The moderator Ms Erika Barros Sierra, international ICT policy manager, Access Partnership, opened the workshop with remarks about the evolution of cyber-attacks, their increasing sophistication and damaging impact. With the deployment of the Internet of Things (IoT) there will be more ‘open doors’ for hackers to target vulnerable devices. Moreover, she noted that there would be no ‘absolute security’, but that we still have to work on improving our approaches to mitigating cyber-attacks.
Sierra suggested a first question to discuss: how the lack of agreement and collaboration between stakeholders in responding to cybersecurity incidents, such as vulnerability announcements, can affect trust in the use of ICTs.
Mr Gavin Willis, international relations team, UK National Cybersecurity Centre (NCSC), started his intervention with a remark about the UK’s international obligations. He recalled a norm proposed by the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE) to encourage responsible reporting of information and communications technology (ICT) vulnerabilities and of available remedies to such vulnerabilities, in order to eliminate potential threats to ICTs and infrastructure. The Organization for Security and Co-operation in Europe (OSCE) members agreed on confidence-building measures (CBMs) in 2016: ‘the participating states will on a voluntary basis encourage responsible reporting of vulnerabilities affecting the security of the use of ICTs and share information on available remedies to them, including ICT business and industry’. Willis also reminded the participants about international standards issued by the International Organization for Standardization (ISO) on vulnerability disclosure (ISO/IEC 29147:2014) and vulnerability handling processes (ISO/IEC 30111:2013). The UK is also taking active steps in the field by publishing the ‘Security by design’ document, which requires all companies that provide Internet-connected devices and services to provide a public point of contact as part of their vulnerability disclosure policy, so that security researchers are able to report misuse. Willis then stressed the NCSC’s public work on vulnerability reporting. The UK government’s strategy to build trust in disclosure policies includes inviting cybersecurity research and expert organisations, and an initiative called ‘Industry 100’, under which the UK government brings at least 100 people from industry to work with the NCSC. Willis concluded with the advice: ‘Patch your systems to diminish vulnerabilities!’
Mr Israel Rosas, Internet policy analyst, Mexican government, shared the Mexican multistakeholder experience in collaborating with industry, academia and the federal police, which is in charge of the national computer security incident response team (CSIRT), on vulnerability disclosures. The cybersecurity strategy of Mexico has several strategic objectives: security itself, public security, and national security. Moreover, Rosas stressed the importance of collaboration with academia, promotion of research, and capacity building for students.
Mr Antonio Amendola, executive director, international external affairs, AT&T, said that cybersecurity is a business imperative. The company looks at its customers as the public sector does at its citizens. So the most important thing is to anticipate threats, which requires a great deal of attention to analytics. The ability to predict threats could lead to stronger security. Amendola noted that vulnerability disclosure programmes must keep a balance: information sharing between companies has to be confidential, while the public can keep feeling safe despite the many vulnerabilities. He also mentioned the EU Cybersecurity Act proposal, which introduced an ICT certification procedure. While the intention to foster trust in products is good, certification should be voluntary rather than obligatory and enforced by legal measures and fines. ‘Trust cannot be mandated, it should be fostered by a mature market’.
Then the moderator asked Ms Chloe Autio, policy strategy, Intel, about any SDGs that could be achieved without ICTs. She said that the development process cannot happen without security and trust in new technologies that help to achieve SDGs. Autio added that the focus must be on making sure people are using ICTs in the right way.
The speakers also discussed questions regarding the lack of cybersecurity practices and ways to address it; the American National Institute of Standards and Technology’s (NIST) framework as a good example of public-private partnership; the activities of ‘white hackers’; and educational initiatives to promote skills and knowledge about secure behaviour in cyberspace.
By Ilona Stadnik