How do cybersecurity, development and governance interact?

9 Dec 2016 10:00h - 11:30h

Event report

[Read more session reports and live updates from the 11th Internet Governance Forum]

Ms Carolin Weisser of The Global Cyber Security Capacity Centre at the University of Oxford gave a brief overview of the Centre’s Cyber Security Maturity model. The model looks at national cybersecurity maturity from five dimensions, namely education, training and skills, legislation, technologies and standards. This view of cybersecurity is used to assess the level of cybersecurity readiness at the national level. Weisser noted that within the last one and a half years the model has been implemented in some 40 countries and that it allows for informed decisions to be made concerning capacity building for cybersecurity.

Ms Lynn Nguyen, Microsoft, said that coming out of the review of the WSIS process, it was clear that cybersecurity was important, cyber threats was integral and was of major concerns to governments and developing countries. She also pointed to a lack of understanding of the role and value of the multistakeholder process in enabling conversations on cybersecurity as well as what was already achieved through multistakeholder engagement. She described this workshop as an attempt to address some of these shortcomings. Nguyen indicated that in March 2016 the G7 countries released principles and actions on cybersecurity which focused on openness, reliability and security of the Internet as fundamental to achieving the digital economy and in particular the SDGs. In October, the G7 followed up with guidelines for the financial sector. Nguyen called for the discussion to focus on how we can cooperate to develop a harmonised security baseline and security approaches that leverages risk based best practices such as cybersecurity frameworks. She emphasised that the development of a set of international standards and security baselines that form an integral part of the Internet governance conversation and the SDGs discussion would go a long way in assisting us to achieve our goals.

Mr Beliasrio Contreras, OAS, said that in looking at cybersecurity from a development perspective, the OAS focuses on the promotion of national strategies, development of CSIRT, and training. In implementing this approach the OAS has tried to be more inclusive with the involvement of the private sector, academia and civil society. He noted that one of the initial difficulties was measuring cybersecurity quantitatively. The OAS partnered with Oxford University on the development of the maturity model. The report identified that countries were not totally prepared to face cyber threats. The OAS feels that the approach to address this gap should not be a discussion solely based on security but there should be a development and socioeconomic focus. This will make it easier to engage the private sector and the wider community. The OAS is focused on developing national strategies and national policies. The approach taken is to identify projects in different sectors, energy, transportation, finance and point out to the countries that these investments will be at risk without a cybersecurity component.

A speaker from Columbia referenced the three pillars from the UN for sustainable development as economic development, social inclusion and protection of the environment. He said that it was impossible to achieve these without the use of ICT’s. He commented that if citizens do not trust ICTs, the achievement of these goals can be threatened. Cybersecurity gives the confidence in ICTs and that is why it is so important

Ms Natalija Gelvanovska, World Bank, described the World Bank as working to achieve development through the strategic goals of shared prosperity and poverty reduction. She noted that traditionally these do not seem to be linked to cybersecurity. The World Bank conducted a study to explore the Internet as a tool for development and published the World Development report in February and concluded that the Internet can contribute to development and the fight against extreme poverty. The report also concluded that the Internet by itself is not enough. Users need to be enabled to take advantage of opportunities created by the Internet. More effort needs to be made to bring more persons online. She noted that previously the World Bank was focused on projects involving backbone networks and submarine cables. The World Bank is now focused on its Internet broadband project which seeks to connect more rural communities that are traditionally underserved by the private sector. She also pointed out that the World Bank looks at the safety components of the projects it is involved with. She said the World Bank is also interested in the safe use of the Internet, cybersecurity online, especially when dealing with communities with little online skills. The design of cybersecurity capacity program to make sure these users can use the Internet safely and securely in the rural and underserved communities. She noted that the World Bank is looking for opportunities to cooperate on these type of projects as there is a need to have critical mass everywhere on the Internet.

A remote participant, Mr Danil Kerimi, said that as we increasingly become dependent on the Internet and cyberspace,  as a result the nexus between government development and cyberspace needs to be taken seriously.

A Speaker from Columbia noted that countries can use existing international guidelines in their effort to build national programs. He indicated that the publishing of the OECD recommendations last September, was timely as it allowed them to refresh their policy and raise the level of discussion in Columbia and use the opportunity to take these recommendations to the policy makers and to work on fulfilling the committee recommendations.

Nguyen raised the question as to the possibility of developing a toolkit as Oxford Univeristy is implementing the maturity model. She noted that a set of tools that everyone can use for online security safety can complement the capacity maturity model.

Belisario noted that many countries do not have cybersecurity awareness campaigns, thus there is no coordinated message to users. He said that there is a huge opportunity for civil society and the private sector to engage in building awareness. He pointed to a toolkit for building cybersecurity awareness campaigns that was created by the OAS .

A question was posed as to how does one build trust while at the same time admitting that things can go wrong. Belisario noted that the best way to tackle trust issues is to talk to each other to work together. Remove divisions, not just between governments but between actors on all others.

Gelvanovska said that the work starts with awareness campaigns. She noted that it was very important that the issues be discussed at all levels. She said that there was consensus at the international level that there needs to be greater awareness. However, she pointed out that what was missing was awareness on the local level in the remote rural communities.

In responding to a question on the relationship of today’s discussion on issues of surveillance and increased government legislation,  Nguyen said that providers provided end to end encryption, however there needs to be clear legal framework that deals with information requests from governments. Nguyen also noted that Microsoft has published a set of policy recommendations called cloud for global good that speaks to the issue of cybersecurity and governments.

by Trevor Phipps