WS #81 Universal Standards for Digital Infrastructure Resiliency

17 Dec 2024 06:45h - 08:15h


Session at a Glance

Summary

This discussion focused on building universal standards for digital infrastructure resilience. Participants explored the need for global standards while acknowledging the importance of localized implementation. They emphasized the critical role of data sovereignty, integrity, and protection against emerging threats like cryptojacking and quantum computing risks. The conversation highlighted the importance of multi-stakeholder collaboration, involving governments, private sector, academia, and international organizations in developing resilience frameworks.

Key challenges discussed included rapidly evolving threats, human error, and the need for flexible, agile policies that don’t become obsolete quickly. Participants stressed the importance of capacity building and continuous skill development to address the human element in cybersecurity. They also noted the need for a risk-based approach in developing resilience frameworks, incorporating threat modeling and scenario planning.

The discussion touched on the role of existing standards like ISO, while considering the need for new, more comprehensive frameworks that address the unique challenges of digital infrastructure. Participants agreed on the importance of starting with a clear definition of the problem and creating action plans with measurable outcomes. They also highlighted the need for diversity in technologies and systems to avoid single points of failure.

The session concluded with a call to action, emphasizing the need to move beyond conversations to practical implementation of resilience standards. The participants agreed to compile the discussion into a white paper to serve as a reference for countries and regions seeking to enhance their digital infrastructure resilience.

Key points

Major discussion points:

– The need for universal standards for digital infrastructure resilience

– Challenges in developing and implementing resilience standards across different countries

– The importance of multi-stakeholder collaboration in shaping standards and policies

– Emerging threats to digital infrastructure and strategies to address them

– Balancing universal standards with localized implementation

Overall purpose/goal:

The purpose of this discussion was to explore challenges and opportunities in securing critical digital infrastructure, with the aim of developing ideas for universal standards and best practices that could be adapted by different countries. The panel sought to produce insights that could inform a white paper on digital infrastructure resilience.

Tone:

The tone was largely collaborative and solution-oriented. Panelists built on each other’s points and acknowledged the complexity of the issues. There was a sense of urgency about the need to act, balanced with recognition of the challenges involved. The tone became slightly more pointed when audience questions challenged some assumptions, but remained constructive overall.

Speakers

– Genie Gan: Director of Government Affairs and Public Policy, Kaspersky; Moderator

– Aderonke Sola Ogunsola: Head of Policy and Process Review, Corporate Planning Strategy and Risk Management Department, Nigerian Communications Commission

– Pawan Anand: Major General Dr., Director of United Service Institution of India, PhD Guide and Mentor at the National Defense College

– Alaa Abdulaal: Chief of Digital Economy Foresight, Digital Cooperation Organization

Additional speakers:

– Dino Cataldo Dell’Accio: Chief Information Officer, UN Pension Fund; involved in Best Practice Forum on Cybersecurity, leading Blockchain Dynamic Coalition on Assurance and Standardization

– Unnamed audience member: Asked question about institutions for developing standards

Full session report

Digital Infrastructure Resilience: Building Universal Standards at IGF 2023

This discussion, part of the Internet Governance Forum (IGF) 2023, explored the challenges and opportunities in securing critical digital infrastructure, with the aim of developing ideas for universal standards and best practices that could be adapted by different countries. The panel sought to produce insights that would inform a white paper on digital infrastructure resilience.

Panelists and Their Backgrounds:

– Genie Gan (Moderator): Head of Government Affairs and Public Policy for Asia Pacific at Kaspersky

– Aderonke Sola Ogunsola: Head of Cybersecurity at the Nigerian Communications Commission

– Major General Dr. Pawan Anand: Senior Fellow at the United Service Institution of India

– Alaa Abdulaal: Senior Policy Advisor at the Digital Cooperation Organization

Key Themes and Discussions:

1. Threats to Digital Infrastructure:

The panel discussed various threats, including:

– Human error and skill gaps

– Rapid technological changes

– Economic and technological disparities between countries

– Physical threats to infrastructure

Specific examples were cited, such as the Singapore banking transaction disruption and a US-based cybersecurity company incident, highlighting the real-world impacts of these threats.

2. Multi-stakeholder Collaboration:

There was strong agreement on the importance of collaboration between governments, the private sector, civil society, and international organizations. Ogunsola stressed the need for engagement from all stakeholders to develop effective standards. Abdulaal highlighted the key role of the private sector in innovation and capacity building, while also noting that international organizations can facilitate cooperation.

3. Regulatory and Standards Development:

The panel discussed the need for universal standards that are flexible enough to be adapted to different contexts. Ogunsola emphasized that universal standards are “not negotiable” but implementation may require customization. Anand concurred, stating that standards should be universal, but regulations need to be flexible to allow for innovation.

Challenges in developing and implementing standards included:

– Keeping pace with rapid technological advancements

– Addressing economic and technological disparities between countries

– Establishing common definitions and language around digital infrastructure resilience

Policy examples were discussed, such as Nigeria’s Cyber Security Act 2025 and its critical national information infrastructure order.

4. Capacity Building and Human Resources:

Ogunsola emphasized the critical importance of capacity building and continuous skill development in ensuring digital infrastructure resilience. She highlighted human error and lack of skills as major threats to resilience.

5. Risk-based Approaches and Threat Modeling:

Dr. Anand and an audience member advocated for adopting risk-based approaches and incorporating threat modeling in developing resilience frameworks. This was seen as crucial for creating effective and adaptable standards.

6. Ethical Use of AI in Cybersecurity:

Anand highlighted the growing importance of AI in cybersecurity and stressed the need for ethical and responsible use of AI in this context.

Audience Engagement:

The discussion included valuable input from audience members, including:

– A challenge to the premise of developing new standards, pointing out existing ISO standards

– The need for a common language and universal definitions for concepts like Digital Public Infrastructure (DPI)

– Advocacy for risk-based approaches in resilience frameworks

Unresolved Issues and Future Directions:

Despite the productive discussion, several issues remained unresolved, including how to develop standards that remain current given rapid technological changes, and how to address economic and technological disparities between countries in implementing standards.

Conclusion and Next Steps:

The panel agreed on the urgency of moving from dialogue to action in enhancing global digital infrastructure resilience. Genie Gan outlined specific next steps, including compiling the discussion into a white paper to serve as a reference for countries and regions seeking to enhance their digital infrastructure resilience.

The moderator noted the time constraints of the discussion, emphasizing the need for continued dialogue and action on this critical topic.

Session Transcript

Genie Gan: Can you do it again? Yes, I’m done. Alvar, wait, wait, wait. Wait, wait. Wait, wait. Wait, wait, wait. Wait, wait, wait. Wait, wait, wait. Stay with me. I’m actually going to assist. I’m going to do it soon. I think I’ll just wear it. Of course, yes. I’m doing that. Is it channel zero? Just checked up over there. So, channel one? One, huh? Okay. We should start, right? Okay, we’ll start in one minute. Alright. I’m just going to silence my phone. I know. Thank you for watching. Okay. Are we ready? Yeah, sure. Okay. Right. Good morning, everyone. We are seated in Riyadh at the Internet Governance Forum. Okay, sure, sure. Two minutes. We’ll start in two minutes, I’ve been told. Channel one. Okay. Okay. Okay. All the speakers are on site. I’m sorry. Sorry. We can start now. Okay, thank you. Good morning, everyone. From wherever or good afternoon or good evening from wherever in the world you’re dialing in from. Thank you for attending today’s session on building universal standards for digital infrastructure resiliency. My name is Genie Gan and I am the director of government affairs and public policy from Kaspersky. And I’m your moderator for today. We’re here today to discuss the challenges and opportunities of securing the backbone of a modern digital economy. Our critical infrastructure, including data centers, cloud services, and other foundational digital assets. Of course, we all know that cybersecurity and resilience of critical information infrastructure, CIIs, have become well-established requirements over the years. However, as the digital landscape evolves, we actually need to broaden our focus to include not only the security of information and data, but also the physical and operational resilience of the digital infrastructure that houses this information and data.
When we started conceptualizing this workshop early this year, we were using an example of how an outage of a major data center in Singapore actually disrupted 2.5 million banking transactions across Singapore’s largest banks. Citibank, DBS, to show how vulnerabilities in digital infrastructure can have far-reaching consequences even when it’s not triggered by any cyber attacks. But of course, its close linkage to cyber security was not immediately obvious as well. And then in July, everything all changed when a rogue software update by a US-based cyber security company led to the crippling of up to 8.5 million computers worldwide which were using Microsoft systems. And suddenly, many people realized how resilience requirements which apply in the cyber security industry could apply to digital infrastructure. And governments around the world were beginning to recognize this even before the incident. For instance, Singapore is studying the introduction of a digital infrastructure act going beyond cyber security to address a broader set of resilience risks ranging from misconfigurations in technical architecture to physical hazards such as fires, water leakages, and cooling system failures. The UK government from the other part of the world also has launched a public consultation on enhancing the security and resilience of its data infrastructure. And these developments marked the beginning of a global shift towards more comprehensive frameworks for digital infrastructure resilience. So, well, since conversations in this area are still pretty new and early stages, I think we’re in early stages, right? And there is a chance for the IGF to sort of shape some best practices and common standards. That’s our goal today, to brainstorm ideas. And really, we have today with us speakers from around the world from different regions. and we hope to brainstorm ideas that will help shape the future of digital infrastructure best practices. 
We have regulators as well, industry leaders and experts from academia to discuss these critical issues and collaborate on creating a white paper that we hope to produce at the end that will serve as a reference for countries developing laws and regulations to strengthen digital infrastructure resilience. So let me now quickly introduce our speakers after this context setting. First of all, I think I’ll start from my right on the far end. We have Ms. Aderonke. She is Head of Policy and Process Review, Corporate Planning Strategy and Risk Management Department at the Nigerian Communications Commission. She’ll speak about the role of national cyber security and digital infrastructure governance, particularly in Nigeria. And then I have Major General Dr. Pawan Anand, who is Director of United Service Institution of India and a PhD Guide and Mentor at the National Defense College. He will share insights from India, focusing on the challenges and threats to digital resilience, particularly in rapidly developing countries. And on my left, that’s Ms. Alaa Abdulaal. She is Chief of Digital Economy Foresight at the Digital Cooperation Organization. She’ll discuss the role of the DCO, Digital Cooperation Organization, in shaping and enhancing digital infrastructure, both in the Kingdom of Saudi Arabia and internationally. So for today, we will explore several key topics throughout, focusing on three main themes. First, threats to digital infrastructure, we’ll discuss the latest threats to digital infrastructure, their economic and social impact, and how different countries are responding with new standards and regulations. And of course, the second theme will be multi-stakeholder collaboration, which I think is a running theme as far as the UN and IGF context is. We’ll encourage the exchange of expertise among all stakeholders, government, industry players, academia, and all that.
And of course, lastly, we’ll talk about the regulatory and standards development, focusing on the importance of international standards for digital infrastructure, particularly and examine how best practices from cybersecurity can be adapted to this domain. So let’s kick off with some initial thoughts from our panelists. I’ll ask each of you to provide maybe a brief impulse statement, not more than two minutes, based on some following questions. Maybe we’ll start with Aderonke. So, Ronke, in your opinion, is digital infrastructure a universally accepted term? And could you also maybe give us a brief overview of the role of Nigeria’s NCC in digital infrastructure resilience?

Aderonke Sola Ogunsola: Thank you, Genie. Good morning, everybody. And thank you, Kaspersky, for sponsoring this conversation. I’d like to start by saying that this topic is timely, considering that it has a lot of interplay regarding development of standards, corporations, and what have you. In the course of reviewing this topic, there was a statement by Sharon and Karin Rudler, some sociologists. And what did they describe infrastructure as? It struck me. It says infrastructure was described in a provocative manner as something that remains invisible until it’s broken down. So let’s just look at a picture. We all wake up this morning, our emails are not sending, we can’t connect, people cannot even see us all over the world. We can’t do any transactions. I’m sure everybody will go like, what’s happening here? So that’s the perspective. Infrastructure as the bedrock is the underlying framework for digital connection. So having said that, looking at universal, is digital infrastructure universally accepted? I think that’s yes. It’s a universally accepted term because when you look at different organizations, the ITU sees it as an enabler for provision of digital access. The OECD reviews it as an example for social economic development.

Genie Gan: Sorry, give me a moment. I think we need some help here. Ronke’s audio is coming on and off. Can we maybe switch a mic for her, please? Or we can let them, maybe you use that first. Sorry, is it off? No, it’s not that, it’s. I think you used that mic first. Just let me switch that up for you. Can you hear me now? Yes, now it’s okay, yeah. Please. Okay. Now it’s good, yep.

Aderonke Sola Ogunsola: All right, so do I start all over again or just continue from the Nigerian perspective? Yes, just the Nigerian perspective. So as a regulator, I work for the Nigerian Communications Commission and we are the regulator for the telecoms communications industry in Nigeria. Basically, we oversee the technical and economic regulation of the industry. And coming from the perspective of digital infrastructure, the Commission was established by an act of the Parliament, and we have amongst various powers or functions to facilitate and enable an environment. One of the things we are looking at is promoting digital infrastructure. We have various actions or interventions that we have taken, such as providing licenses for infrastructure development, operational spectrum licenses. We also, currently in Nigeria, we have our Cyber Security Act 2025, and part of what was identified was the critical infrastructure, and digital infrastructure was part of what was identified. In addition to this, I hope you can hear me? Yes. In addition to this, a critical national information infrastructure order was recently launched. What is it looking at? It’s because we have identified as a nation the importance, the sensitivity of the infrastructure. I believe, in my opinion, that we have moved beyond cyber security to cyber or infrastructure resilience. It’s the ability for us to bounce back if there’s any attack. Jeannie did talk about the Singaporean experience, but if you also cast your mind back earlier in the year, and the SG, ITU did mention it, about the submarine cable cut. It affected a lot of countries around the West African coast. But the good thing was Nigeria, and I would give kudos to my organization, we had always been proactive in our regulations. that our operators had, you know, resilience in their network, risk management is something that we saw, and also we ensured that they have a network. How do they survive if there’s any attack? 
So for Nigeria, we did not really feel the impact, but the West African coast did have their internet connectivity shut down for a while, and Nigeria has eight submarine cables landing in its shore. So you can imagine the amount of data network structure that we have, and the ITU also acknowledges that say nothing less than 90 or let’s say 80 to 90 percent of data connectivity is carried on the submarine cable internet connectivity and all of you. And because of this, the commission, Nigeria, is passionate about ensuring resiliency. So we are also part of the working group that was established by ITU. The Honorable Minister of Communications from Nigeria is a co-chair for the corporation to work on developing standards for this, as in me, developing universal standards for digital infrastructure. For me, it’s something that’s, it’s timely. It is expedient for us to look at it holistically, and we have pockets, national, like I mentioned, experience. We also have regional and group interventions, but like the SDG or what they do, I’m not sure we have something that’s universally in everyone. So well done to Kaspersky for sponsoring this, and I think it’s a conversation that is timely. Thank you. Thank you, Ronke. In fact, in your very short impulse statement, you’ve already touched on all three themes. You’ve discussed the threats to digital infrastructure, and I love the submarine cables example that affected West Africa. That was a fantastic illustration, actually, and also about some multi-stakeholder collaboration and efforts already. So maybe I’ll now turn to Alaa. So the DCO, as we all know, plays a significant role in shaping and enhancing digital infrastructure internationally. So could you perhaps take a couple of minutes and share the goals of your organization in this area and what efforts are being made in addressing digital infrastructure resilience? Switch it on. Yes, we can hear you now.

Genie Gan: Okay, thank you.

Alaa Abdulaal: Thank you very much, and I’m very honored to be part of this panel with you all. So the Digital Cooperation Organization, just to start, we represent 16 member states, having an 800 million population, and our goal overall is to make sure that every person, nation, and business has a fair opportunity to participate. As you have said, Janine, now we are in a world of digital economies accelerating very quickly. So our organization really focuses on giving that fair opportunity for everyone to be part of this growth of the inclusive digital economy. And for that, we have mentioned now, and even my colleague here mentioned, how important is it to have the right infrastructure and have access to that infrastructure from businesses, from governments. And what we are doing at DCO is that we are promoting the use of having the development of resilience framework. those specifically in the response of the increasing risk that is coming on the digital infrastructure. We are giving guides and advices to all our member state, putting all the stakeholders on one table. So what happened during what you have mentioned in July, one of the fastest response that we have done is that we gathered all our member states on one table to discuss the issue that has happened with the faulty deployment and the outage and how did it impacted each and every nation? What was their lesson learned? What can we do together? What are some of the missing regulations in some of the countries that can other can be shared? And this is why, and we are the digital cooperation organization, we believe in the cooperation and we believe that also this is, it should be in a multi-stakeholder approach and also looking not only at infrastructure because again, infrastructure is one layer, but even as you have mentioned, we have services, operations that are running those infrastructure. Okay, do the people have the right skills? 
And capacity to be educated, to run those infrastructure with the advancements of different technologies. Now, when infrastructure is varying from supercomputers that are supporting AI, that is even bringing different layer of risks. So by focusing on providing the right information, by putting all the right stakeholders and bringing countries together, we are aimed and focused to really enhance the digital infrastructure of our member states and even contribute to globally to all countries. Excellent. Thank you. Thank you for that. I like the point that you made about infrastructure being overlaid with systems and then, of course, capacity. And then maybe we can talk a little bit about capacity building later, because that’s the human element too.

Genie Gan: So now I’ll turn to Major General Pawan. From your experience, what are the main threats and challenges to digital resilience, particularly in India and other leading economies?

Pawan Anand: Thank you, Genie, and thank you, Kaspersky, for getting us all together on this interesting subject. So, well, to my mind, firstly, I’m from the USI, the United Service Institution of India, and we do a lot of emerging technologies work with the National Cyber Security Coordinator, the National Security Council, Ministry of Electronics and IT, the Ministry of Internal Affairs or Home Affairs, and, of course, with the Defense and the Defense Cyber Agency. It’s actually interesting that India today is in every conversation that takes place globally on anything to do with digital, because India has gone deeply digital. And with the Honorable Prime Minister of India offering the DPI, the Digital Personal Infrastructure, for almost all the Global South countries, literally, India seeks to help the Global South in coming up with their DPI. So that having been said, what’s the main threats and challenges that we are looking at? And I would start with the main thing, and that is sovereignty of data. And everything hovers, perhaps, around that. You may have all your infrastructure in place. You may have the storages. You may have the transit points. You may have the networks. You may have the processing infrastructure. But at the end of it, it’s the data which really counts. It’s that’s the thing that makes the mare go. So if money makes the mare go, it’s data that makes the mare go here. The data sovereignty to my mind is something that we really need to keep in mind and India is very cognizant of that. We are, of course, would like to have all our data onshore in India, which perhaps is not totally possible at this minute because we don’t have the entire capacity to be able to store that kind of data. So obviously much of it is offshore. And when it’s offshore, and if we don’t have the capacity to keep the data, we don’t have the skills as Alaa had brought out as yet, we would be looking at the legal implications of keeping your data offshore.
And that’s something that the DPDP Act that we’ve come out with in 2023 really looks into. And I’ll come to that sometime later in our conversation. The second most important thing is integrity. So we have to look at integrity of data in storage and integrity in transit. Both of these are very important to us because wherever the interfaces happen, wherever there is a joining of networks, wherever there is a joining up with the storages, that is the point where we find vulnerabilities occur. So as your digital penetration increases in India, the contact surfaces increase and the attack surfaces increase. And I think the final point that I’d like to make quickly is that when it comes to emerging tech, AI in cybersecurity begins to get more and more important for us. So the ethical use of AI and also the responsible use of AI is so important. We would look at accountability, wherever AI is used, whether it is for cyber or for protecting infrastructure physically or digitally. we would have to look at interpretability as well, because you should be very clear as to what exactly is coming out of that and how it is protecting your infrastructure. I think also what we’ll have to keep in mind is supply chains, and we’ll talk about that later, but supply chains could be compromised, and that is one huge threat that we need to keep in mind. Today, at the end of it, with all the infrastructure that has come up, DPI that has come up in India, we have now become the 10th most vulnerable country in the world to digital assets. And I see that coming up further and further. And you can make out also by the increase in the number of cyber attacks. Maybe I could give out those figures, but that’s pretty obvious, that the number of attacks are going up geometrically every year. So I pause here and come up with some more thoughts

Genie Gan: later on. Thank you. Thank you. When you say rank number 10, I think what came to my mind was that this is really the kind of ranking we don’t want on top, right? But thank you all for your thoughts. I think it’s time for us to turn to the moderated discussions. We do have a set of policy questions that we will like discussed today and to explore with our speakers. So please, however, feel free to jump in if you’ve got thoughts to add on to whatever that other speakers are saying. But of course, please help me to keep your interventions concise and short, yeah, not more than two minutes maybe. So first, maybe I’ll get Ronke to take a first question. Do we need universal standards of resilience or is it… the case that every country’s digital infrastructure has unique needs that require a customized approach, right? So how should we balance these two perspectives of having something universal versus something that’s highly customized? What are your thoughts?

Aderonke Sola Ogunsola: Yeah. Okay. So for me, universal standards is not negotiable. I think it’s something that’s meant to be open and something that needs to be adopted. Like I did say earlier, you can start from the regional level. But like what we have done in Nigeria, I will use my national perspective, and maybe because we also boast of the largest economy in Africa, our numbers speak, our economies speak, especially our interventions when it comes to development of digital infrastructure in Africa. So back to universal standards. Yes, we do need one. What we have also done in Nigeria is to come up with a critical national information infrastructure order. It outlines strategies, methods, or would I say activities or actions by several stakeholders on how to tackle. When General Powell was speaking, he did talk about the physical protection of infrastructure. We have our own vulnerabilities back home, issues regarding vandalization of structures and all of that. So when you look at it from that perspective, you drill down, you need to look at how you protect that. And from the national to the regional, how do we come up with KPIs, standards? What works for Nigeria may not work for Ghana because of our peculiarities, but you cannot undermine that. The reason why all of us are here in this room is because the infrastructure, digital infrastructure matters to us and we’ve identified the need to see how we can continuously sustain it. So that’s the conversation around the room, whether it’s services or whether it’s whatever that runs on the infrastructure. So you move from regional and we look at the universal perspective. The IT is already working on the submarine cable resiliency, just to guide against what happened. Singapore has probably come up with their own solutions and the DCO also is sharing experiences. So in summary for me, it’s home growth to regional and universal. And at the universal level, I would like to liken it to the SDG. 
It can be adopted amongst all nations and the children will definitely go back home. So when you say, you talked about does it require a different approach? Implementation may require different approach, but the standards can be global. And this conversation I could detail and probably develop a white paper, but about adopting, having more stakeholders, especially policy level to look at it critically and see how we can run with it. Thank you. I like that response. Thank you for putting it across so elegantly because really standards can be universal and they need to be. It’s like what we have at the UN with the SDGs. Indeed, I think that’s a… pretty apt parallel that you’ve drawn. But of course, drawing experiences at the regional level and also having implementation localized. I think that’s excellent. I think that has helped us to set the stage. I’m not sure if other speakers have anything to add. Dr. Pawan. I totally agree with what Adharanka said. I mean, she really built it up from bottom to top and took the whole width of the subject. But I just want to add here that when we talk about universal standards, standards would be something that we should all be, should be all able to take on because if we don’t do that, we would be not able to connect globally. So those universal standards, I think, are so important. At the same time, when it comes to bringing in regulation, I think we need to be a little careful. So while we set standards, we will have to be careful about compliances and we need to differentiate between the two because the moment you bring in compliances and those compliances become too stringent, then there is a fear of stifling innovation. So we need to find that balance between compliance and innovation and we need to differentiate between standards and compliances.

Genie Gan: Okay. Thank you. Thank you for those remarks. I am going to move. I’m going to ask maybe Alaa a next question. What do you think are the biggest challenges in adopting universal resilience standards that we have been talking about for the most part, especially in developing regions? How can we make sure these standards are accessible and scalable in different parts of the world? And if you could maybe draw some experiences from working in DCO. Thank you. I think we have a lot of challenges in that, several key challenges. from economic and technological disparities between countries, different countries. So, let’s look at it, and even it has been mentioned by my colleagues here. Different countries have different level of readiness. Some of them, even at a stage that they lack infrastructure by itself, not only having it resilience enough. And this goes to having lack of financial support and technological support. Another aspect is also, we talked about it when I mentioned in my key or first opening, which was capacity building. Again, for a country to start adopting standards, are they ready for those standards? Do they have the right human capital to understand the standards, to apply them, to make sure that they are customized in the right way?

Alaa Abdulaal: Definitely, it’s very useful to have a framework and standards for everyone to adopt. But again, there will never be a one-size-fits-all. There will be a need of cascading to the needs of the country, to their status. But it’s very good to have that solid foundation that unifies everyone. And this is why having those right human resources and experts is very crucial on a national level, which will really make sure that it’s being adopted in the right way and implemented in the right way. Another aspect, one of the challenges is As I said, is those standards flexible enough to fit the current status of that country? What is the flexibility of those standards? And maybe another aspect that one of the challenges is currently every country is tackling this challenge by their own, even from only a government perspective, not looking at, okay, what can the private sector provide? What can the academia provide? Again, academia can provide a lot of research and understanding of those standards in coming up with the right ways. Are we putting all those people on the same table? Are they having the conversations? Is it a government approach or is it a multilateral approach, a multi-stakeholder approach? I think all of those challenges is being in the way of us, first of all, having the right standards in place to adopting them and then even measuring their impact and the way that they are executing. Thank you. You have covered several very good points. Again, I think we are seeing this recurring issue or question to do with the human capital and their ability to appreciate the issue, apply the standards, and of course, to rightly implement them in a way that makes sense in their home countries. And even, let me add, because there is a very important point from until we all reach that universal standard, okay, things are accelerating very quickly. Are those standards agile enough? In fact, too fast. Exactly. We are talking about AI. 
We are even now talking about computers, quantum computing. Again, this is adding another layer of complexity from a security perspective, from an infrastructure perspective. Again, until we reach that agreement on those are the universal standards, we will be in another point of era that we need to make sure that this is another layer of challenge that we really need to start thinking of to move fast. Can we build something that is agile enough to take those very fast advancements that we are moving in?

Genie Gan: It’s great that you point this out because Dr. Pawan and I were just having a chat yesterday after hearing some sessions in the opening segment of IGF and we’re just saying that, you know, shortly after this whole global digital transformation movement and then we have got AI and now already we’re into quantum computing. It’s like we’re trying to play catch up all the time. And I think that is definitely a theme that we need to come back to about how we can seek to remain agile and fast enough to respond, to have standards or laws or policies that actually respond to real issues, real questions that are evolving faster than we would like. I totally agree. It’s all the time a game of catch and most of us

Pawan Anand: would agree on some points and we would have disagreements in some areas and I think the solution lies in quickly reaching the places where we have consensus and issue them as some sort of a guideline or at times even as a regulation where we all agree and then we can keep resolving what we don’t agree upon. So I think when we come together to put to talk about these issues, we need to be very clear. Where is it that we’ve quickly found a consensus and let’s start implementing that as quickly as possible. And the rest, we will work on. At the same time, when we’re working on those, the difficult areas, where consensus is a little more difficult, we need to bring in the new technologies also that start influencing. So perhaps that is the only way that we can remain in the picture.

Alaa Abdulaal: Otherwise, compliances or consensus will always be so far behind. And they really like the word we. You have meant we, we have to work together, we have to agree, because yes, it’s not one person or one nation or one country. I think it is the core of it is that we are working together on it.

Genie Gan: And I also like how he says, we just need to get started. Let’s just stop talking about this and let’s just do it. All right, so I just wanna stay with Dr. Pawan and I would like to ask the next question. How can governments be equipped in digital resilience? What policies, regulations and codes of conduct, as you may like to put it, need to be adopted to ensure a secure infrastructure across healthcare, governments, finance, CIIs and data centers? So that’s really a tough one because when you formulate policy, you have to take so much into consideration.

Pawan Anand: And just to tell you how tough it’s been in India, but it’s been a very short-footed move, we came up with the DPDP Act. And we started talking about the Digital Personal Data Protection Act in 2016. We finally came out with drafts in 2022. It was given out to the public, there was blowback, there was a lot of feedback. They went out with the second bill, that was about six months later, there was a bigger blowback. And finally, you know, the DPDP Act came into existence in the mid of 2023. It may have been late, but it was there and it’s for sure. It is yet to be fully operationalized because there are certain rules which are being worked out and there are about a set of 20 to 22 rules which are going to come into place. So it just gives you a sense as to how you go about making policies with keeping in mind various stakeholders throughout the country and abroad. But I think what really gave us a big boost across the globe was that COVID-19 gave us all a real wake-up call because we all went digital and suddenly all of us realized that we need to have certain policies in place where we are able to converse digitally and of course transfer data digitally. We’ve seen how it’s impacted public services. We’ve also seen to the extent how it’s started impacting elections as well. So during COVID, there were certain elections in Europe which had to be postponed. Even the US and India elections which were held later on were impacted somewhat by this kind of digital interventions which were happening and the influence that it played. I think how you can strengthen the policy structure for this is you have a digital-first approach for public services. So this needs to be built up with almost all within the country and outside the country. We also need a remote-enabled kind of a structure in our policies so that everybody is able to work somewhat remotely and that it is controlled. Of course, everybody needs to give a higher priority to digital infrastructure. 
So with these three in, connectivity between various digital infrastructures would bring us into a complete picture. So policy has to hover around all of these. Not to forget what we spoke earlier, physical protection of our digital infrastructure. So we have to look at the housing of the infrastructure, underground, a distributed infrastructure, how to protect it physically, how to, it’s not disrupted, how to ensure it’s not interdicted physically. And then of course, during transit. And finally, I think we need to look at third party risks and how these will be managed as technology innovations take place. So all in all policies will have to be whole of government. Now, when it comes, let me just take two examples and to bring out the difference. You know, the United States has in healthcare, has those guidelines for HIPAA. And these are very stringent guidelines which have been brought in for various healthcare, for protection of healthcare and digital information. On the other hand, they also have the SSAE 18, where they have certain reports, SOC 1, SOC 2, SOC 3 reports, where these are standards by which you would expect certain reporting to happen in financial transactions. Now, in India, we are very clear that we follow the SSAE guidelines. And so our reporting in SOC 1, SOC 2 and SOC 3 is fully in place. So we expect all financial transactions to be fully transparent, to be fully controlled. On the other hand, when it comes to healthcare, and the US has the HIPAA, India has come out with its own standards. And that is, we call it Disha, a basically digital infrastructure in health care. But it leaves a lot of space open for data to be utilized. So you can’t have a universal standard, as per us, in that. But we would say that we’ve left a lot of space open for data to be utilized for research. So we don’t mind our data being used for research, but private data has to be kept in place. So it’s a little more nuanced, if you ask me. 
And that is the kind of nuance that we need to have so that we are able to utilize digital infrastructure and data to its fullest for innovation.

Genie Gan: Yeah, back to you, Genie. Thank you. Thank you for that. And I think just one point of clarification, when you talked about third party risks, you are basically talking about different people in the ICT supply chain, right? OK, cool. Now, I think questions are coming. Yeah, please. No, I’m just going to say that questions are starting to come in. But I think let’s go with the flow. I quite like the flow. Please, Aderonke.

Aderonke Sola Ogunsola: I just wanted to add one or two points to what Jennifer said when it comes to how governments need to be equipped with developing policies regarding digital resiliency. So for me, I look at it as sometimes people may see resiliency as being subjective based on levels of development and technology or infrastructure availability. In some cases, issues of topography, weather, may also serve as a point of focus for us to consider, because we did talk about the physical protection on the ground, how do we store this infrastructure. Some places it’s nearly impossible, it’s a Herculean task for the infrastructure to be protected in case of being resilient. Then also for the Nigerian perspective, because I’m a regulator, we’ve come up with various policies. We have a Nigerian national broadband plan that helps us to fashion out stages, phases on how to ensure integrity, resiliency, recovery plan, standards for infrastructure across the country. Then like I did say, the critical national infrastructure information order did engage or gives plan for various stakeholders. I recall you did say it’s a private sector aware, the academia, all those are also included. It’s a model maybe for national level, regional or even other countries that may want to look at it. If we say we are looking at or developing standards, we are that proactive. I also want to say perhaps that’s part of what gave us that resilience, so to speak, from the submarine cable breakdown or cut. For regulations as well, we keep doing catch-up, it’s a cliche, but is it something that we want to look at? Can we get to a level where we start considering standards or policies or regulation that can be self-regulated? Maybe we come up with soft laws as regulators, thinking outside the box to speak to these global standards, or universal standards we are looking at, rather than putting laws or regulations like General Pawan did say that stifle innovation.

Alaa Abdulaal: I think there is one important point also that I want to build upon because it has been mentioned again, we cannot protect ourselves and be 100% resilient, but we as a country and even internationally, we always have to have like the right response plan for such emergencies. Yes, every country they have their recovery plans, incident response plan, but even I believe from an international level, or even sometimes on a regional level, we really need to have that set up in the right way for to have that immediate exchange of experience, immediate exchange of what did this country do to come back or recover from a specific incident. I think this is a very important point that we should consider specifically if we are talking about government being digitally resilient. And when you talk about the exchange, let me just clarify what you mean is that cross jurisdictional learning. Exactly. And that communication that takes place, I presume

Genie Gan: effectively through platforms such as DCO. So that’s great. Thanks a lot. And now there is actually, I know I’m sort of messing up with the order a little bit, but it’s really just to maintain that flow, because we have a comment from a member of the audience. I’m going to read it. And then I have a small question, which I may want to pose it to Ella. So the comment comes from Vahan. from RIPENCC. And he says, coming from different sessions at IGF, there is a feeling that we still don’t have a universal understanding of what is this DPI. I think Dr. Paola mentioned DPI. Neither the universal approach to what is a core, technical core or public core of the Internet. To develop standards, we should use the same language and have a universal agreed definition of these terms. So let us start from Internet and define what is important for us, what is a core and how we can protect it and ensure the resilience of it. So I think what he is really talking about is to have a common language that we speak when it comes to this topic. So my question is really, how can we begin to shape this common language? Any insights? Maybe Alla can start.

Alaa Abdulaal: Yes, definitely. And I totally agree with his comment. And before I answer this question, let me give you our challenge at DCO when we started. Our organization is focused on digital economy. And when we first started, okay, what is the definition of digital economy? Is there a universal understanding of what does it mean? What does it encompass? So I totally agree with him. The first point is to define and put in a framework the understanding of what we are trying to solve. This is the first, let’s say, ABC in any even research. When you start conducting a research, you really identify what is the question that you want to answer? What is the scope? What is in the scope? What is outside that scope? So, and for us to reach that, we need to sit together, as it’s a we problem that we need to solve. Because again, I can come up with my own definition, that you can come up with your own definition and understanding, but then what is the whole purpose? What is the mischief? Exactly. Yeah. So, we really need to bring all the stakeholders from government, private sector, academia on different region, on different countries. And I believe this is the role of, for example, our organization and other organization where we can bring all of the stakeholders in one table to start defining the definitions of what do we want to solve and then putting an action plan to actually come up with different solutions. Yeah. Yeah. Just wanted to add to this.

Pawan Anand: I think it’s a fair point, which has come from the person who made the comment. But when it comes to digital infrastructure, I think a reasonable amount of definition is in place, especially the technical definitions are, I think, across the globe, quite reasonably understood by all. Probably where the difference comes in is when you talk about policy. And there, the cultural difference begins to play. So there may be a few issues where the lexicon needs to be clarified in some cases when it comes to policy. But on the tech side, I think we are okay. In any case, at the moment, when it comes to AI and when it comes to responsible AI, we are still working out a lexicon. And when AI comes into digital infrastructure and cyber resilience, I think it will get more complicated. So there is definitely a need for some of that lexicon to be firmly put into place.

Genie Gan: I hope it’s not an interrogation. No, it’s not. Definitely not. I’m a lawyer, but I will not interrogate you, not today. What novel threats actually should public and private organizations, because obviously Dr. Pawan, you have experience from both ends, so what novel threats should public and private organizations be looking out for, and what strategies or technologies should be implemented to protect against these emerging threats?

Pawan Anand: So you asked novel threats, so everybody knows about how ransomware is in place, and millions have been paid out in various countries, so fine. So the threats are ransomware, there is a huge threat of DDoS attacks, so ransomware, DDoS attacks, APTs, APTs residing in all our computers, ready to give information all the time back to whoever’s placed them in our computers and in our servers. So I mean, these are the standard threats that we all know about, but what’s novel about some of them? We’re looking at cryptojacking, which seems to be now the more current threat which has come up, as more and more people get involved with cryptocurrencies, you’ll get more and more of these problems coming up. And God forbid when we have quantum coming in, then your blockchains are going to get compromised very easily, and crypto is going to face huge threats. So by that time, hopefully crypto would have also evolved, and blockchains would have evolved to take on the quantum threat. So there’s the speed of compute that quantum will bring in, will actually be a huge game changer, and it’s not coming now, but it’s coming in another… maybe 5-10 years. If the US and China are at about 1200 qubits, India is just struggling with 14 qubits at the moment. But India is really working on it and I think we’ll be there very quickly, especially as soon as we get our cryogenics in place. Another one would be border gateway protocols. I think everywhere, every country has their own kind of protection for border gateways. But these protocols need to be in place internationally, otherwise they’re bound to get compromised. And if that happens, then you’ll have a lot of data and a lot of information which either gets disrupted or gets diverted or is routed through somewhere else and then comes, so therefore fully compromised. Another threat I think is this watering hole attacks, which is very simple to understand. 
I mean, you just create, there are those places where everybody visits and those are the areas that need to be protected. So somewhere or the other we need to make sure that the usual watering holes are well protected and we have our policies in place for that. I mean, there could be, there will be as many novel threats as there are brilliant minds in the net and on the dark net. So I really won’t be able to give you something comprehensive on that, but this gives you a sense as to where we are heading.

Genie Gan: Thank you for those insights. I think they’re very interesting. Yes, please, Ronke.

Aderonke Sola Ogunsola: General has spoken from the technical side. Very technical. I like it. So I look at human error threats. Human capacity or human resources is usually key, whether organisation, government, nation. So another threat based on the speed and advancements of technology will be human itself. And like Alaa said, if you do not have adequate skills, you are vulnerable, no matter what technical structure we put in, you still have the human interface. So I believe at public level, private levels and even organizational levels, your human capacity needs to be updated and sensitization of cyber security or cyber protection needs to be consistent; it is not something you should leave open. Because once your human resource or capacity is vulnerable, you’re as good as exposed. Then for the policy level, another threat I may see may be inflexibility in regulation and policies. So as governments moving forward, it is expedient for us to rejig or rethink or reopen our minds to regulations. We know, like General Pawan did also say, that we should be careful so regulation would not stifle innovation. The advancement is unprecedented, the speed, but we should also come up as be responsive as policymakers to think outside the box. What kind of policies do we put in place? Yes, put up different structures, but how do we make sure it’s not obsolete on arrival? Yeah, obsolete on arrival. Of course, yes, please. I don’t, she’s absolutely right, the policy, policy in itself, if you don’t formulate policy, it’s a threat.

Pawan Anand: So, you know, in some ways, the focus is very narrow at times, because we tend to focus on protection. We tend to focus on disaster recovery, but there is very little focus because it requires money, it requires investment, it requires time and it requires skill at the initial stages to bring it in. So I think Kaspersky is in this business and I would really recommend that most of us, even though it would require time and effort to invest in the initial protection, it’s really important. That has to be prioritized by governments, by companies, by the KMPs, the key management personnel, it has to be prioritized by the financial guys.

Genie Gan: Thank you, thank you for that. I want to maybe ask Ronke, from the perspective of a regulator, what metrics do you think should be used to evaluate the effectiveness of resilience standards and how can organizations continuously improve their practices? So I can hear myself now.

Aderonke Sola Ogunsola: So what metrics? I think it should be homegrown or industry grown for metrics because we’ve had conversations talking about uniqueness of different experience. For me, our metrics would be measuring the quality and experience and resiliency recovery plan or disaster management ability or plans for different providers and government itself. So, how do you develop these metrics? It needs to be analytical and scientific, so to speak, because it has to be measurable and it’s something that needs to be adaptive. The technical people will definitely play a huge role in developing these metrics, but as a policy regulator, you should also be open to providing guidelines, so to speak, or coming up with frameworks that can be easily adopted and adaptable. Metrics should not be cast in stone. It should be something that you can review from time to time based on maybe advancement or change in technology or infrastructure expandment or when you expand or update or create your infrastructure. So, these metrics, it’s something for me that should be measurable, but it needs to be something that’s acceptable, developed by stakeholders, so to speak, and we cannot undermine the role of the multi-stakeholder engagement in promoting common good. Thank you for that.

Genie Gan: So, Alaa, how can we then ensure that, and that’s really because I’m tapping on your experience dealing with multi-stakeholder engagements and all that, how can we ensure that all stakeholders, whether they’re governments or they’re private sector or civil society and so on, are actively engaged in the development of digital resilience standards? What role does each play? Because it’s hard to handle. Everyone has got a different set of expectations or interests, and sometimes… they don’t agree. Oftentimes they disagree. So, tough job.

Alaa Abdulaal: So, look, I think we have touched upon this during all our questions and our discussions. Yes, every group has its own role, but again, I think it’s a shared responsibility between all groups. But majorly governments are responsible for shaping and setting the regulations and policies and making sure and frameworks that are needed to be digital resilience. And this responsibility of creating the rules and regulations, it shouldn’t be only that government should do, but they should involve the private sector in the process, the civil society also in the process to make sure that whatever they are coming up with from a regulation and policy, it is impactful and also can be executed easily. The private sector, when we look at the private sector, I think we know the private sector is the hub of innovation. They come up with the technologies, they are aware of all the new technologies and advancements that are happening. They are shifting the gears on the AI, on the computing power, quantum computing. So, it’s very important for them always to have that also conversation with the government. It’s very important for them to keep updating from a cybersecurity perspective and also support in the capacity building, the capacity building of human resources from a government perspective also, to have that support to the government. Again, also private sector can help a lot from a partnership in providing the right funds with the cooperation of the government. Again, as I said, I believe it’s, yes, every group have its role, but it’s a shared responsibility. And then we come to civil society and international organizations, the role of academia, the think tanks, where the research, the hub of the research, the hub of how to think of the new innovations, how we can come up with the right set of standards with all supported, but with the right data. This all comes from the civil society. 
Last but not least, international organizations, let’s say that we are the connector. We are the one who can put everyone together, try to find the common voice, try to unify the effort, try to find the synergies, because again, we need to look at where are the synergies in every group, in the government group, even the private sector group and the civil society group, from a research aspect, from a funding aspect, from a policy and regulation aspect. So for this all to happen, it needs really an effective engagement between those different stakeholders. It needs cooperation and collaboration. It means that we need a continuous dialogue, an open dialogue. We have mentioned this before, we are facing a new or a very quick era of things that are very developing and accelerating very quickly. So if we do not put our hands together, we will not be able to survive those changes. Be agile enough and be prepared. We are looking at different building blocks, infrastructure as physical infrastructure. The doctor mentioned the data aspect of it. We mentioned the human resource aspect. We mentioned services. It’s a huge, big ecosystem connected to each other. We cannot look at one building block by itself or one group by itself. Rather, we have to look at it as a whole and really adopt that effective communication with those different groups.

Genie Gan: Thank you for that. So everything from the definition of the problem to coming up with the resources, whether it’s thought leadership, research, or financial support, all the way to deriving at implementable solutions, we need that input from different segments of our ecosystem. Right. I got that. If speakers have nothing else to add, I would like to move on to a next question. Doctor, yes, please. No, please jump in. Thank you. I’m sorry for always cutting in. No, don’t be.

Aderonke Sola Ogunsola: I like what Alaa said about effective engagements, because that’s what has been on my head for a while. How do we move it from talks? We keep having all this conversation, IGF level, UN level, like you did say, GSMA, IETF, just name it. But how do we move it? And we also need to start focusing on conversation and make sure that we engage the right person. We did say earlier that we just need to move. But how do we move and move effectively? I totally agree with you. And I think this also goes to back when we when we talked about, let’s have a definition of the problem. Yes, then let’s

Alaa Abdulaal: put an action plan on what do we need to solve, then let’s all sit on that table and try to solve it. Conversation for this, the sake of conversation and dialogue will not take us anywhere. It needs really to be structured with a specific goal with a specific outcome that we want to reach. And then after that, also with a specific measurement, that our conversation and outcome and that we wanted, is it the correct one? Are we progressing in the right way? Again, with all this acceleration, and the thing and how things are really changing quickly, we really need to always to revise ourselves and and see how effective the current solution that we are doing are really impacting the progress that that we are aiming to.

Genie Gan: Okay. I think also today’s workshop and this dialogue that we’re having, I was hoping to produce a white paper that sort of captures our key highlights from today’s discussion, learnings. Well, I definitely learned a lot. And I think we’re learning from one another. And with this white paper, I’m hoping that we could gain some traction as well from the international audience that we have. And from there, work towards that common goal to find solutions that we can develop in order to galvanize everyone. And then from there, with these universal standards, be able to find ways that individual countries can customize for their own needs. I think this is a good start. I am mindful of time. I have only about 12 minutes left. I would like to ask a couple more questions before we do a summary of our discussions today. If I may, let me turn to Dr. Pawan with this question. How can resilience standards be designed not just for immediate response, but also to support long-term recovery after a disruption? What mechanisms should be in place in order to ensure organizations can bounce back effectively? I think the most important point here is to have a risk-based approach.

Pawan Anand: Therefore, going by the discussion that just took place between Alaa and Aderonke, I would say clearly that we need to have a framework which can be put in place, which talks about a risk-based approach in various sectors where we have our digital infrastructure and the resilience that we need to bring it to it. Going technically, of course, we would have to have a backup strategy. So wherever problems happen, we are able to recover from whatever losses have taken place. We have to have a constant update. Much of the time, we find that our softwares are outdated, our systems are outdated, and that’s why there is loss of data. There is outage time, so to say. We need to work around that to see that we are up to date when it comes to all our technologies. You can’t underestimate the skilling aspect. So, quite obviously, we have to bring people up to speed when it comes to the latest skills of this. So, the main things I would say is following a risk-based approach, create a framework, make sure that you have your backups, make sure you have a rehearsed strategy to bounce back. And that rehearsal part of it needs to be done very carefully because most of the time, again, organizations tend to feel that it’s going to take time away from the real work. And, you know, therefore, they just give it a bit of a lip service. And, of course, the human aspect is the final aspect. So, if people have to be trained, cyber hygiene has to be understood by everyone, they have to make sure that there is controlled access, that everybody understands the risks that the whole organization runs, how they personally run risks. I think we would be able to be in a situation where we don’t suffer from these threats.

Alaa Abdulaal: If you allow me to add, thank you. You have mentioned a very important point when we talk about recovery plans. I think it’s very important to think of the single point of failures that every country and system have, and not only looking at it from a backup perspective, but also having diversity of technologies and systems, not relying on a specific vendor, not relying on one company by itself. You need to really think of having that diversity of system and even looking at open sources because this will really make you build a very solid backup plan as well, as mentioned, because it’s very critical. We need to think out of the box regarding the regular recovery plans that we have, just having a backup, a disaster recovery from an infrastructure perspective, to really thinking of diversifying the systems, the technologies that we are using and even looking at open source.

Pawan Anand: Yeah, I think the best example I can give of something like this, what we just spoke of, is what happened in Denmark 2023, right? So over a period of about three months, there were repeated cyber attacks on their national IOT, critical information infrastructure, to the extent that even some of the dams or the dikes that they were working on, sorry, the dams that they were working on came under threat and they went immediately into island mode. And it took them a long time to get back onto the net. But they had their systems in place and literally people pulled out their cars and drove down and started operating systems physically. So quite obviously, they had worked it out well. But these are recovery plans which need to be very firmly put in place so that you don’t suffer outages. Okay. Okay, we’ve got people from the audience pinging us to say we want to ask questions. So quick ones. 10 seconds. Also, ensure that your infrastructure, you have redundancy and excess capacity, in addition to open source and not a single point of source. So it won’t hit you so hard if all these are put in place. And you also ensure that your infrastructure has enough capacity for redundancy. So if one goes down, you have that space like backup for your resilient buffer. Yeah, yeah. Cool. Thank you. Thank you, speakers. I’m gonna

Genie Gan: take a pause and take questions from the floor. I think some people pinged us. in the Zoom chat to say that. I think this gentleman, can we pass him a mic? No mic or you can, we can pass you a mic. Yeah, please. Thank you. Switch it on. Can you hear me now? Yes, perfect. Thank you very much and congratulations for the great talk.

Audience: My name is Dino Dell’Accio, I’m the Chief Information Officer at the UN Pension Fund, and I’m here in the IGF, I’m involved in the Best Practice Forum on Cybersecurity, and also leading the Blockchain Dynamic Coalition on Assurance and Standardization. Pleasure to meet you, sir. Likewise. So, I actually wanted to share a comment, because in my specific role in blockchain, what I’m facing is the lack of standards. And I want to be a little bit provocative in your case. I think that in the area of infrastructure resiliency, we do have universal standards. The ISO standards, for years, the whole series, ISO 27001, the 22301, I’m also an ISO auditor, are very well established, and ISO is represented by the National Standards Institute of each country in its technical committee that also is open to various stakeholders. So, is there here a risk to duplicate something, and instead to focus on something that already exists, should we instead focus on threat models? Because the way to translate standards into those specificities that we alluded to before in each country is actually to look at which risk each country is exposed to, because not all countries are exposed to the same risk. And maybe focus on threat modeling and risk assessment rather than reinventing a new standard.

Genie Gan: Thank you. I think it’s an excellent question. Any takers? I totally agree with you.

Pawan Anand: Everything you said made sense. So blockchain certainly would require standards. And I think we need to get down to defining those. But you talked about threat modeling and risk. That’s exactly what I meant by a risk-based framework as well. So each one of these will have to, whether you talk about infrastructure resilience, whether you talk about cybersecurity, you talk about AI, in each of these and across these domains, we’ll have to create frameworks. And that will have to be risk-based. The threat models you talk of will come from scenarios. And you need to keep building scenarios from where the threats emerge. And based on those scenarios that you game out, you’ll be able to actually see what kind of frameworks will have to be built around them. So I totally agree with you on that. And the way to go about it is what I just said. Anything else to add, ladies?

Genie Gan: All good? All right. Thank you. Thank you, sir, for that question. And remark, actually. Those are very good comments as well. Anyone else has got questions? I’m just… Yes, please, sir. You need the mic? Maybe just share the mic. Thank you. Am I being heard? Perfect. Okay. Sure.

Pawan Anand: Just to follow on what was just raised there, and what Dr. Pawan said about a risk-based approach to establishing standards, and we’re talking about universal standards here. The ISO standards came from somewhere. They were developed through some institutional framework. And the question would be, in taking the risk-based framework, are we identifying the institutions or the… the partners maybe that have to come together to develop the relevant universal standards for resiliency, that the various scenarios that we’re identifying need basically, right? I came in a bit late, so I don’t know if one of you are talking about institutions or anything like that before, but maybe in answering some of this, we could try to identify the ways forward. Who are the people who would like to take action on these things?

Aderonke Sola Ogunsola: Thanks. All right, so thank you for your comments. So I’ll start with the last speaker. I recall one of the goals for this conversation is to come up with a white paper. We’ve identified, I believe that’s why we’re all here. We’ve identified that perhaps we do need a universal standard. How do we go about this? I recall that Adela also did say that once we identified that we now move forward to practicality and that’s the next phase. We look at who are all the stakeholders involved. It’s not going to be lopsided conversation, but this is getting the conversation going. Yes, we do recognize the ISO standards and I like that you did say it comes, so the standards are developed by institutions. So what are the roles of these various institutions? I recall also did say earlier on that we have different pockets, regional pockets, national pockets, industry pockets, having conversation, having standards to address or even their own actions to address different issues regarding infrastructure resiliency. The fundamental point for me conclusively is Do we need to develop standards or a framework or measurable actions that would ensure universal resiliency of this infrastructure? Yes. Have we seen trends move from just developing cyber security frameworks to cyber resiliency? Because these threats will continue to come, networks will break, human capacity may fail or human error would occur. But how do we ensure that universally what happened with CrowdStrike, what happened with the submarine cable for the African region does not repeat itself? Genie, thank you.

Genie Gan: Thank you. Thank you for those remarks. I will, I have one minute left before some people have to run off. I will summarize our conversations in one minute and then we’ll call it a day, okay? So basically I think what we managed to discuss and agree on is that we do need universal standards which will form, which basically are a common language that we need to develop. And of course, how do we do that? How do we do that will be that we start by asking ourselves what exactly is the mischief or the problem that we’re trying to solve, the why, right? And then with these universal standards as a galvanizing, well, a galvanizer for everyone, we also will have to tap on shared experiences. And that is where the multilateral network, regional and international cooperation from within the community, cross-jurisdictional learnings will come in to play. I think we could also benefit from some use cases, learn from past experience, and then also coming down to the local level to make sure that we have localized implementation and solutions which will work for the individual countries in a customized manner. And that’s simply because nothing is one-size-fits-all. We also discussed some challenges that we could possibly be faced with and already are facing, which basically will be the very fast-evolving threats that are facing the world today, from a technical perspective or from a human element perspective, because humans can be the weak link, which is why we also touched on capacity building. And of course, lastly, the policy element, which basically the usual problem is that, like what Rongke had said, it usually becomes obsolete upon arrival. So we have to try to avoid that and make sure that the policies, the frameworks that we put in place are agile enough to respond or be an effective tool that can help us to respond better to evolving threats, which are fast and furious. And of course, lastly, I think a takeaway, again, I’m saying this again, Dr. 
Pawan had said that we really just need to get started. We just need to get started. So what we’ll do in terms of next steps is that we will compile today’s discussions into a white paper. And hopefully this will serve as a guiding reference for countries, for regions seeking to enhance their digital infrastructure resilience. And of course, thank you, everyone, for being a part of this panel discussion and important conversation. And we really look forward to continuing our work together to shape a more resilient digital future. Thank you. Well, my ears are hurting. Be there. Thank you. Have a good day. Thank you. Good bye. Bye.

Aderonke Sola Ogunsola

Speech speed

125 words per minute

Speech length

2664 words

Speech time

1271 seconds

Universal standards are necessary but implementation may require customization

Explanation

Aderonke argues that universal standards for digital infrastructure resilience are needed, but their implementation should be adaptable to local contexts. She suggests that standards can be global, like the SDGs, but implementation may require different approaches in different countries.

Evidence

Example of Nigeria’s experience in developing national policies and regulations for digital infrastructure resilience

Major Discussion Point

Need for Universal Standards for Digital Infrastructure Resilience

Agreed with

Pawan Anand

Alaa Abdulaal

Agreed on

Need for universal standards with flexible implementation

Differed with

Pawan Anand

Differed on

Approach to universal standards

Human error and lack of skills are major threats to resilience

Explanation

Aderonke identifies human factors as significant threats to digital infrastructure resilience. She emphasizes the importance of human capacity building and consistent cybersecurity sensitization to address these vulnerabilities.

Evidence

Reference to the need for adequate skills and consistent cybersecurity sensitization at public, private, and organizational levels

Major Discussion Point

Challenges in Developing and Implementing Standards

Pawan Anand

Speech speed

152 words per minute

Speech length

3129 words

Speech time

1232 seconds

Standards should be universal but regulations need to be flexible

Explanation

Pawan agrees with the need for universal standards but cautions against overly stringent compliances. He argues that while standards should be globally applicable, regulations should be flexible enough to allow for innovation.

Evidence

Distinction made between standards and compliances, with a warning about the risk of stifling innovation

Major Discussion Point

Need for Universal Standards for Digital Infrastructure Resilience

Agreed with

Aderonke Sola Ogunsola

Alaa Abdulaal

Agreed on

Need for universal standards with flexible implementation

Differed with

Aderonke Sola Ogunsola

Differed on

Approach to universal standards

Rapid technological changes make it difficult to keep standards current

Explanation

Pawan highlights the challenge of keeping standards and policies up-to-date in the face of rapidly evolving technology. He points out that emerging technologies like AI and quantum computing pose new threats that standards must address.

Evidence

Examples of emerging threats like cryptojacking and potential vulnerabilities in blockchain technology due to quantum computing

Major Discussion Point

Challenges in Developing and Implementing Standards

Agreed with

Alaa Abdulaal

Agreed on

Challenges in keeping standards current with rapid technological changes

Alaa Abdulaal

Speech speed

131 words per minute

Speech length

2203 words

Speech time

1005 seconds

Universal framework needed but must be adaptable to each country’s status

Explanation

Abdulaal argues for a universal framework for digital infrastructure resilience, but emphasizes the need for flexibility to accommodate different countries’ levels of readiness. She highlights the importance of customizing standards to fit the current status of each country.

Evidence

Reference to different levels of readiness and infrastructure availability across countries

Major Discussion Point

Need for Universal Standards for Digital Infrastructure Resilience

Agreed with

Aderonke Sola Ogunsola

Pawan Anand

Agreed on

Need for universal standards with flexible implementation

Economic and technological disparities between countries pose challenges

Explanation

Alaa Abdulaal identifies economic and technological disparities between countries as major challenges in adopting universal resilience standards. She points out that some countries lack basic infrastructure, while others struggle with financial and technological support.

Evidence

Mention of countries at different stages of readiness, some lacking basic infrastructure

Major Discussion Point

Challenges in Developing and Implementing Standards

Agreed with

Pawan Anand

Agreed on

Challenges in keeping standards current with rapid technological changes

Private sector plays key role in innovation and capacity building

Explanation

Alaa Abdulaal emphasizes the importance of private sector involvement in developing digital resilience standards. She argues that the private sector is crucial for innovation, technology advancement, and supporting capacity building efforts.

Evidence

Reference to private sector as the hub of innovation and their role in developing new technologies

Major Discussion Point

Multi-stakeholder Collaboration

International organizations can facilitate cooperation between stakeholders

Explanation

Alaa highlights the role of international organizations in fostering collaboration among different stakeholders. She argues that these organizations can help unify efforts, find synergies, and facilitate dialogue between various groups.

Evidence

Description of international organizations as connectors that can put everyone together and find common voice

Major Discussion Point

Multi-stakeholder Collaboration

Ensure diversity of systems and technologies to avoid single points of failure

Explanation

Alaa Abdulaal advocates for diversifying systems and technologies to enhance resilience. She suggests that relying on multiple vendors and considering open-source solutions can help build a more robust backup plan.

Evidence

Recommendation to avoid relying on a single vendor or company and to consider open-source options

Major Discussion Point

Strategies for Enhancing Digital Resilience

Audience

Speech speed

151 words per minute

Speech length

219 words

Speech time

87 seconds

Existing ISO standards may already provide universal framework

Explanation

An audience member suggests that existing ISO standards, such as ISO 27001 and 22301, already provide a universal framework for infrastructure resilience. They question whether there’s a risk of duplicating efforts by creating new standards.

Evidence

Reference to specific ISO standards (27001, 22301) and their established nature in various countries

Major Discussion Point

Need for Universal Standards for Digital Infrastructure Resilience

Lack of common definitions and language hinders development of standards

Explanation

An audience member points out the lack of universally accepted definitions for terms related to digital infrastructure. They argue that this absence of common language makes it difficult to develop effective universal standards.

Major Discussion Point

Challenges in Developing and Implementing Standards

Adopt risk-based approach and threat modeling

Explanation

An audience member suggests focusing on risk-based approaches and threat modeling rather than creating new standards. They argue that this approach would better address the specific risks each country faces.

Evidence

Suggestion to focus on which risks each country is exposed to, as not all countries face the same risks

Major Discussion Point

Strategies for Enhancing Digital Resilience

Agreements

Agreement Points

Need for universal standards with flexible implementation

Aderonke Sola Ogunsola

Pawan Anand

Alaa Abdulaal

Universal standards are necessary but implementation may require customization

Standards should be universal but regulations need to be flexible

Universal framework needed but must be adaptable to each country’s status

All speakers agree on the need for universal standards for digital infrastructure resilience, but emphasize the importance of flexible implementation to accommodate different national contexts and needs.

Challenges in keeping standards current with rapid technological changes

Pawan Anand

Alaa Abdulaal

Rapid technological changes make it difficult to keep standards current

Economic and technological disparities between countries pose challenges

Both speakers highlight the difficulty of maintaining up-to-date standards in the face of rapid technological advancements and disparities between countries.

Similar Viewpoints

Both speakers emphasize the importance of human capacity building and skills development in ensuring digital infrastructure resilience.

Aderonke Sola Ogunsola

Alaa Abdulaal

Human error and lack of skills are major threats to resilience

Private sector plays key role in innovation and capacity building

Unexpected Consensus

Multi-stakeholder collaboration

Aderonke Sola Ogunsola

Alaa Abdulaal

Pawan Anand

International organizations can facilitate cooperation between stakeholders

Private sector plays key role in innovation and capacity building

Despite coming from different sectors (government, international organization, and academia), all speakers unexpectedly agreed on the importance of multi-stakeholder collaboration in developing and implementing digital infrastructure resilience standards.

Overall Assessment

Summary

The main areas of agreement include the need for universal standards with flexible implementation, recognition of challenges posed by rapid technological changes, importance of human capacity building, and the necessity of multi-stakeholder collaboration.

Consensus level

There is a high level of consensus among the speakers on the fundamental aspects of digital infrastructure resilience. This consensus suggests a strong foundation for developing universal standards, but also highlights shared challenges that need to be addressed collectively.

Differences

Different Viewpoints

Approach to universal standards

Aderonke Sola Ogunsola

Pawan Anand

Universal standards are necessary but implementation may require customization

Standards should be universal but regulations need to be flexible

While both speakers agree on the need for universal standards, they differ in their emphasis. Aderonke focuses on customization in implementation, while Pawan stresses the need for flexible regulations to allow innovation.

Unexpected Differences

Existence of universal standards

Aderonke Sola Ogunsola

Alaa Abdulaal

Pawan Anand

Audience

Universal standards are necessary but implementation may require customization

Universal framework needed but must be adaptable to each country’s status

Standards should be universal but regulations need to be flexible

Existing ISO standards may already provide universal framework

While the main speakers discuss the need for developing universal standards, an audience member unexpectedly points out that ISO standards may already provide a universal framework, suggesting that efforts to create new standards might be redundant.

Overall Assessment

Summary

The main areas of disagreement revolve around the approach to universal standards, the balance between standardization and flexibility, and the recognition of existing standards.

Difference level

The level of disagreement among the speakers is moderate. While there is a general consensus on the need for universal standards or frameworks, there are varying perspectives on implementation, customization, and the recognition of existing standards. These differences could impact the development and adoption of universal standards for digital infrastructure resilience, potentially leading to challenges in creating a globally accepted framework.

Partial Agreements

All speakers agree on the need for universal standards or frameworks, but they have different perspectives on how to implement them. Aderonke emphasizes customization, Alaa focuses on adaptability to each country’s status, and Pawan stresses the need for flexible regulations to allow innovation.

Aderonke Sola Ogunsola

Alaa Abdulaal

Pawan Anand

Universal standards are necessary but implementation may require customization

Universal framework needed but must be adaptable to each country’s status

Standards should be universal but regulations need to be flexible

Takeaways

Key Takeaways

Universal standards for digital infrastructure resilience are needed, but implementation may require customization for different countries

Major challenges include human error, rapid technological changes, economic disparities between countries, and lack of common definitions

Multi-stakeholder collaboration involving governments, private sector, academia and international organizations is crucial

A risk-based approach focusing on physical protection, disaster recovery, and threat modeling is recommended

Existing ISO standards may already provide a universal framework that can be built upon

Resolutions and Action Items

Compile the discussion into a white paper to serve as a guiding reference for countries seeking to enhance digital infrastructure resilience

Start working on developing universal standards and frameworks rather than just continuing discussions

Unresolved Issues

How to develop standards that remain current given rapid technological changes

How to address economic and technological disparities between countries in implementing standards

How to establish common definitions and language around digital infrastructure resilience

Which specific institutions or partners should lead the development of universal standards

Suggested Compromises

Adopt universal standards but allow for flexible implementation based on each country’s unique needs and risks

Use existing ISO standards as a foundation but adapt them for digital infrastructure resilience

Balance regulation with allowing room for innovation in the private sector

Thought Provoking Comments

Infrastructure was described in a provocative manner as something that remains invisible until it’s broken down.

speaker

Aderonke Sola Ogunsola

reason

This comment provides a thought-provoking perspective on infrastructure, highlighting its critical yet often overlooked nature until problems arise.

impact

It set the tone for discussing the importance of digital infrastructure resilience and why it needs attention before crises occur.

We need to broaden our focus to include not only the security of information and data, but also the physical and operational resilience of the digital infrastructure that house these information and data.

speaker

Genie Gan

reason

This comment expands the traditional view of cybersecurity to include physical infrastructure, introducing a more holistic approach.

impact

It broadened the scope of the discussion to include physical and operational aspects of digital infrastructure resilience, not just data security.

When it comes to emerging tech, AI in cybersecurity begins to get more and more important for us. So the ethical use of AI and also the responsible use of AI is so important.

speaker

Pawan Anand

reason

This comment introduces the critical intersection of AI and cybersecurity, highlighting ethical considerations.

impact

It shifted the conversation to include emerging technologies and their ethical implications in digital infrastructure resilience.

Universal standards is not negotiable. I think it’s something that’s meant to be open and something that needs to be adopted.

speaker

Aderonke Sola Ogunsola

reason

This strong stance on the necessity of universal standards challenges the idea that each country needs a completely unique approach.

impact

It sparked a discussion on balancing universal standards with local implementation needs.

Are those standards agile enough? In fact, too fast. Exactly. We are talking about AI. We are even now talking about computers, quantum computing.

speaker

Alaa Abdulaal

reason

This comment raises the crucial question of whether standards can keep pace with rapidly evolving technology.

impact

It introduced the need for agility and future-proofing in developing digital infrastructure resilience standards.

I think in the area of infrastructure resiliency, we do have universal standards. The ISO standards, for years, the whole series, ISO 27001, the 22301, I’m also an ISO auditor, are very well established… Should we instead focus on threat models?

speaker

Audience member (Dino Dell’Accio)

reason

This comment challenges the premise of needing new universal standards and suggests a focus on threat modeling instead.

impact

It prompted the panel to consider existing standards and shifted the discussion towards practical implementation and risk assessment approaches.

Overall Assessment

These key comments shaped the discussion by expanding its scope from traditional cybersecurity to a more comprehensive view of digital infrastructure resilience. They introduced considerations of physical infrastructure, emerging technologies like AI and quantum computing, and the need for agile, universally applicable standards. The discussion evolved from defining the problem to exploring practical implementation challenges, balancing universal standards with local needs, and considering existing frameworks. The audience input near the end prompted a reflection on whether new standards are needed or if the focus should be on applying existing ones through threat modeling and risk assessment.

Follow-up Questions

How can we develop a common language and universal definitions for digital infrastructure and related concepts?

speaker

Vahan from RIPE NCC (audience member)

explanation

A universal understanding of terms like DPI (Digital Public Infrastructure) and core/public core of the Internet is needed to develop effective standards and ensure all stakeholders are on the same page.

How can we move from conversations to effective action in developing and implementing digital infrastructure resilience standards?

speaker

Aderonke Sola Ogunsola

explanation

There is a need to translate discussions into concrete steps and engage the right stakeholders to make progress on digital infrastructure resilience.

How can we design resilience standards that support long-term recovery after disruptions?

speaker

Genie Gan (moderator)

explanation

Understanding how to create standards that address both immediate response and long-term recovery is crucial for comprehensive digital infrastructure resilience.

How can we ensure that resilience standards and frameworks remain agile and responsive to rapidly evolving threats?

speaker

Alaa Abdulaal

explanation

Given the fast pace of technological change and emerging threats, it’s important to develop standards that can adapt quickly.

What role can open-source technologies play in enhancing digital infrastructure resilience?

speaker

Alaa Abdulaal

explanation

Exploring the potential of open-source solutions could provide additional options for creating diverse and resilient digital infrastructure.

How can we better integrate threat modeling and risk assessment into the development of digital infrastructure resilience standards?

speaker

Dino Dell’Accio (audience member)

explanation

Focusing on specific threats and risks faced by different countries could help tailor universal standards to local needs.

Which institutions or partners should be involved in developing universal standards for digital infrastructure resilience?

speaker

Unnamed audience member

explanation

Identifying the key stakeholders and institutions needed to create and implement universal standards is crucial for moving the process forward.

Disclaimer: This is not an official record of the session. The DiploAI system automatically generates these resources from the audiovisual recording. Resources are presented in their original format, as provided by the AI (e.g. including any spelling mistakes). The accuracy of these resources cannot be guaranteed.