Building Capacity in Cyber Security

Tomoo Yamauchi

The Japanese government has implemented a comprehensive three-year cybersecurity strategy, with the latest one being decided in 2021. This strategy highlights the importance of addressing cyber threats and promoting secure digital practices. It was established around the same time as the digital agency to promote digital transformation (DX) and shortly after the Tokyo Olympics.

Japan is actively engaged in capacity-building initiatives, particularly for ASEAN countries. It promotes cybersecurity initiatives in ASEAN countries such as Indonesia, Brunei, and Thailand. These initiatives aim to enhance the cybersecurity capabilities of these nations. A prime example is the establishment of the ASEAN Japan Cybersecurity Capacity Building Center (AJCCBC) in Bangkok. The AJCCBC provides cybersecurity exercises and games to increase capacities, specifically targeting the younger population. As of August this year, a total of 1,200 individuals have participated in these activities.

Moreover, Japan is collaborating with other countries, including the United States and Australia, to strengthen cybersecurity capacity building. These collaborations involve discussions on expanding the activities of AJCCBC to other ASEAN countries. This partnership highlights Japan’s commitment to fostering international cooperation and partnerships for achieving cybersecurity goals.

Governments worldwide need to determine relevant policies and enact them to improve cybersecurity. Once policies are established, there is a need to fill them with sufficient content and launch initiatives such as the HACCBC, a technical capacity-building initiative. This approach ensures a comprehensive and structured approach to cybersecurity.

In addition to policymaking, it is crucial for policymakers to enrich and enhance their content for better understanding. Ten working groups exist between ASEAN and Japan policymakers, reflecting their commitment to sharing knowledge and expertise for the benefit of all.

To ensure the effectiveness of cybersecurity initiatives, it is essential to expand the target countries and achieve more global coverage. Although ASEAN countries and Japan are currently the focus, some countries are still missing from these efforts. By expanding the target countries, a more comprehensive and inclusive approach can be adopted to address the global cybersecurity landscape.

The sustainability of policies, programs, and activities is necessary for long-term success. This requires engaging the private sector and fostering collaboration. The involvement of the private sector brings additional resources, expertise, and innovation to cybersecurity initiatives. Furthermore, the expansion and advancement of capacity-building activities are needed to meet the growing demands and evolving cyber threats globally.

In conclusion, the Japanese government has taken significant steps in formulating a three-year cybersecurity strategy and actively engaging in capacity-building initiatives. Collaboration with other countries, the establishment of the AJCCBC, and the focus on policymaking and program sustainability are all indicative of Japan’s commitment to strengthening cybersecurity. The expansion of target countries and global coverage, as well as engaging the private sector, are crucial for achieving comprehensive and effective cybersecurity outcomes.

Speaker

Ladies and gentlemen, thank you for attending the Building Capacity in Cyber Security session. The session, moderated by Mr. Peter Stephens from the Organisation for Economic Co-operation and Development (OECD), aims to shed light on the significance of enhancing cybersecurity capabilities.

As technology advances and our world becomes increasingly digitised, the threat of cyber attacks looms large. It is essential, now more than ever, to strengthen our defences against malicious actors seeking to exploit vulnerabilities in cyberspace.

Mr. Stephens, joining us remotely from Paris, brings extensive experience and knowledge in the field of cybersecurity. His presence adds immense value to this session as he will provide valuable insights and perspectives on how countries can effectively build capacity in this critical area.

The main focus of this session is to explore the various strategies and measures countries can undertake to bolster their cybersecurity capabilities. These strategies may include, but are not limited to:

1. Developing robust national cybersecurity policies and frameworks: It is crucial for countries to establish comprehensive policies and frameworks that address cyber threats, promote awareness, and encourage collaboration between the public and private sectors.

2. Investing in advanced technologies and tools: Keeping up with the rapidly evolving cyber landscape requires continuous investment in cutting-edge technologies and tools capable of detecting, mitigating, and preventing cyber attacks.

3. Strengthening institutional capabilities: Building capacity in cybersecurity involves equipping institutions such as law enforcement agencies and regulatory bodies with the necessary resources, expertise, and skill sets to proactively combat cyber threats.

4. Promoting international cooperation: Cyber attacks transcend borders, making international cooperation imperative. Sharing information, best practices, and collaborating on joint initiatives can significantly enhance our collective resilience against cyber threats.

This session will also shed light on emerging trends and challenges in cybersecurity, such as the increasing sophistication of attacks, the rise of state-sponsored cyber activities, and the potential impact of emerging technologies such as artificial intelligence and the Internet of Things.

In conclusion, this Building Capacity in Cyber Security session serves as a platform for engaging with experts and policymakers to share knowledge and best practices in this critical domain. By bolstering our collective cybersecurity capabilities, we can effectively protect our societies, economies, and critical infrastructure from the ever-evolving cyber threats we face today and in the future.

Kana Shinoda

Code Blue is an international cybersecurity conference held annually in Tokyo. This year, the event celebrates its 11th anniversary. The conference serves as a platform that brings together professionals from different fields, such as technical, law and policy, and cybercrime, to discuss and address cybersecurity issues. Notable keynote speakers, including Mikko Hipponen from Finland and Sergei Korsunsky, Ambassador of Ukraine to Japan, contribute to the event’s success and reputation.

Code Blue offers a diverse range of sessions, with a total of 35 sessions and 42 speakers, covering various topics related to cybersecurity. Additionally, the conference hosts three contests, as well as Capture the Flag (CTF) challenges and car-hacking villages, which provide practical experiences and opportunities for learning and skill development. The event also places significant emphasis on youth involvement, offering U25 youth sessions, a scholarship programme, and opportunities for students to work at the event. This commitment to engaging young people reflects the organisers’ dedication to nurturing future cybersecurity professionals and cultivating interest in the field.

Furthermore, the summary highlights the importance of collaborations and international platforms like Code Blue and the Global Cyber Security Camp (GCC) for boosting cybersecurity. GCC is a one-week training camp specifically designed for Asian youth, with participation from countries such as Japan, South Korea, Taiwan, Singapore, Australia, Malaysia, Thailand, and Vietnam. The camp effectively combines academia and industry to equip young individuals with the necessary skills and knowledge in cybersecurity. Moreover, GCC employs a successful model based on a security camp in Japan, which has been in operation for over 13 years.

Notably, the Asian team has demonstrated exceptional success in the International Cybersecurity Challenge (ICC), consistently excelling in the attack and defence category. In previous ICC events, they secured second place overall in Athens, Greece, and third place overall in San Diego, USA. These achievements showcase the talent and prowess of the Asian cybersecurity community and emphasise the importance of continued support and investment in this field.

The summary also highlights the ongoing nature of cybersecurity and the significance of leveraging artificial intelligence (AI) for political purposes and improving basic security measures. Furthermore, it raises the issue of duplication of content across countries in cybersecurity training and suggests the need for a unified platform. This single platform would help avoid unnecessary duplications and make training materials more easily accessible and digestible. The argument advocates for collaboration and highlights the benefits of such a platform in ensuring efficient dissemination and uptake of cybersecurity knowledge.

Overall, the summary provides a comprehensive overview of Code Blue, GCC, and their significance within the cybersecurity landscape. It highlights the value of international platforms, youth involvement, collaboration, and ongoing investment in cybersecurity for a safer digital environment.

Christopher Painter

Cybersecurity capacity building is crucial for addressing international cyber threats and unlocking the benefits of Information and Communications Technology (ICT). It is integral to all types of infrastructure projects and plays a vital role in ensuring a secure and resilient digital economy.

The Global Forum on Cyber Expertise (GFC) is a key player in cybersecurity capacity building. It aims to strengthen capacity building efforts, avoid duplication of work, and improve efficiency. The GFC coordinates cybersecurity capacity building projects and serves as a clearinghouse, connecting countries in need with donors and implementers. With approximately 200 members and partners, including around 60 countries, civil society, and industry, the GFC prioritizes expanding global cooperation, regional coordination, and a demand-driven approach.

The importance of cybersecurity capacity building is gaining recognition in national and international development agendas. Efforts are being made to elevate cybersecurity as a priority through initiatives like the upcoming conference in Ghana. A high-level global cybersecurity capacity building agenda is also being called for to enhance efforts worldwide.

However, challenges exist in effective capacity building. Policy and political buy-in are significant challenges, as support from policymakers and leaders is crucial. Additionally, breaking down silos between different cybersecurity communities, including technical, policy, development, and security communities, remains a persistent obstacle.

Capacity building should not be an afterthought; it is critical for the growth of economies and societies. Emphasizing a multi-stakeholder approach involving governments, civil society, and private industries has proven to be beneficial. Collaboration enables better policy-making and ensures sustainable programs with continued political buy-in.

Efficiency and coordination are essential for effective capacity building. Promoting information sharing platforms and organized working groups, exemplified by the efforts of the Global Conference on Cyber Capacity-Building and the working groups of the GFC, have shown effectiveness.

Addressing the gap between cybersecurity needs, available resources, and effective delivery is crucial. The demand for capacity building is high, but currently, insufficient resources are allocated to meet these needs. Bridging this gap is necessary for successful cybersecurity capacity building efforts.

One concern is the tendency to quickly shift focus to new technological developments like Artificial Intelligence (AI) without adequately addressing existing cybersecurity issues. While AI holds promise, it is important to prioritize resolving existing threats and capacity building efforts before shifting attention.

In conclusion, cybersecurity capacity building is essential for addressing international cyber threats and harnessing the benefits of ICT. Organizations like the GFC play a vital role in strengthening capacity building and promoting global cooperation. However, challenges such as policy and political buy-in, resource allocation, and breaking down community silos persist. A multi-stakeholder approach, sustainability, and effective coordination should be prioritized for successful capacity building programs. Additionally, existing issues should be addressed before diverting focus to new technological developments like AI.

Peter Stephens

The analysis presents several arguments related to cyber security and capacity building. One argument emphasizes the global nature of cyber security, highlighting the need for international cooperation. This argument is backed by the example of the Mirai attack in 2016, which compromised 600,000 devices in Germany, Brazil, Colombia, and Vietnam. The attack serves as evidence that cyber security is a transborder problem requiring collaborative efforts between nations.

Another argument focuses on the importance of capacity building and preparedness for future threats in cyber security. The development of international norms and the implementation of effective policies are highlighted as crucial in addressing market failures and strengthening cyber security. These points underscore the need for continuous improvement and proactive measures to safeguard digital systems and networks.

The analysis also stresses the significance of a diverse workforce in the field of cyber security. It provides an example of the cyber workforce strategy in the United States to support this argument. Having a diverse workforce is seen as important for fostering innovation, creativity, and resilience in tackling cyber threats. This highlights the need for inclusivity in the industry and how diversity can enhance the field.

A key challenge identified in the analysis is the gap between policy makers and cyber security professionals. Bridging this gap is considered essential for effective policy development and implementation. The historical lack of collaboration between these two groups is viewed as a contributing factor to the challenges faced in cyber security.

Additionally, the analysis emphasizes the value of competitions and war games in boosting regional cyber capacity. It highlights a presentation by Mr. Yamauchi, which underscores the importance of such activities in strengthening cyber capacity. This argument highlights the role of experiential learning and practical training in the field of cyber security.

The Global Conference on Cyber Capacity Building and the CIBIL program are highlighted as initiatives that can facilitate resource access and partnerships between policy makers and experts. The conference, scheduled to take place in Ghana in November, is expected to contribute to the sharing of knowledge and best practices in cyber capacity building. The CIBIL program allows policy makers to access pre-existing materials, aiding them in policy development and decision-making processes.

Other noteworthy findings from the analysis include the importance of a demand-based approach in addressing cyber capacity building challenges and breaking down silos between communities. The analysis also emphasizes the need for better amplification and scaling of successful initiatives.

In conclusion, the analysis underscores the interconnected and transborder nature of cyber security, emphasizing the need for international cooperation. It highlights the importance of capacity building, a diverse workforce, bridging the gap between policy makers and professionals, and the role of competitions and war games in building cyber capacity. The Global Conference on Cyber Capacity Building and the CIBIL program are identified as facilitators of resource access and partnerships. The analysis also emphasizes the importance of a demand-based approach, breaking down silos, and amplifying successful initiatives in addressing cyber security challenges. It suggests that efficient use of resources and generating political will are key factors in ensuring a stronger and more secure cyber landscape.

Christopher Painter :
.

Speaker:
Hi everybody, we are starting it. My name is So thank you very much, ladies and gentlemen, for attending this Building Capacity in Cyber Security session. The moderator of this session is Mr. Peter Stephens, he’s from the OECD, and he will be participating online from Paris. So Peter, can you hear us?

Peter Stephens:
Yes, I can hear you. Okay, great. Good afternoon, everyone. So if you’re ready, the floor is yours. Thank you very much, and welcome everyone to this session on Capacity Building on Cyber Security. As was said, my name is Peter Stephens, and I’m at the OECD looking on digital security, and today we’ve got a fantastic panel. So before we start, can I please pass over to introductions? Can I please pass to Ms. Shinoda, please?

Christopher Painter :
Me first? Yeah, I’ll just say my name. I’m Kana Shinoda, and I’m from Code Blue. Thank you. I’m Chris Painter. I’m the president of the Global Forum on Cyber Expertise, former U.S. government cyber diplomat among other things, so very nice to be here in Japan.

Tomoo Yamauchi:
I am Tomo Yamauchi, Director General for Cyber Security at Ministry of International Affairs and Communication, NYC, Japan.

Peter Stephens:
Thank you very much, and it’s a great pleasure to have such a fantastic group of panelists today. We all know that cyber security is very much an international problem that requires a lot of international partnerships in order to respond to them. We know that cybercrime is interconnected, and the way that technology can be weaponized across borders is an ongoing challenge. If we just take one example of the Mirai attack in 2016, we saw that 61 simple username and passwords was able to compromise 600,000 devices across Brazil, Colombia, and Vietnam, and then those products were able to be weaponized to damage and cause harm in the U.S., Liberia, and also in Germany. Governments can operate in isolation, and we need to work in partnership with one another to boost resilience from cyber threat, and we know that this issue continues to evolve. What is an issue now will not be an issue forever, and more problems will continue to come. So there is a need for all countries to adapt and to prepare for those future threats within new and emerging technologies. As we know, there’s a lot of interest now in artificial intelligence and also as things develop in quantum as well. So there’s a really important question about how can we build capacity in two ways. So I always think about capacity building as a combination of the cross-country capacity building, which is how can high-capacity countries support lower-capacity countries, and that’s the supporting to the development of international norms, as well as helping governments to set the foundations by delivering meaningful policy to address market failure and promote strong cybersecurity practices. There’s also a challenge of how can we move from strategy to the delivery of law in countries, and how can we implement government approaches to help set those expectations on industry, which of course all operate globally. As well as the regional component, there’s also an important component, which is about how can we help time-based capacity building? How can we prepare for the future? How can we make sure that we have sufficient skill sets and a diverse group community of people who are working in cybersecurity? I most recently was at a DEF CON conference in the United States, and there was a really passionate discussion around the distinction between cybersecurity skills and also how can we prepare for the workforce? How can we make sure that more people are able to find the right roles in cybersecurity to help them to make big impact and to help support industry and also the wider economy? We saw that already with things like the cyber workforce strategy in the United States, but also there’s a need for further partnerships between these communities. I know that there’s a lot of work helping to bridge the gap between cybersecurity professionals and also policy makers who historically have not worked in partnership, perhaps through a number of different reasons, which we might go into. I think it’s really interesting to see how that is continuing to evolve and that relationship changing. I’m looking forward to hearing from participants about that as well. As we say, we have a one-hour session here today. We will have three presentations from each of our panelists before going into 20 minutes of discussion, and then there will be five minutes of questions and answers towards the end. If you do have questions, please do make a note of them, and there will be time for them at the end of the session. Without further ado, I would love to pass over to Chris Painter, who’s president of the GFCE, the Global Forum on Cyber Expertise. What I’d really love you to do, Chris, if you could tell us a bit more about the work that the GFCE is doing and how it is supporting policy makers to address cybersecurity threats around the world.

Christopher Painter :
Great. Thank you, Peter. First, let me just say how much of a pleasure it is to be here and be back in Japan, which I’ve, especially when I was with the U.S. government, had worked with a lot over the years and really valued that interaction on cyber security, other kinds of cyber issues. Thank you to our hosts. I know how much work it is to put on something like this, so thank you for that. I really appreciate it. Let me just put the first slide up that I have, or someone put up the first slide. Okay, there. When I think about cyber capacity building, I think it’s really foundational to everything we’re trying to do, not just to fight threats online, of which there are many and growing, but also it’s a foundation for achieving all the good things. All the digital economy, digitization, all the things we talk about, and it will empower countries and empower individuals. Cyber security, having good cyber security is key to that, and having capacity building to enable countries to do that is also very important. Let’s go to that next slide. The GFC is basically an organization that was set up as a response, an international response to this global challenge, because many countries and individuals and organizations around the world are now faced with these threats, but don’t really have the capability to deal with them. This is particularly true in the global south, the global majority, who are dealing with these issues. Again, it’s really their economies are depending on it. It’s meant to close the cyber security capacity gap, because there is a large one between more developed countries and less developed countries, but even within the developed countries, there are gaps that need to be addressed. The point of the GFC is to help countries and organizations put foundational building blocks to help with cyber resilience. We use cyber resilience because that phrase, I think, has more currency, more buy-in from communities outside the cyber sphere, the development sphere and others. Peter mentioned sometimes the breakdown between policymakers and technical experts. Certainly that’s there, but there’s also, I think, a breakdown between different communities of interest, people who do economic policy, people who do security policy, people who are in the development community, traditional development community like the SDGs, and folks who do cyber security capacity building. We can’t afford those communities to be different. They need to be brought together. We identify successful policies, best practices, ideas so that we can both share them between regions and individuals, but also in countries, but also multiply their effect on a global level. Go to the next slide. Basically, the GFC, which is an organization of now 200 members and partners, including about 60 countries, including Japan, the U.S., and many others, civil society, industry, a true multi-stakeholder organization. The overall vision is to fully reap the benefits of ICT through a free, open, peaceful and secure digital world. The mission is to strengthen cyber security capacity building and do that. What we try to do, and this is really important, and this is something I saw when I was in the government, is the resources are pretty slim in this area. Often what happened is five different countries would train the same five people in the country over and over and over again, or not really ask them what they needed, and therefore the resources were somewhat misspent by duplicating efforts and not really having a strategic plan in place. One of our core things is to avoid that duplication, to help coordinate projects, and really coordinate these efforts. Also, to help improve the efficiency and effectiveness of products, both by coordination but also being able to share knowledge more fully among different stakeholders, and then map and then fill capacity building gaps, which is critically important, too. Then finally, to help develop research, to look up where the gaps are, see if we can commission research and projects. We have a research agenda, a clearinghouse, so if a country says, we need help with X, we match that country with donors and implementers who are part of the GFC community. Knowledge sharing we do through a portal, which I’ll talk about in a second, and coordination is really our raison d’etre. Next slide. The key things I had mentioned, the research agenda is what I just mentioned, is commissioning research that fills the gaps where we identify gaps in the mapping that’s done through the various people in the GFC community. The clearinghouse is where a country says, I need help. For instance, we’ve had a country come to us recently, an African country, saying, I need a national strategy. There are lots of national strategies out there, there are lots of best practices, which we provide to them, but we can also match them with people who can really walk them through and help that process and make sure it’s sustainable. The CBL portal, which is at www.cblportal.org, which is open to everyone, all of you can look at this, which is a collection of now hundreds of best practices, other documents along a number of different areas, both regionally searchable, but also more broadly in various national strategies, diplomacy, cybercrime, incident response and certs, standards. All of those are mirrored in that portal, and I recommend it to all of you. Next slide. This is a breakdown of what’s on the CBL portal. As I said, it’s a repository for cybercapacity building projects. It is a central portal. It’s also linked to the UNIDIRR portal, and we cross-link between us some of the work they’ve done. Now, over 200 publications, 830 projects, 120 tools, and over 800 actors, including regional actors, and I think that’s really important because some things are really specific to particular regions, and that helps people really fill the need, the crying need that they have, for more help, and also points them to directions where they can get more help. Next slide. This gives you a regional breakdown, too, from really all over the world. We have projects, actors, and a number of upcoming events. We also have a calendar built on this, which I think helps people see what all the upcoming events, and there are many in this area. Next. Our priorities coming forward are to expand global cooperation, expand our network, focusing on inclusivity from every region around the world, regional coordination to bridge the gap both on a national and global level, and one of the things I’ve heard often is, and this has been a move we’ve been doing, a demand-driven approach, so listening to the people who want the help rather than saying, here’s a program we can give you, or a country saying, here’s a program we can give you, really listening and doing that demand-driven approach, and doing work on regional hubs to do that, and local collaboration by connecting local projects with a larger global GFC ecosystem. Next slide. Part of the way we’ve done that, recognizing that global efforts are important, but you also have to have regional efforts that are more to the ground, closer to the ground, so I just came from Fiji, where we launched our Pacific Hub, former director of the Tonga CERT is running that, it’s for the Pacific Islands, it’s really linked there, and it’s really meant to help their needs, and they particularly are some of the places that said, look, everyone wants to give us aid, but we don’t even have the capacity to deal with that aid because it’s duplicative often, they say, here’s how to build a CERT 101, we get that 12 different times, where we need how to build a CERT 102, and we need to put this in the larger context, so the Pacific Hub, just launched, really look forward to that, we have in Latin America and Caribbean region, we are partnering with the Organization for American States to do a regional hub there, we have an Africa hub and created an Africa Cyber Experts Group, and then the Southeast Asia hub and liaison, we have an ASEAN liaison based in Singapore that’s just starting to work, and I think that’s, again, for this region in particular is going to be really important, working with Japan and other countries to make sure that we’re really listening to the region and amplifying efforts that are out there. Next slide. Which leads me to the last thing I want to touch on. So I mentioned these different communities, the development community, the traditional development community, the cyber community and others, and bringing them together, and we are having a major conference in Ghana and Accra at the end of November, 29th and 30th of November, for several things. One to highlight and elevate this issue of cyber resilience as a priority in international and national development agenda. Now we all know, who deal with this area, that increasingly cyber security undergirds every kind of infrastructure project you can think about, water, power, financial systems, and it’s not giving the attention I think it deserves to make sure that those development projects succeed in the long term with strong cyber security. So how can we bring those communities together to really leverage each other’s efforts and not make these opposing things, but things that are built together, and that’s really the point, the overall point of this, and also to bring more attention to capacity building in the cyber area globally. It’s the first of its kind of event. It’s going to have leaders, decision makers, experts from all over the world. I say it’s hosted in Ghana to be opened by the Ghana president. We’re bringing the development folks in, we’re bringing the cyber folks in, we’re bringing regional efforts, we’re going to have some regional discussions from each of the regions I talked about. It’s really going to be, it’s been a massive undertaking. We’ve been planning it for a while, but I think it’s going to be really important. Next slide. So I mentioned some of the outcomes of this. It really is to elevate and mainstream cyber resilience and capacity building in that development agenda. We want that to be a high-level global cyber capacity building agenda for going forward based on regional agendas. We’re planning on launching something called the, well, I think it’s going to be called the ACRA call right now, we’re still working on the phrasing, which is going to be a set of high-level action item principles. So there are lots of principles out there, including cybersecurity principles that we’ve done, that the UN has done, but really now taking this to the next level in terms of action. And to overall expand the pool of resources, which is still far too limited in this area because the demand is huge, particularly in the developing world. Next. And that’s it. That’s it for me. So really look forward to your participation here today. Look forward to your input. If your country is not a member of the GFC, it’s not hard to join. If your organization is not a member, it’s not hard to join as a member or a partner. We welcome these efforts. We’ve expanded dramatically over just the course of seven years. But this is a really key, as again, as I said, this is foundational to everything else I think we’re trying to do in this space, both positive and fighting threats. So thank you. Thank you.

Peter Stephens:
Thank you, Chris. And that was fantastic to hear about the, first of all, the importance of networks, bringing together the communities from development, typical development communities, as well as cyber communities and more policy folk. How can we make sure that they are working in partnership with one another? But I also really liked what you said about the demand driven approach and thinking about what are the issues that need to be done and how can we help to amplify what has already been done? I think there’s a supposition that you don’t need to start from ground zero. You can build on other people’s work already, and I think there’s a need to do that. I also enjoyed hearing what you said about the importance of regional hubs and the importance of regional development work. And I also would love to pass over now to Mr. Yamauchi, who I know has done a lot of work, particularly with Japan, and how I’d love to hear a bit more about the work Japan has been doing at a regional level to promote more effective technical, strategic, and policy initiatives within cyber security. So Mr. Yamauchi, can I please pass over to you?

Tomoo Yamauchi:
Thank you very much. First of all, thank you everyone here joining this session, on-site and online. And thank you very much for participating in the forum as a member of the host. Next slide, please. For the Japanese government, we have a cyber security strategy every three years, and now the existing strategy was decided in 2021. This was just about when we established the digital agency to promote DX and just after the Tokyo Olympics Games, we have successfully operated the game. We have three major policy pillars, one, two, three, and three, you can see the enhancing initiative from the perspective of the national security. Under these pillars, we have several specific measures, and you can see the number three, the international cooperation and collaborations. In these objectives, the supporting for capacity buildings, we focus the activities for the capacity buildings, especially for Indo-Pacific regions. So, I would like to explain how we extend or have the capacity building activities for ASEAN countries. We have not only the MYC ministries, but also the holistic policy makers in Japan to have the cyber security capacity building activities, and you have several activities from one to ten, and the number five, the capacity building working there. And I would like to emphasize the last column, so you can see the lead countries. Of course, now, Japan has about more than half the items, but you can see Indonesia, Brunei, or Thailand for several items. So, that means the ASEAN countries have a voluntary intention or ability to lead these activities. So, we expect the ASEAN countries have more abilities or incentives to promote such kind of cyber security initiatives. Okay, next slide, please. This, I would like to explain the AJCCBC, the ASEAN Japan Cyber Security Capacity Building Center, established in Bangkok. This is a very busy slide, I’m sorry. The major activities at the center, we have two major pillars. The one is a cyber security exercise, the other is a cyber sea game. The first one, the cyber security exercise, we have originally called the CIDR exercise. This is established and organized for Japanese local government. This is a very realistic exercise, and we revised the CIDR program for the ASEAN countries. And the second one, the cyber sea game, this is in order to promote the activities for younger age, especially for students or the higher educated people. We have conducted, we have been conducting the CTF style contest, and we promote them to have the more advanced capacity in executing such kind of sea games. And now, we have more than 2,000, no, no, no, sorry, 1,200 people participated as of August this year. And now, from this year, from this fiscal year, the centers, the operation of the center was transferred to JICA, subsidiary of the MOFA, the Ministry of Foreign Affairs. And NYC is continuously providing the contents to the centers. And now, we are considering to expand this kind of activities to ASEAN countries, especially for the northern part of the ASEAN countries. Now, we are talking with the neighboring countries, including the United States and Australia, how to operate such kind of activities. Okay, next slide. This is the end of my explanation. And thank you very much for your attention.

Peter Stephens:
Thank you very much, Mr. Yamuchi. And it was fantastic to hear about the work the AJCCBC has been doing, and also the work in CTFs, and the exercises, and how you are helping to scale that across the regional area. It’s a fantastic endeavor, and I look forward to hearing more in the questions afterwards. I’d love to drill down into a bit more detail with Ms. Shinoda, who is the founder of Code Blue Events and Blue Inc. I’d love you to hear a bit more about some of the work that you’re doing at Code Blue Events and helping to build partnerships with the technical community, and also your work with youth development. So, Ms. Shinoda, can I please

Kana Shinoda:
pass over to you? Yes. Thank you. I would like to talk about three projects. One is Code Blue, and then one is JCCC, and then the last one is ICC and ACSC. Okay, Code Blue is an international conference in Tokyo. It’s been, this year, it will be 11th this year, and it will be happening next month. And we invited two keynotes this year, like Mikko Hipponen from Finland, and then Sergei Korsunsky, Ambassador of Ukraine to Japan. Those two will be the keynote, and then we’re going to have 35 sessions and 42 speakers, and also three contests, and then some other CTFs and car-hacking villages, too. So, it’s like a Black Hat and DEF CON mixed conference, and the Code Blue itself is a very top global event, and a workshop, and a contest in cyber security. And it’s been doing, like, first time, it was, like, very technical-oriented, but since we thought we need to mix more law and policy people and cyber crime people, too, I mean, so that’s why we mixed, we built this law and policy track and cyber crime track. That’s why we tried to mix those people all together in the one venue to change the society faster by, you know, let them talk together in the same field. Also, to cultivate the young people, we set up, like, U25 youth sessions, two sessions, and then we created a scholarship. We say the Code Blue Research Grant. If they are really good speakers and really good researchers, we’re going to give them some grants from Code Blue. And also, at the same time, we hired student staff, too. We hired, this year, 34 student staff to involve more young people to the cyber security industries, too. Mostly, like, high school students and university students are coming here, too. They work one day, and then they listen one day. So, they have enough time to talk with speakers and the people at the booth, like, industry people, and also they make friends among those student staff, too, who is coming from all over Japan. The student staff is very popular among the young kids, and we hired only 34 students, but we have three times more applications for it. So, it’s very popular. So, we created Code Blue because about 10 years ago, security in Japan, we kind of, like, I felt like that we have lots of taboos in Japan. Like, they don’t fully open to talk about security. Like, for example, automotive security stuff. Even, like, America, they talk about car hacking stuff already, but in Japanese media, they don’t publish that much about it. So, I tried to make the security bar a little higher in Japan, so that’s why I tried to make it, like, an international conference, English and Japanese equally, and that’s why I named it Code Blue. Code is a technology. Blue is the ocean. All the borders in Japan are on the ocean. That’s why we named it that way. So, that’s about it, and can you do the next one, please? Okay. This is the sponsors for this year. You can see, like, Panasonic, Hitachi, NEC, and then the banks, and lots of Japanese global companies are supporting us, and also some other companies from overseas are also interested, too. So, next slide, please. Ah, can you go back a slide? I forgot to mention. For the supporters, we have automotive association here now. So, yeah, I just want to mention it. Yeah. Can you go? Thank you. This is just a snapshot from the Code Blue. It’s before COVID-19, so that’s why people are so close together. So, you see some people playing with soldering stuff, and they’re making, like, hardware hacking stuff, and then some people are working together, you know, internationally, smiling, and they’re working on the CTFs, and some people are standing and watching about some tools, some tool talks, and we have, at this time, we had about 1,000 people in one room. So, it was COVID-19. So, next slide, please. And this is a part of the snaps also, and because the Code Blue is always happening the Halloween period, so that’s why some people joining with dinosaur suits. So, we’re having fun with that way, and some people, you know, the left down corner, they are playing the CTF very seriously. So, it’s like that. Thank you. Next slide, please. Yeah. So, that’s about Code Blue. So, next one is GCC, the Global Cyber Security Camp. It’s a one-week training camp for Asian youth, and then it’s an Asian version of security camp in Japan. It’s been already five years. Global camp is like, yeah, you see from the left, we have eight countries already. Japan, South Korea, Taiwan, Singapore, Australia, Malaysia, Thailand, and Vietnam. Those are member countries, and we’re going to have Indonesia and India probably from next year, and those are various type of organizations, like from Japan, we have security camp is joining. Security camp is like an NPO in Japan, and then like Taiwan, it’s like a government education project, too, and South Korea also government project, too, and then some others are community, and some

Christopher Painter :
others are university, so it’s very mixed people are supporting and then joining the GCC. Each country selects like six or seven students, and we came all together in one place, and then we do the one-week training, and we give them the one-week training and the whole cutting-edge trainings, too, but at the same time, we have the group work for all students to make them talk a whole entire week. So, for example, group work was like how to foster the friendship among Asian countries or to think of the future careers of themselves, too, and that kind of stuff. Yeah, and then also this is, as I said, it’s a model of the security camp in Japan. Security camp in Japan is held like it’s been over 13 years already. It’s one senior year, and it’s just one week, but I created this one because the security camp is very succeeding in Japan. It’s mixed with academia and industries and then, yeah, and the communities, too, and then the ecosystem working very good. Like, students after graduate, they becoming the trainers or tutors, and so we don’t have to train the trainers, but we, even we, by doing the security camp, they come back to the community because they want to be. So, that’s how it works, and it works like that in GCC. GCC itself is like the students are coming back, and they’re being the trainer and sponsor, and also the staff, too. Now, I’m kind of just a step a little bit aside, and then they let them work. So, they, because of friendship, they work mostly over the countries, okay, and because the cybersecurity is, we’ve been, I mean, teaching kids in the community for a long time, and that’s the nature of the cybersecurity here in the community. So, that’s why, because it’s pretty, because of it, it’s pretty natural for us to get together and teaching them together voluntarily. Okay, next slide, please. And this one is the GCC students. It’s about 50 or 60 size of the class. Yeah, and it’s going to be Thailand in 2024, February. Next one, next one. Yeah, next slide, please. And ICC and GCC, no, ACC and ACSC. ICC is the International Cybersecurity Challenge, and it’s a CTF World Championship where representative teams from the continuous competitions, and it’s actually, the ICC is founded by Anissa, actually. Anissa had ECSC, it’s a European Cybersecurity Challenge. It’s also CTF among European countries. And then, they’ve been doing good, and they’re confident to expand it to the global level, so that’s why they created the ICC in, the first meeting was 2020, February. And then, we started to expand it this way, and we had seven teams from each region, like one from Europe, one from Africa, one from South America, and so on and so forth. And from Asia, we have eight countries. And then, yeah, for next round, we had Thailand last year, but they were kind of decided to leave, and India was part of us, but India has a huge population, so they will make their own team to participate in this one. And then, the final round will be sometime in 2024, and it will be probably in Dubai, in Middle East. We had a Middle East team, but they couldn’t participate in America this year, so probably Middle East, but we haven’t decided yet. Okay, yeah, next slide, please. Sorry, it takes time. This is a team, Asia, from the first ICC, Athens, Greece. And then, on the left side, you see the overall results. Europe was first, Asia was second, and the USA was third. And then, the interesting thing is the Asian team won the attack and defense, and then Japan was second. Even we didn’t have a chance to train the team, and we even didn’t have a uniform all together. But they did a very good job. And next slide, please. And this one was from this year, ICC, held in San Diego in the United States, and supported by US governments. And the result is that Europe is first, and Oceania is second, and Team Asia is third. And for attack and defense, we won the first place again. So maybe because we selected 17 finalists among 14 competitors from the one CTF.

Kana Shinoda:
So that’s why they are really good at attack and defense, I think. Yeah, thank you. Sorry it takes too much.

Peter Stephens:
Thank you very much. That was fascinating, and I can see a lot of consistency with Mr. Yamauchi’s presentation about the importance of war games, and scenario planning, and how can the competitions and CTFs be a helpful exercise to help boost capacity also in a regional level. Thank you so much also to Mr. Yamauchi for presenting about the AJCCBC, as well as to Mr. Painter for talking about the work on the Global Conference on Cyber Capacity Building, which is happening in Ghana in November, as well as the CIBIL program, which sounds fascinating as a way for policy makers around the world to access materials that have already been created, and to build partnerships with experts to help them address their own challenges. And I think the demand-based approach is a really important point. Thank you so much for the presentations. It’s been fascinating for me, and I’m sure it has for everyone else in the audience. What I’d love to do now is to just delve in a bit more detail into some of the challenges that we know exist. You all have a great deal of experience working with partners in cyber capacity building. So what I’d love to ask the panel, perhaps starting with you, Mr. Painter, is what are some of the key challenges that you find when you’re facing regional capacity building initiatives? What are the key challenges that you see coming up again and again in your experience?

Christopher Painter :
Well, one is getting a sufficient level of, I think, policy and political buy-in in the country, because as much as they may need capacity building, if you don’t have that buy-in, you’re not going to have the sustainability. So making sure that it’s not just the experts you’re talking to, although they’re important to talk to, but getting that buy-in at a higher level. That’s one. Resources, as I said, are a continuing challenge, that not enough resources are devoted to this, given the huge demand of countries around the world and the need for better information sharing. So efficiency and coordination is really important, and that’s what we’re trying to do in my organization. But really, expanding that pool, I think, is really important. I think the third one I’d mention is just breaking down the silos I talked about between the technical community, the policy community, the innovation community, the security community, and the development community, and the cyber community. So all of those, I think, are challenges. They’re not challenges that can’t be overcome, but they’re ones that really take concerted effort, because this really is something that’s critical to the growth of economies, of societies, and we need to address it now and not treat it simply as an afterthought, which I think too often we’ve done in the past.

Peter Stephens:
Thank you very much. Would any other panelists like to contribute on that topic? In which case, Ms. Snowder?

Kana Shinoda:
Yeah, I kind of agree with him. The security is a process, and it’s never-ending. So we collaborate together. We have to discuss getting it all together. So I totally agree with him.

Peter Stephens:
Thank you. And so to Mr. Yamauchi, based on the important role of efficiency and helping generate resources and getting that political buy-in, how do you think countries like Japan can support developing countries more as we look to deliver initiatives in cybersecurity?

Tomoo Yamauchi:
Okay. For the government side, I think they need two issues. One is what kind of policies do they need, and the second is how do they make such kind of policies. So once they are determined, I think we have sufficient content filled in the respective policies, and we can make some kind of respective initiative like HACCBC. So in this slide, the HACCBC is a technical capacity building. So before that, we need some kind of holistic capacity building for the government side. That’s my comment. Thank you.

Peter Stephens:
Thank you very much. So I think we’re talking about the important role of foundations in a policy level as well as the technical on top and how we can make sure, to Mr. Painter’s point, we are breaking the silos between those communities more effectively. I think something that’s come across in this panel already is that there is a lot of work that is already happening and lots of different initiatives, whether they are competitions or capacity building conferences or other programs to support partnerships between policymakers. So as we said before, an important part of this is using your existing resources efficiently. So how can we make sure that, given that all of these challenges are global, how can we support and amplify what has been seen to work well? So how can we think what has really worked and what would you like to see amplified at a greater scale? So Ms. Shinoda, can I ask you a bit more about things that you think have really worked and you would like to see grow at a greater scale?

Kana Shinoda:
Yes, since I’m from the community side, I really like to, like Chris mentioned, like mixed people all together. It’s very important. I see that Japan is a really good case too. We are kind of mixing like community and government and academia all together. I’ve seen it. But some countries are having a hard time. I mean, I see some walls that are divided. So person to person or people to people, they talk together, but some countries may need some bridge to work together with government and community because community has lots of resources and trainers and reach to the students too. It doesn’t have to be some developed countries. They are not rich enough to go to school, right? So those people who don’t go to school but they have really good talented people out there so the community can reach there and reach them. And even it’s going to prevent them to go to the underground. So community, government, academia all together working is very good. And if we can, like with help with Chris and Yamanaka-san, we can help them to bridge all together perhaps.

Peter Stephens:
Thank you. I think it’s really coming through as a theme, the importance of building those communities and having networks that bridge existing communities and skill sets. So Mr. Yamauchi, I would love to understand from your perspective how you think the international policy community can help better amplify the success of initiatives that have had impact.

Tomoo Yamauchi:
Thank you. As you can see in slide 2 of my presentation, for example now between the ASEAN and Japan policy makers we have 10 working groups. So it’s important for us to enhance and enrich the content so they can know or they can obtain much more acknowledgement. And secondly, it’s important for us, the so-called teachers, to expand the target countries. So now we see ASEAN countries and the ASEAN countries, but we need to expand the target. So as the previous presenters, they have the global coverage, but from the government side we see some missing countries. So it’s important for us to extend and fill the gap. That’s my comment.

Peter Stephens:
Thank you. Thank you very much. And Mr. Painter, you were talking about the work of CIBL and how that is helping to support policy makers to identify what has already been done in the area that may be of interest to them. Do you have any thoughts about one issue that you think has really seemed to work or one program that’s really worked? You’d love to see amplified more that you can share with us.

Christopher Painter :
So I’d say, just more generally, that having the multi-stakeholder approach has been very helpful because governments are doing a lot of work in this area, but they’re not the only ones. There are civil societies doing a lot of work, private industry has, so bringing them together, I think has been a good way to do that. Another thing that I think we found is the enemy of progress, I think, is one-offs. Just doing things, doing a program and saying, okay, we’re done, and then you come back five years later and then any momentum you’ve built is gone. So I think building that sustainability, which goes to the political buy-in, but also goes into just having a program, creating something that’s sustainable in countries that have really been important, and that’s been good. And you mentioned civil, I think, having that information-sharing platform, but also looking for gaps, and we’re organized around working groups, one on cybersecurity, I mean, one on national strategies, and it has a subgroup on diplomacy, one on incident response and building certs, one on cybercrime, one on standards, and one on awareness training and workforce. Organizing around any of those themes and getting folks to talk about that and sharing what they’ve done has helped a lot, too. So I think all of those have had some real practical benefits, and we want to continue to build on those and make sure that this is not just one-off conversations but a long and sustained conversation, building on all the great work that’s being done in Japan, which the other speakers have talked about, focusing more on the region. I think that’s been very helpful, too. We’re having our annual regional meeting next week in Singapore at Singapore Cyber Week for the ASEAN countries, and so that’s an important way to ground what’s happening globally in a more local environment, and I think that two-way communication has worked and is important as well.

Peter Stephens:
Great. Thank you so much. I’m aware that we’re running quite short on time, so what I’d love to do is now look towards the future because, as we all know, one thing that’s for certain is the future is very much uncertain, and all countries need to develop further capacity to face these challenges, whatever format they may take. So, of course, there’s a lot of interest now in artificial intelligence, but there’s also other questions that are being brought out because of, as we said, the ongoing interconnectedness between all elements of public life, whether that is infrastructure or then moving into the home more broadly. So, Mr. Yamauchi, I would love to ask you, from your perspective, what trends do you think will lead the next three years, and what can policymakers do now to build future capacity in light of these trends?

Tomoo Yamauchi:
Okay. Thank you. Actually, now I see a lot of people participating here, but I think the international collaboration or the capacity-building programs remains still at the early stage. So, we need the expansion or advancement of the capacity-building activities will be needed. I need some kind of sustainability of these policies and programs and activities. So, Chris and Kana-san, we need some kind of the capacity-building in the private sectors, and we need the collaboration between the private sector and the government side, and we need to expand the contents, and we want these many, many countries are interested in these activities.

Peter Stephens:
Thank you very much. Mr. Painter, can I ask you about what you think for the next three years and what policymakers can do now?

Christopher Painter :
Yeah, I mean, first of all, I think we need to do a lot of work just to satisfy the demand we already have. So, not just for the future, but also, look, there’s still a huge gap in terms of needs versus resources versus delivery, and so we need to address that. I think we can leverage some of the challenges that are coming up. I worry sometimes that we turn from one bright, shiny light to the next, and AI is the new bright, shiny light, and everyone’s like, oh, everything’s AI. It is. It’s important. But let’s use that as an action call to say, well, because of the challenges that AI poses and the opportunities, that the kind of basic cybersecurity capacity-building, the basic breaking down the silos between communities is something we need to do now. So, not treat it as just a whole new set of risks and opportunities, but fold it into the conversation we already have to make this, again, stronger and sustainable going forward. So, that is exactly what the Global Conference on Cyber Capacity-Building is meant to achieve, to break down those silos, to have greater attention to this and have that longer-term future view that this is not a separate thing. This is something that is important as we have any of these conversations going forward, as we look at any of the threats, but also the technological developments.

Peter Stephens:
Thank you. Thank you so much. I think your point about leveraging AI as a need to sort of generate political will to help get the basics right is really, really critical. Mishinoda, can I ask you?

Kana Shinoda:
Yes. I kind of agree with the AI stuff, too. And I was fascinated about the US government’s trial, I mean, by the GABA. AICC. Like, it’s a cyber grand challenge stuff. And I love that. I’d love to see the result in two years later. So, and that’s the one. And that’s a trend for the next three years. And then the other one for the Cyber Security Capability-Building is that I like to see… Chris mentioned the duplications. That’s the keyword. I think a lot of countries are, you know, offering a lot of similar trainings to one country, the other country, the other countries. It’s a duplication, I see. And I think we have, like, one platform and then put, you know, the trainings all together. And, like, we have lots of trainers and training contents. Yeah, if there’s one platform, we can collaborate all together on the training contents. In that way, we don’t have to, you know, worry about the duplications. Even the country, developed countries, are having, you know, a lot of time to, you know, digest all the training materials too. So, I’d like to see that one, that kind of collaboration in the next three years.

Peter Stephens:
Thank you. Thank you very much. And I’m aware we’re running very close on time. So, we, I think, only have time, if possible, for one question. Is there any burning questions in the room? So, if not, what I’d love to do is just to round up and say a really huge thank you to our three panelists. So, Ms. Kana Shinoda, Mr. Christopher Painter, and also Mr. Tomoya Yamauchi. Thank you so very much for your presentations and your subsequent conversations. I found that a fascinating conversation. Thank you very much also to the MIC in Japan. And thank you to everyone for joining in person or remotely. I think what came through very closely for me was the importance of everyone mentioned, the importance of networks, the importance of breaking those silos, and how can we support one another as an army of the good and the willing who want to try and support capacity building to help generate political will and also help support the efficient use of resources in this space. I’m really, really grateful, and I know this is a huge task, but one where I think there’s a great amount of how can we support one another, how can we break down those knowledge gaps, and how can we, once again, to help to amplify what works and build towards a more efficient future. So, thank you so very much, everyone, for your presentations. And I look forward to continuing on this journey together. And I wish you all a wonderful day. Thank you so very much.