NRIs collaborative session: European national perspectives on securing critical information infrastructure 

Event report

[Read more session reports and live updates from the 12th Internet Governance Forum]

Ms Sandra Hoferichter welcomed everyone and highlighted the interplay between national and regional sectors.

Dr Tatiana Tropiana, Max Planck Institute, said that the focus would be on how the Internet governance process can incorporate cybersecurity at regional and national levels. The panellists were presented:

Ms Marina Kaljurand, Chair of the Global Commission on the Stability of Cyberspace (GCSC), and former Foreign Minister of Estonia, started by highlighting how cooperation, both between different sectors and internationally, remains integral for cybersecurity of governments in order to ensure that rights are addressed as a result of pressure from civil society. The speaker then shared three norms from the UN Group of Governmental Experts (UNGGE). The first covered the responsibility of the state to protect critical infrastructure while developing shared cultural practices around the critical information infrastructure. The second norm focussed on the shared understanding about limitations on targeting infrastructure in other states, resulting in unintended consequences. The final norm addressed the shared responsibility to provide emergency assistance in the case of hostile actions against critical infrastructure of other states, while respecting sovereignty. Kaljurand concluded that there should be applicability of the existing international legal framework in the cyber domain.

Ms Vanessa Berning, Netherlands Youth IGF, started by pointing out that critical infrastructure regulations can be based on the request of companies to governments. While such legislation places governments at the forefront of securing critical infrastructure, it remains difficult for legislative actors to define what Critical information infrastructure actually is. Hence, legislative measures alone are not sufficient.

Ms Nata Goderdzishvili, Data Exchange Agency, Ministry of Justice of Georgia and Senior Consultant in e-government and Cybersecurity, Georgia (IGF), initially highlighted that shaping and formulating national cybersecurity strategy needs to take into consideration wider national strategy, as cybersecurity is central to providing wider security to government activities. However, as she pointed out, while the governmental/public sector can be legislated for, with the private sector measures need to rely on voluntary cooperation through provision of guidelines for companies. Goderdzishvili concluded by stating that due to private companies being present in the supply chain, it is essential for governments to cooperate with them, which in the Georgian case occurs via cooperative council.

Mr David Rüfenacht, MELANI, Reporting and Analysis Centre for Information Assurance, Switzerland, briefly outlined the problems with the concept of Critical information infrastructure are that as more parts of society become connected to and via internet, the concept covers an ever-increasing number of areas.

Nick Wenban-Smith, Senior Legal Counsel, Nominet and UK IGF, started by outlining how the issue of cybersecurity and critical information infrastructure protection has become a prominent topic in the UK. He pointed out that the majority of high level cyberattacks and threats have been due to lack of awareness and poor individual practices. He also highlighted how the UK government has shifted from a market-led to a government-led process which continues to emphasise resilience-building measures as preventive security measures against potential future threats and vulnerabilities.

Ms Su Sonia Herring, Executive Committee, South Eastern European Dialogue of Internet Governance (SEEDIG), Youth IGF Turkey Coordinator, initially highlighted the need for accountability by governments and private companies when conducting cybersecurity practices. She said that while governments have an important role in providing security by design, it is also necessary to raise public awareness and education levels. However, in all of these security practices, human rights need to be taken into consideration. She concluded by presenting the Turkish situation where the government has been slow to act, and continues to face challenges in implementing agreed policies and strategies.

Mr Fotjon Kostja, Government of Albania, highlighted how cybersecurity is an increasingly significant topic in the region, which reflects the outline of national cybersecurity made in 2014, and the passing of new cybersecurity laws earlier this year. Albania is also seeking to develop practices for securing critical information infrastructure. He concluded by stating that cooperation is important not only across actors at a national level, but also at regional and international levels as a part of the Albanian approach to cybersecurity.

The second half of the event highlighted how cybersecurity due to its nature as a ‘team-sport’, requires and benefits significantly from multistakeholder forums which enable different actors to communicate across policy fields, while bringing alternative approaches to the awareness of others. This is particularly important regarding the input of civil society due to the normally walled-off nature of cybersecurity discussions.

The moderator then thanked the organisers and all of the panellists before concluding the event.

By Arto Väisänen