Roundtable

27 May 2024 13:00h - 13:45h


Disclaimer: This is not an official record of the session. The DiploAI system automatically generates these resources from the audiovisual recording. Resources are presented in their original format, as provided by the AI (e.g. including any spelling mistakes). The accuracy of these resources cannot be guaranteed.

Full session report

Experts convene at GFC webinar to advance collaborative cyber capacity building efforts

During an in-depth webinar hosted by the Global Forum on Cyber Expertise (GFC), members of Working Group A and Working Group B convened to discuss the critical importance of collaborative efforts in advancing cyber capacity building. Klee Aiken from FIRST underscored the need for operational experts in Working Group B to engage with their policy-focused counterparts in Working Group A, who are involved in strategy development and UN discussions. Aiken highlighted the Geneva Dialogue as an exemplary initiative that brings together stakeholders from various sectors to inform and engage in the normative discourse of cybersecurity.

Anastasiya Kazakova from the Diplo Foundation provided an extensive overview of the Geneva Dialogue, detailing its origins in 2018 and its mission to clarify the roles and responsibilities of different actors in cyberspace to enhance security and stability. She emphasized the collective acknowledgment of the importance of cyber norms and the necessity for translating diplomatic agreements into practical policies and actions.

Kazakova presented the first chapter of the Geneva Manual, which focuses on norms related to supply chain security and the reporting of ICT vulnerabilities. The manual reflects a consensus on the significance of cyber norms and the substantial role attributed to the private sector in their implementation. It also recognizes civil society’s critical function in raising awareness about cybersecurity issues and influencing policy and corporate governance.

The discussion then addressed the challenges stakeholders encounter in implementing agreed-upon cybersecurity norms. These include the absence of universal evaluation criteria, emerging regulations, conflicting data protection requirements, and a lack of trust in national authorities for information sharing. Kazakova highlighted the importance of informal communication channels in managing critical incidents and exchanging vulnerability information, noting experts’ surprise at the efficacy of such channels.

Participants engaged in a robust discussion, debating the need for an international approach to protect critical infrastructure and whether there are sectors or dependencies that should be newly categorised as critical. The dialogue touched upon the definition of critical infrastructure, with suggestions for a common understanding and methodology to identify what constitutes critical infrastructure in different countries. The role of governments in enhancing transparency and leading by example in implementing norms was also a focal point.

The webinar culminated in breakout sessions where participants role-played as National Cyber Security Agencies and critical infrastructure facilities. They were tasked with discussing scenarios and questions to further explore the implementation of norms and protection strategies. Although the outcomes of these sessions were not detailed in the transcript, the exercise was designed to foster a deeper understanding of the complexities involved in protecting critical infrastructure.

Noteworthy observations from the webinar include the recognition of the dynamic nature of cyber threats, the need for ongoing dialogue and collaboration among all parties involved, and the importance of considering regional and international impacts when defining critical infrastructure. The discussions underscored the evolving challenges in cybersecurity and the imperative for multi-stakeholder engagement to effectively implement cyber norms and protect critical infrastructure.

Session transcript

Klee Aiken:
Good morning, afternoon and good evening everyone, we’re just going to give folks a couple of minutes to log on before we get started, but we’ll get going pretty soon. Thanks for joining. Hey folks, thanks for joining. We’re just going to give it one more minute. I hope our Swiss-based colleagues can forgive me for using a little bit more lenient timing. Cool. Hello, everyone. Welcome to our latest collaboration between the GFC Working Group A and Working Group B. I’m Klee from FIRST, and it is my absolute pleasure to lead Working Group B, along with my colleagues Manuel, Mark, and Viljas. Working Group B is focused on critical infrastructure protection and cyber incident management. Our group is really made up of operational folks who like to come together as a community, talk shop, and just work on our corner of cyber capacity building. While us operational folks like to come together and talk shop, of course, we cannot work alone or in isolation. The work in incident management and the work in critical infrastructure is impacted by policy, by strategy, and even the discussions at the UN. Of course, in the other way, policy, strategy, and norms discussions that aren’t informed by the operational reality will be pretty hard-pressed to be able to achieve the intended goals of those activities. That’s why we’re really excited today to be bringing together the folks from Working Group B with the folks from Working Group A, who really focus a lot more on that policy side, that strategy side, and that UN side. That’s one of the great and great features of the Global Forum on Cyber Expertise, that multi-stakeholder cyber capacity building space where we can all discuss these great issues. One initiative that is kind of exemplary in bringing together stakeholders across the spectrum, particularly in the norms space, is the Geneva Dialogue. So it’s been a really great privilege to be able to work with Vlada, Nastia and Serge on today’s webinar. 
The Geneva Dialogue brings together the wider stakeholder community to better understand, engage and inform these norms discussions and particularly the actioning and the implementation of these norms. So really excited for today’s session. We’ll start first with a bit of a discussion before we dig deep into a more interactive activity that I hope many of you will be able to stick around from. And I hope as a group that we can take a feather from the Operational Working Group B community and go a little bit more informal, encourage you to turn on your cameras, ask questions and let’s dig into the issues. And it’s especially exciting to dig into the case studies that we’ll be working on later. So on that note, I’ll hand it over to Nastia to take it away and kick us off.

Anastasiya Kazakova:
Thank you so much. It’s a great pleasure to be here, represent our team. And I’m also glad that a search trust is also here. So we hopefully will have a really good session to share with you what we’re doing and also to hear your input and the feedback which was also very important for us. I’ll start sharing my screen, just a second. So hopefully you could see it as well. Just quickly introduce myself as well. I’m working in the Diplo Foundation. I’m a cyber diplomacy knowledge fellow there. And as I mentioned, I’m a part of a small team who leads the Geneva Dialogue. And a few words what to expect from today’s session. So I’m a professor at the Diplo Foundation. I’m also a member of the Diplo Foundation. So a few words, what to expect from today’s session. So first, I’ll be glad to share with you all who we are, what Geneva Dialogue actually does. We will then invite you all for the roundtable discussion and we’ll share with you some of the initial questions in the agenda. And later we will have a short simulation slash game. So you will be split in two groups and hopefully we’ll have fun, but I will explain the rules a little bit later. So Geneva Dialogue is an international process, which was created by Switzerland and implemented by Diplo Foundation. It was created in 2018 and since then the main goal was to explore which roles, responsibilities different actors have in cyberspace to ensure the security and stability of cyberspace. So basically the main question was, who does what to ensure greater security for us all? Since then, since 2018, there have been several phases we separately discussed responsibilities and good practices of industry in the way how industry reduces vulnerabilities and develop secure by design digital products. And the final report, which we published in 2020, is pretty good collection of such practices from several industry players who represent different sectors in different countries. 
Last year, we started a new phase and invited over 50 non-state stakeholders or representatives from the private sector, from civil society, from academia and technical communities. So basically all multi-stakeholders. And our goal was to specifically focus on what actually all these stakeholders feel about the existing and agreed cyber norms that have been again agreed by states, how they can implement these norms, why they can implement them, if there’s a case and which good practices we can collect from all of them to inspire others beyond our community. then it won’t be peer-to-peer. One of the main questions that we had, what are they specifically expected to do to implement the norms? More specifically, in cases where a critical vulnerability in digital products or in ICTs exists and poses a security threat to users or even to national security or international security, our question was, who actually is expected to take an action to lead to minimize the security risk for others? And who is responsible for mitigating vulnerabilities through supply chains? There might be so many different actors also involved from different parts of the world. Our other questions were all about the role of those who usually distance themselves from, let’s say, technical cybersecurity. And we asked if there is a role for civil society, for academia, for policy experts to implement these roles as well. Of course, one of our initial guesses was that those stakeholders are actually quite helpful to raise awareness across the users or even be the voice in a dialogue with the governments and companies. But we still found that many of them felt that they had little to contribute to the discussions on norms, which are typically seen as requiring technical expertise. Further, we asked if users, those who use digital products and users as well, have a role to play in implementing the norms. 
And what kind of roles they can play while still users being stuck in a choice between convenience, better performance, features. and security and safety on the other side. Our question was also, can there be no choice for them? Can users actually demand more security along with a better functionality of digital products? How this could be possible? What kind of the incentives could be further created for the industry? How can users actually be more demanding security from industry, from the private sector? We were also very much interested to explore the role of the open source community of those developers who have enormously influenced our life in the digital space, but yet often, they are not a part of the discussion. And when I say enormously influenced, well, I think it’s a common fact that more than 80% or someone would say more than 90% of all modern digital products that we use, they consist of the open source projects. And in most cases, those projects are developed for free or voluntarily. So if there’s a vulnerability in a code, should these people who actually produce the code for free be engaged and how? What kind of the expectations we may have for them, we as a users or industry? Last but not least, the question we were interested to ask experts of the Geneva Dialogue, what expectations they might have from industry, sorry, from governments. While we didn’t aim to discuss the roles and responsibilities of governments, because this is mainly what governments and states do within other forums, specifically within the UN, we were still interested to learn the views, the expectations of all of these multi-stakeholders about the governments, what they can or can’t do to implement all of these norms. So we brought a very diverse group of experts, as I mentioned earlier, around 50 organizations from around the world. and experts who participated on the personal capacity. And we introduced the framework. 
We took as a starting point in the framework that had been agreed by states, the framework of responsible state behavior, the 11 norms, but also we’ll look at all other relevant regional and multistakeholder normative frameworks that might be helpful for our discussions. But the GGE framework was kind of a starting point for us. And we decided to focus on two norms for a start only. The choice was quite obvious because earlier I mentioned that Dialogue already discussed the role of industry. We published a compilation of good practices to secure the design of digital products and reduce vulnerabilities in them. And we also decided to take sort of the gradual approach to study the norms step-by-step. So for a start last year, we focused on the two norms related to supply chain security and reporting of ICT vulnerabilities. From how these norms are formulated, it’s obvious that states are expected to lead and implement them. However, the 2021 report of the group of governmental experts provided a really important clarification language for each norm where states clearly outlined that private sector and civil society at least are those relevant actors to implement the norms. Still, the question was, what specifically they are expected to do? So we started our work to collect all possible views and we kind of were ready to learn that there might be some areas where the expert that we invited would disagree. And I just want to highlight that this was our intention to actually capture all possible views, kind of the feedback from all of the stakeholder community to other stakeholders who are not part of the Dialogue, but also to states, to other relevant policy makers and decision makers in this regard. We were not aiming to produce a consensus report. What actually was really important for us is to see where actually people might be raising really important questions without necessarily actually having the answers to all of these questions. 
But still, for our work last year, we started to kind of structure the work and see, first of all, in several pillars, which were later produced in the first chapter of the Geneva Manual, the comprehensive guidance where we publish all of these discussions with the experts about the implementation of the norms by non-state stakeholders. And the pillars include, first of all, basically, we wanted to explore what kind of the responsibilities and roles stakeholders identify, and this is the what element. Then we wanted to further explore what are the actions and which incentives exist, the why element, which challenges may exist for the implementation of the norms, and this is the challenges pillar. And most importantly, we wanted for the manual also to be a place for good practices, so all other stakeholders can actually have the opportunity to check real examples and hopefully be further inspired to make their contributions to the implementation of the norms. And I would just like to briefly share with you the results of the first chapter that we published at the end of the last year, the first chapter of the Geneva Manual that was actually focusing mostly on the two norms and some of the areas where we definitely see the agreement across all of the stakeholders. So, first of all, all experts that we invited recognized the importance of all norms, even they had no idea about them before. And I think that’s really, really important, especially to kind of hear this validation of the importance of this diplomatic agreement. from industry, from people who are actually really, really far from cyber diplomacy discussions. At the same time, we heard that most of the experts highlighted the importance of translating all of these diplomatic agreements into more practical actions, sort of the policies, laws, and good governance frameworks. The private sector was understood to play a major role to implement these two particular norms. 
And if you check the manual, you will probably see that the content that we wrote attributing to the private sector, to the industry, is far larger than to any other stakeholder group. But still, at the same time, civil society has also been considered and accepted as a stakeholder group to play an important role to raise awareness for those less technical, but also really critical nuances related to human rights, to privacy, to data protection, and data security. So particularly, civil society was also highlighted as the stakeholder group who really helps to put necessary pressure on both companies and governments to ensure better policies, those policies that actually could be helpful to translate those diplomatic agreements. I mentioned earlier that we also specifically looked at the open source community and what kind of a contribution they can make to implement the norms. So most experts agree that they should not be held accountable for vulnerabilities in the free products. It’s roughly the responsibility of those who produce the final end product. But still, experts emphasize that it’s really important to further engage those people. And create further instruments, frameworks, mechanisms to support them, be further educated about the security practices and embracing more security while they develop the code for free. I also mentioned that while we did not discuss the role of responsibility of states in the governments, we raised the questions what expectations different stakeholders might have from governments. So obviously, governments were expected to lead by example in implementing these norms, including through creating inclusive and enabling regulatory and policy environment, but also through enhancing transparency in the way how governments actually deal with vulnerabilities that either discovered by them or reported by other stakeholders to them. 
Last but not least message is, of course, about geopolitical challenges, technological competition in implementing and discussing these two particular norms related to supply chain security and vulnerabilities. And specifically, with regard to the norm on supply chain security, the experts emphasized the need for a global approach to implement this norm, the approach that would actually hopefully result in the development of a common criteria, universal criteria to ensure the supply chain security. And now you could actually see a further presentation of the final work that we published within the first chapter of the Geneva Manual. So this is the perspective of mostly industry and technical community, some of the challenges that we heard that might still exist for them to implement these norms. So you see, we highlighted here the feedback such as the lack of universal aggregate evaluation criteria to implement the norm of supply chain security, the point that I just mentioned. Emerging regulations that may mandate the report of unpatched vulnerabilities, which is seen by industry and some private sector actors as a risk, security risks. Further challenges related to cybersecurity and labeling, namely, if you are a small or medium enterprise who may lack capacities to do it. Conflicting data protection and localization requirements across different jurisdictions as a negative factor for those industry players who exist across multiple jurisdictions. And lack of trust to national authorities, particularly to share vulnerability information or incident information with them to implement these norms. From the other perspective, the views from the users, which includes civil society, policymakers, customers, so we also managed to hear some of the challenges that they outlined to implement the norms. 
One of the most evident is the information asymmetry, as we heard from some of the users, which means that they don’t have sufficient information and skills to measure a secure product, to understand what is a secure product, what is a less secure product. This information is usually in the hands of the industry and private sector. The lack of the implementation of security by design, security by default practices in the digital products have been also cited as one of the negative factors to advance the implementation of these norms. While labels and certifications have been cited as positive developments, still some of the experts have highlighted that they cannot guarantee 100% security. So it’s still a lot of work should be done despite the levels of certification achieved by developers of the products. Some concerns were also evident about the security of data, which might be collected and processed by different private sector actors in cloud across different jurisdictions. And one of the challenges that I also put here on the slide, end-of-life and end-of-support gap, which is the feedback that we heard from those users who feel that they are not secure. that it might be forced to change the products faster than they actually want, and the development that may still exist in the industry, once the products actually might be changed, or they update, or the version of the product might be changed, the older versions may be no longer supported by the software developers. Thus, again, consumers will be further forced to spend more money and change the products. And this kind of the security also a dilemma for both consumers, but I believe for those who develop the products too. So this is just the two slides to show you how diverse different views we collected, we managed to collect, inviting really diverse stakeholders to the dialogue. 
But despite of this, I mentioned earlier that we also wanted to explore some of the questions, even though we would not be able to find all the answers. And here are some of the examples of the questions that we actually haven’t managed to solve, and they still remain open to us to discuss further. The examples include, particularly the first question, while we heard from some stakeholders that, indeed, to implement the norm related to supply chain security, it’s important to develop common global rules that might be applicable across multiple jurisdictions. But the question, is it really possible, given the current geopolitical situation, technological competition? And if yes, what kind of the international platform or any other platform might be appropriate for discussing these possible global rules? So we published, as I mentioned, the results of discussing of the first two norms for us last year. The first chapter of the manual was published in December 2023. And we continue discussing other norms. And specifically this year, we took three norms for our discussion. I highlighted them here on the slide, and thematically, while they’re very close to what we discussed last year, thematically, they present a little bit new challenge, a little bit bigger challenge for us. We focus on the critical infrastructure protection-related norms. So there’s norm 6, 7, and 8 on the infographics on the slide. What also we thought that might be helpful while discussing the critical infrastructure protection-related norms is to focus on the confidence-building measures, not a pillar in the UN cyber stability framework. CBMs is a pretty new concept for many experts of the dialogue, but still, we believe that it might be really, kind of, really connected and important in discussion of the norms. 
So this year, we hope to discuss further the feedback to collect different good practices that might exist to implement these norms, and at the end of the year or early 2025, to produce the next chapter of the Geneva Manual, which will focus on critical infrastructure. And on the final slide, I really welcome everyone to get engaged, to be a part of the dialogue, because we invite all passionate experts that might be interested to contribute, or if you know some of the experts that might be interested, so feel free to drop an email to us and get in touch with us. So really, we’d like to keep the dialogue, keep the conversation flowing, and incorporate as many views as possible from different parts of the world. So truly, in this regard, Geneva Dialogue serves as a global platform for many stakeholders. I’ll pause for a few seconds, just to see if there are any questions. Don’t be shy, if there are any questions, feel free to raise your hand, because I will have some of the questions to you further in the session.

Klee Aiken:
I might kick it off, Nastya, if that’s okay?

Anastasiya Kazakova:
Yeah, sure.

Klee Aiken:
Since we have our wonderful colleagues from Working Group A with us, I was wondering if you could share a bit of the reaction and feedback that you’ve gotten from folks within the UN discussions around the UN GGE or OEWG to the last report, as well as some of the focus areas that y’all are looking at now. Did you hear the question? I was just asking if you could share a little bit about the feedback and reaction that you’ve gotten from folks who have been part of the GGE and OEWG processes to the last report, also the focus areas that the group’s looking at now.

Anastasiya Kazakova:
From the GGE, that would be quite difficult, because the GGE includes mostly states, and we intentionally decided to invite all the non-state stakeholders, kind of provide them also a platform for discussion of these matters. Um, so my answer would include several elements from one side. We’ve managed definitely to include those who are really active in the processes, those multi-stakeholder segments within the OEWG process, for instance, and, um, have a really good knowledge of the framework of the current status and the inputs were really, really helpful because they had already the experience in dealing with these issues and discussing directly either with other stakeholders or with the States. Um, but, uh, that was really interesting also to see the interaction between those more knowledgeable experts and people who really have zero, um, knowledge about the cyber diplomacy and cyber stability framework. But, uh, at some time they have, they may have a bigger knowledge about the technical security or some technical concepts. So the interaction between them was really fascinating. Um, and I think we’ve really, really tried to build more sort of trust in our meetings to manage that these people actually started to start speaking the same language. Um, we managed though, to validate some of the inputs that we’ve produced within the first chapter of the manual with, uh, with, um, delegations with some of the delegations, we organized the side event to the, um, Open-Ended Working Group earlier this year in March in New York. Um, then we also organized a side event within the OSC to hear also the feedback from some of the delegations within the OSC and the questions and probably sort of the feedback, how could we further develop a bigger, um, focus on the link between the norms and CBMs and the work that we do. Um, but yeah, I think the, probably there’s no end to learn even more what in the way, how could we further improve the work that we do? 
So hopefully today that will be another example when we hear the feedback from, from the, some of the representatives of the delegations. If there are no further questions at this point, so I’ll start sharing my screen again. So hopefully you could see it. We prepared a few questions for you to hear your views with regard to the new topic for us, which is the critical infrastructure protection, as I mentioned. While we keep the focus on the content that we produced last year within the first chapter of the manual, the norms on supply chain security and vulnerabilities, the three new norms for us on the critical infrastructure protections, again, are kind of the new area. So there are a number of the questions that we explore. We understand that the focus is really, really big, and there’s been a lot of discuss in the field of the critical infrastructure protection, a lot of published, but still there are some of the nuances that we try to find to explore further. And hopefully, again, today’s session would be one of the such places to do so. I put some of the questions here on the slide, but further questions you may find in the agenda. So particular, the questions that we try to explore while still critical infrastructure protection is an area which is implemented at the national level. The designation of the critical infrastructure is the prerogative of national states. We feel that it might be some examples of the infrastructure that might have regional or international impact. And one of the questions that we have for our experts, and we have for you today, if you feel there might be a need for an international approach to protect critical infrastructure, and if so, why there might be such a case, and maybe you have… have any thoughts on that. 
Another angle that we try to also explore while unpacking these norms, whether there might be some missing sectors or dependencies that might be actually or should be categorized as critical, given the rapid development of technologies that we see, including artificial intelligence, or any other cases, the past two years have been marked with a high-intensified situation and a conflict in different parts of the world. So what are there any types of the infrastructure that should now be considered as critical as well? The first question is, of course, whether critical infrastructure should be off-limits for cyber warfare, for cyber conflict, and how can cyber operations avoid critical infrastructure? The norms also cite the necessity, let’s say, for states to collaborate, to cooperate with each other through regional international arrangements to respond to ICT incidents affecting critical infrastructure. And we’re also interested to learn more, what are the popular, most utilized examples of such work in regional international arrangements? So if you have any thoughts on this, that might be also helpful to hear. And finally, the final question that I put here. So we learned that some states still keep the list of critical infrastructure sectors as secret due to national security concerns. But transparency has been cited by stakeholders as really an important factor to help implement these norms, to be more involved in the implementation of the norms. And our question is, how can stakeholders actually support states to increase transparency in the way how they approach the critical infrastructure protection and any other related efforts? So these are questions for the roundtable, feel free to raise your hand, to share your views, and if you have any questions as well, feel free also to paste them and share them in the chat.

Orhan Osmani:
Anastasia, just a question from my side, are you expecting us to respond to those questions now, or you want us to separate, to go into the groups and discuss and come back?

Anastasiya Kazakova:
Thank you, thank you for clarification. Yes, this is a question to discuss right now, before we move to the game simulation.

Orhan Osmani:
Okay, I don’t know, maybe I can just touch on the number four. Some examples, basically, what we are doing at ITU is that when we are doing the cyber drills, we see a number of things happening there. We see confidence building measures and how countries are kind of coming together and learning, because also some scenarios involve some critical, essential infrastructure. We demonstrate through the exercise to say, okay, this infrastructure was attacked, and these were damages on the population or on citizens or in medical institutions and so on. So basically, people can understand that when that one happens, something happens behind. You’re not protecting only the system, but you’re protecting more than the system, you’re protecting human lives, you’re protecting different things. So I think those exercises help to build those networks and people get together. They learn together and they understand that certain behaviors affect the system, the one who is responding to incident, but also those creating those attacks also, they also affect on the other side. So I think that’s basically something it’s interesting to share and maybe include in the studies that coming together as countries, irrespective to political views and agreements or disagreements, but on technical level, I think also FIRST community offers quite a lot of collaboration there, but also ITU plays a role, but I think together with FIRST, we bring this spice together and kind of we work and kind of enhance that, but I think we should not stop, we should continue doing that. And I think it’s a good example of working together on different levels to respond to those incidents. Thank you.

Anastasiya Kazakova:
Thank you so much. Yes, indeed, regarding FIRST, it’s definitely one of the first probably examples that come to our minds and we’re glad to have some of representatives of FIRST to share these inputs to the dialogue, but yeah, thank you so much. Thank you.

Klee Aiken:
I guess since you all mentioned FIRST already and thanks Orhan for the shout out, but also kicking off the conversation. I think that’s one of the more interesting kind of inputs that Geneva Dialogue can have for some of the UN processes is that when folks are talking about arrangements to respond to ICT incidents affecting critical infrastructure, folks are often looking at the more formal agreements and structures and national point of contact networks and things like that. But a lot of that work is happening through those person to person relationships like Orhan mentioned, or through informal channels or semi-formal channels that have existed in the operational space. And I think it’s really important to consider that when developing the norms, when implementing the norms, and especially when implementing confidence building measures to make sure that these new measures, these new regional, international arrangements and structures and secretariats and whatnot, kind of take a do no harm approach to some of the more ongoing operational stuff that is what’s working now.

Anastasiya Kazakova:
Yeah, indeed. Thank you so much, Klee. It was really probably my personal, so kind of surprised to hear from some of the experts within the dialogue of the importance of all the informal channels, first of all, in dealing with the critical incidents or just incidents or exchanging vulnerability information because those informal channels can be really helpful to utilize in the sphere where trust is really so critical and so important. So while you have some kind of history of relationship with people that you trust, so those channels might be really helpful and be more effective to use to address the incidents. Any other views to the questions here on the slide? Maybe you would have some examples from your own countries at the national level of the good practices to implement all this free related norms or in the way how, what is the national approach from your country to operationalize the norms and to protect critical infrastructure?

Orhan Osmani:
It seems that, you know, some of us have to… come twice to this. Maybe, maybe I’ll kind of attempt on the first one, you know, I think, you know, doing something on international level would be very difficult. But I think, you know, what we can do, as a community, we can define some of the some of the essential infrastructures or critical infrastructures which affect citizens and, and life of people. And I think, you know, if we can do and publish this something, you know, which can be overall, we can agree as a community to build something comprehensive, I think that would be probably the approach. But to build something, you know, where, you know, really, you know, talking about critical infrastructure in general, because somebody might have critical infrastructure as let’s say, sugar industry in the country is critical infrastructure. So, you know, I think, probably that’s going to be affecting the economy, but I would focus on critical infrastructure affecting lives of people. And that could be common for all of us, you know, that would be something we can work as a group and come up with something around that and produce. But overall, I think would be will create lots of challenges and kind of barriers for us to produce something comprehensive, something useful. I know, these are my thoughts. But you know, I think I would like to hear from others, but I think Thank you.

Anastasiya Kazakova:
Thank you so much, Orhan. You mentioned that there might be some types of the infrastructures or the examples, maybe you would share some of the first examples that come to your mind.

Orhan Osmani:
I think, you know, basically, you know, what are the infrastructures I would think about to come up with something common things is transport, you know, I know, electricity, you know, hospitals, you know, emergency services, you know, people responding to, to, to kind of natural disasters and so on. Because, you know, give you an example, if there is a natural disaster, somebody disrupts the communication, people won’t be able to respond to certain places where people need help. So I think, you know, those are the things, you know, we can, we can kind of listen and talk about, but maybe, you know, we cannot go into kind of critical infrastructure, let’s say, you know, for some countries, critical infrastructure is, you know, from military weapon productions and so on, but that’s critical to them, but not basically to the rest of the world or something which is common around the world. I think, you know, we need to focus on common things, not really to go specifically for country critical infrastructure because all those differ from country to country. That’s my thoughts. Thank you.

Anastasiya Kazakova:
Yeah, yeah, yeah. That’s absolutely makes sense. That interesting that you mentioned the transport, healthcare and other sectors. We ask similar questions within first meetings this year and our experts have first single out digital sectors. I would call them like that. ICT infrastructure, cloud services as the ones that would actually probably require more international efforts to protect since they span across different jurisdictions and might be critical for lots of lots of countries and might have really regional impact if something happens to this kind of the infrastructure. But this is some of the first views that we heard from the experts.

Orhan Osmani:
Yeah, I think it’s good.

Linda Karcanaj:
If I can say something, this is Linda from Albania. I think Orhan is very right. We should come up with common examples of the critical infrastructure and probably a common methodology how we consider critical infrastructure in each country. What you said is very generic. To say that cloud will be considered a critical infrastructure is something very generic. Cloud is in the same point of view, like we have our hardwares and our servers for different systems. So cloud becomes critical infrastructure where you host a system which is considered critical for the country. Like for example, e-prescription. Here in Albania, we have from several years e-prescription online only, which means that if that system is down, the people will not have their prescription to get medicine. And if that happens, they will die. So it’s a critical infrastructure. We consider critical infrastructure that instance in cloud where we have that system. So we have to connect the infrastructure of hosting with the system itself. Doesn’t matter if that infrastructure is on-prem or on cloud. So we cannot talk in general regarding the cloud. So what I’m proposing is the same as Orhan mentioned, working groups which will come up with a discussion of what is considered critical infrastructure in different countries. So we can have a common understanding and probably during the exercise, we can think of adding in each country additional critical infrastructure that are coming as important in our discussion. Thank you.

Anastasiya Kazakova:
Thank you very much. Thank you so much. Any other views?

Speaker Lawrence:
Hi, Anastasiya. Lawrence here from FIRST. I hope I’m audible. Joshua, please go ahead. I would just like to weigh in in regards to how we identify critical infrastructure. I forgot to mention that I’m part of the African regional liaisons at FIRST. So my feedback as far as our critical infrastructure will be, instead of us trying to come up with examples, which I think might not really scale, I think the previous speakers have alluded to this. My approach will be, can we come up with guidelines that now each country can use to basically identify what critical infrastructure is to them. If I could speak, for example, if I’ll speak from an African context, knowing that Africa is very broad. We have certain countries that will treat their mobile money networks as critical infrastructure and they’re given higher priority, even better than some law enforcement agencies. But then you go to different countries where power transport utilities are given a higher score from a, they’re actually classified as critical infrastructure and mobile money, not so much. So if we take that examples approach, we might find ourselves in a box from my point of view. However, if we take a guideline point of view, so a critical infrastructure, it must meet these specific threshold. Then based on that, we can maybe now come up with examples, even that I don’t see it scaling. I’ll just say guidelines are better than from those guidelines, the various stakeholders we serve are able now to make their own decision based on their context and say, okay, based on this guideline, which more or less we agree with, these and these and these are sure or qualifies to be a critical infrastructure. In a recent capacity development initiative here we are doing, one of the challenge, one of the question that we received from internet service providers was whether fiber, the networking fiber, if that should be classified as critical infrastructure.
Now, for the last three or so weeks, we had some major fiber cuts affecting the African region. Now, certain countries were thrown under the bus in that because of those fiber cuts, a lot of operations were not able to go on effectively. Now, should we now classify fiber technology or fiber cables as critical infrastructure? I was given another case here, a specific whereby you find that 50 kilo vandalized. Now if that is treated as a critical infrastructure, it also means that law enforcement will pay more attention to it. Even the fines are very huge to deter vandalism of a critical fiber cable. But at the moment, fiber cable, as much as it’s very cool, ensures almost everyone has affordable internet, it’s not critical infrastructure. So if anyone vandalizes that, they are probably going to be given a slap on the wrist and they will still come and continue with vandalizing that kind of infrastructure. So does it become critical infrastructure? And if you say fiber is not critical infrastructure, what happens to countries who have been using fiber for the longest time? Do they now need to also classify it as a critical infrastructure? I thank you. That will be my, just wanted to share that with the team.

Anastasiya Kazakova:
Thank you very much, Lawrence. That’s I think really valuable to hear. Thank you so much. I also see the comment from Serene regarding the, that each country has its own criteria for defining what constitutes critical infrastructure. And here’s a support to what Orhan said before, that starting with common critical infrastructure would be an effective icebreaker. I’m looking at the time, I guess we have a little bit of time to hear a few more reflections, so feel free to raise your hand. And otherwise we will proceed with the simulation with the game. So, no further views. All right. Um, we’re prepared for you. So, our colleagues will split you randomly into groups and colleagues from GFC will help to facilitate one of the group, while in the other I will be the facilitator. So, the agenda includes the, the key messages and the questions but I will just briefly explain what you may expect. So basically we will play in the shoes of the two different actors of the National Cyber Security Agency and at the same time the critical infrastructure facility. Each group will receive its own master kind of the context, the situation. So, your goal will be to discuss to read first of all the message and then to discuss the questions. We will have also the time to approximately 30 minutes to make the notes and after that we’ll get back to the plenary to the main room to exchange the summary of the discussions, and for the debrief. So just a quick call if anybody has any questions before we move to the breakout sessions. All good, then I hope that’s all clear. Don’t worry if you have feel free to use the chat and Manuel from the GFC will take the group with the National Cyber Security Agency and I will lead the group with the critical infrastructure facility. So colleagues. I guess we’re ready. Thank you.

Anastasiya Kazakova
Speech speed: 167 words per minute
Speech length: 5203 words
Speech time: 1872 secs

Klee Aiken
Speech speed: 148 words per minute
Speech length: 849 words
Speech time: 345 secs

Linda Karcanaj
Speech speed: 124 words per minute
Speech length: 288 words
Speech time: 139 secs

Orhan Osmani
Speech speed: 189 words per minute
Speech length: 829 words
Speech time: 263 secs

Speaker Lawrence
Speech speed: 151 words per minute
Speech length: 616 words
Speech time: 244 secs