Draft of the new Chinese cybersecurity law posted by the National People's Congress, also seen as strengthening cyberspace sovereignty.
Cybersecurity is among the main concerns of governments, Internet users, technical and business communities. Cyberthreats and cyberattacks are on the increase, and so is the extent of the financial loss.
Yet, when the Internet was first invented, security was not a concern for the inventors. In fact, the Internet was originally designed for use by a closed circle of (mainly) academics. Communication among its users was open.
Cybersecurity came into sharper focus with the Internet expansion beyond the circle of the Internet pioneers. The Internet reiterated the old truism that technology can be both enabling and threatening. What can be used to the advantage of society can also be used to its disadvantage.
Today, the cybersecurity framework includes policy principles, instruments, and institutions dealing with cybersecurity. It is an umbrella concept covering (a) critical information infrastructure protection (CIIP), (b) cybercrime, and (c) cyberconflict.
As a policy space, cybersecurity is in its formative phase, with the ensuing conceptual and terminological confusion. We often hear about other terms that are used without the necessary policy precision: cyber-riots, cyberterrorism, cybersabotage, etc. In particular, cyberterrorism came into sharper focus after 9/11, when an increasing number of cyberterrorist attacks were reported. Cyberterrorists use similar tools to cybercriminals, but for a different end. While cybercriminals are motivated mainly by financial gain, cyberterrorists aim to cause major public disruption and chaos.
Cybersecurity is tackled through various national, regional, and global initiatives. The main ones are described below.
At national level, a growing volume of legislation and jurisprudence deals with cybersecurity, with a focus on combating cybercrime and, increasingly, on the protection of critical information infrastructure from sabotage and attacks resulting from terrorism or conflicts. It is difficult to find a developed country without some initiative focusing on cybersecurity.
At international level, the ITU is the most active organisation; it has produced a large number of security frameworks, architectures, and standards, including X.509, which provides the basis for the public key infrastructure (PKI), used, for example, in the secure version of HTTP(S) (HyperText Transfer Protocol (Secure)). The ITU moved beyond strictly technical aspects and launched the Global Cybersecurity Agenda. This initiative encompasses legal measures, policy cooperation, and capacity building. Furthermore, at WCIT-12, new articles on security and robustness of networks and on unsolicited bulk electronic communications (usually referred to as spam) were added to the ITRs.
A major international legal instrument related to cybersecurity is the Council of Europe’s Convention on Cybercrime, which entered into force on 1 July 2004. Some countries have established bilateral arrangements. The USA has bilateral agreements on legal cooperation in criminal matters with more than 20 other countries (Mutual Legal Assistance in Criminal Matters Treaties (MLATs)). These agreements also apply in cybercrime cases.
The Commonwealth Cybercrime Initiative (CCI) was given its mandate by Heads of government of the Commonwealth in 2011 to improve legislation and the capacity of member states to tackle cybercrime. Dozens of partners involved with CCI assist interested countries by providing scoping missions, capacity building programmes, and model law outlines in the fields of cybercrime and cybersecurity in general.
The G8 also has a few initiatives in the field of cybersecurity designed to improve cooperation between law enforcement agencies. It formed a Subgroup on High Tech Crime to address the establishment of 24/7 communication between the cybersecurity centres of member states, to train staff, and to improve state-based legal systems that will combat cybercrime and promote cooperation between the ICT industry and law enforcement agencies.
The United Nations General Assembly passed several resolutions on a yearly basis on ‘developments in the field of information and telecommunications in the context of international security’, specifically resolutions 53/70 in 1998, 54/49 in 1999, 55/28 in 2000, 56/19 in 2001, 57/239 in 2002, and 58/199 in 2003. Since 1998, all subsequent resolutions have included similar content, without any significant improvement. Apart from these routine resolutions, the main breakthrough was in the recent set of recommendations for negotiations of the cybersecurity treaty, which were submitted to the UN Secretary General by 15 member states, including all permanent members of the UN Security Council.
A series of blog posts which explore the main dilemmas surrounding the Apple-FBI case. In these posts, three fictitious characters, Privarius, Securium, and Commercias talk about encryption, privacy, and security.
This blog post outlines trends and main actors in cybersecurity capacity building.
The latest edition of the glossary, compiled by DiploFoundation, contains explanations of over 130 acronyms, initialisms, and abbreviations used in IG parlance. In addition to the complete term, most entries include a concise explanation and a link for further information.
The book, now in its sixth edition, provides a comprehensive overview of the main issues and actors in the field of Internet governance and digital policy through a practical framework for analysis, discussion, and resolution of significant issues. It has been translated into many languages.
The paper, elaborated by Microsoft, proposes a three-part organising framework for the cybersecurity norms dialogue: offensive norms, which are applicable to nation-states and concern self-restraint in the conduct of cyber operations; defensive norms, which are relevant to both governmental and non-governmental actors and address defensive measures against nation-state activities in cyberspace; and industry norms outlining industry’s role in mitigating the risks facing technology users from nation-state activity in cyberspace.
The study looks into how much of a role security and privacy played in people’s decisions to use a mobile instant messenger.
The paper, elaborated by Microsoft, recommends six cybersecurity norms with the intention of reducing the possibility that information and communications technology (ICT) products and services are used, abused, or exploited by nation states as part of military operations.
The paper presents the results of an analysis of ten web standards with respect to two generic security goals: new web mechanisms should not break the security of existing web applications, and different newly proposed mechanisms should interact with each other gracefully.
The study provides an overview of the international dialogue on establishing norms of state behaviour and confidence-building measures (CBMs) in cyberspace. It offers a comparative analysis of the leading international and regional political documents outlining cyber-norms, CBMs to reduce conflict stemming from the use of ICT, and capacity-building efforts to strengthen co-operation on cybersecurity. It discusses how they could further influence each other, and notes several specific directions that further developments could take.
The report outlines predictions of the development of the technology, media, and telecommunications sectors in 2017. It covers issues such as: biometric security, distributed denial of service attacks, self-driving vehicles, 5G networks, machine learning, and Internet of Things as a service.
The report provides a snapshot of the state of deployment of DNSSEC as of the end of 2016. It addresses two main aspects of DNSSEC deployment: DNSSEC signing (how many zones are signed using DNSSEC and have a chain of trust back to the DNS root), and DNSSEC validation (what recursive resolvers support DNSSEC, and how many clients are using DNSSEC-validating DNS resolvers).
This technical report analyses the compatibility or complementarity of the Council of Europe Convention on Cybercrime (Budapest Convention), and the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention), in order to facilitate support to African countries in the reform of their legislation on cybercrime and electronic evidence. The report is based on a study by Zahid Jamil for the GLACY+ (Global Action on Cybercrime Extended) Project.
The report provides an overview of the US Department of Commerce’s policies in the field of digital economy over the course of the Obama administration. It covers areas such as: management of the Domain Name System, privacy and security online, innovation and emerging technologies, and access and skills.
The report, prepared by the Global Commission on Internet Governance, outlines a series of recommendations to policy makers, private industry, the technical community and other stakeholders on modalities for maintaining a ‘healthy Internet’. It tackles aspects such as: the promotion of a safe, open and secure Internet, human rights for digital citizens, the responsibilities of the private sector, safeguarding the stability and resiliency of the Internet’s core infrastructure, and improving multistakeholder Internet governance.
The report, based on a survey of 1200 IT decision makers, looks at trends in the adoption of cloud computing within enterprises, and it explores issues related to cloud security (cloud security technologies, encryption, data loss prevention, etc.).
Read the executive summary of the report.
Cyberspace has become an essential component of modern society, yet its merits are accompanied by threats. The number of reported cyber-incidents has increased the need to build cybersecurity competences, especially for protecting the critical infrastructure.
The study Cybersecurity Competence Building Trends, conducted by DiploFoundation’s researchers Vladimir Radunović and David Rüfenacht, analyses measures that ten OECD member states have applied to promote competence building in the field of cybersecurity. The study was commissioned by the Federal Department of Foreign Affairs of Switzerland.
The increasing dependence of the corporate sector on the Internet has also created a demand for qualified labour, which is being recognised by states as a possible driver for employment, economic growth, and global competitiveness. All the studied countries are developing the means to transform their national labour markets to meet this changing environment.
Eight dominant cybersecurity competence-building trends were identified in the study, and clustered within two categories:
The first category includes measures such as: governmental support for university programmes; regional partnerships between research labs and multinational companies, aimed at increasing the country’s or region’s competitiveness in global cybersecurity markets; partnerships between universities and state security institutions; and university labelling programmes aimed to better correlate the curricula with the needs of public institutions.
One key trend in the second category is the collaboration between public institutions and professional certification bodies, leading to a soft standardisation of the minimum knowledge and ability requirements for cybersecurity personnel.
Other trends include: measures to improve the competences of the private sector, especially small and medium enterprises and operators of critical infrastructure; cybersecurity training for decision-makers, managers, and senior executives; as well as the development of cybersecurity-related job descriptions, and the definition of the required knowledge training for such jobs.
The study concludes by saying that the identified trends lead not only to the development of national competences for responses to cyber-threats, but also to the consolidation of cutting-edge cyber-industries that increase the competitiveness of states in the global cyber-markets.
This report analyses threats, attack patterns, and common strategies used to attack Internet of Things technologies employed in the automotive industry.
The study analyses the different approaches the EU member states take to protect their critical information infrastructures, and makes recommendations to EU member states and the European Commission on how to improve critical information infrastructures protection (CIIP) in the European Union.
The report analyses a number of global risks (such as tensions between countries, unresolved crises, terrorist attacks, cyber fragilities), and looks into how these could evolve and interact in the next decade. The breakdown of critical information infrastructure and networks and large scale cyber-attacks is included among the most concerning global risks for 2016.
The document, produced as part of the IGF 2015 inter-sessional work, looks at misconceptions around the role and responsibilities of Computer Security Incident Response Teams. It also provides successful examples of new forms of cooperation and outreach that CSIRTs could engage in, in order to be better heard within the wider Internet governance community.
The report outlines several predictions for technology developments in 2016. It focuses on: 5G, big data, Internet of Things, the customerisation of software, and market convergence.
This report examines and documents evolutions and emerging opportunities and challenges in the digital economy. It provides a comprehensive overview of the digital economy, including matters of infrastructure, policy, net neutrality, development, privacy and security.
This report focuses on mobile Internet, its trends and growth, benefits, challenges and recommendations.
The report provides an assessment of Internet security and best practices for mitigating online threats (malware and botnets, phishing and social engineering, attacks against domain names and IP addresses, mobile and voice threats, threats associated to hosting and cloud services, and online harassment).
The report measures the level of cybersecurity development of ITU member states, with a focus on five areas: legal measures, technical measures, organisational measures, capacity building, and international cooperation.
The study explores current and future security challenges facing enterprise and government organisations in the Internet of Things market.
The report argues that cyber capacity building is crucial for development. It outlines challenges to implementation and identifies indicators of success and failure.
Individual chapters in this brief report focus on developing capacity in cyberspace, human rights in cyberspace, strengthening cybersecurity capacity, growing cyber resilience, countering cyber poverty, and cybersecurity capacity building.
The document, produced as part of the IGF 2014 inter-sessional work, provides an overview of the roles and responsibilities of Computer Security Incident Response Teams (CSIRTs), and looks at both accomplishments and challenges facing their activities.
The moderator, Mr Jean Yves Art, Senior Director, Strategic Partnerships, Microsoft, introduced the panellists and said that Microsoft is proposing a Digital Geneva Convention:
1. To protect civilians against state-sponsored cyber-attacks
2. To assist the private sector to detect and respond to cyber-attacks on companies’ infrastructure
3. To protect companies from states launching cyber-attacks using the companies’ infrastructure
4. To set up institutions to identify the sources of cyber-attacks
H.E. Monique TG van Daalen, Ambassador Extraordinary and Plenipotentiary Permanent Representative of the Kingdom of the Netherlands to the United Nations and other international organisations in Geneva, gave a state perspective on the Digital Geneva Convention. The economies of states rely on the Internet more and more. Highly digitalised countries want to keep the Internet open. The Netherlands wants to enhance security on the Internet through international cyber diplomacy. Van Daalen said that Microsoft’s efforts are greatly appreciated in the Digital Geneva Convention debate. But Van Daalen pointed out that the name could bring confusion because to some, it could mean that the 1949 Geneva Convention is no longer valid. With regard to the proposed Digital Geneva Convention, Van Daalen expressed appreciation for Microsoft’s efforts, but noted that it will be a cumbersome process to debate such a convention. Van Daalen also pointed out that the Netherlands remains committed to the principle that the rights people enjoy offline must also apply online.
Mr Laurent Gisel, Legal advisor at the International Committee of the Red Cross (ICRC), highlighted that the ICRC is responsible for the development of international humanitarian law. The ICRC’s wish is to see that emerging issues be captured in international law to reduce suffering, since new weapons in warfare pertain to technology.
Cyber-attacks used today are criminal acts. Cyber warfare is as much of a concern as any attack on humanity. The use of cyber-attacks on transportation systems, hospitals, and other critical infrastructures can result in great human casualties. Cyber operations can endanger humans, and the ICRC backs Microsoft’s proposal for international law.
Throughout the 2017 edition of the Geneva Peace Week, it became clear that digital technology has important implications for conflict prevention, albeit in two distinct and contradictory ways. Some sessions identified the ways in which digital technology can assist in the prevention of conflict. They highlighted the potential of e-commerce, big data, artificial intelligence (AI), and geographic information systems. Yet, at the other end of the spectrum, there was a focus on the ways in which digital technologies have given rise to increased threats. How to respond to the risk of cyberconflict? What will happen if new technologies, such as big data and AI, are used for the wrong purposes?
Opportunities for conflict prevention
One of the opportunities posed by digital technology is in the realm of e-commerce. With the launch of the e-caravan for peace, the International Trade Centre and the Permanent Mission of Japan showed that e-commerce can advance economic empowerment, including that of women and migrants in conflict situations. Trade in war zones can be a force for good, and e-commerce can allow for the integration of disempowered communities in the economy.
Gaming is another emerging avenue of contribution to conflict prevention. UNITAR presented its recently developed peacekeeping game Mission Zhobia. Throughout the game, skills and knowledge can be developed and tested in the safe environment of a simulated game. By training on issues such as conflict analysis, engaging stakeholders, building trust and adapting to new challenges, the game teaches key competencies for peacebuilding.
Emerging technologies may have extensive potential in untangling the complexity in which conflicts are embedded. Big data could provide real-time, objective information to conflict analyses and early warning systems, and the visualisation of big data could provide clarity on conflict patterns. Geographic information systems and satellite data – which could be considered one of the earliest forms of big data – can provide important insights in early warning systems and the utility of open source-based information was also discussed. Yet big data can be complex, biased and multi-interpretable, and their collection can give rise to data protection concerns that need to be taken into account. AI systems have turned out to be effective in tackling well-defined problems; nonetheless, their utility in complex settings and social contexts has so far remained limited.
Threats to conflict
One of the recurring themes during the Geneva Peace Week was the search for an appropriate response to the risk of cyberconflict. One initiative was brought forward earlier this year by Microsoft’s President Brad Smith, who proposed a Digital Geneva Convention. The utility of such a convention was discussed during one of the roundtables at the opening of the Geneva Peace Week. Discussants agreed that challenges brought by digitalisation require new norms and regulations. However, due to the important role of non-state actors in cyber warfare and the key concerns regarding the responsibility of the private sector, a Digital Geneva Convention might not be able to solve the key issues.
Further building on this topic, the session on ‘Preventing cyber conflicts: Do we need a cyber treaty?’ discussed, among other things, whether the existing legal framework is sufficiently equipped to deal with cyber threats. The panellists agreed that any new convention needs to be drafted with the participation of all the stakeholders and that governments need to take action to address vulnerabilities and externalities. Another session tackled a particular cyber challenge – the creation of a safer Internet for children, dealing with the development of a strategy to combat sexual violence against children.
The topic was concluded with a keynote lecture by Smith, who explained the rationale behind the proposed Digital Geneva Convention, relating it to the history of the establishment of the ICRC and the Geneva Conventions. His keynote was followed by a panel discussion with humanitarian and human rights perspectives and comments from the participants and online audience.
Besides the Internet as we know it today, emerging technologies are giving rise to new threats as well. Big data risks leading to mass surveillance and AI could empower lethal autonomous weapons systems. The face of war and conflict prevention will continue to be affected by technology, highlighting the need to continue the discussion on how to mitigate technology threats while promoting technology as a conflict prevention tool.
The roundtable discussion, moderated by Dr Roxana Radu, Manager at the Geneva Internet Platform and Internet Governance Associate at DiploFoundation, was part of the World Café Reception marking the start of the Geneva Peace Week.
Background: The global Internet regulation is in an ambiguous situation. On one hand, international law applies online, including rules on state responsibility, territorial integrity, non-intervention, and self-defence. On the other hand, there is no agreed practice nor rules on how to apply these rules to Internet disputes. The fast-growing cybersecurity challenges require faster action at an international level. Several calls were made by governments (such as those in the UN GGE) and by the private sector to start a discussion around the norms of behaviour in cyberspace. Among the latter was the recent proposal by Microsoft for a Digital Geneva Convention, which should ‘commit governments to avoiding cyber-attacks that target the private sector or critical infrastructure or the use of hacking to steal intellectual property’. According to this proposal, the Geneva humanitarian conventions provide inspiration for considering the tech sector as neutral, similarly to medical personnel in war zones.
Q1. Is a Digital Geneva Convention needed? Will it solve the issues?
There is a need to have rules for applying existing international law to online matters as well as introducing new rules whenever there are gaps. The open question is whether such rules can be introduced by a Digital Geneva Convention. The predominant view was that such an instrument is not realistic to adopt in the current international atmosphere. Some discussants argued that it is not even desirable. Since cybersecurity conflicts are likely to increase, there will be increased pressure to have some solutions at an international level. The session discussed some alternative solutions that could address two challenges: increase the clarity of applying existing international law and introduce new implementation mechanisms. One solution is the so-called Montreux process for the application of international law to private military and security companies present in an armed conflict, which apply existing rules (humanitarian law) via a multistakeholder implementation mechanism.
Courts are likely to fill this lacuna in global digital governance. For example, the Court of Justice of the European Union has created rules on mass-surveillance, the right to be forgotten, and privacy. Courts are applying rules that were formulated 20-25 years back and may not reflect today’s reality. The challenges of digitalisation – exposing all sectors to rapid tech transformations – make it urgent to agree on norms.
The perceived exceptionalism of the tech sector (limited or no regulation) is increasingly challenged and Microsoft’s initiative appears as a pre-emptive move. Many questions arise around the intent of this proposal, the target audience and the substantive provisions. Participants pointed out that many issues are left out of the discussion, in particular questions of bioweapons further powered by digital innovations, excessive collection and control of data for cybersecurity, as well as the responsibility and accountability of the private sector in these discussions. Relatedly, the increasingly asymmetrical nature of cyber warfare and the role of non-state actors were emphasised, raising doubts about the extent to which a Digital Geneva Convention would solve the key issues.
Q2. Geneva is the world’s humanitarian capital. What can the emerging digital policy field learn from the long history of humanitarian protection?
The Geneva Convention established the standards of international law for humanitarian treatment in war, and the International Committee of the Red Cross (a Swiss non-profit association) was founded as the custodian for the strict implementation of the treaties of the Convention. If we are to have a Digital Geneva Convention as proposed by Microsoft, what existing or new international organisation could take on the role of monitoring the implementation of the convention? The tech sector cannot be treated as neutral when it has vested interests and owns the Internet infrastructure. The participants in the roundtable also expressed concern around the uneven rates of Internet penetration around the world and the position of developing countries in the Digital Geneva Convention discussion. The scale and speed of technological developments should be considered in the approach to the convention, which applies in times of cyber-peace rather than cyber-war. Distinguishing between offensive and defensive attacks in cyberspace and adopting a citizen-centred perspective would also be imperative in order to substantiate the debate.
Welcoming attendants, Dr Roxana Radu, Programme manager, Geneva Internet Platform (GIP), introduced the main idea behind the event: to move cybersecurity discussions from an abstract level to a practical, solution-oriented one, away from politicised and ideological angles. This event is part of the Geneva Digital Talks series initiated on 12 October and co-organised by the Canton of Geneva, digitalswitzerland, and the GIP. Several focused discussions are planned in this series, including dedicated events later in the month on peace and jurisdiction. The spirit of these discussions is open and interactive. Co-organising the event, the Geneva Centre for Security Policy (GCSP) shared the vision for the event. Dr Gustav Lindstrom, Head of the Emerging Security Challenges Programme, GCSP, moderated the first session, focused on current vulnerabilities in cybersecurity.
Mr Martin Dion, Vice President of EMEA Services, Kudelski Security, began by criticising attempts to predict cybersecurity trends. Such predictions, he argued, are based on flawed security reference models, which reflect a lack of understanding within the system. Drawing on three cases (WannaCry/Petya ransomware; Mirai Botnet; and Equifax/Deloitte breaches), Dion maintained that there is a disconnect between the real problem and how it is perceived. The affected companies spent considerable resources on their security; yet, all attacks could have been avoided by fairly simple measures, such as security patch updates. This, he posited, evinces a cognitive gap. Cybersecurity is conceived as an issue of confidentiality, but is acted upon as a matter of service availability (‘if you have a heart attack, does your privacy matter?’). Inflating the problem, technological solutions continue being developed, to the point of market saturation. However, scientific innovation should not be the main goal. A security system is as strong as its weakest link, and these are its users. To illustrate his provocation, Dion gave one idea and one fact. First, he believes that privacy is ‘an older issue’, since the new, digitally native generation, ‘doesn’t care about privacy’. Second, he stated that there are six times more jobs (90,000) than cybersecurity graduates (15,000) in the United States, his company’s biggest market. These examples, he argued, indicate that we need to address the issue of cybersecurity at its feeblest points: individually and socially.
Ms Päivi Tynninen, Researcher, Threat Intelligence Unit, F-Secure Labs, divided her presentation into three parts. First, she discussed recent supply chain attacks, such as the spy network detected by Operation Cloud Hopper, Petya/NotPetya, and the hacking of CCleaner. While explaining Avast’s inability to notice the latter, she noted that since ‘these attacks target organisations through the most vulnerable parts of their supply network, this makes it difficult, even if you are within the industry, to detect threats’. Next, Tynninen assessed the vulnerability of devices connected to the public Internet system, citing the Mirai and ReaperIoT botnets. She also presented original research on information breaches: two-thirds of the stolen data concerned personal information, while the remainder pertained to credit card data. Furthermore, parsing the 30-odd breaches that happened to large companies within the last ten months, Tynninen shared estimates that 90% of them resulted from misconfigurations and years of delayed security updates. Finally, she analysed the issue of spam, observing that, in 2014, it represented two-thirds of the world’s email traffic. As an example of spammers’ ability to falsify sender addresses, she gave the John Podesta leaks. Because he responded to a fake Gmail password update request, hackers were able to invade his account. To conclude, Tynninen stated that ‘the Internet is not fit for non-secured services’.
In the ensuing Q&A, speakers were first asked to summarise their recommendations. Dion emphasised the distinction between being a target and being a victim of an attack, exhorted netizens to acknowledge their responsibility (and not just their governments’) concerning their security, and proposed that ‘we do the basics’ when it comes to cyber prevention. Likewise, Tynninen also highlighted the need for proper ‘basic hygiene’. She focused on the matters of restricting the upload of unnecessary data and taking the issue of security clearances seriously. Then, the presenters fielded questions on the importance of structural solutions; how regulatory efforts (in particular the EU General Data Protection Regulation) can increase cybersecurity; how big the risk of interstate cyberwar is; and, if the issue cannot be solved immediately, why society should be concerned about it.
The third session of the Geneva Digital Talks (GDT) ‘Preventing Cyber Conflicts: Do We Need a Cyber Treaty?’ was also part of the Geneva Peace Week – a collective action initiative facilitated by the United Nations Office at Geneva (UNOG), the Graduate Institute of International and Development Studies (IHEID), and the Geneva Peacebuilding Platform, in collaboration with the Swiss Confederation.
Dr Jovan Kurbalija, Director of DiploFoundation and Head of the Geneva Internet Platform, welcomed the audience by contextualising the discussion: this event built upon Microsoft president Brad Smith’s call for a Digital Geneva Convention ‘to implement international rules to protect the civilian use of the Internet’.
Dr Eneken Tikk, Senior Advisor at ICT4Peace, launched the panel discussion by stressing that facing existing cybersecurity challenges requires most importantly a mentality shift: technological, legal, and political solutions are ineffective if we fail to keep in mind that such solutions also affect society: ‘peace cannot be indoctrinated but it needs to be discussed as a mentality, as a climate’, she stated. She further considered that the nature of a possible agreement on cyberconflict needs to be specified. According to her, the discussion should first consider that ‘convention’ as a concept does not simply designate a treaty among states parties, but rather it encompasses a social dimension because after all, it is a social contract. In other words, ‘Do we need a convention? Yes. Do we need a treaty? Not sure’, she affirmed. She further considered that the need for a binding legal agreement depends mostly on whether the existing legal framework is lacking in addressing the issue at stake. The answer to this question requires a cyberconvention feasibility study considering, firstly, the kind of methodology to be chosen (either qualitative or quantitative approach – or both – when current norms are inapplicable) and, secondly, a multidisciplinary approach looking at the different aspects at stake from different points of view (e.g. legal, technical, political) in order to avoid ‘silos-thinking’.
Ms Anne-Marie Buzatu, Deputy Head of the Public-Private Partnerships Division at the Geneva Centre for the Democratic Control of Armed Forces (DCAF), stressed the importance of a multistakeholder approach to the drafting of the convention. As an example, she referred to the Montreux Document on Private Military and Security Companies signed in 2008 by over 70 countries, upholding the respect of international humanitarian law and human rights law whenever private military and security companies (PMSCs) are present in armed conflicts. Although non-binding, the document is the result of a multistakeholder effort that produced an accountability mechanism through a certification and monitoring process for PMSCs vis-à-vis their relation with governments. She concluded that applied to cyber governance, the ‘Montreux approach’ would result in ensuring an effective control of all actors involved, i.e. giving governments, information and communications technology (ICT) companies, and users, an equal seat at the discussion table in order to develop codes of conduct and mutual legal assistance agreements.
Dr Richard Hill, independent consultant, concluded the session by considering the vulnerability of the existing computer software used by governments in order to fight terrorism. He warned against the stockpiling of the so-called ‘zero-day exploit’ vulnerabilities by governments, i.e. the time between the discovery of a breach and when it is fixed. For example, the WannaCry ransomware attack originated from a leaked NSA stockpile. Hill welcomed Microsoft’s proposal on the grounds that it calls for governments to take action in order to address vulnerabilities and externalities. Joining the previous speakers, Hill praised the need for an agreement but highlighted that this does not necessarily entail the need for a new text, because such a convention could be seen as a complement to the existing International Code of Communication of the International Telecommunication Union.
Mr Andy Bates, Executive Director, United Kingdom, Europe, Middle East & Africa, Global Cyber Alliance, introduced the Global Cyber Alliance, and then stated how cybercrime has overtaken normal crime in terms of economic value. Despite the increasing economic risk of cybercrime, he argued that ‘cybercrime is just crime’, pointing out that it is crime adapting to modern tools. In his opinion, the responses should not basically differ too much from the measures taken to address other forms of crime. He highlighted that cybercrime is usually serial in nature, with many criminals potentially using the same vulnerability and being repeat offenders. He discussed the human psychological aspect in the context of phishing and spoofing emails as well as structural issues with the Internet.
He presented a tool called DMARC, which enables individuals and companies to register domains that then establish a handshake between actors to monitor email trustworthiness. In addition, he presented the Internet Immune System, a blacklist given to top level Internet service providers (ISPs) to track pages which contain malware. He argued that ISPs should work towards cleaning up the Internet for individuals.
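For readers unfamiliar with the mechanism, the following added example (not part of the session or of any Global Cyber Alliance tool) sketches how a receiving mail server applies DMARC as specified in RFC 7489: it reads the policy the sender's domain publishes in DNS and checks whether the visible From domain aligns with a domain that passed SPF or DKIM. The records and messages are constructed, and the two-label organisational-domain rule is a simplifying assumption; real implementations use the Public Suffix List.

```python
"""Simplified DMARC evaluation (RFC 7489): policy parsing plus identifier alignment."""


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None  # the version tag must come first
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep:
            return None  # malformed tag without '='
        tags[key.strip().lower()] = value.strip()
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return None  # a policy is mandatory
    return tags


def org_domain(domain):
    """Assumption: organisational domain = last two labels (no Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(msg, record_txt):
    """Return (dmarc_result, disposition) for one message against one published record."""
    tags = parse_dmarc(record_txt)
    if tags is None:
        return ("no-policy", "none")
    frm = msg["from_domain"]
    spf_ok = msg["spf"] == "pass" and aligned(frm, msg["spf_domain"], tags.get("aspf", "r"))
    dkim_ok = msg["dkim"] == "pass" and aligned(frm, msg["dkim_domain"], tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")  # one aligned, passing mechanism is enough
    policy = tags["p"]
    # A subdomain of the organisational domain uses the 'sp' policy when one is published.
    if frm.lower() != org_domain(frm) and "sp" in tags:
        policy = tags["sp"]
    return ("fail", policy.lower())


# Constructed DMARC records, as they would appear in the TXT record at _dmarc.example.com
RECORD_RELAXED = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@example.com"
RECORD_STRICT = "v=DMARC1; p=quarantine; aspf=s; adkim=s"

# Constructed authentication results for four messages
MESSAGES = {
    # Genuine mail: bounce address and DKIM signature both belong to example.com
    "legit": {"from_domain": "example.com", "spf": "pass",
              "spf_domain": "bounce.example.com", "dkim": "pass",
              "dkim_domain": "example.com"},
    # Falsified sender address: SPF passes, but only for an unrelated envelope domain
    "spoofed": {"from_domain": "example.com", "spf": "pass",
                "spf_domain": "mailer.example.net", "dkim": "none",
                "dkim_domain": ""},
    # Forwarded mail: SPF breaks at the forwarder, the aligned DKIM signature survives
    "forwarded": {"from_domain": "example.com", "spf": "fail",
                  "spf_domain": "forwarder.example.org", "dkim": "pass",
                  "dkim_domain": "mail.example.com"},
    # Falsified subdomain sender: falls under the subdomain policy (sp)
    "sub_spoofed": {"from_domain": "login.example.com", "spf": "pass",
                    "spf_domain": "example.net", "dkim": "fail",
                    "dkim_domain": "example.net"},
}

if __name__ == "__main__":
    for name, msg in MESSAGES.items():
        print(f"{name:12} relaxed={evaluate(msg, RECORD_RELAXED)} "
              f"strict={evaluate(msg, RECORD_STRICT)}")
```

The "spoofed" case shows why SPF alone does not stop a falsified From address: the message authenticates for its own envelope domain, and only the alignment check ties that result to the address the recipient sees.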
Lastly Bates outlined future scenarios, focussing mostly on the importance of sharing of information across private and public sectors, together with measures that would seek to prevent duplication. In addition to this he mentioned how reporting about cybercrime could be centralised. As a concluding remark he pointed out that individuals need to use common sense and intelligence when addressing cybercrime.
Dr Gustav Lindstrom, Head of the Emerging Security Challenges Programme, Geneva Centre for Security Policy (GCSP), gave a presentation which focussed on the issues and trends for future consideration in the field of cybersecurity. Firstly, he stressed that raising awareness needs to be a constant process. Due to its constantly changing nature, cybercrime should be seen as an emerging threat.
Lindstrom’s second point focussed on the key aspects of evolving technology and services which remain beneficial for us but also pose security challenges. He discussed many developments such as cloud computing, as the cloud is an attractive target for attacks. He described how the cloud can be used to hide malware. In addition to cloud computing, he mentioned how big data, through injecting false data, poses security threats in addition to the privacy issues. He also discussed the issue of 3D printing which can be used to circumvent existing measures, while providing potentially dangerous tools. Circumventing existing measures is also a risk posed by distributed ledger technologies. As a final aspect of this, artificial intelligence and machine learning, despite their ground-breaking advantages, run the risk of being misused and compromised.
The Internet of Things (IoT) can provide benefits, but it also opens the door for many new potential threats. Lindstrom pointed out how the shift in states’ cyber defence and offence poses a challenge. He argued that an increasing number of countries have developed capabilities to move from defence to offence, with roughly 30 countries having dual capabilities, but this number is hazy as is the boundary between defence and offence. As such, Lindstrom suggested, offensive cyber operations will likely increase and cyber weapons might be updated at a fast pace, especially in terms of delivery mechanisms. As a final point, while there are differences in state capabilities, all countries will try to seek to utilise zero-day vulnerabilities to their advantage. He then concluded his presentation by pointing out the increasing role of the private sector in the field, which is not only due to financial aspects but also due to the proliferation of public-private partnerships.
As a practical contribution to a more secure Internet, Prof. Adrian Perrig, Computer Science Department, ETH Zurich, presented his team’s work on the ‘Scalability, Control and Isolation on Next-Generation Networks’ (SCION) architecture. He elaborated on his comments on the previous panel, in which he disagreed with other speakers that humans were the weakest link in cybersecurity and emphasised the relevance of sovereignty matters in light of the ability of a few select (state and business) actors to implement kill switches against entire nations. Perrig illustrated his point with the case of the cyberattack Estonia suffered in 2007. In a more recent example, three weeks ago a Google employee in Japan made a mistake. As a result, ‘half of the country was down for 40 minutes’. If even an honest mishap like that can cause a complex Internet structure such as the Japanese to lose half of its digital capabilities, ‘then we have a problem’.
SCION, Perrig maintained, comes to solve this issue. It was built ‘to ensure the creation of areas of sovereignty where external entities cannot access and thereby disrupt connections’. Its basic approach is to use isolation domains, with routing across a number of autonomous systems. Before SCION was launched, the Border Gateway Protocol (BGP) was the only one to operate accordingly. Nonetheless, BGP was subjected to attacks such as prefix hijacking, to which SCION is much more resistant. This happens because SCION’s multi-path routing allows users to not only have a greater selection of paths, but also to control them. Moreover, multi-path routing enables users to prevent the transfer of any data packets from networks that are unauthorised by them. So, even when hackers may have all the necessary information on a particular network to launch an attack, they will be unable to do it, unless their network is authorised.
Showcasing the SCION team’s accomplishments, Perrig mentioned ETH’s partnership with SWITCH, the Swiss national research and educational network. Such endeavor allowed other Swiss universities to enjoy the benefits of the architecture. All that is needed is a special router, which can be installed in 5 minutes. SCION’s dedicated visualisation system can be accessed from a machine as straightforward as a Raspberry Pi. Currently, SCION is present in over 40 campuses around the world. In addition, SCIONLab has already shipped another 50 routers to other universities, in Switzerland and abroad. Another landmark is that one Swiss bank has already changed one of its branches’ network to SCION. These developments evince that, not unlike the replacement of regular phones with smartphones, users have begun to perceive the benefits of SCION in comparison with other network architectures.
To conclude, Perrig challenged the reasoning that humans are the weakest link in cybersecurity. To him, only people can make certain decisions regarding technology with political implications. Nonetheless, the issue lies in the fact that ‘if you make it easier, it will be less effective’. Therefore, it is up to experts to adopt solutions that are both secure and user-friendly.
The ensuing Q&A covered topics such as: whether wide-scale adoption of SCION will demand scalar change in Internet architecture (no, the SCION router is all that is needed, Perrig responded); how SCION differs from a firewall (it is an ‘implicit firewall’); the energy efficiency of SCION (it spends 5% less than regular networks, despite being more secure); what incentives users of regular networks have to change to SCION (more secure and path-aware network architecture). Lastly, summarising the benefits of the architecture, Perrig compared cyberattacks to weapons such as missiles, positing that their effects on SCION would be as harmful as ‘a squirt gun’.
The moderator, Dr Jovan Kurbalija, Founding Director of DiploFoundation and Head of the Geneva Internet Platform, highlighted the dichotomy between technological and policy fields in the cybersecurity domain. He then moved on to present the speakers.
Prof. Kavé Salamatian, Computer Science Department, University of Savoie and Senior Researcher, Castex Chair of CyberSecurity, IHEDN Paris, spoke about the semantic difference between cyber-strategy and cybersecurity. When people refer to cybersecurity, they are talking about stability and the status quo through maintenance of existing systems. As security is a more exclusive process, he prefers to use the term cyber-strategy, which, in technological terms, seeks to create measures rather than implement them. Professor Salamatian then pointed out the need to reduce the arrogance and lack of respect between the technical and policy fields of cybersecurity. He recommended this be done by increasing multi-disciplinary and other interactions between the fields, while increasing each other’s knowledge about the other’s field.
Prof. Solange Ghernaouti, University of Lausanne, and Director, Swiss Cybersecurity Advisory and Research Group, stressed the importance of multidisciplinary research and teaching. She said that it is important to incorporate social, economic, and wider policy issues related to the technological aspects and vice-versa. Professor Ghernaouti finished by pointing out that the existing problems in funding and organisations should be addressed while also looking at the importance of cybersecurity in the humanitarian field.
Mr Laurent Ferrali, Director, Government and IGO Engagement, Geneva Office, Internet Corporation for Assigned Names and Numbers (ICANN), stated that ICANN seeks to address the issue of silos by translating business and technological language to governments and vice versa. He emphasised that there is a need for better understanding of the big picture in cybersecurity but that, even with better understanding and threat assessment, the individual and technological issues form the weakest links in the cybersecurity chain. As such, there needs to be greater awareness and education about wider cyber hygiene, as we will not have full technological solutions until there is an increase in education. He finished by describing how ICANN needs to be developed to increase coordination, and to bridge the gaps between stakeholders.
Prof. Adrian Perrig, Computer Science Department, ETH Zurich, stated that sovereignty remains the central question in terms of ownership of computational technology. He said that private companies have far-reaching powers to change the rules of the Internet. Governments, however, with increasing cyber-offensive capabilities, have ‘indirect kill-switches’. To address these issues, there need to be technological changes as the current encryption used actually enables the existence of kill-switches. Perrig argued that non-technical issues might not in fact be the weakest link because there are technological measures that enable the placing of humans into the centre of coordinated decision-making in a safer ‘neighbourhood’ or environment.
In the lively discussion, the debate ranged from issues of cyber citizenship to blockchain. Salamatian emphasised the need to re-frame the issues around the interactions and connections between the real and the digital worlds. He also pointed out that we need to have kill-switches in case something goes wrong, with which Perrig agreed while advocating the need for transparency and accountability in their governance. He also pointed out that blockchain is not currently a solution to governance because of issues in the logic of majority. Salamatian and Ghernaouti concluded that there remains a need for further governance and regulatory measures as governments increasingly seek to assert control over the Internet.
The moderator then ended the debate after thanking the audience and panellists.
The ICANN60 Annual General Assembly Meeting had several sessions focusing on Domain Name System (DNS) abuse and mitigation. The first two workshops (WS 1 and WS 2), organised by Mr David Piscitello, Vice President, Security and ICT Coordination, ICANN, were held under the theme ‘How It Works: DNS Abuse’. Piscitello’s presentations explained various ways cybercriminals are using DNS fraud, hijacking via phishing, social engineering, and data breaches, and gave examples of the most prominent cases such as Avalanche and how it was tackled. Piscitello underlined challenges faced by law enforcement agencies, such as jurisdiction, lack of common criminal law, and the slowness of Mutual Law Enforcement Assistance, as criminals operate at Internet pace. Addressing privacy concerns as well as security, he pointed to alternatives such as tiered access to personal data. He mentioned another cause of security vulnerabilities: developers repeating their peers’ previous mistakes, such as continuing to use lax configurations.
The Domain Abuse Activity Reporting (DAAR) system, which uses public, open, and commercial sources such as DNS zone data, WHOIS data, and reputation blocklists (RBLs), was the focus of the ‘Abuse Reporting for Fact-Based Policy Making and Effective Mitigation’ cross community session. DAAR and its planned open data initiative’s goal of ‘providing data to support community, academic, or sponsored research and analysis for informed policy consideration’ was discussed. Mr Rod Rasmussen, incoming chair, Security and Stability Advisory Committee (SSAC), stated that although the technological aspect of abuse (e-mails, browsers, firewalls detecting abuse in seconds) was solved, the policy aspect was not. He mentioned the use of reverse engineering domain name generators and observing the results to identify abusive users. Piscitello underlined this point, saying that a system able to identify which policies worked and which did not was needed. The benefits of opening DAAR data to the public were listed as historical trend analysis, flagging registrars who are not responsive to abuse reports, contractual compliance reporting, and providing data for efficient policy making. Ms Tatiana Tropina, cybersecurity expert representing the Non-commercial User Constituency (NCUC), drew attention to the limited mission of ICANN, the dangers of blurring lines between DNS and content abuse, and risks related to self-policing by the domain name industry instead of law enforcement. Another participant stated that the data DAAR will open to the public was aggregate and could not be used for contractual compliance.
Ms Denise Michel, Business Constituency (BC), drew attention to data showing new generic top-level domains (gTLDs) experiencing 10 times higher abuse than legacy gTLDs, and stated that ICANN is planning to introduce a policy addressing this. How abuse reporting can support registries and registrars in their prevention and mitigation efforts was among the key questions discussed.
‘GAC discussion on DNS Abuse Mitigation’ was the final session of the annual meeting related to DNS abuse. Updates and action points of the Public Safety Working Group (PSWG) were presented to government representatives. The implications and possible benefits the DAAR and its planned open data initiative could have for domain names hosting child abuse material were among subjects flagged by Italy, the UK, Iran, and Australia’s GAC representatives.
The launch of the Geneva Digital Talks series – organised by the Canton of Geneva – gathered around 80 representatives from the technical, governmental, business, not-for-profit and academic communities. The speakers included representatives from the Canton of Geneva, the International Committee of the Red Cross (ICRC), the EPFL’s School of Computer and Communication Sciences, Deutor Cyber Security Solutions, the Federal Department of Foreign Affairs (FDFA), the University of Geneva, FONGIT (Geneva's high-tech start-up incubator), and the Geneva Internet Platform (GIP). The key messages of the launch event revolved around the need to understand cybersecurity in a multidisciplinary way.
At the start of the discussions, we were reminded that Geneva is, above all, a platform of dialogue and a place for finding sustainable solutions. Moreover, Geneva has a reputation as an ecosystem for stakeholder engagement, where the digital discussions can be people-focused.
Security is key to modern societies, but it was not originally built into the Internet. Addressing it now is comparable to repairing a plane while flying it. To understand the issue, the discussions followed the journey of an Internet data packet that crosses national borders, that is vital to digital economy and innovation, and is ultimately crucial in high-level negotiations impacting a number of sectors.
The interplay between the Silicon Valley as a place of technological development and social disruption, and Geneva as a constructive, human rights-oriented policy space, set the tone of the discussion. Recent calls from the private sector to advance discussions on a cyber treaty, brought forward the need to have a shared understanding of the vulnerabilities, issues and prospects of cyberspace. If a cyber incident amounts to a kinetic attack, international law applies, but for everything in between, there is a ‘grey zone’, just as there is for a distinction between ‘civilian’ and ‘military’ in digital terms. Previously, key conventions have been negotiated with the involvement of non-state actors in equally sensitive fields, such as the Biological and Toxin Weapons Convention or the Chemical Weapons Convention.
On its journey, the Internet data packet is first tested physically: the integrity and correctness of the code are essential, as there is no bug-free software or liability for software in place. While we are getting better at writing and verifying software in safety-critical applications, trust in the ability of others, who are unknown to us, to fix it is gradually eroding if we can no longer distinguish between good and bad intentions.
To diminish the risks of interference and misuse, the Internet data packet should be protected by a community that understands infrastructure, relevant technology and invests in security. Suggestions were made to eliminate the prevalent ignorance and complacency about security, also distinguishing between IT security and cybersecurity. The latter concerns a criminal network with a goal. Effective co-operation needs to include users (to notify about breaches) and providers (to react to vulnerabilities or breaches) working together. Regulation can also be used as a carrot to incentivise and a stick to sanction those who do not comply, thus increasing the overall level of security.
When it comes to the framework for state action, different instruments are currently deployed. In addition to the guidelines provided by the UN Group of Governmental Experts in their 2015 report (11 voluntary norms), international law, and in particular the UN Charter, includes provisions on the use of force, the interference in the domestic affairs of states, the peaceful means to solving conflicts, but also, self-defense. International customary law covers state responsibility, even when using proxies, and due diligence for international wrongful acts that apply to digital space. In international humanitarian law, if the kinetic dimension is reached in cyberattacks, cyber means amount to armed conflict. Moreover, the human rights obligations of states apply online, as they do offline (e.g. freedom of expression). Confidence building measures, such as the ones put forward by the Organisation for Security and Cooperation in Europe (OSCE), represent additional means to strengthen collaboration at the global level. With this multi-layered framework in place, it is important to build awareness and strengthen the capacity of states to understand and apply it before new binding rules are discussed.
When discussing the attribution of risk and responsibility, there is a danger of substantive fragmentation: we have global technologies, but local laws and there is an overlap of regulations and sets of conflicting norms, that may be detrimental or counterproductive. The question here is whether we can move from the Geneva Digital Talks to policies, or even to the Geneva Digital Courts to address the needs of regulators. As the birthplace of international arbitration, Geneva has a unique role to play in the attempt to solve Internet-related disputes.
From a digital economy perspective, the Internet data packet has recently been carrying more and more sensitive records, including health and personal data, or social security information. With the advent of the Internet of Things (IoT), we will move from cyber to digital security in a much broader sense. Every second, 95 passwords are stolen around the world, showing that security by itself is no longer enough. There is a need to move from security by reaction to security by interaction. The Internet giants that operate most online services need to be brought into the conversation about norms, key responsibilities and regulation.
The Geneva Digital Talks will continue with a series of events in the build-up to the Internet Governance Forum. The focus of the GDT will be set on the following aspects, identifying key competencies available in Geneva: technological, legal, social and political.
More information on the GDT and online exchanges can be found here: https://www.giplatform.org/geneva-digital-talks.
The objective of the session was to discuss the meaning of digital citizenship; define the level of e-accessibility, obstacles, and risks; and explore issues such as the creation of secure digital identity and of a borderless digital society.
The moderator of the session, Ms Birgy Lorenz (PhD, Scientist at Tallinn University of Technology Centre for Digital Forensics and Cyber Security (project Cyber Olympic)), presented the Estonian digital society model.
Mr Alex Wellman (Head of Marketing, Estonia Investment Agency), elaborated on Estonia’s e-residency programme, the advantages for business, the benefits from digitalization, and the difference of the initiative from countries providing tax benefits.
Ms Clara Sommier (Analyst, Public Policy & Government Relations, Google) emphasised the importance of accessibility for all in a digital society, along with the openness of the Internet, finding your voice online, and the ability to empower the disadvantaged and get them in the mainstream.
Ms Sandra Särav (PhD candidate at University of Lausanne, Switzerland) stressed that trust is the key to digital citizenship. She also emphasized the need for global citizenship.
Ms Marianne Franklin (PhD, Professor of Global Media and Politics, Goldsmiths University of London, UK and the Co-Chair of the Internet Rights and Principles Coalition at the IGF) noted that migrants, refugees, and asylum seekers need to be considered when discussing citizenship. It is important to define the digital citizen and to understand the issues holistically. She questioned whether digitisation or citizenship comes first. Franklin believes that the design of any digital framework for citizenship is critical and should not be restrictive. She emphasised the importance of design of the systems and the importance of having alternatives in order to avoid overreliance on one system. On the question of cross-border digital citizenship, it is important, she said, for countries to agree on some underlying principles.
To address the issue of digital skills of older people, Mr Haris Kyritsis (Greek Safer Internet Centre youth panel) shared the example of youngsters having digital skills, teaching older generations how to use this platform. Sommier suggested using a blend of online and offline options. Särav emphasised showing and teaching elders how to use the Internet.
Mr Raed Yakoub (Research Associate at Goldsmiths, University of London) added that there may be different ways in which a group of people may be discriminated against owing to requirements for different identification and authentication documents than the ones they have. He proposed creating e-societies and e-residents as ways to encourage inclusion.
There was also a discussion between Särav and Wellman on the advantages and disadvantages of having a single identity to stop digital threats.
On the question of the possibility of setting up a scrutinising body to ensure citizen data is not abused by any government, Särav suggested the need to recognise cross-border interoperable services while Sommier suggested sharing only legitimate data with governments on a case-by-case basis.
Responding to the question of youth participation and their lack of trust in government, Sommier noted that e-participation is important, but that a suitable space needs to be created so that the voice of the youth can be heard. Such an initiative she believes needs to be taken at the political level. Kyritsis believes that digital citizenship can be an option to engage the youth. Franklin added that participation needs to be encouraged in many ways and on many levels. Having youth role models was also a suggestion.
Responding to the question as to what would be the perfect digital society, Särav suggested the existing one, as there cannot be anything which is perfect; for Kyritsis, it is one where privacy and security issues are addressed; for Sommier it is when the Internet is open and everybody can access it safely. Wellman suggested looking at things from a higher level, while Franklin will be satisfied when citizenship is defined as inclusive participation and success is measured in terms of inclusion of the disadvantaged in society.
Ms Oliana Sula (Lecturer at Faculty of Business, Universiteti "Aleksander Moisiu" Durres) summarised the discussion, stating that the Estonian model can be termed as a best practice. She noted that models need to be customised and there is a need to make different systems more interoperable. Models should define digital citizenship and distinguish it from digital residency as well as define digital inclusion and how to address the disadvantaged to improve digital participation and regulating competition.
Members of the At-Large Advisory Committee (ALAC) and the Regional At-Large Organisations (RALO) leadership discussed policy and process issues related to the At-Large Community, which represents the interests of end-users.
The two-part session was chaired by Mr Alan Greenberg (Chair, ALAC).
Speaking in a private and personal capacity, Mr Göran Marby (Chief Executive Officer and President, ICANN) shared his experience from Sweden regarding the topic of universal connectivity. He gave a short background on Sweden and said that 100 years ago, Sweden was one of the poorest countries in the world, but has since become one of the richest, with a high living standard. Unlike its neighbours, Sweden was not invaded during the Second World War, which means that its industry was not affected by the war. That is when they started manufacturing and doing things together, and the country thrived.
When he worked at the Swedish telecom and postal regulator, Marby's and his team’s main obligation was to provide connectivity. There is a regulation in Sweden that states that everyone must have access to the Internet. By the time he left the post, only 250 households out of 4.5 million lacked connectivity. This was attributed to the Swedish Broadband Forum, which Marby referred to as a ‘turning point’. Participants were encouraged to come up with a strategy for the Domain Name System (DNS), IPv6 and other related topics if they were to succeed in universal connectivity. Marby also talked about the Fibre to the village concept, which targeted 280 municipalities. About 170 municipalities funded their own fibre connections and built them themselves. He added that people tend to fund projects or give money when there are benefits. On the issue of spectrum and who it belongs to, he said that they decided that it was an asset to the people, and that its value should go back to the people. He said that first, they needed to increase or maintain competition, and second, they needed to use it to get coverage. These two points would ensure that they get the money. Currently 80% of Sweden has mobile coverage; the remaining areas which are not covered are places like national parks and reserves. Marby's advice is to do things together, as a joint effort: ‘you have to sit with people and work with them’ in order for the project to succeed.
The meeting went on to discuss the At-Large Summit (ATLAS) III that will take place in March 2019 in Kobe, Japan, during ICANN64. ATLAS is a global general assembly, held once every five years. The first ATLAS was in Mexico City in March 2009, the second was in London in June 2014. Session attendees were tasked with thinking of criteria for selecting participants for the 2019 ATLAS. There were also discussions about the fact that many At-Large Structures (ALSes) seem not to be active, and that there is a need to make them so. Additionally, members agreed that newcomers should be encouraged to participate while other already active participants should get funds to attend the summit.
Mr Patrik Fältström (Chair, Security and Stability Advisory Committee (SSAC)) gave an update on the SSAC's activities. According to its charter, SSAC focuses on advising the ICANN community and Board on matters relating to the security and integrity of the Internet’s naming and address allocation systems. Expertise of the committee ranges from addressing and routing, to DNS, DNS Security Extensions (DNSSEC), domain registry/registrar, DNS abuse, etc. Since 2002, the SSAC has produced 97 publications in the form of reports, advisories, and comments. Outreach is a major function of the SSAC.
Currently, the SSAC is looking into name space issues, harmonisation regarding Internationalized Domain Names (IDNs), organisational review – external and internal, and rate limiting issues, among others. Fältström also shared current and future milestones, which include contributions to the Work Stream 2 (WS2) of the Cross Community Working Group on Enhancing ICANN Accountability (CCWG Accountability). WS2 was launched after the Internet Assigned Numbers Authority's (IANA) stewardship transition, to continue addressing ICANN accountability topics. Work Stream 1 (WS1), finalised before the transition, focused on mechanisms enhancing ICANN accountability, which were required to be in place or committed to within the time frame of the transition.
Regarding security concerns of end users, especially since At-Large represents the interest of end users, Fältström said that digitalisation of society is happening, things are moving to the cloud, and there is business evolution. These things require Internet Protocol (IP) addresses. He thinks that there is not as much effort being put into building a robust Internet, as there is in building applications and solutions. Fältström finished by saying that DNSSEC is important for ICANN.
Mr Göran Marby, CEO and President, Internet Corporation for Assigned Names and Numbers (ICANN), delivered the final keynote speech of the tenth edition of EuroDIG. Marby reflected back on the time he lived and worked in Tallinn, and said that Estonia has made noteworthy progress since then. According to him, it was the power of the Internet that made the fast positive change over the last twenty years possible.
EuroDIG 2017 brought up the timely discussion on how we use the Internet, reminding us that it is not a natural resource, but one that the whole community has to take care of. In 2016, ICANN and the Internet Society celebrated the twenty-fifth birthday of the Internet and the progress end-users experience today. Marby focused on several points correlated with the discussion during the event.
First, he emphasised that partnerships and the multistakeholder model are at the centre of ICANN’s work and provide for the interoperability of the Internet. The Internet needs of one end-user differ from those of another, and only interoperability can provide co-operation.
Second, in order to protect this interoperability, Marby stressed the importance of technology and the underlying functionality that enables the operation of the Internet. ‘We are not the Internet, but we are what controls it’, Marby said. In regards to technical operability, he mentioned the importance of the Domain Name System Security Extensions (DNSSEC), and reminded the audience about 11 October 2017 as a milestone for ICANN, when the new Key Signing Key (KSK) rollover will take place.
Third, Marby addressed the negativity surrounding the current discussion on the Internet, and reminded us of its positive sides. ‘The Internet is not done’, Marby noted, and expressed ICANN's goal of connecting an additional 1.5 billion users worldwide with the current 4 billion connected users. In his view, the key for the future of the Internet is recognising the users' local needs. The future Internet will be both local and global, Marby concluded. Lastly, he reminded us once again that the Internet is not a natural resource, and has to be updated, mended, and fixed all the time by the whole community.
The President of Estonia, Ms Kersti Kaljulaid, started the conference with welcoming remarks. She noted that we are all connected – by optical cables and computers – but mostly by our faith in human development and freedom. We believe in free and fair elections, the rule of law, an independent judiciary, and human rights and freedoms. In modern society, free Internet is fundamental as it affects culture, the economy, communications, governance systems, and international relations.
Nonetheless, security should not be used to restrict the freedom of expression since security and freedom are not mutually exclusive, she emphasised. Securing online interactions is a precondition for enjoying Internet freedom. She gave the example of Estonia which balances between security and freedom through providing a network of public and private e-services based on a secure online identity. The country is also proud to be, as per Freedom House, the first in the world in Internet freedom.
Kaljulaid highlighted that today, much of the world’s commerce and communications pass through the Internet and hence the benefits of e-services outweigh the investment costs to create and maintain them. Estonia provides effective e-services that save 2% of the GDP. In this regard, she further referred to the World Bank 2016 report, which underscored that connectivity does not inevitably result in digital dividends. Digital technology transforms societies if supplemented by policies that support digital adoption.
Finally, she mentioned that Estonia will take over the EU presidency soon. The presidency has a strong digital agenda that focuses on strengthening the single digital market, increasing solutions for cross-border e-services, and facilitating strategic discussion among member states, as a cybersecurity strategy is expected in 2017.
The President of Lithuania, Ms Dalia Grybauskaite, commenced by noting that digital society is more competitive and democratic because it allows citizens to express their opinions. However, it remains a tool for European integration, and competitiveness depends on the political will to integrate. ‘A lot of people look to us because we should not only lead, but also help other countries. We have many events in this area and we hope that they do not only demonstrate our knowledge but also our willingness to introduce all areas of our life including digitisation and Internet’, she alluded. Europe is used to living in this environment, but it is also realistic about the threats entailed. Such risks should be challenged, not only through military exercises and deterrence, but through developing capacities and being innovative, competitive, integrated and knowledgeable. She finally said that she hoped that the Estonian presidency will take the lead on that.
The final remark was made by Ms Sandra Hoferichter, Secretary General, EuroDIG Association, who provided an overview of the history of the Internet policy dialogue in Europe. In 2008, EuroDIG was one of the first initiatives to discuss Internet governance after the establishment of the global IGF. What started as the idea of ten enthusiastic individuals in a café in Paris, four months later led to a meeting hosted by the Council of Europe, to discuss the potential of this dialogue. Now, there are more than twenty national and regional Internet governance initiatives across Europe, committed to the multistakeholder model.
In her talk, she noted that although many governments in Europe and around the world are committed to multistakeholderism, it is not considered to be the model of the future and forums like this are sometimes questioned vis-à-vis the impact they make. In many parts of the world, legislation is made without consultations with the relevant stakeholders. The digitisation in our life sometimes happens without an option to opt out. Yet, most users do not really see the need to be engaged in Internet governance. It is thus the aim of EuroDIG to raise awareness of the challenges ahead and to facilitate discussions, but not to finalise them. Over the past years, the discussions at EuroDIG focused on the European digital single market and industry 4.0. However, recent developments have shown that some people fear the digital revolution that goes along with the loss of their workplace and privacy. Therefore, ‘we are here looking at the digital future from a different angle, to discuss the promises and pitfalls’, Hoferichter concluded.
The session, moderated by Ms Tatiana Tropina, Max Planck Institute for Foreign and International Criminal Law, and Mr Vladimir Radunović, DiploFoundation, focused on how security threats change the cybersecurity landscape and influence the perceptions and actions of different stakeholders. Tropina instigated the discussion by asking the panellists to pinpoint the cybersecurity challenges in their respective fields.
Ms Sally Wentworth, Vice President of Global Policy Development, Internet Society, provided a global perspective noting that in an increasingly compelled security environment, security could hinder interoperability and lead to potential fragmentation. The importance of laws and norms was emphasised by Ms Marina Kaljurand, Former Foreign Minister of Estonia, Chair of the Global Commission for the Stability of Cyberspace, who explained that governments should lead through a multistakeholder approach. In the same vein, Mr George Jokhadze, Cybercrime Programme Office, Council of Europe, identified key challenges: first, regulations, in terms of drafting new rules and laws but also applying old laws, such as the Convention on Cybercrime; second, awareness of law enforcement agencies and citizens; and third, international co-operation and collaboration with technology companies such as Facebook, Google, Microsoft. On the other hand, Ms Kaja Ciglic, Director, Government Cybersecurity Policy and Strategy, Microsoft, pointed out that the challenges are not specific to Europe, but they are global. On top of them is the security-centred approach, adopted by many governments. Additionally, basic security measures and awareness can help avoid some challenges and create tech-savvy citizens.
Radunović then put forward another question: who should protect cyberspace? The government, industry, technical community, and/or users? Mr Chris Buckridge, RIPE Network Coordination Centre, explained that there is no single answer. The government clearly has a role but they do not have the required technical expertise. This led Tropina to further ask: who should lead the multistakeholder model? She noted that during the CyCon 2017, it was said the governments are mastering cyberspace but not the protection of cyberspace. In response, Kaljurand underscored that cybersecurity is part of national security and hence citizens expect the state to handle that. However, it is a responsibility shared between governments (which have the biggest share), the technical community, industry, and civil society. But governments have to lead since it is the duty of governments to ensure security, the integrity of data, and authentication of people. Wentworth further asserted that leadership depends on the issue at hand. For example, the industry should lead on issues related to innovation and scaling networks to meet future demands.
When the floor was opened for discussion, the audience spoke about the role of government, but also the industry that should provide reliable products, and end-users who should be educated. Some explained that governments have a duty to provide protection and raise awareness. However, it was mentioned that some governments are not trustworthy, as they could represent a threat rather than provide protection.
To address the question of whether technology, regulation, or social contracts/norms can protect cyberspace, Ciglic pointed out that, on the one hand, the fast pace of technology challenges the capacity of governments to provide the necessary protection. On the other hand, security attacks harm businesses and hence more investment in security is important. Building trust in the online environment is therefore important for businesses to operate. Jokhadze added that cybersecurity is not only about protecting citizens, but equally about punishing wrongdoers.
Radunović asked: Do we need more regulations? In reply to this, Wentworth alluded to the possible tools to deal with security. Technology is constantly evolving and policy should also be evolving to address issues as they come up. In addition, consumers should demand security and privacy as their entitled rights. Tropina, however, argued that consumers do not demand security as they look for what is cheapest. Consumers thus need more security awareness raising. Finally, Kaljurand highlighted that experts have provided interpretations of international laws to cyberspace and hence governments have to decide how to take them forward. Ciglic noted that Microsoft has been active in international cybersecurity norms for five years, not focusing on content regulations but on limiting specific sets of government behaviour.
Opening the session, co-moderators Mr Dirk Krischenowski, dotBERLIN GmbH & Co. KG, and Ms Maarja Kirtsi, Estonian Internet Foundation/.ee, explained that the discussion will focus on issues related to innovation and competition on the domain name market, especially in the context of new generic top-level domains (gTLDs), launched by the Internet Corporation for Assigned Names and Numbers (ICANN) in 2014.
To kick-start the debates, Krischenowski gave an overview of a study conducted by ICANN on competition, consumer trust, and consumer choice in the domain name market. Some of the main findings of the study: new gTLDs contributed to the growth of the market; the sales channel integrated the new gTLDs quickly and led to much greater consumer choice; many new registrar operators entered the market, especially in former under-developed markets; the number of registry operators increased by a factor of 60; typical TLDs are niche, targeted, and geographic TLDs. Overall, the New gTLD Program has led to a dramatic increase in consumer choice, a modest increase in competition, and minimal impact on consumer trust.
Ms Elena Plexida, European Commission (EC), talked about the evaluation and revision process that the EC has launched with regard to the regulations for the .eu TLD. She explained that the .eu TLD was formally established by Regulation 733/2002, while EC Regulation 874/2004 set the rules for the registry and the .eu. The .eu TLD was delegated by ICANN in 2005. As the market has continuously changed, these regulations have become outdated, have generated administrative challenges and need a revision. Issues to be analysed during the evaluation process include: whether the .eu objectives have been achieved (to boost e-commerce and empower end-users to create a European digital identity), the legal separation between registry and registrars, whether the registry should be more active in other Internet governance areas (and how).
Mr Jörg Schweiger, DENIC e.G./.de outlined one issue of concern for the domain name industry: How to make sure that domains do not subsurface, in the sense that they exist from a technical point of view, but users are not really aware of them? The industry has been constantly looking for the ‘killer application’ to address this issue. He pointed out that one way to make domain names more attractive could be to build on the discussions about self-determination, sovereignty, and identity. The main objective of .de now is to retain as many domain names as possible, and that the direction the registry is growing in is not necessarily related to innovation per se, but rather to having a secure domain name space.
Ms Lianna Galstyan, Internet Society Armenia, said that the .am registry never had an objective to have a high number of domain name registrations, but rather, to give the community the possibility to register domain names under .am. The same rationale was also behind the launch of the Armenian Internationalised Domain Name (IDN).
Mr Ardi Jürgens, Zone Media OÜ, pointed out that domain names do not exist in a bubble; they are part of a system which includes resources and applications. A healthy growth in the demand for domain names could result in applications and people using domain names for creating value, either for them or society. In the search for a ‘killer application’, the industry should look at young people and try to find a way to create value for them within the domain name space. Compared to social media platforms, domain names have the main advantage of being under the control of the registrant, and this is something that the industry should try to communicate better.
Mr Andrea Beccalli, ICANN, discussed examples of innovation in the DNS, such as the new gTLDs, the introduction of IDN TLDs, and the DNS Security Extensions (DNSSEC). Even the community work on developing the rules and processes for the New gTLD Program can be seen as a form of innovation. Schweiger, however, argued that the new round of gTLDs does not necessarily mean innovation, as it was simply presenting what was on the market already – TLDs. Moreover, most business models surrounding new gTLDs are similar to what had been on the market before their introduction, with only a few exceptions.
Security in the domain name space was mentioned during the discussions as an area that deserves more attention. There are troubling correlations between new gTLDs and ‘innovation in crime’, and there are service providers who have blocked all new gTLDs from their servers due to security concerns. Innovation on the security front should be a priority for new gTLDs. Privacy is also an issue that requires increased attention, as users are more and more demanding in this regard.
The risk of cybersquatting was also raised as an issue of concern for new gTLDs, with regard to the protection of trademarks. It was said that the current protection mechanisms (such as the sunrise period allowing trademark holders to register relevant domain names, and mechanisms for rights enforcement post domain name registration) are helpful, but not sufficient. Such issues are currently analysed within the ICANN framework.
At the end of the session, a point was raised – that it is not actually clear what is innovative in the domain name space, as TLDs have been in place for many years and they are basically the same ‘technology’ or ‘tool’ that they have been since the creation of the DNS.
The objective of the session was to discuss the basic technical concepts which are the building blocks for cybersecurity discussions.
The session was initiated by the moderator, Mr Chris Buckridge, External Relations Manager, RIPE Network Coordination Centre (RIPE NCC), who stressed the need to understand the technical concepts at work in order to understand the building blocks for contributing to the cybersecurity discussions. In addition to the technical community, other stakeholders also need to understand what happens on the Internet and how it happens.
Mr Patrik Fältström, Manager Engineering, Research and Development at Netnod, Stockholm University, elaborated on the meaning of time, noting that the measurement of time is dependent on accuracy and precision. Based on requirement, organisations need to choose between accuracy and precision. He added that time stamps need to be accurate, especially for events happening in distributed systems. While new technologies such as 5G clocks need to be more accurate, there are challenges owing to the differences in time scales, even within the same time-zone.
Answering a question about Galileo, the global navigation satellite system, vis à vis the Global Positioning System (GPS), he clarified that the former is more modern, however it is very similar to the GPS system.
Responding to a question on the Netnod system, Fältström explained that the Netnod system does not allow access from outside, as redundancy is important for resilience when it comes to security issues.
Fältström explained the importance of replaceability, redundancy, and having multi-vendors that are informed on the way the system works. Moreover, consumers should have the option to choose which service or vendor they want to use.
Mr Marco Hogewoning, External Relations Officer – Technical Advisor, RIPE NCC, pointed out that while most people treat cybersecurity as a technical problem, it is much more than that. He added that although technology can secure the systems, there is a cost associated with building the systems and a need for willingness to apply the solutions. He further added that as cybersecurity is a broad subject, it needs the involvement of all stakeholders, even when the solutions are being designed. He further stressed the importance of looking outside the cause and complexity of cybersecurity, for a more simplistic solution.
Hogewoning indicated that laws today are mostly reactive, and it is important to invest in preventive security, educate people, build quality products and pay the price of the product. He went on to say that it is important for people to report cybersecurity breaches, in order for Computer Emergency Response Teams (CERTs) across the world to provide reports which are meaningful and functional and can help in the discussions.
Ms Marjolijn Bonthuis Krijger, ECP, reiterated that while technical skills are important, it is equally important to have knowledge about cybersecurity and to teach oneself, employees, community members, and young children about it.
Mr Peter Koch, Policy Advisor at DENIC, emphasised the need for standards. While the complexity in standards today leads to challenges in deployment and their misinterpretation, it is important to learn from mistakes and not repeat them.
He further stressed the fact that no software is bug-free today, especially as software has dependencies on the building blocks, which may have bugs that are harder to fix. Even operating system software has an option to review codes, and security software operating systems have been reported to have bugs. It is therefore important for organisations to invest money and manpower to review software in order to fix the bugs. Moreover, there should be an incentive among users to upgrade the existing versions. He also added that security is like an organisation and demands attention, and that the human factor should not be ignored.
One of the paradoxes of data society is that there is not enough data about data society itself. Numbers are used without the necessary rigor. For example, estimates of damage from cybercrime range from tens to hundreds of billions. The volume of e-commerce is also estimated to have a very wide range.
The session on Global Survey of Internet User Perceptions provided a fresh breeze by presenting data from 24 225 Internet users from 24 countries on Internet Security & Trust. This global survey was conducted by the Centre for International Governance Innovation, IPSOS, Internet Society, United Nations Conference on Trade & Development (UNCTAD), International Development Research Center (IDRC).
The presenters summarised the main findings of the survey which led to discussion:
1. There is greater online trust in developing than developed countries
Some argued that developing countries are in an ‘early growth’ phase. Others questioned whether the amount of trust in developing countries is proportional to the lack of information and awareness of risks.
2. There is greater trust in the Internet industry (ISPs, online services) than in governments
The most trustworthy actors are Internet service providers (66%) and online banks (65%). Internet users have least trust in the responsible behaviour of foreign governments (43%).
3. The trust in their governments varies greatly
81% of Indonesian survey respondents trust their government to act responsibly online. At the other end of the scale is Mexico, whose government enjoys the trust of only 25% of the survey’s respondents.
4. A lack of security is the main source of distrust
According to the survey, most Internet users do not trust the Internet because it is not secure (65%). The lack of trust is slightly lower when it comes to the reliability of the Internet (40%).
5. Cybercrime is the main concern
6. Changes in online behaviour could lead towards more trust
45% of the survey’s respondents avoid opening emails from unknown e-mail addresses. This is becoming part of the global digital hygiene. Most panellists during the discussions highlighted change in online behaviour as one of the main ways towards increasing both security and trust on the Internet. For ISOC, increasing the cybersecurity culture is one of the cornerstones of the concept of collaborative security. The survey shows particularly noticeable changes in online behaviour in Latin America.
7. Economic patriotism online
Internet users prefer to buy goods and services from their own country even if they have a chance to buy them from abroad via e-commerce platforms.
8. Digital policy
The survey identifies the following issues as the main concern for Internet users: consumer protection, protection of data privacy, and protection against cybercrime. The discussion focused on two ways for strengthening digital policy space: government regulation and ‘policy by design’. For example, an Internet Society representative argued that privacy-by-design, in particular encryption, could be a solution for data protection and privacy.
This session addressed the concern over the rise of cybercrime and its consequences for privacy and security online, as well as the resulting lack of trust among consumers and governments to adopt digital technology. The topic was introduced by the moderator, Ms Cécile Barayre, Economic Affairs Officer at UNCTAD, who stressed the transformational nature of e-commerce, generating both opportunities and challenges.
Barayre then went on to introduce H.E. Ms Rahman Ahmad Khan, Minister of State for Information Technology and Telecom, Pakistan, who outlined some of the critically important areas for addressing cybercrime:
According to Ahmad Khan, users must have the same rights and protection online as they do offline in order for user trust to be restored.
Next, Prof. Ian Walden, Queen Mary University of London, addressed the legal aspects of responding to cybercrime. For state response to be effective, there needs to be a harmonisation of criminal justice systems, for example around the Council of Europe’s Budapest Convention, and criminal justice relations need to be regulated in such a way as to enable the co-operation between law enforcement agencies. Policing cyberspace should focus on prevention and disruption, rather than prosecution, and needs to happen in collaboration with third parties, such as service providers and the Internet industry. Effective cybersecurity strategies need to address prevention and cultural shifts to change the culture of insecurity. Finally, legal and regulatory responses should include criminalising conduct, enhancing law enforcement powers (while taking into account the need to safeguard privacy rights), and putting into place cybersecurity frameworks that include prevention and permit active defence.
With a view from the private sector, Mr Yuejin Du, Vice-President of Alibaba Security, outlined the key cybersecurity challenges:
To combat these challenges, Du provided several examples of the technological measures taken by Alibaba Security, as well as its efforts to build a ‘security alliance’ with other actors in the e-commerce ecosystem. Finally, co-operation with law enforcement is inevitable.
Zooming in on one solution against cybercrime, Prof. Nir Kshetri, Bryan School of Business and Economics, University of North Carolina, explained the role of blockchains in strengthening security of the Internet of Things. He compared the potential of blockchains with cloud-based services, and highlighted their decentralisation as a particular advantage. Another solution was provided by Mr David Satola, Lead ICT Counsel, World Bank, who introduced a portal for capacity building for emerging countries, available at www.combattingcybercrime.org. Its aim is to enhance capacity in developing countries on the policy, legal, and criminal justice aspects of building an enabling environment to combat cybercrime. The portal consists of a toolkit, an assessment tool, and a virtual library. Mr Gustav Lindstrom, Head of the Emerging Security Challenges Programme, Geneva Centre for Security Policy, presented a similar project: the National Cybersecurity Strategy (NCS) Guide. This project is spearheaded by the ITU in collaboration with 14 partners from different sectors, and aims to produce a reference guide for developing and implementing a national cybersecurity strategy. The guide covers the overarching principles of an NCS, an overview of good practices, and a practical guide for the strategy formulation process.
Finally, Ms Marilia Maciel, Digital Policy Senior Researcher, DiploFoundation, presented the trends, challenges and opportunities of capacity development in cybersecurity. First, she highlighted the changing social context in which individuals and societies are becoming cyber-dependent. As digital services become increasingly complex, complete security will never be possible and risk will always be present. Therefore, it is key to make the environment around cybercrime more secure. She pointed at the surging number of bilateral agreements on cybersecurity, as well as some of the multilateral instruments in place, which all refer to the need for capacity building.
She then presented a number of lessons learned from DiploFoundation’s capacity development initiatives:
Finally, she introduced the Digital Commerce course developed by the Geneva Internet Platform, the International Trade Sector, CUTS, and UNCTAD.
The eleventh Symposium of the Future Networked Car took place on 9 March 2017, during the 87th edition of the Geneva International Motor Show. The Symposium was jointly organised by the International Telecommunication Union (ITU) and the United Nations Economic Commission for Europe (UNECE). The main objective of the event was to offer a platform for a fruitful discussion among different stakeholders – vehicle manufacturers, governments and Information and Communications Technology (ICT) industries – on the future of vehicle communication and automated driving.
The session started with opening remarks from Mr Malcolm Johnson, Vice Secretary-General at the ITU, who stressed the importance of bringing together multiple stakeholders in order to foster technological innovation. In particular, he underlined the crucial role of the ITU as a UN-mandated agency that has successfully brought together and facilitated the convergence between two communities: industry and ICT sectors. The Symposium has seen growing participation in the last years, and has attracted more than 170 participants in 2017.
Ms Eva Molnar, Director of the Sustainable Transport Division of UNECE, joined Mr Johnson in stressing the importance of co-operation, not only between different industry sectors, but also between different agencies – as is the case with the ITU and UNECE. In particular, her speech approached vehicle automation from a regulatory perspective: she reasoned on the relevance of the existing legal conventions vis-à-vis the latest technological changes and pushed for the development of harmonised regulations.
The event comprised five thematic panels, each discussing a specific aspect of vehicle automation.
The Executive Roundtable reflected on the advantages and challenges that automatic driving will bring to individuals and societies once such technology is spread on a larger scale. All speakers talked about the necessity of harmonising the standards regulating such technology among different countries.
In particular, Mr Anders Eugensson, Director of the Governmental Affairs Department at Volvo Car Group, analysed the benefits of automated driving for individuals in terms of costs, liability and accuracy of data. With the development of such technology, customers would purchase automated driving packages that would cost less than a car. Moreover, he considered that cars will operate autonomously, and, in case of accidents, the responsibility would not lie directly with customers. Finally, thanks to cloud connectivity technology, the data available to the car system will be more accurate.
The Second Panel reflected on the benefits of fifth generation mobile networks or wireless systems (5G) for the development of automated driving. The speakers agreed on the crucial role of 5G technology for automated vehicles, especially in terms of connectivity and communication among units. Mr Peter Vermaat, Chair of the Connected Vehicle Working Group at the Wireless World Research Forum, considered that as opposed to a cloud computing type of connectivity (i.e. storing and accessing data over the Internet), Peer-to-Peer (P2P) computing (interconnected communication among peers, i.e. automated vehicles) allows for increased safety and improved efficiency of communication, and reduces the need for infrastructures.
The Third Panel discussed how Artificial Intelligence (AI) will change current transport systems. All the speakers built their discussions on the benefits of automated driving discussed by the previous panellists. Furthermore, they focused mainly on the possible risks to individuals from the deployment of AI. They assessed such risks in terms of security (protection from cyber-attacks), personal data protection (privacy concerns) and social economic externalities (loss of jobs in the car industry or transportation sectors).
The Fourth Panel focused on the relationship between connected vehicles and automated driving. The panellists discussed the co-dependency of connectivity and automated driving: having accurate communication systems among vehicles is crucial for the development of automated driving systems on a larger scale. David Holecek, Director of the Connected Products and Services Division at Volvo Car Group, concluded that connectivity, autonomous driving and AI are the cornerstones that will develop the concept of fully autonomous cars rather than autonomous driving in the future.
The Fifth Panel concluded the session by focusing on the cybersecurity threats to automotive systems. The speakers discussed the consequences that connectivity has in terms of individuals’ security in particular. Based on an interconnected system, automated vehicles operate in a constantly-hostile environment, susceptible to hackers’ attacks, resulting in financial cyber ransom, car theft and loss of control over the vehicle.
The 47th WEF Annual Meeting, which took place in Davos-Klosters, Switzerland, on 17‒20 January, brought together leaders from across business, government, international organisations, academia, and civil society, to discuss several digital policy issues.
The future of the digital economy was an overarching theme for many sessions, exploring aspects such as the digital transformation of industries, the fourth industrial revolution and its implications (in areas such as gender equality and jobs), steps for shaping national digital strategies, the need for shared norms and rules for the digital economy, and trust-based collaboration among stakeholders. Security and crime in the digital era were part of the discussions, with a focus on multistakeholder approaches for tackling cybercrime, the cyber resilience of critical infrastructures, cyberwar and forms of manifestation, and terrorism in the digital age. During the meeting, WEF launched a report on Advancing Cyber Resilience: Principles and Tools for Boards. Prepared in collaboration with the Boston Consulting Group and Hewlett Packard Enterprises, the report outlines a series of principles and tools for companies to tackle cybersecurity risks and ensure the resilience of their information infrastructures.
The advancements in the field of Internet of Things (IoT) and artificial intelligence (AI) were also looked at during this year's WEF meeting, as participants explored policy implications and outlined the need for principles and standards to ensure that IoT and AI products bring benefits to society as a whole, while minimising the risks (in areas such as social inclusion, privacy, and security). Trustworthy online information, a topic that has attracted a lot of attention lately, was also discussed, with a focus on possible modalities for balancing freedom of expression with the need to educate users on how to differentiate between real and misinformation.
In addition to contributing their views to these and many other discussion tracks, WEF participants used the meeting as an opportunity to launch new initiatives and agree on future actions. In one such example, major financial service providers (e.g. Mastercard, Visa, and Paypal), global IT and telecom companies (e.g. Ericsson and GSMA), and intergovernmental organisations (e.g. the United Nations Development Program and the United Nations High Commissioner for Refugees) agreed on six principles on public-private cooperation aimed at facilitating digital cash payments in crisis-affected populations.
As has been the case at many other high-level events recently, the Agenda for Sustainable Development also featured high in Davos. On a more general level, world leaders discussed the challenges of globalisation and the increasing anti-globalisation trends. Many of the debates revolved around the need to identify modalities for reforming the governance of globalisation processes, with a view to improving them and making them better suited to contribute to global growth and development.
The 2017 United Nations Office at Geneva (UNOG) and the Geneva Centre for the Democratic Control of Armed Forces (DCAF) seminar discussed the topic of Violent Extremism Online – A Challenge to Peace and Security. The three-hour session started with an introduction by Mr Michael Møller, Director General of UNOG concerning the importance of eradicating violent extremism online as a challenge for peace and security. As he indicated, the risk to further violence arises and the Internet needs to be protected from terrorist attacks. He also mentioned the crucial role of the next Internet Governance Forum (IGF), to be held in Geneva in December 2017, in the fight against violent extremism online which would be, as he stated, ‘a major opportunity to tackle the issue in the International Geneva’.
Mr Adam Deen, Senior Researcher and Head of Outreach at the Quilliam Foundation, the first speaker of the session, focused his presentation on the ideology and the underlying reasons which led to the creation of the Islamic State (ISIS). As a former member of an Islamist extremist organisation himself who utilised universities for recruitment, he perceives the creation of ISIS as a logical result of 20 years of hidden groupings all over the world which today broadly use the Internet for the recruiting process. He also considers that the use of the Internet for recruitment purposes is a strong advantage for terrorists, given its anonymity, its interactivity which spreads contagious ideas faster, its accessibility, and, most importantly, its inexpensive fees.
Deen underlined the strong power of online interactivity which helps terrorists to easily provide their own religious instruction, reports from battles, interpersonal communications, threats against western countries, and pictures of the daily life of a terrorist with the aim of normalising them and creating a sense of belonging and camaraderie. According to research carried out by the Quilliam Foundation, approximately 1000 pieces of media content are provided each month by ISIS. He added that most of the content focuses on mercy, redemption, and camaraderie, notions that are already strongly present within the Muslim community and exploited by ISIS through personal grievances used to manipulate the recruits and increase the sense of belonging. He regrets that the interactivity as such also contributes to a form of clustered discourse which leads to extremism, since there is no time given for debate and for ideas to evolve.
One of the main highlights of Deen’s speech concerned the dehumanisation of the victims which, as he stated, is also part of the ideology supported by ISIS. He explained that the ideology as such creates a barrier between believers and non-believers and rationalises the violence. In his opinion, this facilitates the preparation of attacks and eradicates a possible mutual coexistence between believers and non-believers since the recruits do not see themselves as part of a society as a whole but as part of a transnational community that stands out from the rest of the world.
Deen’s speech also focused on the concept of pre-propaganda, which in his opinion forms the root of the extremism we face today and the main reason behind the creation of ISIS. In his own words, ‘ISIS did not create extremism, extremism created ISIS.’ He said we cannot count on the disappearance of ISIS to put an end to the ideology. In his opinion, the ideology as such needs to be made irrelevant or obsolete.
For the second part of the session, the panel on Violent Extremism Online was moderated by Ms Anne-Marie Buzatu, Deputy Head of Public-Private Partnerships Division at DCAF, who underlined the importance of practical solutions to put an end to the development of ISIS and violent extremism online.
Ambassador Kok Jwee Foo from the Permanent Mission of Singapore to Geneva stated that we live in a fragmented world which also allows the establishment of sophisticated and violent transnational communities such as ISIS to propagate a message and pursue a political goal. He added that Singapore has also been confronted by recruits willing to join ISIS and underlined that the battle against ISIS concerns everyone and needs to be addressed by multiple stakeholders. Part of his speech focused on the diversity of Singapore and the need to establish concrete policies to preserve the common space and to ensure an openness to all religions. He stressed that efforts at deepening multi-racial and multi-religious harmony are a never-ending endeavour.
In an effort to ensure inclusion and counter extremism, two policies have been established in Singapore. The Religious Rehabilitation Group (RRG) was launched in April 2003 by the Muslim community and academics to combat misinterpretations promoted by self-radicalised individuals and those in support of ISIS through media content. SG Secure is an initiative put in place by the Ministry of Home Affairs to promote community vigilance, cohesion, and resilience against global terrorism on the rise and to apply concrete measures. One of these measures consists of visiting every single home in Singapore to raise awareness of security and to encourage families to participate in this programme. Ambassador Foo concluded by underlining the importance of such policies and the need to find the right balance between security, freedom of expression, and international cohesion.
The second panellist, Mr Adam Hadley, Project researcher and associate at the ICT4Peace Foundation, presented an overview of the foundation’s activities, findings, and recommendations on counter terrorism. As part of its activities in 2016, phase one analysed threats regarding the use of technology by terrorists and scoped out practical measures. Three global workshops were organised to include various stakeholders from the private and public sectors. The outcome report, published in December 2016, entitled Private Sector Engagement in Responding to the Use of the Internet and ICT for Terrorist Purposes, provides an overview of the current threat assessments, emerging or potential threats, and responses from technology companies involved in several initiatives such as the Global Network Initiative (GNI) based on United Nations and human rights principles. The initiative targets four areas in particular: development of guidance systems, building of training capability and legal teams, cooperation with Internet referral units (IRUs), and investment in counter narrative to support civil society.
Another important point in Hadley’s speech concerned the active role of technology companies such as Facebook, Microsoft, and Twitter which publish transparency reports and deliver information about requests for the takedown of online content from governments all around the world. He also stressed the urgent need to create frameworks respecting human rights and mentioned some concerns about the legitimacy of the private sector and the capacity of small companies to develop policies to challenge the use of the Internet by terrorists.
Several recommendations have been established by the ICT4Peace Foundation including the will to build on existing initiatives, to support dialogue regarding a normative framework through a multistakeholder approach, to encourage coordination, to establish global knowledge sharing and a capacity-building platform focused on policy and practice, to build the capacity of small tech companies, to support data-driven research on effectiveness, and to promote digital literacy. The conclusion of the speech focused on the foundation’s plans for 2017 which provide for the inclusion of more stakeholders in the fight against violent extremism online and the establishment of a platform which aims to share global knowledge on emerging practices, norms, standards, and policies that have been developed on the subject matter.
The final speaker, Mr Mark Stephens, International Human Rights Advocate, CBE, and Independent Chair of the Board of Directors of the GNI, presented the work of the GNI which brings together ICT companies and investors willing to forge a common approach to freedom of expression online. The GNI focuses on two elementary human rights - freedom of expression and the right to privacy - principles that are designed to protect citizens and to prevent any serious consequences of a breach of these rights. Stephens added that one of the GNI’s main concerns is the impact of laws which would tend towards improper protection of freedom of expression. This concern led to the development of various recommendations from the GNI regarding consistency with human rights norms that governments should respect, including the fact that human rights’ restrictions should be established in a clear and precise law that is proportionate and necessary. He added that governments should not impose liability on intermediaries.
In the second part of his speech, Stephens stressed the role of ICT companies and the fact that most of them are more restrictive and efficient in their policies than parliaments are in their laws. He concluded by stating that the true challenge is that the issue at stake is larger than companies or governments; this also underlines a need for international cooperation between stakeholders in the protection of essential rights such as freedom of expression and the right to privacy.
The panel discussion was followed by a Q&A on the proper use of terms such as ‘Islamic’ which can be misused, the role of different stakeholders in the fight against ISIS, and the importance of tackling the issue with concrete measures to promote tolerance and coexistence between religions.
The handbook, structured around 10 major challenges in big data security and privacy, gives an overview of best practices that should be followed by big data service providers to fortify their infrastructures. For each of the 100 best practices presented, an explanation is given of why the practice should be followed and how it can be implemented.
The guide explores risks and opportunities associated with the Internet of Things, and provides a framework with recommendations for securing the IoT.
The set of guidelines contains recommendations on how to mitigate security threats and weaknesses in Internet of Things services. It includes guidelines for service ecosystems, endpoint ecosystems, and network operators.
The tutorials are intended to provide Internet users with a better understanding of the online and mobile threats, including spam, malware, malicious websites, spyware, etc.
The document provides guidelines for public and private organisations when planning and organising the selection and validation of smart city technologies. It describes the types of testing and assessments to consider in order to select the most secure vendors and technologies.
The report provides an overview of the Internet security threats landscape in 2014.
The document provides guidance for the secure implementation of Internet of Things (IoT)-based systems. It provides an overview of IoT security challenges and threats to individuals and organisations, and outlines several security control mechanisms that could be used to mitigate such challenges and threats.
The fact sheet is intended to explain DNSSEC in simple terms.
The page provides brief monthly reports on online threats such as spam, web attacks, malware, and phishing.
A series of best practices and white papers produced by the Messaging Malware Mobile Anti-Abuse Working Group, and aimed at providing the technology industry, as well as users, with recommendations and background information to improve messaging security and address online, mobile, and telephony threats such as spam, malware, etc.
The Best Practice Forum (BPF) on cybersecurity was an opportunity to link various communities, and mainly focused on discussions about the multistakeholder process (Best Practice Forum on Cybersecurity - Creating Spaces for Multistakeholder Dialogue in Cybersecurity Processes) and again looked at how to define cybersecurity from various perspectives (Best Practice Forum - Cybersecurity). Several other sessions also shared useful experiences from developing countries in capacity, especially with regard to Computer Emergency Response Team (CERT) capabilities (Cybersecurity - Initiatives in and by the Global South - WS26) and awareness-raising campaigns (What Makes Cybersecurity Awareness Campaigns Effective? - WS113).
The role of the technical community and the private sector was outlined in assisting the implementations of cyber-norms and confidence-building measures by the UN, regional organisations, and governments. While the IGF was seen as the place to encounter all stakeholders, and the proposal made that a dedicated (possibly even main) session is scheduled at IGF 2017, it was suggested that the Internet governance community meets the security community within the framework of the Global Conference on Cyber Space (GCCS) in 2017, with support of the Global Forum on Cyber Expertise - GFCE (NetGov, Please Meet Cybernorms. Opening the debate - WS132).
The contribution of cybersecurity to economic development and the overall SDGs was recognised, and the roles the OECD and World Bank could play were emphasised (How do Cybersecurity, Development and Governance Interact? - WS115). The need to incentivise the Internet industry in implementing high Internet standards was noted, and the GFCE was suggested as a forum for discussion (Building Trust and Confidence: Implement Internet Standards - WS240). Security of the IoT was underlined, as was the strong link between human rights and encryption (On Cybersecurity, Who Has Got Our Back?: A Debate - WS196). A clear link between cybersecurity and human rights was reiterated throughout several sessions, and particularly by the contributions of the Freedom Online Coalition - FOC (Open Forum: Freedom Online Coalition - OF27).
As the demands of ICT-related SDGs need to be met with capacity-building initiatives, cybersecurity was identified as one of the eight core digital skills people need in the twenty-first century. Internet Governance, Security, Privacy and the Ethical Dimension of ICTs in 2030 (session 150) suggested that the interpretation of vast amounts of information and big data that Internet of Things (IoT) will bring could result in an innovative multi-trillion-dollar economy. Examples of solutions that can both boost the economy and increase security were raised in From Cybersecurity to ‘Cyber’ Safety and Security (session 172); these included the use of social media for managing disasters.
Ensuring trust in cyberspace through collaboration between governments, the industry, and users was outlined as fundamental for utilising economic opportunities necessary for fulfilling the SDGs during discussions in Action Line C5 (Building Confidence and Security in the Use of ICTs) - National Cybersecurity Strategies for Sustainable Development (session 120). Such cooperation in the area of cybersecurity, however, should be built on trust between the public and private sectors. A Trusted Internet Through the Eyes of Youth (session 151) warned that trust on the Internet is highly fragmented due to the diverse interests of stakeholders, and especially due to surveillance programmes. Multistakeholder dialogue and shaping policies by consensus were mentioned as ways to strengthen mutual trust.
When it comes to practical suggestions for improving cooperation in cybersecurity, panellists of session 120 also suggested cooperation in incident response that can include both compulsory and voluntary reporting on cyber-incidents. Session 170 on The Contribution IFIP IP3 Makes to WSIS SDGs, with an Emphasis on Providing Trustworthy ICT Infrastructure and Services invited companies to invest more in education, professionalism, and security. Providing good quality legal and technical information and data to decision-makers was added to the list of suggested measures by the discussants of session 172.
Various emerging risks were also discussed in several sessions. Session 172 raised concerns about the emerging face of terrorism which increasingly uses new technologies including commercial drones.
Session 150 warned that big data should be accompanied by ‘big judgment’ and awareness of communities of the risks of ‘uberveillance’ - becoming possible due to brain-to-computer interfaces (BCIs) and sub-dermal implants - that can have an irreversible impact on society. On the other hand, session 120 commented on encryption as a useful concept that can enhance individual security, and suggested that law enforcement agencies can benefit greatly from other digital evidence.
With a rise in cybercrime and a sharper focus on cybersecurity by policymakers worldwide, it is no surprise that the issue was discussed at great length during the IGF 2015. Cyberattacks, which are on the rise and are evolving with the growth in infrastructure, mobile money transfers, and social media, affect the economic growth and sustainable development of many countries. The real economic cost of cyberattacks is considerable. However, as the discussion during Managing Security Risks for Sustainable Development (WS 160) concluded, it was hard to identify and calculate the cost of each cyberattack due to multiple tangible and intangible effects, with one of the consequences being the limited availability of global statistics on cyberattacks.
With regard to cybersecurity strategies, the speakers made reference to the OECD’s recommendation on Digital Security Risk Management for Economic and Social Prosperity which seeks to ensure that risk management is considered an important facet when decisions are made on digital issues. They said, however, that existing cybersecurity strategies are too focused on technology and are missing the human element. In Commonwealth Approach on National Cybersecurity Strategies (WS 131), the speakers agreed that cybersecurity should be tackled by governments in partnership with the private sector, regulators, and other governments. It requires legal frameworks, the use of technology to enforce cybersecurity, harmonisation of regional laws, and cooperation among states to tackle cross-border cybercrime.
The issue of trust (as well as other issues, such as privacy and freedom of expression, which are discussed below) was a main theme that intersected with security. Discussed predominantly during the main session dedicated to Enhancing Cybersecurity and Building Digital Trust, the panel agreed that multistakeholder approaches and private-public partnerships should be used to address the challenges. ‘If you want total security, go to prison’, said one panellist. On the other hand, surveillance and censorship cannot be used to justify cybersecurity. Surprisingly, a panellist in Cybersecurity, Human Rights and Internet Business Triangle (WS 172) revealed that 80% of actionable intelligence comes from publicly available resources.