[Read more session reports and live updates from the 13th Internet Governance Forum]
Public private partnership (PPP) models in cybersecurity need to be prescriptive, allowing an interplay between actors. Civil society is a diverse group, and can play multiple roles in PPPs. It is important, however, that it is involved substantially, rather than just for reflection.
Setting the scene of the session with an example of a successful global PPP model, Mr Manon van Tienhoven,Advisor at the Global Forum on Cyber Expertise (GFCE), presented the GFCE as a global multistakeholder platform that encourages international co-operation on cyber capacity building, with a multistakeholder advisory board. The GFCE started with an awareness-raising role on cyber capacity building, which brought up its Delhi Communique. It then moved to the implementation of capacity building measures by establishing Working Groups which allow greater involvement of members (states and companies), as well as partners such as NGOs and academia. To extend the outreach of its results and best practices, the GFCE is setting up a cyber capacity building knowledge portal, with content provided by partners.
Presenting the results of her research on PPP, Ms Catherine Garcia van Hoogstraten, Lecturer & Researcher, The Hague University of Applied Sciences (THUAS), commented that PPPs like GFCE can succeed as long as the governance structure is clear and transparent. It is civil society that could bridge gaps in transparency in a PPP model and increase mutual trust. Some useful guidelines on PPP models can be found in the Budapest Convention (articles 16-21 on the legal basis for PPPs), the WEF principles for PPP in the field of countering cybercrime, the Digital Geneva Convention proposal, and the University of Leiden research on the risks and potential of PPPs. As an example of the role of the NGO in a PPP, she shared the case of an NGO in the Philippines which used a chatbot to help trace attempts of sexual exploitation of children, which then stimulated the build-up of a regulatory framework.
Mr Enrico Calandro, Research ICT Africa, explained that the academic literature on PPPs comes from the days of telecom sector regulation where the private sector was brought in to support government efforts by bridging budget deficits or skills shortages, which led to a form of descriptive PPP for broadband roll-out. The next phase, however, brought a demand for more prescriptive PPP models for new issues: not-so- well-structured partnerships but more the interplay between actors, including information sharing. He gave an example of Mauritius, which is positioning itself as a regional hub, hosting AFRINIC, and its ICT strategy aimed at developing an efficient collaborative model between the government and the private sector, though still not including civil society.
Ms Kerry-Ann Barrett, Organisation of American States (OAS), shared the OAS practice of having civil society organisations, registered through its website, around the table in discussions on cybersecurity. As an example, in the development of national cybersecurity strategies in Mexico, Paraguay, Guatemala, and Costa Rica, OAS stimulated the participation of civil society organisations which helped with comments and input. She underlined that the role of civil society is more than awareness raising; it can also develop competences, tools, and mechanisms to involve society. As another example she shared the Cyberwoman Challengeproject, implemented in Columbia, where NGOs help get women around the table, and then the private sector helps with developing skills. Involvement of civil society in political processes and PPPs ensures trust, as it shows that certain work was not just a government decision but that someone from the broader society also trusted in it.
Mr Robert Collett, Head of Capacity Building, Prosperity and Cyber Crime at the UK Foreign Office, shared how the UK institutions work on improving the cybersecurity capacities of others, as well as their own. As of 2012, the UK had invested £10 million in projects working in 100 countries. Practice has shown that protects related to cybersecurity are surprisingly dependent on non-state actors, as most of those who can protect systems are outside of government. Research also happens outside of government, and experts are ex-government too. He added that civil society often knows the subject, and, more importantly, it cares and has a passion for achieving something. In many cases it is civil society organisations that provides help in other countries, like in Columbia. He underlined that the IGF is an opportunity to meet with civil society organisations and to listen to fresh ideas.
Ms Daniela Schnidrig (Global Partners Digital) reminded us that civil society is very broad and diverse. It comprises activists, researchers, technologists, and educators. Involvement of civil society in cybersecurity projects needs to be done in holistic way, from planning to implementation; such an approach also contributes to increasing trust.
The moderator of the session, Mr Patryk Pawlak (EU Institute for Security Studies and the Co-Chair of the GFCE Advisory Board), added the example of the Geneva Recommendations for Responsible Behaviour in Cyberspace, a project run by the Swiss government as an open multistakeholder process which truly involves non-state stakeholders.
Ms Lucie Krahulcova (Policy Analyst in Access Now) gave an example of her organisation which provides cybersecurity capacity building at grassroots level, with projects like a 24/7 help-line and Digital Security Clinic where people come with complex issues and get help to understand technologies, as well as obtain legal support. Civil society plays a particular role in strengthening human rights outside of Europe. She underlined, however, that involvement of civil society needs to go beyond submitting comments in consultations; it needs to be substantively involved.
Mr Vladimir Radunović, DiploFoundation, added an example of his organisation providing capacity building programmes in cybersecurity for governments in developing countries, using technology such as online courses. He also emphasised the potential of civil society organisations to be conveners of other sectors, even various sectors of the government, for dialogue, as they might play the role of a neutral player and act swiftly without administrative burdens. In this regard, he gave an example of an informal multistakeholder cybersecurity group built in Serbia, in partnership with the OSCE and other organisations, that had an impact on developing law and strategy. He also added useful examples of PPPs in developing national cyber competences in developed countries, such as Finland, Israel, Korea, and Germany.
Pawlak added the GFCE Global Good Practices as a good repository of PPP practices from members and partners.
A delegate of the Russian Federation MFA reminded us that we need a new generation of researchers in fighting cybercrime, and suggested that, besides the Budapest Convention, there are several other regional instruments that need to be discussed and addressed. They noted that the most appropriate venue for global dialogue is the United Nations, reminding us that the UN has adopted the recent Russian resolution related to combating cybercrime.
A delegate from an Indian cybersecurity company spoke about the course curriculum on cybersecurity developed by the private sector and certified by the state, where civil society organisations helped institute scholarships for 1000 women. A delegate from the European Institute spoke about a series of convening sessions in Brazil, yet warned of the language barrier among stakeholder groups and sectors that is a big issue.
Collet noted that the Budapest Convention is particularly useful for practical co-operation across law enforcement agencies, where other signatories (also outside of Europe) confirm it is useful. He agreed that language across sectors is a barrier, and suggested that multistakeholder dialogue helps in interpreting the terms. Calandro added that civil society organisations can provide evidence and research to governments that some policies are counterproductive, sharing the example of Uganda with regard to a tax on social media use which reduces GDP. Krahulcova concluded by saying that risks to society will not be solved by controlling technology and micromanaging its implementation; instead, societal issues need to be solved outside of the digital realm.
By Vladimir Radunović