The US may be preparing further sanctions against Chinese hackers and companies ahead of the meeting of the two heads of state at the end of September
Reuters reports that the EU's expected Network and Information Security Directive, to be drafted this autumn, will include tough security measures and reporting of breaches to national authorities, imposed also on digital platforms (such as search engines, social networks, e-commerce sites and cloud computing providers)
The UN Group of Governmental Experts on information security agreed on a substantive consensus report which contains norms for cyberspace, including that nations should not intentionally damage each other’s critical infrastructure or CERT with cyberattacks, and should assist other nations in investigating cyberattacks and cybercrime in their territories
Cybersecurity is among the main concerns of governments, Internet users, technical and business communities. Cyberthreats and cyberattacks are on the increase, and so is the extent of the financial loss.
Yet, when the Internet was first invented, security was not a concern for the inventors. In fact, the Internet was originally designed for use by a closed circle of (mainly) academics. Communication among its users was open.
Cybersecurity came into sharper focus with the Internet expansion beyond the circle of the Internet pioneers. The Internet reiterated the old truism that technology can be both enabling and threatening. What can be used to the advantage of society can also be used to its disadvantage.
Today, the cybersecurity framework includes policy principles, instruments, and institutions dealing with cybersecurity. It is an umbrella concept covering (a) critical information infrastructure protection (CIIP), (b) cybercrime, and (c) cyberconflict.
As a policy space, cybersecurity is in its formative phase, with the ensuing conceptual and terminological confusion. We often hear about other terms that are used without the necessary policy precision: cyber-riots, cyberterrorism, cybersabotage, etc. In particular, cyberterrorism came into sharper focus after 9/11, when an increasing number of cyberterrorist attacks were reported. Cyberterrorists use similar tools to cybercriminals, but for a different end. While cybercriminals are motivated mainly by financial gain, cyberterrorists aim to cause major public disruption and chaos.
Cybersecurity is tackled through various national, regional, and global initiatives. The main ones are described below.
At national level, a growing volume of legislation and jurisprudence deals with cybersecurity, with a focus on combating cybercrime, and more and more the protection of critical information infrastructure from sabotage and attacks as a result of terrorism or conflicts. It is difficult to find a developed country without some initiative focusing on cybersecurity.
At international level, the ITU is the most active organisation; it has produced a large number of security frameworks, architectures, and standards, including X.509, which provides the basis for the public key infrastructure (PKI), used, for example, in the secure version of HTTP(S) (HyperText Transfer Protocol (Secure)). The ITU moved beyond strictly technical aspects and launched the Global Cybersecurity Agenda. This initiative encompasses legal measures, policy cooperation, and capacity building. Furthermore, at WCIT-12, new articles on security and robustness of networks and on unsolicited bulk electronic communications (usually referred to as spam) were added to the ITRs.
A major international legal instrument related to cybersecurity is the Council of Europe’s Convention on Cybercrime, which entered into force on 1 July 2004. Some countries have established bilateral arrangements. The USA has bilateral agreements on legal cooperation in criminal matters with more than 20 other countries (Mutual Legal Assistance in Criminal Matters Treaties (MLATs)). These agreements also apply in cybercrime cases.
The Commonwealth Cybercrime Initiative (CCI) was given its mandate from Heads of government of the Commonwealth in 2011 to improve legislation and the capacity of member states to tackle cyber crime. Dozens of partners involved with CCI assist interested countries with providing scoping missions, capacity building programmes, and model law outlines in the fields of cybercrime and cybersecurity in general.
The G8 also has a few initiatives in the field of cybersecurity designed to improve cooperation between law enforcement agencies. It formed a Subgroup on High Tech Crime to address the establishment of 24/7 communication between the cybersecurity centres of member states, to train staff, and to improve state-based legal systems that will combat cybercrime and promote cooperation between the ICT industry and law enforcement agencies.
The United Nations General Assembly passed several resolutions on a yearly basis on ‘developments in the field of information and telecommunications in the context of international security’, specifically resolutions 53/70 in 1998, 54/49 in 1999, 55/28 in 2000, 56/19 in 2001, 57/239 in 2002, and 58/199 in 2003. Since 1998, all subsequent resolutions have included similar content, without any significant improvement. Apart from these routine resolutions, the main breakthrough was in the recent set of recommendations for negotiations of the cybersecurity treaty, which were submitted to the UN Secretary General by 15 member states, including all permanent members of the UN Security Council.
A series of blog posts which explore the main dilemmas surrounding the Apple-FBI case. In these posts, three fictitious characters, Privarius, Securium, and Commercias talk about encryption, privacy, and security.
This blog post outlines trends and main actors in cybersecurity capacity building.
The latest edition of glossary, compiled by DiploFoundation, contains explanations of over 130 acronyms, initialisms, and abbreviations used in IG parlance. In addition to the complete term, most entries include a concise explanation and a link for further information.
The book, now in its sixth edition, provides a comprehensive overview of the main issues and actors in the field of Internet governance and digital policy through a practical framework for analysis, discussion, and resolution of significant issues. It has been translated into many languages.
The paper, elaborated by Microsoft, proposes a three-part organising framework for the cybersecurity norms dialogue: offensive norms, which are applicable to nation-states and concern self-restraint in the conduct of cyber operations; defensive norms, which are relevant to both governmental and non-governmental actors and address defensive measures against nation-state activities in cyberspace; and industry norms outlining industry’s role in mitigating the risks facing technology users from nation-state activity in cyberspace.
The study looks into how much of a role security and privacy played in people’s decisions to use a mobile instant messenger.
The paper, elaborated by Microsoft, recommends six cybersecurity norms with the intention of reducing the possibility that information and communications technology (ICT) products and services are used, abused, or exploited by nation states as part of military operations.
The paper presents the results of an analysis of ten web standards with respect to two generic security goals: new web mechanisms should not break the security of existing web applications, and different newly proposed mechanisms should interact with each other gracefully.
The study provides an overview of the international dialogue on establishing norms of state behaviour and confidence-building measures (CBMs) in cyberspace. It offers a comparative analysis of the leading international and regional political documents outlining cyber-norms, CBMs to reduce conflict stemming from the use of ICT, and capacity-building efforts to strengthen co-operation on cybersecurity. It discusses how they could further influence each other, and notes several specific directions that further developments could take.
The report outlines predictions of the development of the technology, media, and telecommunications sectors in 2017. It covers issues such as: biometric security, distributed denial of service attacks, self-driving vehicles, 5G networks, machine learning, and Internet of Things as a service.
The report provides a snapshot of the state of deployment of DNSSEC as of the end of 2016. It addressed two main aspects for deployment of DNSSEC: DNSSEC signing (how many zones are signed using DNSSEC and have a chain of trust back to the DNS root), and DNSSEC validation (what recursive resolvers support DNSSEC, and how many clients are using DNSSEC-validating DNS resolvers).
This technical report analyses the compatibility or complementarity of the Council of Europe Convention on Cybercrime (Budapest Convention), and the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention), in order to facilitate support to African countries in the reform of their legislation on cybercrime and electronic evidence. The report is based on a study by Zahid Jamil for the GLACY+ (Global Action on Cybercrime Extended) Project.
The report provides an overview of the US Department of Commerce’s policies in the field of digital economy over the course of the Obama administration. It covers areas such as: management of the Domain Name System, privacy and security online, innovation and emerging technologies, and access and skills.
The report, prepared by the Global Commission on Internet Governance, outlines a series of recommendations to policy makers, private industry, the technical community and other stakeholders on modalities for maintaining a ‘healthy Internet’. It tackles aspects such as: the promotion of a safe, open and secure Internet, human rights for digital citizens, the responsibilities of the private sector, safeguarding the stability and resiliency of the Internet’s core infrastructure, and improving multistakeholder Internet governance.
The report, based on a survey of 1200 IT decision makers, looks at trends in the adoption of cloud computing within enterprises, and it explores issues related to cloud security (cloud security technologies, encryption, data loss prevention, etc).
Read the executive summary of the report.
Cyberspace has become an essential component of modern society, yet its merits are accompanied by threats. The number of reported cyber-incidents has increased the need to build cybersecurity competences, especially for protecting the critical infrastructure.
The study Cybersecurity Competence Building Trends, conducted by DiploFoundation’s researchers Vladimir Radunović and David Rüfenacht, analyses measures that ten OECD member states have applied to promote competence building in the field of cybersecurity. The study was commissioned by the Federal Department of Foreign Affairs of Switzerland.
The increasing dependence of the corporate sector on the Internet has also created a demand for qualified labour, which is being recognised by states as a possible driver for employment, economic growth, and global competitiveness. All the studied countries are developing the means to transform their national labour markets to meet this changing environment.
Eight dominant cybersecurity competence-building trends were identified in the study, and clustered within two categories:
The first category includes measures such as: governmental support for university programmes; regional partnerships between research labs and multinational companies, aimed at increasing the country’s or region’s competitiveness in global cybersecurity markets; partnerships between universities and state security institutions; and university labelling programmes aimed to better correlate the curricula with the needs of public institutions.
One key trend in the second category is the collaboration between public institutions and professional certification bodies, leading to a soft standardisation of the minimum knowledge and ability requirements for cybersecurity personnel.
Other trends include: measures to improve the competences of the private sector, especially small and medium enterprises and operators of critical infrastructure; cybersecurity training for decision-makers, managers, and senior executives; as well as the development of cybersecurity-related job descriptions, and the definition of the required knowledge training for such jobs.
The study concludes by saying that the identified trends lead not only to the development of national competences for responses to cyber-threats, but also to the consolidation of cutting-edge cyber-industries that increase the competitiveness of states in the global cyber-markets.
This report analyses threats, attack patterns, and common strategies used to attack Internet of Things technologies employed in the automotive industry.
The study analyses the different approaches the EU member states take to protect their critical information infrastructures, and makes recommendations to EU member states and the European Commission on how to improve critical information infrastructures protection (CIIP) in the European Union.
The report analyses a number of global risks (such as tensions between countries, unresolved crises, terrorist attacks, cyber fragilities), and looks into how these could evolve and interact in the next decade. The breakdown of critical information infrastructure and networks and large scale cyber-attacks is included among the most concerning global risks for 2016.
The document, produced as part of the IGF 2015 inter-sessional work, looks at misconceptions around the role and responsibilities of Computer Security Incident Response Teams. It also provides successful examples of new forms of cooperation and outreach that CSIRTs could engage into, in order to be better heard within the wider Internet governance community.
The report outlines several predictions for technology developments in 2016. It focuses on: 5G, big data, Internet of Things, the customerisation of software, and market convergence.
This report examines and documents evolutions and emerging opportunities and challenges in the digital economy. It provides a comprehensive overview of the digital economy, including matters of infrastructure, policy, net neutrality, development, privacy and security.
This report focuses on mobile Internet, its trends and growth, benefits, challenges and recommendations.
The report provides an assessment of Internet security and best practices for mitigating online threats (malware and botnets, phishing and social engineering, attacks against domain names and IP addresses, mobile and voice threats, threats associated to hosting and cloud services, and online harassment).
The report measures the level of cybersecurity development of ITU member states, with a focus on five areas: legal measures, technical measures, organisational measures, capacity building, and international cooperation.
The study explores current and future security challenges facing enterprise and government organisations in the Internet of Things market.
The report argues that cyber capacity building is crucial for development. It outlines challenges to implementation and identifies indicators of success and failure.
Individual chapters in this brief report focus on developing capacity in cyberspace, human rights in cyberspace, strengthening cybersecurity capacity, growing cyber resilience, countering cyber poverty, and cybersecurity capacity building.
The document, produced as part of the IGF 2014 inter-sessional work, provides an overview of the roles and responsibilities of Computer Security Incident Response Teams (CSIRTs), and looks at both accomplishments and challenges facing their activities.
The objective of the session was to discuss the meaning of digital citizenship; define the level of e-accessibility, obstacles, and risks; and explore issues such as the creation of secure digital identity and of a borderless digital society.
The moderator of the session, Ms Birgy Lorenz (PhD, Scientist at Tallinn University of Technology Centre for Digital Forensics and Cyber Security (project Cyber Olympic)), presented the Estonian digital society model.
Mr Alex Wellman (Head of Marketing, Estonia Investment Agency), elaborated on Estonia’s e-residency programme, the advantages for business, the benefits from digitalization, and the difference of the initiative from countries providing tax benefits.
Ms Clara Sommier (Analyst, Public Policy & Government Relations, Google) emphasised the importance of accessibility for all in a digital society, along with the openness of the Internet, finding your voice online, and the ability to empower the disadvantaged and get them in the mainstream.
Ms Sandra Särav (PhD candidate at University of Lausanne, Switzerland) stressed that trust is the key to digital citizenship. She also emphasized the need for global citizenship.
Ms Marianne Franklin (PhD, Professor of Global Media and Politics, Goldsmiths University of London, UK and the Co-Chair of the Internet Rights and Principles Coalition at the IGF) noted that migrants, refugees, and asylum seekers need to be considered when discussing citizenship. It is important to define the digital citizen and to understand the issues holistically. She questioned whether digitisation or citizenship comes first. Franklin believes that the design of any digital framework for citizenship is critical and should not be restrictive. She emphasised the importance of design of the systems and the importance of having alternatives in order to avoid overreliance on one system. On the question of cross-border digital citizenship, it is important, she said, for countries to agree on some underlining principles.
To address the issue of digital skills of older people, Mr Haris Kyritsis (Greek Safer Internet Centre youth panel) shared the example of youngsters having digital skills, teaching older generations how to use this platform. Sommier suggested using a blend of online and offline options. Särav emphasised showing and teaching elders how to use the Internet.
Mr Raed Yakoub (Research Associate at Goldsmiths, University of London) added that there may be different ways in which a group of people may be discriminated against owing to requirements for different identification and authentication documents than the ones they have. He proposed creating e-societies and e-residents as ways to encourage inclusion.
There was also a discussion between Särav and Wellman on the advantages and disadvantages of having a single identity to stop digital threats.
On the question of the possibility of setting up a scrutinising body to ensure citizen data is not abused by any government, Särav suggested the need to recognise cross-border interoperable services while Sommier suggested sharing only legitimate data with governments on a case-by-case basis.
Responding to the question of youth participation and their lack of trust in government, Sommier noted that e-participation is important, but that a suitable space needs to be created so that the voice of the youth can be heard. Such an initiative she believes needs to be taken at the political level. Kyritsis believes that digital citizenship can be an option to engage the youth. Franklin added that participation needs to be encouraged in many ways and on many levels. Having youth role models was also a suggestion.
Responding to the question as to what would be the perfect digital society, Särav suggested the existing one, as there cannot be anything which is perfect; for Kyritsis, it is one where privacy and security issues are addressed; for Sommier it is when the Internet is open and everybody can access it safely. Wellman suggested looking at things from a higher level, while Franklin will be satisfied when citizenship is defined as inclusive participation and success is measured in terms of inclusion of disadvantaged in the society.
Ms Oliana Sula (Lecturer at Faculty of Business, Universiteti "Aleksander Moisiu" Durres) summarised the discussion, stating that the Estonian model can be termed as a best practice. She noted that models need to be customised and there is a need to make different systems more interoperable. Models should define digital citizenship and distinguish it from digital residency as well as define digital inclusion and how to address the disadvantaged to improve digital participation and regulating competition.
Members of the At-Large Advisory Committee (ALAC) and the Regional At-Large Organisations (RALO) leadership discussed policy and process issues related to the At-Large Community, which represents the interests of end-users.
The two-part session was chaired by Mr Alan Greenberg (Chair, ALAC).
Speaking in a private and personal capacity, Mr Göran Marby (Chief Executive Officer and President, ICANN) shared his experience from Sweden regarding the topic of universal connectivity. He gave a short background on Sweden and said that 100 years ago, Sweden was one of the poorest countries in the world, but has since become one of the richest, with a high living standard. Unlike its neighbours, Sweden was not invaded during the Second World War, which means that its industry was not affected by the war. That is when they started manufacturing and doing things together, and the country thrived.
When he worked at the Swedish telecom and postal regulator, the main obligation of Marby and his team was to provide connectivity. There is a regulation in Sweden that states that everyone must have access to the Internet. By the time he left the post, only 250 households out of 4.5 million lacked connectivity. This was attributed to the Swedish Broadband Forum, which Marby referred to as a ‘turning point’. Participants were encouraged to come up with a strategy for the Domain Name System (DNS), IPv6 and other related topics if they were to succeed in universal connectivity. Marby also talked about the Fibre to the village concept, which targeted 280 municipalities. About 170 municipalities funded their own fibre connections and built them themselves. He added that people tend to fund projects or give money when there are benefits. On the issue of spectrum and who it belongs to, he said that they decided that it was an asset to the people, and that its value should go back to the people. He said that first, they needed to increase or maintain competition, and second they needed to use it to get coverage. These two points would ensure that they get the money. Currently 80% of Sweden has mobile coverage; the remaining areas which are not covered are places like national parks and reserves. Marby's advice is to do things together, as a joint effort, ‘you have to sit with people and work with them’ in order for the project to succeed.
The meeting went on to discuss the At-Large Summit (ATLAS) III that will take place in March 2019 in Kobe, Japan, during ICANN64. ATLAS is a global general assembly, held once every five years. The first ATLAS was in Mexico City in March 2009, the second was in London in June 2014. Session attendees were tasked with thinking of criteria for selecting participants for the 2019 ATLAS. There were also discussions about the fact that many At-Large Structures (ALSes) seem not to be active, and that there is a need to make them so. Additionally, members agreed that newcomers should be encouraged to participate while other already active participants should get funds to attend the summit.
Mr Patrik Fältström (Chair, Security and Stability Advisory Committee (SSAC)) gave an update of the SSAC's activities. According to its charter, SSAC focuses on advising the ICANN community and Board on matters relating to the security and integrity of the Internet’s naming and address allocation systems. Expertise of the committee ranges from addressing and routing, to DNS, DNS Security Extensions (DNSSEC), domain registry/registrar, DNS abuse, etc. Since 2002, the SSAC has produced 97 publications in the form of reports, advisories, and comments. Outreach is a major function of the SSAC.
Currently, the SSAC is looking into name space issues, harmonisation regarding Internationalized Domain Names (IDNs), organisational review – external and internal, and rate limiting issues, among others. Fältström also shared current and future milestones, which include contributions to the Work Stream 2 (WS2) of the Cross Community Working Group on Enhancing ICANN Accountability (CCWG Accountability). WS2 was launched after the Internet Assigned Numbers Authority's (IANA) stewardship transition, to continue addressing ICANN accountability topics. Work Stream 1 (WS1), finalised before the transition, focused on mechanisms enhancing ICANN accountability, which were required to be in place or committed to, within the time frame of the transition.
Regarding security concerns of end users, especially since At-Large represents the interest of end users, Fältström said that digitalisation of society is happening, things are moving to the cloud, and there is business evolution. These things require Internet Protocol (IP) addresses. He thinks that there is not as much effort being put into building a robust Internet, as there is in building applications and solutions. Fältström finished by saying that DNSSEC is important for ICANN.
Mr Göran Marby, CEO and President, Internet Corporation for Assigned Names and Numbers (ICANN), delivered the final keynote speech of the tenth edition of EuroDIG. Marby reflected back on the time he lived and worked in Tallinn, and said that Estonia has made noteworthy progress since then. According to him, it was the power of the Internet that made the fast positive change over the last twenty years possible.
EuroDIG 2017 brought up the timely discussion on how we use the Internet, reminding us that it is not a natural resource, but one that the whole community has to take care of. In 2016, ICANN and the Internet Society celebrated the twenty-fifth birthday of the Internet and the progress end-users experience today. Marby focused on several points correlated with the discussion during the event.
First, he emphasised that partnerships and the multistakeholder model are at the centre of ICANN’s work and provide for the interoperability of the Internet. The Internet needs of one end-user differ from those of another, and only interoperability can provide co-operation.
Second, in order to protect this interoperability, Marby stressed the importance of technology and the underlying functionality that enables the operation of the Internet. ‘We are not the Internet, but we are what controls it’, Marby said. In regards to technical operability, he mentioned the importance of the Domain Name System Security Extensions (DNSSEC), and reminded the audience about 11 October 2017 as a milestone for ICANN, when the new Key Signing Key (KSK) rollover will take place.
Third, Marby addressed the negativity surrounding the current discussion on the Internet, and reminded us of its positive sides. ‘The Internet is not done’, Marby noted, and expressed ICANN's goal of connecting an additional 1.5 billion users worldwide with the current 4 billion connected users. In his view, the key for the future of the Internet is recognising the users' local needs. The future Internet will be both local and global, Marby concluded. Lastly, he reminded us once again that the Internet is not a natural resource, and has to be updated, mended, and fixed all the time by the whole community.
The President of Estonia, Ms Kersti Kaljulaid, started the conference with welcoming remarks. She noted that we are all connected – by optical cables and computers – but mostly by our faith in human development and freedom. We believe in free and fair elections, the rule of law, an independent judiciary, and human rights and freedoms. In modern society, free Internet is fundamental as it affects culture, the economy, communications, governance systems, and international relations.
Nonetheless, security should not be used to restrict the freedom of expression since security and freedom are not mutually exclusive, she emphasised. Securing online interactions is a precondition for enjoying Internet freedom. She gave the example of Estonia which balances between security and freedom through providing a network of public and private e-services based on a secure online identity. The country is also proud to be, as per Freedom House, the first in the world in Internet freedom.
Kaljulaid highlighted that today, much of the world’s commerce and communications pass through the Internet and hence the benefits of e-services outweigh the investment costs to create and maintain them. Estonia provides effective e-services that save 2% of the GDP. In this regard, she further referred to the World Bank 2016 report, which underscored that connectivity does not inevitably result in digital dividends. Digital technology transforms societies if supplemented by policies that support digital adoption.
Finally, she mentioned that Estonia will take EU presidency soon. Their presidency has a strong digital agenda that focuses on strengthening the single digital market, increasing solutions for cross-border e-services, and facilitating strategic discussion among member states as a cybersecurity strategy is expected in 2017.
The President of Lithuania, Ms Dalia Grybauskaite, commenced by noting that digital society is more competitive and democratic because it allows citizens to express their opinions. However, it remains a tool for European integration, and competitiveness depends on the political will to integrate. ‘A lot of people look to us because we should not only lead, but also help other countries. We have many events in this area and we hope that they do not only demonstrate our knowledge but also our willingness to introduce all areas of our life including digitisation and Internet’, she said. Europe is used to living in this environment, but it is also realistic about the threats entailed. Such risks should be challenged, not only through military exercises and deterrence, but through developing capacities and being innovative, competitive, integrated and knowledgeable. She finally said that she hoped that the Estonian presidency will take the lead on that.
The final remark was made by Ms Sandra Hoferichter, Secretary General, EuroDIG Association, who provided an overview of the history of the Internet policy dialogue in Europe. In 2008, EuroDIG was one of the first initiatives to discuss Internet governance after the establishment of the global IGF. What started as the idea of ten enthusiastic individuals in a café in Paris, four months later led to a meeting hosted by the Council of Europe, to discuss the potential of this dialogue. Now, there are more than twenty national and regional Internet governance initiatives across Europe, committed to the multistakeholder model.
In her talk, she noted that although many governments in Europe and around the world are committed to multistakeholderism, it is not considered to be the model of the future and forums like this are sometimes questioned vis-à-vis the impact they make. In many parts of the world, legislation is made without consultations with the relevant stakeholders. The digitisation in our life sometimes happens without an option to opt out. Yet, most users do not really see the need to be engaged in Internet governance. It is thus the aim of EuroDIG to raise awareness of the challenges ahead and to facilitate discussions, but not to finalise them. Over the past years, the discussions at EuroDIG focused on the European digital single market and industry 4.0. However, recent developments have shown that some people fear the digital revolution that goes along with the loss of their workplace and privacy. Therefore, ‘we are here looking at the digital future from a different angle, to discuss the promises and pitfalls’, Hoferichter concluded.
The session, moderated by Ms Tatiana Tropina, Max Planck Institute for Foreign and International Criminal Law, and Mr Vladimir Radunović, DiploFoundation, focused on how security threats change the cybersecurity landscape and influence the perceptions and actions of different stakeholders. Tropina instigated the discussion by asking the panellists to pinpoint the cybersecurity challenges in their respective fields.
Ms Sally Wentworth, Vice President of Global Policy Development, Internet Society, provided a global perspective noting that in an increasingly compelled security environment, security could hinder interoperability and lead to potential fragmentation. The importance of laws and norms was emphasised by Ms Marina Kaljurand, Former Foreign Minister of Estonia, Chair of the Global Commission for the Stability of Cyberspace, who explained that governments should lead through a multistakeholder approach. In the same vein, Mr George Jokhadze, Cybercrime Programme Office, Council of Europe, identified key challenges: first, regulations, in terms of drafting new rules and laws but also applying old laws, such as the Convention on Cybercrime; second, awareness of law enforcement agencies and citizens; and third, international co-operation and collaboration with technology companies such as Facebook, Google, Microsoft. On the other hand, Ms Kaja Ciglic, Director, Government Cybersecurity Policy and Strategy, Microsoft, pointed out that the challenges are not specific to Europe, but they are global. On top of them is the security-centred approach, adopted by many governments. Additionally, basic security measures and awareness can help avoid some challenges and create tech-savvy citizens.
Radunović then put forward another question: who should protect cyberspace? The government, industry, technical community, and/or users? Mr Chris Buckridge, RIPE Network Coordination Centre, explained that there is no single answer. The government clearly has a role but does not have the required technical expertise. This led Tropina to further ask: who should lead the multistakeholder model? She noted that during CyCon 2017, it was said that governments are mastering cyberspace but not the protection of cyberspace. In response, Kaljurand underscored that cybersecurity is part of national security and hence citizens expect the state to handle that. However, it is a responsibility shared between governments (which have the biggest share), the technical community, industry, and civil society. But governments have to lead since it is the duty of governments to ensure security, the integrity of data, and authentication of people. Wentworth further asserted that leadership depends on the issue at hand. For example, the industry should lead on issues related to innovation and scaling networks to meet future demands.
When the floor was opened for discussion, the audience spoke about the role of government, but also the industry that should provide reliable products, and end-users who should be educated. Some explained that governments have a duty to provide protection and raise awareness. However, it was mentioned that some governments are not trustworthy, as they could represent a threat rather than provide protection.
To address the question of whether technology, regulation, or social contracts/norms can protect cyberspace, Ciglic pointed out that, on the one hand, the fast pace of technology challenges the capacity of governments to provide the necessary protection. On the other hand, security attacks harm businesses and hence more investment in security is important. Building trust in the online environment is therefore important for businesses to operate. Jokhadze added that cybersecurity is not only about protecting citizens, but equally about punishing wrongdoers.
Radunović asked: Do we need more regulations? In reply to this, Wentworth alluded to the possible tools to deal with security. Technology is constantly evolving and policy should also be evolving to address issues as they come up. In addition, consumers should demand security and privacy as their entitled rights. Tropina, however, argued that consumers do not demand security as they look for what is cheapest. Consumers thus need more security awareness raising. Finally, Kaljurand highlighted that experts have provided interpretations of international laws to cyberspace and hence governments have to decide how to take them forward. Ciglic noted that Microsoft has been active in international cybersecurity norms for five years, focusing not on content regulations but on limiting specific sets of government behaviour.
Opening the session, co-moderators Mr Dirk Krischenowski, dotBERLIN GmbH & Co. KG, and Ms Maarja Kirtsi, Estonian Internet Foundation/.ee, explained that the discussion will focus on issues related to innovation and competition on the domain name market, especially in the context of new generic top-level domains (gTLDs), launched by the Internet Corporation for Assigned Names and Numbers (ICANN) in 2014.
To kick-start the debates, Krischenowski gave an overview of a study conducted by ICANN on competition, consumer trust, and consumer choice in the domain name market. Some of the main findings of the study: new gTLDs contributed to the growth of the market; the sales channel integrated the new gTLDs quickly and led to much greater consumer choice; many new registrar operators entered the market, especially in formerly under-developed markets; the number of registry operators increased by a factor of 60; typical TLDs are niche, targeted, and geographic TLDs. Overall, the New gTLD Program has led to a dramatic increase in consumer choice, a modest increase in competition, and minimal impact on consumer trust.
Ms Elena Plexida, European Commission (EC), talked about the evaluation and revision process that the EC has launched with regard to the regulations for the .eu TLD. She explained that the .eu TLD was formally established by Regulation 733/2002, while EC Regulation 874/2004 set the rules for the registry and the .eu. The .eu TLD was delegated by ICANN in 2005. As the market has continuously changed, these regulations have become outdated, have generated administrative challenges and need a revision. Issues to be analysed during the evaluation process include: whether the .eu objectives have been achieved (to boost e-commerce and empower end-users to create a European digital identity), the legal separation between registry and registrars, whether the registry should be more active in other Internet governance areas (and how).
Mr Jörg Schweiger, DENIC e.G./.de, outlined one issue of concern for the domain name industry: How to make sure that domains do not subsurface, in the sense that they exist from a technical point of view, but users are not really aware of them? The industry has been constantly looking for the ‘killer application’ to address this issue. He pointed out that one way to make domain names more attractive could be to build on the discussions about self-determination, sovereignty, and identity. The main objective of .de now is to retain as many domain names as possible, and the direction the registry is growing in is not necessarily related to innovation per se, but rather to having a secure domain name space.
Ms Lianna Galstyan, Internet Society Armenia, said that the .am registry never had an objective to have a high number of domain name registrations, but rather, to give the community the possibility to register domain names under .am. The same rationale was also behind the launch of the Armenian Internationalised Domain Name (IDN).
Mr Ardi Jürgens, Zone Media OÜ, pointed out that domain names do not exist in a bubble; they are part of a system which includes resources and applications. A healthy growth in the demand for domain names could result in applications and people using domain names for creating value, either for them or society. In the search for a ‘killer application’, the industry should look at young people and try to find a way to create value for them within the domain name space. Compared to social media platforms, domain names have the main advantage of being under the control of the registrant, and this is something that the industry should try to communicate better.
Mr Andrea Beccalli, ICANN, discussed examples of innovation in the DNS, such as the new gTLDs, the introduction of IDN TLDs, and the DNS Security Extensions (DNSSEC). Even the community work on developing the rules and processes for the New gTLD Program can be seen as a form of innovation. Schweiger, however, argued that the new round of gTLDs does not necessarily mean innovation, as it was simply presenting what was on the market already – TLDs. Moreover, most business models surrounding new gTLDs are similar to what had been on the market before their introduction, with only a few exceptions.
Security in the domain name space was mentioned during the discussions as an area that deserves more attention. There are troubling correlations between new gTLDs and ‘innovation in crime’, and there are service providers who have blocked all new gTLDs from their servers due to security concerns. Innovation on the security front should be a priority for new gTLDs. Privacy is also an issue that requires increased attention, as users are more and more demanding in this regard.
The risk of cybersquatting was also raised as an issue of concern for new gTLDs, with regard to the protection of trademarks. It was said that the current protection mechanisms (such as the sunrise period allowing trademark holders to register relevant domain names, and mechanisms for rights enforcement post domain name registration) are helpful, but not sufficient. Such issues are currently analysed within the ICANN framework.
At the end of the session, a point was raised – that it is not actually clear what is innovative in the domain name space, as TLDs have been in place for many years and they are basically the same ‘technology’ or ‘tool’ that they have been since the creation of the DNS.
The objective of the session was to discuss the basic technical concepts which are the building blocks for cybersecurity discussions.
The session was initiated by the moderator, Mr Chris Buckridge, External Relations Manager, RIPE Network Coordination Centre (RIPE NCC), who stressed the need to understand the technical concepts at work in order to understand the building blocks for contributing to the cybersecurity discussions. In addition to the technical community, other stakeholders also need to understand what happens on the Internet and how it happens.
Mr Patrik Fältström, Manager Engineering, Research and Development at Netnod, Stockholm University, elaborated on the meaning of time, noting that the measurement of time is dependent on accuracy and precision. Based on requirement, organisations need to choose between accuracy and precision. He added that time stamps need to be accurate, especially for events happening in distributed systems. While new technologies such as 5G clocks need to be more accurate, there are challenges owing to the differences in time scales, even within the same time-zone.
Answering a question about Galileo, the global navigation satellite system, vis-à-vis the Global Positioning System (GPS), he clarified that the former is more modern; however, it is very similar to GPS.
Responding to a question on the Netnod system, Fältström explained that the Netnod system does not allow access from outside, as redundancy is important for resilience when it comes to security issues.
Fältström explained the importance of replaceability, redundancy, and having multi-vendors that are informed on the way the system works. Moreover, consumers should have the option to choose which service or vendor they want to use.
Mr Marco Hogewoning, External Relations Officer – Technical Advisor, RIPE NCC, pointed out that while most people treat cybersecurity as a technical problem, it is much more than that. He added that although technology can secure the systems, there is a cost associated with building the systems and a need for willingness to apply the solutions. He further added that as cybersecurity is a broad subject, it needs the involvement of all stakeholders, even when the solutions are being designed. He further stressed the importance of looking outside the cause and complexity of cybersecurity, for a more simplistic solution.
Hogewoning indicated that laws today are mostly reactive, and it is important to invest in preventive security, educate people, build quality products and pay the price of the product. He went on to say that it is important for people to report cybersecurity breaches, in order for Computer Emergency Response Teams (CERTs) across the world to provide reports which are meaningful and functional and can help in the discussions.
Ms Marjolijn Bonthuis Krijger, ECP, reiterated that while technical skills are important, it is equally important to have knowledge about cybersecurity and to teach oneself, employees, community members, and young children about it.
Mr Peter Koch, Policy Advisor at DENIC, emphasised the need for standards. While the complexity in standards today leads to challenges in deployment and their misinterpretation, it is important to learn from mistakes and not repeat them.
He further stressed the fact that no software is bug-free today, especially as software has dependencies on the building blocks, which may have bugs that are harder to fix. Even operating system software has an option to review codes, and security software operating systems have been reported to have bugs. It is therefore important for organisations to invest money and manpower to review software in order to fix the bugs. Moreover, there should be an incentive among users to upgrade the existing versions. He also added that security is like an organisation and demands attention, and that the human factor should not be ignored.
One of the paradoxes of data society is that there is not enough data about data society itself. Numbers are used without the necessary rigor. For example, estimates of damage from cybercrime range from tens to hundreds of billions. The volume of e-commerce is also estimated to have a very wide range.
The session on Global Survey of Internet User Perceptions provided a fresh breeze by presenting data from 24 225 Internet users from 24 countries on Internet Security & Trust. This global survey was conducted by the Centre for International Governance Innovation, IPSOS, Internet Society, United Nations Conference on Trade & Development (UNCTAD), International Development Research Center (IDRC).
The presenters summarised the main findings of the survey which led to discussion:
1. There is greater online trust in developing than developed countries
Some argued that developing countries are in an ‘early growth’ phase. Others questioned whether the amount of trust in developing countries is proportional to the lack of information and awareness of risks.
2. There is greater trust in the Internet industry (ISPs, online services) than in governments
The most trustworthy actors are Internet service providers (66%) and online banks (65%). Internet users have least trust in the responsible behaviour of foreign governments (43%).
3. The trust in their governments varies greatly
81% of Indonesian survey respondents trust their government to act responsibly online. At the other end of the spectrum is Mexico, whose government enjoys the trust of only 25% of the survey’s respondents.
4. A lack of security is the main source of distrust
According to the survey, most Internet users do not trust the Internet because it is not secure (65%). The lack of trust is slightly lower when it comes to the reliability of the Internet (40%).
5. Cybercrime is the main concern
6. Changes in online behaviour could lead towards more trust
45% of the survey’s respondents avoid opening emails from unknown e-mail addresses. This is becoming part of the global digital hygiene. Most panellists during the discussions highlighted change in online behaviour as one of the main ways towards increasing both security and trust on the Internet. For ISOC, increasing the cybersecurity culture is one of the cornerstones of the concept of collaborative security. The survey shows particularly noticeable changes in online behaviour in Latin America.
7. Economic patriotism online
Internet users prefer to buy goods and services from their own country even if they have a chance to buy them from abroad via e-commerce platforms.
8. Digital policy
The survey identifies the following issues as the main concern for Internet users: consumer protection, protection of data privacy, and protection against cybercrime. The discussion focused on two ways for strengthening digital policy space: government regulation and ‘policy by design’. For example, an Internet Society representative argued that privacy-by-design, in particular encryption, could be a solution for data protection and privacy.
This session addressed the concern over the rise of cybercrime and its consequences for privacy and security online, as well as the resulting lack of trust among consumers and governments to adopt digital technology. The topic was introduced by the moderator, Ms Cécile Barayre, Economic Affairs Officer at UNCTAD, who stressed the transformational nature of e-commerce, generating both opportunities and challenges.
Barayre then went on to introduce H.E. Ms Rahman Ahmad Khan, Minister of State for Information Technology and Telecom, Pakistan, who outlined some of the critically important areas for addressing cybercrime:
According to Ahmad Khan, users must have the same rights and protection online as they do offline in order for user trust to be restored.
Next, Prof. Ian Walden, Queen Mary University of London, addressed the legal aspects of responding to cybercrime. For state response to be effective, there needs to be a harmonisation of criminal justice systems, for example around the Council of Europe’s Budapest Convention, and criminal justice relations need to be regulated in such a way as to enable the co-operation between law enforcement agencies. Policing cyberspace should focus on prevention and disruption, rather than prosecution, and needs to happen in collaboration with third parties, such as service providers and the Internet industry. Effective cybersecurity strategies need to address prevention and cultural shifts to change the culture of insecurity. Finally, legal and regulatory responses should include criminalising conduct, enhancing law enforcement powers (while taking into account the need to safeguard privacy rights), and putting into place cybersecurity frameworks that include prevention and permit active defence.
With a view from the private sector, Mr Yuejin Du, Vice-President of Alibaba Security, outlined the key cybersecurity challenges:
To combat these challenges, Du provided several examples of the technological measures taken by Alibaba Security, as well as its efforts to build a ‘security alliance’ with other actors in the e-commerce ecosystem. Finally, co-operation with law enforcement is inevitable.
Zooming in on one solution against cybercrime, Prof. Nir Kshetri, Bryan School of Business and Economics, University of North Carolina, explained the role of blockchains in strengthening security of the Internet of Things. He compared the potential of blockchains with cloud-based services, and highlighted their decentralisation as a particular advantage. Another solution was provided by Mr David Satola, Lead ICT Counsel, World Bank, who introduced a portal for capacity building for emerging countries, available at www.combattingcybercrime.org. Its aim is to enhance the capacity in developing countries of the policy, legal, and criminal justice aspects of building an enabling environment to combat cybercrime. The portal consists of a toolkit, an assessment tool, and a virtual library. Mr Gustav Lindstrom, Head of the Emerging Security Challenges Programme, Geneva Centre for Security Policy, presented a similar project: the National Cybersecurity Strategy (NCS) Guide. This project is spearheaded by the ITU in collaboration with 14 partners from different sectors, and aims to produce a reference guide for developing and implementing a national cybersecurity strategy. The guide covers the overarching principles of a NCS, an overview of good practices, and a practical guide for the strategy formulation process.
Finally, Ms Marilia Maciel, Digital Policy Senior Researcher, DiploFoundation, presented the trends, challenges and opportunities of capacity development in cybersecurity. First, she highlighted the changing social context in which individuals and societies are becoming cyber-dependent. As digital services become increasingly complex, complete security will never be possible and risk will always be present. Therefore, it is key to make the environment around cybercrime more secure. She pointed at the surging number of bilateral agreements on cybersecurity, as well as some of the multilateral instruments in place, which all refer to the need for capacity building.
She then presented a number of lessons learned from DiploFoundation’s capacity development initiatives:
Finally, she introduced the Digital Commerce course developed by the Geneva Internet Platform, the International Trade Sector, CUTS, and UNCTAD.
The eleventh Symposium of the Future Networked Car took place on 9 March 2017, during the 87th edition of the Geneva International Motor Show. The Symposium was jointly organised by the International Telecommunication Union (ITU) and the United Nations Economic Commission for Europe (UNECE). The main objective of the event was to offer a platform for a fruitful discussion among different stakeholders – vehicle manufacturers, governments and Information and Communications Technology (ICT) industries – on the future of vehicle communication and automated driving.
The session started with opening remarks from Mr Malcolm Johnson, Vice Secretary-General at the ITU, who stressed the importance of bringing together multiple stakeholders in order to foster technological innovation. In particular, he underlined the crucial role of the ITU as a UN-mandated agency that has successfully brought together and facilitated the convergence between two communities: industry and ICT sectors. The Symposium has seen growing participation in the last years, and has attracted more than 170 participants in 2017.
Ms Eva Molnar, Director of the Sustainable Transport Division of UNECE, joined Mr Johnson in stressing the importance of co-operation, not only between different industry sectors, but also between different agencies – as is the case with the ITU and UNECE. In particular, her speech approached vehicle automation from a regulatory perspective: she reasoned on the relevance of the existing legal conventions vis-à-vis the latest technological changes and pushed for the development of harmonised regulations.
The event comprised five thematic panels, each discussing a specific aspect of vehicle automation.
The Executive Roundtable reflected on the advantages and challenges that automatic driving will bring to individuals and societies once such technology is spread on a larger scale. All speakers talked about the necessity of harmonising the standards regulating such technology among different countries.
In particular, Mr Anders Eugensson, Director of the Governmental Affairs Department at Volvo Car Group, analysed the benefits of automated driving for individuals in terms of costs, liability and accuracy of data. With the development of such technology, customers would purchase automated driving packages that would cost less than a car. Moreover, he considered that cars will operate autonomously, and, in case of accidents, the responsibility would not rely directly on customers. Finally, thanks to cloud connectivity technology, the data available to the car system will be more accurate.
The Second Panel reflected on the benefits of fifth generation mobile networks or wireless systems (5G) for the development of automated driving. The speakers agreed on the crucial role of 5G technology for automated vehicles, especially in terms of connectivity and communication among units. Mr Peter Vermaat, Chair of the Connected Vehicle Working Group at the Wireless World Research Forum, considered that as opposed to a cloud computing type of connectivity (i.e. storing and accessing data over the Internet), Peer-to-Peer (P2P) computing (interconnected communication among peers, i.e. automated vehicles) allows for increased safety and improved efficiency of communication, and reduces the need for infrastructures.
The Third Panel discussed how Artificial Intelligence (AI) will change current transport systems. All the speakers built their discussions on the benefits of automated driving discussed by the previous panellists. Furthermore, they focused mainly on the possible risks to individuals from the deployment of AI. They assessed such risks in terms of security (protection from cyber-attacks), personal data protection (privacy concerns) and social economic externalities (loss of jobs in the car industry or transportation sectors).
The Fourth Panel focused on the relationship between connected vehicles and automated driving. The panellists discussed the co-dependency of connectivity and automated driving: having accurate communication systems among vehicles is crucial for the development of automated driving systems on a larger scale. David Holecek, Director of the Connected Products and Services Division at Volvo Car Group, concluded that connectivity, autonomous driving and AI are the cornerstones that will develop the concept of fully autonomous cars rather than autonomous driving in the future.
The Fifth Panel concluded the session by focusing on the cybersecurity threats to automotive systems. The speakers discussed the consequences that connectivity has in terms of individuals’ security in particular. Based on an interconnected system, automated vehicles operate in a constantly-hostile environment, susceptible to hackers’ attacks, resulting in financial cyber ransom, car theft and loss of control over the vehicle.
The 47th WEF Annual Meeting, which took place in Davos-Klosters, Switzerland, on 17‒20 January, brought together leaders from across business, government, international organisations, academia, and civil society, to discuss several digital policy issues.
The future of the digital economy was an overarching theme for many sessions, exploring aspects such as the digital transformation of industries, the fourth industrial revolution and its implications (in areas such as gender equality and jobs), steps for shaping national digital strategies, the need for shared norms and rules for the digital economy, and trust-based collaboration among stakeholders. Security and crime in the digital era were part of the discussions, with a focus on multistakeholder approaches for tackling cybercrime, the cyber resilience of critical infrastructures, cyberwar and forms of manifestation, and terrorism in the digital age. During the meeting, WEF launched a report on Advancing Cyber Resilience: Principles and Tools for Boards. Prepared in collaboration with the Boston Consulting Group and Hewlett Packard Enterprises, the report outlines a series of principles and tools for companies to tackle cybersecurity risks and ensure the resilience of their information infrastructures.
The advancements in the field of Internet of Things (IoT) and artificial intelligence (AI) were also looked at during this year's WEF meeting, as participants explored policy implications and outlined the need for principles and standards to ensure that IoT and AI products bring benefits to society as a whole, while minimising the risks (in areas such as social inclusion, privacy, and security). Trustworthy online information, a topic that has attracted a lot of attention lately, was also discussed, with a focus on possible modalities for balancing freedom of expression with the need to educate users on how to differentiate between real and misinformation.
In addition to contributing their views to these and many other discussion tracks, WEF participants used the meeting as an opportunity to launch new initiatives and agree on future actions. In one such example, major financial service providers (e.g. Mastercard, Visa, and Paypal), global IT and telecom companies (e.g. Ericsson and GSMA), and intergovernmental organisations (e.g. the United Nations Development Program and the United Nations High Commissioner for Refugees) agreed on six principles on public-private cooperation aimed at facilitating digital cash payments in crisis-affected populations.
As has been the case at many other high-level events recently, the Agenda for Sustainable Development also featured high in Davos. On a more general level, world leaders discussed the challenges of globalisation and the increasing anti-globalisation trends. Many of the debates revolved around the need to identify modalities for reforming the governance of globalisation processes, with a view to improving them and making them better suited to contribute to global growth and development.
The 2017 United Nations Office at Geneva (UNOG) and the Geneva Centre for the Democratic Control of Armed Forces (DCAF) seminar discussed the topic of Violent Extremism Online – A Challenge to Peace and Security. The three-hour session started with an introduction by Mr Michael Møller, Director General of UNOG concerning the importance of eradicating violent extremism online as a challenge for peace and security. As he indicated, the risk to further violence arises and the Internet needs to be protected from terrorist attacks. He also mentioned the crucial role of the next Internet Governance Forum (IGF), to be held in Geneva in December 2017, in the fight against violent extremism online which would be, as he stated, ‘a major opportunity to tackle the issue in the International Geneva’.
Mr Adam Deen, Senior Researcher and Head of Outreach at the Quilliam Foundation, the first speaker of the session, focused his presentation on the ideology and the underlying reasons which led to the creation of the Islamic State (ISIS). As a former member of an Islamist extremist organisation himself who utilised universities for recruitment, he perceives the creation of ISIS as a logical result of 20 years of hidden groupings all over the world which today broadly use the Internet for the recruiting process. He also considers that the use of the Internet for recruitment purposes is a strong advantage for terrorists, given its anonymity, its interactivity which spreads contagious ideas faster, its accessibility, and, most importantly, its inexpensive fees.
Deen underlined the strong power of online interactivity which helps terrorists to easily provide their own religious instruction, reports from battles, interpersonal communications, threats against western countries, and pictures of the daily life of a terrorist with the aim of normalising them and creating a sense of belonging and camaraderie. According to research carried out by the Quilliam Foundation, approximately 1000 pieces of media content are provided each month by ISIS. He added that most of the content focuses on mercy, redemption, and camaraderie, notions that are already strongly present within the Muslim community and exploited by ISIS through personal grievances used to manipulate the recruits and increase the sense of belonging. He regrets that the interactivity as such also contributes to a form of clustered discourse which leads to extremism, since there is no time given for debate and for ideas to evolve.
One of the main highlights of Deen’s speech concerned the dehumanisation of the victims which, as he stated, is also part of the ideology supported by ISIS. He explained that the ideology as such creates a barrier between believers and non-believers and rationalises the violence. In his opinion, this facilitates the preparation of attacks and eradicates a possible mutual coexistence between believers and non-believers since the recruits do not see themselves as part of a society as a whole but as part of a transnational community that stands out from the rest of the world.
Deen’s speech also focused on the concept of pre-propaganda, which in his opinion forms the root of the extremism we face today and the main reason behind the creation of ISIS. In his own words, ‘ISIS did not create extremism, extremism created ISIS.’ He said we cannot count on the disappearance of ISIS to put an end to the ideology. In his opinion, the ideology as such needs to be made irrelevant or obsolete.
For the second part of the session, the panel on Violent Extremism Online was moderated by Ms Anne-Marie Buzatu, Deputy Head of Public-Private Partnerships Division at DCAF, who underlined the importance of practical solutions to put an end to the development of ISIS and violent extremism online.
Ambassador Kok Jwee Foo from the Permanent Mission of Singapore to Geneva stated that we live in a fragmented world which also allows the establishment of sophisticated and violent transnational communities such as ISIS to propagate a message and pursue a political goal. He added that Singapore has also been confronted by recruits willing to join ISIS and underlined that the battle against ISIS concerns everyone and needs to be addressed by multiple stakeholders. Part of his speech focused on the diversity of Singapore and the need to establish concrete policies to preserve the common space and to ensure an openness to all religions. He stressed that deepening multi-racial and multi-religious harmony is a never-ending endeavour.
In an effort to ensure inclusion and counter extremism, two policies have been established in Singapore. The Religious Rehabilitation Group (RRG) was launched in April 2003 by the Muslim community and academics to combat misinterpretations promoted by self-radicalised individuals and those in support of ISIS through media content. SG Secure is an initiative put in place by the Ministry of Home Affairs to promote community vigilance, cohesion, and resilience against global terrorism on the rise and to apply concrete measures. One of these measures consists of visiting every single home in Singapore to raise awareness of security and to encourage families to participate in this programme. Ambassador Foo concluded by underlining the importance of such policies and the need to find the right balance between security, freedom of expression, and international cohesion.
The second panellist, Mr Adam Hadley, Project researcher and associate at the ICT4Peace Foundation, presented an overview of the foundation’s activities, findings, and recommendations on counter-terrorism. As part of its activities in 2016, phase one analysed threats regarding the use of technology by terrorists and scoped out practical measures. Three global workshops were organised to include various stakeholders from the private and public sectors. The outcome report, published in December 2016, entitled Private Sector Engagement in Responding to the Use of the Internet and ICT for Terrorist Purposes, provides an overview of the current threat assessments, emerging or potential threats, and responses from technology companies involved in several initiatives such as the Global Network Initiative (GNI) based on United Nations and human rights principles. The initiative targets four areas in particular: development of guidance systems, building of training capability and legal teams, cooperation with Internet referral units (IRUs), and investment in counter-narrative to support civil society.
Another important point in Hadley’s speech concerned the active role of technology companies such as Facebook, Microsoft, and Twitter which publish transparency reports and deliver information about requests for the takedown of online content from governments all around the world. He also stressed the urgent need to create frameworks respecting human rights and mentioned some concerns about the legitimacy of the private sector and the capacity of small companies to develop policies to challenge the use of the Internet by terrorists.
Several recommendations have been established by the ICT4Peace Foundation including the will to build on existing initiatives, to support dialogue regarding a normative framework through a multistakeholder approach, to encourage coordination, to establish global knowledge sharing and a capacity-building platform focused on policy and practice, to build the capacity of small tech companies, to support data-driven research on effectiveness, and to promote digital literacy. The conclusion of the speech focused on the foundation’s plans for 2017, which provide for the inclusion of more stakeholders in the fight against violent extremism online and the establishment of a platform which aims to share global knowledge on emerging practices, norms, standards, and policies that have been developed on the subject matter.
The final speaker, Mr Mark Stephens, International Human Rights Advocate, CBE, and Independent Chair of the Board of Directors of the GNI, presented the work of the GNI which brings together ICT companies and investors willing to forge a common approach to freedom of expression online. The GNI focuses on two elementary human rights - freedom of expression and the right to privacy - principles that are designed to protect citizens and to prevent any serious consequences of a breach of these rights. Stephens added that one of the GNI’s main concerns is the impact of laws which would tend towards improper protection of freedom of expression. This concern led to the development of various recommendations from the GNI regarding consistency with human rights norms that governments should respect, including the fact that human rights’ restrictions should be established in a clear and precise law that is proportionate and necessary. He added that governments should not impose liability on intermediaries.
In the second part of his speech, Stephens stressed the role of ICT companies and the fact that most of them are more restrictive and efficient in their policies than parliaments are in their laws. He concluded by stating that the true challenge is that the issue at stake is larger than companies or governments; this also underlines a need for international cooperation between stakeholders in the protection of essential rights such as freedom of expression and the right to privacy.
The panel discussion was followed by a Q&A on the proper use of terms such as ‘Islamic’ which can be misused, the role of different stakeholders in the fight against ISIS, and the importance of tackling the issue with concrete measures to promote tolerance and coexistence between religions.
The handbook, structured around 10 major challenges in big data security and privacy, gives an overview of best practices that should be followed by big data service providers to fortify their infrastructures. For each of the 100 best practices presented, an explanation is given of why the practice should be followed and how it can be implemented.
The guide explores risks and opportunities associated with the Internet of Things, and provides a framework with recommendations for securing the IoT.
The set of guidelines contains recommendations on how to mitigate security threats and weaknesses in Internet of Things services. It includes guidelines for service ecosystems, endpoint ecosystems, and network operators.
The tutorials are intended to provide Internet users with a better understanding of the online and mobile threats, including spam, malware, malicious websites, spyware, etc.
The document provides guidelines for public and private organisations when planning and organising the selection and validation of smart city technologies. It describes the types of testing and assessments to consider in order to select the most secure vendors and technologies.
The report provides an overview of the Internet security threats landscape in 2014.
The document provides guidance for the secure implementation of Internet of Things (IoT)-based systems. It provides an overview of IoT security challenges and threats to individuals and organisations, and outlines several security control mechanisms that could be used to mitigate such challenges and threats.
The fact sheet is intended to explain DNSSEC in simple terms.
The page provides brief monthly reports on online threats such as spam, web attacks, malware, and phishing.
A series of best practices and white papers produced by the Messaging Malware Mobile Anti-Abuse Working Group, and aimed at providing the technology industry, as well as users, with recommendations and background information to improve messaging security and address online, mobile, and telephony threats such as spam, malware, etc.
The Best Practice Forum (BPF) on cybersecurity was an opportunity to link various communities, and mainly focused on discussions about the multistakeholder process (Best Practice Forum on Cybersecurity - Creating Spaces for Multistakeholder Dialogue in Cybersecurity Processes) and again looked at how to define cybersecurity from various perspectives (Best Practice Forum - Cybersecurity). Several other sessions also shared useful experiences from developing countries in capacity, especially with regard to Computer Emergency Response Team (CERT) capabilities (Cybersecurity - Initiatives in and by the Global South - WS26) and awareness-raising campaigns (What Makes Cybersecurity Awareness Campaigns Effective? - WS113).
The role of the technical community and the private sector was outlined in assisting the implementations of cyber-norms and confidence-building measures by the UN, regional organisations, and governments. While the IGF was seen as the place to encounter all stakeholders, and the proposal made that a dedicated (possibly even main) session is scheduled at IGF 2017, it was suggested that the Internet governance community meets the security community within the framework of the Global Conference on Cyber Space (GCCS) in 2017, with support of the Global Forum on Cyber Expertise - GFCE (NetGov, Please Meet Cybernorms. Opening the debate - WS132).
The contribution of cybersecurity to economic development and the overall SDGs was recognised, and the roles the OECD and World Bank could play were emphasised (How do Cybersecurity, Development and Governance Interact? - WS115). The need to incentivise the Internet industry in implementing high Internet standards was noted, and the GFCE was suggested as a forum for discussion (Building Trust and Confidence: Implement Internet Standards - WS240). Security of the IoT was underlined, as was the strong link between human rights and encryption (On Cybersecurity, Who Has Got Our Back?: A Debate - WS196). A clear link between cybersecurity and human rights was reiterated throughout several sessions, and particularly by the contributions of the Freedom Online Coalition - FOC (Open Forum: Freedom Online Coalition - OF27).
As the demands of ICT-related SDGs need to be met with capacity-building initiatives, cybersecurity was identified as one of the eight core digital skills people need in the twenty-first century. Internet Governance, Security, Privacy and the Ethical Dimension of ICTs in 2030 (session 150) suggested that the interpretation of vast amounts of information and big data that Internet of Things (IoT) will bring could result in an innovative multi-trillion-dollar economy. Examples of solutions that can both boost the economy and increase security were raised in From Cybersecurity to ‘Cyber’ Safety and Security (session 172); these included the use of social media for managing disasters.
Ensuring trust in cyberspace through collaboration between governments, the industry, and users was outlined as fundamental for utilising economic opportunities necessary for fulfilling the SDGs during discussions in Action Line C5 (Building Confidence and Security in the Use of ICTs) - National Cybersecurity Strategies for Sustainable Development (session 120). Such cooperation in the area of cybersecurity, however, should be built on trust between the public and private sectors. A Trusted Internet Through the Eyes of Youth (session 151) warned that trust on the Internet is highly fragmented due to the diverse interests of stakeholders, and especially due to surveillance programmes. Multistakeholder dialogue and shaping policies by consensus were mentioned as ways to strengthen mutual trust.
When it comes to practical suggestions for improving cooperation in cybersecurity, panellists of session 120 also suggested cooperation in incident response that can include both compulsory and voluntary reporting on cyber-incidents. Session 170 on The Contribution IFIP IP3 Makes to WSIS SDGs, with an Emphasis on Providing Trustworthy ICT Infrastructure and Services invited companies to invest more in education, professionalism, and security. Providing good quality legal and technical information and data to decision-makers was added to the list of suggested measures by the discussants of session 172.
Various emerging risks were also discussed in several sessions. Session 172 raised concerns about the emerging face of terrorism which increasingly uses new technologies including commercial drones.
Session 150 warned that big data should be accompanied by ‘big judgment’ and awareness of communities of the risks of ‘uberveillance’ - becoming possible due to brain-to-computer interfaces (BCIs) and sub-dermal implants - that can have an irreversible impact on society. On the other hand, session 120 commented on encryption as a useful concept that can enhance individual security, and suggested that law enforcement agencies can benefit greatly from other digital evidence.
With a rise in cybercrime and a sharper focus on cybersecurity by policymakers worldwide, it is no surprise that the issue was discussed at great length during the IGF 2015. Cyberattacks, which are on the rise and are evolving with the growth in infrastructure, mobile money transfers, and social media, affect the economic growth and sustainable development of many countries. The real economic cost of cyberattacks is considerable. However, as the discussion during Managing Security Risks for Sustainable Development (WS 160) concluded, it was hard to identify and calculate the cost of each cyberattack due to multiple tangible and intangible effects, with one of the consequences being the limited availability of global statistics on cyberattacks.
With regard to cybersecurity strategies, the speakers made reference to the OECD’s recommendation on Digital Security Risk Management for Economic and Social Prosperity which seeks to ensure that risk management is considered an important facet when decisions are made on digital issues. They said, however, that existing cybersecurity strategies are too focused on technology and are missing the human element. In Commonwealth Approach on National Cybersecurity Strategies (WS 131), the speakers agreed that cybersecurity should be tackled by governments in partnership with the private sector, regulators, and other governments. It requires legal frameworks, the use of technology to enforce cybersecurity, harmonisation of regional laws, and cooperation among states to tackle cross-border cybercrime.
The issue of trust (as well as other issues, such as privacy and freedom of expression, which are discussed below) was a main theme that intersected with security. Discussed predominantly during the main session dedicated to Enhancing Cybersecurity and Building Digital Trust, the panel agreed that multistakeholder approaches and private-public partnerships should be used to address the challenges. ‘If you want total security, go to prison’, said one panellist. On the other hand, surveillance and censorship cannot be used to justify cybersecurity. Surprisingly, a panellist in Cybersecurity, Human Rights and Internet Business Triangle (WS 172) revealed that 80% of actionable intelligence comes from publicly available resources.