The session, moderated by Ms Tatiana Tropina, Max Planck Institute for Foreign and International Criminal Law, and Mr Vladimir Radunović, DiploFoundation, focused on how security threats change the cybersecurity landscape and influence the perceptions and actions of different stakeholders. Tropina instigated the discussion by asking the panellists to pinpoint the cybersecurity challenges in their respective fields.
Ms Sally Wentworth, Vice President of Global Policy Development, Internet Society, provided a global perspective noting that in an increasingly compelled security environment, security could hinder interoperability and lead to potential fragmentation. The importance of laws and norms was emphasised by Ms Marina Kaljurand, Former Foreign Minister of Estonia, Chair of the Global Commission for the Stability of Cyberspace, who explained that governments should lead through a multistakeholder approach. In the same vein, Mr George Jokhadze, Cybercrime Programme Office, Council of Europe, identified key challenges: first, regulations, in terms of drafting new rules and laws but also applying old laws, such as the Convention on Cybercrime; second, awareness of law enforcement agencies and citizens; and third, international co-operation and collaboration with technology companies such as Facebook, Google, Microsoft. On the other hand, Ms Kaja Ciglic, Director, Government Cybersecurity Policy and Strategy, Microsoft, pointed out that the challenges are not specific to Europe, but they are global. On top of them is the security-centred approach, adopted by many governments. Additionally, basic security measures and awareness can help avoid some challenges and create tech-savvy citizens.
Radunović then put forward another question: who should protect cyberspace? The government, industry, technical community, and/or users? Mr Chris Buckridge, RIPE Network Coordination Centre, explained that there is no single answer. The government clearly has a role but they do not have the required technical expertise. This led Tropina to further ask: who should lead the multistakeholder model? She noted that during the CyCon 2017, it was said the governments are mastering cyberspace but not the protection of cyberspace. In response, Kaljurand underscored that cybersecurity is part of national security and hence citizens expect the state to handle that. However, it is a responsibility shared between governments (which have the biggest share), the technical community, industry, and civil society. But governments have to lead since it is the duty of governments to ensure security, the integrity of data, and authentication of people. Wentworth further asserted that leadership depends on the issue at hand. For example, the industry should lead on issues related to innovation and scaling networks to meet future demands.
When the floor was opened for discussion, the audience spoke about the role of government, but also the industry that should provide reliable products, and end-users who should be educated. Some explained that governments have a duty to provide protection and raise awareness. However, it was mentioned that some governments are not trustworthy, as they could represent a threat rather than provide protection.
To address the question of whether technology, regulation, or social contracts/norms can protect cyberspace, Ciglic pointed out that, on the one hand, the fast pace of technology challenges the capacity of governments to provide the necessary protection. On the other hand, security attacks harm businesses and hence more investment in security is important. Building trust in the online environment is therefore important for businesses to operate. Jokhadze added that cybersecurity is not only about protecting citizens, but equally about punishing wrongdoers.
Radunović asked: Do we need more regulations? In reply to this, Wentworth alluded to the possible tools to deal with security. Technology is constantly evolving and policy should also be evolving to address issues as they come up. In addition, consumers should demand security and privacy as their entitled rights. Tropina, however, argued that consumers do not demand security as they look for what is cheapest. Consumers thus need more security raising awareness. Finally, Kaljurand highlighted that experts have provided interpretations of international laws to cyberspace and hence governments have to decide how to take them forward. Ciglic noted that Microsoft has been active in international cybersecurity norms for five years; not focusing on content regulations but on limiting specific sets of government behavior.