Cybersecurity 2.0 – leveraging the multistakeholder model to develop and deploy cybersecurity policy

20 Dec 2017 12:15h - 13:15h

Event report

[Read more session reports and live updates from the 12th Internet Governance Forum]

The moderator of the session, Ms Lea Kaspar, Global Partners Digital, spoke about a mapping exercise done by the New America Foundation, which identified over 400 definitions of cybersecurity. She emphasised the importance of discussing the practical dimensions of the multistakeholder approach in cybersecurity.

Mr Amitt Ashkenazi, legal adviser at the National Cyber Directorate of Israel, gave an insight into how the Israeli government frames the cybersecurity discussion and policy within the domestic context. The Israeli strategy looks at this task through the relationships the government has within the domestic cybersecurity mission:

  • On an institutional level – setting up a new organisation which deals with cybersecurity, cyber attacks, and cyber attackers – something that the state has to do in order to assist organisations.
  • Government help in mitigating attacks – organisations cannot deal with this situation by themselves. Many strong organisations around the world, not to mention small and medium enterprises, are being hit and need assistance.

Mr Jonah Force Hill, policy specialist at the US Department of Commerce, NTIA, started his intervention with the main features of the multistakeholder approach:

  • It should be stakeholder-driven: the organisation convening a multistakeholder process should not decide where it goes
  • Stakeholders that participate should be ones that hold specialised expertise applicable to the challenge at hand
  • Transparency – anyone can have access to the deliberations, transcripts of the discussions, and streamed video for those who cannot participate in person. This creates an environment of trust, legitimacy, and accountability
  • Consensus-driven

Mr Tobias Feakin, Australian ambassador for cyber affairs, shared his experience of inventing his own position, one that could embody multistakeholderism in addressing the challenges that Australia was going to face through its international cyber engagements. He also said ‘we physically relocated our center to a less classified environment to ensure that it was far easier for academia, for the private sector, for just a broader range of stakeholders who understand the technical details of cybersecurity who wouldn’t have been able to engage with us in the past’.

Ashkenazi further provided an example of a multistakeholder project in Israeli cybersecurity: Cybernet, a platform like a social network in which companies can share information securely. It is open to companies and to the security community, while the government moderates the platform. ‘The need for the government to intervene was to create the platform to make sure it’s secure and to create trust, by setting the rules of the road for the use of this platform.’

Hill shared another example. In March 2015 NTIA issued a request for public comments, a formal federal government notification process, in which it put an open-ended question to any interested party: what are the cybersecurity policy issues where a multistakeholder approach might be beneficial? NTIA received a list of about 12 issues. They started with vulnerability disclosures – ‘it was a transparent process where we actually believed for the first time that hackers and the vendor community came together to come up with public policy solutions for best practices for vulnerability disclosure’. Then NTIA focused on IoT and patchability. He said there was a need to foster a market that offered more devices and systems that support security upgrades. Hill said that NTIA is now about to start a new process on software component transparency. The aim is to promote transparency of third-party software components, including open-source software.

Mr Jan Neutze, Director of Cybersecurity Policy, Microsoft, mentioned the National Institute of Standards and Technology (NIST) cybersecurity framework as an example of a bottom-up approach, in contrast to previous ones that originated from governmental initiative.

Ms Allison Gillwald, Research ICT Africa, also shared an example from Mauritius. ‘We have been working on a paper that looks at public/private interplays in the case of Mauritius where a very successful cybersecurity and critical information infrastructure regulation and governance framework was set up, leveraging the capacity, particularly of a very strong financial sector which had sorted out security issues before government intervention’.

By Ilona Stadnik