IGF 2017 – Best practice forum on cybersecurity

20 Dec 2017 14:00h

Event report


Mr Markus Kummer, Coordinator for 2016 IGF BPF Cybersecurity (Chair), described this year’s Best Practice Forum as a continuation of efforts from previous years.

Mr Maarten Van Horenbeeck, Fastly, Chairman FIRST.org (Moderator), in introducing the panellists, pointed to some core lessons that were learned from previous BPFs.

  1. It is difficult to get multistakeholders to engage in incident response teams.
  2. Definitions are a concern: what exactly does an incident response team do?

As a result, the discussion was widened to include what cybersecurity means for different stakeholders.

Mr Brian Gutterman of the IGF Best Practices Forum, in describing the work of the BPF, indicated that the team communicated largely via WebEx and used mailing lists. He also noted that a decision was taken that the process had to be multistakeholder based. Thus, open calls for contributions were made via the IGF website. Contributions, which came from civil society, the technical community, and governments, included comments on:

  1. How essential it is to have the involvement of all stakeholders in cybersecurity.
  2. The need for understanding and respecting the expertise of others.
  3. The need for a clearer definition of cybersecurity as the term is loaded with context from government and commercial interests.
  4. How the IGF offers an opportunity to redefine a common goal towards understanding and cooperation on cybersecurity issues.
  5. The importance of the community promoting a robust, timely, and effective sharing of information.
  6. Security awareness as the key to building a secure internet ecosystem.

Mr Richard Leaning, RIPE NCC, began his presentation by asking what cybersecurity is. He referenced a definition from a glossary published on 23 November 2016 by the National Cybersecurity Centre in the UK which defines cybersecurity as ‘The protection of devices, services and networks and the information on them from theft or damage.’ He further noted that a lot of emphasis is being placed on things or devices and not much on the human element. He said that this BPF should also focus on the human elements of cybersecurity.

Mr Matthew Shears, Head of Global Internet Policy and Human Rights at the Center for Democracy and Technology and Co-chair of Working Group 1 of the Freedom Online Coalition, listed some of the key learnings:

  1. The importance of capacity building.
  2. The importance of stakeholder engagement and collaborative trust.
  3. The ability to put oneself in the shoes of the other stakeholders, and understand the issue from their perspective.

Ms Isabel Skierka, researcher at the Digital Society Institute (DSI), noted the need to distinguish between the different forms of security, what is going to be protected, and who is going to protect it. She also noted that the discussion should be framed from the perspective of both public security and individual security. These perspectives underscore the importance of the need to value many different stakeholders.

Ms Grace Githaiga, co-convener of the Kenya ICT Action Network (KICTANet), in speaking on the Kenyan experience, noted an increase in cybersecurity incidents, especially through mobile money transactions, bank systems, and government systems. She noted that online platforms are being used for terrorism and recruiting. This has presented a lot of challenges that people are not prepared for. Githaiga indicated that this results in knee-jerk responses, usually in the form of legislation that is introduced without relevant consultation among stakeholders. This creates further challenges in balancing the legitimate need for security and safe and secure platforms. Githaiga also pointed to a lack of coordination on cybersecurity frameworks, under-resourced teams, and gaps in capacities. She concluded by indicating that KICTANet is collaborating with global agencies in developing multistakeholder frameworks.

Mr Belisario Contreras, Cyber Security Program Manager at the OAS, commented that cybersecurity is part of the IGF agenda as it is very relevant for Internet governance, infrastructure, and its overall impact on democracy and human rights. He pointed out that it is very important to establish an understanding and identify a common ground to be able to face these threats. Contreras noted that cybersecurity means different things in different regions. It could mean a focus on cybercrime for some and on terrorism-related activities for others. This understanding is necessary for us to move forward with specific actions and is essential for any negotiations or any kind of agreement. Contreras referenced the OAS report that points to a lack of awareness campaigns. He further indicated that this awareness could be promoted by NGOs. Civil society and the technical community can try to focus on relevant topics such as privacy, freedom of speech, and critical infrastructure protection, topics that are important to everyone.

Mr Hiroshi Esaki, a professor at the Graduate School of Information Science and Technology at the University of Tokyo, spoke about the experience in Japan from a grassroots perspective as well as from the top down. He said that there is a shared focus on IoT technology; instead of operating in silos there needs to be greater interoperability. He further commented that there needs to be security by design and that in implementing security we need to think globally and implement locally. He described security measures as an investment in the improvement and future of society.

Hiroshi also posited that the focus should be on the improvement of human life and business and not just on technology.

A comment was made from the floor that care needs to be taken in defining cybersecurity as every country has a perception of what cybersecurity is. The speaker contended that countries should come up with their own definition. What is important is to provide a framework of understanding so that we can have the kind of practices at international level that facilitate cooperation and standard respect at local level.

Mr Segun Olugbile, Co-Coordinator for 2016 IGF BPF Cybersecurity and the Nigerian Cybersecurity Council, noted that one cannot build a multistakeholder platform or a cybersecurity national strategy by creating a document and strategic plans and expect that people will follow them. He explained that in Nigeria, government agencies were brought together to create a common interagency understanding. The private sector domains were also consulted. This resulted in an understanding of the issues from each other’s perspective.

He contended that what is required is harmonisation to arrive at a national vision for cybersecurity that will also lead to the inclusive participation of all stakeholders.

Mr Matthew Shears, Director for Global Internet Policy and Human Rights activities at the Center for Democracy and Technology (CDT) and Chair of the Freedom Online Coalition, called for a focus on the intersection between cybersecurity and human rights issues. He pointed to freeandsecureonline.com, which defines cybersecurity from a human rights perspective and has published several draft recommendations.

Mr Duncan Hollis, Professor of International Law at Temple University, Philadelphia, commented that instead of focusing on definitions, we should define the risks. Can we catalogue the risks and values? He also asked if there were alternative ways of breaking open the conversation rather than continuing to cling to one definition.

Topics identified for further investigation or discussion include:

  1. Room for security awareness
  2. User knowledge gap
  3. Child online protection and online safety
  4. Cybersecurity frameworks
  5. Transparency of private sector cybersecurity
  6. BPF for arrangement of security services
  7. Formulating and implementing national cybersecurity
  8. Connecting cybersecurity to the SDGs, identifying the nexus

A comment from the floor urged attendees not to reinvent the wheel but rather to use existing material that has already been published and work to improve it. Reference was made to the White House Commission on Cybersecurity, which recently published a report. The speaker also asked for a greater focus on responding to attacks as well as best practices for dealing with insider threats.

In the closing comments, Githaiga asked that the group consider recommending that the multistakeholder approach be used whenever cybersecurity legislation is being implemented.

by Trevor Phipps
