[Read more session reports and live updates from the 13th Internet Governance Forum]
Regional co-operation for cyber capacity building is extremely important for developing countries to exchange frameworks for strategy design and to create toolkits for incident response. The role of governments is crucial to push the process of creating cybersecurity capacities; however, other stakeholders are also important to provide feedback and review government policies.
Ms Carolin Weisser, Global Cyber Security Capacity Centre, opened the session and asked participants to focus on challenges for capacity building and development of national cybersecurity frameworks, and to speak on regional cooperation.
Mr Bill Dutton, Global Cyber Security Capacity Centre, University of Oxford, shared the outcomes of the recent conference in Oxford where they gathered observations concerning cybersecurity. He said that cybersecurity has become a ‘wicked problem’ since so many actors, risks, and technologies are involved in the process and ‘people have moved away from saying we're going to resolve it.’ Instead,‘it is going to be a permanent issue in dealing with cybersecurity. Dutton mentioned a consensus on the essential steps in developing capacity on the national level: to develop a strategy and establish national computer security incident response teams. Also, he noted a technical focus on cybersecurity is distinct from cultural and societal aspects of cybersecurity. Norms development among users creates cultural mindsets that help people consciously to think about cybersecurity in their everyday information practices. Dutton concluded that we should act globally and regionally to help with capacity building in the local level.
Mr Greg Shannon, Chief Scientist, CERT Division at Carnegie Mellon University’s Software Engineering Institute, addressed different perspectives on cybersecurity, giving the example of the IETF meeting model for regional and national collaboration for capacity building. Then he said that effectiveness of CERT work fully depends on the ability of engineers to make decisions and respond. He further raised a question regarding the agency making decisions: ‘Is it only the government? Or is it actually people in the field who are putting their hands on the key board, on the cables, and helping to keep connectivity there?’ In conclusion, he suggests two models: one respects and encourages distributed agency and teaches from a capacity building point of view; the alternative has a set of rules that you must follow that limits agency.
Mr David van Duren, Global Forum on Cyber Expertise, provided a brief overview of the GFCE work and its development. The main goal for the 2015-2016 years was to build a personal network between people and create an overview of cyber capacity building. The work of these years was also product-oriented: GFCE produces toolkits, guidelines on implementation of assurance, or how to deal with mobility disclosure or, more broadly, how to develop cyber strategies. Then he mentioned the Delhi communique that puts a commitment to cyber capacity building on a high-level. Presently, GFCE has created working groups according to the communique provisions to complete the commitment.
Ms Amanda Craig, Microsoft, spoke on national efforts to protect critical infrastructure and mentioned the regulations in China, EU, Singapore, and Japan as examples. She also clarified that cybersecurity strategies are currently using a holistic approach to cyber risk management, which has four steps – to identify, protect, respond, and recover from cyber incidents.
Mr Juan Manuel Wilches, Commission for Communications Regulations, Colombia, related the history and experience of Colombia in building a national cybersecurity framework. At first, it was not coordinated between different agencies and sectors. However, during 2014-2015, Colombia received support from other countries. Finally, the country released a cybersecurity policy based on recommendations provided by the OECD. Wilches noted that at this time Colombia has improved the level of cybersecurity sufficiently. However, Colombia does not share information about incidents, since 78 percent of operators do not send information to the CERT and 64 percent of them do not coordinate with CERT.
Ms Kerry-Ann Barrett, Organization of American States, related reports produced by OAS on what member states see as threats in the region and how they identify risks to security. Also OAS has a program focusing on training of technical and legal personnel within the region. She stated that it is important to look at the capacity building process from the political perspective, because a political will is required to start implementation. Finally, she mentioned the role of NGOs in Guatemala, Mexico, and Colombia in commenting on draft strategies and in improving them substantially.
By Ilona Stadnik