WS #103 Aligning strategies, protecting critical infrastructure
Session at a Glance
Summary
This discussion focused on strategies for protecting critical infrastructure cybersecurity through international cooperation and multistakeholder approaches. Participants emphasized the need for a holistic approach to address the growing cyber threats to interconnected critical infrastructure systems. Key points included the importance of developing common definitions and standards across jurisdictions to reduce fragmentation, which was identified as a major security risk. Speakers highlighted the crucial role of public-private partnerships and information sharing, while noting challenges around trust and incentives for collaboration.
The discussion explored how capacity building, especially for under-resourced countries, is essential to improve global cybersecurity. Participants stressed the need for policies that enable rather than restrict private sector cybersecurity efforts, particularly around data flows and encryption. The intersection of critical infrastructure with commercial technologies was noted as an important consideration for future-focused policies. Speakers also addressed the role of international norms and agreements in combating cybercrime and promoting responsible state behavior in cyberspace.
There was broad agreement on the importance of multistakeholder collaboration to address the complex challenges of critical infrastructure protection. Participants emphasized that this collaboration must be meaningful and inclusive, ensuring diverse perspectives are incorporated. The discussion concluded with calls for more concrete action to address growing cyber threats, noting the massive economic impact of cybercrime and the urgency of improving global cybersecurity resilience.
Key points
Major discussion points:
– The need for a holistic, coordinated approach to protecting critical infrastructure cybersecurity across sectors and borders
– The importance of international cooperation, standards, and capacity building to address cybersecurity challenges
– The role of public-private partnerships and multi-stakeholder collaboration in improving critical infrastructure protection
– The impact of broader technology policies (e.g. on encryption, data flows) on critical infrastructure cybersecurity
– The need to move from high-level discussions to concrete, actionable measures
Overall purpose:
The goal of this discussion was to examine strategies for aligning efforts to protect critical infrastructure cybersecurity across sectors and countries, and to identify key challenges and opportunities for improving critical infrastructure protection through policy, partnerships, and international cooperation.
Tone:
The tone was largely collaborative and solution-oriented. Speakers built on each other’s points and emphasized the need for coordination and joint action. There was a sense of urgency about addressing growing cybersecurity threats, but also optimism about the potential for progress through multi-stakeholder efforts. The tone became more action-focused towards the end, with calls to move beyond conversation to concrete measures.
Speakers
– Timea Suto: Global digital policy lead at the International Chamber of Commerce, moderator of the session
– Rene Summer: Director for Government and Industry Relations at the Ericsson Group, Chair of the ICC Global Digital Economy Commission
– Francesca Bosco: Chief Strategy and Partnerships Officer at the Cyber Peace Institute
– Julia Rodriguez: From the Permanent Mission of El Salvador to the United Nations
– Mr Wouter Kobes: Standardization Advisor for Netherlands at the Standardization Forum
– Mr Chris Buckridge: Senior Strategy Advisor at the Global Forum on Cyber Expertise
– Ms Robyn Greene: Director for Privacy and Public Policy at META
Full session report
Expanded Summary of Critical Infrastructure Cybersecurity Discussion
This discussion, moderated by Timea Suto from the International Chamber of Commerce (ICC), focused on strategies for protecting critical infrastructure cybersecurity through international cooperation and multistakeholder approaches. The session brought together experts from various sectors to address growing cyber threats to interconnected critical infrastructure systems.
ICC Paper and Key Challenges
Timea Suto introduced an ICC paper on critical infrastructure protection, which outlines key challenges and recommendations for a multistakeholder approach. The discussion highlighted significant challenges, including:
1. Fragmentation and complexity in security (Rene Summer, Ericsson Group)
2. Lack of consensus on defining critical infrastructure (Julia Rodriguez)
3. Misalignment of definitions across jurisdictions (Wouter Kobes)
4. Rapid evolution of cyber threats (Francesca Bosco, Cyber Peace Institute)
5. Intersectionality of the technological landscape complicating policy approaches (Robyn Greene, META)
Multistakeholder Collaboration and International Cooperation
Participants agreed on the crucial importance of multistakeholder collaboration and international cooperation. Key points included:
1. Need for a holistic approach involving all stakeholders (Rene Summer)
2. Importance of public-private partnerships and information sharing (Julia Rodriguez)
3. Multistakeholder input for developing effective frameworks (Francesca Bosco)
4. Challenges around trust and incentives for collaboration
5. Need for regulatory interoperability across jurisdictions (Robyn Greene)
6. Essential role of capacity building, especially for the Global South (Chris Buckridge)
Global Forum on Cyber Expertise (GFCE)
Chris Buckridge highlighted the work of the GFCE in coordinating cyber capacity building efforts globally. He mentioned:
1. GFCE’s role in bringing together governments, private sector, and civil society
2. Focus on practical, coordinated approaches to cyber capacity building
3. The Women in Cyber fellowships program to promote diversity in the field
Standards, Policies, and Regulatory Approaches
The discussion emphasized the importance of standards and policies in addressing cybersecurity challenges:
1. Standards help address misaligned definitions across jurisdictions (Wouter Kobes)
2. Policies should be compatible with internet infrastructure and values (Robyn Greene)
3. Importance of encryption and data flows for cybersecurity
4. Need for privacy-by-design concepts in normative frameworks (Julia Rodriguez)
5. Resistance to unnecessary data retention mandates (Robyn Greene)
Emerging Technologies and Future Threats
Participants explored challenges posed by emerging technologies and future threats:
1. AI-enabled attacks as a growing concern (Chris Buckridge, Francesca Bosco)
2. Potential for fully autonomous cyber attacks (Francesca Bosco)
3. Importance of forecasting future technological needs and threats (Robyn Greene)
4. Need for responsible deployment of emerging technologies
Societal Impact and Broader Policy Implications
The discussion broadened to consider wider implications of cybersecurity failures:
1. Understanding societal impact of cyber attacks on critical infrastructure (Francesca Bosco)
2. Ensuring non-cybersecurity policies are compatible with cybersecurity best practices (Robyn Greene)
3. Cyber Peace Institute’s work on analyzing how cyber threats harm society and impact critical infrastructure
International Initiatives and Tools
Several international initiatives and tools were mentioned:
1. UN Cyber Crime Convention (Robyn Greene)
2. Global Cyber Capacity Building Conference in May in Geneva (Francesca Bosco)
3. internet.nl tool for measuring security standard adoption (Wouter Kobes)
Moving from Discussion to Action
The session emphasized the need for concrete, actionable measures:
1. Encouraging use of tools like internet.nl to measure security standard adoption
2. Need for awareness-raising and knowledge-building on international processes
3. Making it easier for companies to work with and share information with governments (Robyn Greene)
Unresolved Issues
Key unresolved issues included:
1. Achieving consensus on defining critical infrastructure across jurisdictions
2. Balancing security needs with privacy and human rights concerns
3. Addressing residual risks that industry cannot defend against alone
4. Preparing for potential future threats like fully autonomous cyber attacks
Conclusion
The discussion concluded with a sense of urgency about addressing growing cyber threats, balanced with optimism about the potential for progress through multi-stakeholder efforts. The ICC paper presented at the beginning and end of the session provided a framework for ongoing discussions and actions in this critical area of cybersecurity.
Session Transcript
Timea Suto: one second, and then we will start. Okay. Now it’s working. Okay. Welcome, everyone. I think we are ready to start. For those of you who might wonder if you are in the right room, this is workshop number 103 at the Internet Governance Forum on aligning strategies protecting critical infrastructure. This is a workshop that we’ve convened with the International Chamber of Commerce and our partners. My name is Timea Suto. I’m a global digital policy lead at the International Chamber of Commerce, and I will be moderating this session today. So why have we chosen to put this topic forward for the IGF? We’ve chosen it because we feel strongly that digital transformation is now part of every country’s development that creates enormous opportunities and enables basically everything from distance learning to economic advances, manufacturing, agriculture, all societal divisions in all sectors of the economy, and that cyber security is central to making this space work. But as we see the cyber space evolving, and it’s the centrality that it has to our everyday lives, it also poses a number of risks, and it needs us all to work together to ensure trust in the digital economy through the protection of the availability, integrity, confidentiality of these most essential infrastructures that make the Internet and digital technologies work and the services that they provide so that they are truly resilient. So that’s all I really wanted to say about the importance of the discussion that will happen today. My role here will be the easy one. I’m just going to ask the questions, but I have a number of experts. both here in the room and online, who will do the hard job in trying to provide some answers to why we need to talk about this, where we are at, and where we’re heading towards. So just for a quick introduction before I hand over, we will have with us, and in the order of which they will be speaking in, Mr. 
René Summer, online, who is Director for Government and Industry Relations at the Ericsson Group, and also the Chair of the ICC Global Digital Economy Commission, who will be our keynote speaker today. And then we’ll have a panel of conversation with Ms. Julia Rodriguez-Acosta, online as well. Hello, Julia. From the Permanent Mission of El Salvador to the United Nations. Mr. Wouter Kobes, Standardization Advisor for Netherlands at the Standardization Forum. Mr. Chris Buckridge, to my left, Senior Strategy Advisor at the Global Forum on Cyber Expertise. Ms. Francesca Bosco, online, who is Chief Strategy and Partnerships Officer at the Cyber Peace Institute. And last but not least, Ms. Robyn Greene, sitting in front of me, who is Director for Privacy and Public Policy at META. So without further ado, I think we’re ready to jump in and hear from René, a bit of a keynote address to kick us off and discuss a little bit about what is the current state of play in protecting critical infrastructures and their supply chains and what has ICC done about all this in the recent past. So René, I’m passing it over to you. I hope you can hear us and you’re ready for your keynote. Do we have René online? It seems like his screen might be frozen here. René, can you hear us? Can we try and connect? Hello? René, are you with us? Can you hear me? Can you try and speak? Can you message him, please, to try and speak?
Rene Summer: Can you hear me?
Timea Suto: Yes, we can.
Rene Summer: I can’t hear you in case you’re talking to me.
Timea Suto: Yes, I’m talking to you, but we can’t. Can we make sure that Rene has audio? I’m not apologies for the technical confusion. Or just while we’re trying to figure out, maybe if somebody can put in the chat that he can start his keynote. My apologies for the technical difficulty here.
Francesca Bosco: May I? Can you hear me?
Timea Suto: Yes, I can hear you, Francesca.
Francesca Bosco: I sent him a message. Let’s see if he can see.
Timea Suto: Thank you.
Rene Summer: Yes, I can hear now. Yes, perfect.
Timea Suto: OK, so Rene, I was just saying we’re ready for your keynote.
Rene Summer: Great, thank you very much. And great to see that we always have the challenges of technology today as well. So I guess that’s blame on the technology companies. Thank you very much for inviting me today. I’m Rene Summer with the ICC, the Global Digital Commission. And for those who don’t know us, we are representing 45 million companies from about 170 countries. And we are advocating for solutions and for policy recommendations and bring a wealth of experts in our network. So we do take a lot of effort and bringing a lot of expertise to make solid and insightful contributions. So with this in mind, we took some steps and reflected on what is it that we see unfolding, happening in our world today, and what is really at stake before we get into the more of the details of this discussion. And if we move to the next slide, please, I think what we are really concerned with is the current development in our cyberspace. And this is really putting new challenges and risks to our companies, but also goes beyond our companies and has significant impact both on public safety, economic stability and security and national security. And this of course means that more and more focus and emphasis is also put by national policymakers and regulators on the issue of cyber resilience and cybersecurity. So this of course motivated us looking at the next slide then to think more harder on what does this really mean when we not only have this broader picture and context of deteriorating cyberspace, but also that we see increased sophistication in cyber threats. So that means that we see more and more novel threat vectors and actors coming in to that play. And that is coupled with increased interconnectedness between what is ICT and other critical infrastructures. So we see also an expanded threat surface through this dependency. 
And that of course also means that there will be more and severe consequences if cyber attacks are successful. So this means that with this development and the increased emphasis by policymakers on cybersecurity and resilience of critical infrastructures and the supply chain, there is of course more pressure also on the industry to do more. And this is in many aspects rightly to take place, but it also means that we are facing a number of challenges, not only from a growing burden of compliance. taking off particularly the operators of critical infrastructures, but also these initiatives create challenges in terms of policy and regulation. And this is why we also want to be part of this discussion. So this really brings me to the purpose of why we took the steps we took and the details that we are presenting here today. And if we move to the next slide, please. This is the contribution that we are making here today and share the insights from our working paper on protecting cybersecurity of critical infrastructures and their supply chains. And at this really highest level, what we really want to convey as a key message is that there is a need for a holistic approach. And I will delve into what that means in more detail, but also that we need all stakeholders to be involved and particularly, of course, the governments that have to fulfil their roles as well. We many times hear that cybersecurity is a team sport, which is of course largely true, but there is also distinct roles and responsibilities that each stakeholders need to take and that also includes governments and policymakers. 
So if we can then move to the next slide and think about what are the dilemmas that we as, on one hand side, industry, but also other stakeholders and governments face in terms of doing more, we have in our paper identified some of the key dilemmas that at least from our end, we see limiting the effectiveness of what can be done more and better to increase the resilience of critical infrastructures. And of course, starting from a policy perspective… One of the challenges we see is that many jurisdictions that have developed critical infrastructure frameworks, which is far from all countries, have taken quite different approaches in terms of definitions and so on and so forth. And this creates at least two challenges. One is the question of policy targeting. If policy targeting differs between jurisdictions, of course, that means different objectives are ultimately being pursued. But secondly, as these frameworks then bend into also obligations and requirements, this brings complexity and fragmentation. And I would really like to undermine all of us here to think about that fragmentation and complexity is the number one enemy of security. This is not just a trade argument. This is really a security argument that fragmentation and complexity are the number one enemy of security posture. Then, of course, some jurisdictions have moved beyond the question of critical infrastructures only and speak of actually the essential services that these critical infrastructures deliver and bring to the public sector, or to the consumers, or to other industries. And I think that is another important element, is that ultimately we are not only protecting the critical infrastructures as policymakers, but the essential services that these render. And it is worthwhile to undermine that distinction as governments and nations move on to develop further frameworks. 
I think also something which we are trying to address in this paper is the increased interdependency between what has been typically that are seen as the telecom sector or the digital sector, and when those get interlinked, what previously were seen as separate industries being the energy grid, power distribution, and so on and so forth. This interdependency also creates additional risks and threats that need to be considered and addressed. Because of global supply chains and the suppliers that supply the equipment and solutions into these sectors, we also need to think about the global interconnectedness and the impacts that may come from these dependencies. So we don’t only see cascading risks or effects between different national critical sectors, but also from the national arena into the international space when we have also international supply chain. And as all of you well know, cybersecurity does not know any borders. So this, of course, brings additional challenges. I think it is also important to highlight the aspect of third-party suppliers in the supply chain that have been also increasingly targeted by threat actors and become an entry point into impacting critical infrastructures. And here, of course, a number of challenges that we will talk about later need to be addressed, but also important to keep in mind that there are, of course, different type of suppliers and they have different level of maturity. And making sure that we have sufficient capacities and capabilities in the supply chain to address these risks and exposures is extremely important. Which brings me then to, well, how do we move beyond dilemmas? And if we go to the next slide, please. We, of course, took good care… time and effort to think about what are the best industry best practices and what do we see on policy and regulatory side. 
And by no means this is a unique insight by ICC and its members because of course there is a lot of good work done by others and we have definitely stolen with pride where there are other entities or stakeholders that have put a lot of effort and thought into these questions. And here you can see a number of examples that we have addressed in our paper what we think is important to take on board and how we can also make use of these best practices when I talk more about public-private partnership. And some of these examples here of course such as having comprehensive security measures or strong data backups and so on are fundamental considerations that we believe the industry needs to lead with and it’s necessary part of the solution. But again we also have policy and regulatory approaches that we need to take care about and consider how they impact the culture of critical infrastructures and the operators of those. And it is of course so that as any other industry we talk about the operators of critical infrastructures they also face a number of constraints and that means that when we look at the different regulations and approaches it is important to think about how we make sure that those are effective, targeted and achieve their objectives so that we can work with the scope of trade in the most effective way and achieve the outcomes we I think all are looking forward to achieve which is secure critical infrastructures and the supply chain. So moving beyond this generic state. If we go to the next slide, please. We do, of course, think that there is more to be done and we believe from the industry side there are a number of priorities, thinking about the constraints again. For instance, start with the baseline security requirements first and make sure what needs to be done first is really in place. 
You don’t need to start with the perfection on day one, but really make sure that the bare minimum is in place and work from there rather than trying to fix everything at the same time. Secondly, I think what is important because of the dependencies I touched upon earlier, it is also important to think about what are the third parties, the supply chain actors doing in terms of contributing to or actually decreasing the security posture of critical infrastructures. So please do keep that in mind. And of course, from a more commercial point of view, partnerships between the critical infrastructure operators and suppliers is key. And that’s something which, of course, needs to be incentivized, but also there needs to be frameworks in place that make sure that, again, the bare minimum at least is achieved. On the policy side, I would say that there are a few things which we already see being developed in several jurisdictions. We see that there are now requirements on suppliers and third parties on how a secure software development process should look like. This is something which I think should be expected. And as we see that more and more sectors are becoming more software driven and software rich, this is definitely an important aspect of security. Speaking also of the supply chain. and where not only resilience, security, but also trust is important, diversification is key. And this is another element of policymaking that we see is developing, that you want to make sure that you have a resilient, secure and trusted supply chain. 
And then lastly, I think also, or we think that there is an essential aspect of policy to make sure that on one hand side, there are clear roles and responsibilities, but also that cooperation and coordination between the stakeholders is encouraged because we don’t want to see an environment when risk averse behavior stops the behavior of sharing information, being proactive and sometimes even taking risks, especially when we talk about in the heat of the moment when incidents and threats are unfolding and measures need to be taken. So with that, if we can move to the next slide, if we put some of these examples in a kind of a broader or bigger picture, what is it that we are really looking for? And this I think needs repetition and repetition because it takes time from staying this and seeing this being implemented into policy action. But number one, again, there is no single silver bullet here and that’s why we are advocating for a holistic policy that is both well balanced, but also well targeted to make sure that the critical infrastructures and essential services providers and their supply chain are working together towards a set of goals. In the context of collaboration, it is also important that we see that there is both emphasis on enforcement, but also on incentivizing appropriate behavior. And this, I think, is particularly important to keep in mind because cybersecurity is not an end in a sense that we come to a situation where everything is cybersecure. It is a continuous journey. It’s a state that is always on the move. So we will never be done. There is no final checkpoint. And that’s why it’s important to also have incentives for appropriate behavior. Then I think, and this comes back to my initial call, that also governments have a real important role. And while cybersecurity is a team sport, but there is also a clear role for governments. 
And there are residual risks, even if you develop an appropriate security regulation framework and you take appropriate mitigating measures on board, there will always be residual risks. And this is where governments in particular have a very important role to play. And you see some examples on measures how you can actually address these residual risks. This is something which the industry will not be able to fix. And there are no insurances for this to be taken. And even if so, it doesn’t mean that the negative consequences will not happen just because you have an insurance. So please do think about those as well, how to tackle the residual risk, which is very, very important. If we move to the next slide then, and here I think we have three more slides to kind of go a little bit more into some of the recommendations we have in this paper. From a policymaking perspective, it is absolutely necessary that nations do have an independent, competent cybersecurity agency. This is a competence area that needs to be developed and needs to be present, because as policy makers, you’re not only developing laws, but you’re actually also protecting in real time and take action to deal with incidents. Just having regulation and secure products doesn’t mean that threats will go away. And when developing these national frameworks, the reasons why we speak about holistic approach and a coordination between national cybersecurity agencies and policies is also because one thing is about having a clear framework that we as industry understand what is expected of us. But again, cybersecurity is also something that is happening in real time. We talk about incidents, vulnerabilities, mitigation, and so on, and it is absolutely necessary that there is a clear understanding of who is doing what and when. So that we can also take actions when actually attacks are successful, and we need to recover quickly and get back into operations with minimum damage and consequences. 
And this of course requires collaboration. So it is important to think about in the regulation that yes, we need enforcement, we need clear rules, but we also need good collaboration between the private sector and the national agencies. And lastly, when we talk about supply chains, again, I think looking at national fragmentation of requirements that breeds complexity, which is the enemy number one of security, international technical standard is a necessary feature of good security posture. If we move then to the next slide, please, which brings me to the international cooperation. Again, it is so that what happens at national level will not be bound by cyber incidents and cyber events from a national perspective. So, to address the issue, for example, of response or the complexity challenges through fragmentation, it is essential that governments do what is achievable in terms of working with their peers and strive to take action internationally and globally to make sure that we can have as much harmonization from the rules, requirements, and the standards so we can create a common platform for addressing challenges, but also work with the complexity and reduce the complexity through fragmentation. Coming back to the residual risks, this is where, of course, governments and nation states play an enormously important role. And this is coming back to the question, how do we address the residual risk? And this is where the international norms centric against 10% sponsored cyber attacks is very important. That may include things like thinking through more, how can we make sure that there is public attribution following incidents, that there is an implementation of robust deterrent measures for cyber attacks, and that we promote collaboration. If we move to the next slide, then, this is really to emphasize, and maybe not to dwell so much on, that, of course, industry collaborating with national stakeholders and international stakeholders is key. 
You see some examples of that mentioned here, but doesn’t really bring anything new. So in a matter of time, maybe we can skip this slide and then just finish off with that. I hope you find this information of interest and value. We do have a paper available. You have the links, both in English, Spanish, and in Mandarin. We hope that this is going to be an interesting read. If you have any further questions or interest in this information, please feel free to also reach out to the Secretariat of ICC, where we can schedule more interactions. I really hope that this intervention has inspired some of you and I look forward to the discussions that are to follow after my speech. Thank you again for the opportunity and I hope you have fruitful discussions. Thank you very much. Over to you, Timea.
Timea Suto: This was quite a comprehensive introduction and I do hope that it gives food for thought for the conversation that we have planned going forward. Of course, a little advertisement here for the ICC paper. If you come to our booth just outside this room here, we have a QR code from where you can easily download not only this one, but all the other publications that ICC has on cyber issues. But coming back to the conversation and picking up one of the last points that you’ve mentioned here, Rene, the need for collaboration around the protection of cyber security of critical infrastructures, and especially the collaboration in the international space. I’d like to turn to Julia and ask a little bit about how is this going and how are we seeing any barriers that might impede some cross-border collaboration and also what opportunities do you see in aligning national responses to security challenges with international and transnational agreements that we already have in place or we are developing. So, over to you, Julia.
Julia Rodriguez: Thank you so much. Can you all hear me okay?
Timea Suto: Yes, we can.
Julia Rodriguez: Beautiful. Good morning, good afternoon and good evening to all. Thank you so much, Rene, for the thought-provoking presentation. It is a pleasure to join this important conversation from New York very early in the morning. I extend my gratitude to the International Chamber of Commerce for organizing such a timely and significant discussion, it is truly an honor to share views with such a group of speakers. To set the tone for today’s discussions and in response to the main questions, I would like to begin by highlighting the work that we have been doing at the United Nations regarding the protection of critical infrastructure. This issue is well-developed within the framework of responsible state behavior, which lays out voluntary norms for expected conduct in cyberspace, and the norm related to critical infrastructure emphasizes two key principles, the current framework that we have today, more on like kind of positive obligations, the protection of critical infrastructure, and more kind of restrictive obligations in reference to what was just exposed by Rene, kind of like refrain from actions that damage or disrupt such infrastructure, particularly when they impact availability and integrity. And this normative framework is crucial, especially for those infrastructures that provide essential services, including the general availability of the internet itself. So it is worth noting that the importance of protecting critical infrastructure has long been recognized within the United Nations system. For over 20 years ago, this discussion began primarily from a development perspective, but in recent years, it has evolved into a core element of international security. And discussions now recognize that the protection of critical infrastructure is central to maintaining international peace and security, particularly in our interconnected world, where societal well-being cannot be separated from societal, economic, and human rights. 
humanitarian consideration. So bringing this discussion to the present, right now the UN, the United Nations Open-Ended Working Group on ICT and Security, has made significant progress in advancing this agenda. And one of the recent developments is in the just-published annual progress report in the critical infrastructure sectors that require protection, and now we have an inclusion on sectors that range from healthcare, maritime, aviation, financial services, and energy. And I think that the sectoral approach is a significant step forward, because it acknowledges that protecting critical infrastructure involves cross-border challenges with global implications, and second, because adopting a sector-specific risk-based approach allows for the development of targeted operational measures that reflect the unique characteristics and vulnerability of each sector. However, we also must acknowledge those barriers that impede cross-border collaboration in cybersecurity. As it was mentioned, one key challenge lies in the lack of aligned definitions and standards among nations. While the UN’s voluntary norms on responsible state behavior provide a clear framework, differences in national interpretations and legal frameworks often hinder operational coordination. Additionally, of course, there are gaps in trust, misaligned priorities, and the absence of unified approaches to identifying and responding to threats, and this further complicates these efforts that we’re trying to do at the multilateral level. Yet these challenges also present us with opportunities: aligning national responses with international agreement, for example, and not only at the international level, but also at the regional level, the creation of shared understanding on trends and coordinated responses, and of course, that by fostering trust and promoting partnerships, both public, private, and multilateral, we can enhance our collective ability to address the global risk facing critical infrastructure. 
So this directly addresses the first policy question on cross-border challenges that hinder operability and coordination. And for us, the role of public-private partnership in strengthening safety and security is key. So El Salvador has actively engaged in all the multilateral arenas to advocate for concrete implementation measures. And we have emphasized the importance of partnerships and collaboration with service providers, for example, as these are essential to ensure the protection of critical infrastructure. While the understanding of the need for multi-stakeholder collaboration is well-established, we still are facing challenges at the UN for translating this broad principle into actionable policy-oriented recommendations. So I will stop here, and particularly those colleagues that represent other stakeholders to share current best industry practice. I think that Rene presented some very well recommendations for enhancing cyber resilience, and I remain eager to engage further during the Q&A session and comments. And I thank you so very much.
Timea Suto: Thank you, Julia. We’re gonna return to the room here from the online world, and I’m gonna turn to Wouter here in front of me. We’ve mentioned the role of norms, we mentioned the role of regulations, but I wanted to ask you about standards and protocols that also need to work with jurisdictions, sorry, I think I’m losing my microphone, to make sure that the systems we put in place are actually operational, and we don’t have the fragmentation that Rene was talking about in the beginning. So how do you see that from the point of view of where you’re sitting with the standardization organization in the Netherlands?
Mr Wouter Kobes: Yes, thank you very much. So as part of the Dutch government, we are using standards as a vessel to achieve various goals. One of them is interoperability within government, but also strategic independence from large vendors. And specifically on those standards that address cybersecurity, of course, the security of the government as well. And we actually see that when we are pushing for adoption of these standards, the result is that also other parts of critical infrastructure are positively affected by this, because they start implementing certain standards as well. And I think the interesting connection to the keynote of Rene is that the holistic approach to cybersecurity is also seen through security standards. You have really organizational standards. The well-known are, of course, the ISO 27001 and 27002 standards, which give your organization basically a guideline to implement cybersecurity measures at an organizational level. Then moving on, there are technical standards that, well, each of these standards really serves a goal in actually protecting your organization better or addressing a design flaw of the internet itself in terms of cybersecurity. And I think the benefit of those standards is that it’s quite easy to measure if a standard is adopted or not. And when all that fails, then there are also standardized methods to share information, for instance, between CSIRTs, SOCs, and vulnerable organizations. Think about indicators of compromise, vulnerabilities that have been found within systems. And in recent years, even a standard has been developed where you basically can publish, in a standardized way, contact information which can be used by security researchers or ethical hackers to contact you in case they find a security issue in your system or organization which was not found in any of your previous efforts to improve cybersecurity. 
So this is very nice, these are very nice standards to have, but of course a standard needs to be adopted before it becomes effective, and this is where our main challenges lie. And I think, in our experience, one of the best methods to actually increase adoption is to show how well standards are adopted within the Dutch government. And we have developed also a tool, a measuring tool for this purpose, that actually can report for every website, for every email domain, how well the standards are adopted within a certain government organization. And throughout presenting these measure results regularly we see over time these important security standards which in return will not solve all the challenges that Rene has laid out as cybersecurity, because I completely, you are never done with cybersecurity, but it has in fact benefited the security of the Dutch government in that sense. And it’s really nice also to have published this measuring tool as an open source project for, well, basically everyone in the world to use and to measure their adoption of these important security standards. So that was my contribution, thank you.
Timea Suto: So I’m going to turn to Chris here on my left, because we’re talking here about a holistic approach, making sure that things work across borders, making sure that we share information, we don’t lose sight. That all takes me into thinking about perhaps we need some capacity building to really enable this whole of society approach that we need to cybersecurity and to mainstream the conversations that we’re having on the cybersecurity critical infrastructures into the general thinking around digital transformation. So how does the GFC see that, and where do you see it from where you’re sitting?
Mr Chris Buckridge: Yeah, so thank you very much, Timea. And I mean, so, Chris Buckridge, I’m here as a senior strategy advisor with the Global Forum on Cyber Expertise, and based on what I already had, based on listening to Rene’s keynote there, which was wonderful, I should apologize in advance because I’m going to go into full marketing mode for the GFC here. But I mean, I think it is really relevant, and that idea of capacity building is so central to a lot of this. I think Rene’s comment that really resonated with me, that fragmentation and complexity are the enemy of security, is really at the kernel of what the GFC is about, and it’s sort of flipping that and saying coordination and clarity are really the fundamentals of security. And so the GFC is an organization, it’s the platform for international cooperation on strengthening cyber capacity building and expertise globally, and it was established in 2015. It’s a multi-stakeholder organization; we have around 250 members and partners, 88 of those are nation states, 16 international organizations, and then the remainder are private sector, academia, NGOs. So it is really quite a broad community, a lot of diverse expertise and awareness there, and working together in really a number of ways to try and facilitate essentially that cyber capacity building, CCB, and make sure that’s happening in the best way. So we do that by connecting sort of the network of implementers, donors and those who are in need, making sure that they are finding each other in the global sense. It’s about identifying and developing best practices, so there are certain approaches that we know work well and there are other approaches that we try out from time to time and they maybe don’t work as well, and so that’s a really important community activity, finding that out, learning together. And then also, I mean, highlighting the importance of cyber capacity building. It was there in Rene’s presentation as well, that 
building capacity and building it at the global level, not just in, you know, the global north but also looking to the global south, because the cyber security threats are global, is really essential. And so I can speak to a few of the different activities that the GFC has been involved in, in sort of some different aspects, different ways in which we’re doing it. The first one I’ll mention, and Wouter spoke about standards there so I won’t say too much about this, but the Triple-I initiative, the Internet Infrastructure Initiative, is something that GFC has been doing for the last few years, or facilitating for the last few years, and it’s very much in line with that, with promoting and educating about standards like IPv6, DNSSEC, TLS, RPKI, DKIM and DMARC. So really looking at lots of different elements in the technological stack and standards and how they can be usefully employed and deployed for better security. Turning to a slightly different aspect, it would be in terms of thinking about policy frameworks, the sort of alignment in what we’re trying to achieve. And I think something useful to highlight there would be the Accra Call, which came out in 2023, was an output of the Global Conference on Cyber Capacity Building, with the first one of those was in Ghana, in Accra, in 2023. GC3B, we call it, which we have, yeah, regularly get wrong, wrong order there, so I’m not sure if we’ve made it easier by calling it that. And we have another of those, the second GC3B is going to take place in Geneva in May next year. But that’s really about, again, this sort of coordination. It’s connecting the cyber security and cyber capacity building communities with the development community, with what’s going on in international development. 
And it’s got really four voluntary, non-binding, but direction-setting actions that people can sign on and commit to and then report on, strengthening the role of cyber resilience as an enabler for sustainable development, advancing the demand-driven, effective, and sustainable cyber capacity building, fostering stronger partnerships and better coordination, very important, and then the last one, which is equally and perhaps even more important than any of them, unlocking the financial resources and implementation modalities. So that’s always the struggle here. I mean, there is governments, private sector, any of these stakeholders have priorities, have limited resources. So making the case that investing in cyber security, investing in capacity building is essential, is a really fundamental element in all of this. And that’s, I think, where the Accra Call is important. The last, I’ll just say one more point here, and it’s kind of tying into what Julia was talking about as well, and particularly in the international cyber diplomacy scene and what’s going on in the open-ended working group. One of the projects that the GFC has been really thrilled to be involved in and coordinating is the Women in Cyber fellowships. And that’s been working with donors, donor states from around the world. At the most recent OEWG meeting, which was just a couple of weeks ago in New York, we actually had 47 fellows from different Global South member states taking part, traveling to New York, taking part in training, but also taking part actively in those OEWG negotiations. And so, obviously, this is wonderful in terms of taking some steps towards gender balance, which is important. But I think also, and really importantly here, is that without that funding, without that project, a lot of what you would have had there in those New York negotiations particularly from Global South countries would not be bringing in subject matter experts. They’d be using their staff in New York. 
They’d be using their permanent representations, which is great, but to be able to have the subject matter experts there in the room, enriching the negotiation and the discussion around the OEWG is almost, to my mind, the bigger achievement, the bigger important thing that we’re doing there. And then having that expertise filter back to the national level. When they go back to capital, when they go back to their governments. So that sort of level of coordination and capacity building is, I think, really fundamental in achieving, again, what Rene spoke about, the need for some coordination of approach and across different jurisdictions. So I’ll stop there. Thanks, Timea.
Timea Suto: Thank you so much, Chris. A lot in a very short time from what the GFC is doing, and we know that there’s more. But what you told me, the last point, I think it was the most striking. Because if we enable the participation of those who might otherwise not be at the table, it is really the way through which we benefit and can make sure that the policies that we’re thinking about actually work in practice on the ground and they’re actually implementable. And I want to stick with that idea as I turn to Francesca online. Could you talk a little bit about what the Cyber Peace Institute is doing and also how you see the role of stakeholders in these conversations? Especially when we turn to multilateral discussions, we see quite a gap there, but we are here in the heart of multistakeholder at the IGF. So how do we bring those two elements together?
Francesca Bosco: Thank you so much. Can you hear me well?
Timea Suto: Yes, we can.
Francesca Bosco: Okay, perfect. Thank you so much. And thanks a lot for the invite. And it’s an honor to speak today. I’m very sorry not to be able to be there in person. Maybe just a quick remark on who the Cyber Peace Institute is and what we are doing. The Cyber Peace Institute is an international non-profit organization. We are based in Geneva, but the mandate is global. I would say that the backbone of the expertise of the Institute is to analyze how evolving cyber threats are harming society and notably impacting critical infrastructure, specifically in the civilian domain. We provide direct cybersecurity assistance and capacity building, and we advocate for responsible behavior in cyberspace, providing policymakers with data-driven insights. So thank you so much for the opportunity to intervene in this discussion. It’s difficult, I would say, to come after an excellent previous intervention. So I would just maybe share a couple of thoughts when it comes to which are the challenges that we see when it comes to the international approach to protecting critical infrastructures and maybe sharing also a couple of potential ideas on how to address this. Indeed, as Rene very well highlighted in his remarks, but also Julia mentioning specifically the UN processes and specifically the open-ended working group discussions, I would say that a couple of significant obstacles that we see are the lack of consensus among the states when defining critical infrastructure. Indeed, the great sectors have been identified, notably the healthcare sector. But, I mean, clearly, then there needs to be also one of the elements that Rene mentioned, which is moving, let’s say, from policies into action. So first of all, the definition of the critical infrastructure. And the second part that I would like to mention is also the rapid evolution of cyber threats that adds to these challenges. It was hinted by Rene in his initial remarks. 
But indeed, a practical example that comes to mind is the ransomware attacks on health care systems during the COVID-19 pandemic that exposed the technical vulnerabilities, but also the lack of preparedness, basically, to ensure the service continuity. I’m mentioning specifically the health care sector because I think it is a good example, according to your question, Timea, in where the multistakeholder community can really bring an added value. Because I think that the progress that we saw at the open-ended working group level, so integrating the inputs and the voices of the multistakeholder communities brought to this, basically. And I can tell you from a very practical standpoint, what we did at the Cyber Peace Institute. So the Cyber Peace Institute was launched at the end of 2019, well on time, basically, to start during the pandemic. Which was, on one hand, we transformed it, in a way, into an opportunity. Because the mission of the Institute is to protect the most vulnerable in cyberspace. At that time, the most vulnerable in cyberspace was the health care sector, basically, widely identified from hospitals, to labs, to civil society organizations that were working. For example, when it comes to developing countries, we’re working, basically, to provide essential services. So we took this comprehensive approach. And we tried to understand, OK, how the critical infrastructure are, this critical sector is impacted by cyber attacks. Not so much from the angle of, let’s say, simply, allow me to say, collecting information about the damages, the cost, how many devices were infected. but try to understand what it really means for society. So what is the real impact and the real harm that these attacks are causing to society? 
Practical example is how many ambulances redirected, how many people could not get the vaccine, and showing this both with, as I mentioned before, a very strong technical analysis to highlight the modus operandi of the malicious actors to identify, let’s say, the critical sectors that are targeted, in which countries, and so on and so forth, but also highlighting this harm aspect and how international laws and norms were violated. So having this all-encompassing view coming from a neutrally independent civil society actors is one of the examples of how we can advance multi-stakeholder cooperation in a very concrete way. And I mean, the platform that we develop is publicly available. We use the same capability to develop the platform to monitor the attacks against the civilian infrastructure in the context of the Ukraine conflict. And I mean, the platform is developed by the Institute, but not in silo, meaning that we’ve been working on this with other civil society partners, with academic partners, with the private sector that is providing key data infrastructure services and expert views. We’ve been socializing this and extensively worked on this also via our engagement at the open-ended working group level. So I think it’s a very concrete example of how the multi-stakeholder collaboration can work. Allow me maybe to just to mention a couple of things when it comes to what we need to do, let’s say, with some some sort of like actions that we can take when it comes to the challenges that we see in international cooperation sectors. Building on the excellent remarks that Julia made, I think there is one point which is, again, as Rene was saying, not just having the norms but operationalize them. And we truly believe that transparency is the way to go. And again, we need to have concrete, actionable measures. 
And so, for example, we’ve been consistently advocating for voluntary state reporting on what constitutes a critical infrastructure within national frameworks, but also basically to enhance predictability and enable collaborative risk management across borders. Measuring the harms. I mentioned that, for example, in our work regarding the healthcare sector, regarding the civilian infrastructure in the context of the Ukraine conflict, we always add the harms dimension. We develop a specific methodology. And this is really key to understand how the impact is going beyond, let’s say, the pure, I would say, financial monetary damages. But you really need to understand the impact of cyberattacks on society, especially those cyberattacks that are obviously targeting the critical services that are making our societies running. Just a couple of points in terms of key actions. Rene mentioned the emerging technologies. Allow me to say, indeed, it’s a critical area where, obviously, I’m thinking about artificial intelligence, quantum, are bringing amazing opportunities. But at the same time, improper deployment could create new vulnerabilities, especially when we think about a critical infrastructure because still important to remember that many critical infrastructure that we are still seeing today are running on legacy systems, meaning that they were not conceived of basically to be connected just to start with. So this is extremely important to have a sort of like responsible approach in deploying emerging technologies. And then, I mean, I was smiling when Chris was talking about the GC3B because indeed one of my key points was to definitely scalable capacity building specifically for under-resourced communities. And I really appreciated that Julia also mentioned the, let’s say the connection between the, I would say the evolution between the understanding that cybersecurity is a key component of development as well. 
And to this end, I was encouraging basically the audience as well to build on existing initiatives like the excellent work done by the GFC and the opportunity that we have with the Global Cyber Capacity Building Conference that is upcoming in May in Geneva, really to bridge this gap between cybersecurity and development communities and critical infrastructure protection is one of the, I would say the key pillars. And maybe just to finish, we talk about multi-stakeholder collaborations. I gave some practical examples and I’m happy to, I mean, to dig into this more if I may. And it’s a sort of like a personal mantra. It needs to be meaningful. I mean, multi-stakeholder collaboration means nothing if it’s, I mean, if it’s just on paper or if it’s just to tick the box. And I really like what Rene was mentioning at the very beginning in terms of like partnerships are working where, when basically each partner is providing, let’s say, his or her best, let’s say expertise, to create basically the best solution possible, but according, let’s say, to what they can bring at the table and not simply because they want to be sitting at the table. So I think we need to see multistakeholder collaboration starting valuing much more, which is the impact of a multistakeholder collaboration instead of just having it as a nice to have.
Timea Suto: Thank you so much, Francesca. So we’ve covered quite a bit of ground that Rene started. We’ve heard on the importance of international norms and their implementation. We’ve heard about standards, capacity building, multistakeholder partnerships. So I have one more element that I would like to throw at Robyn and hear a bit of an insight on that, which is what is the role of policies, national policies in this? How do we make sure that policies are responsive to everything that we’ve heard here? What is it that’s out there that is helpful? What is it that we still need? And how do we move towards perhaps a bit more interoperability or harmonization of what’s happening in national context, going back to the initial thought of fragmentation being so harmful to cybersecurity? So a short little question there for you, if you can cover that.
Ms Robyn Greene: Sure, I will do my best. Thank you so much for having me here. I’m really excited to talk about this critical issue. One of the things that I think you’re going to see throughout my comments is how the things that I’m going to be recommending are not only applicable when you’re thinking about critical infrastructure and cybersecurity. I think when we get into the policy space, we really have to confront the fact that critical infrastructure is no longer just critical infrastructure. It is something that intersects with commercial technologies, with everyday sort of technologies and with the people who use those technologies. And as a result of that, one of the first things that we need to do from a policy perspective is to really take a holistic assessment of the technological landscape, as well as the threat landscape, so that we can understand things like what are the kinds of devices that interact with what we consider to be core critical infrastructure. This is especially important as private sector services are increasingly intersecting with or actually building and providing that core critical infrastructure. In addition to that, we need to make sure that policies around cybersecurity for critical infrastructure include security requirements that are technically compatible with the internet infrastructure and consistent with the values of an open, interoperable and secure internet. As I’m going to discuss in more detail a little bit later in my comments, this includes things like not mandating any legal or regulatory threats to key security tools like encryption, such as requiring things of the private sector like building key escrow or other so-called backdoors into encrypted products and services, content scanning and labeling requirements or traceability requirements that undermine encryption. This also includes resisting implementing mandates around private sector data localization and restrictions on private sector data transfers. 
The other thing that we really need to do is look to the future. What does the future of technology look like? What will future technologies require and how will they intersect with our critical infrastructure? How will the next generation of technologies even potentially replace today’s critical infrastructure? Partnerships with the private sector can be uniquely impactful in helping governments to do this kind of, you know, looking into the crystal ball, if you will. And since private sector entities, technology companies in particular, but also academia and other multi-stakeholder experts are really at the vanguard of these technological advancements and can be uniquely helpful in doing that kind of forecasting so that we can make sure that cybersecurity protections for critical infrastructure aren’t only responding to the threats of yesterday and today, but also preparing for the threats of tomorrow. In addition to that, and this is one of the most important things, and I think one of the greatest challenges that we see in the policy landscape, make it easy for companies to want to work with and share information with governments, cyber threat indicators, that is, and make sure that those relationships with companies are not, you know, the big don’t is don’t establish relationships with private sector on the basis of regulatory threats or threats to services, to their license to operate. Legal frameworks that promote human rights norms, rule of law, and legal predictability, not only in the context of cybersecurity, but also in the context of other policy spaces are the ones that will promote willing collaborations and do ensure that relationships are reciprocal. 
At the end of the day, the willing collaboration is one of the most important things for private sector partnership with the public sector in critical infrastructure protection, because, of course, you don’t want companies in the position where they’re only focused on checking boxes, and they’re, you know, only doing what they’re absolutely obligated to do. You want companies that are really looking at the holistic cybersecurity and threat landscape and proactively sharing information with governments that they think will really lift all boats, if you will. And so this makes this one of the most important elements of encouraging this willing collaboration beyond not having it be sort of like a mandatory or fear-based mechanism is making sure that these relationships are reciprocal, making sure you’re sharing, governments are sharing information back with the private sector early and often. This not only helps to lift all boats by enabling companies to better protect their clients and users, but it also builds trust and incentivizes these companies to come to the table in the first place. Beyond just reciprocal information sharing, I think the other types of sort of reciprocal partnerships can also include skill building and reciprocal access to technological tools and new technologies. The next thing that I think is going to be really important in having a better policy space that is providing more robust protection for critical infrastructure is actually starting to track the broader policy landscape. And this is something that I sort of touched upon a little earlier in my comments, but we need to really start to internalize the fact that regulatory debates and proposals that are not directly about cybersecurity or about critical infrastructure will inherently affect our ability to protect critical infrastructure in particular. 
And so, as I mentioned, you know, resisting the impulse to pursue policies that require data localization is, I think, you know, one of the more important things that we can do. At the end of the day, data localization is actually one of the more harmful policies for cybersecurity, not only in terms of like private sector protection of information and things like that, but also in terms of protection of critical infrastructure. This is because it increases costs for companies and for the government, in many cases, to actually apply state-of-the-art cybersecurity solutions. It restricts access to and deployment of those state-of-the-art cybersecurity services and measures, and it limits and disincentivizes regular system updates. It also limits resilience measures, like storing backups of systems in multiple locations. In addition to that, it’s critically important to restrict to, excuse me, resist restrictions on international data transfers for the private sector. When we’re thinking about protecting cybersecurity, information is absolutely essential. And because of how the private sector intersects with critical infrastructure so much, and as I mentioned, in many cases, actually operates or owns critical infrastructure, it’s really important that companies be able to have that global visibility into what the threat landscape is and be able to access information as quickly as possible. One of the most limiting factors to that is restricting the flow of information because that is inherently going to limit your view to the domestic threat landscape rather than the global threat landscape. So encouraging data flows is actually encouraging cybersecurity in many ways. And then finally, resisting the adoption, resisting the impulse to undermine or chill the adoption of end-to-end encryption and quantum resistant encryption. Encryption is by far the most effective tool that we have to protect privacy and security of communications. 
This applies not only to private communications, but also to government communications and data. And ultimately, any time you see policies or regulations that mandate weaknesses in encryption, even if they are meant only to apply to private sector tools and systems, they inherently wind up intersecting with government and critical infrastructure systems. And so what you wind up doing is actually lowering the global security level of anything, you know, that’s going to be touching those systems. We actually have a very sort of like current, if you will, example that’s also a very stark example, to be honest, of how important encryption is to protecting cybersecurity and critical infrastructure in particular. As folks may be aware of Salt Typhoon, this is a major story in the U.S., but I imagine it’s being followed throughout the world where, you know, foreign spies have essentially taken advantage of vulnerabilities in telecommunications and ISP systems in order to infiltrate those systems. And, you know, while they may have access to be targeting lots of different people’s communications and private data, they are, in fact, targeting government officials. And so this is, you know, one of those examples of how we see the private sector intersecting with critical infrastructure and the government and the need for encryption. The last thing is resisting the impulse to mandate data retention beyond what is necessary. You’re just keeping data that could be useful to, you know, cyber criminals and other malicious actors unnecessarily if you’re imposing data retention mandates that go beyond, for example, what’s necessary for business purposes or what’s necessary for operational purposes, depending on the kind of entity that’s subject to these requirements. 
The next issue that I think is really important when it comes to the, and this is the last issue, when it comes to the policy environment and protecting critical infrastructure and cyber security of critical infrastructure is international cooperation. This is certainly not surprising, as we’ve heard this many times throughout the panel already, but ultimately this does not just include the sort of traditional types of cooperation around cyber threat information sharing and securing supply chains. It also includes things like regulatory interoperability. Make sure that not only cyber security regulations are interoperable with other regulations from other, like cyber security regulations from other governments, but make sure that non-cyber domestic and foreign regulations that implicate cyber security are compatible with current cyber security best practices. Too often we see, you know, regulatory proposals that are meant to address social concerns like, you know, online safety and things like that, which are critically, critically important, but that would actually wind up doing things like undermining encryption, and this is, of course, incompatible with cyber security and critical infrastructure, cyber security best practices. And so I think, you know, as a global community, it’s incumbent upon us not only to look at the policy landscape through the lens of what is directly affecting critical infrastructure because it is literally regulating critical infrastructure, but what are the secondary and tertiary policies that we’re considering and applying to government and the private sector that could actually still have significant ramifications for critical infrastructure and cyber security globally. In addition to that, addressing cyber crime safe haven jurisdictions is critically important. 
You know, we need to make it harder and more risky for malicious actors, whether they’re working independently, for criminal organizations, or directly or indirectly for nation states to attack critical infrastructure, particularly as, you know, we see the growing closeness between critical infrastructure and private sector technologies and stakeholders. The U.N. Cyber Crime Convention was originally proposed and promoted by several of these safe haven states, and that’s somewhat ironic, perhaps, but we are sort of in a place now where the negotiation has completed, and parties are going to move to negotiating the modalities for the protocol discussions and the protocols themselves and adoption and ratification of the treaty. Rule of law governments need to prioritize ensuring that the protocols are not only providing for specific procedural and human rights safeguards that weren’t included in the convention text, but also accountability mechanisms to ensure that all parties play by the same rules and that they work cooperatively towards investigating and preventing global cybercrime, not only when it serves their specific geopolitical or national interests. Finally, capacity building is another really important element of international cooperation and private sector, public sector collaboration. This is something the Cyber Crime Convention has a lot of potential to improve, not just as it applies to cybercrime investigation, but also to technically advance the technical skills and practices of other parties to the convention. The technically advanced and well-resourced governments can and should provide material support and technical training to augment the cyber security capabilities and practices of the less resourced and technically advanced nation states that are a party to the convention. 
I think there’s just, the policy landscape is something that we often think of as being very specific to critical infrastructure or to supply chain or something like that, but one of the things that I think we should really start to focus on as we think about cyber security and critical infrastructure is how the broader policy landscape and how relationships between governments and private sector entities can really impact that space too. Thank you.
Timea Suto: Thank you so much, Robyn. Quite a lot of information in that as well and also exploring in this extra element of cyber security, but actively fighting cybercrime, which we know in the U.N. it’s two separate processes, but in real practice they are, they go hand in hand. We had a second round of questions prepared, but I don’t think we will have time for that. We are 15 minutes away from the end of the session and I do want to turn to the audience as well and hear a little bit if you have any questions, if you have any remarks on what we’ve heard from the speakers before I give them the last word. So anybody, if you have comments online, please put your hand up, we can turn to you or here in the room. Likewise, put your hand up physically and we’ll get you a microphone. So are there any questions or comments? Think you were very comprehensive or very exhaustive, either or the other? Well, if the audience has no questions or input, then I think I’ll do a round-robin and then in the very end I’ll get to Rene on the account of first and last words. So in the order that I’ve called you previously, perhaps I can turn to Julia and ask what are your takeaways from this discussion and what is the one element that you think we should take forward as a message from this session for the IGF and for the global multi-stakeholder community to ponder upon or perhaps act upon?
Julia Rodriguez: Yes, thank you. Thank you so much for a great conversation. It has been really interesting. I think that the panel is a proof of why a stakeholder collaboration is crucial because I think that each one of the speakers has contributed with its insights on their competencies. I think it is impossible to summarize, but one of the main things that stuck with me, the importance of standards. From my perspective, these can directly address these misaligned definitions that make operationalization a challenge. Capacity building is key across the technical aspects as network security, encryption, incident response, but also from the more social and economic and humanitarian perspective and of course the impact of this cyber diplomacy that we’re trying to develop and great comments on data minimization. I think that we need to incorporate more privacy by design concepts into the normative framework of the United Nations and I think that many of these cyber intrusions at the end affect individuals. So I think this has been very well highlighted by the Cyber Peace Institute’s harms methodology. I think it is a great, great takeaway and my one sentence takeaway, it will be multi-stakeholder collaboration is essential to protect And I will stop there. Thank you.
Timea Suto: Thank you so much, Julia. Wouter?
Mr Wouter Kobes: Yes, thank you. Well, hinting on the words Francesca said, I think the Network Information Security Directive, version 2, we have in the EU, does a really nice attempt in defining critical infrastructure. And I think the point of Robyn, where you have to involve your commercial sector as well, is also captured there, because it extends towards the supply chain of this critical infrastructure. So I think that’s a nice attempt, at least by the EC, to define that critical infrastructure. Yeah, I think my giveaway to the audience and the panelists is also to lead by example in adopting internet security standards. So I invite you all to, after this session, navigate to our security adoption tool, internet.nl, and measure your own organization and see where you have room to improve in leading by example in these internet standards. So with that, I would like to thank you all for this very interesting discussion.
Timea Suto: Thank you, Wouter. Chris?
Mr Chris Buckridge: Yeah, thanks, Timea. And thanks for organizing this session and for a really interesting discussion and set of interventions. I was happy not to be the first person here to mention AI. I think too often the conversation seemed to be turning to that. But it is a really interesting and significant point. And I mean, at the OEWG the other week, really every meeting of the OEWG, more member states are highlighting AI as an area of real concern for them. And it makes sense. I know ISC2, I think, did a survey late last year and more than half of CISOs, security professionals, are anticipating AI-enabled attacks or AI-enhanced attacks to be part of what they have to defend against. Now, it’s not entirely clear what’s actually happening and to what extent that’s happening in real life at this stage. And I think there were some states that also made that point. But, I mean, Unity has done a study which sort of really highlights that sort of arms race we’re in where AI is enhancing the abilities of attackers, it’s enhancing the ability of defenders. But that really centers back to the need for capacity building, it centers back to, that’s great that the defense is sort of continuing to ratchet up along with the attack, but if you’re in the global south, and if you’re not really on that sort of, in on that arms race, you’re becoming increasingly vulnerable to these attacks. So this is not something where we can leave people behind. If you get left behind, you’re going to be a vulnerability, and that’s going to be a vulnerability for the entire system. So we need to be ready to, sorry, invest, sorry, in cyber capacity building. And I mean, to use another very overused term, we need to be agile about that. We need, and I think Robyn mentioned, the changing landscape, the sort of ever-moving landscape that we have in terms of security. That cyber capacity building activity also needs to reflect that.
It needs to be ready to engage with what the latest threats are, the latest vulnerabilities are, and to be ready to mitigate that. So it is, as Wouter, I think, also said, a constant. It’s not something where we can say one and done. It’s something we need to keep evolving and working on as time goes on. Thanks.
Timea Suto: Thank you, Chris. Francesca?
Francesca Bosco: Thank you so much. So what was tried me, I mean, I think is, the clear articulation. So thank you so much for the excellent discussion, because I think there was a very good segue among the different speakers. And I think we all reiterated the fact that the dependency is not only from a technical standpoint, but there is a dear need to understand the complexity of the ecosystem when we talk about a critical infrastructure. And I really appreciated the last comment from Robyn, the last remarks from Robyn, specifically on this, how the policies are kind of like intertwined. I also very much appreciated that the, one of the things that I’ve been, I mean, I spent all my life in the country in cybercrime, cybersecurity, misuse of technology, and so on and so forth. And one of the key challenges is always information sharing. It’s doable, but it needs to go both ways. And I think Robyn very well highlighted the fact that it cannot be just, let’s say, private sector vis-a-vis government, for example. But I mean, again, we need to create the ecosystem for the information sharing. So I think this is super important to be stressed. We mentioned several times building capacity, I would say, as very well Chris was mentioning, for now and for the future. Interestingly, I mean, in these days, I’m working on the potential risk of fully autonomous cyber attacks, impacting, for example, critical infrastructure. And indeed, the idea is not only to conceive it, but also to potentially build the capacity for being able to respond. And let me finish maybe with some of the remarks that building on what Rene and Julia also were saying. And again, going back to the idea of the meaningful multi-stakeholder collaboration standards. The standards are key. Or for example, international processes are key. 
But let’s be honest, not all the actors that should be involved in the multi-stakeholder approach have the means, have the resources, have the understanding on even how to engage. I’m thinking about the civil society difficulties in engaging with the standards bodies, for example. Or I’m thinking about many companies that would like to engage, for example, in the open-ended working group and similar processes, but they didn’t even know where to start, basically. So kudos to the ICC for organizing these panels because I think it’s also, I mean, helping in this direction. But I would say that more awareness-raising and really knowledge-building needs to be done in this sense.
Timea Suto: Thank you, Francesca.
Ms Robyn Greene: We just got the five-minute warning. So I’m gonna be extremely brief, especially since I wasn’t very brief in my initial comments. And I think I’ll just sum everything up with three thoughts. One, keep in mind how intersectional the technological landscape is, and therefore how intersectional we need to think about the policy landscape, and how that will impact the ability for the private sector to partner with government in the protection of critical infrastructure. Two, never ever underestimate the impact of encryption on cybersecurity, the importance of ensuring that all policies protect and promote the adoption of encryption rather than undermining it. And then three, also never, ever, ever underestimate the importance of data flows and the risks of data localization mandates, especially as applied to private sector entities and how that will ultimately lead to ramifications for critical infrastructure cybersecurity. Thank you so much, this has been a great panel.
Timea Suto: Thank you, Robyn. Rene, I give you the first word, I’m going to give you the last word as well. From your keynote speech after hearing all our speakers, what has changed from what you said or what would you like to highlight to build on what you said?
Rene Summer: Thank you, Timea, thank you all. Well, I mean, a lot has been said, so maybe on the margin of what has been already mentioned, I was thinking about what to say and then Elvis Presley’s song came to mind, a little less conversation, a little more action. And I think it falls down that we see the need for more actionable progress. I would really like to stress that many of the threats we see growing are stemming from those residual risks where industry will not be able to defend itself and how to address the residual risks, I think is very, very important. And the cost of inaction here is growing day by day. I think we have seen numbers that the global cost of cyber today is about 11 trillion US dollars that correspond to three G7 countries’ nominal GDP from 2022, I think, meaning Germany, UK and Japan. And we need to change the tide of this development.
Timea Suto: Concise as always, thank you, Rene, but it’s quite powerful as well. As a last word to take away. That only leaves me with one job, is to thank you all for being here, for accepting ICC’s invitation for this conversation and for sharing all your expertise and insight with us and with the audience here in the room and online. There will be a report of this session on the IGF website, so we will be coming to you with that. And, of course, the ICC website is always there, so please take a look at our publications, not only on cyber security, but as Robyn highlighted, we also need to look into what we have done on data issues, especially on government access issues to data. So I’ll leave you with that. Huge thanks to my panelists, and a huge round of applause to all of you who’ve been here. Thank you. Thank you very much. Bye-bye.
Rene Summer
Speech speed
139 words per minute
Speech length
3123 words
Speech time
1342 seconds
Fragmentation and complexity hinder security efforts
Explanation
Rene Summer argues that fragmentation and complexity are the main enemies of security. He emphasizes that different approaches and definitions across jurisdictions create challenges for policy targeting and implementation.
Evidence
Rene mentions that many jurisdictions have developed different critical infrastructure frameworks, leading to complexity and fragmentation.
Major Discussion Point
Challenges in protecting critical infrastructure
Agreed with
Mr Wouter Kobes
Ms Robyn Greene
Agreed on
Importance of addressing fragmentation and complexity
Need for holistic approach involving all stakeholders
Explanation
Rene Summer advocates for a holistic policy approach that is well-balanced and targeted. He stresses the importance of involving all stakeholders, including governments, in addressing cybersecurity challenges.
Evidence
Rene mentions the need for clear roles and responsibilities, as well as cooperation and coordination between stakeholders.
Major Discussion Point
International cooperation and multistakeholder collaboration
Agreed with
Mr Chris Buckridge
Francesca Bosco
Agreed on
Need for capacity building, especially in the Global South
Julia Rodriguez
Speech speed
119 words per minute
Speech length
957 words
Speech time
480 seconds
Lack of consensus on defining critical infrastructure
Explanation
Julia Rodriguez points out that there is a lack of consensus among states when defining critical infrastructure. This lack of agreement creates challenges in developing and implementing effective protection measures.
Evidence
Julia mentions that while some sectors like healthcare have been identified, there is still a need to move from policies into action.
Major Discussion Point
Challenges in protecting critical infrastructure
Differed with
Mr Wouter Kobes
Differed on
Approach to defining critical infrastructure
Importance of public-private partnerships and information sharing
Explanation
Julia Rodriguez emphasizes the crucial role of public-private partnerships in strengthening safety and security. She highlights the need for collaboration with service providers to ensure the protection of critical infrastructure.
Evidence
Julia mentions El Salvador’s active engagement in multilateral arenas to advocate for concrete implementation measures and partnerships.
Major Discussion Point
International cooperation and multistakeholder collaboration
Agreed with
Rene Summer
Francesca Bosco
Ms Robyn Greene
Agreed on
Need for multistakeholder collaboration
Need to incorporate privacy-by-design concepts in normative frameworks
Explanation
Julia Rodriguez suggests that privacy-by-design concepts should be incorporated into the normative framework of the United Nations. This approach would help address privacy concerns in cybersecurity efforts.
Major Discussion Point
Role of standards and policies
Mr Wouter Kobes
Speech speed
131 words per minute
Speech length
648 words
Speech time
294 seconds
Misaligned definitions make operationalization challenging
Explanation
Mr Wouter Kobes points out that misaligned definitions of critical infrastructure across jurisdictions create challenges in operationalizing protection measures. This misalignment hinders effective implementation of security strategies.
Major Discussion Point
Challenges in protecting critical infrastructure
Agreed with
Rene Summer
Ms Robyn Greene
Agreed on
Importance of addressing fragmentation and complexity
Standards help address misaligned definitions across jurisdictions
Explanation
Mr Wouter Kobes argues that standards play a crucial role in addressing misaligned definitions of critical infrastructure across jurisdictions. He suggests that standards can provide a common framework for understanding and protecting critical infrastructure.
Evidence
Wouter mentions the Network Information Security Directive version 2 in the EU as an attempt to define critical infrastructure.
Major Discussion Point
Role of standards and policies
Differed with
Julia Rodriguez
Differed on
Approach to defining critical infrastructure
Standards adoption demonstrates leadership in internet security
Explanation
Mr Wouter Kobes emphasizes the importance of leading by example in adopting internet security standards. He suggests that organizations should measure their own security adoption to identify areas for improvement.
Evidence
Wouter invites the audience to use their security adoption tool, internet.nl, to measure their organization’s security standards adoption.
Major Discussion Point
Role of standards and policies
Mr Chris Buckridge
Speech speed
156 words per minute
Speech length
1496 words
Speech time
575 seconds
Capacity building essential, especially for Global South
Explanation
Mr Chris Buckridge emphasizes the critical importance of capacity building, particularly for countries in the Global South. He argues that leaving countries behind in cybersecurity capabilities creates vulnerabilities for the entire global system.
Evidence
Chris mentions the increasing vulnerability of countries not involved in the AI ‘arms race’ between attackers and defenders.
Major Discussion Point
International cooperation and multistakeholder collaboration
Agreed with
Rene Summer
Francesca Bosco
Agreed on
Need for capacity building, especially in the Global South
AI-enabled attacks anticipated as growing concern
Explanation
Mr Chris Buckridge highlights the growing concern about AI-enabled or AI-enhanced attacks. He notes that many security professionals are anticipating these types of attacks as part of what they need to defend against in the future.
Evidence
Chris cites an ISC2 survey indicating that more than half of CISOs and security professionals anticipate AI-enabled attacks.
Major Discussion Point
Emerging technologies and future threats
Capacity building must evolve to address latest threats
Explanation
Mr Chris Buckridge argues that capacity building efforts need to be agile and evolve to address the latest threats and vulnerabilities. He emphasizes the need for continuous adaptation in cybersecurity practices.
Major Discussion Point
Emerging technologies and future threats
Francesca Bosco
Speech speed
141 words per minute
Speech length
1879 words
Speech time
796 seconds
Rapid evolution of cyber threats exposes vulnerabilities
Explanation
Francesca Bosco points out that the rapid evolution of cyber threats exposes vulnerabilities in critical infrastructure. She emphasizes the need to understand and address these evolving threats to ensure better protection.
Evidence
Francesca mentions ransomware attacks on healthcare systems during the COVID-19 pandemic as an example of exposing technical vulnerabilities and lack of preparedness.
Major Discussion Point
Challenges in protecting critical infrastructure
Multistakeholder input crucial for developing effective frameworks
Explanation
Francesca Bosco emphasizes the importance of meaningful multistakeholder collaboration in developing effective cybersecurity frameworks. She argues that diverse expertise and perspectives are necessary to address complex cybersecurity challenges.
Evidence
Francesca mentions the Cyber Peace Institute’s work on monitoring attacks against civilian infrastructure in the Ukraine conflict as an example of multistakeholder collaboration.
Major Discussion Point
International cooperation and multistakeholder collaboration
Agreed with
Rene Summer
Mr Chris Buckridge
Agreed on
Need for capacity building, especially in the Global South
Need to prepare for potential fully autonomous cyber attacks
Explanation
Francesca Bosco highlights the need to prepare for potential fully autonomous cyber attacks that could impact critical infrastructure. She emphasizes the importance of building capacity to respond to these future threats.
Evidence
Francesca mentions her current work on assessing the potential risks of fully autonomous cyber attacks on critical infrastructure.
Major Discussion Point
Emerging technologies and future threats
Responsible approach needed in deploying emerging technologies
Explanation
Francesca Bosco argues for a responsible approach in deploying emerging technologies, particularly in critical infrastructure. She emphasizes the need to consider potential vulnerabilities, especially in legacy systems not designed for connectivity.
Major Discussion Point
Emerging technologies and future threats
Ms Robyn Greene
Speech speed
154 words per minute
Speech length
2223 words
Speech time
862 seconds
Intersectionality of technological landscape complicates policy approaches
Explanation
Ms Robyn Greene emphasizes the intersectionality of the technological landscape and its impact on policy approaches. She argues that critical infrastructure now intersects with commercial technologies and everyday systems, requiring a more holistic policy approach.
Major Discussion Point
Challenges in protecting critical infrastructure
Agreed with
Rene Summer
Julia Rodriguez
Francesca Bosco
Agreed on
Need for multistakeholder collaboration
Policies should be compatible with internet infrastructure and values
Explanation
Ms Robyn Greene argues that policies around cybersecurity for critical infrastructure should be technically compatible with internet infrastructure and consistent with the values of an open, interoperable, and secure internet. She emphasizes the importance of not undermining key security tools like encryption.
Evidence
Robyn mentions examples of policies to avoid, such as mandating key escrow, backdoors, content scanning, or traceability requirements that undermine encryption.
Major Discussion Point
Role of standards and policies
Regulatory interoperability needed across jurisdictions
Explanation
Ms Robyn Greene emphasizes the need for regulatory interoperability across jurisdictions. She argues that not only cybersecurity regulations should be interoperable, but also non-cyber domestic and foreign regulations that implicate cybersecurity should be compatible with current best practices.
Major Discussion Point
International cooperation and multistakeholder collaboration
Agreed with
Rene Summer
Mr Wouter Kobes
Agreed on
Importance of addressing fragmentation and complexity
Importance of forecasting future technological needs and threats
Explanation
Ms Robyn Greene highlights the importance of looking to the future and forecasting technological needs and threats. She argues that partnerships with the private sector can be uniquely impactful in helping governments anticipate future challenges.
Major Discussion Point
Emerging technologies and future threats
Policies must consider broader technological landscape impacts
Explanation
Ms Robyn Greene argues that policies must consider the broader technological landscape and its impacts on critical infrastructure protection. She emphasizes the need to track regulatory debates and proposals that are not directly about cybersecurity but can affect the ability to protect critical infrastructure.
Evidence
Robyn mentions examples such as data localization policies and restrictions on international data transfers, which can harm cybersecurity efforts.
Major Discussion Point
Role of standards and policies
Agreements
Agreement Points
Need for multistakeholder collaboration
Rene Summer
Julia Rodriguez
Francesca Bosco
Ms Robyn Greene
Need for holistic approach involving all stakeholders
Importance of public-private partnerships and information sharing
Multistakeholder input crucial for developing effective frameworks
Intersectionality of technological landscape complicates policy approaches
Speakers agreed on the critical importance of involving all stakeholders, including governments, private sector, and civil society, in addressing cybersecurity challenges and developing effective frameworks.
Importance of addressing fragmentation and complexity
Rene Summer
Mr Wouter Kobes
Ms Robyn Greene
Fragmentation and complexity hinder security efforts
Misaligned definitions make operationalization challenging
Regulatory interoperability needed across jurisdictions
Speakers emphasized that fragmentation in approaches, definitions, and regulations across jurisdictions creates complexity and hinders effective cybersecurity efforts. They stressed the need for alignment and interoperability.
Need for capacity building, especially in the Global South
Rene Summer
Mr Chris Buckridge
Francesca Bosco
Need for holistic approach involving all stakeholders
Capacity building essential, especially for Global South
Multistakeholder input crucial for developing effective frameworks
Speakers agreed on the importance of capacity building, particularly for countries in the Global South, to ensure a more secure global cybersecurity ecosystem.
Similar Viewpoints
Both speakers emphasized the importance of standards and policies that are compatible with internet infrastructure and values, and can help address misalignments across jurisdictions.
Mr Wouter Kobes
Ms Robyn Greene
Standards help address misaligned definitions across jurisdictions
Policies should be compatible with internet infrastructure and values
Both speakers highlighted the need to prepare for future threats, particularly those involving AI and autonomous systems, in the context of critical infrastructure protection.
Mr Chris Buckridge
Francesca Bosco
AI-enabled attacks anticipated as growing concern
Need to prepare for potential fully autonomous cyber attacks
Unexpected Consensus
Importance of encryption for cybersecurity
Ms Robyn Greene
Julia Rodriguez
Policies should be compatible with internet infrastructure and values
Need to incorporate privacy-by-design concepts in normative frameworks
While coming from different perspectives (private sector and government), both speakers emphasized the importance of protecting encryption and incorporating privacy-by-design concepts in cybersecurity frameworks, showing an unexpected alignment on this issue.
Overall Assessment
Summary
The main areas of agreement included the need for multistakeholder collaboration, addressing fragmentation and complexity in cybersecurity approaches, the importance of capacity building (especially in the Global South), and the need to prepare for future threats like AI-enabled attacks.
Consensus level
There was a high level of consensus among the speakers on the major challenges and necessary approaches to protecting critical infrastructure. This consensus suggests a growing recognition of the complexity of the issue and the need for collaborative, holistic solutions. However, specific implementation details and prioritization of actions may still require further discussion and negotiation among stakeholders.
Differences
Different Viewpoints
Approach to defining critical infrastructure
Julia Rodriguez
Mr Wouter Kobes
Lack of consensus on defining critical infrastructure
Standards help address misaligned definitions across jurisdictions
While Julia Rodriguez highlights the lack of consensus in defining critical infrastructure as a challenge, Mr Wouter Kobes suggests that standards can help address these misaligned definitions.
Unexpected Differences
Emphasis on encryption
Ms Robyn Greene
Other speakers
Policies should be compatible with internet infrastructure and values
While most speakers focused on broader cybersecurity issues, Ms Robyn Greene placed a strong emphasis on the importance of encryption, which was not as prominently discussed by other speakers. This unexpected focus highlights the potential tension between security measures and privacy concerns.
Overall Assessment
Summary
The main areas of disagreement centered around the definition of critical infrastructure, the role of standards, and the emphasis on specific technical aspects like encryption.
Difference level
The level of disagreement among speakers was relatively low, with most differences being more about emphasis and approach rather than fundamental disagreements. This suggests a general consensus on the importance of protecting critical infrastructure, but varying perspectives on how to achieve this goal effectively.
Partial Agreements
Both speakers agree on the need for a comprehensive approach to cybersecurity, but they differ in their focus. Rene Summer emphasizes stakeholder involvement, while Robyn Greene highlights the complexity of the technological landscape and its impact on policy.
Speakers: Rene Summer, Ms Robyn Greene
Arguments: Need for holistic approach involving all stakeholders; Intersectionality of technological landscape complicates policy approaches
Similar Viewpoints
Both speakers emphasized the importance of standards and policies that are compatible with internet infrastructure and values, and can help address misalignments across jurisdictions.
Speakers: Mr Wouter Kobes, Ms Robyn Greene
Arguments: Standards help address misaligned definitions across jurisdictions; Policies should be compatible with internet infrastructure and values
Both speakers highlighted the need to prepare for future threats, particularly those involving AI and autonomous systems, in the context of critical infrastructure protection.
Speakers: Mr Chris Buckridge, Francesca Bosco
Arguments: AI-enabled attacks anticipated as growing concern; Need to prepare for potential fully autonomous cyber attacks
Takeaways
Key Takeaways
A holistic, multistakeholder approach is needed to protect critical infrastructure cybersecurity
International cooperation and alignment of policies and standards are crucial
Capacity building, especially for less-resourced countries, is essential
The broader policy landscape beyond just cybersecurity impacts critical infrastructure protection
Emerging technologies like AI present new challenges and opportunities
Encryption and data flows are vital for cybersecurity and should not be undermined
Public-private partnerships and information sharing are key, but need to be reciprocal
Resolutions and Action Items
Participants encouraged to use the internet.nl tool to measure their organization’s security standard adoption
More awareness-raising and knowledge-building needed on how to engage in international processes
Need to operationalize existing norms and move from conversation to action
Unresolved Issues
How to achieve consensus on defining critical infrastructure across jurisdictions
How to balance security needs with privacy and human rights concerns in policy approaches
How to effectively address residual risks that industry cannot defend against alone
How to prepare for potential future threats like fully autonomous cyber attacks
Suggested Compromises
Balancing enforcement of security requirements with incentives for appropriate behavior
Finding ways for less-resourced stakeholders to meaningfully participate in standards development and policy processes
Considering both cybersecurity and development needs in capacity building efforts
Thought Provoking Comments
Fragmentation and complexity are the number one enemy of security.
Speaker: Rene Summer
Reason: This succinctly captures a key challenge in cybersecurity, emphasizing the need for coordination and simplicity.
Impact: Set the tone for subsequent discussions on international cooperation and standardization.
We need to really start to internalize the fact that regulatory debates and proposals that are not directly about cybersecurity or about critical infrastructure will inherently affect our ability to protect critical infrastructure in particular.
Speaker: Robyn Greene
Reason: Highlights the interconnected nature of policies and their unintended consequences on cybersecurity.
Impact: Broadened the conversation to consider wider policy implications beyond direct cybersecurity measures.
We tried to understand, OK, how the critical infrastructure are, this critical sector is impacted by cyber attacks. Not so much from the angle of, let’s say, simply, allow me to say, collecting information about the damages, the cost, how many devices were infected, but try to understand what it really means for society.
Speaker: Francesca Bosco
Reason: Shifts focus from technical impacts to societal consequences, providing a more holistic view of cybersecurity.
Impact: Encouraged consideration of broader societal impacts in cybersecurity discussions.
Make sure that not only cyber security regulations are interoperable with other regulations from other, like cyber security regulations from other governments, but make sure that non-cyber domestic and foreign regulations that implicate cyber security are compatible with current cyber security best practices.
Speaker: Robyn Greene
Reason: Emphasizes the need for regulatory coherence across different domains and jurisdictions.
Impact: Highlighted the complexity of policy-making in cybersecurity and the need for a more integrated approach.
We need to be agile about that. We need, and I think Robyn mentioned, the changing landscape, the sort of ever-moving landscape that we have in terms of security. That cyber capacity building activity also needs to reflect that.
Speaker: Chris Buckridge
Reason: Emphasizes the dynamic nature of cybersecurity threats and the need for adaptable capacity building.
Impact: Shifted the discussion towards the importance of ongoing, flexible approaches to cybersecurity.
Overall Assessment
These key comments shaped the discussion by emphasizing the complex, interconnected nature of cybersecurity challenges. They broadened the conversation from technical specifics to include wider policy implications, societal impacts, and the need for international cooperation. The discussion evolved from identifying problems to exploring holistic, adaptable solutions that consider the rapidly changing technological landscape and the need for coherent, cross-sector approaches to cybersecurity policy and practice.
Follow-up Questions
How can we operationalize international norms on cybersecurity and critical infrastructure protection?
Speaker: Francesca Bosco
Explanation: Moving from policies into action is crucial for effective implementation of cybersecurity measures.
How can we measure and understand the real societal impact and harm caused by cyberattacks on critical infrastructure?
Speaker: Francesca Bosco
Explanation: Understanding the full scope of harm beyond just technical or financial damages is important for developing appropriate responses and protections.
How can we responsibly deploy emerging technologies like AI and quantum computing in critical infrastructure while addressing potential vulnerabilities?
Speaker: Francesca Bosco
Explanation: Emerging technologies offer opportunities but could also create new vulnerabilities, especially when interacting with legacy systems in critical infrastructure.
How can we improve engagement and participation of civil society and smaller companies in international cybersecurity processes and standards development?
Speaker: Francesca Bosco
Explanation: Many stakeholders lack the resources or knowledge to effectively engage in important cybersecurity discussions and standard-setting processes.
How can we address the challenges of cyber crime safe haven jurisdictions?
Speaker: Robyn Greene
Explanation: Safe havens for cybercriminals pose significant risks to global cybersecurity efforts and critical infrastructure protection.
How can we ensure that non-cybersecurity policies and regulations are compatible with cybersecurity best practices?
Speaker: Robyn Greene
Explanation: Policies in other areas can inadvertently impact cybersecurity, so a holistic approach to policy-making is necessary.
How can we better prepare for and defend against potential AI-enabled cyberattacks on critical infrastructure?
Speaker: Chris Buckridge
Explanation: AI-enhanced attacks are an emerging concern for cybersecurity professionals and require proactive preparation and defense strategies.
Disclaimer: This is not an official session record. DiploAI generates these resources from audiovisual recordings, and they are presented as-is, including potential errors. Due to logistical challenges, such as discrepancies in audio/video or transcripts, names may be misspelled. We strive for accuracy to the best of our ability.
Related event
Internet Governance Forum 2024
15 Dec 2024 06:30h - 19 Dec 2024 13:30h
Riyadh, Saudi Arabia and online