ll bring it back to the panel and then we’ll open it again to the floor. On top of everything that was said, I also encourage you to approach Ambassador Erickson and talk about Global Gateway and the type of projects that can be financed and the type of projects that can be created under the Global Gateway umbrella. But bringing us back to the first question about how women can get involved and what women must do, perhaps I’ll give the floor to Valeria Betancourt to give us maybe since you have the vision at the community level, you can give us a few clear examples on how to approach and perhaps frame this question. Thank you.

Valeria Betancourt: Absolutely. Thank you very much. First, I think we have to understand what my colleagues of the panel have been saying. The intervention have to be multidimensional and multifaceted. I think first, it is very important to enable regulatory frameworks that allow for the coexistence of different models and different ways to provide connectivity, for instance, because that will also create the conditions through the regulatory and legal frameworks be able to precisely, for instance, deploy community networks and infrastructure that is owned by the community in a way that will have and ensure the financial sustainability, for instance, so the regulatory framework is one level and the possibility, as I am saying, of allowing for the existence of complementary models for bridging the digital gap. Second, I think financial mechanisms, as part of the implementation of the Global Digital Compact, but also the review of the last 20 years of the World Summit of the Information Society, we are kind of witnessing a revamping of the multilateral agenda, including the restructuring of the financial global architecture that has to also kind of mirror what is happening with the financial mechanisms at national level. So, for instance, for the Global South and I guess in many other regions as well, but in Latin America in particular, the role that the universal service funds can play in ensuring the financial sustainability of women-led initiatives, of women-led enterprises based on digital technologies, I think that’s very important. So, ensuring this kind of deep investment, focused investment for ensuring the financial sustainability of community-driven initiatives is very important. Also, there are very important communities that have a very strong feminist imprint in Latin America, that’s the case of community networks in Brazil, in Argentina, in Colombia, in Mexico, that have been able, working together, the community, but also in partnerships, as I was saying, to be able to… put in practice the feminist principles of the internet, for instance, and also some other guidelines that different groups have developed in order to make sure that the digital policies are truly inclusive and gender sensitive. I would like to mention in particular two initiatives that are happening in Latin America. First is a mapping, a kind of mapping of best practices that the Inter-American Telecommunications Commission has started in order to precisely shed some light in terms of what are the best practices to ensure that digital policies are gender inclusive and gender sensitive, so member states have been invited to provide information and with that information to be able to understand what is happening at the level of the community networks and systematize that knowledge and experience. And second there is a very concrete example, a very recent one in Colombia, that there is a partnership between the European Union and Colnodo around a project that is oriented precisely to connect the unconnected in rural areas in the country and it’s interesting to see how that partnership is allowing the intervention in the different levels that I have mentioned, so to be able to encourage and promote a policy dialogue in the country that will help to precisely work at the regulatory framework but also the digital policies that are sustainable in time and that work closely with the communities but also at the community level to be able to deploy not only the infrastructure but also the capacity building programs for women and girls and non-conforming people in order to be able to make most of the use of technologies. So those are the examples that are there, they are very well documented and I think we can build and learn a lot from those experiences in different countries and also regulatory developments in Mexico for instance allowing the existence and the deployment of indigenous community networks, where women have a very central role in the governance of those communities, not only the technical running of the community network, but also the governance of those initiatives.

Anda Bologa: Thank you so much. And before opening it to the panel, maybe I can add something on women getting involved and the regulations. And it sounds very abstract, but in reality, the buzzword of this conference is artificial intelligence. And one way in which artificial intelligence is being used, if there is no regulatory framework to prohibit it, is for employment. But the way artificial intelligence works is an algorithm trained on data. And if historically, this type of jobs, particularly jobs in tech, higher paid, were given just to men, then the algorithm, when it will look through the CVs, it will just take out the best CVs of men. And those women will not receive an invitation to the interview. So this is a very practical way in which having a regulatory intervention in which companies will not be allowed to do that without human oversight, is clearly opening a path for women to be invited to the interview. And then it’s up to them, of course, to be as competitive as males in those positions. But in a very pragmatic way, that’s how through regulatory frameworks, you can control the use of these technologies. And that’s a practical example from the regulatory framework of the EU. But going back to the panel, we heard two questions. If anyone would like to address the first one and speak about libraries, please.

H.E Emma Inamutila Theofelus: Thank you. I also wanted to add something to the first question. And I know it will prolong it because she has really adequately handled it. But I think the reality of the fact is there are religious, cultural barriers to girls even thinking of going into a technical field, even just the discussion in the house. You almost become an anomaly if you want to go outside of the traditional types of employment that you want to have. When I was in high school, between the last two grades, grade 11 and 12, you’re allowed to choose subjects that you want to do, at least three that you want to do. I didn’t want to do home economics, and home economics was you learn how to knit, you learn how to keep a home. I didn’t want to learn that in school, I learned that at home already with my parents and my guardians. I wanted to do computer studies, and in that class of 35 students, we were only two females. Nobody stopped them to choosing computer studies, but already there’s a lot of social engineering from a girl child. Just even the conversations of what is possible, what is not possible, and you might not think it’s, you know, nobody said, no, no, don’t go do that. But it becomes subconscious without you as the person not knowing, and even the people around you not knowing that they’re socially engineering you not to take some of these career paths that are not primarily geared towards girls. So I think it’s a serious conversation we need to have, because before a child decides that at university, I’m going to choose this particular career, somebody should have been in their ear for years and years on the end, telling them what is possible for them and what is not possible for them. So it’s silent. It’s not out there, but it’s what is impacting the performance of girls to get into science and tech, and even in the workplace. There’s social engineering, a lot of intimidation, you know, being a young junior officer and wanting to be an executive, and already the environment is telling you that you might not succeed, even make it to the interview. And I think in this to women in politics, women in business, it’s the same thing just in different sectors, it’s the same thing happening all across patriarchy showing up in various ways so I just wanted to add. onto that response of the question. On the library’s question, I think in our model in Namibia, we’ve realized that every standing asset is an opportunity for us to do the training. We use libraries as a place where we can give computer literacy training. The basics, how to switch on a computer, how to type a CV, how to print. For all of us who might have advanced skills, it might seem like, I mean, how can somebody not know that? But there are a lot of people who do not know that, and that’s why we use the libraries. Secondly, we use what we call ICT centers that we share between the Ministry of ICT and the Ministry of Youth. This is targeted to young people, both male and female, around training. It’s already a standing infrastructure. The government has invested into that infrastructure 15, 20 years ago. We just help refurbish it by putting 1, 2, 3, sometimes even 5 laptops make such a big difference in ensuring that that space becomes as an ICT hub for somebody who wants to learn computer and digital literacy. Then the third place we are now exploring using is post offices. We have post offices almost everywhere in the country, even in the most rural parts of the country. People get mail because that’s the infrastructure that was invested in a few years back. We’re now trying to see how can we ensure at least every post office has a computer or laptop for the community to learn how to use online spaces and impart digital literacy skills. We almost anticipate that we’ll have an even bigger impact to train more women and girls in using computers and using smartphones as a way to ensure that they get the literacy skills. Every standing infrastructure is an opportunity to train. to impart skills. It’s just how policymakers, community actors, private sector come together to use that space to impart those necessary skills. And I’ve challenged our private sector to say, by the year 2030, no person, young and old, should not have basic digital literacy skills in the Namibian nation. We’re only 3 million people. So I can almost believe that by 2030, every citizen must at least know how to use a laptop, must at least know how to use a smartphone to run something, to have an email, to be able to put their business online, how to navigate websites, how to apply for a job online. The basic skills to get somebody from level zero to level one or two or three. And we don’t want to take that for granted. We don’t want that divide to grow bigger. We want to close the gap around digital literacy skills, whether from a gender lens or any other lens possible in the country. Thank you.

Anda Bologa: Thank you so much for your answer. Please.

Kedi Välba: Thank you. When I was going to university, my first degree was business administration and languages. And my uncle told me when he heard that I’m going to attend the university, he said, nonsense, women and business. That’s nonsense. You should find a rich husband, stay at home, have children and not go to the university. So this is what we’re talking about. It’s happening everywhere all over the world. And this is the environment we come from. But I wanted to make an example, also talk about the libraries from Estonia, this is how we actually also started our digitalisation journey, that we created internet access points. We did also use the libraries and we also created computer classes, one computer class to each school all over Estonia and provided computer lessons, not only to the general public, but but also when we’re talking about gender equality, we also need to talk about the elderly and the inclusivity of the elderly, because they also need to access the services. So this is what helped us a lot. And this was also something that was done in collaboration with private and public sectors, largely funded by the private sector, because computers to the schools were coming from the private sector. And this is where I’m also happy to represent the Digital for Development Hub here, which is an initiative or a strategic platform created by the European Union and member states to actually boost the digital transformation and investments around it. And the focus is very human-centric. Also, the gender topic is a cross-cutting topic in all of the initiatives. And I’m very happy to see that. Well, I’m here because I’m representing the private sector advisory group. We also have the civil society advisory group. And I think this is a good example of a platform for collaboration. And we need more of these neutral platforms where we can talk together, the private sector and the public sector, because innovation usually happens in the private sector. But somehow we are afraid of the private sector. We don’t trust the public sector. But we need those collaboration platforms where we can actually discuss with each other. And then we will have better ideas and inclusivity. And also one of my thoughts that I wanted to add here is that we have heard the topic of women having difficulties in entering the job market and tech field and so on. So what we need to do is to boost or encourage the women entrepreneurship, to have more women founders. women founders, women CEOs, and this innovation hub that we have, because women are more eager to take women on board. And this is also what I have seen and mentored young girls a lot, that when they’re ending up in a very men-focused company, then they struggle a lot and they have a lot of issues. Quite a lot they’re seen as an assistant, just bringing coffee. So we need to boost women entrepreneurship, and that will also be something that will make a change. Thank you.

Anda Bologa: Thank you so much. Thank you again for all your interventions. Thank you for your patience and being here. We’re running out of time, so unfortunately we have one last intervention from each panelist. I’ll start with the other worder from which I started, and I will ask you to think of one key insight that you got from this panel and try to perhaps frame it as a call to action. I will start with Valeria Betancourt, please.

Valeria Betancourt: A call to action. Sorry, can you hear me? Yes, a call to action.

Anda Bologa: 30 seconds, please.

Valeria Betancourt: Yes, my call to action could be to precisely take the responsibility that every stakeholder has for ensuring that we can bridge the digital gap. As I was saying, it is not a matter that just one single actor can provide the responses, and I think bottom-up approaches have, I think in history, shown that might be the best possible way, putting people and communities in the center to be able to provide solutions that are meaningful to people, so digital technologies can help improve the lives and open opportunities, not only to enter and to access to economic justice, but also social justice and environmental justice, that for communities is essential in order to also ensure the integrity, safety, and well-being. the well-being of themselves and the planet.

Anda Bologa: Thank you so much. Maybe we can move to Katie-Valbaa in the interest of passing the microphone around. Thank you.

Kedi Välba: Yes, thank you. We have heard a lot of good thoughts here today. And I would just like the conversation to continue in that sense, that it would not only remain a conversation, but we have also very concrete actions following. And under the D4AD Hub initiative, this is something where we’re looking into very seriously, as gender equality is one of the aspects that’s included in every project.

Anda Bologa: Thank you so much. Ambassador Ericsson, 30 seconds.

Roy Eriksson: 30 seconds. Yes, take action. Not just talking about bridging the digital divide and empowering women. When we are doing a project, we really need to look into that, that it is also benefiting women, that everybody is on board.

Anda Bologa: Thank you. Minister?

H.E Emma Inamutila Theofelus: If all of us at the IGF, it means that we have a role to play in our communities. We are respectable people. There are people who value us. So everywhere you go, let it be a church in your community, at a family gathering, at a wedding. Encourage the young girls to take up STEM fields, encourage them to go above and beyond the normal norm, encourage them to explore job careers, study careers in the tech field, because your word could actually be an encouragement for that young girl or that young woman to actually want to consider something like that. So let’s not take words for granted. They go a long way in encouraging people to take up careers that otherwise are against the normal norms. Thank you.

Anda Bologa: Thank you so much. Radka Cibile, 30 seconds.

Radka Sibille: Thank you so much. My call for action would be to make the online space safe and respectful of human rights, just like they should be respected offline. Because if it’s not safe, even if you then bring and connect all those that are un-safe, it’s not safe. It’s not safe. It’s not safe. It’s not safe. It’s not safe. It’s not safe. It’s not safe. It’s not safe. It’s not safe. It’s not safe. It’s not safe. It’s not safe. connected today, including women, they will be dissuaded in using the online space is if it’s full of harassment, hate speech, misogyny. So human rights online should be protected as they are offline. Thank you.

Anda Bologa: Thank you so much. Robin Ryskardt.

Ravin Rizgar: Is seen like other stories like mine happening in Finland and other areas of the world is like quite making us all to work on empower. So we have to empower women and continue this in every part of the world. And please, if you have a friend, a family member, that’s female and trying to start something, either they’re either a startup or a community initiative, just show support. Even if it’s just a few words of encouragement, that would be really appreciated. So just keep supporting. Thank you.

Anda Bologa: Thank you so much. Thank you to the wonderful public today and the panelists. And I encourage you to go to them, speak up and look for partnerships and multi stakeholder perspectives. Thank you. Transcribed by https://otter.ai Transcribed by https://otter.ai

Agreement Points

Lack of access to digital skills training for women and girls

H.E Emma Inamutila Theofelus

Ravin Rizgar

Kedi Välba

Limited access to digital skills training for women and girls

Creating women-focused innovation hubs and support networks

Providing coding camps and digital literacy programs for girls

Multiple speakers emphasized the importance of providing targeted digital skills training and support networks for women and girls to bridge the gender digital divide.

Societal and cultural barriers hindering women’s participation in tech

H.E Emma Inamutila Theofelus

Ravin Rizgar

Kedi Välba

Societal and cultural barriers discouraging girls from tech fields

Lack of trust in women’s capabilities in tech sectors

Promoting women’s entrepreneurship in tech

Speakers agreed that societal and cultural barriers, including lack of trust in women’s capabilities, discourage women from entering and succeeding in tech fields.

Similar Viewpoints

Both speakers highlighted the systemic nature of gender discrimination in the tech sector, emphasizing the need for structural changes and increased representation of women in leadership roles.

Valeria Betancourt

Radka Sibille

Persistent structural discrimination and exclusion

Lack of women in tech leadership and decision-making roles

Both speakers emphasized the importance of multi-stakeholder collaboration, particularly involving the private sector, in addressing the gender digital divide.

Roy Eriksson

Kedi Välba

Private sector partnerships to fund and support women in tech

Multi-stakeholder collaboration platforms like D4D Hub

Unexpected Consensus

Importance of community-driven approaches

Valeria Betancourt

H.E Emma Inamutila Theofelus

Community-driven approaches to technology adoption

Leveraging existing infrastructure like libraries for digital skills training

Despite coming from different backgrounds (civil society and government), both speakers emphasized the importance of leveraging community resources and bottom-up approaches in bridging the digital divide.

Overall Assessment

Summary

The speakers generally agreed on the need for targeted interventions to support women in tech, the importance of addressing societal and cultural barriers, and the value of multi-stakeholder collaboration. There was also consensus on the economic benefits of closing the gender digital divide.

Consensus level

High level of consensus among speakers, with complementary perspectives from different sectors (government, civil society, private sector) reinforcing the urgency and multifaceted nature of addressing the gender digital divide. This consensus suggests a strong foundation for collaborative efforts to promote women’s inclusion in the digital economy.

Different Viewpoints

Primary barrier to closing the gender digital divide

H.E Emma Inamutila Theofelus

Ravin Rizgar

Radka Sibille

Valeria Betancourt

Limited access to digital skills training for women and girls

Lack of trust in women’s capabilities in tech sectors

Lack of women in tech leadership and decision-making roles

Persistent structural discrimination and exclusion

While all speakers agreed that barriers exist, they emphasized different primary factors contributing to the gender digital divide.

Unexpected Differences

Overall Assessment

summary

The main areas of disagreement centered around identifying the primary barriers to closing the gender digital divide and the most effective strategies to address these barriers.

difference_level

The level of disagreement among speakers was relatively low. Most speakers presented complementary rather than conflicting viewpoints, focusing on different aspects of the same overarching issue. This suggests a multifaceted approach may be necessary to address the gender digital divide effectively.

Partial Agreements

All speakers agreed on the need for targeted initiatives to support women in tech, but proposed different approaches ranging from education programs to entrepreneurship support.

H.E Emma Inamutila Theofelus

Ravin Rizgar

Kedi Välba

Providing coding camps and digital literacy programs for girls

Creating women-focused innovation hubs and support networks

Promoting women’s entrepreneurship in tech

Similar Viewpoints

Both speakers highlighted the systemic nature of gender discrimination in the tech sector, emphasizing the need for structural changes and increased representation of women in leadership roles.

Valeria Betancourt

Radka Sibille

Persistent structural discrimination and exclusion

Lack of women in tech leadership and decision-making roles

Both speakers emphasized the importance of multi-stakeholder collaboration, particularly involving the private sector, in addressing the gender digital divide.

Roy Eriksson

Kedi Välba

Private sector partnerships to fund and support women in tech

Multi-stakeholder collaboration platforms like D4D Hub

Key Takeaways

The gender digital divide remains a significant obstacle to achieving economic growth and equality globally

Barriers to women’s digital inclusion include lack of access to skills training, cultural/societal barriers, lack of trust in women’s tech capabilities, and underrepresentation in leadership roles

Multi-stakeholder collaboration between government, private sector, civil society and communities is crucial for bridging the gender digital divide

Empowering women in the digital economy has significant economic and social benefits

Community-driven, bottom-up approaches that put women at the center are most effective for meaningful digital inclusion

Resolutions and Action Items

Use existing infrastructure like libraries and post offices to provide digital skills training to women and girls

Implement coding camps and digital literacy programs specifically for girls and women

Promote and support women’s entrepreneurship in the tech sector

Ensure gender inclusivity is incorporated into all digital development projects and policies

Encourage girls to pursue STEM education and careers through mentorship and positive messaging

Unresolved Issues

How to effectively address deep-rooted cultural and societal barriers discouraging women from tech fields

Ways to increase women’s representation in tech leadership and decision-making roles

Methods to build trust in women’s capabilities within male-dominated tech sectors

Strategies to make online spaces safer and more respectful for women

Suggested Compromises

Balancing the need for rapid digital development with ensuring inclusivity and gender sensitivity in all initiatives

Finding ways for public and private sectors to collaborate effectively despite potential mistrust

According to ITU, worldwide, in 2022, 69% of men were Internet users, compared with 63% of women. This means that globally, there are 244 million more men than women using the Internet. Moreover, recent statistics show that women comprise only about 25% of the tech workforce. This disparity is even bigger in leadership positions, where women hold only 11% of executive roles.

speaker

Christophe Farnaud

reason

This comment provides concrete statistics that highlight the scale of the gender digital divide, setting the stage for the urgency of the discussion.

impact

It framed the subsequent conversation by emphasizing the magnitude of the problem and the need for action across multiple sectors.

I think the biggest barrier to ensuring that we close the digital gender gap would be the opportunity for girls and women to actually learn the skills they need. There are so many impediments to them being able to access the material they need to ensure that they get online and basic skills to actually be familiar with the Internet

speaker

H.E Emma Inamutila Theofelus

reason

This insight identifies a key root cause of the digital gender divide – lack of access to skills and learning opportunities.

impact

It shifted the discussion towards practical solutions and the importance of education and skill-building initiatives.

Estonia’s history is interesting in that sense that we regained our independence in 1991 and this is when Estonia had to kind of invent what we’re going to be or how we’re going to develop. We had very strong leadership and our prime minister and president both were for the way of digitalization. Our journey began about 30 years ago already and this was all collaboration between the private sector, public sector and also including the academia.

speaker

Kedi Välba

reason

This comment provides a concrete example of how a country successfully implemented digital transformation through multi-stakeholder collaboration.

impact

It introduced the importance of political will and cross-sector partnerships in driving digital inclusion, influencing subsequent discussions on policy approaches.

I think first, it is very important to enable regulatory frameworks that allow for the coexistence of different models and different ways to provide connectivity, for instance, because that will also create the conditions through the regulatory and legal frameworks be able to precisely, for instance, deploy community networks and infrastructure that is owned by the community in a way that will have and ensure the financial sustainability

speaker

Valeria Betancourt

reason

This insight highlights the importance of flexible regulatory frameworks in enabling diverse approaches to digital inclusion.

impact

It broadened the discussion to include policy and regulatory considerations, emphasizing the need for adaptable approaches that can accommodate community-driven solutions.

There are religious, cultural barriers to girls even thinking of going into a technical field, even just the discussion in the house. You almost become an anomaly if you want to go outside of the traditional types of employment that you want to have.

speaker

H.E Emma Inamutila Theofelus

reason

This comment brings attention to the deep-rooted societal and cultural barriers that contribute to the gender digital divide.

impact

It deepened the conversation by highlighting the need to address underlying social norms and expectations, not just technical or educational barriers.

Overall Assessment

These key comments shaped the discussion by progressively broadening its scope from identifying the problem (using statistics) to exploring its root causes (lack of skills, cultural barriers) and potential solutions (multi-stakeholder collaboration, flexible regulatory frameworks). The conversation evolved from a high-level overview to a nuanced exploration of practical, policy-oriented, and societal approaches to bridging the gender digital divide. This progression allowed for a comprehensive examination of the issue, incorporating perspectives from government, private sector, and civil society representatives.

How can libraries be leveraged as key partners and access points for digital literacy skills and empowerment for women and young girls?

speaker

Damilare Oydele

explanation

Libraries have existing infrastructure and space to deliver digital skills training. Understanding how to engage libraries in plans and collaborative engagements could help scale digital skills development for women and girls.

What can be done to work on the mindset of girls to get them more involved in technology?

speaker

Peter Zanga Jackson Jr.

explanation

There is limited women’s participation in technology fields. Understanding how to change perceptions and encourage more women to enter tech is important for increasing diversity.

How can regulatory frameworks be developed to allow for complementary models of connectivity provision, including community-owned infrastructure?

speaker

Valeria Betancourt

explanation

Enabling diverse connectivity models through regulation could help bridge the digital divide, especially for women and underserved communities.

How can financial mechanisms like universal service funds be leveraged to ensure sustainability of women-led digital initiatives?

speaker

Valeria Betancourt

explanation

Targeted financial support is needed to sustain community-driven and women-led digital projects over time.

How can partnerships between government, private sector, and communities be formed to utilize existing infrastructure (like post offices) for digital skills training?

speaker

H.E Emma Inamutila Theofelus

explanation

Leveraging existing infrastructure through multi-stakeholder partnerships could expand access to digital skills training, especially for women.

How can women’s entrepreneurship in the tech sector be boosted to create more opportunities for other women?

speaker

Kedi Välba

explanation

Increasing the number of women founders and CEOs in tech could help create more inclusive work environments and opportunities for women in the sector.

Summary

This discussion focused on cybersecurity capacity building and the challenges of effectively sharing and utilizing existing resources and information. Participants explored the problem of abundant but often overlapping or inaccessible cybersecurity capacity building resources. They emphasized the need for tailored, context-specific approaches rather than one-size-fits-all solutions.

Key points included the importance of collaboration between stakeholders, including governments, private sector, and civil society. Participants stressed the need for bespoke capacity building programs designed in consultation with recipient countries. The discussion highlighted challenges such as language barriers, limited access to technology, and budget constraints in implementing effective cybersecurity initiatives.

Speakers emphasized the importance of follow-up and impact assessment in capacity building efforts. They suggested that qualitative measurements, such as scenario-based exercises, could be more effective than quantitative metrics in evaluating cybersecurity preparedness. The need for a whole-of-nation approach to cybersecurity, involving various sectors of society, was underscored.

The discussion also touched on the importance of making cybersecurity information accessible and relatable to different audiences, including youth and healthcare workers. Participants agreed on the need to demystify cybersecurity and make it more approachable through popular culture and practical, hands-on experiences.

In conclusion, the discussion highlighted the complex nature of cybersecurity capacity building and the need for coordinated, inclusive, and context-aware approaches to effectively address global cybersecurity challenges.

Keypoints

Major discussion points:

– The problem of overlapping and fragmented cybersecurity capacity building resources and initiatives

– The need for better coordination, collaboration and information sharing among stakeholders

– The importance of tailoring capacity building efforts to local contexts and needs

– Challenges in measuring impact and success of cybersecurity initiatives

– The value of practical exercises and simulations to test preparedness

The overall purpose of the discussion was to explore strategies for improving cybersecurity capacity building efforts globally, with a focus on addressing gaps, avoiding duplication, and ensuring resources reach intended audiences effectively.

The tone of the discussion was constructive and collaborative throughout. Participants shared insights from their diverse perspectives in a spirit of mutual learning. There was general agreement on the key challenges and a shared commitment to finding solutions. The tone became more action-oriented towards the end as participants discussed concrete ways to measure impact and move forward.

Speakers

– Carina Birarda: Introduced the session

– Wim Degezelle: Consultant with the IGF Secretariat, supporting the Best Practice Forum

– Josephine Miliza: MAG member and co-facilitator for the BPF cybersecurity

– João Moreno Falcão: Lead facilitator for the youth standing group, cryptography researcher

– Yao Amevi Sossou: Coordinator of U5GF in Benin, part of DC in data-driven health technology

– Tereza Horejsova: Senior outreach manager for the GFCE (Global Forum on Cyber Expertise), former MAG member

– Dino Cataldo: Chief Information Officer of the UN Pension Fund, IGF MAG member representing intergovernmental organizations, co-facilitator of BPF on cybersecurity, co-lead of dynamic coalition on blockchain assurance and standardization

– Mevish P Vaishnav: President of Academy of Digital Health Sciences, represents dynamic coalition in digital health

– Brendan Dowling: Australian ambassador for cyber affairs and critical technology

– Oktavía Hrund Jóns: MAG member, co-chair of BPF on Cybersecurity

– Hariniombonana Andriamampionoma: Co-facilitator of BPF on cybersecurity, manager for Elio Star Wars

Cybersecurity Capacity Building: Challenges and Strategies for Effective Implementation

This report summarizes a discussion on cybersecurity capacity building, focusing on the challenges of effectively sharing and utilizing existing resources and information. The session, introduced by Carina Birarda, brought together experts from various sectors to explore strategies for improving global cybersecurity capacity building efforts.

Problem Statement and Context

The discussion began with a clear problem statement: despite an abundance of cybersecurity capacity building resources, there is a significant issue of information overload and lack of targeted resources. Brendan Dowling, the Australian ambassador for cyber affairs and critical technology, highlighted that many existing capacity building programmes have been untargeted and inappropriate for specific contexts. He emphasized the need for tailoring programs to individual country needs, considering factors such as existing capabilities, cultural context, and specific requirements.

Yao Amevi Sossou, Coordinator of U5GF in Benin, underscored the importance of accessibility and localization, particularly in the African context. Sossou pointed out that the most common tool for internet access in Africa is the mobile phone, suggesting that capacity building efforts should consider this reality. He also emphasized the critical role of language and cultural context in developing effective cybersecurity initiatives, highlighting the need for resources in local languages and consideration of cultural nuances.

Mevish P Vaishnav, representing the dynamic coalition in digital health, emphasized the critical nature of cybersecurity in healthcare data protection, illustrating the need for sector-specific approaches in capacity building efforts.

Improving Access and Coordination

A significant portion of the discussion centered on strategies to improve access to resources and enhance coordination among stakeholders. Brendan Dowling expressed a commitment to using existing mechanisms and processes, such as the Global Forum on Cyber Expertise (GFCE) and Partners in the Blue Pacific, to avoid duplication of efforts.

Tereza Horejsova, senior outreach manager for the GFCE, stressed the importance of information sharing and coordinating efforts. She highlighted the GFCE’s Cybil Portal as a crucial tool for sharing project information and avoiding duplication. Horejsova shared insights from recipient countries, noting that they often feel overwhelmed by multiple, uncoordinated capacity building initiatives, emphasizing the need for better organization among donors and implementers.

João Moreno Falcão, lead facilitator for the youth standing group, highlighted the need for basic resources such as computers and internet access for effective cybersecurity learning, particularly for youth engagement.

Follow-up and Impact Assessment

The discussion emphasized the importance of follow-up and impact assessment after capacity building initiatives. Yao Amevi Sossou stressed the need for ongoing evaluation beyond initial project timelines and budgets. Brendan Dowling advocated for qualitative measurement through exercises and simulations, arguing that this approach is crucial for testing preparedness and capacity effectively.

Tereza Horejsova suggested tracking project growth and coverage in databases as a quantitative approach to impact assessment. Mevish P Vaishnav recommended regular auditing and sharing of best practices across countries, highlighting the value of continuous learning and improvement in cybersecurity practices.

Holistic Approach to Cybersecurity

The discussion underscored the necessity of a holistic approach to cybersecurity. Brendan Dowling advocated for a whole-of-nation approach involving multiple stakeholders, including government, industry, and community sectors. This perspective was complemented by Tereza Horejsova’s emphasis on trust-building and cross-sector collaboration.

Oktavía Hrund Jóns, MAG member and co-chair of BPF on Cybersecurity, stressed the importance of focusing on both reactive and proactive approaches to cybersecurity. She emphasized the value of practice and continuous learning in building robust cybersecurity capabilities, and the need for consistent, inclusive approaches to capacity building.

Key Takeaways and Action Items

1. Tailor capacity building programs to specific country needs, considering cultural context and existing capabilities.

2. Utilize existing coordination mechanisms like the GFCE and Partners in the Blue Pacific to avoid duplication of efforts.

3. Encourage stakeholders to share project information on platforms like the Cybil Portal for better coordination and resource allocation.

4. Develop more inclusive and accessible capacity building programmes, considering language barriers and cultural contexts.

5. Implement regular follow-up, auditing, and impact assessment of cybersecurity initiatives through qualitative and quantitative methods.

6. Foster greater collaboration between different sectors and stakeholders in cybersecurity initiatives.

7. Adopt a holistic, whole-of-nation approach to cybersecurity capacity building, involving multiple stakeholders.

The discussion concluded with a recognition of the complex nature of cybersecurity capacity building and the need for coordinated, inclusive, and context-aware approaches to effectively address global cybersecurity challenges. Participants emphasized the importance of continued dialogue and collaboration to refine strategies and improve the effectiveness of cybersecurity capacity building efforts worldwide.

Carina Birarda: Hello everyone. Ladies and gentlemen, estimated colleagues, and participants. It’s a pleasure to welcome you to the Best Practices Forum on Cybersecurity Capacity Building, part of the Internet Governance Forum 2024 here in Riyadh. Thank you, host country. Our goal today is clear, to explore, develop, and share strategies to strengthen global cybersecurity capacity. Session overview, introductions, past achievements, and 2024 discussion context. Problem statement, define key challenges in capacity building. Expert panel, insight, experiences, and contribution from the room. Objectives, redefine the problem statement, identify best practice forum, and actionable solutions. Define next step to move from dialogue to action. Thank you for showing to us your work and experience matter. Thank you.

Wim Degezelle : Thank you, Karina, for this introduction. And welcome all to this session of the Best Practice Forum on Cybersecurity Capacity Building. Can you move to the next slide, please? Or do I have a remote? Okay. These are the session outline and objectives Karina discussed with you already, so I don’t think it’s necessary to go through them again. So, also for my part, I hope that we had a very interactive and very interesting session. But I’m, first of all, let me present myself. My name is Wim Duggezelle. I’m a consultant with the ICF Secretariat, supporting this Best Practice Forum. So, that’s why I prefer to give the introduction, and then afterwards, leave to the colleagues, the colleagues co-facilitator of the Best Practice Forum, and the distinguished panelists we invited for this meeting. Next slide, please. First of all, what is a Best Practice Forum? You might have seen in the agenda or on the ICF website that there is something called intersessional activities. These are a number of activities that start, kick off at the beginning of the year, and work, have discussions during the year in function of the ICF meeting that comes at the end of the year. This allows to do a little bit more preparation than a normal workshop. And this also allows to collect information, different views from stakeholders, which are then combined and published in a report after the meeting and is sent out for further work. This is not the first Best Practice Forum on cybersecurity. As you can see on the screen, there have been BPFs on cybersecurity for the last seven years almost, between 2018 and 2023. The Best Practice Forum on cybersecurity, they have been with a different focus before that, but between 2018 and 2023, the ICF Best Practice Forum has focused on norms and norms agreements in cybersecurity. I’m not going to dive into detail, but I really would like to list what we did in those years, because they are also based on discussions with the different stakeholders, with the communities, and these reports are still available on the ICF website. They looked into norms and norms agreements from different aspects. Amongst other, how norms are developed, how norms are made into practice. One year, there was a very interesting question that was dealt with. The question, if you look back to specific cybersecurity events that happened in the past, before a specific norm was voted or agreed, would it have made a difference? That was a very interesting story. Another interesting discussion or research we did in the past couple of years was looking outside the realm, or outside the sector of cybersecurity, and look in other fields where there also are norms and norms agreements, and see if lessons could be learned for cybersecurity norms. But this is the past work. These outputs, I really invite you, if you’re interested, to look at them, because they’re very interesting and a very good read, especially as a background. They’re still available on the website. Now, today, the next slide, please. After all those years talking about norms agreements, there was a feeling, well, maybe we have said enough or finished that topic. And in the beginning of this year, the ICF always sends out a request for topics that should be on the agenda. That is a request for topics that inform the general agenda for the meeting, also had informed the choice of the different main themes for this year. But in this call for input, cybersecurity and trust came out as one of the paramount concerns in the community, which was a clear indication that the ICF, in its program, should pay attention to it. Of course, cybersecurity, cybersecurity and trust is an enormous broad topic. Therefore, the people behind and people proposing this best practice forum said it might be interesting to look into capacity building. Capacity building that helps to build cybersecurity, helps to enhance cybersecurity and trust online. So the proposal for this best practice forum was submitted and agreed here in Riyadh in the beginning of the year in February, where the ICF Multistakeholder Advisory Group met. And after that, the work plan, one of the first things the BPF did was to organize a meeting to discuss its own work plan, to discuss the idea to have this BPF. And I mention here because that was a very interesting step or an important step this year. The next slide, please. Because the fact that the BPF took its initial plan and moved and used that to organize its first meeting was very important to get input from the community on what it was planning to do. And it dramatically changed, well, dramatically might sound a bit, let’s say, too dramatic, but it really changed the course of what was planned. Because the initial idea was for the best practice forum to look into cybersecurity capacity building, what is available online, sorry, what is available in terms of specific training, in terms of specific offers, and do a kind of general mapping, mapping of training, mapping of resources available, a mapping so that it would be possible to look for gaps, to look for opportunities, and then provide that to the community. But very early, one of our first calls, one of our first meetings we had, we got some pushback coming from the community and community participants saying, well, but this is already being done. There is already a huge amount of information out there. There are mappings of cybersecurity capacity initiatives, there are inventories, there are organizations providing this type of work already. To that extent, that it might be difficult to find the specific information you need. It might be difficult for a government, an organization, or a person that says, well, I would need to build some capacity in my organization on cybersecurity, but I don’t really know where to go because there’s too much information. And this was a start for a completely other discussion within the best practice forum, and the discussion that led to the session today. It was, how do we deal with this exact situation? And this led to the formulation of a problem statement that you see on the screen, and that will be the main topic or the start for the discussion today. I will read it out. So this discussion we had on the program for the BPF this year led to the problem statement saying that while various mappings, inventories, and initiatives provide a wealth of information on cybersecurity capacity building, different offerings Then this information they may overlap overlaps and gaps in information may exist or exist And the information and therefore the information may not reach a tight target audience effectively and With this I want to leave it there Go to the next slide, please Because the nice thing as an introduction is you can really come up with a problem with a problem statement and then you can hand over To the panel to discuss and come up with conclusions and the question to solve it But for that I give the floor to the two moderators who are also Co-facilitators and the panel. I think the most easiest is everyone introduces himself or Herself and that might be the best. So thank you for me, and I’m looking forward to a very interesting discussion

Josephine Miliza: Thank You Wim for that great Introduction to our discussion today. My name is Josephine Miliza. I am a MUG member and also a co-facilitator for the BPF cybersecurity Really happy to be joined today by a great panel And we’ll be going into the discussion shortly But before that, I’d like to welcome all the panelists and my co-moderator to introduce themselves starting from my far right left

João Moreno Falcão: Hello everybody My name is João. I’m The lead facilitator for the youth standing group, I’m and I’m also a cryptography researcher

Yao Amevi Sossou: Hello, my name is Yao. I’m from Benin I’m the current coordinator of the U5GF in Benin and also part of the DC in data-driven health technology from the International works. I also been working sometime in the BPF. Nice to be here

Tereza Horejsova: Good afternoon My name is Tereza Horejsova senior outreach manager for the GFC the global forum on cyber expertise and also a former Mac member

Dino Cataldo: Good afternoon. My name is Dino the large from the chief information officer of the United Nation Pension Fund and Within the IGF I play several roles. I represent the intergovernment organization in the multi-stakeholder Advisory group. I’m a co-facilitator in the best practice forum on cybersecurity and Co-lead of the dynamic coalition on blockchain assurance a standardization. Happy to be here

Mevish P Vaishnav: Good evening everyone. I’m Mevish P Vaishnav from India President of Academy of Digital Health Sciences and I represent dynamic coalition in digital health over you Pleasure to be you

Brendan Dowling : Hello, I’m Brendan Dowling, I’m the Australian ambassador for cyber affairs and critical technology

Josephine Miliza: Thank you, and I’d also like my colleagues who are joining us online Octavia and Yubonana to introduce yourselves, please

Hariniombonana Andriamampionoma: I’m from Madagascar. This is my fourth year co-facilitating the BPF on cyber security I’m the manager for Elio Star Wars And I’m really happy to moderate this session online. I would like to thank our panelists And welcome everyone who’s joining this session Thank you Good evening, everyone. My name is Yubonana. I’m from Madagascar

Oktavía Hrund G Jóns: And Octavia shrimp with Bernard Jones Calling in from Iceland This I sit on the mag as well. And this is my my first year on the mag Although I’m a long-term mag or IGF participant I’ve had the absolute pleasure of also being a co-chair of this best practice for Cybersecurity and I’m very excited and happy to to spend the next hour with you all

Josephine Miliza: Thank you so much and yes Getting into the conversation today and our first question is how does the problem statement? Resonate with all your own experiences or perspectives. Do you find that in your context? Do you find that it resonates with your context? Is there something missing or that we overlooked as we are coming up with it? I’ll settle Brendan, please

Brendan Dowling : Thank you. I think the problem statement is valid it captures that there is a Huge proliferation of information about cybersecurity Capacity building, but it’s often not bespoke. It’s often not targeted to Recipients and in our experience that is the most important element. We have seen cyber attacks cyber crime Worsened substantially in our region. We’ve seen Australia and New Zealand Southeast Asian nations Pacific Island nations hit by really disruptive cyber attacks So there is a huge amount of interest and drive to raise cybersecurity and to raise cyber resilience We’ve implemented some very substantial capacity building programs in recent years But we’ve often found that they can be untargeted Inappropriate and we’ve committed to doing better with our partners about Working with them in dialogue to figure out what the right approach for that country for that context for that situation is What that means is in our capacity building work in the Pacific it is very Bespoke to that country it can involve incident response work when there’s a major disruptive cyber attack it can involve Upgrading hardware and software To ensure that pirated software or out-of-date servers are not in use it can involve Developing legal frameworks or national strategies or training to develop computer emergency response teams so every capacity building program that we roll out is designed in consultation with The recipient country and is shaped according to their needs interests and their situation So I think it’s a really positive thing that we have a much more substantial effort in cybersecurity capacity building out there for me the most important consideration is adjusting and tailoring to the particular circumstances of the country organization or partner that you’re working with

Moderator: Fantastic, thank you so much. I

Mevish P Vaishnav: Think the healthcare data is the major important part of individuals and it is a personal information So we need to take care of it And the best practices is the one where we can collaborate and work together on the cyber security part

Moderator: Thank you and to Teresa I know that when we started to have the conversation you G CFE have done amazing work and you’re actually one of the people who pointed to us that yes these resources exist But we need to redefine what really the problem statement is. So what are your reflections? Based on the work that you do over this year and also looking into next year

Tereza Horejsova: Yeah, thank you very much Josephine Two things that resonated with me when we started having this conversation a few months ago First of all, I think the IGF is a natural space to have discussions on capacity building And I feel that it hasn’t been used this space as much as it could have so the fact that the best practice forum on Cyber security decided to focus on capacity building is I think something to really applaud And second from my organizational point of view from from the global forum on cyber expertise We try to make the overview of what’s available What capacity building projects are happening as easy? to find as easy to grasp as possible so that we can serve as a resource for donors for Implementers when they are planning their projects to kind of build on what has been done already to Eliminate duplication of efforts and to simply use resources as efficiently as possible We also try to do it Sensitively To tailor to each region what ambassador has already already stressed through our regional hubs Including in the Pacific where we really try to use the knowledge from the regions themselves to provide even better overview of Of all the capacity building projects and activities now how we do it might not be perfect that’s why having a discussion on you know, what what is most useful and what is most efficient and Comparing with other resources that are available Is extremely useful for us the primary resource that the GFC uses is the so-called civil portal Which is available for free online on? www civil portal org And there we really try to also engage The various actors to help us find and provide us information That we can put up on the portal in a very simple overview that anybody can use as a go-to resource But we hope that the discussion we are having tonight a discussion. We’ve been having with you over So I think it’s very important to have this kind of information, this kind of information in the past months will help us fine-tune it and make it even more useful. Thank you.

Moderator: Fantastic. And Yael? Thank you very much for the floor.

Yao Amevi Sossou: I concur a lot with all what the previous speaker have discussed already about the importance of the topic. At the Dynamic Coalition on Data-Driven and Data-Driven Health, we are moving towards a more data-driven health, especially when it’s come to health care facilities and health care access. We are moving toward a more e-driven health access around the globe. But we need to make sure that health care practitioners also have capacity-building opportunities to have to strengthen the knowledge on how to use the data and how to use the data to make it more accessible. So, the other aspect also we’ve been stressing is accessibility on those available capacity, especially when it’s come to young people and under-served communities, especially in African region. You know, in Africa, we have thousands of languages. There’s nowhere to mention that. So, we need to make sure that we have the capacity-building opportunities to make it more accessible to young people. And the most common used tool to access internet in Africa is a mobile phone. And our people, like, population are not really educated on how to prevent those bridges on how to protect the information, and one best practice, I think, is to use the mobile phone. So, we need to make sure that we are addressing those issues in the spoken language people who understand like the native languages, what the word capacity-building, for example, means in Swahili, would not resonate to someone if you’re not actually altered in the mother language, they would not be able to use the mobile phone. So, we need to make sure that we have the capacity-building opportunities to make it more accessible to young people.

Wim Degezelle : And the most common used tool, I think, is the mobile phone.

João Moreno Falcão: So, we need to make sure that we have the capacity-building opportunities to make it more accessible to young people. So, we need to make sure that we have the capacity-building opportunities to make it more accessible to young people. So, one of the practices that we really need to find these gaps is to use these structures we have and attract people that are in our front line of education. So, I see here a lot of representatives of strong organizations, but we lack the capacity-building opportunities to attract people that are in our front line of education. So, we need to give these contents to these persons, and we need to coordinate with them, because cybersecurity is a very extensive area, and we really need to show that this is possible to the people that we have. So, we need to make sure that we have the capacity-building opportunities to attract people that are in our front line of education, and we need to show also that we have a multitude of tasks inside of cybersecurity, and we can accommodate and train the workforce to work with this.

Josephine Miliza: Great, and, yes, so I think we have a consensus in terms of the problem and the problem, and we need to be very careful in terms of the gaps in terms of the target audience, and now we are getting into discussing how do we fix these issues, and I’ll hand over to my co-moderator, Dino, to take us through the next round of questions.

Dino Cataldo: Thank you very much, Josephine. So, as you alluded to, we look at the problem, and now we would like to solicit from our colleagues, from our partners, from our stakeholders, how we can fix it, how we can address this issue. So maybe I can start with you, Teresa, given your point of view in an institution that basically conducts regular research, consolidated best practices, from your point of view, what can be done to avoid duplication, and, at the same time, how can we make sure that the best practices that we have, the best practices that we have, that they may exist in these resources?

Tereza Horejsova: Thank you, Dino. To have a conversation, yes. So that’s definitely the starting point. We have already acknowledged that there are several resources and portals that map things that might be similar, but not exactly. The worst thing that could happen is that the best practices that we have, the best practices that we have, the best practices that we can share from our experience is the cooperation, and almost integration, if you wish, between the Sibyl portal and the UNIDIR cyber policy portal. What’s that about? I’ve already mentioned that at Sibyl, basically, we try to map resources, tools, and especially projects that have been implemented or are currently being implemented in the field of cyber crime in Cambodia. So, basically, UNIDIR has a very useful resource, the UNIDIR cyber policy portal, which basically kind of gives, as a one-stop shop, a good overview of the cyber security situation in various UN member states. Now, we would agree that it’s very useful when you look at projects, because, at Sibyl, you have a lot of information, a lot of data, a lot of information about the situation of cyber crime in Cambodia, yes, and then you would get this information. Wouldn’t it be helpful to, at the same time, get inputs on what is the situation in cyber security in this given country that the UNIDIR portal maps? So, this is common sense, and that’s why we went ahead, and obviously, there was also the issue of the technical limitations of the portal. So, there is a lot of information that can be fixed. That’s maybe the simplest part of the puzzle, I would say. But this obviously was preceded of months of conversations and exchanges on complementarity and how one portal can benefit from another so that the end user has the best experience possible.

Dino Cataldo: Thank you very much. I would like to ask Ambassador Dowling, we saw the point of view of those working on creating the knowledge and facilitating. Maybe from your point of view as a potential user, how do you find, if I may qualify the question, the ability to share information? Do you find that you use these mechanisms? Do you find that you can still be improved?

Brendan Dowling : I think it’s about committing to use those mechanisms. So, we find the GFCE to be a very useful coordinating body to make available information through the regional hubs. So, I think that is useful. However, from the government perspective, I think it’s very important for us to be able to share that information. Obviously, we saw a country, and I will not name them, prepare a capacity building project, decide the terms of that project, decide when and how it would be implemented, and presented it without talking to the recipient country. Now, if you look at the GFCE, you will see that it’s not duplicative. So, there has to be a commitment to use the mechanisms. In the Pacific, we have set up the program known as Partners in the Blue Pacific, which is expressly about donors coming together, talking to recipient countries, and doing that deconfliction. Annually, we hold the Pacific Cyber Capacity Building Open Conversation, including with the UN bodies, including with the private sector. So, for me, I don’t think we need more mechanisms. We don’t need more processes. We need to commit to using the existing processes and to saying when we find those points of misalignment or duplication, that we will adjust our programming accordingly. Sometimes, donor countries can be focused on their own internal processes for budgeting and programming and not allow that flexibility to adjust as is needed. So, I think it’s really incumbent on us to be willing to listen and to be flexible when we hear the response.

Dino Cataldo: Perfect. Thank you very much for that feedback. Madesh, maybe I can also ask for your feedback vis-à-vis your specific domain or specific industry. You’re talking about digital data health, related to health. How do you find this sharing of information be working, and especially the identification of potential gaps about capabilities?

Mevish P Vaishnav: I would say if there’s no capacity, there’s no security. So we need to get trained, upskill ourselves in capacity building. And it is very crucial because the health care workers need to know how to protect data. And that’s why at Academy of Digital Health Sciences, we are providing trainings to nurses, the pharmacists, the health care frontline workers, so that they are aware how to protect the data. And sharing information, we need to be careful. Misinformation should not go out. That’s very crucial.

Dino Cataldo: Thank you. Misinformation, definitely. And hot topic. Maybe if I can pass to our speaker, Joelle. You were talking about already before about issue related to languages. What else can you add from your perspective?

Yao Amevi Sossou: From my perspective, what I could add more apart from the language issue would be most of the capacity building initiatives that I’ve seen, they are budget constraints. They have simply a limited period of budget. And then in time, they are limited. And after the capacity building, what is the next step? So I think in that direction, we should find a way for follow-up on those different initiatives so that they, of course, in the mapping process, we find what should not be replicated and what should be strengthened. And from lesson learned, we could be more equipped, both the capacitors and also the people that are acquiring those capacities. And also toward the young people, which are the most vulnerable, specifically young women. Those are the critical masses that need to be really, really addressed because they are more vulnerable, I think. And trainings and best practices should be refined in a way that they are specifically targeting their specific needs. And I want also to commend the work the GFCA is doing in that direction as well. And I also want to commend the work in the IGF. ISOC Benin is doing that direction with some online capacity, awareness raising on cyber security threats, educating young people, especially young girls, how they can secure their data on the phone, for example. And yes, one key element also, we need to prevent misinformation. How to combat that? We need collective efforts. We need to build trust on what is shared. And we need mechanism to prove that the informations that are out there are reliable and not posing a threat to anybody. Thank you.

Dino Cataldo: Thank you very much. So we see already complementing element from misinformation to lesson learned. Maybe, Joao, will you give us also your perspective from the youth?

João Moreno Falcão: OK. Sure, thank you. So I would like to bring something that really made me into cyber security, which is popular culture. So we are having these kinds of projects to try to bring people to capacitate them into cyber security. And we can use the popular culture that solidified in our mind what is cyber security to invite these people to participate. Because at the same time that they made a dream for a lot of people, they also created a barrier that people said, OK, this is movie thing, so I will not be able to be this person. But we could work on demystifying that and really approaching these people to be part of the cyber security ecosystem. And the other thing that we also need to acknowledge that to learn cyber security, you need basic means to learn. So most of the people that are now in the field were self-taught, but we have several projects that try to bring these people. And what they need is access to this content, like computers or internet, and also sometimes physical access to devices. Like in my example, the only thing that made me into cyber security was that I went to an event and they had a industrial device. And this was the first time I could try to interact with one and learned my way into hacking it. So this was a wonderful experience, and I couldn’t have the opportunity if I wasn’t there. So we need to think about this. The requirements are not as complex as other areas of knowledge, but we also need to acknowledge to offer this structure to the people learning.

Dino Cataldo: Thank you very much, Joao. You actually anticipated the elements of my next question. Again, going back to restarting with Teresa, what can be done to ensure that the message, the resources, are getting to the intended audience? And especially in those situations, those environments where there are less possibilities, where there is a less mature infrastructure, less access limitation, I would say, in accessing internet, in accessing the necessary resources.

Tereza Horejsova: Yeah, thank you. Maybe on the first part of the question, something that we have discovered when collecting information and trying to provide those resources online was that sometimes we have faced a bit of reluctance to actually have information shared. It’s maybe a natural instinct that everybody would like to receive information, but not necessarily seeing the benefit in providing the information. Sometimes we have, is the sound OK? Because I hear like a terrible echo. Maybe I should remove this. My earring fell off. OK, it’s starting, right? Sorry. So for instance, natural instinct could say I shouldn’t share too much about what I’m planning to do, because maybe it will cost me a project I could otherwise get. Or I shouldn’t share that much about what I’m planning to do as a donor, let’s say, in the next three years. Because I don’t know, somebody else might do it. But I think we need to kind of change the narrative a little bit that by sharing information to the extent possible, I am, of course, aware it’s not always realistic. Everybody wins. And who wins ultimately are those that we are trying to assist, the recipients. Because it’s not fair towards them if the efforts, let’s say, are uncoordinated or if an implementer comes and isn’t aware that the same project has been implemented by somebody else two years ago. Or like Ambassador gave the example that some projects would be basically designed without consulting those that it should benefit. This is wrong, and it’s not fair. And then we are kind of just doing things to tick the box. I’ve implemented the project, and I’ve used these resources that were made available. But what was the impact? Could the impact have been bigger? So I just would like to challenge ourselves to really think that, OK, if I share, I’m not going to lose. And that goes for all stakeholders involved. Maybe another note that I can add, sometimes when we have had conversations with recipient countries, even sometimes it was really voicing concerns like, please organize yourselves. We cannot handle our capacity is already limited. And if we have everybody coming to us separately, trying to do their project, we are overwhelmed as well. It would help us tremendously if there was a bit more coordination. And what’s one simple step closer to better coordination is exactly to have these resources available so that anybody can consult them.

Dino Cataldo: Thank you, Teresa. So maybe just to jump immediately to Joel, what is your experience in this access to resources and the ability to coordinate?

Yao Amevi Sossou: I think regarding access to those resources, the key challenges I would say that this way is ability first to, as Joel mentioned, basic to hardware access, for example. People have difficulty to have access to hardware that will bring them to be in contact with the information that should be shared. And another element, I still keep stressing it, is how we convey the information to the recipients. are the capacity building developed inclusive enough and are there, as Elin mentioned, are there in a collaborative way done, like for example, if each and every country have their own capacity building programs sometimes, and I mentioned earlier, they are most, in most cases, budget, they are budget constrained and they have limited amount of time to process. How do we follow up is really key, I’m saying and stressing that again. We need to assess and then we need to follow up impact on impact of those capacity building so that we know from key projects what are the different gaps that need to be addressed with the next round of trainings, and then from there, we become ourselves more resilient and people are more equipped and enough ready to face the challenge that’s out there. Internet is free for everybody, but it’s also have some challenges that not everybody could be able to face alone.

Dino Cataldo: Thank you. I very much like the term that you use. It’s not much about quantity. Sometimes these initiatives are measured between input and output, but you talked about impact, measuring the impact, and that, it will be a segue to the last question. Thank you very much for participating in this concert. Maybe if I can go back to Ambassador Dowling and hear from your perspective as a government representative, what are the critical success factors, maybe in your country, have worked in reaching the intended audience?

Brendan Dowling : I think we have a very substantial experience in Australia. We have, for many years, prioritised cyber resilience as a core part of our economic agenda, as a core part of our national security agenda, so we have many lessons that we have learned in what we have adopted in the capabilities that we’ve built, which we do try to offer as experience for the positives, for the negatives, to share with countries, particularly in our region. I think we have found the most important lesson is that this has to be a whole-of-nation approach. Talking about building cyber resilience, talking about building cyber capacity, has to involve industry, it has to involve the community, it has to be something that is bought into, rather than just as a government program. Most infrastructure, most businesses, most community capabilities are operated by non-government actors, so engaging a whole-of-nation response is, I think, the crucial lesson. That means when we engage in capacity building work, we talk not just to government players, we talk to private sector operators who run civilian infrastructure, we talk to educational institutions, schools, universities, we try to engage across the breadth of society. Cyber is not a technical issue, it is not a government issue, it is a whole-of-nation issue. I think our lesson and experience is the criticality of engaging a broad range of actors when we try to build that cyber resilience.

Dino Cataldo: Thank you very much. Very well noted, the emphasis on partnership and collaboration, public-private. Thank you so much for emphasising that. So Mitesh, your experience from the digital health sector.

Mevish P Vaishnav: In digital health, if you see, every country is trying to secure their data, but there are challenges that are coming up. So we need to be prepared through upskilling ourselves, and that is why we are developing courses in it.

Dino Cataldo: Thank you. Very good to know you’re already working on it in a specific sector. So last question for each one of the participants, and maybe just looking at the time to be, if possible, maybe a little bit more brief. Teresa, we’re starting with you. So we already alluded to what can be done, what should be done, what has been done. How can we measure it? What kind of indicators can be utilised to measure the impact of the cyber security capability project initiatives and programmes?

Tereza Horejsova: Yeah, for instance, for Sibyl, it’s very simple. We can measure how many projects we have there, how it’s growing, what’s the trend. And of course, you know, the more comprehensive coverage we have, the more kind of thorough picture can be provided to anybody who uses the portal. So I would also use this opportunity to encourage everybody here, if you’re working on a cyber capacity building project, check it out, if it’s on Sibyl. If it’s not, we do a lot of our kind of desk research and try to identify the missing projects, but we also rely, and we in particular rely, on actually the implementers, donors and others to share with us the information so that this puzzle is a bit bigger. So if we can internalise that when you’re working on something, that you just quickly check if it’s there and just drop us an email, that would be good, yes. And then we will get to over 900 projects and we have at this moment, you know, a much more interesting number.

Dino Cataldo: Thank you very much. So important. So getting feedback. Joel, what about your experience in measuring the impact?

João Moreno Falcão: Yeah, well, cybersecurity is an odd field because despite other knowledge fields that we can teach and then see how much they learned, when we teach something, there’s someone trying to overcome what you teach. So this makes our lives much harder because we can teach a technique, something, and then in the next day, someone will create another one that will overcome what we teached. So seeing this, I believe we can go to a strategy to understand like the necessities and needs of a specific community and understand if what we teach them really made the difference. So what you establish first was accomplished later.

Dino Cataldo: Thank you very much. Joel, would you like to add your experience?

Yao Amevi Sossou: I think in this regard, what I could suggest would be combining efforts is key. We need to combine different effort and different experience, like what we, one organisation struggle with a capacity in a certain community might be some lesson to be learned from another organisation in another part of the world. And we need to find a way to collaborate so that we have bigger impact and then it becomes easier to assess the impact what I’m stressing so far.

Dino Cataldo: Thank you. So I started to see that the picture and the life cycle, let’s learn impact, consolidation of best practices and databases. So maybe Ambassador Dowling, if you can also share with us your experience in measuring the impact.

Brendan Dowling : Sure. It’s very difficult. I think we all struggle to measure what success in cyber security looks like. How do we know our programs are working? We know that cyber incidents are getting worse. We know that in spite of all our efforts and doing the right thing, we will see more incidents because threat actors are getting more capable, more sophisticated. So measurement can’t be about fewer cyber incidents. I think in cyber security, qualitative measurement is really crucial. For me, testing through exercises is one of the most effective ways to qualitatively test whether your arrangements, your capacity, your preparedness have improved. We’re big advocates for getting everyone in a room, government, private sector, civil society running exercises, testing what your response mechanisms look like, how they operate. It’s better to learn where your failings are in an exercise than in a real incident. We consider ourselves a relatively mature cyber-capable nation, and yet when we run exercises on our electricity sector, our airports, on our government systems, we always find a range of ways where we still have gaps, where we still have shortcomings. I think that qualitative approach in a partnership, open, transparent way to test out what your responses are like, rather than tell yourself, we’re good, we’re prepared, actually road test it and say, here’s where our gaps are, here’s what we need to address. For me, that’s the most important thing.

Dino Cataldo: Thank you. Another critical element of the lifecycle of the simulation, exercising and testing. So thank you so much for that. So Meebish, last but not least, what about your experience in the health industry? What can be used as an indicator that, indeed, this initiative are producing expectation, meeting expectation?

Mevish P Vaishnav: So I think we should have every six months auditing should be done. And training in cybersecurity is something that will help us to understand from other countries we can learn. So best practices from other countries can be shared. And that is how collaboration is important. The best practices of every country. Like, if you have faced an issue, maybe I would learn from it, and I would not face the same issue. So that’s how we should work and collaborate. And IGF is a platform where we can collaborate. So many countries come together. That is how we can try to, if you see, the hackers are more organized than us. So we need to be careful of that. If quantum computing gets democratized, we will be vulnerable. So we need to take care of that.

Dino Cataldo: Thank you. We can open a completely new session on quantum computing debates. So thank you very much. And thank you for the reference, too. As a former auditor, I really appreciate that acknowledgment. So with that, I would like to pass the floor to Octavia that is going to provide a summary and conclusion of this very interesting, engaging session. Octavia?

Oktavía Hrund G Jóns: Thank you so much, Dino. I would like to see, am I audible? You can hear me? Yes, you are. Fantastic. What an amazing group of people and interesting discussion. I want to go over some of the things that sort of came up and also look at what we, in the best practice forum, could be looking at after this IGF and going forward. In terms of the statement and sort of how our experts looked at that, I think one of the things that really stood out is context and experience. It really is important. So most of our experts did agree with the problem statement and the necessity of it. However, a red thread throughout is that we have many platforms and we have many places. We have a lot of coordination and collaboration that exists. We have to commit to using that. And one of the points that came up is that the IGF could or actually should be used more as a venue for this capacity building. We have to work together. We have to trust and share, which is extremely important on many aspects, but also across sectors. Holistic approaches to security, particularly cybersecurity, it’s not a problem for just companies, private sector, government, individuals. We have to look at both reactive and proactive approaches on multiple levels. I thought it was so interesting to get the health sector perspective. Critical infrastructure as well is made up of individuals. So that’s one of the things that I think came out of the comments that we had on the problem statement. Accessibility and, dare I say, localization is, of course, key. We know this, and somehow we have to hold ourselves to a slightly higher standard than we are right now. Accessibility comes in many forms, as our experts on stage mentioned, because it’s not just about giving access or resources to youth. One of the things that came out of the fixes that I really appreciated is the accessibility doesn’t have to be a threshold or a high level. It simply can be access to information, knowledge, even a device that allows you to become curious and understand your context and your role in a much larger picture. So the consistency in the manner in which we treat not just programming, but activities and projects in cybersecurity is what makes it successful. That’s one of the key elements to the fix, if you like. All of these are guided by conversations, and these conversations need to be done from a point of trust, and it needs to be done across sectors. And it needs to include as many stakeholders as possible. Even some of the low-hanging fruits, interoperability was mentioned as a fairly low-hanging fruit. However, not even those are possible without multiple conversations where we come together and understand the importance of hearing most, or at least as many voices as possible. Interesting for me as a cybersecurity professional is to hear that a lot of the things we’re talking about relate to ecosystems and PDCA, for those of you that know the Plan, Do, Check, Act. It’s not enough to come in and do one thing. It’s not enough to have a training, as our colleagues mentioned. We have to do training, and we have to do follow-up. We have to ensure that the ecosystem of knowledge continues regardless of one person, one community, or even one specific government in place. So we have to commit to the use of these mechanisms that are in place already. We have to, as implementers that come into a context, also understand that we are depleting valuable and necessary resources by constantly going in and inventing the wheel when the wheel is probably already there, perhaps even a really good bicycle or a Ferrari. So understanding that it’s not us first, it is us, the community, first is one of the things that felt very fundamental to our conversations on the fix. A couple of last things. Low resource environments. It’s difficult to prioritize. So how do we do that? Some of the things that came up was not just coordination, but inclusivity and collaboration in a way that is consistent. And that means localization, not just of materials. It means accessibility understood from multiple levels. And that has to do with equity. It has to do with gender. It has to do with age. It has to do with all of the other elements that we know so well from a lot of the work that we do and a lot of things that guide us to spaces like the Internet Governance Forum. Stakeholders, participatory approaches. I’d like to end with something that I thought was very important when we talked about indicators. Because it’s not just numbers. We know that. The thing that we need to be very, very, that we have to emphasize continuously is that it’s a practice. Whether that is allowing more funding or resources to making scenarios, to training, whether that is allowing for follow-up, allowing for more flexible ways in which that we teach people all around the world in very different environments how they can understand their role. If you’re a healthcare worker, it’s not enough to get a regulation or get a don’t-do list. It needs to be relatable to your role and it needs to be understood from the position of where you are and what you have the agency to affect to allow for us to be slightly more secure or at least resilient as we together tackle these huge but very important foundational things that allow us all to be safer, not just online but in reality. I hope that sort of captured, there are so many more things that I’d like to mention and so many good points, including I’d like to mention the demystification of cybersecurity. So on that note, I would like to thank you all for allowing me to summarize these points together and give it back to my colleagues on stage.

Dino Cataldo: Thank you very much, Octavio, for this real-time summarization, very comprehensive, very detailed. Thank you so much. So thank you to all the distinguished speakers that have shared with us their knowledge, their experience, their wisdom. Thank you to my colleagues, co-facilitator, Josephine and Jon Bonanna. And of course, thank you to Wim, the Giselle coordinator, subject matter expert on this event. I don’t know, Wim, if you would like to have some closing remarks.

Wim Degezelle : No, no closing remarks. I just want to make sure that you don’t forget to thank you, Dino, for moderating also part of the session. So thank you all.

Agreement Points

Need for tailored and context-specific capacity building approaches

Brendan Dowling

Yao Amevi Sossou

Tereza Horejsova

Need for tailored capacity building approaches

Importance of accessibility and localization

Importance of sharing information and coordinating efforts

Speakers agreed on the importance of designing capacity building programs that are tailored to the specific needs, contexts, and languages of recipient countries or communities.

Importance of collaboration and information sharing

Brendan Dowling

Tereza Horejsova

Yao Amevi Sossou

Commitment to using existing mechanisms and processes

Importance of sharing information and coordinating efforts

Combining efforts for broader impact assessment

Speakers emphasized the need for better collaboration, information sharing, and coordination among various stakeholders to improve the effectiveness of cybersecurity capacity building efforts.

Challenges in measuring impact of cybersecurity initiatives

Brendan Dowling

João Moreno Falcão

Tereza Horejsova

Qualitative measurement through exercises and simulations

Assessing community needs and outcomes

Tracking project growth and coverage in databases

Speakers acknowledged the difficulties in measuring the impact of cybersecurity initiatives and suggested various approaches to assess effectiveness, including qualitative measurements and tracking project growth.

Similar Viewpoints

Both speakers emphasized the importance of involving multiple stakeholders and conducting follow-up assessments to ensure the effectiveness of cybersecurity capacity building efforts.

Brendan Dowling

Yao Amevi Sossou

Whole-of-nation approach involving multiple stakeholders

Need for follow-up and impact assessment of initiatives

Both speakers highlighted the importance of cross-sector collaboration and trust-building in addressing cybersecurity challenges, particularly in sensitive areas like healthcare data protection.

Mevish P Vaishnav

Tereza Horejsova

Relevance of cybersecurity in healthcare data protection

Importance of trust-building and cross-sector collaboration

Unexpected Consensus

Role of popular culture in cybersecurity education

João Moreno Falcão

Oktavía Hrund Jóns

Leveraging popular culture to attract youth to cybersecurity

Emphasizing practice and continuous learning

There was an unexpected consensus on the potential role of popular culture in attracting youth to cybersecurity and the importance of practical, continuous learning approaches. This highlights a novel approach to cybersecurity education that combines cultural relevance with hands-on experience.

Overall Assessment

Summary

The main areas of agreement included the need for tailored capacity building approaches, improved collaboration and information sharing, and the challenges in measuring the impact of cybersecurity initiatives. There was also consensus on the importance of involving multiple stakeholders and addressing specific needs of different sectors and communities.

Consensus level

The level of consensus among the speakers was moderately high, with most agreeing on the fundamental challenges and necessary approaches to cybersecurity capacity building. This consensus implies a shared understanding of the complexities involved in cybersecurity education and the need for diverse, collaborative strategies to address these challenges effectively. However, there were some variations in the specific focus areas and proposed solutions, reflecting the multifaceted nature of the topic and the diverse backgrounds of the speakers.

Different Viewpoints

Approach to measuring impact of cybersecurity initiatives

Brendan Dowling

Tereza Horejsova

João Moreno Falcão

Qualitative measurement through exercises and simulations

Tracking project growth and coverage in databases

Assessing community needs and outcomes

Speakers proposed different methods for measuring the impact of cybersecurity initiatives, ranging from qualitative exercises to quantitative tracking of projects and community-focused assessments.

Unexpected Differences

Focus on specific sectors in cybersecurity capacity building

Mevish P Vaishnav

Brendan Dowling

Relevance of cybersecurity in healthcare data protection

Whole-of-nation approach involving multiple stakeholders

While most speakers discussed general cybersecurity capacity building, Mevish P Vaishnav unexpectedly focused specifically on healthcare data protection, contrasting with Brendan Dowling’s emphasis on a broader, whole-of-nation approach.

Overall Assessment

summary

The main areas of disagreement centered around methods for measuring impact, approaches to coordination, and the specificity of focus in cybersecurity capacity building.

difference_level

The level of disagreement among speakers was moderate. While there were differing perspectives on specific approaches and focus areas, there was a general consensus on the importance of cybersecurity capacity building and the need for improved coordination and information sharing. These differences in approach could lead to varied strategies in implementing cybersecurity initiatives, potentially resulting in a diverse range of solutions but also possible challenges in creating a unified global approach to cybersecurity capacity building.

Partial Agreements

All speakers agreed on the importance of coordination and information sharing, but differed in their emphasis on using existing mechanisms versus creating new follow-up processes.

Brendan Dowling

Tereza Horejsova

Yao Amevi Sossou

Commitment to using existing mechanisms and processes

Importance of sharing information and coordinating efforts

Need for follow-up and impact assessment of initiatives

Similar Viewpoints

Both speakers emphasized the importance of involving multiple stakeholders and conducting follow-up assessments to ensure the effectiveness of cybersecurity capacity building efforts.

Brendan Dowling

Yao Amevi Sossou

Whole-of-nation approach involving multiple stakeholders

Need for follow-up and impact assessment of initiatives

Both speakers highlighted the importance of cross-sector collaboration and trust-building in addressing cybersecurity challenges, particularly in sensitive areas like healthcare data protection.

Mevish P Vaishnav

Tereza Horejsova

Relevance of cybersecurity in healthcare data protection

Importance of trust-building and cross-sector collaboration

Key Takeaways

There is a wealth of cybersecurity capacity building information available, but it often lacks proper targeting and coordination

Tailored, context-specific approaches are crucial for effective cybersecurity capacity building

Accessibility and localization of resources are key challenges, especially for underserved communities

Cross-sector collaboration and a whole-of-nation approach are essential for building cyber resilience

Measuring the impact of cybersecurity initiatives requires both quantitative and qualitative methods

Regular follow-up, assessment, and knowledge sharing are necessary for continuous improvement

Resolutions and Action Items

Commit to using existing coordination mechanisms like the GFCE and Partners in the Blue Pacific

Encourage stakeholders to share project information on platforms like the Cybil Portal

Develop more inclusive and accessible capacity building programs, considering language and cultural contexts

Implement regular auditing and testing of cybersecurity measures through exercises and simulations

Foster greater collaboration between different sectors and stakeholders in cybersecurity initiatives

Unresolved Issues

How to effectively measure the long-term impact of cybersecurity capacity building initiatives

Addressing the challenge of limited resources and prioritization in low-resource environments

Finding ways to sustain capacity building efforts beyond initial project timelines and budgets

Balancing the need for information sharing with potential security concerns or competitive interests

Suggested Compromises

Combining efforts and resources from multiple organizations to achieve broader impact and more comprehensive assessment

Balancing standardized approaches with localized, context-specific implementations of cybersecurity capacity building

Using both technical and non-technical methods to engage diverse audiences in cybersecurity education and awareness

We’ve implemented some very substantial capacity building programs in recent years But we’ve often found that they can be untargeted Inappropriate and we’ve committed to doing better with our partners about Working with them in dialogue to figure out what the right approach for that country for that context for that situation is

speaker

Brendan Dowling

reason

This comment highlights the importance of tailoring cybersecurity capacity building efforts to specific contexts rather than using a one-size-fits-all approach. It demonstrates a shift in thinking towards more collaborative and customized solutions.

impact

This comment set the tone for much of the subsequent discussion, emphasizing the need for bespoke, context-specific approaches to cybersecurity capacity building. It led to further exploration of localization and accessibility issues.

We need to make sure that we have the capacity-building opportunities to make it more accessible to young people. And the most common used tool to access internet in Africa is a mobile phone.

speaker

Yao Amevi Sossou

reason

This comment brings attention to the specific needs of young people and the importance of mobile technology in Africa, highlighting the need for targeted and accessible capacity building approaches.

impact

It shifted the conversation towards considering specific regional and demographic needs, leading to discussions about language accessibility and the use of popular culture in cybersecurity education.

Sometimes when we have had conversations with recipient countries, even sometimes it was really voicing concerns like, please organize yourselves. We cannot handle our capacity is already limited. And if we have everybody coming to us separately, trying to do their project, we are overwhelmed as well.

speaker

Tereza Horejsova

reason

This comment provides a crucial perspective from recipient countries, highlighting the challenges they face in coordinating multiple capacity building efforts. It underscores the need for better coordination among donors and implementers.

impact

This insight led to a deeper discussion about the importance of coordination and information sharing among different stakeholders involved in cybersecurity capacity building.

I think in cyber security, qualitative measurement is really crucial. For me, testing through exercises is one of the most effective ways to qualitatively test whether your arrangements, your capacity, your preparedness have improved.

speaker

Brendan Dowling

reason

This comment introduces a practical approach to measuring the impact of cybersecurity capacity building efforts, moving beyond quantitative metrics to emphasize the importance of qualitative assessment through exercises and simulations.

impact

It shifted the discussion towards more concrete ways of evaluating the effectiveness of cybersecurity initiatives, leading to a broader conversation about impact measurement and continuous improvement.

Overall Assessment

These key comments shaped the discussion by moving it from general observations about cybersecurity capacity building to more nuanced considerations of context-specific approaches, accessibility, coordination challenges, and practical impact measurement. They helped to highlight the complexity of the issue and the need for multifaceted, collaborative solutions that take into account the perspectives and needs of all stakeholders involved. The discussion evolved from identifying problems to exploring concrete strategies for improvement, emphasizing the importance of tailored approaches, better coordination, and ongoing assessment in cybersecurity capacity building efforts.

How can we improve the accessibility and localization of cybersecurity capacity building resources?

speaker

Yao Amevi Sossou

explanation

Addressing language barriers and making resources accessible to underserved communities, especially in Africa, is crucial for effective capacity building.

How can we better engage and train frontline educators in cybersecurity?

speaker

João Moreno Falcão

explanation

Involving educators is essential to reach a wider audience and make cybersecurity education more effective.

What mechanisms can be developed to ensure follow-up and long-term impact of capacity building initiatives?

speaker

Yao Amevi Sossou

explanation

Many initiatives are budget-constrained and time-limited, so ensuring continued impact is important for sustainable capacity building.

How can we leverage popular culture to demystify cybersecurity and attract more people to the field?

speaker

João Moreno Falcão

explanation

Using popular culture references could help make cybersecurity more approachable and inspire more people to enter the field.

What are effective ways to measure the impact of cybersecurity capacity building initiatives?

speaker

Dino Cataldo

explanation

Developing appropriate indicators to assess the effectiveness of capacity building programs is crucial for improvement and justification of resources.

How can we improve coordination and information sharing among donors and implementers of cybersecurity capacity building projects?

speaker

Tereza Horejsova

explanation

Better coordination could reduce duplication of efforts and improve the overall impact of capacity building initiatives.

What strategies can be employed to ensure cybersecurity capacity building reaches and engages the whole of society?

speaker

Brendan Dowling

explanation

A whole-of-nation approach involving government, industry, and community is necessary for effective cyber resilience.

How can we prepare for the potential vulnerabilities that may arise if quantum computing becomes democratized?

speaker

Mevish P Vaishnav

explanation

Anticipating future technological developments and their impact on cybersecurity is important for long-term resilience.

Summary

This panel discussion focused on global approaches to AI governance, with particular emphasis on perspectives from the Global South. Experts from various regions discussed the challenges and opportunities in developing AI regulatory frameworks that respect human rights and cultural diversity.

The discussion highlighted the African Union’s recent adoption of a regional AI strategy, which aims to promote ethical AI use aligned with the continent’s development goals. Challenges faced by African countries in implementing AI governance include infrastructure limitations, skills shortages, and the need to address unique socio-economic issues.

In Asia, a more cautious “wait-and-see” approach was noted, with most countries opting for soft law and best practices rather than hard regulations. The importance of addressing existing digital divides and human rights concerns before fully embracing AI was emphasized.

The European Union’s AI Act was presented as a pioneering regulatory framework, balancing innovation with fundamental rights protection. Its potential influence on global AI governance through the “Brussels effect” was discussed, along with the challenges of exporting such a politically rooted framework to other regions.

The geopolitical aspects of AI governance were explored, including the role of organizations like G20 and BRICS in shaping policies. The need for collaboration between Global North and South was stressed, with human rights proposed as a universal language for developing inclusive AI governance frameworks.

The discussion concluded by addressing the challenges faced by Global South countries in regulating technologies primarily developed outside their jurisdictions. Participants emphasized the importance of leveraging existing legal frameworks and regional collaboration to effectively participate in global AI governance discussions.

Keypoints

Major discussion points:

– Different regional approaches to AI governance, including the EU AI Act, African Union strategy, and developments in Asia

– Challenges faced by Global South countries in developing AI governance frameworks, including lack of infrastructure and technical capacity

– The need to center human rights in AI governance approaches rather than just focusing on risk

– Geopolitical tensions shaping AI governance and the potential for fragmentation of approaches

– The role of the private sector and need for corporate accountability in AI governance

Overall purpose:

The purpose of this panel discussion was to examine global approaches to AI governance, with a focus on perspectives from the Global South. The panelists aimed to highlight emerging approaches from different regions and discuss challenges and opportunities for more inclusive AI governance frameworks.

Tone:

The overall tone was academic and policy-oriented, with panelists providing expert insights from their regional perspectives. There was a collaborative spirit, with panelists building on each other’s points. Towards the end, the tone became more urgent in discussing the need for Global South countries to move beyond being consumers of AI and become active contributors to global governance frameworks.

Speakers

– Melody Musoni: Digital Policy Officer at the European Centre for Development Policy Management, moderator of the panel

– Jenny Domino: Non-resident fellow at the Atlantic Council’s Digital Forensic Research Lab, Senior Case and Policy Officer at the Oversight Board at META, PhD candidate at Harvard Law School on global governance of technology

– Lufuno T Tshikalange: Expert in cyber law, founder of Orizo Consulting specializing in data privacy, cyber security governance, and ICT contract management in South Africa

– Gianclaudio Malgieri: Associate Professor of Law and Technology and board member of the eLaw Center for Law and Digital Technology at the University of Leiden Law School, Co-Director of the Brussels Privacy Hub, Managing Director of Computer Law and Security Review

Additional speakers:

– Dr. Sabine Witting: German lawyer and Assistant Professor for Law and Digital Technologies at Leiden University, co-founder of TechLegality consultancy firm

Global Approaches to AI Governance: Perspectives from the Global South

This panel discussion brought together experts from various regions to examine global approaches to AI governance, with a particular focus on perspectives from the Global South. The panellists explored the challenges and opportunities in developing AI regulatory frameworks that respect human rights and cultural diversity, highlighting the need for inclusive and collaborative approaches to global AI governance.

Regional Approaches to AI Governance

The discussion revealed significant variations in regional approaches to AI governance:

1. African Union: Lufuno T Tshikalange highlighted the African Union’s recent adoption of a regional AI strategy in August 2024, aligned with the continent’s Agenda 2063 and digital transformation strategy. This strategy aims to promote ethical AI use in line with Africa’s development goals while addressing the triple challenges of inequality, poverty, and unemployment.

2. Asia: Jenny Domino described a more cautious “wait-and-see” approach in Asia, with most countries opting for soft law and best practices rather than hard regulations. This approach reflects a desire to observe the outcomes of regulatory efforts in other regions before implementing comprehensive frameworks.

3. European Union: Gianclaudio Malgieri presented the EU AI Act as a pioneering regulatory framework, which has evolved from a product safety tool to a fundamental rights tool. The Act attempts to balance innovation with fundamental rights protection and includes a list of prohibited practices. The potential influence of the EU AI Act on global AI governance through the “Brussels effect” was discussed, along with the challenges of exporting such a politically rooted framework to other regions.

4. Council of Europe: The panel discussed the Council of Europe AI Convention, which focuses on public sector AI and its potential relationship with the EU AI Act.

Challenges in Developing AI Governance Frameworks

The panellists identified several key challenges faced by Global South countries in developing and implementing AI governance frameworks:

1. Infrastructure limitations: Lufuno T Tshikalange emphasised the lack of necessary infrastructure in many developing countries, including inadequate internet access and insufficient data for training models, which hinders their ability to fully engage with AI technologies and governance.

2. Skills shortages: The need for technical expertise and capacity building in AI-related fields was highlighted as a significant challenge for many Global South countries.

3. Existing digital divides: Jenny Domino stressed the importance of addressing existing digital divides and human rights concerns before fully embracing AI governance.

4. Measuring risks to fundamental rights: Gianclaudio Malgieri pointed out the difficulty in quantifying and measuring risks to fundamental rights when developing risk-based approaches to AI governance.

5. Limited leverage over tech companies: An audience member raised the issue of Global South countries having limited influence over tech companies based in other jurisdictions, making it challenging to enforce regulations effectively.

Human Rights-Centred Approach

A recurring theme throughout the discussion was the importance of centring human rights in AI governance approaches:

1. Universal framework: Jenny Domino proposed human rights as a potential universal language for developing inclusive AI governance frameworks that could be understood across different regions and political contexts.

2. Balancing risks and rights: While the EU AI Act was praised for attempting to balance risks and rights, there was debate about whether a purely risk-based approach was sufficient to protect fundamental rights.

3. Corporate accountability: The discussion touched on the need for mechanisms to hold companies accountable for adverse human rights impacts caused by AI systems, drawing parallels with the UN Guiding Principles on Business and Human Rights.

Geopolitical Aspects of AI Governance

The panel explored the significant role of geopolitics in shaping AI governance approaches:

1. G20 and BRICS: Melody Musoni highlighted the potential for organisations like G20 and BRICS to influence global AI governance discussions and policies. South Africa’s G20 presidency was mentioned as an opportunity for collaboration in AI governance.

2. Political standpoints: Differing political views on issues such as social scoring were noted as factors shaping diverse governance approaches across regions.

3. Fragmentation concerns: Jenny Domino emphasised the need to consider geopolitical tensions and the potential fragmentation of internet governance when developing AI governance frameworks.

Collaboration and Inclusivity

The panellists stressed the importance of collaboration between the Global North and South in developing effective AI governance frameworks:

1. Moving beyond consumer status: Lufuno T Tshikalange urged Global South countries to leverage their skills and case studies to contribute actively to global AI governance discussions, rather than being mere consumers of technology and regulation.

2. Regional collaboration: The potential for regional bodies like the African Union to increase leverage in regulating multinational tech companies was discussed.

3. Inclusive dialogue: The need for diverse voices in shaping AI governance was emphasised, with calls for the Global South to be seen as contributors rather than subjects of discussion.

Practical Approaches and Future Directions

The discussion highlighted several practical approaches and unresolved issues that require further attention:

1. Building on existing frameworks: Panellists suggested focusing on existing laws (e.g., data protection, criminal law) as a starting point for regulating AI in countries with limited capacity.

2. Influence of EU AI Act: The potential impact of the EU AI Act on other regions was noted, with the Brazilian AI Act mentioned as an example of its influence.

3. Achieving a universal approach to AI governance while respecting regional differences

4. Effectively regulating AI in developing countries with limited leverage over tech companies

5. Balancing innovation with protection of fundamental rights in AI governance

6. Measuring and quantifying risks to fundamental rights in AI systems

The panel concluded by emphasising the need for continued dialogue and collaboration to address these challenges and develop more inclusive and effective global AI governance frameworks.

Melody Musoni: Hi, Dr. Sabin, everyone. Hi, everyone. Hi, everyone. Hi, everyone. Okay. I have very good morning, everyone. Okay. Can you hear me. Can you hear me. Good morning, everyone. Welcome to our panel discussion where we are going to be talking about a global South perspective on AI governance. My name is Melody Musoni, I’m a Digital Policy Officer at the European Centre for Development Policy Management and I am going to be moderating this session together with my co-moderator Dr. Sabine. Dr. Sabine Wietzing is a German lawyer and an Assistant Professor for Law and Digital Technologies at Leiden University in the Netherlands. She’s also the co-founder of TechLegality, a consultancy firm specializing in human rights and digital technologies. And the purpose of our panel discussion is basically to have a conversation around the global approaches to AI governance and especially the emerging approaches that we see from the global South. And I think this conversation and this discussion is quite critical as we are at a point where we are setting international standards on AI governance and these standards tend to be set by the global North countries. But as of late we have seen global South countries pushing back and also demanding for fair and equal representation of their cultural and social norms and values when it comes to developing of AI frameworks. So there is also a question of whether it’s possible to even have an international framework on AI governance that is representative and reflective of all the different or diverse cultures that we have and the different political, economic and political and social contexts for different countries. And I guess one of the outcomes that came from the Summit of the Future being the Global Digital Compact is that more and more countries are making that commitment to enhance international governance of AI for the benefit of humanity. and our quote from the Global Digital Compact, it says, for a balanced, inclusive, and risk-based approach to the governance of AI, with the full and equal representation of all countries, especially developing countries, and the meaningful participation of all stakeholders. So I think that the future of AI governance is also being shaped by the geopolitics and the geopolitical competition, especially of the superpowers that we have, the U.S. and, example, China. And, of course, because of that AI race, we need to also start thinking about the implications on that, on how global South countries actually approach the question of AI governance. And, of course, the governance of AI will likely be shaped by aspirations of AI sovereignty or tech sovereignty, and very little to do with the promotion and protection of human rights. So in this panel discussion, we are going to try to answer three policy questions. The first one is, what regulatory approaches to AI are being adopted by the global South, and do these approaches advance the protection of human rights? And the second policy question is, what challenges are being faced by the global South in developing their AI governance framework? And the last question is, what are the implications of different regulatory approaches on AI development and deployment in the global South? That being said, I am joined on this panel by a panel of brilliant experts who will be representing different regions. We have a colleague representing Africa, China, talking about Africa, Latin America, Asia, and Europe. So maybe I’ll start with the introductions. Sitting with us today, we have Jenny Domino. She’s a non-resident fellow at the Atlantic Council’s Digital Forensic Research Lab. and a Senior Case and Policy Officer at the Oversight Board at META, where she oversees content policy development concerning elections, protest, and democratic processes. She’s also completing her PhD at Harvard Law School on the global governance of technology. So welcome, Jenny.

Jenny Domino: Thank you.

Melody Musoni: And then online, we are joined by advocate Lufuno Chikalange, who is a distinguished expert in cyber law and the founder of Orizo Consulting, a firm specializing in data privacy, cyber security governance, and ICT contract management in South Africa. She has over 10 years of multidisciplinary experience in the ICT sector and is recognized as one of Africa’s top 50 women in cyber security. So welcome, advocate. And we are also joined by Gian Claudio Malgheri. He’s an Associate Professor of Law and Technology and a board member of the eLaw Center for Law and Digital Technology at the University of Leiden Law School. He’s also the Co-Director of the Brussels Privacy Hub and the Managing Director of Computer Law and Security Review. So welcome, panelists. So I guess I’m just going to jump right into our discussion, and I’m going to start with advocate Lufuno to shed more light on the development of AI governance, especially on the African continent. What you see is some of the challenges that African countries are experiencing when they are developing their AI frameworks as well. You can go ahead.

Lufuno T Tshikalange: Thank you, Dr. Melody, and thank you for having us here today. In Africa, we do now have a regional artificial intelligence strategy. which has been developed this year, 2024. And it was adopted by the African Union Executive Council in August, 2024. And currently we are participating within the auspices of African Union Commission to contribute to the strategy implementation plan for the next five years, which will be 2025 to 2030. So this strategy is seeking to ensure that we have appropriate establishment of AI governance and regulations and to ensure that we accelerate the AI adoption in key sectors like agriculture, education, and health. And this is aligned to the agenda 2063 and the digital transformation strategy that we had adopted earlier. It is also promoting the creation of an enabling environment for an AI startup ecosystem and also to deal with issues of skills and talent development, which is not just AI skills shortage, but ICT across the board, we have a shortage of skills. And it is also promoting a grassroots research and innovation partnership in AI, which is important for us if we were to participate meaningfully in the digital economy and more importantly in the AI economy. The important part is that the implementation of this strategy is going to be based on ethical principles. which respects human rights and diversity, and also ensuring that we have appropriate technical standards for AI safety and security. So the approach that this AI strategy have taken is a multi-pronged approach, emphasizing that the regulatory framework is flexible, agile, adaptable, context, and risk-based, because it’s important that we do not do cut and paste, though the development of this strategy did learn from the EU, the OECD, and other regions, but the intention is to make sure that the strategy is responding to our own unique challenges. Importantly, the triple challenge, the inequality, poverty, and unemployment. It is also emphasizing that the approach be multi-tiered and is collaborative. The strategy goal is to promote human-centric approach, which is very important that the technology is developed as a tool to assist our developmental goals, not to exploit the people or violate the people’s human rights. And at the same time, it is also very strong on security by design, and ensuring that there is accountability and transparency in both the design and deployment of AI, systems. The strategy highlights the needs to make sure that mechanisms throughout the AI life cycle, life cycle, they. mitigate potential harms from AI technologies while we foster responsible development and use of AI across Africa. It is important to note, as I’ve mentioned earlier, that the AI strategy is not a standalone, but it is a part of the broader digital transformation strategy. So even the priorities that are in the strategy are derived from the digital transformation strategy, which is also informed by the agenda 2063. So the intention is not to have an AI strategy for the sake of it, but to have an AI strategy that will respond to our unique challenges, stimulating our economy and promoting the integration that is a target for the agenda 2063, and ensuring that we generate inclusive economic growth and stimulating job creation, and that there is the holistic approach to digital revolution for socioeconomic development that meets the needs of Africans. Other important baseline policy frameworks include the AU Convention on Cybersecurity and Personal Data Protection, which is commonly known as the Malabo Convention. The current challenge that we have is that the Malabo Convention has been adopted in 2014, came to effect June last year, but is yet to be implemented. We also have the AU Data Policy Framework, which has an expanded framework in terms of how effective data governance can be. to be achieved even as we implement imaging technologies like the the AI. So we have our priorities and guiding principles that are provided by the strategy which is local first people centered and human rights and dignity. It’s everywhere in this strategy because it’s important that as we. Technology or advance. We are not violating human rights like the right to privacy as they have charter and different constitutions in in in states in Africa. Peace and prosperity is also one of the reason or the principles that will be governing this strategy. Inclusion and diversity. As we said that we are struggling with triple challenges, one of which is inequality. Exacerbated by a lot of. Divides digital divide information, divide infrastructure device and a number of device that makes the technological development and even within Africa which is even worse. If we then have to compare ourselves with other regions, and it also promotes ethics and transparency as one of the principles. Cooperation and integration as AI or any other implementation of imaging technologies cannot be done inside. We have to do it in collaboration with each other. So we say that the AI governance conversion is in what conversation is important to us because of the seven aspirations that we need to achieve according to agenda. 2063 and the SDGs that correspond with the same. Our key concerns, however, is the misuse of intellectual property and the potential for misinformation threatening our societal cohesion and democracy, lack of infrastructure. And we also are considering barriers that may make AI adoption a bit of a challenge, including inadequate internet access, insufficient data for training models or unstructured data, limited computing resources, and us not having sufficient skills. So the risk that we have identified and will be addressed fully in the implementation plan includes environmental risks, system level risk like the biasness that may come with the AI systems, structural risk like your automation, which might increase disparities that we have and inequalities, cultural and societal risk because heritage and culture as we advance into the world of technologies. So we are working on strategies that will help us ensure that so our triple challenge and other challenges as identified in the agenda 2063, we are not now creating more challenges for ourselves. We have examples that we will be looking at in terms of case studies that can help us accelerate the implementation and adoption of AI within the African region. as Algeria, Egypt, Benin, Mauritius, Rwanda, and Senegal are already leading in the space, having their own to deal with the identified objectives within their own countries.

Melody Musoni: So, should we continue? Okay, it seems like we have lost our advocate, Lufuno, but from what she was sharing, she was giving an overview of what is happening in Africa, particularly with the continental AI strategy and how it connects with the broader vision of Agenda 2063 and the digital transformation strategy, as well as drawing examples of some of the African countries that are actually developing their own national AI frameworks. So, I guess I’m going to come to you, Jenny, to talk more about the case of Asia. I remember last year at the IGF, we were in Kyoto, and Japan was sharing its role in the shaping of the international frameworks on AI through the Hiroshima AI process and how it shaped the G7 AI principles. And now we are here in Saudi Arabia, and they also developed the Riyadh charter on AI principles for the Islamic world, which is aimed at aligning AI frameworks with Islamic values and principles. And as someone who has been doing work on AI governance, Do you see an emerging of different approaches on AI governance and do you see these approaches promoting or upholding human rights in your perspective?

Jenny Domino: Can you hear me? Yeah? First of all, good morning everyone. I’m happy to be here just to qualify that I’m speaking in my personal capacity and my views don’t necessarily reflect the views of the organizations I represent. To answer your question, I echo what Advocate Lufuno already mentioned and discussed. In Asia, by and large, we see more of a wait-and-see approach. So we don’t have anything that comes close to the EU AI Act in terms of hard law, in terms of regulation. So there are draft legislative initiatives. There’s the ASEAN guidance. So more on best practice approach or soft law approach rather than hard law that we see so far in Asia. Draft laws in Japan, Korea, Thailand, and other countries. And what I see as a common thread among all these various initiatives is it has overlaps with the EU AI Act, for example, in terms of risk tiering, right? With minimal risk, limited risk, up to high risk. There is a lack of centering of human rights and many human rights groups have actually called this out, including in the EU AI Act, that the focus on risk tends to eclipse the focus on rights. And I think there’s something here that we can learn from platform governance, from governing social media platforms. We’ve seen how emerging technology, when I speak about social media… from decade ago, more than a decade ago, there was a lot of excitement, there was a lot of hype, and the lack of centering of human rights actually led to a lot of human rights violations. The UN fact-finding mission on Myanmar many years ago in 2018 identified Facebook being used by ultranationalist monks and military officials in Myanmar to incite violence against an ethnic minority. And this is just to give you an example of how if we don’t center human rights when we talk about AI regulation, whether it’s legislative or policy, then it could be misused. And we already see this happening, for example, in the use of generative AI in conflict settings. And as you said, Melody, there is a lot of geopolitical tensions happening around the world, a lot of armed conflict situations happening around the world. One of the things that we need to think about also is how AI technology can be used. Another thing that I want to emphasize also is, you know, when we speak about AI, AI encompasses a broad range of uses and purposes. So there are more traditional AI uses, for example, in content moderation of social media platforms. They use automated technology to enforce their rules on social media in taking down things like misinformation or hate speech. There are, you know, so there is that, but then there’s also more emerging technology such as generative AI, like chat GPT, and many of the issues that involve these technologies, Advocate Lufuno already mentioned, and I won’t be repeating that here. Except to emphasize that there is a divide in terms of basic infrastructure, on the one hand, inequality. So you can’t really, so I, one of the things that I’m worried about is the hype surrounding AI, again, tends to overlook many infrastructure problems that we still see in Asia in developing countries. And we can’t really think about AI uptake in these countries until we solve basic issues like access to education and digital education. And then on the other hand, we also have existing human rights issues in many countries in the world, including in Asia. We see internet shutdowns, website shutdowns. So if these things are not even addressed, we can’t really talk about AI as a shiny, it’s a shiny new thing, but we haven’t really addressed existing issues concerning the internet. And so I think that’s something that I want to highlight in this conversation. And as Advocate Lufuno also mentioned, we need to center stakeholders, but actually in the human rights framework, it’s rights holders. Who are the communities affected by this technology? and who are we leaving out? Who are we including in the conversations that must happen? I’ll stop here.

Melody Musoni: Thank you so much for your contribution. I guess you have actually raised something that I was talking about earlier coming here, that now we are just talking about AI, AI, but we are forgetting about the important issues, the foundation of AI, issues on digital infrastructure, for example, accessibility to the internet and things like that. So AI is coming in and creating further divide and our focus is now on AI governance, overlooking some of the existential problems that we already face. I’m going to come to Gian Claudio to talk more about the developments that are happening in Europe. I’m sure everyone has heard about the EU AI Act, but what exactly is this Act about? And perhaps you can also touch more on the Council of Europe and the developments that are happening within the Council of Europe in developing another framework on AI and making that distinction because we tend to be confused, like what is the EU AI Act and what is the Council of Europe framework on AI governance as well. So over to you, Gian.

Gian Claudio: Thank you very much. I hope you hear me well. Yeah, good. So yeah, indeed, the AI Act was a bit everywhere in the, I think, in the discussion because all countries, all other countries might refer to the AI Act as a model or as a non-model. So I think I would like to start from the, yeah, maybe the history, the legislative history of the AI Act very briefly. Then we see the mission of the law and the structure in comparison with the other laws. that we have in Europe also regulating AI-related aspects, and maybe, indeed, a focus on the AI Convention and interplay between the AI Act and the AI Convention. Now, doing everything in seven, 10 minutes is impossible, but we will try to do some highlights. Okay, so the AI Act, indeed, is the oldest, sorry, the first AI regulation we have in the world. Of course, we had already some AI-related views in many countries, including Europe, but the AI Act has this ambition to regulate artificial intelligence as a whole. It took three years, more than three years, from the initial text of the European Commission to the final approval, so from April 21 to August 24. August 24, the first of August 24 is the entry into force, but then we have more, you know, a different timing from entry into force for different companies, different kind of entities. At the same time, I was hearing that, for example, the Asian approach is wait and see, and in Europe, we don’t have that approach. Why so? I think the main point is that sometimes, wait and see is too late, because, so we usually have this, there’s this narrative also for big tech, et cetera, right, that it’s better to first let innovation go, and then we can regulate. Then, of course, I think the European Union took a different position, also because sometimes, if we let innovation go, if we let companies go, et cetera, then the consequence might be that, the consequence might be that, indeed, the harm already produced, human rights and fundamental. And sometimes these technologies create dependency on society. So society and individuals might depend on these technologies. So it might be the case that it’s too late or too big to, you know, to sanction, too big to fail. This was happening, for example, to generative AI system like OpenAI, but also to some chatbots. But going zooming a bit more in the structure of the AI act. So I would like to say that the AI act has this difficult balancing between risks and rights. And in particular, also, it is this particular development because it was initially considered as a product safety tool. So something more related to consumer protection or product safety, which is also touching consumer protection. And indeed, it was proposed. This is also interesting to notice that the European Commission has different DG, different Directorate General. And this was not proposed by DG Justice, which is usually the part of European Commission responsible for rights, fundamental rights, liberties, etc. But it was proposed by DG Connect. So it was also interesting that it was developed really as a technological safety tool. Then during the negotiations, both at the European Parliament and also the Council, during these three years, the AI act became something else. It became a fundamental rights tool. So we still see, like, the structure and the DNA of the product safety directive, product safety regulation, and then with a lot of fundamental rights in it. But it’s not a tool for individual rights, it’s a tool for protecting fundamental rights through risks, so this is important. And I think this is one of the main merits of the AI Act, because the AI Act takes some choices. It’s not leaving everything to the decisions of companies or the decisions of member states. There are some political choices about risk to fundamental rights that the AI Act takes. And it’s the first and only time, now we see that other laws like the Brazilian AI Act, I don’t want to talk about other regions, but just to say it’s the first time and maybe the only case in which we have a list of prohibited practices. And this brave choice was a political choice. This was part of the most problematic section of the negotiations. So what was the choice in terms of prohibited practices of AI? So for example, social scoring on AI is prohibited. Manipulation or let’s say exploitation of manipulation for special vulnerabilities is prohibited. We have also special prohibitions for emotional recognition for workers and students in school and in the workplace. But also we have the special prohibitions related to law enforcement and to the use of biometrics. So this is a list, I cannot go through the list, it’s a long list with a lot of exceptions. But I think then what’s important to know… is that in addition to this unbearable risks list, we have also high risk. For high risk, the approach is allowance, so they are allowed, but there’s a lot of governance duties that are considered. One of the main governance duties is that, of course, these high risk systems need to have a data governance plan, need to check their bias, and so to have a system to limit or delete biases. Of course, you cannot delete bias. You can mitigate certain sense of biases. Then, you know, so there are different other rules like human oversight, interpretability, and so on. Then there is an area for limited risk in the AI Act, and the final area of protection is about general purpose AI. General purpose AI. So there’s a parallel regulation in the whole law. The whole law is very big. It’s 112 articles. It’s huge, but just to say, there is a parallel also chapter about general purpose AI, that aims to regulate also generative AI, and they are divided for systemic risk and non-systemic risk. So the generative AI, which produce systemic risk and generative AI, that does. Just to say, I think the balancing with innovation was also really in mind of the legislators, in particular the council, and in particular some parties of European Parliament. So the conclusions on, there is a whole chapter on how AI for innovation should be considered. So I think one of the main aspects of the innovation part is that there are some rules for SMEs, so more than medium enterprises, but also there are some protections, specific protections for the training of AI. with exceptions to the data protection rules. And this is called the regulatory sandboxes, if it’s for public purposes. Okay, of course, I cannot say more on the AI Act, it’s huge, there are so many things I didn’t mention, but just a couple of more minutes to contextualize the AI Act in the broader EU picture, and then the AI Convention about the Council of Europe. So just to say that the AI Act is not the first piece of legislation to regulate AI-related elements or AI-related societal aspects in Europe and in the European Union. Already the GDPR, the first data protection rules that we had on a regional perspective in the world was regulating several aspects about AI. For example, Article 22 is about automated decision-making, but also there’s the definition of profiling, there are many transparency rules. Connected to the GDPR, we have the Digital Services Act, which regulates digital services for online platforms, and also the use of AI, recommender systems, online behavioral advertising using profiling. So there’s a lot also related to AI in the Digital Services Act, which was approved 2022. Digital Markets Act, a bit also, so also regulating big platforms in the digital market. Then we have, of course, Data Act, DGA, et cetera, but just to say it’s not in the silo of just AI Act. And then we have AI Liability Directive that has been proposed that would be probably never accepted because, as you know, the European Union has a compact, which is a big process, and we already know that the Council of Europe, in particular France, are against this Liability Directive because now there’s this wave of, you know, we regulate it too much, we need to have more innovation. France, in particular with Macron, was very concerned about not adding new rules. But actually the AI Liability Directive is just the final element of the AI Act, it’s connected. It’s just providing some exemptions and rules for liability when the AI Act is violated. Okay. But just to say, this is a very, very broad picture. Then 30 seconds of the AI Convention and I will stop. So the Council of Europe this year, actually a few weeks ago, finally approved also the AI Convention. It’s interesting to notice this is not just a regional act, because many other countries that are not part of Europe and not part of European Union, like not part of let’s say political and geographic Europe, are also members of, so are also signatory members. For example, the United States are signatory of the AI Convention. But also we have other countries in the Caucasian, et cetera, for example, just to mention Georgia is a signatory, et cetera. So the AI Convention is similar to the AI Act in terms of, you know, definition of AI. They both take the OECD definition of AI. But it’s different in terms of scope. The AI Convention, so the Council of Europe AI Convention, just regulates public sectors AI. So the use of AI by public sectors. But the member states can also opt in for private actors regulating AI, sorry, providing and deploying AI. Then another important thing is that the AI Act regulates deployers and providers of AI, while the AI Convention just regulates the whole, I mean, not just, but regulates the whole life cycle of AI. So from the very first phase of elaboration to the final elements of the commercialization of AI. So there is this difference. I think this is, these are all some of. the main, let’s say, difference that they have. Also, the AI Convention doesn’t have a list of prohibitions. Then maybe the open question, and I will leave with this question, is whether the AI Act can be a European Union implementation of the AI Convention, because we know that the AI Convention is an international treaty, why it should be implemented by signatories, should be implemented by Member States, while the AI Act is a law of a legal system, which is European Union. So even though the AI Act was approved before the AI Convention, the AI Act might be an implementation of the AI Convention in Europe. And this is an open question that we are still working on. Thank you.

Melody Musoni: Thank you so much, Gian-Claudio, for your contribution. And I guess the points you raise, especially on the roadmap and the discussions leading to the EU AI Act, is something that I find relevant, especially in the African context, where there is a push to regulate, but not taking our time to actually have these negotiations, to actually understand what our approach is. And I always give the EU processes as an example, that it took over three years for you to be where you are with the EU AI Act. And I guess the issues that you also raise on AI, that it’s not just the EU AI Act that’s regulating AI Act, we have the Digital Services Act, the Digital Markets Act, and the GDPR, which also in a way regulate AI, is also important to our approaches to understanding AI governance and regulation. And of course, the distinctions between the Council of Europe framework and the EU AI Act, I think it’s also quite important for me as someone who is learning more about the EU processes and what’s happening with the Council of Europe. So I’m going to change things a bit because one of our speakers was not able to join. So before we go to a second round of questions for the panelists, I wanted to find out from the audience online and here, if you have any questions to our panelists based on what they have already contributed before we move on to the next segment of our discussion. Online?

AUDIENCE: Melody, if I may, just maybe one of the things that I always ask myself, and I know I should know the answer to that, but I don’t. And it might also be interesting for others. I think this risk-based approach, Jean-Claude, that you were talking about, risk to what? So because I think in the EU-AI Act, as you have said, it started as a product liability framework and then later on we infused it with fundamental rights left, right and center, or we tried at least. But so the EU-AI Act looks at risk to what and who is determining, or what was the discussion around these different risk categories? How was that assessed? Maybe you can tell us a little bit more about it. Because Jenny also said that Asian countries are also looking at this kind of tiered approach to risk, and maybe we can hear then from Jenny a little bit more about what the discussions are, how to determine risk and think about these different categories. So maybe Jean-Claude, and then Jenny, you could follow. And then Advocate Lufuno also from maybe the EU perspective.

Gian Claudio: Yeah, sure. Thank you. Great question. Of course, this is a bleeding spot of the legislation about technology, I would say, in Europe, because already in the GDPR, we had this problem. Because the GDPR was one of the first… I think, to first introduce the concept of risk to fundamental rights. What is a risk to a right? Risks come from business management doctrine, let’s say, while fundamental rights come from human rights and fundamental rights analysis. And they are based on very, very, very different mental frameworks, intellectual frameworks. Risks can be measured and controlled. Fundamental rights are moral boundaries that are difficult to conceive and consider as a measurable element. They are usually not measurable, they are qualitatively measurable, if we can say that, but not really quantitatively. So this was a big problem we already had in 2016 with the General Data Protection Regulation. And then it went on because the Digital Services Act has similar problems for risk assessment. And then now the AI Act. So I would say that the idea is risk to fundamental rights is a short answer, but then how can we measure it, how can we analyze it? So I think one of the ambiguities of the law is that also in Article 1, Article 1 says that the AI Act aims to regulate and to protect fundamental rights, health, safety. And it’s always, I’m always a bit skeptical, always, I have to say, a bit critical when you put health and safety as something different from fundamental rights, from the health and safety as part of a bigger understanding of fundamental rights. And then Article 1 goes on and says fundamental rights, especially democracy. But democracy is not really a part of fundamental rights charter. If you do counter-left democracy, you will not find much. much. So it’s a bit of a paradox that health and safety are considered as something else than fundamental rights. And democracy is considered part of that. Of course, we know that they’re all connected, right? They’re all under the same approach. So just to say, there are, of course, political choices to be made, because when you go from fundamental rights to applications and prohibitions, we cannot leave everything to just private accountability. So I think the important thing is that the regulator said, for me, I don’t know, mental integrity means this. And so they prohibited manipulation and expectation of vulnerability. So just to make an example. And yeah, I think, and I will conclude with this. I, with a colleague in Ultrex, Cristiano Santos, we did some research on how we can really measure risk to fundamental rights, in particular, the severity element. And now we are working with an NGO, ECNL, to try to understand how to really do that. So we published an article this year, to try to understand how the subjective use of marginalized groups, for example, can participate, can inform the discussion of how to measure fundamental rights severity. So the risk severity, okay. And how other elements like adverse effects, but also violation of laws, because this, we have usually these big discussions in Europe. Some people say that risk to fundamental rights is just a violation of the law. But this is a bit limited, because it’s just yes or no. The question is black or white. It’s difficult to measure. Other people say that we should measure the adverse effects. But to measure the adverse effects, you would need something quantifiable like property or health, you know, and then you reduce all violation of fundamental rights. of privacy, et cetera, it’s reduced to what the psychologist or a psychiatrist or an economist would measure, not what a real human rights expert measures. So this is a bit the open issue, I guess, but this is bigger than just AI.

Jenny Domino: Yes, thank you. So in the Asia Pacific region, so what I see in terms of risk, it’s sort of similar to the EU AI Act. So there are prohibited uses that are enumerated, for example, in the ASEAN guidance on AI governance and ethics. There is not a lot of articulation on risks to whom, to answer your question, Sabine. And then when it comes to human rights, there’s not a lot of mention of it, if at all. And also with stakeholder engagement or rights holder engagement. Before I delve further into this, I want to just make a note about the earlier panelists about the race to regulate. And I think what’s so interesting to me about this framing is that in this race, who is competing against whom and who is left out. So if we’re thinking about the global South, right, developing countries, I agree that we need to hold tech companies accountable. At the same time, we also need to think about the geopolitical tensions, right? How are we looking at all these competing regulatory initiatives and who is left out from this race, right? Why is it even framed as a race, right? Because a race means there’s going to be a winner in terms of the, or a leader in terms of regulation. But we have to be thinking about this from a global perspective because the internet is global. There will be overlaps. We don’t want fragmentation. And my worry is that that if we don’t even have a unifying framework, and if we’re thinking about this as a race to regulate, then there will be people at the bottom and people on top. So I just wanted to push back a little bit on that framing because it’s interesting to me as somebody coming from the Philippines. And so back to the human rights discussion, I think what’s interesting about corporate accountability, I do agree that we need to hold corporations accountable, tech companies accountable. But I see the discussion here as sort of mirroring the history of the UN guiding principles on business and human rights. That’s the whole reason why the UNGPs were formed because many multinational companies decades ago were operating in developing countries. And what do you do when the human rights violators sometimes are the government actors, right? And that’s why I really do believe that government regulation is warranted. They provide the minimum baseline, but over and beyond that, there are many, many issues that we wouldn’t want governments to regulate under human rights law. So just to give you an example, and I’m using examples from my own experience in content moderation and in platform governance because that’s what I’m most familiar with. So for example, Article 19 of the International Covenant on Civil and Political Rights guarantees freedom of expression of persons. And under Article 19 of the ICCPR, there are areas where you can limit freedom of expression, right? But this whole treaty, this Article 19 was designed to hold state actors accountable. So all treaties are state-based, right? It’s based on the idea that we need to guarantee fundamental rights of persons against their government. And so Article 19 provides the minimum exceptions, right? But what we call in content moderation, there are so many issues that we call lawful but awful. So these are like speech, for example, misinformation. Do we really want governments to legislate a way prohibited false content, right? There are so many human rights groups criticizing fake news laws several years ago that were coming out in different countries around the world, right? Or hate speech, hate speech. I know in certain countries, there are hate speech laws in other countries. There are no hate speech laws regardless, right? So there are, what I’m saying is that there are issues. And that’s what I was talking about earlier when I say AI is all-encompassing. It affects so many different rights, so many human rights. So when we’re thinking about what do we want to regulate? What do we want our governments to regulate? What do we want corporate actors to do above and beyond regulation, above and beyond government regulation? Why? Because under human rights law, there are so many areas of human rights that we wouldn’t want governments to regulate. And one example of that is speech, right? So how do you then regulate that? like Gen AI companies, right? Because you wouldn’t also want the curb expression for satire or for condemning human rights abuses. So we want companies to go beyond what regulation requires, right? And so I think that I see this as complimentary. And for example, in the platform governance space, I think that’s how I see the oversight board is doing its job. It’s not meant to replace government regulation as it should be, it shouldn’t. But at the same time, there are many areas concerning countries around the world where we need companies to step up because we can’t just rely on governments to do their job. So I think that’s what I really want to, I want to nuance this discussion a little bit about regulation and the race theory.

Melody Musoni: I’m not sure, advocate Lufuno, do you want to chip in?

Lufuno T Tshikalange: Can you hear me?

Melody Musoni: Yes, and then we have another two more questions in the audience, you can go ahead.

Lufuno T Tshikalange: Okay, thank you. Hopefully I will finish what I’m saying this time around. In terms of the risk identification from how I’ve understood the approach of the African Union Commission in the development of the artificial intelligence strategy and how even we are doing our own policy framework in South Africa, it’s more human centric. So the technology for the people, not people for technology is the mantra that I believe is coming through a lot to ensure that human rights are respected and reading through them. the Continental Artificial Intelligence Strategy, you see that there is a lot of references to human-centric development and respect and protection of human rights, which is also one of the eight principles for our strategy. So I believe that this approach was because the strategy is based on the Human Rights Charter, the AU Human Rights Charter, and a number of constitutions around the African region. So the risk is to the people. If we do not have ethical behavior and we have technology, people for technology instead of technology for the people, meaning that technology is a tool of advancing our lives and helping us to move out of poverty, inequality, and unemployment, and we are now being made a commodity, that is what the strategy was, by all means, trying to avoid, that the technology is here to enhance, not necessarily to abuse anything or take advantage of anything. So rise to privacy, environmental rights, issues of climate change, that’s why they were identified, because they impact on human rights at individual level. And though there are other issues that were related to economy, the important part was that the risk will be to the consumers of these technologies and they need to be protected. from any risk or harm that may come out of it. So I believe that was the approach to make sure that this strategy is human rights centric and whatever that comes out of the technology itself, it is advancing the human rights, not necessarily violating the same. So I do hope that makes sense. And also the 2063 agenda. Agenda 2063 also says that our development must be human centric. So everything that we have from a policy perspective, it is putting human rights at the center of everything. Thank you.

AUDIENCE: Ends up. We cannot hear. Rely on ISO 31,000 is what they see as the kind of framework for risk assessments. And I think in a lot of tech companies, there’s a compliance team, which is different to the human rights team. And the compliance team are thinking about business risks. And so I think what we need to do is to map what are the risks to the business of having an adverse impact on human rights? Is there an accountability mechanism? Will there be some kind of legislative or regulatory risk? Is there some consequence? Or is there going to be a requirement in legislation or in regulations to provide a remedy to victims of adverse human rights impacts? Because without that, I think there will be a nice human rights department. maybe produce human rights impact assessments, but there’s not really any real consequence. And unless there’s a real consequence to the business and it’s seen as a business risk, I don’t think we’re going to see a lot of change. Thanks very much, first of all, for the insights from all the regions about AI regulation in the different jurisdictions. And I would like to draw the attention a little bit more to some technical requirements. If we look at the technical realities, we currently see around 140 large language models on the globe. More than 120 of them are coming from the US, then you have 20 from China, and all the rest is shared between a tiny numbers of jurisdictions. In practice and beyond any regulatory approaches, that means that a huge number of countries, including the European Union, is dependent on large language models from other regions, from the US and from China. And if we speak about fundamental rights and how we can guarantee access to this technology and fundamental rights when using AI, I think one important aspect is digital sovereignty. To what extent are countries in the position to train AI models as the basis for every AI system themselves? And the fact is that even in Europe, we have not the data center capacities and computing power capacities to train European AI models, which means we are dependent on AI models, large language models from other regions. I think this is a very important factor also in the light of access to AI in developing countries because for them it might be even more challenging to build up the data center and computing power infrastructure to be sovereign and to train AI models themselves. And yeah, I think that’s an important factor for the discussion. A unified AI regulatory framework would be an important aspect. but it won’t work if we do not have the same conditions for training AI models in all regions over the globe. Thank you.

Melody Musoni: Questions?

AUDIENCE: Yes, so I have a question here from Advocate Nusipro. How do we ensure within AI paradigm that the same infrastructure service providers that operate transnationally sustain quality provisions across all jurisdictions in line with human rights protocols? So I guess it goes back to the question around accountability across country borders. I think Jen, you spoke about that a little bit. Maybe anything you wanna add to that?

Jenny Domino: Yeah, of course. Thank you. Maybe I’ll just quickly comment on all the questions and comments. So on remedy, I completely agree. And I think what is, I’m afraid that my answer is more of a question, which is what would constitute sufficient remedy, right? If there is an adverse human rights impact, there is an affected community, what would be remedy in this regard? And again, the UN Guiding Principles was constructed at a time when they were contemplating a different kind of industry, not a tech industry, not a cross-border tech company that may not be within the regulatory jurisdiction the country concern. But yeah, I guess that would be, it’s just an addition. It’s more like what would be good remedy. And again, with respect to platform governance in Myanmar many years ago, when the UN identified Facebook as inciting violence, there were some groups in Bangladesh in the refugee camps that wrote to Facebook saying, you know, give us money, help us, you know, build a life here because your platform was partly used to this, to cause this, what is happening to us. And Facebook said no, saying that they’re not a charity organization, right? And I think that raises at the very least interesting questions about what would constitute remedy? And from a legal standpoint as well, how do you attribute causation or, because again, we’re talking about liability and that’s a different framework altogether from the contribute costs and link to framework under the UNGP. So I think all of this is really interesting as a matter of law, and I don’t have easy answers for that as well, but just to complicate the discussion further. On the second comment, I completely agree. I just want, what I want to add there is the training, the labeling, the labor, the labor aspect of this. And I think this is something that we haven’t discussed yet, right? How are developing countries involved in the training of this data, in the labeling, right? Because cheap labor, again, it’s in the developing countries. Again, we see this in content moderation, we see this in AI as well. And the question there is what are these governments in developing countries doing to regulate that, to regulate labor when there are not even adequate labor protections in many parts of the world? Yeah, so I forgot the third question, quality assurance, right? Across, so yeah, so I think that’s why it’s still very relevant to try to articulate more detailed guidance from the UN Guiding Principles on Business and Human Rights. And I know that the UN-BTEC project has been leading this initiative. So, no easy answers, but I think that the relevant organizations at the UN, but also civil society groups are doing what they can to help articulate more concrete guidance to ensure quality.

Melody Musoni: Thank you so much, Jenny. I guess for the sake of our time, we need to go to the second round of questions. I see there are still more questions online. We’ll try to attend to them at the end of our session. So, the next question that I’m going to ask, I guess I’ll direct my question to Gian-Claudio. One of the policy questions that have been coming up, especially within the African context after the EU adopted the EU AI Act, was the externalization of that framework. And I guess it’s coming from a point where when the GDPR was adopted, most African countries felt that they were being pushed to adopt a similar framework within their regions, so as to comply with the EU and to be able to do business with the EU. And I was wondering, in the context of the EU AI Act and the provisions that we have, does it have the same extraterritorial effect similar to the GDPR? And do you see many countries, for example, emulating the EU AI Act and adopting similar frameworks in their own national legislative processes? Or do you see it very different because it’s very different from the GDPR?

Gian Claudio: Yeah, sure. Great question. And I think it’s connected to some of the other points and questions that were raised in the first round of questions. So, it’s also for me an opportunity to connect on that. So, I think there are two separate aspects to consider. One is the real scope, like the extraterritorial, potential extraterritorial scope of EU law, in particular the AI Act. And the second point is the possible Brussels effect, to name a book by Anno Bradford, so how the Brussels effect that we have for the GDPR, the emulation by other countries and systems might happen also for the AI Act. So, I think these are two separate questions, but connected. And also connected to some of the elements or questions that were raised before, for example, about how can we have a homogeneous regulation of AI if then we have countries that cannot have data centers or cannot have a general purpose AI. But this is connected because, of course, if we just regulate generative AI, we know that generative AI is produced and developed mostly in the US, we need to have some rules for the application, for the, let’s say, extraterritorial application of the law. The AI Act follows that approach. So, for example, if you commercialize in Europe, but you have produced somewhere else, but you commercialize in Europe, then you have to follow the rules of the AI Act. The GDPR went even broader because for the GDPR, even if you just monitor behaviors of people in European Union, or if you offer services even for free to people who are in the European Union, the GDPR was applicable. And this was also, and this is, I think the two parts are connected, right? The fact that the extraterritorial and the law and the process effects are connected because the more extraterritorial… territoriality you have in the law, the more you are pushing other countries to have similar systems in order to be adequate. Adequate is the term that is used by the European Commission to analyse the compatibility of other legal systems to the European data protection system. So just to say, I think the scope and the particular scope of the AI Act tries to go beyond what’s just in the borders of the European Union, but of course this is not easy. About the Brussels effect, this is mostly a political analysis. So what do we expect? Do we expect that other countries will follow the AI Act as it happened with GDPR? And this is also connected by a comment about a race between the first and the last, and what do we do? So I think of course it’s not a race to be the best country, the best region, and I think this is very important that there is a big risk of legal colonialism that Europe can have, like Europe going to impose laws to other countries. So of course this is a risk, and this is not something that we want. I don’t think we should push for Europe to dictate the legal agenda to all other countries, right? This is not what we want. At the same time, if these laws are pro-human rights and pro-fundamental rights, then it’s also, I think, a good thing if the Brussels effect takes effect. So I mean, if other countries copy the European Union for prohibiting exploitation of migrants, or for example, a full laissez-faire approach to bias and discrimination online or to human oversight, then it’s good if other countries maybe copy European Union in that. And we already see that happening a bit. We have indeed, I was mentioning the Brazilian AI Act. It was approved by the first chamber two weeks ago. And it really reflects the European Union AI Act in the structure, in the design duties, in the governance, in the prohibitions. It reflects a lot. And it reminds how the LGBP or GDPR, which is the general data protection law in Brazil, reflects the GDPR. So I’m just saying this is possible, but there is a big caveat, a big difference. It’s difficult to export the AI Act from one point of view. The AI Act is highly rooted on political considerations that cannot be easily exported. Because for example, even the prohibition of social scoring was written having in mind examples from China, etc. So there are political considerations of what the risk to human right is. And also the same idea of fundamental rights is not applicable all over the world. So while the GDPR could be exported, I’m using the word exported, which is very brutal, but just to say the image that we have, it could have been reapplied or reproduced in other regions, because it was based on some principles that are not so difficult to reproduce in other regions. For example, a purpose limitation or storage limitation. These are kind of technical principles, right? The AI Act is rooted. on fundamental rights, in a way. And fundamental rights are not, in particular the Charter of Fundamental Rights, just applies to the European Union. So, you know, this is maybe one of the major obstacles of the Brussels effect. But we can wait and see, because I was, when we were preparing this panel, I hadn’t read the Brazilian law. And now I read it and they say, oh, it’s very similar to the AI. So I can say that even though in principles it’s difficult, in practice, I see that the Brussels effect is already maybe taking effect.

Melody Musoni: Thank you for that Gian-Claudio. And I think earlier we were talking about the geopolitics and how it also kind of shapes the approaches that we adopt when it comes to AI governance, for example. And I think that what you mentioned about, especially with the social scoring in the position that the EU AI Act adopted is just one example. So I’m going to come to advocate Lufuno again, looking at this whole geopolitics and how it’s actually shaping our approaches to AI governance. You are sitting in South Africa, and as of this month, South Africa has taken over the G20 presidency. And there are quite high and big expectations for the continent, for both South Africa and the African Union as members of the G20. And a lot are seeing it as an opportunity for Africa and South Africa to promote and to advocate for inclusive digital development.

Lufuno T Tshikalange: I can’t hear you, Dr. Milode. Technico. Okay, you were at…

Melody Musoni: Can you hear me now?

Lufuno T Tshikalange: Yes, I can hear you. You were at G20 promoting Africa and it’s cut.

Melody Musoni: Yes, so I was saying that there are big expectations that with South Africa now taking over the G20 presidency and the AAU being a member of the G20, we should see more and more conversations and discussions around digital development and AI governance. And I also mentioned that South Africa is also a member of the BRICS plus economic block who are also shaping AI policies. And what I wanted to ask you is, do you think that global South countries are able to develop maybe an alternative to what we have in the EU AI Act? Do you see us global South countries developing an alternative approach to AI governance? If so, what do you think that would actually look like?

Lufuno T Tshikalange: Thank you. Yes, we are the president for the G20 at 2025 years and the AU is a member which is an exciting opportunity for us and the theme is sustainability, equality and I am missing one word in that theme. I believe that we need to take an advantage of the G20 which I’m personally within our consultancy already doing that looking at the issue of proposing the establishment of the cyber diplomacy for the G20 and obviously, to ensure that we are assisted in a sense, as I said, that collaboration is very important. So this G20 will help us to ensure that we collaborate better and we find ourselves in terms of the principles that we want to see informing the conversation of AI governance. I don’t necessarily see us cutting and pasting the EU AI Act, but I believe that the EU has really set an example that we can study and see what lessons can be learned moving forward. And I believe, if I’m not mistaken, the EU Commission is also part of the G20 alongside the African Union. So I am seeing an opportunity that we are not competing as to who can do better than who, but we are bringing our resources together to make sure that the world becomes a better place for everyone. And I believe if we form appropriate collaborative relationship during our presidency, that we can then have opportunities to have skills exchange programs where some of the African talents can be sent to the global north to learn the skills that we naturally just didn’t manage to develop as our R&D is not very good. But I believe that there are a lot of opportunities that can be derived out of this. We’re not doing well in our cyber security space. Our cyber security posture as Africa is not something to brag about. And we are having some of the strong countries within the G20 that are doing well in that space. So I am seeing that if we really use this opportunity, there is a lot of advantages from where I am seated. And the expectations are big for sure, because we were also doing a panel at the South African Science Forum, which happened first week of December. And there is a lot of expectations that the presidents set out and the minister of Department of Science and Innovation and Technology set out for us to be able to achieve and taking advantage of us having the G20 presidency. So I hope I’m answering your questions, but a lot of challenges that we have, if we can master the collaboration approach, I believe this one year of presidency will leave us having achieved more. Thank you.

Melody Musoni: Okay, thank you, advocate. And I’m gonna come to you, Jenny. I think you already touched on this and you were kind of asking us, like, why are we competing? Okay, I’m gonna come to Jenny and coming back to… to the discussion on AI governance and you were mentioning about the race that why are we competing? And if we are competing, there’ll be winners and there will be losers. Technical team, can you help us with the audio for the online participants? Okay. So, the way I see it, maybe because I’m moving from law and moving more into policy and public policy and I see a lot of influence that is coming from different political actors on how we approach AI governance. So, just giving the example that Ajaan Claudio gave with the EUA Act and the social scoring that it’s considered as high risk. It’s definitely not allowed in terms of the regulation in Europe but yet we see other regions like China where they still have social scoring. And I think those different political standpoints are definitely going to shape the future of AI governance. In September, there was the China Africa Summit and one of the declarations and the commitments that China and Africa made was we need to support each other on discussions on AI governance. For example, on global AI governance discussions. And already that is an indication that we are going to a place where we are not going to have one uniform regulatory framework on AI governance. And my question to you is how do you think we should be able to achieve a more universal approach to AI governance or AI regulatory frameworks? And where do you actually see us moving from here? What should we start prioritizing? What kind of discussions do we need to start having where we are able to say, these are our this is our baseline or these are our minimum standards that we expect to see in different frameworks, whether it’s being adopted by the African Union, it’s being adopted in Latin America, what kind of conversations should we start having and what kind of principles should we see in these frameworks and in these discussions on AI governance?

Jenny Domino: Such a big question. I feel like if I know the answer to this, we can all go home and there would be no IGF next year because we won’t have a need for it. So my short answer to this question is, I think human rights really provides a common language. The UN Special Rapporteur on Freedom of Expression referring to platform governance at least, has described human rights as offering a universal language that everybody can understand regardless of where you are in the world, regardless of the political situation in that country, the people in those country understand a rights framework. And that’s why I think human rights groups have been criticizing the more risk-oriented approach to AI governance as opposed to a rights-centric framework. And I know that that answer can be also seen or perceived by some as naive or too idealistic, but I actually think it is pragmatic because first of all, it’s something that is understandable to everyone. It’s something that civil society and underrepresented regions can use that kind of language when talking about the risks, the harms posed by AI technology. So I think that’s something that we should aim for, to bring back human rights front and center in AI governance.

Melody Musoni: Okay, thank you so much. So we need to prioritize human rights protections in our frameworks on AI. I see we have four minutes left. I wonder, do we have questions from the audience online and here?

AUDIENCE: Thank you for the wonderful thought provoking conversation. I wanted to ask, I only attended half of the session. So if this is repeated, you don’t need to answer it. I wanna understand when the Global South regulates or writes policies for the internet and digital technologies, they are writing policies to govern companies and organizations that exist outside of their jurisdiction most of the time. And what we see in the EU and generally in China and the US, that they are writing policies and regulations for their own leverage points and their own companies and their own markets. So when the Global South comes and writes their own policies, even when it comes to Africa, it has a huge population, a young population, and they’re consuming a lot of these technologies. They don’t have as much leverage points. And perhaps the IGF is a great space for us to collaborate to prioritize some of the things that the Global South can add. So what are these advantage points that the Global South needs to capitalize on and bring to the conversation where we can contribute to the conversation with the EU experts? I think one of the things that really makes the EU a stronger market is because they have a lot of experts who are very capable in terms of collaboration, in terms of having the organizations and the funding that enables them to make huge leapfrogs. in terms of knowing what exactly can serve the political organization and also civil society organizations and so on. So what do we need to do in the global South? What do we need to leverage? And what should we prioritize? And what should be the things that we focus on in order to help us have a productive conversation with the global North counterparts? Thanks. I take this one. So you raise an important question. I think it’s one of the questions that we always raise when we are talking about regulation of AI, especially in Africa to say, what are we regulating? And do we even have the institutional capacity to go after big tech? And in some of the conversations we have is the question of what are we regulating? And what we have is they don’t have any legal presence in a lot of countries. For example, META, you have offices in South Africa, Kenya, and Nigeria. So if there is unlawful processing of data in another country that doesn’t have data protection laws, they are not protected. And just to give an example on data protection, one approach was perhaps it makes sense from a regional perspective, if we can collaborate as a continent and have one regulatory body that represents the interests of everyone else. I remember in 2017 with the Cambridge Analytica crisis that South Africa was able to take further action against META, Facebook at the time because they already had a regulator. And similarly, I think there were discussions with Kenya as well. So learning from that example to say… for countries that already have this institutional capacity.

Lufuno T Tshikalange: Thank you, Melody, I’ll take it.

Melody Musoni: You can. Yes, at the moment with AI, it’s very difficult. We always have these conversations and my position is rather let’s start with the low hanging fruit, the data protection laws that we have and trying to see what are the laws we can kind of extend. For example, from a criminal law perspective, we’re talking about misinformation, hate speech. We already have some laws that to some extent cover issues where AI is being used for misinformation. So from a criminal law perspective, you extend the law, deletional perspective, you extend the law. So there are different ways of regulating AI without particularly having a specific law because at the moment, we definitely don’t have that capacity in the framework to go after the big tech if they are not in our countries. I don’t know, Jenny or Advocate Lufuno, if you want to contribute more on the global South. One minute each. I’ll start with Jenny and then Lufuno, you can go immediately after. Do we have our questions online as well? Advocate Lufuno, can you hear us?

Lufuno T Tshikalange: Yes, I can hear you.

Melody Musoni: Thank you. You can go ahead.

Lufuno T Tshikalange: Oh, I thought you said Jenna was going first.

Melody Musoni: Thank you.

Lufuno T Tshikalange: Yeah. I believe that from the global South perspective, just to remind you, one minute. Yes. Wrap up in one minute. From the Global South perspective, I believe that we do have enough skills and case studies that we can collaboratively use to combine our resources and come out of the consumer status that we have been for so long. We need to work towards coming into the table not as a subject matter of discussion but as a contributor. Thank you.

Melody Musoni: Okay. Thank you so much. I see we have run out of time, but I would like to take this opportunity to thank our speakers both online and here with us, as well as thanking you, the audience, for participating in our discussion. Feel free to come and engage with the speakers who are here if you have additional questions. So let’s give a round of applause to our brilliant speakers. Thank you.

Agreement Points

Need for human rights-centered approach in AI governance

Jenny Domino

Lufuno T Tshikalange

Gianclaudio Malgieri

Need for human-centric approach centered on human rights

African Union developing continental AI strategy aligned with Agenda 2063

EU AI Act as first comprehensive AI regulation, balancing risks and rights

The speakers agree on the importance of prioritizing human rights in AI governance frameworks, emphasizing a human-centric approach that balances risks and rights.

Challenges in infrastructure and skills for developing countries

Jenny Domino

Lufuno T Tshikalange

Existing human rights issues and digital divides need to be addressed

Lack of infrastructure and skills in developing countries

Both speakers highlight the challenges faced by developing countries in terms of infrastructure, skills, and digital divides that need to be addressed alongside AI governance.

Similar Viewpoints

Both speakers emphasize the challenges and importance of incorporating human rights considerations into AI governance frameworks, highlighting the difficulty in quantifying these rights within a risk-based approach.

Gianclaudio Malgieri

Jenny Domino

Difficulty in measuring and quantifying risks to fundamental rights

Need for human-centric approach centered on human rights

Both speakers recognize the significant role of geopolitics and differing political standpoints in shaping AI governance approaches globally.

Melody Musoni

Jenny Domino

Differing political standpoints (e.g. on social scoring) shaping governance approaches

Need to consider geopolitical tensions and fragmentation of internet governance

Unexpected Consensus

Collaboration over competition in AI governance

Lufuno T Tshikalange

Jenny Domino

Need for collaboration rather than competition in governance approaches

Need to consider geopolitical tensions and fragmentation of internet governance

Despite representing different regions, both speakers emphasize the importance of collaboration over competition in AI governance, which is somewhat unexpected given the often competitive nature of international relations and technology development.

Overall Assessment

Summary

The main areas of agreement include the need for a human rights-centered approach in AI governance, addressing infrastructure and skills challenges in developing countries, and recognizing the impact of geopolitics on governance approaches.

Consensus level

There is a moderate level of consensus among the speakers on key issues, particularly on the importance of human rights and the challenges faced by developing countries. This consensus suggests a growing recognition of the need for inclusive and rights-based approaches to AI governance globally, which could potentially influence future policy discussions and international cooperation in this field.

Different Viewpoints

Approach to AI regulation

Jenny Domino

Gianclaudio Malgieri

Asia taking a “wait-and-see” approach with soft law and draft initiatives

EU AI Act as first comprehensive AI regulation, balancing risks and rights

Jenny Domino describes Asia’s cautious approach with soft law, while Gianclaudio Malgieri highlights the EU’s comprehensive regulation through the AI Act.

Focus on risks vs. rights in AI governance

Jenny Domino

Gian Claudio

Need for human-centric approach centered on human rights

EU AI Act as first comprehensive AI regulation, balancing risks and rights

Jenny Domino advocates for a human rights-centered approach, while Gianclaudio describes the EU AI Act’s attempt to balance risks and rights.

Unexpected Differences

Perspective on global collaboration in AI governance

Jenny Domino

Lufuno T Tshikalange

Need to consider geopolitical tensions and fragmentation of internet governance

Need for collaboration rather than competition in governance approaches

While both speakers advocate for collaboration, Jenny unexpectedly emphasizes the need to consider geopolitical tensions, whereas Lufuno focuses more on the benefits of collaboration without explicitly addressing these tensions.

Overall Assessment

summary

The main areas of disagreement revolve around the approach to AI regulation (comprehensive vs. wait-and-see), the focus on risks vs. rights, and the perspective on global collaboration in AI governance.

difference_level

The level of disagreement among the speakers is moderate. While there are clear differences in approaches and focus areas, there is also a shared recognition of the challenges facing AI governance globally. These differences reflect the complexity of developing a unified approach to AI governance across diverse regions and highlight the need for continued dialogue and collaboration to address global challenges while respecting regional contexts.

Partial Agreements

All speakers agree on the need to address fundamental challenges in AI governance, but they focus on different aspects: Jenny on existing human rights issues, Lufuno on infrastructure and skills gaps, and Gianclaudio Malgieri on the difficulty of quantifying risks to rights.

Jenny Domino

Lufuno T Tshikalange

Gianclaudio Malgieri

Existing human rights issues and digital divides need to be addressed

Lack of infrastructure and skills in developing countries

Difficulty in measuring and quantifying risks to fundamental rights

Similar Viewpoints

Both speakers emphasize the challenges and importance of incorporating human rights considerations into AI governance frameworks, highlighting the difficulty in quantifying these rights within a risk-based approach.

Gianclaudio Malgieri

Jenny Domino

Difficulty in measuring and quantifying risks to fundamental rights

Need for human-centric approach centered on human rights

Both speakers recognize the significant role of geopolitics and differing political standpoints in shaping AI governance approaches globally.

Melody Musoni

Jenny Domino

Differing political standpoints (e.g. on social scoring) shaping governance approaches

Need to consider geopolitical tensions and fragmentation of internet governance

Key Takeaways

Different regions are taking varied approaches to AI governance, from comprehensive regulation (EU) to wait-and-see approaches (Asia)

There is a need to center human rights in AI governance frameworks rather than focusing solely on risk-based approaches

Developing countries face significant challenges in AI governance due to lack of infrastructure, skills, and leverage over tech companies

Geopolitics and differing political standpoints are shaping approaches to AI governance globally

Collaboration rather than competition is seen as key for effective global AI governance

Resolutions and Action Items

None identified

Unresolved Issues

How to achieve a universal approach to AI governance while respecting regional differences

How to effectively regulate AI in developing countries with limited leverage over tech companies

How to balance innovation with protection of fundamental rights in AI governance

How to measure and quantify risks to fundamental rights in AI systems

Suggested Compromises

Using human rights as a universal framework for AI governance that can be understood across different regions and political contexts

Focusing on extending existing laws (e.g. data protection, criminal law) to cover AI issues rather than creating entirely new AI-specific regulations in developing countries

Collaborating at regional levels (e.g. African Union) to increase leverage in regulating multinational tech companies

I think this risk-based approach, Gianclaudio, that you were talking about, risk to what? So because I think in the EU-AI Act, as you have said, it started as a product liability framework and then later on we infused it with fundamental rights left, right and center, or we tried at least. But so the EU-AI Act looks at risk to what and who is determining, or what was the discussion around these different risk categories? How was that assessed?

speaker

Audience member

reason

This question challenges the fundamental approach of risk-based AI regulation and prompts deeper consideration of how risks are defined and assessed.

impact

It led to an in-depth discussion on the challenges of measuring risks to fundamental rights and the potential limitations of a risk-based approach to AI governance.

I see the discussion here as sort of mirroring the history of the UN guiding principles on business and human rights. That’s the whole reason why the UNGPs were formed because many multinational companies decades ago were operating in developing countries. And what do you do when the human rights violators sometimes are the government actors, right?

speaker

Jenny Domino

reason

This comment draws an insightful parallel between AI governance and existing frameworks for business and human rights, highlighting the complex dynamics between corporations, governments, and human rights.

impact

It broadened the discussion to consider the roles and responsibilities of different actors in AI governance, particularly in the context of developing countries.

The AI Act follows that approach. So, for example, if you commercialize in Europe, but you have produced somewhere else, but you commercialize in Europe, then you have to follow the rules of the AI Act. The GDPR went even broader because for the GDPR, even if you just monitor behaviors of people in European Union, or if you offer services even for free to people who are in the European Union, the GDPR was applicable.

speaker

Gianclaudio Malgieri

reason

This explanation clarifies the extraterritorial scope of EU regulations and their potential global impact, which is crucial for understanding the implications of EU AI governance on other regions.

impact

It sparked a discussion on the potential for a ‘Brussels effect’ in AI regulation and the challenges of exporting EU-style regulations to other contexts.

I believe that from the global South perspective, just to remind you, one minute. Yes. Wrap up in one minute. From the Global South perspective, I believe that we do have enough skills and case studies that we can collaboratively use to combine our resources and come out of the consumer status that we have been for so long. We need to work towards coming into the table not as a subject matter of discussion but as a contributor.

speaker

Lufuno T Tshikalange

reason

This comment challenges the narrative of the Global South as merely consumers of AI technology and regulation, asserting their potential to contribute meaningfully to global AI governance discussions.

impact

It shifted the conversation towards considering how the Global South can actively shape AI governance rather than simply adopting frameworks from other regions.

Overall Assessment

These key comments shaped the discussion by highlighting the complexities of AI governance across different regions and regulatory frameworks. They prompted deeper consideration of how risks and rights are balanced in AI regulation, the challenges of applying regulations across borders, and the need for inclusive global dialogue that recognizes the potential contributions of the Global South. The discussion evolved from a focus on specific regulatory approaches to a broader consideration of how to achieve a more universal and equitable approach to AI governance that respects human rights and addresses the needs of diverse stakeholders.

What would constitute sufficient remedy for adverse human rights impacts caused by AI systems?

speaker

Jenny Domino

explanation

This is important to determine how to hold companies accountable and provide appropriate compensation to affected communities.

How can developing countries be involved in the training and labeling of AI data in a way that ensures fair labor practices?

speaker

Jenny Domino

explanation

This is crucial to address potential exploitation of workers in developing countries and ensure ethical AI development practices.

How can we ensure quality provisions for AI services across all jurisdictions in line with human rights protocols?

speaker

Audience member (via Advocate Nusipro)

explanation

This is important to maintain consistent standards and protections for users of AI systems globally.

How can countries in the Global South develop the necessary infrastructure and computing power to train their own AI models and achieve digital sovereignty?

speaker

Audience member

explanation

This is crucial for ensuring countries are not dependent on AI models from other regions and can develop AI tailored to their specific needs and contexts.

What should be the baseline or minimum standards expected in AI governance frameworks across different regions?

speaker

Melody Musoni

explanation

This is important for establishing a common ground in global AI governance while allowing for regional variations.

What are the advantage points that the Global South needs to capitalize on and bring to the conversation on AI governance?

speaker

Audience member

explanation

This is crucial for ensuring the Global South has a meaningful voice in shaping global AI governance and addressing their specific needs and concerns.