Nri Collaborative Session Navigating Global Cyber Threats Via Local Practices

Summary

This discussion focused on navigating global cyber threats through multi-stakeholder cooperation, examining how national, regional, and international collaboration can build stronger cybersecurity frameworks while balancing innovation, security, and human rights protection. The panel featured representatives from Internet Governance Forums across Ecuador, Netherlands, Panama, Serbia, and South Africa, moderated by Jennifer Chung from DotAsia.

Carlos Vera from Ecuador IGF emphasized four key principles for addressing AI and IoT cybersecurity concerns: security by design, local empowerment through capacity building, participatory governance involving all stakeholders, and global frameworks adapted to local realities. He stressed that ethics must apply not only to end users but also to governments and companies handling sensitive information. Dejan Djukic from Serbia’s registry operator highlighted the challenge of regulation keeping pace with rapidly evolving technology, noting that community involvement is essential since regulatory responses are often too slow. He illustrated the complexity of DNS abuse mitigation through a recent case involving illegal weapons sales, demonstrating how multi-stakeholder cooperation between registries, registrars, and law enforcement is crucial for effective action.

Lia Hernandez from Panama emphasized that cybersecurity must become a permanent state policy rather than shifting with political administrations, and that legal frameworks need updating to address new cybercrime trends. Dennis Broeders focused on the critical challenge of information sharing for cybersecurity resilience, explaining how various stakeholders—intelligence agencies, companies, and threat intelligence firms—have institutional disincentives to share valuable security information despite its collective benefits. Latty Thlaka from South Africa described their comprehensive national approach including the Cybersecurity Hub and multi-stakeholder structures, while acknowledging tensions between cybersecurity laws and privacy protections. The discussion concluded with consensus that cybersecurity requires inclusive governance, harmonized international frameworks, continuous capacity building, and recognition that defending networks ultimately means defending people, democracy, and human dignity in the digital world.

Keypoints

## Major Discussion Points:

– **Balancing Innovation with Security in Emerging Technologies**: The panel discussed how AI and IoT are transforming communities while creating new cybersecurity risks, particularly for local communities with limited digital literacy. Key concerns include data privacy violations, vulnerable infrastructure in smaller organizations, and the need for “security by design” approaches.

– **Information Sharing Challenges and Incentives**: A significant focus on the barriers to cybersecurity information sharing between organizations, including intelligence agencies, companies, and threat intelligence firms. The discussion highlighted how different stakeholders have conflicting incentives – companies fear reputational damage and liability, while intelligence agencies prioritize secrecy over transparency.

– **Multi-stakeholder Cooperation and Governance**: Emphasis on the need for inclusive, multi-stakeholder approaches to cybersecurity that involve government, private sector, civil society, academia, and local communities. Several speakers stressed that underrepresented groups, including youth and marginalized communities, must have seats at the decision-making table.

– **Regional Variations in Legal Frameworks**: Discussion of how different regions are adapting international cybercrime conventions (Budapest Convention and UN Cybercrime Convention) to local contexts, with speakers noting that “one size fits all” approaches don’t work and that legal frameworks must consider local political, geographical, and economic realities.

– **Capacity Building and Local Empowerment**: Strong emphasis on the need for comprehensive education and capacity building programs that go beyond technical training to include citizens, local leaders, and law enforcement. Speakers highlighted the importance of utilizing local talent from universities and ensuring cybersecurity becomes a sustained state policy priority rather than changing with political administrations.

## Overall Purpose:

The discussion aimed to explore how national, regional, and multi-stakeholder cooperation can build stronger global cybersecurity resilience while balancing innovation, security, and human rights protection. The session focused on examining the tension between cybersecurity legislation and privacy/data protection, sharing best practices from different regions, and identifying actionable approaches for addressing evolving cyber threats through inclusive governance models.

## Overall Tone:

The discussion maintained a collaborative and constructive tone throughout, with speakers building upon each other’s points rather than disagreeing. The atmosphere was professional yet accessible, with moderator Jennifer Chung effectively facilitating engagement between panelists and audience members. The tone became increasingly solution-oriented as the session progressed, moving from problem identification in the early presentations to concrete recommendations and calls for action in the latter portions. There was a consistent emphasis on pragmatism over idealism, with speakers acknowledging the complexities and trade-offs involved in cybersecurity governance while maintaining an optimistic outlook about the potential for multi-stakeholder cooperation to address these challenges.

Speakers

**Speakers from the provided list:**

– **Jennifer Chung** – Moderator, affiliated with DotAsia

– **Carlos Vera** – Executive Director of ISOC Ecuador, affiliated with IGF Ecuador

– **Dennis Broeders** – Professor of Global Security and Technology, Senior Fellow at the Hague Program on International Cyber Security, Institute of Security and Global Affairs at Leiden University, Project Coordinator of EU Cyber Direct, affiliated with Netherlands IGF

– **Lia Hernandez** – Founder of Appendatech, affiliated with Panama IGF, Panamanian lawyer working in Central American region and Spanish-speaking Caribbean

– **Dejan Djukic** – CEO of RNIDS, affiliated with Serbia IGF

– **Latty Thlaka** – Chairperson of the South Africa IGF multistakeholder committee, affiliated with South Africa IGF

– **Bangladesh IGF representative** – Mohammad Abdullah Gono, Secretary-General of Bangladesh Internet Governance Forum

– **Godsway Kubi** – Lead facilitator for online cybersecurity, representing Ghana IGF, online moderator

– **Mary Uduma** – Representative from Nigeria Internal Registration Association, .NG managers

– **Audience** – Dr. Nazar (specific role/title not clearly mentioned)

**Additional speakers:**

– **Emmanuel** – Remote participant who asked questions online (specific role/expertise not mentioned)

# Navigating Global Cyber Threats Through Multi-Stakeholder Cooperation: Discussion Report

## Introduction

This discussion examined building global cybersecurity resilience through multi-stakeholder cooperation, bringing together representatives from Internet Governance Forums across multiple countries. Moderated by Jennifer Chung from DotAsia, the session featured Carlos Vera (Executive Director of ISOC Ecuador), Dennis Broeders (Professor at Leiden University), Lia Hernandez (Founder of Appendatech, Panama), Dejan Djukic (CEO of RNIDS, Serbia), Latty Thlaka (Chairperson of South Africa IGF), with audience participation from Mohammad Abdullah Gono (Secretary-General of Bangladesh IGF), Godsway Kubi (Ghana IGF), and Mary Uduma (Nigeria Internal Registration Association). Godsway Kubi also served as online moderator, facilitating questions from the online platform.

Jennifer Chung opened by highlighting the scale of the challenge: “Global cyber crime is projected to cost 10.5 trillion annually by this year,” emphasizing the need for collaborative approaches to address cybersecurity threats while balancing innovation, security, and human rights protection.

## Key Speaker Perspectives

### Emerging Technology Challenges: AI and IoT Security

Carlos Vera from Ecuador IGF addressed cybersecurity concerns in AI and IoT technologies, outlining four fundamental principles. First, security by design, ensuring cybersecurity is embedded from initial development stages. Second, local empowerment through capacity building, investing in training citizens and local leaders. Third, participatory governance involving all stakeholders. Fourth, global frameworks adapted to local realities.

Vera highlighted specific concerns including data privacy violations in communities with limited digital literacy, vulnerable infrastructure in smaller organizations lacking cybersecurity resources, and trust issues affecting rural communities and minorities.

Significantly, Vera reframed the ethics discussion: “We are talking about ethics, but it’s not only what you as a user can and cannot do. It has to be also with what governments and what companies can and cannot do. They have all the information, they have all the knowledge. They only do not release the final user. So we have to work on ethics also beyond the final users.”

### Information Sharing Challenges

Dennis Broeders identified information sharing as a critical barrier to effective cybersecurity cooperation. He explained how various stakeholders have institutional disincentives to share valuable security information despite collective benefits.

“Sharing would be fantastic. I love sharing, it’s very nice. But institutionally, many of these organisations are biased against sharing. They have no interest in sharing or they have interest in sharing certain things, but not other things,” Broeders observed.

He noted that intelligence agencies prioritize secrecy, companies fear reputational damage from disclosing incidents, and threat intelligence firms view information as intellectual property. However, he highlighted successful models, particularly C-certs and the cert community, which are effective at information sharing due to their health and safety approach rather than security-focused mindset.

Broeders also distinguished between public and private approaches to infrastructure management: “We have larger and larger companies doing things that traditionally were public utilities, but we have put them in the hands of private corporations who do not have a public ethos. They have a private ethos, they’re there to make money.”

### Regulatory Implementation and Multi-Stakeholder Cooperation

Dejan Djukic from Serbia highlighted challenges of regulation keeping pace with rapidly evolving technology. He emphasized that while regulation is necessary, it is often too slow to follow technology evolution, requiring community involvement to fill gaps.

Djukic provided a concrete example involving illegal weapons sales websites, describing a multi-week process involving registrars, police, and prosecutors that demonstrated how multi-stakeholder cooperation between registries, registrars, and law enforcement is crucial for effective action.

He noted that stricter regulations like the NIS2 directive create compliance costs, raising questions about whether expanding reporting obligations will actually create more resilience as intended.

### Global South Perspectives on Policy Continuity

Lia Hernandez from Panama emphasized that cybersecurity must become permanent state policy rather than shifting with political administrations: “It’s necessary that the states establish the issues of cybersecurity or cybercrime like as a state policy. Most of the countries in Central America and the Caribbean, they change of government every four or five years. And for that reason, they also change the priorities.”

Hernandez argued that legal frameworks need updating to address new cybercrime trends and expressed skepticism about existing international conventions, suggesting countries should take the best elements from both the Budapest Convention and UN Cybercrime Convention rather than wholesale adoption.

### Human Rights and Multi-Stakeholder Governance

Latty Thlaka from South Africa described their national approach, including the Cybersecurity Hub and multi-stakeholder structures, while acknowledging tensions between cybersecurity laws and privacy protections. She mentioned specific frameworks including the SADC strategy and AU Malabo Convention.

Thlaka emphasized that “Cybersecurity resilience is not just about defending networks, it’s about defending people, democracy, and dignity in a digital world,” framing cybersecurity as fundamentally a human rights, development, and governance issue.

She described South Africa’s comprehensive legal framework but acknowledged implementation challenges and potential overreach, noting growing tension between cybersecurity laws and constitutional duties to uphold privacy and data protection.

## Audience Participation and Additional Perspectives

Mohammad Abdullah Gono from Bangladesh IGF reinforced the importance of community-based awareness and multi-stakeholder engagement, arguing these approaches are more effective than top-down strategies.

Mary Uduma from Nigeria’s .NG registry emphasized that capacity building with law enforcement is crucial for effective cybercrime response, noting that many law enforcement agencies lack technical understanding necessary to effectively investigate and prosecute cybercrimes.

Online questions facilitated by Godsway Kubi included inquiries from Emmanuel about international frameworks for Global South law enforcement agencies, highlighting the global nature of these challenges.

Dr. Nazar from the audience highlighted that local universities create skilled young people whose talents are underutilized by companies and governments, raising questions about better integrating available local cybersecurity expertise.

## Key Themes and Observations

The discussion revealed several recurring themes. Multi-stakeholder cooperation emerged as essential, with all speakers emphasizing that cybersecurity challenges require collaborative approaches involving government, civil society, private sector, technical community, and citizens.

Information sharing was recognized as crucial but facing significant practical barriers, with institutional disincentives preventing effective implementation despite acknowledged benefits.

Capacity building across all stakeholder groups was consistently emphasized, extending beyond technical training to include broader digital literacy and understanding.

The effectiveness of internet governance organizations, particularly C-certs, was noted as a successful model for information sharing due to their health and safety approach rather than security-focused mindset.

## Different Approaches to Implementation

While speakers agreed on fundamental principles, they offered different perspectives on implementation strategies. Dennis Broeders emphasized the need for regulation when private companies prioritize profit over public interest, arguing that voluntary cooperation has limitations.

Carlos Vera, however, emphasized citizen empowerment and democratic accountability: “We, the citizens, have not to forget that we are the boss, really. If the government doesn’t have the capacity to share the responsibility, the accountability, and the decision-making process, we can change the government. And if the company doesn’t work observing the right condition of the consumers, we can change the company.”

## Conclusion

The discussion demonstrated cybersecurity as a complex challenge requiring coordinated responses across multiple domains. Speakers consistently moved beyond technical solutions to address questions of accountability, democratic governance, and human rights in the digital age.

The session highlighted both the potential for multi-stakeholder cooperation and the practical challenges of implementation, from institutional barriers to information sharing to the need for policy continuity across changing governments. The conversation emphasized that cybersecurity is not merely a technical issue but a governance challenge requiring inclusive approaches that protect both networks and fundamental human rights.

Carlos Vera’s closing emphasis on citizen agency provided a framework for understanding cybersecurity governance as fundamentally about democratic participation and accountability, where citizens have both responsibility and power to influence the future of cybersecurity governance.

Jennifer Chung: My name is Jennifer Chung, I’m with DotAsia, and I’ll be your moderator for today. Just a quick housekeeping note for the people sitting in the U-shape. These mics are pushed to talk, so they’re not the ones that are on the entire time. Just a quick reminder. So, navigating global cyber threats. In an increasingly interconnected world, cyber security challenges are growing in scale and complexity. Global cyber crime is projected to cost 10.5 trillion annually by this year, posing serious risks to institutions, economies, and fundamental rights. So this session is going to look at the good practices and the actual impacts, how national, regional, multi-stakeholder cooperation can build stronger and more resilient cyber security frameworks while balancing innovation, security, and the protection of human rights. We’ll have a key focus on the tension between the cyber security legislation on the one hand, and existing privacy and data protection matters on the other. In some cases, stricter regulations on service providers, such as DNS operators, may also inadvertently undermine effective, rights-respecting security mechanisms that are already in place. We’re going to hear from all the different speakers from NRIs around the world here up on the stage. But, of course, this is a dialogue, and we invite everybody that can see down there. If you’d also like to move up to the U-shape, we really do welcome you. If you’re not comfortable, I think there’s also mics on either side as well. We’d love to hear your thoughts on this. We have an expert panel to set the stage for everyone. I’m going to do a very quick introduction, and then I’m going to go into the policy questions that I will ask them. To my right, we have Mr. Carlos Vera. He’s the Executive Director of ISOC Ecuador. Next to him, we have Mr. Dennis Broeders, the Professor of Global Security and Technology, a Senior Fellow at the Hague Program on the International Cyber Security, and Institute of Security and Global Affairs, Leiden University. He’s also the Project Coordinator of EU Cyber Direct. He’s also affiliated with the Netherlands IGF. Next to Dennis, we have Ms. Lia Hernandez. She is the founder of Appendatech, and she’s also affiliated with Panama IGF. To my left, we have Mr. Dejan Djukic. He’s the CEO of RNIDS and also affiliated with Serbia IGF. And finally, but not least, we have next to Dejan, Ms. Latty Thalaka. She is the chairperson of the ZIA IGF multistakeholder committee and is affiliated with South Africa IGF. So with this illustrious panel, actually, and good NRI colleagues, I’d like to turn first to Carlos to speak really from your point of view, IGF Ecuador as well. In a world where AI and IoT are increasingly shaping our lives, what are the key cybersecurity concerns faced by local communities? And how can we strike a balance between fostering innovation and ensuring security in these emerging technologies?

Carlos Vera: Thank you. Good morning, everyone. And thank you for the opportunity to speak here at the IGF 2025 in Norway. I’m Carlos Vera from Internet Society Ecuador and from IGF Ecuador in Lattyn America. Please allow me to read you to necessary time constraints. As we agree today, AI and IoT are no longer distant concepts. They are in our homes, schools, hospitals, and increasingly in our local governments and public service. This technology offers great potential, but they also bring real cybersecurity risks, especially for local communities. Let me highlight three of the most pressuring concerns. First, data privacy and misuse. IoT devices collect a lot of information about us. But in smaller communities where the digital knowledge may be limited, that data is often collected without real understanding or consent. This creates real risk of surveillance, profiling, or unintentional harm. Second, vulnerable infrastructure. Local authorities and small organizations often lack resources to protect the digital systems. That makes a prime target for cyberattacks, especially ransomware, which can cripple schools, hospitals, or even our water systems. And third, trust and inequality. When AI systems are biased or when IoT systems fail, people lose trust. And those who are already vulnerable, rural communities, minorities, low-income groups, are often the ones most affected. So, how do we move forward? How do we embrace innovation while also protecting our communities? Let me suggest four principles. One, security by design. We must demand that AI and IoT systems are secure from the beginning. Two, local empowerment. We need to invest in training and capacity building, not just for engineers in big tech corporations, but for the citizens, for the local people, for the local leaders. They are the ones who manage, who use, who maintain the system, and they deserve the tools and knowledge to do it safely. Three, participatory governance. That’s what we call and we are talking about all these IGF in Norway, the multistakeholder governance. It is really necessary to participate. We need inclusive process where citizens help shape how AI and IoT are used in our lives. And let me have a small reflection about this. While United Nations, European Commission on Union and ITY, they play a key role in the making of standards of participation in the IGF, we still need more civil society spaces like internet society, when the civil society, the academy, the private sector and the tech community can participate. And four, global frameworks for local action. In this kind of things, in this kind of public policies, in this kind of law, one size fits all doesn’t work. We need to take account of the local community, the necessities and reality. And I have another reflection here about the ethics. We are talking about ethics, but it’s not only what you as a user can and cannot do. It has to be also with what governments and what companies can and cannot do. They have all the information, they have all the knowledge. They only do not release the final user. So we have to work on ethics also beyond the final users. And without security, without cyber security, there is no sustainable innovation. And finally, a call to action. Let’s empower our communities to lead the way. Thank you very much for your question Jennifer.

Jennifer Chung: Thank you Carlos. You brought together actually very, very important points and thank you for setting the scene about that. I think the four points that you gave us to take away is actually very good action points that we need to have security by design, local impairment and participatory governance especially when we’re looking at the multi-stakeholder model here. Actually a quick reflection before I go to our next speaker is this morning I heard at one of the sessions he came up and he said he was a coder and he said I’m here, I’m listening to all these policy people speak but where are the people who make and do and code? We really need to bring in all of these communities that actually can take action from the policy that we’ve shaped here to be able to have real impact. So I think that’s actually very important to have that as well. I’m now going to move on to Mr. Dejan Djukic and I know for RNIDS you are the CCTLD for Serbia and also of course Serbia IGF and maybe a little shift towards that question. Do you think and will stricter regulations on tech service providers really and truly improve overall security? What are the costs for both service providers and end users?

Dejan Djukic: Thank you for interesting question, good afternoon everyone. Regulation is necessary as threat becomes more and more sophisticated every minute but in most cases regulation is too slow to follow technology evolution. We have many examples of that like GDPR now needs two directives so the evolution of regulation and technology are not fast at the same time. So that’s the reason why community involvement is essential. So we cannot sit and wait for the regulator to solve all our problems. raising awareness that is something that we have to do constantly. Improvements are needed, following up to stricter regulation can help us to be the top of our game, perhaps much faster than it’s done nowadays. Five years ago, we didn’t have those sophisticated threats like today. However, TechKip’s security on a top priority reinvents solutions to protect infrastructure and services it provides. That is what keeps our system stable and running. Caution is also needed by all parties, however, especially for lawmakers. In general, it’s really challenging to find balance between privacy and security. When we speak about time age before NIS2 directive, our TLD decided to collect fewer personal data in our database and we came to that solution in cooperation with Data Protection Authority. But now when NIS2 came into force in most countries in EU and we are preparing our local laws, we will have to collect same amount of data as time before of the most probably we collected before. So, when we started first time our domain registration in our TLD, we collected documents and we are allied with GDPR, we decided that no documents are needed to collect. In our zone, abuse is small and we have 150,000 domain registrations and around 100 domain reported abuse in 2024. So, of course, the law applies to everyone, but numbers are cruel sometimes. And definitely there will be cost for users and operators as well. Because operators have to improve their systems, but users also have to be prepared to use those improved systems as well. And when we speak from perspective of DNS operator, established as a private foundation like Serbian TLD, multi-stakeholder cooperation is essentially important. So since we don’t have any executive power regarding fighting abuse and cyber crime, involvement of relevant parties are necessary. So on a local level, we cooperate many with organizations in order to raise awareness. With our partners, we organized many cyber security conferences, workshops, and hackathons. So also in concrete cases of cyber crime, we also need the assistance of relevant authorities. So I can raise an example from a few days ago. It was a situation with several domain names that with the website that are offering illegal weapons on them. Since we are not dealing as a registry with the content, we contacted the registrar to check the registration data. And after the registrar confirmed that data is correct, we couldn’t do much. And we started to communication with the local police, cyber crime police, and after continuous communication of few days and mostly few weeks, they managed to provide public prosecutor order and we finally suspended those several domains used for weapon selling. So that’s just one illustration, an example how cooperation is important and sharing relevant data and knowledge among stakeholders is crucial. Thank you.

Jennifer Chung: Thank you very much, Dejan. You actually touched on a whole host of really critical items that has actually been discussed very much now, DNS abuse, in the ICANN context as well, looking at how it’s not just policymaking in a very narrow scope there, but. In actual practice, registry operators, registrars as well, as well as local jurisdiction, local law enforcement, there is a whole host and chain of how you can actually address and mitigate and report and finally do any takedowns, if that is what it is. I do note that, you know, the original question was asking really about stricter regulations, but you gave us a very comprehensive mapping of what it actually means to the end user, to the operators, and actually for the Internet, I guess, as a whole as well. So thank you for that sharing. So now I’m going to turn over a little bit to policy approaches. I’m going to go over to Ms. Lia Hernandez. So Lia, I guess from your point of view as founder of Epanditec and also from the Panama IGF point of view, which policy approaches can be adopted to effectively educate social media and Internet users to identify and avoid emerging cybercrimes such as online scams and phishing attacks? Lia.

Lia Hernandez: Thanks, Jennifer. Are you hearing me? Yeah. Good morning. Well, good morning. My name is Lia Hernandez. I am a Panamanian lawyer. I’m based in Panama City, but my work is focused more in the Central American region and the Spanish speaker Caribbean. So I’m going to talk based on my experience in my region, mainly in my region and in some countries in Lattyn America, because we have the same issues regarding to the application of cybersecurity or cybercrime standards. And actually, I think that to effectively educate the users on social media, social network, on the Internet is not enough the capacity building. It’s necessary that the states establish the issues of cybersecurity or cybercrime like as a state policy. Most of the countries in Central America and the Caribbean, they change. of government every four or five years. And for that reason, they also change the priorities. So maybe in Panama right now, my hometown, cybersecurity is a priority. But in five years, there’s not going to be a priority anymore because a new government and the EU party arrived to the power. So for that, I think that it’s not enough to say that we have a commitment with the cybersecurity or we have a commitment with the cybercrime. We must really be and incorporate in our agendas the agenda of the governments and the policymakers topics as cybersecurity, digital security, cybercrime. And also, it’s very important to adequate our legal frames war to the new trends on cybercrime times. We have two main cybercrimes conventions in the world, the Budapest Convention and the recently approved United Nations Cybercrime International Convention. I know that not all of us, we are agreed with the test of these two conventions. But most of the governments of our region have approved and have signed Budapest. But till now, they haven’t adequate their local legislation. So for that, I think that it’s necessary to take the best of all of these documents, the Budapest Convention and the UNESCO Convention, and maybe adequate our legal frames war because if we don’t have a crime in our criminal code, it’s very difficult to avoid these kind of conducts in the cyber space. So I also have to say that there is not sufficient the legal frame wars, the reference. We must take actions. We must take action. Stop saying that cybersecurity is the priority in my country. We just educate the citizens, from the kids, to the teenagers, to the senior people, and to explain then how the internet really works. which are the rigs to use the internet for this or this way. And don’t tell them, you shouldn’t do this or you shouldn’t act like this. Because when you talk with the kids and you say don’t do that, they are going to try to do it. So it’s better to explain them how really works the internet and the consequence of they don’t use the internet in the right way. And after that, talking about the good, the bad and the ugly of the internet. And we must educate them so they know how to identify the real risk. So I think that this is my opinion about this question, Jennifer, Mike. Thanks.

Jennifer Chung: Thank you, Lia. Especially bringing up, you know, there is always this shift when you have a shift in administration, there is a shift in priorities. And the fact that we do have the two conventions also doesn’t mean that, you know, it has been reflected in all over, you know, global and I guess to the local jurisdictions and legislations as well. Very important part about capacity building. I think it needs to be done holistically across the board as well. Now we are going to turn over to Dennis, Dennis Broeders. I guess maybe with the context of what you heard from the previous speakers, I don’t know if you can pull this into, you know, your response as well. The question really is how can national and regional multi-stakeholder cooperation help build a stronger global cybersecurity resilience? Dennis.

Dennis Broeders: Thank you, Jennifer. I will try to draw in a few things, but I will focus on a much more smaller, but actually quite big element. So I want to focus on the relationship between cybersecurity, information sharing and resilience. So keeping it a little small. So most countries also internationally say, okay, the value of information sharing is like a mantra, right? Then also the value of public-private cooperation in information sharing. is also a mantra. So I’m talking about the sharing of information about digital vulnerabilities, about incidents, about methods of states and criminal actors, so threat intel in short, right? So everybody realizes the value of information sharing for digital resilience, and yet in practice, it proves to be something that is actually very difficult. I’ve seen many forums also here talking about it. In my country, the Netherlands, every single cybersecurity strategy we had underlines the importance of information sharing, and every single strategy we had says we need to do better, right? So that’s where we are. Most recent cyber strategy, 2022, 2028, again, puts information sharing front and center, and also acknowledges that information exchange is still fragmented, and it undermines the cyber resilience of companies, of organizations, and of society as a whole. And to a certain extent, and I think many people realize that that’s easily explained, right? All the organizations that have information that would affect others, that would benefit others, they also have good or at least understandable reasons not to share that information. So information is often not shared, and there are reasons for that, right? If you look at different organizations, intelligence agencies, right? They have lots of information. They never tire of telling us, right? We know everything, but they have a professional focus on national security that comes with an emphasis on secrecy. They have limited incentive to share information with others. Internationally, they have a quid pro quo relationship with their sister organizations in other countries, and they also have an organizational interest in keeping certain vulnerability behind because they may prove useful for their own work. So transparency there is not optimal, let’s put it that way. Then we have companies, governments, organizations, they all have information that is useful when they have been breached or attacked. Bigger companies will have information about what they see in their own networks that will be useful for others. But when it comes to breaches and vulnerabilities, they also have very little incentive to share. It can lead to reputational damage. It can open them up for claims, for liabilities. So sharing, and also sharing does not necessarily get them any meaningful response from other companies, right? So why share? Then we have threatened our companies, right? The manions of the world, basically. They have a lot of data. They have a lot of information on their clients, mostly. Mostly the big companies do Western big companies, so they have mostly biased information with a Western bias. When you talk to them, they see the value of sharing, but they’re not that eager to share, which is also logical because it’s their business model to use and market that information. So resilience, societal resilience is nice, but profits is better. So no transparency, there’s client privilege, and there’s NDAs on the information. The most effective sharers, hooray for internet governance, I think are the C-certs and the cert community, right? They have a long-standing tradition in the international community of exchanging information, and they see it as a core value to do so, right? So internet governance organizations, they focus on the resilience of the internet as a global network, and they work more along the lines of what you would call like a health and safety approach, right, rather than a security approach, and that does something. Okay, having said that, how do we overcome blockages to information sharing, right? I have a few points to make, three points. So one is a little philosophical in nature, right? So starting where we left off with the C-certs, basically, say, okay, how can we extend the logic of health and safety to more forms of information sharing, right? Can we get more levels or sorts of information in the frame of sort of first medical responders where we try to make sure that the patient is okay rather than into a security frame of mind where we’re looking for, okay, who is at fault, why have they done it, what are the consequences, who is liable, et cetera, right? So there is a balance there to look for. Related to that, because I think these communities are communities of trust, and someone mentioned this before, is how can we create communities of trust? And I think this audience here is probably well aware that certain sectors, for example, like the banking and financial sectors in the Netherlands but elsewhere as well, they have created what they call information sharing and analysis centers, right, the so-called ISACs. In these ISACs, sectors exchange information about incidents, threats, and vulnerabilities. There is no question that banks are each other’s competitors, right? That is clear. But they do have a common interest in sort of keeping the digital financial system as healthy and as well-functioning as possible. So that helps. What also helps is the closed nature of ISACs, right? It’s a closed system, there’s a trust system, there’s even an amber system and a red system, what kind of information gets written down. So it’s a community of trust, but it’s also often facilitated by the government. So this is something where governments can do something. Lastly, and the NIS2 Directive has already been mentioned, there’s always regulation, right? The regulation is not always the best option forward, but for example, in the Netherlands, if we look at the implementation of the EU NIS2 Directive, that will mean that in the Netherlands 5,000 companies will now have reporting obligations and certain obligations to have preventative measures, as opposed to the 200 that were designated like that before. That is a huge difference. The idea is, of course, that this will create more resilience, whether that’s actually the case is something that we will have to see in the future. I’ll leave it at that.

Jennifer Chung: Thank you, Dennis. That was a lot of very good information and a lot to unpack. I’m not even going to attempt to try to summarize any of this before we go to our next speaker, but I think you really highlighted the big problem and the tension between having this information and the incentive to share, and shifting that paradigm to what you mentioned as health and safety instead of liability and faults. I think that really allows us to look at it a little more clearly. I think on the other context, before I go to our next speaker, is this has also played out in the ICANN context for those who do participate in ICANN policymaking, and I guess that community as well. There has been a lot of tension and a lot of urgency from the part of law enforcement. to request for information, but the problem still is how do we authenticate these requesters? How can we make sure that, you know, we have the obligation or, you know, the legal framework to do so and to disclose this information? So thank you very much for highlighting this, you know, very inherent tension between that. Hopefully we’ll be able to dig out some and tease out some possible solutions going forward, but I do see that it is not on one party or two parties, but it is a whole host of considerations. And again, multi-stakeholder is what we’re talking about here. So with our last but not least speaker, I’d like to go over to Ms. Latty Thaka from South Africa IGF. And I’d like to get a little sense of what the best practices are and the impacts, and I think she wanted to give a little bit of thread of the legislation and regulation in South Africa right now and what the recommendations are, I guess, coming forward for cybersecurity and that part from the South African point of view.

Latty Thlaka: Okay. Thank you, moderator. My name is Latty from South Africa. I am the chairperson of the South African Internet Governance Multi-Stakeholder Committee. I think just before I start, I just need to remind us that cybersecurity is not just a technical challenge. It is a human rights development and governance issue. The only way to address it meaningfully is through multi-stakeholder cooperation at national, regional, and global level. So going into best practices, South Africa strongly supports a multi-stakeholder approach to cybersecurity. We collaborate globally and regionally through AU Malabo Convention, the SADC strategy. We also participate in GFCE and ITU’s African initiatives. Nationally, we have built structures like the Cybersecurity Hub, which is a project by the Department of Communications and Digital Technologies. It is a national computer security incident response team project that was established to make cyberspace an environment where we can all safely communicate, socialize, and transact in confidence. This project works with stakeholders from civil society. It works with government. It works with the private sector. It works with the technical community and academia in preventing and responding to threats. Our South African Police Services and State Security Agency also coordinates cybercrime investigations and threat intelligence together with private sector and ISPs. And I think it’s also worth noting that our IGF is also very strong when it comes to addressing and engaging in matters of cybersecurity, where cybersecurity is not just discussed annually or allocated annually. It’s also integrated in all the thematic areas. And I think we’ve also seen firsthand the impact of an action where data has revealed a 22% year-on-year increase in ransomware incidents targeting South African institutions. We have had, I think amongst others, digital fraud in the banking sector. We’ve had ransomware attacks on public institutions. Ordinary citizens are also getting attacked on a daily basis. And in addressing these, we are active in research on cybersecurity. We have a few initiatives, and I’ve already mentioned the cybersecurity hub. We’ve also got the Cyber Command Center, and where legislation is involved, we have a national cybersecurity policy framework, the Cyber Crimes Act, and the POPI Act, the Protection of Personal Information Act. However, we’ve also noticed the growing tension between the cybersecurity laws and our constitutional duty to uphold privacy and data protection, where our Cyber Crimes Act criminalizes malicious activity, while the POPI Act protects personal data. Together, they offer a legal balance, but the test really lies in the implementation, and without proper oversight, there’s a risk of overreach, public distrust, and suppressed digital freedoms. We found that the law enforcement sometimes maybe faces delays due to legal processes required under POPI Act to access digital evidence, and civil society has also raised concerns over potential overreach in surveillance protections of the Cyber Crimes Act. So I think we just need to strengthen oversight mechanisms, such as judicial review for data access, and update laws to ensure proportionality, necessity, and transparency in surveillance. And I think that’s why we’re also just calling for three things. We’re calling for policy coherence, where cybersecurity strategies must go hand-in-hand with privacy protections and rights-based governance. We’re also calling for global and regional collaboration through harmonized laws, shared intelligence, and joint incident response. And we also need to have an inclusive governance where youth, civil society, and underrepresented groups have a seat at the table. Our National Internet Governance Forum has proven that this model does work, and if we don’t act decisively, we risk widening the digital divide, weakening human rights, and undermining regional trust. So we just need to remember that cybersecurity resilience is not just about defending networks, it’s about defending people, democracy, and dignity in a digital world. South Africa is ready to collaborate, we’re ready to lead, we’re ready to learn, and we cannot afford to wait.

Jennifer Chung: Thank you very much, Latty. I think that ending was actually very important for us to remember, and we’re not just defending the networks, we are defending humans. Thank you also for sharing all the work that is being done right now with South Africa. I think, you know, I hear a thread amongst all the speakers that this is a multi-stakeholder effort that we need to address cybersecurity risks, but we need to balance it with privacy and we need to balance it with having inclusive governance where underrepresented groups do have a seat at the table. For the next 20 minutes, we have an open floor, and I think I already see some indications that we would like some, yep, speaking over there. I think this is Bangladesh IGF, Anu, please go ahead, Anu.

Bangladesh IGF representative: Hello, Jennifer, thank you. This is Mohammad Abdullah Gono, Secretary-General, Bangladesh Internet Governance Forum. As cyber threats grow in scale and complexity, it is clear that while the challenges are global, the responses must be grounded in local realities. In Bangladesh, we have witnessed how community-based awareness, capacity building, and multi-stakeholder engagement can help counter cyber threat more effectively than top-down approach alone. The Bangladesh Internet Governance Forum has been working to promote trust, security, and responsible digital practice by fostering collaboration between government agencies, civil society, the private sector, and youth groups. Our local cybersecurity framework are aligned with global norms, but are also tailored to our unique socio-economic and digital context. We believe that regional and local internet governance forums play a critical role in sharing best practice and ensure that cybersecurity is not just a technical issue, but a shared social responsibility. By building resilience from the ground up, we strengthen the global digital ecosystem. Let us continue working together across borders and stakeholder groups to ensure a safe, more inclusive digital future for all. Thank you, Jennifer.

Jennifer Chung: Thank you very much, Anu. I am also going to see if we do have anything online. We do have our online moderator, Godsway, who is checking online. He has reminded everyone who is participating remotely to also indicate whether or not you would like to ask questions or actually give some comments. Godsway, are there any questions and comments, or requests to take the mic?

Godsway Kubi: Hello, everyone. I hope I am audible. Okay, so I am Godsway Kubi, the lead facilitator for online cybersecurity, and also representing Ghana IGF here. I think for now, we don’t have much questions, but I am hoping that before we finish the session, there will be some questions.

Jennifer Chung: Thank you very much, Godsway. I see on the floor, Mary Uduma.

Mary Uduma: Thank you very much for giving me the opportunity to speak. If we are to navigate globally and locally, cyber trade via a local partnership, we have mentioned already the multi-stakeholder process, so there is a lot of collaboration to be done. a lot of capacity building to be done, and a lot of awareness creation. There are some people that are scrupulous and they don’t even know that they are being attacked. So in the password management, cyber hygiene, so those are some of the things, and collaborating with law enforcement. And the law enforcement needs a lot of capacity or capacitation. So capacity building and development with the law enforcement is very key. That’s what we have started in Nigeria, in the Nigeria Internal Registration Association, the .NG managers. We have this capacity building and exchanges and engagement with our law enforcement to be able to bring to fore some of the threats, and they also understand the threats as well. So those are the few things I just want to mention because the panelists, they’ve already mentioned a lot of them. But collaboration, capacity building, sensitization, and engagement with the law enforcement would help us navigate those streets. They are very, very rare. Thank you.

Jennifer Chung: Thank you, Mary. Thank you for sharing the perspective from Nigeria and also, of course, West Africa. I’m looking around the room to see if there’s any hands up. Of course, colleagues who are sitting in front of us, please, you are welcome to come over to the U-shape to take the mics as well. I know there are mics on the side of the room if you would prefer that as well. If not, I’m gonna use a little bit of moderator prerogative. I see Dr. Nazar. Nazar, please go ahead. Nazar, one second, you need to turn on your mic.

Audience: You will not have to use it, touch it, don’t touch. That’s what they’re saying. Thank you so much, Jennifer and team NRIs from all over the globe. My intervention on this front will be let us also focus on the local talents in terms of our universities are creating and co-creating a lot of young people with a lot of skills. And what I find is that the local conception in terms of companies and the governments and even civil societies are not actually using these local talents and the local skills that have been created by our universities. So while we are talking about, you know, combating all these cyber threats, we need to focus using the resources that are there. The young people from the universities, they are very learned on ICTs and cyber security. But the applications and the skills from the local content are not being properly utilized. So I think that will be my contribution so I can also yield time to others to contribute as well. be ensuring that we use the local content that is available to combat both the local and global cyber security threats. Thank you.

Jennifer Chung: Thank you, Nizar. Thank you, Nizar, for reminding us that, you know, we absolutely need to rely on local talent and local content to also combat all of this. I do have one comment online which I’ll go first and then I’ll come to you, Carlos. So, Godsway, please go ahead and read out the question.

Godsway Kubi: Okay. Okay. So, I think Emmanuel is asking, you know, what international frameworks do we have to empower law enforcement agencies in the Global South?

Jennifer Chung: Thank you, Godsway. So, before I go to Carlos, I’m wondering if anybody up here on the panel or anybody in the room would like to answer Emmanuel’s question. The question, again, is, you know, what international framework we have to empower law enforcement agencies in the Global South? Read it again so you have some time to think about the answer. While you’re ruminating on this answer for Emmanuel, I’d like to go to Carlos. Please go ahead.

Carlos Vera: Thank you again. I think that one of the main words or concept we have to have is share. We share the room. We were in the same room yesterday in the main hall with Joseph Gordon Leavitt. And in one moment, the girls were saying aloud, I love you, I love you, I love you. And of course, I said, thank you, thank you. And this nice-looking guy looked at me and I said, let’s share. Let’s share. That’s what we have to say to government, to big tech companies. Let’s share accountability, responsibility, cybersecurity. The decision-making process is a shaded process. That’s why we strongly support the multistakeholder process. and share, share, share. This is the key issue for all of us. Thank you, Jennifer.

Jennifer Chung: Thank you, Carlos. That was a great analogy. Maybe Joseph Gordon-Levitt can solve all our cyber crime and cyber security problems, you know, just drawing the attention and asking everyone that you need to share information. He has a PhD in computer science. We should call him to this room. Maybe that’s how we’re gonna solve all of this, right? He will help us solve the IGF renewal, all of that. Dennis, please go ahead.

Dennis Broeders: Maybe a short comment on my neighbor. Sharing would be fantastic. I love sharing, it’s very nice. But institutionally, many of these organizations are biased against sharing. They have no interest in sharing or they have interest in sharing certain things, but not other things. So we have to realize that while some of these corporations have goodwill, many of them are in the business of making profit and they will share what they need to share. So what we increasingly see now is we have larger and larger companies doing things that traditionally were public utilities, but we have put them in the hands of private corporations who do not have a public ethos. They have a private ethos, they’re there to make money. And we sort of let it happen. That’s one thing, but to sort of rely on ethical frameworks and asking them to share and basically rely on their goodwill, I think is not the way forward. We have seen time and time and time again that when push comes to shove, they will go for the dollar and not for the public interest.

Jennifer Chung: If I may actually ask a follow-up question, because in your first intervention and just now, you said incentives are not there for sharing. What incentives do you think could oblige or could be to incentivize the sharing, I guess, for different parts and different organizations?

Dennis Broeders: I think it varies. I mean, I haven’t thought the whole thing through, but the ISAC example shows you where. Competitors are actually able to agree on some common ground where they say, okay, we all benefit if the larger financial system and the transactions between us are safe, right, that’s something where they go, okay, that’s where we can cooperate. On other things, I think the general rule is when industries start saying, no, we’ll do it ourselves, we’ll self-regulate, we’ll do ethical framework, we’ll do all these things, that means they’re afraid of regulation, right, that’s the only reason they’re stepping forward to do this. That means that regulation may be the way forward, right, so you can’t expect private companies to fully embrace a public task in a public way, right, that’s not what they’re there for, but we have a long history of having private companies subjected to certain rules to make sure the public interest is safeguarded, this is not a new thing, right, we have been doing this for centuries, there is a way of organizing this between public and private parties where you weigh in as a government and say, but this is the public interest, this needs to be safeguarded, so I’m afraid it’s regulation.

Jennifer Chung: That is definitely one answer, regulation does answer certain things, but probably doesn’t encompass everything as well. I’m going to use moderator prerogative to kind of come back to Dejan Djukic because, you know, listening about this and of course being in the DNS industry, being part of CCTLD, I wonder if you have some reactions regarding this because of course .Asia is also a registry operator, we have to follow our jurisdiction, what kind of laws that we need to follow, when we have court papers or court orders to do certain things, that’s how we take action, but perhaps from the Serbian point of view for the CCTLDs, are there similarities, do you have thoughts on this?

Dejan Djukic: Yeah, I still believe that information sharing is important, I gave a recent example from a couple of days ago, so we received a complaint from some international… organization or NGO, I’m not sure at the moment what they are, and they are sending us a couple of emails and notification that they find out that those websites are selling illegal weapons and that there are many of those sites in our zone. So we can easily say to them, send those emails to local police and do whatever you want. But we try to discover our data correct, and we also use our contact in police and public prosecutor office to make them to do something. So without that information, we couldn’t do nothing. Now we have 10 websites down with really illegal content. So without sharing information, we couldn’t do nothing. But I think it’s still important, and I believe it.

Jennifer Chung: Thank you, Dejan. I’m actually having trouble pressing this button here. Having the hot mics the whole time is bad, but not being able to press the mic to actually speak is also bad. So inherent tension, again, with voice. I don’t want to leave the question unanswered that we received online from Emmanuel, but I’m wondering if Leti or maybe Lia would like to address that question. And the question is, you know, what international framework do we have to empower law enforcement agencies in the Global South? And I’m assuming empowering law enforcement agencies, I guess maybe he means how they can take action, because I feel like law enforcement is pretty empowered everywhere. So maybe an adjustment to his question.

Latty Thlaka: Thanks, Jennifer. From my point of view, I don’t like to recommend Budapest Convention or maybe the UN Convention, because I have any consideration of each of these two tests. Actually I think that Budapest Convention was created like a convention for the European Union countries, and some other countries around the world have adapted their legal framework of then, but… For example, the reality of the global south countries are not the same as the realities on cyber security or cybercrime in the European Union countries. So I don’t want to say like you should follow the text of the recommendation of Budapest or the UN cybercrime conventions, I think that we should take the best of both documents and then see what is better or what is what fits in our local legal framework.

Jennifer Chung: Thanks, Lia and Leti, did you want to add to this?

Latty Thlaka: No, I think I share her sentiments, but I think just to add on that, maybe just briefly is that South Africa, we participate in the Global Forum on Cyber Expertise. So I think maybe that could contribute to answering the question.

Jennifer Chung: Yes, pressing the button to actually speak. There is one question that we just received in the Zoom room. So if I could just have Kotswe read out the question, or I think it’s maybe a comment.

Godsway Kubi: Yeah, I think so. OK, so I said, what are the global implications to the varied approaches adopted within the AI posture across EU and the US and implications to service provider certifications? So that’s the first question, and should I read it all or go one after the other? I think this question is quite long. It is quite long, but maybe just read the entire thing with respect to it. OK, OK. The second one states that, what does this mean for global South circummarism of this variable certified services? The implications of this AI posture on the cybersecurity and cybercrime posture is critical for. So I think the first question is, the second one is a follow-up of this first one.

Jennifer Chung: So while our speakers and others in the room think about this, I want to see if there’s any other questions online and in the room.

Carlos Vera: About the law enforcement?

Jennifer Chung: You have one? Okay, please go ahead.

Carlos Vera: Okay. There is a lot of frameworks. Every law is jurisdictional, but in issues like electronic commerce or cybersecurity, we need a legal framework from the United Nations, for example, and they have several committees that work on specializing on this kind of things. So even though the law is jurisdictional, geographically restricted to one country, we need a legal framework, and UNUDI and some of the bodies work all the time providing this kind of legal framework. Thank you.

Jennifer Chung: Thanks, Carlos. I don’t see any more hands or questions in the room. Nazar.

Audience: Yes, I just wanted to add on the Interpol, it’s called the Interpol Cybercrime Directorate for the – there are so many, and even the ITU has one for the – has one framework for the – that can assist the local enforcement agencies, for example. The Interpol Cybercrime Directorate is one of those, and I think Interpol is very known for being intercontinental, interregional, and it plays a part in the local context as well.

Jennifer Chung: Thank you, Nazar, for sharing that and reminding us about this. I think without that, then I’d like to ask our speakers in reverse order, so in the reverse order that I initially asked you to speak. to just do a very quick wrap and really just the one takeaway that you want us to really take away from this session. So I will begin with Latty, please.

Latty Thlaka: I think maybe we’ve also seen from the question that was posed that it is a need for harmonization. So we need to harmonize our laws. We need global and regional collaboration in doing that. And we need to ensure that there is inclusive governance. But I need maybe just to leave us with one thing. And it’s something that I mentioned before is that we need to prioritize human rights when talking cyber crimes, when talking cyber security, because if we don’t, we risk widening the digital divide and maybe weakening human dignity. So let’s not undermine our efforts as a globe, as regions and countries. Thank you.

Jennifer Chung: Thank you, Latty. Dennis, one takeaway?

Dennis Broeders: Yeah, maybe I’ll stick with my theme of information exchange. So I mostly focus on the national level. But if we look at the international level, there is a lot to be gained. I think there really is a lot to be gained. We know it’s possible, right? We have a global community of CSIRTs that are exchanging information in a trust-based system. I don’t know if ISACs, for example, talk to each other in a sectoral way, in a broader sense, probably. This morning, I heard a speaker from Albania saying, okay, they’re really invested in sort of getting more information exchange in a regional way. But I think getting that going and also finding a way to sort of get more private information into that mix, that would be really good, albeit not necessarily easy.

Jennifer Chung: Thank you, Dennis. Lia?

Lia Hernandez: I want to remark that capacity building and regulation is not enough. We should work. It’s like there are not two… topics that we should work separately. We should still increasing the capacities and the knowledge of the population from their kids to the older generations. And that is this. In some countries, any conventions or any regulation has worked. That doesn’t mean that the others, that the regulation, they’re also going to work in your region or your country. We should take of consideration the politically, geographically, and economically context before to adapt or adequate like a regulation in any region of the world.

Jennifer Chung: Thank you, Lia. Dejan Djukic?

Dejan Djukic: Thank you. I believe that permanent activities on improving security of system infrastructure and following actual threats is a good approach. So also raising the awareness together with relevant partners on the local and international level could bring improvements constantly. Regulations, of course, is important, but usually very slow. So all of us have to do more before regulators find out the solutions. Thank you.

Jennifer Chung: Thank you, Dejan Đukić. And I guess I’ll leave the last word to Carlos.

Carlos Vera: Thank you. It’s not easy to get the shaded process from government or from international organizations. But we, the citizens, have not to forget that we are the boss, really. If the government doesn’t have the capacity to share the responsibility, the accountability, and the decision-making process, we can change the government. And if the company doesn’t work observing the right condition of the consumers, we can change the company. We cannot buy their product or service. So we have a real power. We are not only passive actors. We are active actors. And we have to use our power. to also be part of the decision in this kind of things. Thank you very much for everything.

Jennifer Chung: Thank you, Carlos. I do note that, you know, perhaps the person who asked the remote question didn’t actually hear an answer to his question or her question, but we’re happy to take this to the NRI mailing list, hopefully to get further experts to answer this. I’m not going to attempt to summarize what has been a very rich discussion, especially on the many, many issues that, and many, many ways that different NRIs, different jurisdictions, different countries are tackling cybercrime, and on all the mitigation efforts, the inherent tension of info sharing, the actual practices of, I guess, CCTLDs and registry operators, and especially, I would say most importantly, with my bias on, we need to make sure it’s an inclusive governance. We need to make sure the underserved, the voices that always get left behind are not further left behind in this conversation about mitigating, about combating cybercrime and looking at best practices. So with that, I thank you all for your time. Thank you to the panelists. Thank you to the questions. Thank you to all in the room for a great session. Thank you.

Agreement points

Multi-stakeholder cooperation is essential for effective cybersecurity governance

Speakers

– Carlos Vera
– Latty Thlaka
– Bangladesh IGF representative
– Jennifer Chung

Arguments

Need for security by design, local empowerment, participatory governance, and global frameworks for local action

Multi-stakeholder approach is essential for addressing cybersecurity as a human rights and governance issue

Community-based awareness and multi-stakeholder engagement are more effective than top-down approaches

Multi-stakeholder dialogue requires inclusive participation from all communities including technical implementers

Summary

All speakers agree that cybersecurity challenges require collaborative approaches involving government, civil society, private sector, technical community, and citizens rather than top-down or single-stakeholder solutions

Topics

Cybersecurity | Legal and regulatory | Development

Information sharing is crucial but faces significant practical barriers

Speakers

– Dennis Broeders
– Dejan Djukic
– Mary Uduma

Arguments

Information sharing is valued but difficult in practice due to organizational disincentives

Information sharing is essential for combating cybercrime, as demonstrated by recent illegal weapons case

Capacity building with law enforcement is crucial for effective cybercrime response

Summary

Speakers acknowledge that while information sharing is recognized as valuable for cybersecurity, organizations face institutional barriers and disincentives that make practical implementation challenging

Topics

Cybersecurity | Legal and regulatory | Infrastructure

Capacity building and education are fundamental to cybersecurity resilience

Speakers

– Carlos Vera
– Lia Hernandez
– Mary Uduma
– Audience

Arguments

Investment needed in training for citizens and local leaders, not just engineers in big tech

Education should explain how internet works and consequences rather than just prohibiting actions

Capacity building with law enforcement is crucial for effective cybercrime response

Local universities create skilled young people whose talents are underutilized by companies and governments

Summary

All speakers emphasize that comprehensive capacity building across all stakeholder groups – from citizens to law enforcement to local talent – is essential for building cybersecurity resilience

Topics

Development | Cybersecurity | Sociocultural

Regulation alone is insufficient and must be balanced with other approaches

Speakers

– Dejan Djukic
– Lia Hernandez
– Dennis Broeders

Arguments

Regulation is necessary but too slow to follow technology evolution, requiring community involvement

Cybersecurity must be established as state policy rather than changing with government priorities

Regulation may be necessary when industries propose self-regulation to avoid stricter oversight

Summary

Speakers agree that while regulation is necessary, it has limitations in keeping pace with technology and must be complemented by community involvement, stable policy frameworks, and appropriate oversight

Topics

Legal and regulatory | Cybersecurity | Infrastructure

Similar viewpoints

Both speakers emphasize that cybersecurity is fundamentally about protecting vulnerable populations and human values, not just technical systems

Speakers

– Carlos Vera
– Latty Thlaka

Arguments

Trust and inequality issues affecting rural communities, minorities, and low-income groups

Cybersecurity resilience is about defending people, democracy, and dignity, not just networks

Topics

Human rights | Cybersecurity | Sociocultural

Both speakers from the Global South highlight the challenges of implementing and balancing cybersecurity legislation with existing legal frameworks and human rights protections

Speakers

– Lia Hernandez
– Latty Thlaka

Arguments

Legal frameworks need to be updated to address new cybercrime trends and adequately criminalize cyber activities

Growing tension between cybersecurity laws and constitutional duties to uphold privacy and data protection

Topics

Legal and regulatory | Cybersecurity | Human rights

Both speakers express skepticism about relying on private sector goodwill and emphasize the need for accountability mechanisms, though they propose different solutions (regulation vs. citizen action)

Speakers

– Dennis Broeders
– Carlos Vera

Arguments

Private corporations prioritize profit over public interest and cannot be relied upon for voluntary sharing

Citizens have power to change governments and companies that don’t share responsibility and accountability

Topics

Economic | Legal and regulatory | Cybersecurity

Unexpected consensus

C-certs and internet governance organizations are most effective at information sharing

Speakers

– Dennis Broeders
– Jennifer Chung

Arguments

C-certs and cert community are most effective at information sharing due to health and safety approach

DNS abuse mitigation requires complex multi-stakeholder coordination across jurisdictions

Explanation

Unexpected consensus emerged that internet governance organizations, particularly C-certs, serve as successful models for information sharing due to their health and safety approach rather than security-focused mindset. This suggests that reframing cybersecurity challenges in terms of collective health rather than individual security may be more effective

Topics

Cybersecurity | Infrastructure | Legal and regulatory

Local talent and resources are underutilized in cybersecurity efforts

Speakers

– Carlos Vera
– Audience

Arguments

Investment needed in training for citizens and local leaders, not just engineers in big tech

Local universities create skilled young people whose talents are underutilized by companies and governments

Explanation

Unexpected agreement that the focus on big tech and international solutions overlooks significant local capacity and talent that could contribute to cybersecurity resilience. This challenges the assumption that cybersecurity expertise must come from major technology companies or international organizations

Topics

Development | Cybersecurity | Sociocultural

Overall assessment

Summary

Strong consensus emerged around multi-stakeholder cooperation, the importance of capacity building, the limitations of regulation alone, and the need to balance security with human rights. Speakers consistently emphasized that cybersecurity is not just a technical issue but a human rights and governance challenge requiring inclusive approaches.

Consensus level

High level of consensus with complementary rather than conflicting viewpoints. The agreement suggests a mature understanding of cybersecurity as a complex socio-technical challenge requiring coordinated responses across multiple domains. This consensus provides a strong foundation for developing comprehensive cybersecurity frameworks that balance security, privacy, and inclusive governance.

Different viewpoints

Role of regulation versus voluntary cooperation in information sharing

Speakers

– Dennis Broeders
– Carlos Vera

Arguments

Private corporations prioritize profit over public interest and cannot be relied upon for voluntary sharing

Regulation may be necessary when industries propose self-regulation to avoid stricter oversight

Citizens have power to change governments and companies that don’t share responsibility and accountability

Summary

Dennis argues that regulation is necessary because private companies will prioritize profit over public interest and cannot be trusted to voluntarily share information for the public good. Carlos, however, emphasizes that citizens have the power to change both governments and companies through democratic and market mechanisms, suggesting a more optimistic view of voluntary cooperation and citizen empowerment.

Topics

Legal and regulatory | Economic | Cybersecurity

Approach to international cybercrime conventions

Speakers

– Lia Hernandez
– Carlos Vera

Arguments

Legal frameworks need to be updated to address new cybercrime trends and adequately criminalize cyber activities

International frameworks like UN committees provide legal frameworks despite jurisdictional limitations

Summary

Lia expresses skepticism about existing international conventions like Budapest and UN Cybercrime Convention, arguing that they don’t fit the realities of Global South countries and that local legal frameworks should take the best from both rather than following them wholesale. Carlos, however, supports international frameworks from UN bodies as necessary for cross-border issues like cybersecurity, despite jurisdictional limitations.

Topics

Legal and regulatory | Cybersecurity | Human rights

Unexpected differences

Trust in voluntary corporate cooperation

Speakers

– Dennis Broeders
– Carlos Vera

Arguments

Private corporations prioritize profit over public interest and cannot be relied upon for voluntary sharing

Citizens have power to change governments and companies that don’t share responsibility and accountability

Explanation

This disagreement is unexpected because both speakers are discussing the same goal of improving cybersecurity cooperation, but they have fundamentally different views on human nature and institutional behavior. Dennis takes a more pessimistic, regulatory approach based on historical evidence, while Carlos maintains an optimistic view of citizen empowerment and democratic accountability.

Topics

Economic | Legal and regulatory | Cybersecurity

Overall assessment

Summary

The main areas of disagreement center around the role of regulation versus voluntary cooperation, approaches to international legal frameworks, and trust in institutional behavior. Most speakers agreed on the fundamental challenges and goals but differed on implementation strategies.

Disagreement level

The level of disagreement is moderate and primarily methodological rather than fundamental. Speakers largely agreed on the core problems (need for information sharing, multi-stakeholder cooperation, capacity building) but disagreed on the best mechanisms to achieve these goals. This suggests that while there is broad consensus on cybersecurity challenges, there are significant differences in preferred governance approaches that could impact policy implementation and international cooperation efforts.

Partial agreements

Similar viewpoints

Both speakers emphasize that cybersecurity is fundamentally about protecting vulnerable populations and human values, not just technical systems

Speakers

– Carlos Vera
– Latty Thlaka

Arguments

Trust and inequality issues affecting rural communities, minorities, and low-income groups

Cybersecurity resilience is about defending people, democracy, and dignity, not just networks

Topics

Human rights | Cybersecurity | Sociocultural

Both speakers from the Global South highlight the challenges of implementing and balancing cybersecurity legislation with existing legal frameworks and human rights protections

Speakers

– Lia Hernandez
– Latty Thlaka

Arguments

Legal frameworks need to be updated to address new cybercrime trends and adequately criminalize cyber activities

Growing tension between cybersecurity laws and constitutional duties to uphold privacy and data protection

Topics

Legal and regulatory | Cybersecurity | Human rights

Both speakers express skepticism about relying on private sector goodwill and emphasize the need for accountability mechanisms, though they propose different solutions (regulation vs. citizen action)

Speakers

– Dennis Broeders
– Carlos Vera

Arguments

Private corporations prioritize profit over public interest and cannot be relied upon for voluntary sharing

Citizens have power to change governments and companies that don’t share responsibility and accountability

Topics

Economic | Legal and regulatory | Cybersecurity

Key takeaways

Cybersecurity is fundamentally a human rights, development, and governance issue that requires multi-stakeholder cooperation at national, regional, and global levels

Information sharing is critical for cybersecurity resilience but faces significant institutional barriers due to competing interests between intelligence agencies, private companies, and threat intelligence firms

Four key principles for addressing AI and IoT cybersecurity: security by design, local empowerment through capacity building, participatory governance, and global frameworks adapted for local action

Regulation alone is insufficient – it’s too slow to keep pace with technology evolution and must be combined with community involvement and continuous awareness raising

There’s an inherent tension between cybersecurity legislation and privacy/data protection rights that requires careful balance and proper oversight mechanisms

Local talent and university-trained cybersecurity professionals are underutilized resources that should be better integrated into cybersecurity efforts

Cybersecurity must be established as permanent state policy rather than shifting with changing government priorities

The most effective information sharing occurs in trust-based communities like C-certs and sector-specific ISACs that use a health and safety approach rather than a security/liability framework

Resolutions and action items

Continue discussions on the NRI mailing list to address unanswered technical questions about AI posture differences between EU and US

Strengthen oversight mechanisms including judicial review for data access in cybersecurity investigations

Update laws to ensure proportionality, necessity, and transparency in surveillance activities

Invest in capacity building for law enforcement agencies to better understand and respond to cyber threats

Create more sector-specific Information Sharing and Analysis Centers (ISACs) to facilitate trusted information exchange

Develop harmonized laws and shared intelligence systems for regional and global collaboration

Ensure inclusive governance by giving underrepresented groups, youth, and civil society meaningful participation in cybersecurity policymaking

Unresolved issues

How to create effective incentives for private companies to share cybersecurity information when it conflicts with their profit motives

How to authenticate and verify legitimate law enforcement requests for information while protecting privacy rights

How to adapt international cybersecurity frameworks (like Budapest Convention and UN Cybercrime Convention) to fit diverse local contexts and legal systems

How to address the global implications of varied AI governance approaches between regions like EU and US for service provider certifications

How to balance the need for rapid response to cyber threats with the slower pace of democratic regulatory processes

How to ensure continuity of cybersecurity policies across changing government administrations

How to effectively utilize local cybersecurity talent that is currently underemployed by governments and private sector

Suggested compromises

Shift from security/liability framework to health and safety approach for information sharing to reduce organizational resistance

Create closed, trust-based information sharing systems with tiered access levels (amber/red systems) to balance transparency with security needs

Combine voluntary industry self-regulation with targeted government regulation where public interest requires intervention

Take the best elements from both Budapest Convention and UN Cybercrime Convention rather than adopting either framework wholesale

Establish permanent cybersecurity policies that transcend political changes while allowing for adaptive implementation based on local contexts

Balance strict cybersecurity regulations with strong judicial oversight and transparency requirements to protect privacy rights

Integrate cybersecurity considerations across all thematic areas rather than treating it as a separate annual topic

We are talking about ethics, but it’s not only what you as a user can and cannot do. It has to be also with what governments and what companies can and cannot do. They have all the information, they have all the knowledge. They only do not release the final user. So we have to work on ethics also beyond the final users.

Speaker

Carlos Vera

Reason

This comment fundamentally reframes the ethics discussion in cybersecurity by shifting focus from individual user responsibility to institutional accountability. It challenges the common narrative that places the burden of ethical behavior primarily on end users, highlighting the power imbalance between users and institutions that control information and systems.

Impact

This comment established a critical theme that influenced subsequent speakers to address power dynamics and institutional responsibilities. It set the stage for later discussions about regulation, information sharing incentives, and the need for governments to take more active roles in cybersecurity governance.

Sharing would be fantastic. I love sharing, it’s very nice. But institutionally, many of these organizations are biased against sharing. They have no interest in sharing or they have interest in sharing certain things, but not other things… We have larger and larger companies doing things that traditionally were public utilities, but we have put them in the hands of private corporations who do not have a public ethos. They have a private ethos, they’re there to make money.

Speaker

Dennis Broeders

Reason

This comment cuts through idealistic rhetoric about information sharing to expose the fundamental structural barriers. It provides a realistic assessment of why voluntary sharing fails and introduces the critical distinction between public and private ethos in cybersecurity infrastructure management.

Impact

This intervention significantly shifted the discussion from aspirational calls for cooperation to pragmatic analysis of institutional incentives. It prompted deeper examination of regulatory approaches and influenced the moderator to ask follow-up questions about what incentives could actually work, moving the conversation toward more concrete solutions.

It’s necessary that the states establish the issues of cybersecurity or cybercrime like as a state policy. Most of the countries in Central America and the Caribbean, they change of government every four or five years. And for that reason, they also change the priorities… We must really be and incorporate in our agendas the agenda of the governments and the policymakers topics as cybersecurity, digital security, cybercrime.

Speaker

Lia Hernandez

Reason

This comment introduces a crucial but often overlooked dimension of cybersecurity governance – political continuity and institutional memory. It highlights how democratic transitions can undermine long-term cybersecurity strategies, particularly affecting developing nations in the Global South.

Impact

This observation added a temporal and political stability dimension to the discussion that hadn’t been previously considered. It influenced later speakers to think about sustainable, institutionalized approaches rather than just technical or regulatory solutions, and contributed to the broader theme of adapting global frameworks to local political realities.

Cybersecurity is not just a technical challenge. It is a human rights development and governance issue. The only way to address it meaningfully is through multi-stakeholder cooperation at national, regional, and global level… cybersecurity resilience is not just about defending networks, it’s about defending people, democracy, and dignity in a digital world.

Speaker

Latty Thlaka

Reason

This comment fundamentally reframes cybersecurity from a technical domain to a human rights and democratic governance issue. It elevates the stakes of the discussion beyond technical solutions to encompass fundamental values of human dignity and democratic participation.

Impact

This human rights framing became a recurring theme that influenced the moderator’s closing remarks and shaped how other participants discussed the balance between security measures and civil liberties. It provided a moral and ethical foundation that grounded subsequent technical and policy discussions.

We, the citizens, have not to forget that we are the boss, really. If the government doesn’t have the capacity to share the responsibility, the accountability, and the decision-making process, we can change the government. And if the company doesn’t work observing the right condition of the consumers, we can change the company… We are not only passive actors. We are active actors.

Speaker

Carlos Vera

Reason

This comment powerfully challenges the victimization narrative often present in cybersecurity discussions by emphasizing citizen agency and democratic power. It reframes citizens from passive recipients of protection to active agents of change with real power over both governments and corporations.

Impact

As the final substantive comment, this provided an empowering conclusion that tied together themes of accountability, democratic participation, and multi-stakeholder governance. It reinforced the session’s emphasis on inclusive governance while providing a call to action that elevated citizen responsibility and power.

Overall assessment

These key comments fundamentally shaped the discussion by challenging conventional cybersecurity narratives and introducing critical structural and political dimensions. Carlos Vera’s ethics reframing and citizen empowerment messages bookended the session with themes of institutional accountability and democratic agency. Dennis Broeders’ institutional analysis provided crucial realism that moved the conversation from aspirational to pragmatic. Lia Hernandez’s political continuity insight and Latty Thlaka’s human rights framing added essential dimensions of temporal sustainability and moral grounding. Together, these interventions transformed what could have been a technical cybersecurity discussion into a nuanced exploration of power dynamics, democratic governance, and human rights in the digital age. The comments built upon each other to create a comprehensive framework that balanced technical solutions with political realities, institutional incentives with citizen agency, and global cooperation with local contexts.

How can we authenticate requesters of information in cybersecurity contexts, particularly law enforcement requests for data disclosure?

Speaker

Jennifer Chung

Explanation

This addresses the tension between information sharing needs and verification of legitimate requests, which is crucial for balancing security and privacy rights

What are the global implications of the varied approaches adopted within the AI posture across EU and the US and implications to service provider certifications?

Speaker

Online participant (via Godsway Kubi)

Explanation

This question explores how different regulatory approaches between major jurisdictions affect global cybersecurity standards and certification processes

What does this mean for global South circummarism of this variable certified services?

Speaker

Online participant (via Godsway Kubi)

Explanation

This follow-up question examines how varied certification standards impact developing countries’ access to and implementation of cybersecurity services

What international frameworks do we have to empower law enforcement agencies in the Global South?

Speaker

Emmanuel (online participant via Godsway Kubi)

Explanation

This addresses the need for understanding available international cooperation mechanisms for cybercrime enforcement in developing countries

How can we extend the logic of health and safety to more forms of information sharing in cybersecurity?

Speaker

Dennis Broeders

Explanation

This explores shifting from a security/liability mindset to a health and safety approach to encourage more information sharing for collective cybersecurity

How can we create communities of trust for cybersecurity information sharing beyond existing sectors?

Speaker

Dennis Broeders

Explanation

This examines expanding successful models like ISACs (Information Sharing and Analysis Centers) to other sectors and contexts

Whether the NIS2 Directive implementation will actually create more resilience as intended

Speaker

Dennis Broeders

Explanation

This requires future evaluation of whether expanding reporting obligations from 200 to 5,000 companies in the Netherlands actually improves cybersecurity outcomes

How can we better utilize local talent and skills from universities in combating cybersecurity threats?

Speaker

Dr. Nazar

Explanation

This addresses the gap between available local cybersecurity expertise in universities and its practical application by governments, companies, and civil society

How can we ensure that cybersecurity becomes a state policy priority that survives government changes?

Speaker

Lia Hernandez

Explanation

This addresses the challenge of maintaining cybersecurity focus across political transitions, particularly in regions where governments change every 4-5 years

How can we harmonize the best elements of both the Budapest Convention and UN Cybercrime Convention for local implementation?

Speaker

Lia Hernandez

Explanation

This explores creating more effective local cybercrime legislation by combining strengths of existing international frameworks rather than adopting them wholesale