WS #65 Gender Prioritization through Responsible Digital Governance

Session at a Glance

Summary

This discussion focused on digital gender inclusion and responsible digital governance, particularly in low and middle-income countries. The panel explored barriers to digital inclusion for women and strategies to overcome them. A case study from Pakistan highlighted a structured national strategy to address the digital gender divide through multi-stakeholder collaboration and targeted working groups. Key barriers identified included lack of affordable devices and connectivity, social and cultural norms, digital literacy gaps, and economic constraints.

Panelists emphasized the importance of creating safe online environments, providing digital skills training, and ensuring meaningful connectivity. The role of community networks in empowering women in underserved areas was discussed, along with the need to extend such initiatives to urban settings. The importance of gender-disaggregated data for informed policymaking was stressed. Private sector initiatives, such as Meta’s programs for women’s digital empowerment, were presented as examples of industry efforts.

The discussion highlighted the need for explicit policy frameworks, multi-stakeholder approaches, and financing mechanisms to bridge the digital gender divide. Panelists agreed that closing this gap requires addressing not just access issues, but also quality of connectivity and online safety concerns. The session concluded by emphasizing the urgency of action and the availability of funding opportunities, such as the Women in Digital Economy Fund, to support initiatives aimed at digital gender inclusion.

Keypoints

Major discussion points:

– The digital gender divide and barriers to digital inclusion for women, especially in low and middle income countries

– Pakistan’s Digital Gender Inclusion Strategy as a case study of a national policy approach

– The role of private sector companies like Meta in promoting digital inclusion

– Community networks as a solution for connectivity in underserved areas

– Financing and policy mechanisms needed to support digital inclusion efforts

The overall purpose of the discussion was to examine challenges and solutions for bridging the digital gender divide and promoting responsible digital governance, with a focus on low and middle income countries.

The tone of the discussion was informative and solution-oriented. Speakers shared examples of initiatives and policy approaches in a collaborative manner, with an emphasis on multi-stakeholder efforts. The tone remained consistent throughout, maintaining a focus on practical steps to address the issues raised.

Speakers

– Waqas Hassan: Asia Lead for Policy and Advocacy at the Global Digital Inclusion Partnership

– Malahat Obaid: Director of Communications at the Pakistan Telecom Authority, member of the team that developed the PTA Gender Inclusion Strategy, digital gender specialist for the Central Bank of Pakistan’s Initiative of Women’s Financial Inclusion

– Onica Makwakwa: Executive Director at Global Digital Inclusion Partnership, Executive Managing Director for Women in Digital Economy Fund

– Cagatay Pekyorur: META’s Head of Community Engagement and Advocacy for Africa, Middle East and Turkey

– Josephine Miliza: Policy and Regulation Lead on Local Networks Initiative at the Association of Progressive Communications, advocate for digital equality based in Nairobi, Kenya, co-chair of the African Community Networks Summit

Additional speakers:

– Audience member from Colombia: Works with an NGO called Colnodo on community networks

– Audience member asking about PTA’s strategy for rural areas in Pakistan

Full session report

Digital Gender Inclusion and Responsible Digital Governance: A Comprehensive Discussion

This panel discussion focused on the critical issues of digital gender inclusion and responsible digital governance, with a particular emphasis on low and middle-income countries. The conversation brought together experts from various sectors to explore the barriers to digital inclusion for women and strategies to overcome them.

Introduction

The discussion highlighted the complex and multifaceted nature of the digital gender divide, emphasizing the need for comprehensive, multi-stakeholder approaches to address it. Panelists explored various aspects of digital inclusion, from policy frameworks to community-driven solutions, addressing fundamental barriers such as digital literacy and online safety.

Key Themes and Discussion Points

1. The Digital Gender Divide: Barriers and Challenges

Onica Makwakwa, Executive Director at Global Digital Inclusion Partnership, identified several significant barriers to digital inclusion for women:

– Lack of access to affordable devices and internet connectivity

– Social and cultural norms that limit women’s access to technology

– Digital literacy gaps and lack of foundational digital skills

– Economic constraints, including limited financial resources and time

– Lack of relevant content in local languages

– Online safety concerns and cyber violence

2. Policy Approaches and Strategies

The discussion highlighted the importance of structured policy approaches with clear implementation plans. Malahat Obaid, Director of Communications at the Pakistan Telecom Authority, presented a case study of Pakistan’s Digital Gender Inclusion Strategy, outlining a three-phase approach:

1. Development of strategy pillars

2. Implementation planning

3. Setting targets, goals, and outcomes with a three-year action plan

Obaid detailed the strategy’s six working groups focusing on:

– Access and connectivity

– Affordability

– Digital skills and literacy

– Content and services

– Safety and security

– Research and development

This structured approach was seen as a model for other countries to follow, demonstrating the value of clear, actionable strategies in addressing digital gender inclusion.

The panelists agreed on the critical need for gender-disaggregated data to inform effective policies. Malahat Obaid and Onica Makwakwa both stressed this point, emphasizing its importance in understanding the depth of the problem and identifying areas for intervention.

3. Multi-stakeholder Collaboration and Private Sector Involvement

The discussion emphasized the importance of collaboration between government, industry, and civil society in promoting digital inclusion. Cagatay Pekyorur, META’s Head of Community Engagement and Advocacy for Africa, Middle East and Turkey, highlighted META’s approach to digital inclusion, focusing on:

– Creating a safe online environment

– Supporting access to digital tools

– Maintaining inclusive stakeholder engagement

Pekyorur stressed the need for official policy frameworks and action plans to incentivize private sector involvement.

4. Community Networks and Locally-driven Solutions

Josephine Miliza from the Association of Progressive Communications introduced the concept of community networks as a solution for connectivity in underserved areas. She explained how these small-scale, locally owned infrastructure providers can effectively address digital inclusion by providing tailored solutions that understand and address local context and needs.

Miliza highlighted the impact of community networks on women’s empowerment, particularly in underserved areas, noting their potential to provide economic opportunities and enhance digital skills.

An audience member shared an example of a community networks project in Colombia, demonstrating the potential of women-led initiatives in digital inclusion.

5. Online Safety and Security for Women

The panelists agreed on the critical importance of ensuring women’s safety in online spaces. This included discussions on:

– Developing policies and frameworks for online safety

– Creating support groups to address online gender-based violence

– Implementing gender-responsive laws and legal frameworks

6. Capacity Building and Skills Training

The discussion highlighted the importance of digital literacy and skills training programs for women. Onica Makwakwa emphasized how the lack of foundational digital skills puts women at a disadvantage in accessing opportunities in digital technologies.

7. Financing Mechanisms and Funding Opportunities

Waqas Hassan, Asia Lead for Policy and Advocacy at the Global Digital Inclusion Partnership, discussed the need for financing mechanisms to support digital inclusion initiatives. The Women in Digital Economy Fund (WIDEF) was mentioned as a specific opportunity, with new funding rounds planned for India in 2024 and globally in March 2025.

Challenges and Solutions

While the discussion provided comprehensive insights into digital gender inclusion strategies, several challenges were identified:

1. Engaging women from conservative rural areas where mobile phone use is taboo

2. Balancing the commercial viability of community networks with serving hard-to-reach areas

3. Developing effective methods for collecting comprehensive gender-disaggregated data

4. Changing negative perceptions about women’s use of technology in conservative societies

An audience member raised a question about PTA’s strategy for involving women from rural areas in Pakistan, particularly in the Khyber Pakhtunkhwa region, highlighting the need for targeted approaches in challenging contexts.

Conclusion

The discussion underscored the urgency of action in promoting digital gender inclusion, framing it as both a social and economic imperative. As digital technologies continue to shape global economies and societies, bridging the digital gender divide remains a critical challenge that requires sustained effort, innovation, and collaboration across sectors and stakeholders.

In his closing remarks, Waqas Hassan referenced “The Time Is Now” report, emphasizing the timeliness and importance of addressing digital gender inclusion. The conversation provided a holistic view of the challenges and potential solutions, setting the stage for continued work and innovation in this crucial area.

Session Transcript

Waqas Hassan: And I am the Asia Lead for Policy and Advocacy at the Global Digital Inclusion Partnership. We are a policy advocacy organization working on connectivity and digital inclusion. And one of the consortium members to manage the Women in Digital Economy Fund, which has been launched last year by the White House. Today, our session is about two things. One is, of course, digital gender inclusion, digital gender equality, but we’re going to link it with responsible digital governance. If you see what is digital gender divide, it simply refers to the inequality between resources. When men and women try to access and use the internet, are there equal opportunities for both of them? Or is one gender more disadvantaged than the other? I would include all of the genders in there as well. That is where we see that there is a gender gap. There is a digital gender gap in terms of when we’re speaking about it. Now, when we talk about responsible digital governance, we talk about creating and enforcing policies or frameworks and practices that ensure that we have ethical and inclusive and equitable use of digital technologies. So with that in our mind, and also I would like to remind you that this discussion is mainly focused on the low middle income countries. So that is going to be the focus of our discussion today. What right now, if we see and if we look at a few numbers from, let’s say, from ITU, there are 244 fewer women that are online than men. So gap, this is a huge gap, as you can see. So for example, women are just the 20% women who use internet in LMICs, but as compared to 34% men. And at the same time, because of this digital inequality, there is a huge economic loss which is associated with it. According to estimates by GDIP and others, the countries have almost lost one trillion dollars just by not being able to bridge the digital gender divide. 
So it is not just a social issue or a social empowerment issue, it is actually now an economical issue as well. So in that sense of the matter, if the countries are to utilize this opportunity, and they must, they can add about half a billion dollars over the next five years. So with this concept in mind, we thought of organizing this session. And we would like to have our fantastic panelists with us who will speak about different areas as per their expertise, I’ll introduce them a bit later on. I’ll just explain the session flow for all of you. What we’re going to do is that first of all, there would be a presentation on a policy best practice, or a good practice, I would say, from Pakistan, which is Pakistan Digital Gender Inclusion Strategy. We have with us Ms. Malahat Obaid, who is the Director of Communications at the Pakistan Telecom Authority, and the member of an all-female team that developed the PTA Gender Inclusion Strategy. And she also serves as a digital gender specialist for the Central Bank of Pakistan’s Initiative of Women’s Financial Inclusion. So once Malahat presents that strategy as a case study, we will then move on towards our rest of the panelists. One of them is Onica, who is the Executive Director at Global Digital Inclusion Partnership, and one of the Executive Managing Directors for Women in Digital Economy Fund. After Onica, we will hear from Cagatay Pekyorur, he serves as META’s Head of Community Engagement and Advocacy for Africa, Middle East and Turkey. He has a law background and he has been spearheading META’s policy, public policy and programs prior to this role. And Cagatay prefers to be addressed as they or them. Next up we have Josephine Miliza, who is the Policy and Regulation Lead on Local Networks Initiative at the Association of Progressive Communications. She is a leading advocate of digital equality based out of Nairobi, Kenya and also co-chairs the African Community Networks Summit. 
So with this context in mind, let’s start with the session and I would request then Malahat to please present and talk about PTA, Digital Gender Inclusion Strategy and what kind of opportunities and challenges were there and how they actually started this process and then made a strategy and is now in the implementation phase of that strategy. So Malahat, I will hand it over to you, if you could please share your screen. You also need to unmute your mic, Malahat.

Malahat Obaid: For the generous introduction, I am grateful to the IGF and the hosts for having this workshop on such a critical subject and considering Pakistan’s Digital Gender Inclusion Strategy as a best practice. So without further delay, I believe I have a very short time to present my strategy. This is the flow of the presentation, I will be giving you some statistics and the gender gaps that exist in Pakistan, the formulation of strategy and the collaborations that we have during the strategy and the methodology we have adopted. Then the consultative… process that we followed, out of which we came out with challenges and barriers, and also the solutions to those barriers to overcome the inclusion issues that we have here in Pakistan. Towards the end, I will be telling you about the three years action plan that has been set out in the gender inclusion strategy, the working groups that we have created, and the impacts they will be creating once the strategy is implemented, and of course, towards the end, the achievements so far while we are implementing. Just to tell you, Pakistan is the fifth most populous country in the world with over 250 million population, mainly the population has around 50% as female population. Of course, almost 91% of our population has access to telecom services, but of course, the subscriber base stays at 196 million. Of course, the literacy rate, like any other Asian economies, is low, but relatively it’s low for Pakistan, it is around 63%. One of the main reasons why digital gender inclusion is not kicking off really in Pakistan, this female ownership of SIM is quite low, we have out of 196 million, only 47 million SIMs that are on female’s names or CNICs. These are the digital gender gaps that Pakistan is grappling with. 
If you can see, from 2018 to 2024, we have made a lot of improvement, however, when it comes to absolute terms, yes, we are improving, but in relative terms, Pakistan is one country in Asia which has lowest gender gaps. technology. We have made good progress when it comes to awareness about internet but when it comes to ownership and the use of internet of course the gaps are wider. Even in social media we have around 70 million social media users but the gap is, when we started off it was over 71% today it is 59% as it shows on the graph but this is for YouTube there is a you know a different number when it comes to Instagram and it is very you know forthcoming that the gap in usage of Instagram is less it is around 41% so I believe that the younger generation the younger females are using Instagram more frequently than the other the social media applications. For branchless banking we have reduced the gap to 54% and today there are around 35 million mobile wallet accounts that are being used by women and owned by women. Going to the digital gender inclusion strategy these gaps that I have just mentioned and then the rankings that were coming out for Pakistan like GSMA mobile connectivity index or for that matter inclusive internet index or the digital inclusion index Pakistan is not doing well so the government decided to address the issue with structured approach and in this regard a PTA took the lead and started the initiative of gender inclusion. We set up a committee which started working in the month of February in 2022 and following a structured approach we decided to go for the strategy first. In this regard UNESCO one of the UN’s main organization gave us the technical support, and of course, the Ministry of IT and the GSMA were there to support us in building up the strategy. The former Alliance for Affordable Internet also came forward and pitched in their share while we were developing the strategy. Of course, our operators were there to help us out. 
So when, you know, all this started off, the objective was to create a government platform based on all of the society approach, with members from all stakeholders identifying the challenges, make policy interventions and implement them across the sector, or rather all the sectors, for bringing the change and growth that is required for filling up all these gaps that we’ve been talking about. This is the methodology that we adapted. Phase one was to identify the problem for which we did a very extensive consultation process across the country. In phase two, we did the problem analysis, the areas where there was a requirement to go further deep and see where the problem is lying and how can we address. We came up with the strategy pillars and how to implement it. In the third phase, we set the targets and the goals and what would be the outcomes. Of course, and we came out with the action plan, which is a very, you know, it is although tough, but it’s a three-year action plan with specific targets and goals, and we are hoping that we will be, inshallah, able to manage it. The consultative process that we followed, as I’ve already explained, was quite an extensive one. We did a public perception survey, an IVR survey, then we had, you know, multi-stakeholder workshops that we conducted across Pakistan, and we did some expert interviews of the gender experts, not only in Pakistan, but internationally. as well to understand how to address the issues that have been coming up while we are going through this consultation process. And of course we did an online survey as well which was for all the sectors, females and even males, to participate and come up with their point of view of addressing the digital gender gap in Pakistan. 
We tried to, for the perception survey and the IVR survey, we tried, specifically for perception survey, we tried to access those areas in Pakistan which do not have the connectivity so that those people can really tell exactly the females where the problem is. Of course, accessibility is one problem, but then there are social and economic problems that came up as well. And the IVR survey that we ran across Pakistan is one of the largest survey for assessing the digital gaps or the digital inclusion state in Pakistan. It was around 100,000 sample size that we had and then there were multiple questions that we ran through that IVR survey. Of course, this was done with the help of our, the licensees, the mobile operators, they did this to assist PTA in running the survey. Of course, GSMA’s consumer surveys that are carried out regularly for Pakistan to assess the gender inclusion that they do every year, we also had their assistance and their contribution in the consultation process. Just to give you a couple of outcomes that we had from these surveys. In this survey, we mainly asked women and men both, if they have a mobile phone and have a SIM, and if they have, are they using it? And are they using the mobile? the internet or not. So the interesting fact that came out was that more women are using mobile than the ones who are owning it. Which means that there is an urge, there is a requirement by the women but they don’t have the phone so they make use of the phones that the family has and they use it. But the good thing was those females who have the mobile or for that matter the same, are actually making use of it and using the internet. So this was a good thing that they were not only having the phone but they were actually meaningfully using it. 
The perception survey that was ran in the areas of the country which were not connected we saw and we asked the women why are they using, what do you think would they do if they have internet and they were more inclined towards having better economic opportunities to help their families and to have a good communication with the family members who are out of the area where they are living. So with this consultative process we came out with the barriers and challenges that the females of Pakistan are currently facing. One of the major when we started off and then of course through the consultation process we realised that we do not have the gender desegregated data, whatever we have is not good enough for making a strategy or for building up any case for reducing the gender divide. So this was one of the major challenges or the barrier that we feel Pakistan has of non-availability of desegregation. data. Of course then the digital literacy and the availability of local content was not there and it was for the women who were already on internet also felt the need for having the local content. Affordability came out to be one of the major reasons for this digital gap. Women either do not have the capacity or the economic ability to buy or of course there are family concerns and disapprovals which do not allow them to have either the mobile or the same or for that matter having the package, internet package. Yes, infrastructure and accessibility was also one of the major issues where there are a number of areas in Pakistan where the terrain is difficult for even the operators to, the commercial operators to go there and provide the service. Then people, as I have already told you, people also have negative perception about using internet or having a mobile handset for their females. And then of this perception they thought that safety is one of the major issues while they allow their females or the girls to have mobile in their hand or using the internet. 
With this in mind, the three years action plan that was rolled out in the strategy was on a bigger platform that we started with the steering committee which is headed by the minister for IT and telecom in Pakistan and the secretarial support is given by PTA. Under this, we have identified these six areas of which we made working groups. One was affordability. Then it was accessibility, which was covering the infrastructure requirements. And then there was safety and security, how we can ensure that women should feel safe while they are online. Then we have to create digital literacy for those who are educated or who are literate, but still do not have digital literacy. So we have identified this as a pillar, as a core working group where we have to address this issue. Inclusion is one area where we need to change the perception of the general public and the masses that internet can be used for better purposes, for the economic and social well-being of a female or a family member. And of course, we have this working group on research and data that is going to be very helpful, of course, while we are doing the policy changes and setting up targets and goals for reducing this gender gap. All these working groups are being led by the top government agencies in the country, of course, according to the specific areas. Between the working group and the steering committee exists a technical advisory committee. These are all organizations out there who are actually helping reduce the gender divide or the digital divide across the globe. So they have the visibility, they have the capacity and the capability to guide not only our working groups, but but also help the steering committee identify and take the areas out where there is a possibility, immediate possibility of improving the situation in the country. 
With this, working groups and the steering committee, we have kicked off this digital gender inclusion strategy in August 2024, and almost all of the working groups are now live and they have started working, they are revising their TORs, although the TORs are already there in the strategy identified, but we always thought that it is good to give them a chance to reassess the situation and see if they can improve it and then will start implementing in their own areas. So with affordability Pakistan, the affordability working group, the impact that we are expecting is to have 25% more women in Pakistan who can now afford after this implementation and the projects that we are going to go through with these working groups, we will be able to increase this number. Similarly, we are expecting that by end of three years action plan, we will be having 20% more women have access to digital services and SIMS will be on their CNIC. So currently, as I told you, it is around 47 million women who own a SIM on their CNIC. We are expecting it to be 20% more towards the end of the next three years. Safety and Security Group is headed by the Human Rights Commission of Pakistan and we are trying to have… gender-responsive laws and legal frameworks that ensure that women are safe while they are online. So the digital literacy group is headed by the Ministry of Education and we expect that the 60% of adult women population will acquire digital skills with the implementation of this strategy and certainly would want this strategy to play its role while we turn around the negative perception of women use of technology through this strategy. And we are working with the Pakistan Bureau of Statistics, the federal commission which provides statistics for the country, they are also leading this working group and are in the process of devising the indicators that are required to assess the digital females participation in the digital arena. 
With this we have, you know, since August and even before while we were devising the strategy we started having the collaboration. So these are the organisations that we have partnered with and they have rolled out the programmes in digital skills, awareness and of course the reports that are going to come up and the awareness spread programmes that we are having. We are committed to the strategy implementation under all of the stakeholders approach and thank you and over to you Waqas.

Waqas Hassan: Thank you. Sorry for rushing you but we have, as you can see this strategy developed by PTA is why is it presented as a case study because is you can see a structured approach, and you can see a clear plan of implementation. So if you have more questions about the strategy, how it was developed, anything else, you can ask during the Q&A. Or you can reach out to Dr. Khabar, who is the member of Compliance and Enforcement at PTA, and here in the room at the very front. So with this, I will now quickly move to Onica. And Onica, with your extensive experience working with underserved communities and for digital gender equality, what would you say are the key barriers and challenges in low, middle, and income countries?

Onica Makwakwa: Thanks, Waqas. And thank you so much, Malahat, for that presentation. It just really helps us see the picture at the national level when a country really commits to understanding the gender-digital divide, and actually not just adopting policies, but a commitment to implementing for change. So a lot of these that I’m identifying, I think will resonate very much with the presentation that we’ve just had. And I’m going to base this on two particular publications we published this year. One is the Connected Resilience, which looks at gendered experiences of women through meaningful connectivity. And the other one is The Time Is Now, which is a policy impact report that we published through the WIDEF initiative to actually really look at policy frameworks that are successful in advancing our efforts to close the gender-digital divide. And I would say that the biggest barriers that we are identifying in most of this report, and a lot of the work that’s been done by many other organizations, is the lack of access to affordable devices and internet connectivity. Having reliable digital information. infrastructure, especially for women in rural areas, is a major barrier that actually keeps them away from being able to enjoy and utilize, you know, digital services as well as be part of a digital economy. So I’m going to go through this very fast, because I know you don’t have a lot of time, but we want to have a little bit more discussion later on. The second one, key one, is social cultural barriers and gender norms. And this really is no surprise for many of us, but we have to continuously work on these on the digital side. They don’t just simply go away simply because we are working on technology. These are issues that exist within our society in terms of restrictions on girls and women’s mobility, also therefore has an impact on their ability to access services such as public Wi-Fi, as an example. 
The lack of digital literacy and skills, you know, foundational digital skills, really put women at a disadvantage in terms of even being able to acquire the necessary opportunities that exist in digital technologies. And the fourth one is economic barriers, and this one is just not so much a lack of having the financial resources, but it’s also a lack of time as an economic value, right? Because women are predominantly the ones that we expect to fulfill the unpaid care labor in most societies. And so it also means that, yes, they lack the financial resources to buy these devices that are unaffordable, but they also lack the time to be able to dedicate towards the skills and training and developing themselves for utilization of digital technologies. And lastly, maybe not lastly, I’ll just mention two more. One more is the lack of legal and policy frameworks that are very explicit about closing the inequalities. You know, these things are not going to just happen on their own. and we need to be intentional in making so, including safety online for women, having laws and policies that are explicit about giving that protection for them. And lastly, I won’t elaborate on it because that’s something that Malahat spoke a lot about, and that is the lack of gender data gaps. You know, we know what we know now, but we know that it may be quite inadequate because we are not collecting gender-segregated data to be able to really understand how deep the problem is and where the interventions are most needed. So I will pause there for now, and thank you so much for this opportunity.

Waqas Hassan: Thank you, Onica. Thank you for identifying the barriers which are most prevalent in the low-middle-income countries. And I’ll come back to you with a couple of things, but now I’ll move to Cagatay. Cagatay, first of all, thank you for joining us. And coming from Meta, you know, as a big platform, you know, one of the big techs, what do you think, what are the ideal ways in which the community and the industry and the platforms, you know, can help and overcome these barriers for digital gender inclusion? And how can we influence positive governance practices on this issue?

Speaker 1: Thank you so much, Waqas. I think I can try to answer this question by first talking like in Meta, like it’s Meta, how we are seeing the problem and how we are trying to overcome it. I’m not sure if you can hear me properly, but okay. And then like I may try to come up with a more proper answer to the question itself, maybe, by also including like my take on the issue. But first, I would like to start with by saying that like at Meta, we believe women should have equal access to the economic, educational, and social opportunities that the internet provides. that’s for sure. And we try to take a multifaceted and also multi-stakeholder approach in ensuring that our services are accessible and inclusive for women through all our platforms and products and policies. If I can try to put this in a structure to explain it a bit further, I think for us the first priority here is creating a safe online environment for all genders, but of course like for the women in the context of this panel. And the second pillar would be supporting access to the digital tools and the digital opportunities that our platforms also enable all our users. And the third bucket in a way connected to the first one as well, but also like there’s an independent side of it too that I can explain, that’s maintaining an inclusive stakeholder engagement in relation to our innovation, like when we are innovating a new product, and also our integrity related efforts, like when we are trying to understand the risks. By that what I mean is when we are innovating a new product to make sure that such product is not biased and it reflects the characteristics of all genders, we believe that we should be in consistent engagement with women and group representatives of other genders. And also when it comes to our risk understanding, our risk assessments, again those should be inclusive of the experiences of these user groups.
And in doing this, like all three different buckets of work, I would like to say that our approach most of the time requires us to work closely with civil society organizations, like this is what I meant by my multi-stakeholder approach that we have, and also in some instances like we are in partnership with the governments. I will try to keep it as brief as possible because I know that we want to open it for Q&A, but very briefly, when it comes to creating a safe online environment, it is of course mostly related to our own community standards and our policies which governs which content we allow and which content we don’t allow on our platforms. And we of course do have policies that are specifically designed to protect high-risk users, vulnerable groups including women, such as our hate speech policy, sexual exploitation of adults policy, bullying and harassment policy. They have elements that are specifically designed to protect women, such as from revenge porn or sextortion. And we have a safety center which includes useful information for people who may not feel safe in our platforms or in general online. And there is a specific safety hub that is focused on women’s safety itself too. On creating and supporting access to digital opportunities, especially when we think about low- and medium-income countries, I would like to mention one specific program that we have which is called She Means Business. This program is actually a training program to empower women with the tools that may enable them to benefit the digital economy in a more meaningful way for them. And it goes beyond just like teaching about our own tools, but also it includes information about business resilience, financial literacy and cyber security, because we are seeing that these are actually required to create success there. And in Turkey, we conducted this program in collaboration with the government and also civil society organization.
And since it’s launched in 2017, 7,000 women have been trained on this program. Also in Africa, like continents, we focused in Nigeria, Kenya, South Africa and Senegal for this program. And again, thousands of women in these countries have been trained. Another example, like from this country, Saudi Arabia, when we think about metaverses, like more innovative like products that we have. We realized especially for our region, Africa, Middle East and Turkey region, readiness is the key issue regardless of the gender, regardless of the background. Hence like we come up with like some programmatic activities to make sure that the main youth is actually ready with their technical capabilities for these upcoming technologies. And we started Metaverse Academy in this country again in partnership with the government and also the university here. And I am very happy to say that the significant majority of the participants were women in this program and this was one of the goals for us as well. Also for the government. I can definitely articulate more on our stakeholder approach, inclusive but like I also want to be very mindful of the time like for the other panelists. Just before closing I want to say three more things very briefly because like the question is like what are the ideal ways and like it’s of course speculative, it will be speculative of me. But in my experience like when I look at all these projects that I was also involved in, I think we definitely benefit from official policy frameworks and action plans that prioritizes overcoming barriers to digital inclusion of women because they create an incentive for private companies to focus on this area and like come up with programmatic efforts. Again like this is my take. 
And I think as a second thing there is a huge benefit in facilitating direct engagements with civil society organizations and private again like platforms because like it helps us to as I mentioned like develop a better understanding of the actual situation. But also it allows civil society organizations and their representatives to have a deeper influence on the product development and also the projects that these companies do have. And again in relation to the civil society, I would also like to recognize the value of the advocacy efforts of these groups in keeping both platforms and also governments accountable. When we miss something or like when there’s an area that requires more investment or more government support, it’s always the civil society that puts it under a spotlight and definitely it plays a big role in keeping us accountable and come up with a better governance. Thank you.

Waqas Hassan: Thank you. Thanks, Cagatay, for sharing Meta’s approach towards digital inclusion and online safety. And you mentioned She Means Business. That program was also launched in Pakistan. One of the organizations that was implementing that program has now actually been selected as a winner of Round One of Women in Digital Economy Fund. So they are going to be funded and they’re going to conduct these digital literacy trainings across Pakistan, which is great for the country of course and to bridge the gender digital gap. Josephine, I’m going to come towards you now and your experience building community networks and you know doing policy advocacy for that and being deeply connected with those communities on ground. When you take these kind of innovative solutions like community networks to these areas, what kind of impact do you see on women in those areas and how does this work for gender empowerment in those underserved areas?

Speaker 2: Thank you, Waqas, and also for all the great panelists who have gone before me. I think a lot of what they’ve shared really resonates with the work that we are doing. And for those in the room who are not familiar with community networks, it’s just essentially small-scale or locally owned infrastructure providers that traditionally are based in places where commercial operators are not going because of profitability issues. And one of my reflections or learnings or just one of the things I’ve seen around the impact of locally driven solutions is really understanding the local context. And an example being in the sense of how they look at gender empowerment or women empowerment and inclusion is that when it comes to traditional operators, you find that they really do not integrate into issues such as distance. How long does a woman need to walk in terms of getting to maybe a cyber cafe where they can access internet as well as the devices, affordability, the other roles that they play at home. And so, what community networks do is being able to hold spaces, which are women’s circles where you get to demystify first what technologies are, but also just develop a program so that it is capacity building, whether it is the service provisioning, that really understand the different concepts around the women need. So we are seeing a lot of changes and a lot of impact in terms of skill building and addressing some of the issues, not just affordability. Right now, with the online space, there’s gender online based violence or technology facilitated violence, which impacts women. Some, yes, are able to get online, but get scared and now leave online spaces. And so, the essence of having community networks is also having not just online support groups, but also in-person support groups that are able to support these efforts. I’m not getting another chance, so I just also wanted to bring in a reflection on how we can be able to collaborate moving forward.
I really appreciate the work that the partners such as GDIP have been doing in terms of highlighting where the gaps are and also bringing strong recommendations, whether it is on promoting digital policies that look at this issue, as well as financing with projects such as the WiDEF, because a key gap that we’re seeing is when it comes to access to devices, there’s a lot of initiatives that are going towards capacity building, but very limited efforts in terms of ensuring that devices are affordable, as well as there’s actually affordable access and infrastructure. So, financing is a key aspect and digital policies that address this issue, so that even when we are doing allocations for funds, such as the universal service access funds, we can be able to incorporate some of the aspects around inclusion at community levels. Thank you.

Waqas Hassan: Thank you. Thank you, Josephine. I mean, we can all agree that it’s not just that you take a brilliant, innovative solution to a community, it has to be a meaningful connectivity that you eventually take there. And having this financing mechanism out there, there was a session earlier in the morning on financing mechanism. I think it was a wonderful session where the panelists also shared about how those kind of financing mechanisms could be there. We are a bit short of time. I would now like to turn towards the audience. If anybody online or in the room would like to share their experience, or ask a question to the panelists, or if you have any insights, any good policy practice that you see and you’d like to share with us, please just raise your hand, or we’ll give you a mic, and take your views on this. I have a question for Josephine, if there’s none on the floor. There’s one on the floor, and then I’ll come back to you, Onica. Sure.

Audience: OK, thank you. Well, thanks for all the ideas and things that you shared today. I just want to tell you that I’m from Colombia, from an NGO called Colnodo, and we also work with community networks in our country. And the last years, these kind of networks has been related with women, because we have a project that is financed by Google, in order to implement 10 community networks in different communities in Colombia. But with the participation of women. Then one of the things that we do in our methodology is create a group we call head stories. I don’t know how to say in English. Head stories like managers of the community networks. But the most of them are women. And they receive capacity in technical issues about how to implement, install, and then sustain the infrastructure for the community network. And other group of women receive capacity also in how to create contents for the community network. And also other group in financial and administrative issues for the sustainability of the network. And additionally, another group that have training, for example, in enterprise, beginning an enterprise, or using technology for, yes, for their own interest. This is because we have been working with Meta also in Colombia in bringing to some women that kind of capacity in using the platforms for their own business. Then just to share with you, this kind of initiative is done where we can work with women in different activities and different contexts. And trying to find also what is the interest of the women. Because not all want to participate in all the things. But we can bring to them the opportunity to have capacities in different topics in accordance with their interests. Thank you.

Waqas Hassan: Thank you, thank you so much. I hope you can hear me from this, okay. So, thank you so much for sharing this example with us from Colombia. I think what we can see is that we also see a structured approach when we see what is happening in Colombia around CNs and how women-led CNs and women-centric CNs can make a huge difference. We have, Cagatay, you wanna say something? Yeah, sure, sure.

Speaker 1: Thank you so much for sharing this. I mean, it’s so nice to see that, you know, the community found these efforts useful. I just wanted to note, like, while I also believe the value and necessity of, like, organizing this capacity building efforts, I want to share that, like, we are also, like, benefiting so much from another type of a working group. We have it, like, in our region, like, for SSA Sub-Saharan Africa region, we have, like, women’s working group, what we call. And it brings women rights activists and also digital rights activists together and helps us to better understand the issues that they have in online platforms. And, like, thanks to those engagements that we had in those groups with them, we were able to, like, better understand the issues around, like, online gender-based violence, like, feminist rapid response services, and we were able to support them. And we were also able to go beyond just, like, women cause, but, like, together with them, we were also able to address the issues of the LGBTQI plus communities in online, like, in the issues that they have in the online platforms. So I, like, capacity building, definitely, but on top of that, I think, like, there is, like, when we think about a woman, like, there is a value in also investing in tech feminism and tech law and governance space, too. I just wanted to add that.

Waqas Hassan: Thank you. Thanks for the intervention, Cagatay, makes a lot of sense. Onica, I’m gonna take your question and then we have one from the audience.

Onica Makwakwa: Yeah, sure, well, thank you so much. So I actually have a question for Josephine. You know, we have an emerging divide amongst those who are actually already connected, right? So we’ve got the connected and the unconnected, but amongst those who are connected, we’ve got an emerging divide that’s really centered around the quality of the connection. And so it seems, I’ve sort of observed that whenever we talk about community networks as an infrastructure project to bridge some of these gaps, for the Global South communities, we tend to confine them to rural areas only, right? You know, so I mean, I think in Africa, for the most part, the model has been, it’s only in places where it has been deemed commercially not viable for the operators to provide connectivity. However, the very same mobile operators discriminate against users, especially in urban, peri-urban areas, because they tend to focus more on business clients as opposed to the huge prepaid market that pays extensively high rates to connect. My question is why, is there scope and opportunity to consider community networks beyond rural areas? And I’ll just kind of give you an example that New York City public Wi-Fi is the largest community-owned network that I know of, but I just kind of find it very curious that when it comes to Africa, Asia, and maybe even Latin America, we are told that the only way to have a community network is rural areas, so that competition that comes from community-owned networks is not allowed in urban areas, and it’s unfortunate because what it looks like is that yes, we need competition in terms of digital technologies, but we also need competition in terms of a financial model that can, you know, service the diversity and inequalities that exist within urban sectors as well. And I just would love to hear your thoughts on that and if, you know, this would be a pipe dream long-term or not.

Speaker 2: It’s not a pipe dream. Thank you, Onica, for bringing that up because in our conversations with many regulators, there’s usually the issue that there’s a lot of pushback from mainstream operators who see community networks as competitors. And because of the power and the finances and the control that they have over most of the state, it sort of becomes a difficult conversation to have, whereas community networks are really small-scale operators that do not have the financial muscle to push back. And so in a way to appease, I will say in a way to appease the big operators, it’s usually that then regulators say, why don’t you go to underserved areas where they are not operational or where there’s no connectivity so that it doesn’t seem like you’re here to compete with the big operators. But then in the same breath, the expectation is that you will go to the hard-to-reach areas but still become commercially viable because whenever community networks are in the room, there’s always the question of, are you sustainable? Are you sustainable? But then even the large commercial operators are not going to these areas because they are not commercially viable. But what we are seeing is that it’s not just an issue of no access, but it’s also quality as you’re saying. A lot of the opportunities now for people who live in urban areas is digital work and that means that it’s very expensive to access. And we are seeing not just for community networks who are non-for-profit but even the small scale ISPs, really growing and becoming, you know, a force to reckon with in many of the areas in terms of not just affordable, but also good quality service and the ability to provide good customer care service.
So it’s definitely a time to really relook our regulatory frameworks, not just for non-for-profit entities and we are saying even for small scale ISPs, because there is room to serve people, they are locally available, but it’s just that regulation is still tight and it’s because other players are competing fairly. Thank you.

Waqas Hassan: Thank you, Onica. It’s a great insight and I’d just like to mention here that the gender inclusion strategy that PTA has, one of the working groups for access, it does talk about community networks and providing support to community networks. So in a way, this is another good example where it is not, I mean community networks may have been discussed by licensing or other departments, but it is part of the gender strategy which gives it more impetus that you know it is going to be women-centric empowerment technology. I’ve been told that we have four minutes, but I’ll take one last question before we close. Please.

Audience: My question is from Ma’am Malahat, who is representing PTA, that how PTA is working to plan a strategy for involving women from the rural areas in Pakistan, or specifically in the newly emerged district in Khyber Pakhtunkhwa, even where phones with the women is a taboo. So how will you bring them to the internet, although in Pakistan we have some 49% of the population from women. So how do you see the women inclusion on the internet, specifically in the rural areas, especially in the tribal districts of Khyber Pakhtunkhwa?

Malahat Obaid: Thank you very much for your question. Just to give you a background, when we started off with this strategy development process, Khyber Pakhtunkhwa, for my audience as well, is one of the provinces of Pakistan in which there are, you know, some social barriers are more as compared to the rest of the country. So yes, we included, while we were doing the consultative process, there was extensive consultation undertaken while we were developing the strategy and we considered the viewpoint of the local communities as well. We had them on board while we were discussing the issue, the females, the organizations that are working in that area were also on board. You can go through the consultation process that is already available, the outcomes of the process that is already available on our website, PTA website. There are organizations that I have just mentioned we are collaborating with and they are working in that specific area which you are talking of, the Khyber Pakhtunkhwa region. They will be working on providing the connectivity as well as, you know, conducting programs for digital literacy. So the strategy has a very holistic approach towards all the locations and the areas that are already connected and that still needs some access issues to be resolved. So with time, of course, the accessibility group which is being led by PTA will be considered, will be considering, you know, taking into account if there are still some areas or issues that are left or for that matter are not covered in our TORs and you are most welcome to follow the process of implementation of the strategy. Thank you.

Waqas Hassan: Thank you. Thank you so much, Malahat, and thank you for your question. We are like almost out of time. I wanted to have a closing statement from each of the panellists, but I think probably on behalf of the panel, Onica, would you like to just close with the closing statement to just represent the panel?

Onica Makwakwa: Yes, certainly. Thank you so much. So I will just close by saying that there’s a lot of initiatives that are taking place to help close the gender digital divide, and I’m just very pleased to share with you that one such initiative is the Women in the Digital Economy Fund, which was launched earlier this year, an $80 million fund that is strictly focused on supporting and funding the scale-up of solutions that are focused on women-led and women-focused initiatives to close the gender digital divide. We currently have a round that is open for India only, so please go to WiDEF, W-I-D-E-F dot global. I will put it in the chat as well for those who are online, and see it will be closing soon. We will have another global round that will open in March of 2025. I really hope to see many exciting applications, including from community networks, especially women-led, women-focused, so that we have an opportunity to help close the gender digital divide in the global majority world. Thank you. Thank you so much. And if you have any questions, Waqas is the regional lead for Asia, so please, if you are in the room, bombard him.

Waqas Hassan: And if you of course want to know more about policy recommendations and how to go about bridging the digital gender divide, there is a report that we have out here which very amply says that the time is now, right, so the time is now that we make all efforts. And it is absolutely possible, and it is absolutely necessary to make a meaningful difference in the situation of digital gender divide through inclusive policy making, through stakeholder consultation and by processes which are community centric. So with that note, I thank you all for being here, thank you to my panelists, thank you for people who joined us online and have a safe day. Thank you. Take care. Onica and Malahat, would you stay on the screen for a minute so that we can take a picture of the panel. We can probably huddle around the screen. Okay, so can you look at the front, thank you. Thank you so much, Malahat, Onica, thank you, take care. Thank you, thanks everyone. Thank you, Waqas, thank you, thank you Onica, bye bye. Bye. As-salamu alaykum. Walaykum as-salam.

Malahat Obaid

Structured approach with clear implementation plan

Explanation

The Pakistan Digital Gender Inclusion Strategy was developed using a structured approach with a clear implementation plan. This includes working groups, a steering committee, and a three-year action plan with specific targets and goals.

Evidence

The strategy has six working groups, a steering committee headed by the Minister for IT and Telecom, and a three-year action plan with specific targets.

Major Discussion Point

Digital Gender Inclusion Strategies and Policies

Need for gender-disaggregated data to inform policies

Explanation

The lack of gender-disaggregated data was identified as a major challenge in developing effective policies for digital gender inclusion. This data is crucial for understanding the extent of the gender gap and informing targeted interventions.

Evidence

A working group on research and data was established as part of the strategy to address this issue.

Major Discussion Point

Digital Gender Inclusion Strategies and Policies

Agreed with

Onica Makwakwa

Agreed on

Need for gender-disaggregated data

Need for gender-responsive laws and legal frameworks

Explanation

The strategy emphasizes the importance of developing gender-responsive laws and legal frameworks to ensure women’s safety online. This is part of the broader effort to create a safe and inclusive digital environment for women.

Evidence

The Safety and Security Group, headed by the Human Rights Commission of Pakistan, is working on developing gender-responsive laws and legal frameworks.

Major Discussion Point

Online Safety and Security for Women

Agreed with

Cagatay Pekyorur

Josephine Meliza

Agreed on

Need for policies and frameworks to ensure women’s online safety

Onica Makwakwa

Lack of access to affordable devices and internet connectivity

Explanation

One of the biggest barriers to digital inclusion for women in low and middle-income countries is the lack of access to affordable devices and internet connectivity. This limits women’s ability to participate in the digital economy and access online services.

Evidence

This finding is based on two publications: ‘Connected Resilience’ and ‘The Time Is Now’.

Major Discussion Point

Barriers to Digital Inclusion for Women

Social and cultural barriers limiting women’s access

Explanation

Social and cultural norms often restrict women’s mobility and access to digital technologies. These barriers persist even in the context of digital technologies and need to be continuously addressed.

Evidence

Examples include restrictions on girls’ and women’s mobility, which affects their ability to access services like public Wi-Fi.

Major Discussion Point

Barriers to Digital Inclusion for Women

Agreed with

Josephine Meliza

Agreed on

Importance of addressing social and cultural barriers

Lack of digital literacy and skills

Explanation

Many women in low and middle-income countries lack basic digital literacy and skills. This puts them at a disadvantage in terms of accessing digital opportunities and participating in the digital economy.

Major Discussion Point

Barriers to Digital Inclusion for Women

Economic barriers including lack of financial resources and time

Explanation

Women often face economic barriers to digital inclusion, including lack of financial resources to purchase devices and internet access. Additionally, the burden of unpaid care work limits the time women can dedicate to developing digital skills.

Evidence

Women are predominantly expected to fulfill unpaid care labor in most societies, limiting their time for digital skill development.

Major Discussion Point

Barriers to Digital Inclusion for Women

Cagatay Pekyorur

Speech speed: 149 words per minute. Speech length: 1356 words. Speech time: 544 seconds.

Importance of official policy frameworks and action plans

Explanation

Official policy frameworks and action plans that prioritize overcoming barriers to digital inclusion of women are crucial. These create incentives for private companies to focus on this area and develop programmatic efforts.

Evidence

Meta’s experience with various projects shows the benefit of such frameworks in encouraging private sector involvement.

Major Discussion Point

Digital Gender Inclusion Strategies and Policies

Policies and frameworks to ensure women’s online safety

Explanation

Meta has implemented policies and frameworks specifically designed to protect high-risk users, including women, on their platforms. These include policies on hate speech, sexual exploitation, and bullying and harassment.

Evidence

Meta has a safety center with a specific safety hub focused on women’s safety, and policies designed to protect women from issues like revenge porn.

Major Discussion Point

Online Safety and Security for Women

Agreed with

Malahat Obaid

Josephine Meliza

Agreed on

Need for policies and frameworks to ensure women’s online safety

Josephine Meliza

Speech speed: 141 words per minute. Speech length: 829 words. Speech time: 352 seconds.

Community networks as locally-driven solutions

Explanation

Community networks are small-scale, locally owned infrastructure providers that can effectively address digital inclusion in areas underserved by commercial operators. They can provide tailored solutions that understand and address local context and needs.

Evidence

Community networks have been successful in creating women’s circles for capacity building and addressing issues like online gender-based violence through in-person support groups.

Major Discussion Point

Approaches to Promote Digital Inclusion

Agreed with

Onica Makwakwa

Agreed on

Importance of addressing social and cultural barriers

Support groups to address online gender-based violence

Explanation

Community networks provide not just online support groups but also in-person support groups to address issues of online gender-based violence. This helps women who may be scared to use online spaces due to such violence.

Major Discussion Point

Online Safety and Security for Women

Agreed with

Malahat Obaid

Cagatay Pekyorur

Agreed on

Need for policies and frameworks to ensure women’s online safety

Value of digital policies that address inclusion at community levels

Explanation

Digital policies should address inclusion at the community level, particularly when it comes to allocating funds such as universal service access funds. This ensures that community-level needs and contexts are considered in digital inclusion efforts.

Major Discussion Point

Digital Gender Inclusion Strategies and Policies

Waqas Hassan

Financing mechanisms to support inclusion initiatives

Explanation

Financing mechanisms are crucial to support digital inclusion initiatives, particularly for providing affordable access to devices. There is a need for more efforts in ensuring that devices are affordable, in addition to capacity building initiatives.

Evidence

The Women in Digital Economy Fund, an $80 million fund focused on supporting and funding the scale-up of women-led and women-focused initiatives to close the gender digital divide.

Major Discussion Point

Approaches to Promote Digital Inclusion

Audience

Speech speed

118 words per minute

Speech length

388 words

Speech time

197 seconds

Capacity building and skills training programs for women

Explanation

Capacity building and skills training programs are effective in promoting digital inclusion for women. These programs can cover various aspects including technical skills, content creation, and business skills.

Evidence

An example from Colombia where women receive training in technical issues, content creation, and financial and administrative skills for community networks.

Major Discussion Point

Approaches to Promote Digital Inclusion

Agreements

Agreement Points

Need for gender-disaggregated data

Malahat Obaid

Onica Makwakwa

Need for gender-disaggregated data to inform policies

Lack of gender data gaps

Both speakers emphasized the importance of collecting gender-disaggregated data to understand the extent of the digital gender gap and inform effective policies.

Importance of addressing social and cultural barriers

Onica Makwakwa

Josephine Meliza

Social and cultural barriers limiting women’s access

Community networks as locally-driven solutions

Both speakers highlighted the need to address social and cultural barriers that limit women’s access to digital technologies, with community networks seen as a potential solution.

Need for policies and frameworks to ensure women’s online safety

Malahat Obaid

Cagatay Pekyorur

Josephine Meliza

Need for gender-responsive laws and legal frameworks

Policies and frameworks to ensure women’s online safety

Support groups to address online gender-based violence

Multiple speakers stressed the importance of developing policies, frameworks, and support systems to ensure women’s safety in online spaces.

Similar Viewpoints

Both speakers emphasized the importance of structured, official policy frameworks and action plans to address digital gender inclusion.

Malahat Obaid

Cagatay Pekyorur

Structured approach with clear implementation plan

Importance of official policy frameworks and action plans

Both speakers highlighted the need for financing mechanisms to address the lack of access to affordable devices and internet connectivity for women.

Onica Makwakwa

Waqas Hassan

Lack of access to affordable devices and internet connectivity

Financing mechanisms to support inclusion initiatives

Unexpected Consensus

Community networks as a solution for urban areas

Onica Makwakwa

Josephine Meliza

Community networks as locally-driven solutions

While community networks are often seen as solutions for rural areas, there was an unexpected consensus on their potential value in urban areas to address quality of connection issues and provide affordable alternatives.

Overall Assessment

Summary

The main areas of agreement included the need for gender-disaggregated data, addressing social and cultural barriers, ensuring women’s online safety, structured policy frameworks, and financing mechanisms for digital inclusion.

Consensus level

There was a high level of consensus among the speakers on the key challenges and potential solutions for digital gender inclusion. This consensus suggests a shared understanding of the issues and a common direction for addressing the digital gender divide, which could facilitate more coordinated and effective efforts in policy-making and implementation.

Differences

Different Viewpoints

Scope of community networks

Onica Makwakwa

Josephine Meliza

My question is why, is there scope and opportunity to consider community networks beyond rural areas?

Community networks are small-scale, locally owned infrastructure providers that can effectively address digital inclusion in areas underserved by commercial operators. They can provide tailored solutions that understand and address local context and needs.

Onica Makwakwa questions the limitation of community networks to rural areas, suggesting they could be valuable in urban settings too. Speaker 2 focuses on community networks as solutions for underserved areas, implying a more rural focus.

Unexpected Differences

Overall Assessment

Summary

The main areas of disagreement were limited, with most speakers generally aligned on the importance of addressing digital gender inclusion through various means such as data collection, policy frameworks, and community-based solutions.

Difference level

The level of disagreement among the speakers was relatively low. Most differences were in emphasis or approach rather than fundamental disagreements. This suggests a general consensus on the importance of digital gender inclusion and the need for multi-faceted approaches to address it, which is positive for advancing the topic.

Partial Agreements

All speakers agree on the importance of data and policy frameworks for addressing digital gender inclusion. However, they emphasize different aspects: Malahat Obaid focuses on gender-disaggregated data, Onica Makwakwa highlights the inadequacy of current data collection, and Cagatay Pekyorur stresses the importance of official policy frameworks to incentivize private sector involvement.

Malahat Obaid

Onica Makwakwa

Cagatay Pekyorur

The lack of gender-disaggregated data was identified as a major challenge in developing effective policies for digital gender inclusion. This data is crucial for understanding the extent of the gender gap and informing targeted interventions.

Lack of gender data gaps. You know, we know what we know now, but we know that it may be quite inadequate because we are not collecting gender-segregated data to be able to really understand how deep the problem is and where the interventions are most needed.

Importance of official policy frameworks and action plans

Takeaways

Key Takeaways

Digital gender inclusion requires structured policy approaches with clear implementation plans

Major barriers for women include lack of affordable access, social/cultural norms, digital skills gaps, and economic constraints

Multi-stakeholder collaboration between government, industry, and civil society is crucial for promoting digital inclusion

Community networks and locally-driven solutions can help bridge connectivity gaps, especially in underserved areas

Online safety and security measures are essential to ensure women’s meaningful participation in digital spaces

Resolutions and Action Items

Pakistan Telecom Authority to implement 3-year action plan for digital gender inclusion strategy

Women in Digital Economy Fund to open new funding round for India in 2024 and global round in March 2025

Unresolved Issues

How to expand community networks beyond just rural areas to also serve urban populations

How to effectively engage women from conservative rural areas where mobile phone use is taboo

How to balance commercial viability of community networks with serving hard-to-reach areas

Suggested Compromises

Allowing community networks to operate in both rural and urban areas to increase competition and service quality

Integrating support for community networks into national gender inclusion strategies

Thought Provoking Comments

According to estimates by GDIP and others, the countries have almost lost one trillion dollars just by not being able to bridge the digital gender divide. So it is not just a social issue or a social empowerment issue, it is actually now an economical issue as well.

speaker

Waqas Hassan

reason

This comment reframes the digital gender divide as an economic issue rather than just a social one, highlighting the massive financial impact.

impact

It set the tone for the discussion by emphasizing the economic urgency of addressing the digital gender divide, leading to more focus on policy and implementation strategies.

We came out with the strategy pillars and how to implement it. In the third phase, we set the targets and the goals and what would be the outcomes. Of course, and we came out with the action plan, which is a very, you know, it is although tough, but it’s a three-year action plan with specific targets and goals, and we are hoping that we will be, inshallah, able to manage it.

speaker

Malahat Obaid

reason

This comment outlines a structured, actionable approach to addressing the digital gender divide, moving beyond theoretical discussion to practical implementation.

impact

It shifted the conversation towards concrete strategies and timelines, prompting other speakers to discuss specific initiatives and programs.

The lack of digital literacy and skills, you know, foundational digital skills, really put women at a disadvantage in terms of even being able to acquire the necessary opportunities that exist in digital technologies.

speaker

Onica Makwakwa

reason

This comment highlights a fundamental barrier to digital inclusion that goes beyond just access to technology.

impact

It broadened the discussion to include the importance of education and skill development, leading to conversations about training programs and capacity building initiatives.

What community networks do is being able to hold spaces, which are women’s circles where you get to demystify first what technologies are, but also just develop a program so that it is capacity building, whether it is the service provisioning, that really understand the different concepts around the women need.

speaker

Josephine Meliza

reason

This comment introduces the concept of community networks as a grassroots solution to digital inclusion, emphasizing the importance of local context and women-centric approaches.

impact

It shifted the discussion towards more localized, community-based solutions, prompting questions about the applicability of community networks in different contexts.

We have an emerging divide amongst those who are actually already connected, right? So we’ve got the connected and the unconnected, but amongst those who are connected, we’ve got an emerging divide that’s really centered around the quality of the connection.

speaker

Onica Makwakwa

reason

This comment introduces a nuanced perspective on digital inequality, highlighting that access alone is not sufficient for true digital inclusion.

impact

It deepened the conversation by introducing the concept of quality of connection, leading to a discussion about the need for community networks in urban areas and not just rural ones.

Overall Assessment

These key comments shaped the discussion by progressively deepening the analysis of the digital gender divide. The conversation evolved from highlighting the economic importance of the issue to discussing specific policy strategies, then to addressing fundamental barriers like digital literacy. It further progressed to exploring grassroots solutions like community networks, and finally to examining nuanced aspects of digital inequality even among those with access. This progression led to a comprehensive exploration of the issue, covering economic, policy, educational, and community-based dimensions of digital gender inclusion.

Follow-up Questions

How can community networks be implemented beyond rural areas in developing countries?

speaker

Onica Makwakwa

explanation

This explores the potential for community networks to address connectivity issues in urban areas, challenging the current focus on rural deployment only.

How is PTA working to involve women from rural areas, especially in newly emerged districts of Khyber Pakhtunkhwa, where phone ownership by women is taboo?

speaker

Audience member

explanation

This addresses the specific challenges of digital inclusion for women in conservative rural areas of Pakistan.

How can we facilitate direct engagements between civil society organizations and private platforms to improve digital inclusion efforts?

speaker

Cagatay Pekyorur

explanation

This explores ways to enhance collaboration between tech companies and civil society to better address digital inclusion challenges.

What are effective ways to collect gender-disaggregated data to better understand and address the digital gender divide?

speaker

Onica Makwakwa

explanation

This highlights the need for more comprehensive data to inform policy and interventions aimed at closing the digital gender gap.

How can we develop and implement gender-responsive laws and legal frameworks to ensure women’s safety online?

speaker

Malahat Obaid

explanation

This addresses the need for specific legal protections to make the online environment safer for women.

What strategies can be employed to change negative perceptions about women’s use of technology in conservative societies?

speaker

Malahat Obaid

explanation

This explores ways to address social and cultural barriers to women’s digital inclusion.

Disclaimer: This is not an official session record. DiploAI generates these resources from audiovisual recordings, and they are presented as-is, including potential errors. Due to logistical challenges, such as discrepancies in audio/video or transcripts, names may be misspelled. We strive for accuracy to the best of our ability.

DCAD & DC-OER: Building Barrier-Free Emerging Tech through Open Solutions

Session at a Glance

Summary

This discussion focused on building barrier-free emerging technologies through open solutions to enhance digital accessibility and inclusion for persons with disabilities. Speakers from various organizations highlighted the challenges and potential solutions in this area. UNESCO’s vision for digital accessibility and open content was presented, emphasizing the need for ethical and responsible use of AI and emerging technologies. The importance of involving persons with disabilities in the development of technologies was stressed to ensure their needs are met.

Speakers discussed the role of regulatory authorities in advancing digital inclusion, noting that while regulators may have limited powers, they can advocate for accessibility and advise governments on policy directions. The need for comprehensive competency frameworks and training for educators on inclusive digital education was highlighted. Learning Equality presented their Kolibri platform as a case study of an offline-first, open-source solution designed to provide accessible learning experiences in areas with limited internet connectivity.

The discussion emphasized the importance of a multi-stakeholder approach, involving policymakers, educators, developers, and persons with disabilities in creating inclusive digital environments. Challenges such as the lack of accessible open educational resources and the need for capacity building among teachers were addressed. Participants also stressed the importance of considering cultural, political, psychological, institutional, and professional aspects when implementing educational interventions for learners with disabilities.

Key takeaways included the crucial role of regulators in promoting accessibility, the importance of openness in digital solutions, and the need to consider both digital and non-digital factors in ensuring equitable access to education and information. The discussion concluded by emphasizing the importance of inclusive design and development of technologies to serve their intended purpose for all users.

Keypoints

Major discussion points:

– The importance of making emerging technologies and digital platforms accessible to people with disabilities

– The role of regulators and policymakers in advancing digital inclusion and accessibility

– The need for capacity building and training for educators on inclusive education practices

– The potential of open educational resources and platforms to support inclusive learning

– The challenges of implementing accessible technologies in developing countries

Overall purpose:

The goal of this discussion was to explore ways to build barrier-free emerging technologies through open solutions, with a focus on improving digital accessibility and inclusive education for people with disabilities.

Tone:

The tone was largely informative and collaborative, with speakers sharing insights from their work and research in digital accessibility. There was a sense of urgency around addressing accessibility gaps, but also optimism about potential solutions. The tone became slightly more critical when discussing implementation challenges, particularly in developing countries, but remained constructive overall.

Speakers

– Muhammad Shabbir: Coordinator of IGF’s Dynamic Coalition on Accessibility and Disability

– Tawfik Jelassi: Assistant Director General Communication and Information Sector, UNESCO

– Amela Odobasic: Director of Broadcasting Bosnia

– Mohammed Khribi: Digital Accessibility Services Acting Manager, MADA of Arab states

– Revanth Voothaluru: Global Implementation Project Manager of Learning Equality

– Zeynep Varoglu: Senior Specialist in the Information and Communication Center of UNESCO

– Judith Hellerstein: Co-coordinator at the IGF Dynamic Coalition on Accessibility and Disability

Additional speakers:

– Nicodemus Nyakundi: Fellow for the Dynamic Coalition on Accessibility and Disability

– Itzel: TICET fellow

Full session report

Building Barrier-Free Emerging Technologies: A Comprehensive Discussion on Digital Accessibility and Inclusion

This discussion brought together experts from various organizations to explore ways of building barrier-free emerging technologies through open solutions, with a focus on improving digital accessibility and inclusive education for people with disabilities. The conversation was informative and collaborative, with speakers sharing insights from their work and research in digital accessibility.

Key Challenges in Digital Accessibility

Muhammad Shabbir, Coordinator of IGF’s Dynamic Coalition on Accessibility and Disability, emphasized the lack of consideration for accessibility in technology development and stressed the need for universal design principles. He shared a personal example of encountering inaccessible VR technology, highlighting the challenges faced by people with disabilities in emerging tech environments. Shabbir also stressed the importance of dialogue between regulators and persons with disabilities to address these issues effectively.

Tawfik Jelassi, Assistant Director General Communication and Information Sector at UNESCO, pointed out the specific challenges in making AI and language models accessible. He presented UNESCO’s vision for digital accessibility and open content, emphasizing the organization’s efforts to advance inclusive education through open solutions. These efforts include developing guidelines for inclusive digital learning and promoting open educational resources.

The Role of Regulators and Policymakers

Amela Odobasic, Director of Broadcasting Bosnia, brought attention to the importance of involving persons with disabilities in technology development. She argued that while regulators may have limited powers, they can play a crucial role by advocating for accessibility to policymakers and implementing accessibility provisions within existing frameworks. Odobasic also noted the need for legal mandates to address new technologies like AI.

Open Educational Resources and Platforms

Mohammed Khribi, Digital Accessibility Services Acting Manager at MADA of Arab states, discussed MADA’s work in Qatar, including their digital accessibility services and training programs. He presented the development of an ICT accessibility competency framework and emphasized the importance of the DARE Index (Digital Accessibility Rights Evaluation Index) in assessing countries’ progress in digital accessibility.

Revanth Voothaluru, Global Implementation Project Manager of Learning Equality, presented their Kolibri platform as a case study of an offline-first, open-source solution designed to provide accessible learning experiences in areas with limited internet connectivity. He detailed the platform’s features, including its ability to work offline, support multiple languages, and provide a range of educational content. Voothaluru also discussed the implementation of Kolibri in various contexts, highlighting its potential to bridge accessibility gaps, particularly in developing countries.

Teacher Training and Capacity Building

The discussion revealed a significant need for capacity building and training for educators on inclusive education practices. Khribi stressed the need to integrate accessibility courses in teacher education curricula and emphasized the importance of continuous training for in-service teachers. Voothaluru highlighted the potential of using technology to support differentiation and personalization in education, particularly in large classrooms where individual attention is challenging.

Systemic Approach to Inclusive Education

Voothaluru stressed the need to consider cultural, political, psychological, institutional, and professional aspects when implementing educational interventions for learners with disabilities. He referenced Dr. Fernando Rimas’ framework for a systemic approach to inclusive education, emphasizing the importance of addressing multiple factors beyond just technology.

Audience Engagement and Unresolved Issues

The audience raised important points, including the need to engage open-source developers in creating accessible solutions and ensuring basic education access for students with disabilities before focusing on technology integration. These comments highlighted the complexity of implementing inclusive education and the need for a multi-faceted approach that considers various perspectives and local contexts.

Key Takeaways and Conclusion

Zeynep Varoglu summarized key takeaways, emphasizing the importance of multi-stakeholder collaboration, the need for continuous capacity building, and the potential of open educational resources in advancing digital accessibility. Judith Hellerstein, co-coordinator of the IGF Dynamic Coalition on Accessibility and Disability, reiterated key points from the audience questions, including the importance of basic education access and teacher training.

The discussion concluded with several thought-provoking comments that shaped the conversation. Jelassi’s framing of information, openness, and accessibility as public goods deserving of public support provided a compelling rationale for government involvement. Odobasic’s quote from a representative of persons with disabilities challenged the perception of accessibility as a ‘special needs’ issue, reframing it as a matter of equal rights and universal design.

In conclusion, the discussion provided a rich, multifaceted exploration of the challenges and potential solutions in building barrier-free emerging technologies. It highlighted the crucial role of regulators in promoting accessibility, the importance of openness in digital solutions, and the need to consider both digital and non-digital factors in ensuring equitable access to education and information. The conversation underscored the complexity of the issues at hand and the need for continued dialogue and collaboration among various stakeholders to create truly inclusive digital environments.

Session Transcript

Muhammad Shabbir: Hello, and good morning, everyone. I am Muhammad Shabbir, the coordinator of IGF’s Dynamic Coalition on Accessibility and Disability. And I welcome you in the first session of this webinar. I am Dr. Muhammad Shabbir, the coordinator of IGF’s Dynamic Coalition on Accessibility and Disability. And I welcome you in the session, Building Barrier-Free Emerging Tech through Open Solutions, jointly organized by the Dynamic Coalition on Accessibility and Disability and the Dynamic Coalition on Open Educational Resources. I am thankful to the Internet Governance Forum for the opportunity and also to the team who have worked with me to organize this session. Just a couple of housekeeping rules. There aren’t many. First, we have amongst us some speakers. We will talk about different issues. Each speaker would have about 10 to 12 minutes for their early or initial intervention. Then we would come to the hall and online for the participants if there are any questions. People can address the question to a specific speaker or make general interventions as well. And then we would have the wrap-up by the moderators. And we would have a wrap-up, and in the end, there would be a vote of thanks. So to start with, I would invite our first speaker, Dr. Tawfik Jelassi, Assistant Director General, Communication and Information Sector, UNESCO. Dr. Jelassi will speak about overview of UNESCO’s vision for digital accessibility and open content. Dr. Jelassi, over to you. No, it’s okay, okay, okay, thank you.

Tawfik Jelassi: Good morning to all of you. Thank you for coming to this session, and let me also thank our moderator, Dr. Shabbir, but also Dr. Hellerstein of the Dynamic Coalition on Accessibility and Disability for co-organizing this important session in the context of IGF 2024. I’m very pleased with the topic that was selected, Building Barrier-Free Emerging Technologies Through Open Solutions. Clearly, this is a very timely topic, especially in the context of IGF, the multi-stakeholder approach that characterizes this global forum, but also I think it’s a timely topic in today’s digital environment. I’m sure that the session will explore open solutions and technologies, in particular, to help barriers and foster inclusive digital spaces. We all know that emerging technologies such as artificial intelligence and generative AI are drastically impacting the way we approach education. When we pair open educational resources with these technologies, the impact can only be transformative. What’s us? What type of learning value can we deliver to pupils and to students? And here I can say something from my more than three decades being a professor and dean and then minister of higher education. I think the new technologies of today with open educational resources give us the opportunity, maybe unique opportunity, to deliver personalized learning value so learners can adapt to the content, to their pace, to their style, sometimes even choosing their preferred language to get access to knowledge. The second key element beyond personalized learning is enhancing accessibility. We can here think as an example of visually impaired students. How can they navigate textbooks? I can help translate text speech and facilitate graphics. This is very important in terms of accessibility, especially for persons with disabilities. The third, I think, major transformative dimension is how to expand localization.
And when we talk about today’s world, of course, it’s borderless, it’s global, but also I think technology can help us have relevant value-added content that is culturally relevant. And this is very important nowadays. However, this technology, especially when I say artificial intelligence, tomorrow quantum computing, they have to be used in a responsible and ethical manner. And I want here to mention the landmark recommendation by UNESCO back in 2021 on the ethics of artificial intelligence, a recommendation being currently implemented by more than 60 countries worldwide. So the ethical use of AI is a major challenge for everybody. We need to combat existing biases. If I take the gender-related biases, you know that in some of these gen AI large language models, there are many biases that depict women in domestic roles, and there is an association of women with family, with children, with households, while men related to men are more linked to business career. So obviously what we have seen from our studies at UNESCO is that large language models in generative AI not only replicate online the gender biases that exist offline, but they even amplify them. It’s obviously a very dangerous. Second dimension besides the gender bias is that we were reminded two days ago at the opening of this activity, and therefore they don’t benefit from any digital literacy. This is obviously a major challenge as well. The third is representation in AI systems. 40% of the world’s population lacks access to education in their native language, and therefore they are being excluded. very important and we need to tackle it as well. 
So these are challenges but of course we have to take stock of some accomplishments, whether it is in terms of enhanced accessibility, whether it is in terms of access to open educational resources which are universally available through digital platforms, and here I want to mention a major outcome of the UNESCO Third World Congress on Open Educational Resources that took place last month in Dubai, and the Dubai Declaration which was endorsed at the end of this major event very much calls for a commitment to advancing inclusive education through open solutions, and this is very important I think to take stock of. This is in line with the 2019 UNESCO recommendation on Open Educational Resources by 193. So a pledge was made in Dubai last month to increase the reach of inclusive education platforms by 25% by 2030, so this is an ambitious goal but hopefully through collective efforts we will achieve it. And let me mention here also the UNESCO revised guidelines for people with disabilities in online and distance learning. These revised guidelines offer a comprehensive roadmap to create open educational resources and digital platforms that can serve diverse needs of learners. Let me try to conclude here by saying that this session this morning is for a range of ideas, hopefully it is a springboard for change. It’s all in this context. Us as educators, we can advocate for open education resources that are tailored to local needs. Policy makers can ensure internet connectivity, bridging the digital divide, especially in areas. And thirdly, developers can design technologies from the outset. Let’s recall Joseph Stiglitz, who said, information is a public good. And as a public good, information needs to receive public support. I think the same is true for openness and accessibility. And this requires, obviously, a collective commitment by all. Let me assure you that UNESCO is unwavering in its mission to ensure that no one is left behind in the digital age.
We should, together, seize this moment, not just to envision change, but hopefully to make it happen. Thank you.

Muhammad Shabbir: Thank you, Dr. Tawfik Jelassi, for these welcoming remarks, as well as the enlightening vision of UNESCO and how UNESCO is contributing in making digital environments accessible through open resources. Our next speaker, Lydia Best, was supposed to be online. But unfortunately, we received a message from her this morning that she fell ill, so she cannot contribute. So we wish her best and good recovery. Next, I will be speaking about challenges and solutions into addressing accessibility barriers in emerging technologies. And this is a topic when, as I, myself, a person with disability, encounter and interact with emerging technologies, there are a number of challenges that come in the way. And it is really unfortunate that the technologies that are coming up these days, they carry a huge potential to facilitate persons with disabilities. But due to certain barriers in the development, in the planning or execution of those solutions, those emerging technological solutions, that when they come to people with disabilities, they encounter certain barriers. And before I move forward, I would like to give a personal example. Some years back, I happened to encounter a wonderful VR solution, headset with some specific solutions. But when I tried to use that, it was, we found that it was only applicable or activatable through vision or touch. And it did not have any visual features. I’m not sure if the latest VR or AR systems, they do come with these kinds of assistive technologies or solutions. But it was about two or three years back. I believe it was in the end of 2021. So we might have those solutions. But unfortunately, some sort of developers, when they start developing solutions, they either forget, either are unaware of, or sometimes they feel it convenient to disregard the accessibility considerations.
There comes a lot of sessions like this, and this session is a remembrance that disability, as UNCRPD, the United Nations Convention on the Rights of Persons with Disabilities, says that disability occurs when impairments in persons interact with the societal barriers. And this way, I would say disability is not specific to me or any specific group. It is cross-gender, cross-geographic boundaries, cross-race, cross-religion, and cross the boundaries of developed and developing world. So, any accident, any natural or man-made disaster, or any illness, just by passing off time as we age, this disability can catch us. So, whether you are a policymaker, whether you are a developer, where decisions are being made, you need to ensure that the technologies that are being developed are developed inclusively, and inclusively following the design of universal access or universal design, so that when, if today, we need it tomorrow, it may happen, we won’t push it on anyone, but it may happen that you may need it, and you may find that technology was inaccessible, and the time has passed to take the decisions. There are AI technologies in the system where we are using the technologies, but persons with disabilities are found neglected in the development of those technologies. JGBT and other LMS systems, they certainly provide certain accessibility issues. I would not talk about their biases against disabilities. That’s another topic and not the subject of this session, but we need to consider how they interact with people with different kinds of disabilities. There aren’t any sign language interpretation, for instance, coming with these kinds of solutions or platforms. Similarly, when different banks and different financial institutions, they develop their applications. They develop in a way that makes them secure. They make the websites and the apps inaccessible for people with disabilities. Same is the case with the learning management systems, LMS. 
I have encountered a number of LMS in Pakistan that are provided through international providers and the local providers as well. That when the students and teachers with disabilities, when they interact with those kinds of technologies and LMS, we found that those technologies were developed without considerations of people with disabilities in mind. So what is the solution then? The question comes to mind. What is the solution? The solution is definitely, number one, the developers need to be aware of the standards that are internationally available to make the solutions and platforms accessible for people with disabilities, such as Web Content Accessibility Guidelines, the stable version is 2.1. And more as we move along and more and more technologies are coming out, these standards are also being evolved. So the developers need to know this. The policy makers need to consider the policies that the development phase, the research phase and the execution phase. All phases include persons with lived experience of disabilities and testing them that these developments and technologies are being developed, accessible and inclusive for everyone. I will stop here and give the cue to the next speaker who is online again. And we will keep discussing this and more topics related to accessibility. But my next speaker is Amela Odobasic, Director of Broadcasting Bosnia. And Amela shall be speaking about regulatory frameworks and policies for accessible digital technologies. Amela, the floor is yours.

Amela Odobasic: Thank you very much, Dr. Shabir. Greetings to all of you from Bosnia and Herzegovina. I would have preferred to be in Riyadh with you, but unfortunately I was not able to. So let me first say that I’m extremely sorry that Lydia Best could not join us because she is such an expert in this field. But however, Dr. Shabir made an excellent introduction into the topic. Let me first say that I am not going to talk only from the perspective of the regulatory authority, but I’m also a co-rapporteur for the question on ICT accessibility for persons with disabilities that is being discussed within the International Telecommunication Union. And I have been involved in the topic for the last, well, since 2014, so it’s quite a long time. So I will definitely touch upon and tell you on what are the biggest challenges when it comes to policy makers and their efficiency or lack of efficiency in the area of creating policies, legal and regulatory framework. But I will also, if you allow me, refer to some of the global practices and perhaps convey what are the biggest challenges that members of the International Telecommunication Union are facing. So, as was previously pointed out, there is no doubt that in our contemporary era, as the digital revolution continues to gain momentum, the profound global impact of information and communication technologies is undeniable across all sectors. And this is something that within the question that I just mentioned, at the International Telecommunication Union, we always stress that the topic on ICT accessibility. disability cannot be singled out. We cannot look at this topic in silos. It should be looked at within a holistic approach. So, Dr Shabir already touched upon the challenges that persons with disabilities are facing. And they’re numerous, believe me, whichever country you look at. 
So, at the same time, you see, it’s quite interesting to see when, for example, during our meetings at the ITU, we have in the same room at the meetings, representatives of persons with disabilities as well as the representatives of the policy makers, the ministries, the regulatory authorities, other governmental topics. We also have industry. We also have a disabled society. We also have academia, etc. And it’s really, it’s quite, it’s not easy for us who are coming from the policy makers’ area, from the government’s area, really, to face all the challenges that persons with disabilities are facing. And as I said, I mean, there are many. First of all, the biggest challenge that persons with disabilities are facing in the, especially even, I mean, 10 years ago, that the barriers were even more solid and bigger. And that has considerably changed within this period. Nowadays, persons, even persons with disabilities, they became, the associations, I mean, they became more organized, more up front. For example, in Bosnia and Herzegovina, in particular, we encouraged associations of persons with disabilities to be a little bit more, a little bit more, you know, more organized, to be a little bit more, you know, more, you know, loud in advocating for their goals and in advocating for the, you know, going towards the government and really demanding that their needs have been made. And I will just say that during one meeting, you see, we always quite like to refer to this topic that persons with disabilities have their specific needs. And I will always remember that one of the representative or one of the associations of persons with disabilities said once, he said, well, look, our needs are the same as yours, okay, who do not sort of like fall into the category of the persons with disabilities. So we do not have specific needs, our needs are the same to have access to information, access to communication, et cetera. 
And this is the only thing that we are really asking for. So the first step, persons with disabilities, as I said, I mean, the government, not only the persons with disabilities, but even the government should be open to have a dialogue, to listen to the problems that persons with disabilities do need and the problems that they have and try to do their best in order to accommodate them. However, you see, we always think that the governments are very sort of like closed bodies, they’re closed authorities that are not allowing access to external parties. For instance, we at the Regulatory Authority of Bosnia and Herzegovina, I personally, because I gained all the knowledge at this working group of the International Telecommunication Union from the another lady, Andrea Sachs, and many, many other experts.

Muhammad Shabbir: So, I was personally very adamant that the government, first me as the regulatory authority and then the policy maker, should listen to persons with disabilities. So, the most important thing is not only to have that dialogue, but the most important thing is really to implement, to fulfill all the preconditions in order to make services accessible. Available and affordable, most importantly, to persons with disabilities. So, my personal view is that I always insisted that the implementation of the guidelines, of the standards, of good practices, and there are plenty of them and they’re all outlined in the report that are available on the ITU website under the Bureau of Development, in the Bureau of Development section. So, there are so many good practices that can be replicated, that can be adjusted to our environment, you see. So, there is the governments, for example, the policy maker, we create regulatory framework, excuse me, but what are the governments usually going to say? For example, now we are talking about artificial intelligence. The government is going to say, well, sorry, we can’t really, for example, in Europe, there is a body, there is the European Union, countries, members, Bosnia and Herzegovina and other six countries all together from our region, we are not members of the European Union. However, at the level of the European Union, there is a very distinct legislation that is being developed and implemented in the countries of the European Union. 
So, in the countries that are not members of the European Union, Union the governments will always sort of like find excuses and they will say well look we are not members so therefore we cannot implement because it’s not obligatory in the sense that let’s say European Union is going to follow and monitor our work and this is basically the role of the regulators authority that is crucial because regulatory authorities although they government linked to the government but we are expert bodies okay our job is really to follow what is happening internationally to see what are the good practices to talk to all the interested parties in this case with persons with disabilities and to try to do our best to through the development of the regulatory framework okay to implement the provisions and to impose certain obligations okay I mentioned in the light of the artificial intelligence at the level of the European Union for instance there is the the law on artificial intelligence has been adopted and put in force as of May this year so inevitably we as the regulator we can follow what are the provisions that are referring to the digital inclusion all together because we are also I mean in this as we said in this global digital revolution we are moving away from singling out only ICT accessibility but putting it in the context of the digital inclusion because that’s the only way you know that that we somehow respond adequately to this cross-cutting topic okay so for example the in our country and in many others like in many other countries in Europe so what we can do for now we can follow the development we can follow the good practices and see if there are any provisions that we can already put in our regulatory framework. Inevitably for that, the regulatory authorities should have legal mandate to do that. 
However, in most of the countries we do not have legal mandate because even artificial intelligence is such a brand new topic for the regulatory authorities to deal with. However, what the regulators could do, they could follow the topic, they could see what are the good practices and then they could perhaps develop some recommendations

Amela Odobasic: or guidelines for our licenses wherever relevant and try to sort of like impose that as a non-obligatory measure somehow, which can maybe a little bit contradictory. But in that way, what the regulators could do, they educate, they raise awareness, they share knowledge and then at the same time they encourage, let’s say, their licenses to get more involved in the topic. However, at the same time, the regulatory authorities could establish a dialogue with policy makers and then they could advocate that certain provisions should be put or the government should create the laws and certain provisions should be put in laws and encourage the government that in the process of public consultations, persons with disabilities and other interested parties are involved in this process, that their comments are very clear and to make sure that they are implemented in the best possible way. So, this as we could see, this is all. process. Okay. However, it may look, it may look as a very complicated process. Okay. But still, it is possible to do a very specific, to have a very specific results in practice. Okay, I’ll tell you when I first, when I was first, I started to get involved with this topic, when I came back to Bosnia and to my, to the regulatory authority where I work, I was, I was literally confused. And I was sort of like thinking, how can I make the first step? Okay. And a few years later, we managed to have the full, for example, I, we try to identify what is the biggest challenge. Yes, you need to wrap up, please. Okay. So I will cut across with the, I will cut, cut out this practical example. So let me just wrap up and to say that, yes, this, the topic is very challenging for the, for the government. However, we, I believe that all stakeholders, as, as Dr. Shabir already pointed out, should join in their efforts. Okay. Advocacy efforts are extremely important. 
We should look at it as a cross-cutting topic, and we should really advocate towards the policy makers in this sort of like joint way. So I’ll stop here. If there are any questions later on, I will be available. Thank you.

Muhammad Shabbir: Yes. Hello. Hear me? Okay. Thank you very much, Amela, for your great intervention. Surely, our audience and I do have some questions to ask you. But the unfortunate responsibility as a moderator includes cutting across speakers when they are exceeding their time limit. Our next speaker is from Qatar, Dr. Mohammed Khribi. He is the Digital Accessibility Services Acting Manager, Mada of Arab states. And he will be talking about innovations in accessibility services in the Arab states region. Dr. Mohamed, the floor is yours.

Mohammed Khribi: Okay. Thank you so much. Good morning. Hello, everyone. It’s a pleasure to be here at the internet in the IGF forum 2024. You know, 20 years after I first participated in the WSIS summit in Tunis back in 2005. You know, I participated in the summit representing at that time my university, the virtual university of Tunisia. Today, I’m honored and pleased to represent and privileged to represent the organization to which I belong, Mada, or Qatar Assistive Technology Center, where I work as acting director of the Digital Accessibility Services. But you know, I’d like to like define myself informally, just saying that I’m a passionate advocate for open and inclusive digital education for all. Initially, I have prepared the presentation to shed light on Mada’s contributions to bridging the digital accessibility gaps. But you know, the setting, but it doesn’t, you know, fit to the setting to our panel yesterday. So I’m going to just talk rapidly about my organization and shed light on, you know, some of the Mada flagship projects in terms of digital accessibility, with the ultimate goal to empower people with disabilities accessing technology in order to live independently and participate in all aspects of life. But let me first get back to what has been said by Dr. Mohamed, actually when he explained it and he focused on how we need to address disability and how to focus on the accessibility barriers that prevent people with disabilities to access technology. So you know disability is often misunderstood, or let me say it’s not only defined from the medical or the charity or the special needs perspectives. In my view, I think we need to focus more on the interactions between persons with disabilities and the barriers preventing them to, you know, avail all digital services and opportunities. And our work is to enhance access for them, is to, I will not say remove these barriers, but at least reduce these barriers.
So this is what we are doing in our organization at Qatar Assistive Technology. We are trying to enhance ICT accessibility in Qatar and beyond. Let me rapidly say a few words about Mada. So, Mada, it’s a non-profit organization founded in 2013. At that time, under the Ministry of Communication and Information Technology, now we shifted like two years ago to the Ministry of Social Development and Family. As I’ve previously said, we are focusing on enhancing ICT accessibility for persons with disabilities in Qatar and beyond. And we are working closely with all the stakeholders involved in the field of digital accessibility in order to innovate and to create and develop and offer innovative digital solutions for all. We are offering in Mada a wide range of digital accessibility services, as well as programs and activities. We are conducting a research agenda dealing with ICT accessibility and assistive technology. We are leveraging emerging technologies, like artificial intelligence, in order to develop digital solutions for people with disabilities. Let me talk a little bit about the digital accessibility services that we are offering. Basically, the services are around three pillars. The first pillar is the ICT accessibility services. So, we are partnering with local entities, whether governmental or from the private sector, to enhance the accessibility of their existing digital platforms. websites, web-based applications, kiosks and ATMs, mobile applications, etc. So we are counseling, like consultation sessions with these users, in order to let them make their digital platforms accessible. We are preparing auditing reports in order to check these websites and help them to make these websites accessible. We are offering accreditation services to these users, so that we can make sure that their solutions are fully accessible for persons with disabilities. We are offering also assistive technology services. 
We have assistive technology assessors that are making assistive technology assessments for persons with disabilities in order to identify which assistive technology solutions or devices that fit better their specific needs. And based upon the assessment, we ensure the provision of assistive technology devices and solutions for persons with disabilities. Based upon our internal policy of AT provision, and also based upon key priorities, like the areas, key strategic sectors that we are focusing on, for example, the education sector, the employment sector and the community sector. We are offering also a one-on-one training session for persons with disabilities to help them use the assistive technology that we have provided them with. We also offer continuous support. for them in order to make sure that the assistive technology devices and solutions are kept to their needs. And last but not least, we are offering also training and capacitive services, not only for persons with disabilities, but for all the stakeholders in order to foster the ecosystem. So we are delivering sessions for, like, teachers from the education sector, from the Ministry of Education, from universities, and also for web development in order to make sure that we are developing and designing digital solutions that are fully accessible and aligned with the standards of accessibility. Our training services are delivered, like, in different training modalities. We have face-to-face training workshops, we have online training courses, and we also conduct, like, blended learning experiences through our mega-academy initiative, based on, like you said, Dr. Muhammad, the learning management system that we’ve developed in order to even cater to the needs of everyone, including persons with disabilities. The second part, I’d like to shed light a little bit on the academy projects that are happening in the U.S. 
The first pillar is dealing with… The second is the… accessible, open and accessible training materials. So first of all, I would like to take this opportunity to record that those of my studies that I have been involved in, the key findings of this study are that there is a lack and there is a lack in terms of ICT accessibility and also there is a lack in terms of accessible open educational resources and there is like no existing common competency framework that covers all the required competencies around the topics of ICT accessibility and input design. My mic is not working. There is an interruption, right? Okay. But let me first maybe recall the main motives that drive us, you know, working on this, on this, let me say, proposals. You know, the DARE Index, the Digital Accessibility Rights Evaluation Index, it’s a benchmarking tool developed by G3ict organisation, you know, initiative of inclusive ICT organisation, that aims at tracing the progress of countries in terms of offering accessible, digital accessible services. In the DARE Index, the edition 2020, Qatar has been ranked first, with a score of 89 out of 100. However, there are many domains in the DARE Index that need more endeavor and more work in order to enhance access for people with disabilities to these different sectors, like the ICT and education from oil sector. And the key findings of the DARE Index report is that there is a lack of ICT accessibility competencies and expertise all over the world. There is also a lack in ICT accessibility courses. This means that students basically, in the field of the major, in the discipline of computer science or IT, continue to graduate without having any competencies or skills in the field of digital accessibility. Also, employees that want to build their capacity in the field of digital accessibility, visibility and inclusion, they cannot find professional training or education services to learn more about these topics.
Okay, and the most important thing is that the colleges of education want to include in their curriculum topics around inclusive digital education or digital accessibility to let them be able to create and develop accessible digital content. So, based on these key findings, we proposed the ICT App Competency Framework, which is a comprehensive competency framework covering all the required competencies in the field of ICT accessibility. So, there are six competency domains in this competency framework, dealing with how to create accessible digital content, how to create accessible web content, how to become familiar with visibility and accessibility, and other competencies. So, from the one to the six, there are six competency domains. Then, we developed also a common repository hosted on the OER Commons platform. It is called ICT App OER Competency Framework, in which we are gathering all the accessible open educational resources around the themes of ICT accessibility and inclusive design. And we are using these open educational resources to conduct training workshops and to provide continuous online learning. experiences. OK, I got to stop now, I think.

Muhammad Shabbir: Yes, thank you very much, Doctor. And it is indeed a pleasure listening to your work and the kind of activities that you have been doing. It’s Mada Arab organization is doing a lot of wonders in the region. At least I was not aware of this work, so it was really enlightening listening to you. So the next speaker, ladies and gentlemen, is Revanth Voothaluru. I’m sorry if I’m pronouncing the name wrong, so please forgive me for that. Revanth is Global Implementation Project Manager of Learning Equality and shall be speaking about Open Content Platforms for Inclusive Education, the case study and insights. Revanth, the floor is yours. Revanth is online.

Revanth Voothaluru: Thank you so much, everyone. It’s wonderful to be a part of this. And sorry I couldn’t join in person. I’ll very quickly start sharing my screen. Wonderful. Good afternoon to everyone once again. And my name is Revanth Voothaluru, and I am joining from Bangalore, India today. I’ll be talking to you about how my organization, Learning Equality, is creating barrier-free emerging technologies through open solutions with a specific focus on equity, inclusion, and accessibility. The colleagues who have spoken before me have extensively covered about the challenges that exist and have discussed many different ideas. I’ll be talking about how some of this specifically comes alive in the work that we do at Learning Equality. Yeah. So I think in the world today, there are 2.6 billion people who remain offline and are unable to participate in the digital learning revolution. And more than 70% of the learners are unable to read even a basic text. And this paints a stark picture of the global learning crisis, right? And unfortunately, the learners who are most affected by the crisis are often the ones who also lack access to digital resources. And what that does is it further widens the gap in learning opportunities for these learners. While we know that tech is not a silver bullet solution, we believe that it’s a strong means for addressing some of these gaps. And I think, yeah, and we build at Learning Equality, we build and maintain Kolibri, an open source software solution designed to provide offline first teaching and learning experiences. Kolibri is free to use and openly licensed and is equipped with over 200,000 open educational resources or OERs as a part of our library, which covers a wide range of subjects and learning needs. And for those of you who may not know what open educational resources are, these are openly licensed materials that can be reused, redistributed, and even repurposed depending on the license.
And Kolibri serves as a platform that hosts such resources. We also provide support to educators through our platform to differentiate learning and personalize learning. And there’s also features to collect granular data from the learner’s performance, which will further help in facilitating for differentiation. And all of this is enabled by a comprehensive do-it-yourself toolkit with detailed guidance materials to empower individuals and organizations to implement Kolibri independently without relying on Learning Equality support. And Kolibri is versatile and adaptable, working with a wide range of hardware models, all the way from older and low-cost devices like Raspberry Pis. And it also supports diverse pedagogical approaches, including self-learning, group-based learning, whole-class instruction, while blending technology into the learning environment. Aligned with a focus on equity, we also ensure that our products are compliant for people with disabilities. We work to continually improve the user experience for everyone while adhering to the relevant accessibility standards, and we keep adding new features consistently. The Kolibri Learning Platform is partially conformant with WCAG 2.1 Level AA. While the platform is accessible, many OERs still do not adhere to accessibility standards, and I think Dr. Shabbir spoke about this when he was presenting. Most of the OERs do not adhere to accessibility standards, which prevents them from being useful for learners with disabilities. As one of my colleagues says, it’s like you build a big door, but nobody can get in from there. That’s what it feels like when you work with Kolibri and make it friendly for users with disabilities. But the content that is inside is not thoughtfully designed, and that’s a challenge that we often face. And in addition to that, Kolibri also supports use of assistive devices, but many of these devices are cost-prohibitive in underserved communities where we work in.
And some of these challenges continue to hinder our efforts in equitable access to learning materials, but we keep doing everything that we can to make this more and more accessible for learners with disabilities. And some examples of what this looks like is to ensure accessibility, we focus on multiple features, such as making all text functional, screen reader compatible, and resizable up to like 200%, while some videos also include sign language and captions. And links that are included in Kolibri are designed clearly to indicate the purpose that they serve. And all of these features make Kolibri beneficial for a range of contexts and learners around the world. And through our organic adoption and strategic partnerships, Learning Equality reached over 10 million learners across 220 countries and territories. And Kolibri also adapts to various implementation models, depending on the unique context and needs of learners, right? Kolibri can be implemented in several ways. For self-paced learning through an application, for group settings, enabling collaborative learning, and hybrid learning models as well where learning occurs across multiple different locations. For example, learners can visit a central location connected to a Kolibri server, receive lessons and quizzes chosen by an educator, and then continue learning independently at home. And when they’re back at the central location, their data seamlessly syncs, so an educator can make informed decisions for learning journey, all without the internet. And this flexibility showcases the power of thoughtfully designed technologies, ensuring that the products are tailored to the real-world challenges faced by learners and educators in underserved communities. And additionally, to touch upon a little bit around our work with emerging technologies, to ensure that the technology can be used meaningfully, we believe that it’s crucial to make the relevant quality materials available as well.
And we have been leaning into a new process that leverages advancements in generative AI and machine learning algorithms based on years of data collected through manually organizing digital content to curricular standards. As a result, we have developed a new holistic process that creates sets of curriculum aligned to digital resources by dramatically reducing the resources needed for an otherwise labor-intensive and knowledge-intensive process. And we’ve been piloting this across three countries and two languages. And in one of the projects that we did, we successfully mapped 6,500 content items to over 2,000 learning objectives and reduced the time spent for this process from months to a couple of days. And to quickly, before wrapping up, I wanted to share an example of what Kolibri usage can look like in a school setting. So let’s say there’s a student, imagine that there’s a student called Angela, a student at a school where internet access is limited or unavailable. Angela’s school administrator receives a USB key preloaded with Kolibri and digital learning resources. And they install that on a school’s existing laptop, which is then used as a class server. And Angela accesses the pre-curated content on a tablet, exploring lessons aligned to her curriculum. And as she progresses, her teacher can view a detailed report that highlights Angela’s strengths and areas where she’s struggling. And this enables the teachers to provide targeted support, recommend additional resources, and help Angela overcome challenges to succeed. And meanwhile, Angela’s school data is recorded locally, and when possible, it gets synced centrally. This allows the program administrators who are remotely located as well to analyze reports and make iterative improvements in the program. And here’s the most powerful part, which is everything happens seamlessly even without internet connectivity.
And this is how Kolibri brings impactful learning to students like Angela, who may not have internet accessible. And to close out, I think at Learning Equality, just like all of you, we also similarly want the world to be connected, but we know that the process is stagnating, right? Like even when there is connectivity, it may not be consistent or reliable enough to support classroom instruction. And hence, based on the work that we do, there are a couple of calls to action that I wanna invite you to hold on to. And in your work, I encourage you to consider the tech tools that you’re using and their reliance on connectivity. Who is left out when the internet is not available? That’s a question that I want us to think about. And if you’re advocating for use of emerging technologies like AI, is it being equitably used? And how can it be used as a tool for backend processes that enhance teaching and learning for everyone? Because not everybody can be able to afford technologies that support personalized learning through AI, right? And if you’re developing content, the question is how are you ensuring that the contents created are accessible for all? And I hope that you will consider equity in a new way as a result of this presentation and the examples that we shared through the work that we do. And I invite you to connect with me to discuss more about how we can strive to strive for equity in learning, enabled by edtech, even when internet is limited. Thank you so much for this opportunity and I’d be happy to answer any questions that might yeah that that come up.

Muhammad Shabbir: Thank you very much for your very insightful comments, case studies and then wrapping up in promptly in time. So thank you very much once again. So before I open the list of my own questions, I would like to see if there are any online questions or someone wants to interact or ask questions from the participants presented here.

Audience: We have an online question. Can you hear me? Is this working? online question and the question is how many other in many countries in Africa persons with disabilities have disabilities. They may be slower learners or they may require different types of learning environment and oftentimes the teachers are not as knowledgeable about how to teach persons with disabilities differently. I know with people with autism and people with dyslexia there’s other different ways of teaching and what can we is there something that we can do that can help provide more training, more capacity building.

Muhammad Shabbir: Is the question directed to a specific speaker? We’ll direct it to either Dr. Shabbir or Mohammed. Or Learning Equality or to you the last speaker. Dr. Mohammed, or Revanth, do you want to take a chance or should I? I’m happy to take, go ahead. I think I can give chance to Dr. Mohammed and then if Revanth wants to add in.

Mohammed Khribi: Yes, thank you. Thank you for the question, it’s certainly very crucial. As I previously said in my speech that, here, you hear me all right? Okay. It’s okay, yeah. When it comes to offer like inclusive learning experience, there is, you know, lack in terms of, you know, capacity building for teachers. Their knowledge and their competencies around the topic of inclusive education, how to deal with learners with disabilities, how to prepare like digital education content, which is like fully accessible for people with disabilities. So this was also part of the key findings of, as I’ve mentioned previously, of the Derenbeck’s report. So how to tackle that? I think there is a need that universities, especially colleges of education, there is a need that they integrate in their curriculum courses dealing with accessibility, disability, inclusive education for all teachers, not only for those who are, you know, registered in the special education discipline. For all teachers, there is a real need to build their capacities in terms of digital accessibility and inclusive education. One way to do that is to invest in the continuous training of teachers in service training. So, we need to collaborate. We need a multi-stakeholder approach. We need to collaborate with all involved parties in order to build the capacities of in-service teachers in terms of how to deal with learning disabilities in an inclusive education perspective. We at MADA are doing a lot in this perspective as we are collaborating internally with the Ministry of Education and with local universities and we are offering many training workshops around the topics of digital accessibility and inclusive education.

Muhammad Shabbir: Thank you, Dr. Mohammed. And instead of going to Revanth, I think I need to ask this question to Dr. Tawfik Jelassi. Since UNESCO is… Okay, so I think Dr. Jelassi left due to his own commitments. So, Revanth, do you want to take a shot on this?

Revanth Voothaluru: Absolutely. Thank you so much, Dr. Shabbir. I think one of the things that I often think about to build off of the response that was already shared is when you talk about supporting learners with disabilities, teacher capacity building is definitely one of the big ways to go about it. And I think to support it, specifically strategies like differentiation and personalization play a crucial role. But when we are talking about developing countries or global south, the classroom sizes are huge. So that’s where I think technology needs to be effectively leveraged in terms of… just getting that data about learner performance and differentiating support using that data so that each learner gets their own, you know, like learning materials that they can engage with. And the teacher is playing a role of like correcting their misunderstandings, clarifying and all of that. And learners can engage with learning at their own pace, which is what is useful for learners who sometimes struggle with certain aspects of learning processes, right? And I think the other point that I also want to add is when I look at problems like this, it’s important to approach it from a more systemic lens. And there is this particular framework that Dr. Fernando Rimas from Harvard recommends. He says, you need to look at any education intervention through five different perspectives. It needs to be cultural, political, psychological, institutional, and professional. I think even for something as simple as providing teachers with the tools to cater to learners with disabilities, there are all of these five things that need to come together so that it’s effectively delivered. I think those would be the two ways in which I would respond to the answer. It’s not an easy solution, but it’s a solution that can be thoughtfully implemented is what I would say.

Muhammad Shabbir: Exactly, I understand. We understand that there aren’t any easy solutions and search for easy solutions is not always the good one. So no matter how difficult we have to adopt these solutions, if we truly want inclusion and participation of all. So Judith, if we have a question online and if they are available, if they can ask the question by themselves. No, we cannot do that, sorry.

Audience: Okay. This question is directed to Amela and it should be the role of regulatory authorities in advancing digital inclusions for persons with disabilities.

Amela Odobasic: Thank you, Judith. In my intervention, I already, I think, responded to that part of what is the specific role that regulatory authorities should do. However, I would just like to repeat again. that regulators cannot take steps and go ahead in front of the policy makers and governments. However, as expert authorities, as expert bodies, regulators should gain necessary knowledge on the particular topic and then they should really do as much as they can in advocacy effort towards the government in order to achieve the goal. However, there was one activity that I did not mention in my intervention and it’s also equally relevant for the regulators and that is to tailor the activities that they implement under the umbrella of media information literacy, in particular in light of digital literacy, producing researches, mapping the challenges, gathering all these stakeholders together and trying to achieve as much as possible, especially about what was being said when it comes to education. You see, for example, in Bosnia and Herzegovina, the education system is extremely complex and it’s usually also like any changes in that particular area, they take a long time. However, considering the target that the children and minors should be really, should receive necessary support in as much as possible, I mean, so that they can progress in their development without boundaries, the regulators should focus also their activities on media and information literacy and touching, discussing on accessibility and digital inclusion, particularly, I mean, that is something that we do in Bosnia and Herzegovina, but again, that would be another topic.

Muhammad Shabbir: Thank you, Amela. I think I would just want to add a couple of points into your intervention, really the great one, but with a little bit of differentiation to the point that regulators do not have the sort of powers or authority of policymakers. Yes, they do not, I understand that, but what the regulators can do, and this we have been doing in Pakistan as well, with both the telecom regulator and the banking regulator on both sides in terms of digital accessibility, we have been feeding them information about and we are training them about the activities, abilities, and requirements of persons with disabilities. And in turn, because one role of the regulator is they are the specialist in their own area and they feed the policy input to their governments. So what they can do is they can advise the governments to guide the governmental policies in the right direction. And when the policies are made, then it’s the job of the regulator to ensure that they are implemented. So that’s the crucial point where the role of regulator comes in.

Amela Odobasic: I absolutely agree with you. However, you see, I was only sort of like looking at the role of the regulator as a link between, you know, towards the governments. However, the regulators can and they definitely must do as much as they can in order to implement the provisions in their regulatory framework, you see. For example, that is what we did in Bosnia and Herzegovina. We detected that when it comes to TV accessibility, for example, that the percentage was extremely low. So what we did, we completely changed the provisions within the regulatory framework. We did not need a government, a new law for that. And we introduced quotas and considerably improved that area. So, yes, I absolutely agree with you. The regulators can do a lot. And this was just one example.

Muhammad Shabbir: Yes. Thank you very much for that. Thank you. Any in-person participants want to contribute?

Audience: My name is Nicodemus Nyokundi. I’m a fellow for the Dynamic Coalition on Accessibility and Disability. First is to Nela. I think I’ll comment that what she said on that disability needs are not specific needs. They are specific needs like any other person. And so in tackling such, we should be aware that anybody may be in need of such accessibility needs to engage. Accessibility and inclusion, in this case in the education sector. I wanted to add on the learning equality platform that the approach also should much focus on the trainers. Because I remember, I’m from Kenya, and I remember a previous government administration had a digital program for the education sector where they issued laptops. They ended up this way. So it was implemented. I feel like I passed on. Okay, sorry, sorry. Okay, I’ll You can actually focus on educating the and offering assistance to so that they are.

Muhammad Shabbir: Thank you, Nicodemus. I think there isn’t any question. Unless we have any questions, we can move to. OK. From the audience, so yes, and quickly. Very quickly.

Audience: It was more of a comment, actually, to the moderator. What attracted me here was the wide open solution. And you talked a lot about developers, and I’m one. And that is what I think is very important in this talk. Because it’s the developers who are going to build all these solutions. We are talking about what should be default, how it should really work. So I’d like us to always engage this open community, because that is how we can easily embed all these beautiful softwares and concepts into each and every digital platform. That was my comment. Thank you.

Audience: My name is Itzel. I’m one of the TICET fellows. I don’t have a question. It’s more like a comment. I think that the education for people with disabilities is a common challenge in all the countries. And probably before we think about technology and access to the internet, we should make sure that all students with disabilities have access to basic education. Because in case of Mexico, that’s something that it’s not happening. And how can we think about inclusive education when the system and the governments refuse to invest in the development of people with disabilities. Because that’s what’s happening in Mexico. We only think, they speak a lot about inclusion, but it’s just what they say. It’s not happening in the reality.

Muhammad Shabbir: Thank you very much for the comments, both by Nicodemus and Itzel. I am sorry to have this unfortunate duty performed once again. We cannot take any more questions because it’s the time to close and wind up the session. So for the key takeaways from the speakers and the discussion, I would like to request Ms. Zeynep Varoglu, who is the senior specialist in the Information and Communication Center of UNESCO. So I would request that you give us a brief summary of the key points from the speakers. Ms. Zeynep.

Zeynep Varoglu: Okay. I think the key takeaways we can walk away with are that, first of all, we talked about the importance of governance and the role of regulators in ensuring that there is equality and equity in access to information and to learning. And second of all, the role of openness has been underscored and the role of stakeholders in terms of governments and in terms of educational institutions has been underscored. And a third point that we’d like to just underscore is the fact that what we’re talking about here is not the – it’s not the – there are other factors that are involved in terms of education and in terms of access to information and to learning that has to be taken into account, which are not digital, and that play a very big role in ensuring that there is actually movement in this way, but technology is an important factor, and when technology is done, it’s important that it’s done inclusively, it’s done with persons with disabilities also guiding the way and making sure that they are part of the process of the development of these technologies to ensure that they are actually serving the purpose that they’re supposed to serve. If I may, I’d like to just give the floor back, Shabbir, but to thank also the speakers on behalf of UNESCO also and also underscore the importance that we thought of having a joint cooperation of the two DCs in this meeting because of the complementarity and the richness that comes from the discussion. So with that, I give the floor back to you, Dr. Shabbir.

Muhammad Shabbir: Thank you very much, Zeynep, and last but not the least, I will now pass on the floor to Judith Hellerstein. She is my co-coordinator at the IGF Dynamic Coalition on Accessibility and Disability for the summary of key takeaways from the discussion that we just had after the speakers and the vote of thanks. Judith.

Judith Hellerstein: Thank you so much, Dr. Shabbir. Yes, it was very fruitful and meaningful discussion, and some of the key takeaways from the questions are the importance of the regulator and what the regulator can do in helping to advance technical issues for persons with disabilities, whether it is through subsidies for universal access for smart devices for persons with disabilities, whether it is other type of subsidies there, what is their role as policymakers and regulators in ensuring that technology is available to all participants and also underscores the importance of the education department and the work on there in making sure that education is open and available to all persons and not giving the full thought to only one type of education. As we saw from one of our speakers, there are multiple options of learning platforms that can be adjusted and that can work for different persons with disabilities. So we want to make sure that we take into account all types of issues. And thank you so much because we are ending our session on time because the captioners have to leave for lunch. Thank you. And thanks for everyone coming here.

Muhammad Shabbir: Yes, thank you very much, Judith. Thank you very much, Zeynep and the DCOER for collaborating with us on this session. I would also like to thank the participants who came here to attend this session. And last but not the least, a profound thanks to all the teams who assisted us, including the technical team, the captioners, the sign language interpreters, and others who made this session a possibility. Thank you once again.

Muhammad Shabbir

Speech speed

121 words per minute

Speech length

2613 words

Speech time

1292 seconds

Lack of consideration for accessibility in development

Explanation

Muhammad Shabbir points out that emerging technologies often fail to consider accessibility needs during development. This oversight creates barriers for persons with disabilities when trying to use these technologies.

Evidence

Personal example of encountering a VR headset that could only be activated through vision or touch, lacking audio features.

Major Discussion Point

Accessibility Challenges in Emerging Technologies

Agreed with

Tawfik Jelassi

Amela Odobasic

Agreed on

Importance of accessibility in emerging technologies

Need for universal design in technology development

Explanation

Shabbir emphasizes the importance of universal design in technology development. This approach ensures that technologies are accessible to all users, including those with disabilities, from the outset.

Major Discussion Point

Accessibility Challenges in Emerging Technologies

Agreed with

Tawfik Jelassi

Amela Odobasic

Agreed on

Importance of accessibility in emerging technologies

Importance of dialogue between regulators and persons with disabilities

Explanation

Shabbir emphasizes the importance of dialogue between regulators and persons with disabilities. This dialogue helps regulators understand the needs and challenges faced by persons with disabilities in using digital technologies.

Evidence

Example from Pakistan where telecom and banking regulators are being trained about the requirements of persons with disabilities.

Major Discussion Point

Role of Regulators and Policymakers

Agreed with

Amela Odobasic

Agreed on

Role of regulators in promoting accessibility

Differed with

Amela Odobasic

Differed on

Role of regulators in advancing accessibility

Tawfik Jelassi

Speech speed

112 words per minute

Speech length

918 words

Speech time

487 seconds

Challenges in making AI and language models accessible

Explanation

Jelassi discusses the challenges in making AI and language models accessible and unbiased. He points out that these technologies often replicate and amplify existing biases, particularly gender biases.

Evidence

Example of gender biases in large language models, where women are associated with domestic roles while men are linked to business careers.

Major Discussion Point

Accessibility Challenges in Emerging Technologies

Agreed with

Muhammad Shabbir

Amela Odobasic

Agreed on

Importance of accessibility in emerging technologies

UNESCO’s efforts to advance inclusive education through open solutions

Explanation

Jelassi discusses UNESCO’s efforts to advance inclusive education through open solutions. He highlights the potential of open educational resources paired with emerging technologies to transform education.

Evidence

Mention of the UNESCO recommendation on Open Educational Resources endorsed by 193 countries and the Dubai Declaration calling for a commitment to advancing inclusive education through open solutions.

Major Discussion Point

Open Educational Resources and Platforms

Agreed with

Mohammed Khribi

Revanth Voothaluru

Agreed on

Need for accessible open educational resources

Amela Odobasic

Speech speed

124 words per minute

Speech length

1558 words

Speech time

751 seconds

Importance of involving persons with disabilities in technology development

Explanation

Odobasic stresses the need to involve persons with disabilities in the development of technologies. This ensures that their needs and perspectives are considered from the beginning of the development process.

Major Discussion Point

Accessibility Challenges in Emerging Technologies

Agreed with

Muhammad Shabbir

Tawfik Jelassi

Agreed on

Importance of accessibility in emerging technologies

Regulators should advocate for accessibility to policymakers

Explanation

Odobasic argues that regulators should advocate for accessibility to policymakers. While regulators may not have direct policymaking power, they can influence government decisions by providing expert input on accessibility needs.

Major Discussion Point

Role of Regulators and Policymakers

Agreed with

Muhammad Shabbir

Agreed on

Role of regulators in promoting accessibility

Differed with

Muhammad Shabbir

Differed on

Role of regulators in advancing accessibility

Regulators can implement accessibility provisions within existing frameworks

Explanation

Odobasic points out that regulators can implement accessibility provisions within existing regulatory frameworks. This allows for improvements in accessibility without necessarily requiring new legislation.

Evidence

Example from Bosnia and Herzegovina where regulators changed provisions within the regulatory framework to improve TV accessibility without needing a new law.

Major Discussion Point

Role of Regulators and Policymakers

Agreed with

Muhammad Shabbir

Agreed on

Role of regulators in promoting accessibility

Need for legal mandates to address new technologies like AI

Explanation

Odobasic highlights the need for legal mandates to address new technologies like AI. She points out that many regulatory authorities currently lack the legal mandate to regulate these emerging technologies.

Major Discussion Point

Role of Regulators and Policymakers

Mohammed Khribi

Speech speed

102 words per minute

Speech length

1712 words

Speech time

999 seconds

Development of ICT accessibility competency framework

Explanation

Khribi discusses the development of an ICT accessibility competency framework. This framework covers all required competencies in the field of ICT accessibility to address the lack of expertise in this area.

Evidence

Mention of six competency domains in the framework, including creating accessible digital content and web content.

Major Discussion Point

Open Educational Resources and Platforms

Need for accessible open educational resources

Explanation

Khribi highlights the need for accessible open educational resources. He points out the lack of ICT accessibility and accessible open educational resources in many educational settings.

Evidence

Mention of creating a common repository hosted on the OER Commons platform to gather accessible open educational resources.

Major Discussion Point

Open Educational Resources and Platforms

Agreed with

Tawfik Jelassi

Revanth Voothaluru

Agreed on

Need for accessible open educational resources

Need to integrate accessibility courses in teacher education curriculum

Explanation

Khribi emphasizes the need to integrate accessibility courses in teacher education curriculum. This would help address the lack of knowledge and skills among teachers in dealing with learners with disabilities.

Major Discussion Point

Teacher Training and Capacity Building

Importance of continuous training for in-service teachers

Explanation

Khribi stresses the importance of continuous training for in-service teachers. This ongoing professional development helps teachers stay updated on inclusive education practices and digital accessibility.

Evidence

Mention of MADA’s collaboration with the Ministry of Education and local universities to offer training workshops on digital accessibility and inclusive education.

Major Discussion Point

Teacher Training and Capacity Building

Revanth Voothaluru

Speech speed

167 words per minute

Speech length

1820 words

Speech time

651 seconds

Creation of offline learning platform with open educational resources

Explanation

Voothaluru discusses the creation of an offline learning platform called Colibri, which includes open educational resources. This platform is designed to provide offline-first teaching and learning experiences, addressing the needs of learners without internet access.

Evidence

Mention of Colibri having over 200,000 open educational resources covering a wide range of subjects and learning needs.

Major Discussion Point

Open Educational Resources and Platforms

Agreed with

Tawfik Jelassi

Mohammed Khribi

Agreed on

Need for accessible open educational resources

Using technology to support differentiation and personalization

Explanation

Voothaluru discusses using technology to support differentiation and personalization in education. This approach helps address the diverse needs of learners, including those with disabilities, in large classroom settings.

Evidence

Mention of using data about learner performance to differentiate support and provide personalized learning materials.

Major Discussion Point

Teacher Training and Capacity Building

Need to consider cultural, political, psychological, institutional and professional aspects

Explanation

Voothaluru emphasizes the need for a systemic approach to inclusive education. He argues that addressing accessibility in education requires considering cultural, political, psychological, institutional, and professional aspects.

Evidence

Reference to Dr. Fernando Rimas’ framework from Harvard recommending five perspectives for education interventions.

Major Discussion Point

Systemic Approach to Inclusive Education

Unknown speaker

Speech speed

0 words per minute

Speech length

0 words

Speech time

1 seconds

Lack of teacher knowledge on teaching students with disabilities

Explanation

An audience member points out the lack of teacher knowledge on how to teach students with disabilities. This highlights a gap in teacher education and training regarding inclusive education practices.

Major Discussion Point

Teacher Training and Capacity Building

Importance of basic education access before focusing on technology

Explanation

An audience member emphasizes the importance of ensuring access to basic education for students with disabilities before focusing on technology. This highlights the need to address fundamental educational inequalities.

Evidence

Example from Mexico where access to basic education for people with disabilities is still a challenge.

Major Discussion Point

Systemic Approach to Inclusive Education

Role of governments in investing in education for people with disabilities

Explanation

An audience member highlights the crucial role of governments in investing in education for people with disabilities. They argue that without proper government investment, inclusive education remains a distant goal.

Evidence

Example from Mexico where there’s a perceived lack of government investment in the development of people with disabilities.

Major Discussion Point

Systemic Approach to Inclusive Education

Engaging open source developer communities

Explanation

An audience member emphasizes the importance of engaging open source developer communities in creating accessible solutions. They argue that involving developers is crucial for embedding accessibility features into digital platforms.

Major Discussion Point

Systemic Approach to Inclusive Education

Agreements

Agreement Points

Importance of accessibility in emerging technologies

Muhammad Shabbir

Tawfik Jelassi

Amela Odobasic

Lack of consideration for accessibility in development

Need for universal design in technology development

Challenges in making AI and language models accessible

Importance of involving persons with disabilities in technology development

The speakers agree that emerging technologies often fail to consider accessibility needs, and there is a need for universal design and involvement of persons with disabilities in the development process.

Role of regulators in promoting accessibility

Amela Odobasic

Muhammad Shabbir

Regulators should advocate for accessibility to policymakers

Regulators can implement accessibility provisions within existing frameworks

Importance of dialogue between regulators and persons with disabilities

The speakers agree that regulators play a crucial role in promoting accessibility by advocating to policymakers, implementing provisions within existing frameworks, and engaging in dialogue with persons with disabilities.

Need for accessible open educational resources

Tawfik Jelassi

Mohammed Khribi

Revanth Voothaluru

UNESCO’s efforts to advance inclusive education through open solutions

Need for accessible open educational resources

Creation of offline learning platform with open educational resources

The speakers agree on the importance of developing and promoting accessible open educational resources to advance inclusive education.

Similar Viewpoints

Both speakers emphasize the importance of teacher training and capacity building in digital accessibility and inclusive education practices.

Mohammed Khribi

Revanth Voothaluru

Need to integrate accessibility courses in teacher education curriculum

Importance of continuous training for in-service teachers

Using technology to support differentiation and personalization

Unexpected Consensus

Systemic approach to inclusive education

Revanth Voothaluru

Unknown speaker

Need to consider cultural, political, psychological, institutional and professional aspects

Importance of basic education access before focusing on technology

Role of governments in investing in education for people with disabilities

Despite coming from different perspectives (technology developer and audience member), both emphasize the need for a holistic approach to inclusive education, considering various factors beyond just technology.

Overall Assessment

Summary

The main areas of agreement include the importance of accessibility in emerging technologies, the role of regulators in promoting accessibility, and the need for accessible open educational resources. There is also consensus on the importance of teacher training and capacity building in digital accessibility.

Consensus level

There is a moderate to high level of consensus among the speakers on the key issues discussed. This consensus suggests a shared understanding of the challenges and potential solutions in making digital technologies and education more accessible and inclusive. The implications of this consensus are that it provides a strong foundation for collaborative efforts to address these challenges across different sectors and stakeholders.

Differences

Different Viewpoints

Role of regulators in advancing accessibility

Amela Odobasic

Muhammad Shabbir

Regulators should advocate for accessibility to policymakers

Importance of dialogue between regulators and persons with disabilities

While both speakers emphasize the importance of regulators in advancing accessibility, they differ in their approach. Odobasic focuses on regulators advocating to policymakers, while Shabbir emphasizes direct dialogue between regulators and persons with disabilities.

Unexpected Differences

Priority of basic education access vs. technology integration

Revanth Voothaluru

Unknown speaker

Creation of offline learning platform with open educational resources

Importance of basic education access before focusing on technology

While most speakers focused on technological solutions, an audience member unexpectedly emphasized the need to prioritize basic education access for students with disabilities before focusing on technology integration. This highlights a fundamental difference in approach to inclusive education.

Overall Assessment

Summary

The main areas of disagreement revolve around the role of regulators, approaches to teacher training, and the prioritization of basic education access versus technology integration.

Difference level

The level of disagreement among speakers is moderate. While there is general consensus on the importance of accessibility and inclusive education, speakers differ in their proposed approaches and priorities. These differences highlight the complexity of implementing inclusive education and the need for a multi-faceted approach that considers various perspectives and local contexts.

Partial Agreements

Both speakers agree on the need to improve teacher capacity for inclusive education, but they propose different approaches. Khribi emphasizes integrating accessibility courses in teacher education, while Voothaluru focuses on using technology for differentiation and personalization.

Mohammed Khribi: Need to integrate accessibility courses in teacher education curriculum

Revanth Voothaluru: Using technology to support differentiation and personalization

Similar Viewpoints

Both speakers emphasize the importance of teacher training and capacity building in digital accessibility and inclusive education practices.

Mohammed Khribi

Revanth Voothaluru

Need to integrate accessibility courses in teacher education curriculum

Importance of continuous training for in-service teachers

Using technology to support differentiation and personalization

Takeaways

Key Takeaways

Emerging technologies like AI have great potential but often lack accessibility considerations for people with disabilities

Regulators and policymakers play a crucial role in advancing digital inclusion and accessibility

Open educational resources and platforms can help make education more accessible and inclusive

There is a significant need for teacher training and capacity building on inclusive education and teaching students with disabilities

A systemic, multi-stakeholder approach is needed to truly achieve inclusive education

Resolutions and Action Items

UNESCO pledged to increase the reach of inclusive education platforms by 25% by 2030

Learning Equality developed an offline learning platform (Colibri) with open educational resources to improve access

MADA is offering training workshops on digital accessibility and inclusive education in Qatar

Unresolved Issues

How to effectively implement teacher training on inclusive education at scale

How to ensure governments invest adequately in education for people with disabilities

How to make AI and language models fully accessible and unbiased

How to provide basic education access for all students with disabilities before focusing on technology

Suggested Compromises

Using technology to support differentiation and personalization in large classrooms where individual attention is difficult

Regulators implementing accessibility provisions within existing frameworks when new laws are not possible

Thought Provoking Comments

Information is a public good. And as a public good, information needs to receive public support. I think the same is true for openness and accessibility.

Speaker: Tawfik Jelassi

Reason: This comment frames accessibility and openness as public goods deserving of public support, which provides a compelling rationale for government involvement and investment in these areas.

Impact: It set the tone for discussing accessibility as a societal responsibility rather than just an individual or private sector concern. Subsequent speakers built on this idea of collective commitment and multi-stakeholder approaches.

Our needs are the same as yours, okay, who do not sort of like fall into the category of the persons with disabilities. So we do not have specific needs, our needs are the same to have access to information, access to communication, et cetera.

Speaker: Amela Odobasic (quoting a representative of persons with disabilities)

Reason: This reframes the discussion of accessibility from a ‘special needs’ perspective to one of equal rights and universal design. It challenges the common perception of accessibility as an add-on for a specific group.

Impact: It shifted the conversation towards viewing accessibility as a universal benefit and influenced later comments about inclusive design and development practices.

We need to collaborate. We need a multi-stakeholder approach. We need to collaborate with all involved parties in order to build the capacities of in-service teachers in terms of how to deal with learning disabilities in an inclusive education perspective.

Speaker: Mohammed Khribi

Reason: This comment emphasizes the need for collaboration across different sectors to address accessibility in education, highlighting the complexity of the issue.

Impact: It broadened the discussion from focusing solely on technology solutions to considering the importance of capacity building and systemic approaches in education.

When you talk about supporting learners with disabilities, teacher capacity building is definitely one of the big ways to go about it. And I think to support it, specifically strategies like differentiation and personalization play a crucial role.

Speaker: Revanth Voothaluru

Reason: This comment brings attention to the pedagogical aspects of accessibility, emphasizing that technology alone is not sufficient without proper teaching strategies.

Impact: It led to a more nuanced discussion about the intersection of technology, pedagogy, and accessibility, highlighting the need for a holistic approach.

Overall Assessment

These key comments shaped the discussion by broadening the perspective on accessibility from a narrow focus on technology to a more comprehensive view that includes policy, education, and societal attitudes. They emphasized the need for collaboration across sectors, the importance of viewing accessibility as a universal benefit rather than a special accommodation, and the critical role of capacity building alongside technological solutions. This multifaceted approach led to a richer, more nuanced conversation about creating truly inclusive digital environments.

Follow-up Questions

How can we provide more training and capacity building for teachers to effectively teach persons with disabilities?

Speaker: Online audience member

Explanation: This is important because many teachers lack knowledge on how to teach persons with disabilities differently, especially for conditions like autism and dyslexia.

How can we effectively leverage technology to support differentiation and personalization for learners with disabilities in large classrooms?

Speaker: Revanth Voothaluru

Explanation: This is important for providing individualized support in developing countries with large class sizes.

How can we approach education interventions for learners with disabilities from a more systemic lens, considering cultural, political, psychological, institutional, and professional perspectives?

Speaker: Revanth Voothaluru

Explanation: This holistic approach is important for effectively implementing solutions to support learners with disabilities.

How can regulatory authorities better advance digital inclusion for persons with disabilities?

Speaker: Online audience member

Explanation: This is important to understand the specific role regulators can play in promoting accessibility.

How can we better engage the open source developer community in embedding accessibility features into digital platforms?

Speaker: Audience member (developer)

Explanation: This is important because developers play a crucial role in building accessible solutions.

How can we ensure basic education access for students with disabilities before focusing on technology and internet access?

Speaker: Itzel (TICET fellow)

Explanation: This is important because in some countries like Mexico, basic education access for people with disabilities is still a challenge.

Disclaimer: This is not an official session record. DiploAI generates these resources from audiovisual recordings, and they are presented as-is, including potential errors. Due to logistical challenges, such as discrepancies in audio/video or transcripts, names may be misspelled. We strive for accuracy to the best of our ability.

WS #31 Cybersecurity in AI: balancing innovation and risks

Session at a Glance

Summary

This discussion focused on the cybersecurity challenges and ethical considerations surrounding artificial intelligence (AI) systems. Experts from various fields explored the need for trust, transparency, and responsible deployment of AI technologies. They emphasized that while AI adoption is rapidly increasing across industries, concerns about security vulnerabilities and ethical implications remain.

The panelists highlighted the importance of developing comprehensive cybersecurity measures specifically tailored for AI systems. They discussed the need for guidelines and standards to help organizations implement AI securely, addressing issues like data poisoning, model security, and supply chain vulnerabilities. The experts also stressed the significance of AI literacy and education for professionals and the general public to foster responsible AI use.

The discussion touched on the challenges of harmonizing AI regulations across different jurisdictions, with some panelists suggesting that complete harmonization may not be feasible due to cultural and regional differences. However, they emphasized the importance of interoperability and common frameworks for AI governance.

Ethical considerations were a key topic, with panelists exploring the complexities of defining and implementing ethical AI practices across diverse cultural contexts. They discussed the need for balancing innovation with responsible AI development, considering factors such as fairness, transparency, and societal impact.

The experts also addressed the future of work in the context of AI, suggesting that while AI may change job roles, it is likely to create new opportunities rather than eliminate human involvement entirely. The discussion concluded by acknowledging the ongoing challenges in AI security and ethics, emphasizing the need for continued collaboration and adaptive strategies to address emerging threats and ethical dilemmas in the rapidly evolving field of AI.

Keypoints

Major discussion points:

– The importance of trust and transparency in AI systems

– Cybersecurity challenges and vulnerabilities specific to AI

– The need for AI literacy and education across society

– Ethical considerations and cultural differences in AI development and use

– Regulatory approaches and challenges in harmonizing AI governance globally

The overall purpose of the discussion was to explore key security and trust issues related to the widespread adoption of AI technologies, and to discuss potential approaches for addressing these challenges through education, guidelines, and governance frameworks.

The tone of the discussion was largely analytical and solution-oriented. Speakers approached the complex issues with a mix of caution about risks and optimism about potential benefits of AI. There was an emphasis on the need for multi-stakeholder collaboration and nuanced approaches that consider cultural and regional differences. The tone became slightly more urgent when discussing the rapid pace of AI adoption and the need to quickly develop appropriate safeguards and literacy.

Speakers

– Gladys Yiadom: Moderator

– Dr. Allison Wylde: Member of UNIGF Policy Network of Artificial Intelligence team, senior lecturer at UNIGF, assistant professor at GCU London

– Yuliya Shlychkova: Vice President of Public Affairs at Kaspersky

– Sergio Mayo Macias: Coordinator of European Digital Innovation Hub, member of IGF Policy Network of Artificial Intelligence

– Melodena Stephens: Professor of innovation and technology at Mohammed bin Rashid School of Government in Dubai, UAE

Additional speakers:

– Jochen Michels: Online moderator

– Charbel Chbeir: President of Lebanese ISOC

– Christelle Onana: Works for EODNEPAD (developing agency of the African Union)

– Francis Sitati: From Communications Authority of Kenya (regulator for ICT sector)

Full session report

Expanded Summary of AI Cybersecurity and Ethics Discussion

Introduction

This discussion, moderated by Gladys Yiadom, brought together experts from various fields to explore the cybersecurity challenges and ethical considerations surrounding artificial intelligence (AI) systems. The panel included Dr. Allison Wylde, a member of the UNIGF Policy Network of Artificial Intelligence team; Yuliya Shlychkova, Vice President of Public Affairs at Kaspersky; Sergio Mayo Macias, Coordinator of European Digital Innovation Hub; and Melodena Stephens, Professor of innovation and technology at Mohammed bin Rashid School of Government in Dubai, UAE. Additional contributors included Jochen Michels as online moderator, Charbel Chbeir from Lebanese ISOC, Christelle Onana from EODNEPAD, and Francis Sitati from the Communications Authority of Kenya.

The discussion focused on several key areas: trust and transparency in AI systems, cybersecurity challenges specific to AI, the need for AI literacy and education, ethical considerations in AI development and use, and regulatory approaches to AI governance. The overall tone was analytical and solution-oriented, with speakers balancing caution about risks with optimism about AI’s potential benefits.

Trust and AI Adoption

A central theme of the discussion was the complex nature of trust in AI systems. Allison Wylde emphasised that trust is subjective and culturally dependent, challenging the notion of universal trust standards for AI. She highlighted the difficulties in defining and measuring trust in AI systems, noting that trust varies across different contexts and cultures. Gladys Yiadom referenced a Kaspersky study indicating that over 50% of infrastructure companies have implemented AI despite trust concerns, highlighting the tension between rapid adoption and lingering scepticism.

Yuliya Shlychkova pointed out that AI, being fundamentally software, cannot be considered 100% safe, which leads to ongoing cybersecurity concerns. To address these issues, she suggested that education efforts could help build trust and harmonisation in AI adoption. This multifaceted view of trust underscored the need for nuanced approaches to fostering confidence in AI technologies.

AI Security Challenges

The discussion delved into specific cybersecurity challenges posed by AI systems. Yuliya Shlychkova highlighted vulnerabilities such as data poisoning, prompt injection, and attacks on various components of the AI development chain. She presented Kaspersky’s guidelines for AI security, which address issues like model security, supply chain vulnerabilities, and best practices for secure AI development and deployment.

Melodena Stephens raised concerns about the lack of algorithmic transparency, which makes it difficult to audit AI systems effectively. The potential security risks associated with open-source AI models were also discussed. The experts stressed the importance of developing guidelines and standards to help organisations implement AI securely, addressing issues like model security and supply chain vulnerabilities.

AI Regulation and Governance

The challenge of harmonising AI regulations globally emerged as a significant point of discussion. Allison Wylde highlighted the difficulties in achieving global harmonisation due to cultural differences, while Sergio Mayo Macias pointed to the EU AI Act as a potential model for regional AI governance. Melodena Stephens suggested that Africa has an opportunity to develop its own AI strategy and standards, reflecting the need for context-specific approaches. This was further supported by Christelle Onana, who mentioned the African Union’s continental AI strategy.

Yuliya Shlychkova emphasised the importance of self-imposed ethical standards by companies, alongside formal regulations. The discussion also touched on the role of private sector companies in AI governance and regulation. This multi-layered approach to governance reflected the complex landscape of AI development and deployment across different jurisdictions and cultural contexts.

Ethical Considerations in AI

The panel explored the complexities of defining and implementing ethical AI practices. Melodena Stephens noted that while AI ethics guidelines exist, they are often difficult to operationalise. Sergio Mayo Macias highlighted the crucial yet challenging task of ensuring algorithmic fairness and the importance of data quality in AI development. Allison Wylde emphasised how cultural norms influence the interpretation and application of ethics in AI contexts.

The discussion also touched on AI’s impact on the workforce, with Yuliya Shlychkova stressing the need for careful consideration of human-AI collaboration and the potential displacement of certain job roles. This highlighted the broader societal implications of AI adoption and the importance of balancing innovation with responsible development.

AI Education and Literacy

A consensus emerged around the critical need for increased AI literacy among professionals and the general public. Gladys Yiadom emphasised this point, while Allison Wylde highlighted the importance of youth mobilisation and education for responsible AI adoption. Melodena Stephens suggested that AI literacy efforts should distinguish between general digital skills and AI-specific knowledge, adding nuance to the discussion on education strategies.

Yuliya Shlychkova stressed the necessity of continuous training on AI risks and best practices within organisations. This focus on ongoing education reflected the rapidly evolving nature of AI technologies and the need for adaptive learning approaches.

AI in Cybersecurity

The potential use of AI in cybersecurity was discussed, with experts noting both the opportunities and challenges. While AI can enhance threat detection and response capabilities, concerns were raised about the potential for AI systems to be exploited by malicious actors. The need for robust security measures in AI-powered cybersecurity tools was emphasised.

Conclusion

The discussion concluded by acknowledging the ongoing challenges in AI security and ethics, emphasising the need for continued collaboration and adaptive strategies. Key takeaways included the subjective nature of trust in AI, the significant cybersecurity challenges faced by AI systems, the difficulties in harmonising global AI regulations, the importance of operationalising ethical guidelines, and the critical role of AI literacy.

Unresolved issues highlighted by the discussion included effective methods for harmonising AI regulations across different jurisdictions, practical implementation of AI ethics guidelines, balancing innovation with security concerns, the long-term impact of AI on the workforce, and ensuring algorithmic fairness and transparency.

The experts proposed several action items, including the use of Kaspersky’s guidelines for AI security, the development of self-imposed ethical standards by companies, and the adoption of risk-based approaches to AI regulation. The discussion underscored the complexity of global AI governance and the need for flexible, context-specific solutions that consider cultural, regional, and ethical dimensions while promoting responsible AI development and use. The importance of a multi-stakeholder approach in developing AI standards and regulations was emphasised as crucial for addressing the multifaceted challenges posed by AI technologies.

Session Transcript

Gladys Yiadom: have as recently witnessed the emergence of AI-enabled systems at an incredible scale. Despite various regulatory in- Between- Yes, can you hear me now? Okay. Very good, thank you. Thank you. So I was saying a gap between the general frameworks and concrete implementation remains. We are here today with our distinguished speakers to explore which requirements should be considered and how a multi-stakeholder approach should be adopted to produce new standards for AI systems. Organizations like NIST or ISO are actively developing cybersecurity standards for AI-specific threats. However, the standards mostly cover AI foundation models development or overall management of risk associated with AI. This has created a gap in AI-specific protection for organizations that implement applied AI systems based on existing models. My first question will be to you, Allison, but let me please first share some of your bio. Dr. Allison Wylde is a member of UNIGF Policy Network of Artificial Intelligence team. In this capacity, she contributes on interoperability among AI standards, tools and practices. Previously an international commissioner on security standards, she co-chaired the first standards to integrate physical and cyber security. Allison is also a senior lecturer at UNIGF, assistant professor at GCU London. She also intervenes at Cardiff University and more. My question to you, Allison, is this one. The use of AI has increased significantly worldwide in recent years. A Kaspersky study has revealed that more than 50% of infrastructure companies have implemented AI and IoT in their infrastructure, with a further 33% planning to adopt these interconnected technologies within two years. Does this widespread acceptance of AI mean that the issue of trust is no longer a concern for users and organizations?

Dr. Alison: Thank you, it’s a fascinating question and we’re back to trust. So thank you for inviting us here to IGF 2024. I’m delighted to be here. And I think this question of trust really follows on from earlier talks in the plenary the other day, there was Dr. Abdullah bin Sharaf Alghamdi from SDAIA who was talking about trust. And he said, we need to enhance trust in AI products and also to have transparency and trust. And I think this really resonates with your question. So we have the issue of people saying we want trust but the question for us is, well, what do we mean? How do we define trust? Trust is subjective. So maybe I trust you. I think I probably do. I don’t really know you too well, but I trust you. I’m a human. And so our human behavior is naturally to trust. Children trust their parents without thinking about it. And I think that’s one of the issues in business. People see a new technology and they want to be with the top technology, with the new technology. And of course they want to use it really without thinking. And I think that’s part of the issue. And of course, there’s lots more I can say about this. You know, stop me when you’ve heard enough. But I think if we look at basically how are we understanding trust? How are we defining trust? What’s our conceptual framework for trust? What’s your trust in your culture? Are you a high trusting nation or not, depending on where you are in the world? So we need to really look at this as a subjective issue and start with that. So I can come back again, but maybe if I can, a few more things. So I think because trust is subjective, we can’t use statistics. We can’t use regression. We can’t go with central tendency. This is not something we can run a regression model and look at, I don’t know, cultural trust measures and look across the world. We can’t do that because it’s subjective.
So we need to have something more sophisticated if we’re going to really try and get the conception right and then ideally get towards some sorts of measurements. So if prominent members are calling for trust, then well, what do they mean? And how are we going to have a conceptual framework for that and how are we going to measure it and how are we going to implement it if we don’t know what we’re talking about? Now, thank you. I’ll hand over. Thank you.

Gladys Yiadom: Thank you very much, Allison, for those points. As you highlighted, trust is a key element here. So I’ll hand it over now to Yuliya, but before asking my question, Yuliya Shlychkova serves as Vice President of Public Affairs at Kaspersky. She leads the company’s relations with government agencies, international organizations and other stakeholders. She oversees Kaspersky’s participation in public consultations at regional and national level on key topics such as artificial intelligence, everything related to AI ethics and also governance. My question to you, Yuliya, is, if there are still concerns regarding the trustworthiness of AI, what are the main reasons for this mistrust? Could you give us a brief overview of the current cyber threat landscape in relation to AI?

Yuliya Shlychkova: Sure. So I am representing a cybersecurity company and our experts do research on threats. And we actually see that AI is still software and software is not 100% safe and protected. Therefore, there are already registered cases of AI being used by cyber criminals in designing their attacks and also AI has been attacked. So that’s why people with understanding of the matters do have concerns. And this is also only the cybersecurity angle because AI also brings a lot of sociological, social concerns, ESG concerns. But if we go back to the cybersecurity area. So we actually see that more and more cyber criminals are trying to automate their routine tasks using AI. So there are a lot of talks on the dark web, them sharing like how to automate this and that. Also on the dark web, they are trying to sell hacked ChatGPT accounts and those are trading very high. So we are also being attacked. Some of the examples of attacks include data poisoning, like open source data sets used to train models. We saw backdoors and vulnerabilities there. Also, so such attacks in the wild as prompt injection when attack is targeting the algorithm, how AI model works and trying to impact the output of the model. And what’s happening like because so many organizations like to play with AI. And Gladys mentioned this way Kaspersky did, but those people who were answering how many organizations using AI, they don’t even know the scale of shadow AI use in the organizations because a lot of employees are reaching ChatGPT to do their regular work quickly. So there is an absence of knowledge like how many of these services are used. And what is happening is that employees are sharing confidential business information, financial information with AI models and those models can be impacted and this information can get into wrong hands. So just to summarize that we almost see in the wild attacks on every component of AI development chain. Therefore, cybersecurity should be addressed.
We need to talk about this and help not to stop AI usage but to do it safely and have basis for this trust in for AI use in the organization.

Gladys Yiadom: Thank you. Thank you, Yuliya, for this comment mentioning the use of AI and the idea that we need to be careful in terms of models. It leads me to the question that I will now address to Sergio, but before my question, Sergio Mayo has more than 20 years of innovation program and information system management in various fields such as finance, telecommunication, health and more. He cooperates with IGF as a member of the Policy Network of Artificial Intelligence as a member of it since 2023. He focuses on the social impact of AI and data technologies and digital ethnography. He currently coordinates the European Digital Innovation Hub. So Sergio, thank you very much for being with us today online. My question to you, given that the internet contains a wealth of information, sometimes contradictory or even fake, can one rely on the datasets utilized to train AI models?

Sergio Mayo Macias: Good morning. Good morning. Thank you. Thank you, Gladys. Thank you to the organization for inviting me to this workshop. Well, actually, I think that trusting the data used to train AI models is part trusting the technology and part trusting in the human creating or operating that technology. And that’s a philosophy question. I will not go deeper in this, but going deeper regarding the data issues for trusting or not trusting in data used for training AI, there are an amount of problems really, really big. And I will mention some of them. First of all, and the most important one that comes to our mind is data bias. Data bias, of course, when the training data used to develop AI models is not representative for or of the real world scenario that it is intended to model. And if the data is skewed in terms of gender, ethnicity, location, or any other attributes, the AI model will inherit and amplify these biases. And this can result in unfair predictions, discrimination, and so on. But also, even though we have the data quality issues, like poor quality data, which includes incomplete or outdated information, and it also can severely undermine the reliability of AI models. But at the end of the day, even if we have a good data set, we have a human using this data, and a human creating an algorithm and a model. So going beyond the good or bad data that we used for training this model, we have to put the focus on the algorithmic fairness. And the algorithmic fairness is an issue that is directly pointed at the human using the data. So the human using the data must be aware of the quality of this data, must avoid the data bias, the data privacy concerns, for instance, and so on, the data manipulation, the insufficient data representation. But at the end of the day, he’s able to produce a fair algorithm with this data. So I think this is the key point for this question.

Gladys Yiadom: Thank you. Thank you, Sergio, for your comments. So now I will turn over to Melodena. Melodena is a professor of innovation and technology at Mohammed bin Rashid School of Government in Dubai, UAE. She has three decades of senior leadership international experience and consults with organizations such as Agile Nation, Council of Europe, and the Dubai Future Foundation. So we were previously addressing regulatory issues. My question to you, to maintain the balance between the progress and the security, it is assumed that the emergence of new technology should be accompanied by the development of a corresponding regulatory base. Can we say that the current governance of AI is adequate? Are existing standards such as ISO or NIST sufficient for the security of AI? Or do we need specific regulations?

Melodena Stephens: So thank you for the question. I think it’s a complex one. So let me start from the top. If you look at how many policies are there for cybersecurity, I think there are more than 100 countries which have policies. While some of them are on security and they’re looking at algorithmic security, we see recently over the last two years maybe more focusing on critical infrastructure. And there’s two things driving it. One is we’re moving away from individual security or corporate security or industry security to national security. So this becomes an interesting trend, right? And I think the main thing, the challenge we have is fragmentation. AI is global. If you just look at the supply chain of AI, it is impossible to nationalize it. So how can you maintain even national security or individual security or corporate security when AI is global? So that’s the first thing, fragmented regulations. Anu Bradford has written an interesting book that’s called Atlas of AI, and she divides the world into three. On one end, she looks at US as a very market-focused leadership. So you see private tech actually leading and dominating. If you look at US and its allies, I think we’re talking about 27 countries if you’d look at NATO alliance. Then she looks at the EU, which she says is driven by human rights and rule of law and democracy. Again, 27 countries if you look at it. And then she talks about state-driven national strategies, and you’re looking at countries like China. If I just take the BRI project, you’re talking about approximately 140 countries. So then you’ve got a good idea of how this fragmentation and how alliances will be created across the world. So it’s very geopolitical. If I look at the strategies that are currently, or the frameworks that you mentioned, the ISO and the NIST, so there are a couple of challenges with it. One, the scope and context is decided by the organization itself. So it’s not really taking the wider perspective.
And we see in strategies like this, we need whole of society, whole of government, and whole of industry perspectives, which are missing, right? And I think also the focus on risks is a challenge itself. Because when you come to a place like cybersecurity, you’re looking at a public value domain space. And it’s really about decisions on trade-offs. Do I put national security ahead of individual privacy? That’s a trade-off. Do I invest in today’s technology knowing that a data center costs billions, right? And I know that it will create an environmental footprint and a sustainability issue later. That’s a trade-off. Do I connect everything through the internet of things, which is great, but that means I am creating vulnerabilities because of all of these connections because no one company has the technology stack from bottom to the end. So that’s a trade-off. I do not think when we talk of risks, we talk enough about trade-offs and that’s one of my concerns.

Gladys Yiadom: Absolutely right, Melodena. And I think we’ll also dive into it a bit later in the session. I also invite afterwards participants to share any question that they would have. So now moving to that, this workshop is also the opportunity to display some of the guidelines that have been produced with Kaspersky team, but also the speakers that are here among us. So I’ll kindly ask the team to share the slides. Yeah, can we please share the slide and the floor will be yours, Yuliya.

Yuliya Shlychkova: So while we are waiting for the slides. Thank you. Okay, so as Melodena said, a lot of focus is on critical use of AI and on developers of large language models on like national competitiveness in the area of AI. And we see that there is this gap because adoption of AI is happening on the mass scale and it’s skyrocketing. And these users, these organizations who are fine-tuning existing models and using it also need some sort of guidance. Maybe not regulation, not compliance, not requirements, but at least some guidance. Do these 10 things and you will be at least 80% more secure. And this is what we have put our thoughts into and produced these guidelines. Just a little bit to illustrate the scale of adoption, that more than a million models are available in the public repository. And like developers at GitHub are already saying that the majority of them, they are using AI at some point and industries. So in a few years, I think there will be no one not using this. Attacks I already covered in my short intervention, but again, we see almost every point in AI supply chain can be vulnerable to attacks. In public, we see more than 500 records of vulnerabilities in AI and their accounting. So we asked in our survey, professionals working in organizations, do they estimate the rise or decrease of incidents within their organization? And the majority, more than 70% reported they see a rise in such incidents. But interesting thing that 46% out of these believe that these attacks were with AI use in that way or another. And also the same professionals also reported that they believe they are not equipped enough to address these challenges. They have lack of training, lack of qualified staff, insufficient IT team size. So these problems already here, they already exist. And when we add AI usage, especially shadow usage, so it’s like with immune system, every person has, right? So it breaks under pressure.
So that’s why we believe some guidance, some basic requirements are of help to organizations adopting AI. So our guidelines cover four main pillars, key security foundations, infrastructure and data protection requirements, how can resilience achieve through validation and testing, and also adherence to governance and compliance. So talking about AI security foundations, we believe that first of all, leadership organization has to know about what AI services are used and whether they open new threats or not and how those are mitigated. Team has to be trained. IT professionals have to be trained on AI usage and risk associated, and also regular users who can use AI in their work also need to have this awareness about risks and what to do and what not to do. And these courses have to be regularly updated. There needs to be field exercises and it should be continuous exercise. Also, the response of organization has to be proportional to the use. So each organization is advised to have threats modeling about what, check, check, what threats of non-using AI can be, what threats of misusing AI can be, and how those different threats can be addressed. So to have individual threats modeling is very recommended. Talking about infrastructure security, a lot of organizations are relying on cloud-based services, hence traditional approach to infrastructure security is also relevant here. That access to AI services has to be very, has to be locked, has to be limited only to those employees who need to have this access. There has to be two-factor authentication, there has to be segmentation like data models in one place, weights in another place. So it’s all mentioned in our guidelines and I will provide you link further just mentioning highlights of this. Then talking about supply chain, in a lot of regions some AI models, popular models are not available. That’s why a lot of organizations turn into proxies, some third parties and some of them can be reliable and some not.
That’s why it’s very important to check from which source information coming and to have this audit of supply chain. Because of this, a lot of organizations also choose to have localized data models within the organization and if you choose this approach, there is also importance to follow requirements such as login access, keeping and backing up your assets. Then if your use is very wide of AI within an organization, you need to be prepared against machine learning specific attacks and there are already best practices how to do this. You see fancy words like distillation techniques, train models with adversarial examples. Like for policy people like this, it might sound as rocket science but IT people would know what this means. and we provide more details in our guidelines. Then also Sergio mentioned that if you’re using a model from a third party, this model was trained on specific examples, specific data sets. So before releasing it to public, you need to train this on the real life scenarios, on your industry benchmarks in real life. So testing and validation is really important, and you need to be ready to back up to the previous version if testing goes wrong. And also general cyber security requirements. Please ensure to have regular security updates when you monitor in public sources information about vulnerabilities. Have internal audits regularly to test and update based on this test. And of course, vulnerability and bias reporting. As an organization, you need to have information available to public so that users and your clients using your AI services have an opportunity to contact you if they notice vulnerability or bias, and you have an opportunity to fine tune this. And we also as an organization, very advocate for public bug bounties programs to include AI in your bug bounty programs to have more and more community engaged. Check, check. I’m speaking too long. So vulnerability reporting is important. 
And of course, since regulatory space is very, very active, it’s important to keep an eye and ensure that what you are using is adhering to the standards and regulation. And I think the last slide is the most important. So the full text can be accessible upon this link. It’s over 10 pages. We really did our best and a big thank you to Alison, Melodena and Sergio in reviewing it and contributing. And the idea of these basic standards actually come from cyber security. A lot of nations like UK, Germany and ministries of communications and technologies are trying to raise awareness of these basic cyber security standards and publish this information on their website. So we believe that it would be a good idea if nations worldwide can also maybe take a look at what we have produced, develop, fine tune it and to promote it on national and international level so that mass usage of AI can happen in a more secure way. Thank you for the opportunity.

Gladys Yiadom: Thank you very much, Yuliya, for sharing the guidelines. Again, do not hesitate also to pass the Kaspersky book if you don’t get the chance to download it here. So now, moving to another set of questions. Yuliya, you were mentioning somehow AI trainings, literacy, and my question will be to you, Melodena. In such cases, how best to address the issue of increasing AI literacy among professionals but also the wider population?

Melodena Stephens: Thank you. First of all, I want to mention that digital literacy is not the same thing as AI literacy. So I was having a conversation. Some key places people think it falls under, but right now most of what passes for digital literacy is actually digital skills training, and I don’t think it’s the same thing. So we need to be very mindful of that. AI is a much more complicated topic. And I think the challenge that we’re really facing is we need societal education, we need education of industry, we need education of policy makers. I have met engineers, I work with IEEE for example, even engineers struggle when you look at AI and you look at some of how it’s being deployed or what implications it has. So this becomes a challenge. And when you look at some of the policies, I just wanna take an example. If I look at NIST, there’s 108 subcategories. If I look at ISO, for example, we’re talking about 93 controls. And what people are doing is making them 93 policies. I don’t know about you, I don’t know who reads 93 policies, but the problem is actually operationalizing it and implementing it. So the way we’re delivering knowledge, the current method is not working. An audit system, the policies put over there, we don’t know how to translate it, we don’t know what it means for me. So we need to be able to translate this for different people based on their level of expertise. And I’ll just give you one example. I heard the word, you mentioned transparency. How can we get algorithmic transparency? If I look at what Google has just released in the last week, which is Willow, it does a calculation in five minutes, which according to them, a supercomputer will take 10 raised to 25 years. That’s 10 septillion years to do. Which human being can go and look at this and trace everything? It is impossible at the speed at which technology is doing. Just another example, if you’re talking about 175 billion parameters, we’re talking about 10 million queries per day.
How many people do you have to employ to go and audit 10 million queries per day? So what we’re doing right now is taking a rough sample and we’re auditing it and then we’re reporting error rates and we’re only reporting sometimes one type, not false negatives, not false positives. Both are important. So there’s a lot of things that are missing currently right now in the way we’re evaluating AI. And I wanna also highlight something like this because they talk about, let’s have human in the loop. If anyone has read the foreign policy article on Lavender, Project Lavender, which was a facial recognition drone technology, they did have humans in the loop to decide who or what to target. The amount of time they spent, 20 seconds for review. I don’t know about you, but my brain does not think in 20 seconds of review. We’re not computers. So the first thing is I’m not a machine, I’m a human being. My skills are different from a machine. We need to understand both of that. And I think AI literacy is kind of understanding what a machine can do, what a machine cannot do. And I’ll take the last example, which was in 2021, Facebook had an outage. It was a BGP, Border Control Gateway, Border Gateway Protocol issue. Now, what was interesting is they’re very high tech. So their systems are all on facial recognition and authentication. So they should have been able to enter in to fix the issue. Unfortunately, what happened is they got locked out of their own offices. So you have backups and we’re depending on technology for those backups, but at the end, it’s the human being. So you’ve got to have a backup, which is a human being. And my worry right now is the knowledge those human beings are having are becoming obsolete because we’re not valuing it enough.

Gladys Yiadom: Thank you. Thank you, Melodena, for this comment. My next question to you, Alison, how can a zero trust approach be integrated into the development and use of AI?

Dr. Alison: Thank you, I’m just checking. That’s great, thank you. So just very quick, Zero Trust 101, I’m sure you’re all familiar, but for those of you that are not. So as I mentioned before, we’re humans, so we’re predisposed to presumptive trust, to trust someone without validating. I think my Russian’s really bad. So trust but verify and of course now we don’t trust, we have to verify first. So zero trust, non-presumptive trust, we have to verify an identity whether it’s an individual, a person, a data user, a technology and so on or an application. We have to verify that before we can grant trust. So we have continuous monitoring. So in a process like artificial intelligence where we’re looking across a very complex dynamic ecosystem, we’ve got all of the moving parts all moving at the same moment, the humans taking decisions, the prompts going in, the black box doing its thing with the model we’re not sure where it’s come from, the data we’re using to train the input, the outputs coming out. So we’re saying operate zero trust throughout this ecosystem to give us a chance to verify before things come out the other side and before they’re implemented and as we’ve said, colleagues have said, companies are just doing this without thinking, just like a new technology, just like driving a car before people had a driving license, jump in the car and drive in and people don’t know what they’re doing. Same in industry at the moment. Industry’s adopting this at pace and at scale without, I think the word is guardrails and zero trust can be one of the guardrails. I’m happy to come back in more depth and questions later on. I think interoperability I think is the other thing for zero trust because we’ve got everything happening at the same time at scale with no common frameworks from whether it’s our friends in ESO or NIST or wherever in the corporate world, using technology, developing standards with no interoperability across those different domains.
So it’s a very complicated systems-based ecosystem.

Gladys Yiadom: And basically what you’re saying is about how to use it responsibly. So it will lead me to my next question to you, Sergio. Given your experience as a coordinator of a regional European digital innovation hub, could you please tell us more about blueprints of best practices for the responsible deployment of AI in Europe?

Sergio Mayo Macias: Yes, thank you. Thank you, Gladys. Well, actually, the AI environment in Europe is known and has been, let’s say, labelled as a regulation-focused environment. This is because the AI Act and the DATA Act, among many others, as the main European general outcomes or the known reference frameworks, but this is only partly true. The bottom-up work has been going on for a long time. I always put the same example. We don’t have a Boeing company in Europe, we don’t have this US big company, but we have Airbus, which is not a big company, but a consortia of really, really small companies. So the way we are working in Europe is this way, the cooperation, the consortium, and so on. For instance, from 2099, there is a group called the High-Level Expert Group on Artificial Intelligence, established by the European Commission, and they, in 2019, they provided the ethics and guidelines for trustworthy AI. These guidelines emphasise the need for AI systems to be lawful, ethical, and robust, and they are producing, year after year, new drafts regarding this regulation. But we also have the AI office. supporting the development and the use of trustworthy AI. And this is only from the top, but we are also working from the bottom, from small companies and organization and RTOs. And for instance, in January, 2024, the commission launched an AI innovation package called the Gen AI for EU Initiative, which is a really easy reading package to support the startups and SMEs in developing trustworthy AI that complies with EU values. So all these islands are intended and are developed for providing security by default. Let’s say for SMEs and citizens not being able to be aware of the law, to be aware of the AI Act and so on. Another initiative is the Data Spaces Support Center. This Data Spaces Support Center was launched for contributing to the creation of common data spaces. 
Data spaces are a safe space for collectively create a data sovereignty, interoperable and trustworthy data sharing environment. And they are directly related to the AI deployment. They point to the core issue, the creation of trust. As Alison said, if you can create an environment where data is safe, reliable and secure, you are enhancing trust. And from there, you can go a step farther and use this data for training AI models. And also the network of European Digital Innovation Hubs, I am the coordinator of the one in Aragon region in Spain. We are close to the city. We are producing guidelines, blueprints and a lot of help for this key issue to create security and trust by default and letting people using AI not being aware of big documents or big frameworks or the act or the data act.

Gladys Yiadom: Thank you. Thank you, Sergio. Mentioning regulations and just coming back also to what you said, Alison, about interoperability. Is there a need to harmonize AI regulation from different jurisdictions? If so, is it possible to ensure such interoperability?

Dr. Alison: Thank you. So two parts. The first is, is it a requirement and is there a need? Is that correct? Sorry. Sorry.

Gladys Yiadom: Yes. Let me repeat that question. So is there a need to harmonize AI regulations from different jurisdictions? And if so, is it possible to ensure such interoperability?

Dr. Alison: Okay. Thank you. So I speak from a personal perspective here. So I don’t know if, realistically, I don’t know if harmonization’s possible because we’re looking across the world, across multi-stakeholder groups, private sector, governments, state actors, individuals. And it’s really difficult because there’s different cultures in play. And I think it’s right that individuals should have their culture and should have their way of being. So I really, I think that’s really hard. I think for cybersecurity and risk management standards, we do see some global take-up of the big standards there. So maybe we can look to what’s happened with those ISO 27000, 27001 family, or even the 9001, the kind of quality management standards there. And look at what’s happened there as a guide to what might happen in the future. But I think there will always be difference. Differences across the globe, across private sector, different sectors. So I don’t actually know, this is my personal view, if harmonization is possible. Is it desirable? In an ideal world, we would have interoperability across tools, across standards and frameworks, across all of those different factors, that would be the ideal. Whether it’s possible, I don’t know. But I certainly think guidelines are really a helpful stepping stone forward. So if everyone has the same framework to work from, and a common understanding, I think that’s a really big step in trying to achieve a future where we all understand where we’re going. If that, I hope that answers your question.

Gladys Yiadom: Thank you. Absolutely, Alison, and thank you. Thank you very much. My next question will be to Yulia and Sergio. Yulia, you mentioned how important it was to address it from a cybersecurity perspective. Why is the issue of cybersecurity crucial for AI systems? What would state-of-the-art security for AI systems look like?

Yuliya Shlychkova: So we believe that’s… It’s not working. Check, check. No. Check, check, check. Check, check, check. Yes, working. Now it’s working. Okay. We can hear you. So with AI is a new thing. So every technology first developing, and then people have this afterthought, oh, I had to put more thoughts about security there. So with AI, we have this opportunity to think about security by design. The same as regulation. Like regulation is always catching up. With AI, hopefully, there is a chance not to be a decade late. That’s why it’s important to keep on par and think about cybersecurity, not only about how technologically to protect this, but also to spread awareness about issues so that regular users are not feeding AI with their personal data without necessity. Employees don’t share confidential information, etc. Sergio, do you want to add?

Sergio Mayo Macias: Yes, I agree with you. I think that for AI, we cannot push people to install the antivirus. That is not realistic. We need to provide cybersecurity by default. We cannot send the elephant in the room to final users. We have to define safe spaces for using the AI systems and we cannot expect final users to do it. For instance, I was mentioning before the data spaces pursue that goal. To create this framework, a space with legal governance and also technical issues are developed and deployed by default, just to be used. So, we have the AI Act in the background, but we have to define these spaces for letting users use AI without concerning any other issue.

Gladys Yiadom: Thank you, Sergio. Perhaps, turning to the audience to check if there are any questions. Yes, we do have one question here. Sir, can we ask you to come to the middle and ask your question? So, please share your name, organization and who you address the question to.

AUDIENCE: Yeah, so my question is actually from Yulia, as she mentioned, you know, so there has been very difference in the conventional security and the AI security. For example, in conventional security, if you send certain requests, you get the same responses. In AI, it’s very different. So I mean, how do you see the security if every time the response generated is different? I mean, if even you train your model, you cannot expect if it will provide the same answer next time. You know, so like we are actually a security firm and we work heavily in the AI security right now. So we have faced these problems, like I mean, the security options which we provide to our clients. Even if you try after sometimes, the same errors, the same vulnerabilities arises again. You cannot handle it properly. So number one, how do you see that? As far as the vulnerability disclosure program you mentioned, I mean, companies are not taking it seriously. For example, if you report biasness as a vulnerability or as an issue, they’re not accepting. Even if you see the bug bounty program of the open AI and the bug crowd, they have clearly mentioned we are not accepting like biasness or racial or unethical responses in the report. So how do you see that? I would love to see the response on that if you, yeah, thank you.

Yuliya Shlychkova: So I think I like your comments and so I think they’re more like comments than questions. Thank you for sharing your experiences and for bug bounty, it took years for big companies to start doing bug bounties and vulnerability reporting. So I think that we, you, us, we just need to push for it and do this awareness. I’m sorry, we are human beings. It takes a while for us to accept the problem and start moving to the solution. As for the issue with the AI security being different, we also see this, we are using machine learning in our solutions for ages. And again, you need to ensure that you have representative data sets to train your model. Then you’re dealing with these false positives, false negatives. Like trying to find the bar where the performance is okay and acceptable. But still, we have this human control on the top, because 100% confidence is not there. That’s why we have human experts who are analysing the output and can interfere. So what we call it, it’s multi-layered protection. So we are trying to use different models, they’re checking on each other. And at the end of the pyramid, there is human factor.

Gladys Yiadom: Thank you, Yulia, for your response. I’ll just take one online question and then I’ll hand it over to you. So I believe, Jochen, we do have one question online.

Lufunu Chikalanga: More than one question. Actually, there are three questions. First of all, it was valued very much that the report was shared. And also, there was positive feedback to Alan’s remarks with regard to trust must verify, and having that transparency aspect with regard to cyber security and artificial intelligence. One question to Yulia. Please excuse if I misspell your name. Lufunu Chikalanga from Osis Orisur Consulting. He is interested to get some information about the role of open source and artificial intelligence. And in particular, he raised the question whether it is enhancing security or increasing vulnerabilities.

Yuliya Shlychkova: It’s a very good question. So, on one side, we advocate for open source and it’s great that community being built around AI, models being shared, data sets being shared because it’s not, it’s limited innovation if it’s only proprietary models. So, and especially for regions like Africa and others, I think it gives opportunity to leverage innovation, like this openness, availability for open source information. On the other side, those who are deploying the models need to own responsibility of security for the things they are using and to check, to audit, to do not admit that if someone developed this for you, it’s like 100% ideal. So, this would be my answer. Please, our panelists, add on to this.

Gladys Yiadom: Do you have any other comments from our panelists, perhaps on this topic?

AUDIENCE: Yeah, I like open source, but I would jump in and say, I think there is a role for closed source. I think it’s perfectly valid, for example, if you’re using AI for cybersecurity and that goes back to a question over here. I think it’s really good to have transparency, to know what you’re using as the training data. But yes, there’s the issue of innovation. I’m sure in the future, there’ll be a way beyond this. So, having a closed system that’s off the cloud, that’s proprietary, that’s able to learn and has that security badge.

Yuliya Shlychkova: I want to have something in the middle because we as a company, we do have transparency centers where in the secure environment, we are sharing the models we’re using, our data processing principles. So, this can be shared, but in a secured environment. Yeah, good point.

Gladys Yiadom: Thank you, Yulia. So, perhaps before taking another question online, Jochen, we have one question in the audience here. Can we ask the person to answer?

AUDIENCE: Thank you. Sorry, do you hear me? Yes, we can hear you perfectly. Thank you very much for the panel. It’s very interesting. But I have a question maybe for Yuliya. I mean, the issue, I mean, when we speak about AI and security, okay, we have AI that could be used for enhancing security. We have the normal security issue about platform infrastructure data, data center, blah, blah, blah. And then we have the data security. I mean, when we speak, if there is any other dimension that we miss, I mean, there is in the algorithmic, in addition to these ones, I mean, because whenever, I mean, I have the feeling that it’s more data security and infrastructure security at large. But is there anything related to, let us say, machine learning process or algorithmic process that we have to consider according to your knowledge on this regard? I’m not sure it’s clear, but I have the feeling that we mix AI security with data security and infrastructure security. Is there any other dimension? Model?

Yuliya Shlychkova: I have this headset. That’s why I feel that it’s also working as a mic. I believe that you’re right, that model security is also, should be considered in the holistic picture because this is black box and we can be in classic programming to be sure that the code will perform as intended. Therefore, it’s very important to test model. And we already saw adversarial attacks trying to impact the way how model functions, maybe to add noise and invisible for AI and let model misperform. So model security is also in the question, the algorithm. Definitely.

AUDIENCE: So I was just going to add today about, if you look at the traffic on the internet, 70 to 80% is API calls, which basically means it’s code talking to code. And each one of that is a vulnerability. So it’s not just data and critical infrastructure. I think it is also because we’re looking at algorithms which are made with different languages and we’re trying to map them together with interoperability and it is not working. So one update is happening. We’re not updating in real time. And I saw a piece of research that says it takes about 200 days on an average to find a security vulnerability. That’s 200 days for a hacker to access your data. So just think of all of us. We’re here at a conference. How many of you have ensured that your data and your devices are updated? And that’s the challenge, right? Yeah.

Dr. Alison: Thank you. I’ll jump in really quickly. I think some developers are like chefs. They have their cuisine and they use their process for the model and your mother’s process is probably different from mine. So I think there’s probably a lack of, what’s the word? Replicability in the model of who’s designed it and passing the steps to the next person. And once the model starts going, then we don’t know what’s happening and there’s no record. Thanks.

Gladys Yiadom: Sergio, do you have any comments?

Sergio Mayo Macias: Yes, please. Yes, indeed, indeed. I’m really happy to hear this question and I totally agree with Melodena and Alison’s comments. And let’s say that we have an ideal world with no data problems and we have fair data, secure data, reliability data, and so on, so on. And data is not problem anymore. This is an ideal world. This is impossible at all, but let’s think about that. Afterwards. As you said, there is a programmer. We have the black box. We have the algorithm. And we have the human being there, using fair data, good data, data with no problems, with no bias, and so on. And what do we do with the black box? It is the same that happened, if you remember, with COVID crisis, with the vaccine. We have the chemistry and so on. The chemistry is data. The components. But afterwards, we have the people working with those components. Let’s say the programmers here with the black box. Do we trust them? And as I already said, at the end of the day, trust is not about data. It’s trust about human beings. So we have going beyond trusting data. We have to go beyond trusting the black box. We have to think about if we are ready to trust in human beings and developing their models.

Gladys Yiadom: Thank you, Sergio. Almost a philosophical question, right? At the end of the day. Yes. Indeed. The key in this. Thank you. Jochen, do we have another question online, please?

Jochen Michels: Yes, we have. Some of them were partly answered by Sergio, for example. But I will first share the question. One question is by Max Kevin Belly there. He would like to know what is the relationship between regional legislation and limitations with regard to artificial intelligence and also on the level of different states, and whether that is a hurdle to try to find harmonized rules and harmonized, global harmonized regulations in that regard. So some standards, that is a question perhaps to Melodena and Sergio, and there is one further question by Maha Ahmad, and that was also particularly answered by Sergio, it’s about classification of AI technology, and Sergio already referred to the European AI Act and the risk-based approach, but perhaps Alison or Melodena, perhaps you can share examples from other regions, whether there is the same approach or whether there is another approach regarding high-risk AI, low-risk AI, and so forth. Thank you. That were the questions here from the online attendees.

Gladys Yiadom: Thank you, Jochen. So perhaps Melodena.

Melodena Stephens: Okay, so the first question. The first question was on AI regulations and regionalization. Okay, so the EU is the only one that I would look at it currently right now that has…

Gladys Yiadom: No, it’s good. It’s working.

Melodena Stephens: Harmonized across its 27 countries, but we also see that it is in implementation, right? So it will take some time, and right now what we don’t have is time. With the rest of the world, what I’m seeing is a strong trend towards bilateral agreements, and part of it is on defense, part of it is on data sharing, and another big one on knowledge and talent. So we’re seeing a slightly, so much more polarized world where it’s focusing on bilateral ties, and this becomes very interesting. If you want to take a step further, is it about governments? Is it about tech firms? I think that is a far more interesting discussion for me. If I look at the 500 cables that are undersea that are transmitting about 99% of the data, most of them have private ownership. If I see data centers, most of them are again private. So I think there’s a whole other discussion which we are not taking into place in policy regulations, which is the role of private sector, many of which these companies are having revenues and market capitalizations much larger than countries. So you can see a power asymmetry coming in over there. I think the second question was on… Classification right here. So I know this is an interesting one. So besides risk, I’m gonna move away from risk. There’s been a lot of debate on whether we should look at it as AI technologies or AI for industry regulations. And this is a hard one because what we’re seeing right now, if I ask you a question, is Tesla a car with software or is it software disguised as a car? What do you think it is? And therefore, how should it be regulated? And the very fact, if we don’t have an answer tells… But the fact it’s… Sorry, he says software.

Charbel Shbir: Hello. Yes, it is. Hello, my name is Charbel Shbir. I’m president of Lebanese ISOC. Regarding your question, I think it’s a software developed by a person or a developer engineer. So therefore, the regulation must be… He has liability regarding the software that he developed. This is my answer. It’s not about the car as it’s a car, because it is autonomous and it’s worked by itself. Reason why he should hold the responsibility because he developed the software. But I have another intervention.

Gladys Yiadom: But I just wanna add one point. You’re right, but when it is registered, how is it registered?

Charbel Shbir: It will be registered as a car. It is registered as a car, but the responsibility is who’s driving the car.

Melodena Stephens: That is why there are challenges. So think of your health app. Apple, is it a watch or is it a health app, right? And I think this is where we’re gonna have these interesting discussions on jurisdiction that AI will move across industries and we don’t have oversight. So the purpose with which it was developed for one purpose allows it to scale into a totally different industry for another purpose and we don’t have transparency on weights, why were those weights developed? It was developed for health, but now it’s being used in X case. And I think that’s the challenge. So thank you, thank you for that answer.

Gladys Yiadom: Thank you, and Melodena, perhaps ask Sergio if you have any further comments regarding the first question that was asked and then I will hand it over to Alison.

Sergio Mayo Macias: Well, actually, yes, it’s just more or less repeating the same that you said, but also I agree with Melodena that regarding data, being able to establish contracts for ensuring trust is the key issue now. Now with data spaces in European Union, we are trying to skip that problem for SMEs and for citizens and to establish this safe space with no need of contracts, with no need of agreements for sharing data. And actually I am aware that this model is being, is let’s say also used in some countries in Latin America. They are consulting us on why we are doing these data spaces and how they work. And they are trying to do more or less the same in South America for sharing data without the need of establishing this type of one contract or one agreement for each time that we share data.

Gladys Yiadom: Thank you, Sergio. Alison, please.

Dr. Alison: Thank you, just to jump back in. So the question of high risk contexts. So I was at Warwick University a couple of weeks ago with some of the MSc students coming in from industry, from all different sectors, critical national infrastructure, nuclear, I mean, everything you can imagine. And everyone wants to use AI for cybersecurity, because of course, we’re just human. But once we have the developers, that was a really interesting point over here about the developer bearing liability. But once the model starts modeling, then it’s gone from the developer. It’s gone from their hands. It’s not in their control anymore. So there was a conversation. And again, from another security institute, the Cognitive Security Institute, really interesting discussion there. And we are human. So a parental relationship, 80% of people we can train, but the other 20%, you know, it doesn’t matter how smart they are, or what, you know, whether they’re on the board, but these are the people that will always click on the link. We know that because that’s human psychology. So do we implement some security and say, okay, we’re going to just implement the security to stop that happening. So let’s secure the system and take out the 20%. I don’t mean that, you know, let’s secure the system so that that can’t happen. And that’s one of those trade-offs that Melodena was speaking about earlier. So maybe the company says, yeah, we’ll have zero trust, we’ll have best practice. But in the end, let’s put some baseline security in just to take away some of that baseline risk. Maybe that’s how we deal with this high risk. And, you know, to get back to our issue of innovation earlier on, it’s a really difficult space, but we can see this unimaginable innovation out there in the future. And it’s just really trying to navigate this difficult space at the moment, so that we can reap, hopefully get to the benefits. Thank you.

Gladys Yiadom: Thank you, Alison. So we’ll take another question from the audience. There’s one lady and then we’ll introduce her.

Christelle Onana: Good morning. My name is Christelle Onana. I work for AUDA-NEPAD, which is the developing agency of the African Union. So my question goes to maybe Melodena and Alison. We discussed earlier, and you say that harmonization happen ideally. So then my question goes of, should we, so last July, the African Union adopted a continental AI strategy. There is quite a lot that needs done on the continent. The countries have different labels of policies and regulation defined. So if there is a continental strategy that has been adopted, it should be implemented sooner or later nationally. Should we then not talk about harmonization because we talk about a system that is global and is difficult to, to may put it to geo-localize to, you know what I mean? That’s one. And what will be your recommendation about then implementing the strategy that has been defined, going about it nationally, engaging with the countries for the development agency that we represent? Thank you.

Melodena Stephens: So you have a mic perhaps, yes. Okay, so I’ll start. I was very pleased to see the strategy, 55 countries, massive, massive, massive. I think we underestimate Africa as a continent and there is a chance now to be actually in the forefront. Now, there are a couple of things that are important to realize between the US private sector model, which is on market capitalization and the European Union model. There are two different things that Africa will have to decide. Are we in it for just the profits for the economy, this thing, or is it also about lifestyle? Because if you look at EU, I remember one of the discussions that was happening in Germany was, Why don’t you list on the stock market? Why don’t you want to be a trillion dollar company? And one of the founders actually said, well, I’m happy with the amount of money that I’ve earned. I can take care of the families. Why do I need to grow? It provides enough. And that’s very different from the other mindsets. That’s one thing that Africa would have to figure out because you’ve got a lot of societal values. Family is important. Society is important. What do you want to focus on? The second thing that I think is important is just to understand what are the assets within Africa. So we know that Cobalt, for example, DRC is a major provider. If we could go across the 55 countries and find unique assets that you could tie in, I think there is a win-win situation for all 55 countries that’s there. This is really important in the future because we see across the world, a lot of countries have assets, but they are sold as commodity products, not value added. And again, I like the EU model because you look at the trade, intra-trade within the EU model, it’s 60 to 70%, which I think is huge. So there is enough for everyone in Africa to benefit if you’re focusing on intra-trade. Non-harmonization, what would come? I think that’s important as standards for interoperability, right? 
So all of us with USB-C, thank you European Union for that. But I think interoperability will be key on how you would want to make it work and even deciding who would be your key markets because who you would sell to will also decide whether you want to align your standards with them. And I think that’s things that you would have to decide at a strategic level.

Dr. Alison: Thanks for that, Melodena. I think I have to come back from an education piece and talk about the ideal world would be something like mobilizing the youth. And there’s all of the IGF youth ambassadors here from different countries. One of a young guy I’ve worked with from Ghana, IGF youth movement there and this vitality, and young people, and really think even going younger and younger, going into schools and doing an education piece that makes sense. So your parents’ business, what happens to your parents’ business, really at that level, so it’s really, it’s understandable the risks that are involved, so that people can embrace the risks and young people particularly can mobilise and get involved and take the actions that they need to, that will help families and help businesses locally. So maybe from the education piece, I mean maybe Kaspersky has something to say on an education piece.

Yuliya Shlychkova: I was just listening to you. Education is indeed important and I think education helps harmonisation. It’s like when people are connected with their minds, it automatically motivates more harmonisation. And I believe that education efforts should also be shared responsibilities that not only governments, but also private sector, university, parents, so that it’s also like a common goal and as a private company ready to contribute.

Gladys Yiadom: Thank you Yuliya, Melodena and Alison for your comments. Perhaps, Jochen, do we have another question online?

Jochen Michels: Currently, we do not have questions online. There is a little bit of discussion between the attendees, but no direct questions to speakers.

Gladys Yiadom: Thank you, Jochen. We have a question from the audience. Can I ask you, sorry, to come by and ask your question? So please share your name, organisation and who you address your question to, please.

AUDIENCE: Hi, I’m Odas. I’m from… Digital Uganda. We’re based in Kigali, Rwanda. And I want to ask Yulia regarding what you mentioned around data poisoning and open source datasets. So my question is around, have you seen some of these instances where there’s data poisoning and open source datasets and are there tools in the preparatory open source that can be used in security audits of such open source datasets?

Yuliya Shlychkova: We did see data poisoning, unfortunately. Because I’m not a technical expert, so I think I would not be able to move further. But even at Hugging Face, there were some backdoors and so ready to exchange business cards with you and connect with our experts who can provide more information. In terms of AI audit, we also see that this is raising trends. And in Europe, already more companies who are providing audits, adding AI audits in their portfolio. And I was able to chat with some of them. And what they’re saying is that they’re also developing methodology. Their first clients, it’s also their like pilots, pilots are grounded. They’re testing this methodology. So I believe we will see more and more of this.

Gladys Yiadom: Thank you, Yuliya. We have another question from the audience.

Francis Sitati: Thank you very much. My name is Francis Sitati from Communications Authority of Kenya, which is a regulator for the ICT sector. My question is about the ethical considerations of AI. When you talk about innovation in AI, you can’t miss to talk about the ethical issues, especially with regard to the psychological effects of developing the data models. We’ve seen big tech companies using proxies, to, you know, leverage the affordable labor or cheaper labor within developing countries. So what do you think are some of the considerations in terms of AI practices, to promote AI practices with respect to the ethical use of AI?

Melodena Stephens: So this is a tough one, right? Because when I look at ethics, I think ethics are great. The line between good and bad is a difficult one. So on one hand I go, I want to increase the level of income. So I come and I choose cheap labor, but I’m also willing to close when I find another cheaper labor source. And this is the challenge we have to face, right? Or I want to introduce AI, but I don’t have any implications on the consequences to environment as an example, water consumption, electricity, e-waste recycling. E-waste is far more toxic than carbon dioxide, but we don’t have enough e-waste recycling centers. So with ethics, I think we need to, and there are many standards. I think the UNESCO has put up one recently at UNGA. They all agreed on certain standards. The problem is again, operationalizing it. So there are guidelines. And I think it’s for us to figure out what does that mean for our country and our people? And I always like it to be people-centric. So if I’m saying transparency, why do I want transparency for my people? And it could be because I want a cultural, I want it to be culturally sensitive. If I think in my culture, a child or someone to the year of 16 or 18, not necessarily 12, then I want it also to be aligned for my culture. Family is important. And I, maybe in my culture, it’s. collective family, it’s uncles, aunts, extended family. So I think translation is the difficulty which we don’t have alignment worldwide. So we have all of these things, we don’t know how to operationalize it, and we don’t know how to go and implement it. So right now at this point, because AI is being perceived as the in thing and because of national security issues, there’s a huge investment in AI. I wanted to mention this, the current tech debt is around 40 to 50%. That means if you put in 1 million into a project, you need to keep half a million for upgrading the system, retraining the system for cybersecurity. 
We are not considering that and that is leading to a lot of failure. Currently, right now, the AI failure rates is around 50 to 80%. So I just want to share this data set with you. 1.5 million apps on Google and Apple has not been updated for two years. 1.5 million apps. That’s a data vulnerability point. That’s a cybersecurity issue. And in 2022, Apple removed something like a half a million apps. So we’re seeing that we’re starting businesses using AI and the first question is why? What is the benefit for the human being? And the second thing is we’ve not considered we can’t sustain the business. So it becomes a cybersecurity issue. So yes, I think AI ethics, I mean, I’m happy to sit with you separately. IEEE also has a policy on a couple of these things, but they’re all guidelines. We aren’t able to implement it because there are cultural nuances and interpretation.

Gladys Yiadom: Thank you very much, Melodena, for highlighting this. Perhaps Sergio, Yuliya, any comments? Oh, Alison. No, please. Sergio, please go ahead first and then Alison.

Sergio Mayo Macias: No, no problem. I totally agree that ethics is a grey field. It is difficult to mandate ethics. Let’s say, for instance, if you are hiring people, you are a recruiter, or you are using AI for helping in your recruitment, is it fair, for instance, if you want, let’s say, a German native speaker to develop a system promoting CVs received from Germany? Are you avoiding to use CVs received from other countries? Are you going to read everything in the CV for filtering before calling people to interview? So they are difficult questions. So it is ethic or it is not ethic to define, to develop this type of algorithmics. I was mentioning before the algorithmic fairness. This is something that we have to have in mind, of course, fairness, but fairness is different than ethics. So we should think before developing an AI system if we want to use it for a personal use or for including other people being involved in the use of the AI system.

Gladys Yiadom: Thank you, Sergio. Alison, please.

Dr. Alison: Yes, thanks. This is probably outside of my domain, but I think we discussed earlier that ethics is probably something that’s a cultural norm. So I think maybe ethics for you are slightly different for ethics for different people from around the world. So maybe it’s something you’ve probably already done all of this and thought of this, but maybe something bottom up. What does ethics mean to you? Where does it come from? What are the norms of ethics? And this is probably an education piece at local schools, schools getting involved in consultations and helping you develop those. I’m sure you’ve probably done all of this, and then leveraging, I think, as Melodena was saying earlier, your unique assets, your unique resources with those tech companies, because the tech companies, we know who they are, some of them, well, they’re not, actually, I don’t see any of the exhibition stands, actually, but it’s quite interesting, they’ve got so much weight in the world, but I think if you can look at your assets and say, well, these are our unique assets, and maybe leverage that in this really imbalanced world with those tech companies, maybe, I don’t know, I hope that helps. Thank you.

Gladys Yiadom: Thank you, Alison. Yuliya, perhaps, as Kaspersky developed last year, the ethical principles.

Yuliya Shlychkova: Yes, we believe that ethics is important, transparency is important, and also, in addition to mandatory regulation, self-imposed standards also is vital in the whole ecosystem, and we, as a company, developed our own principles, ethical principles, we mandatory declared to adhere to, and I think this is a good practice, and more and more companies, they joined in different pledges, showing their principles, so this has already happened, this is good, but I also wanted to comment that we even internally had this discussion, whether the usage of AI can influence the workforce, because right now, in Kaspersky, we have, like, 5,000 engineers, and our top, top-notch researchers, and we’re really proud of our research teams, because they’re able to discover very advanced cyber-espionage campaigns, and our researchers are part of the community, which are, like, 100, 300 in the world, so it’s very unique talents, but they all started being regular virus analysts, investigating very simple viruses before they grew up to that level, so we were thinking whether introducing AI to do more simple tasks will kill this journey, maturity journey and actually we ended up with positive thinking because we believe with more AI being used to automate skills like the professional will shift from doing things manually from maybe being more operator of AI model so skills will be a little bit different but still the journey will be there and humans will be required. So at least internally we hope that it will affect human employment but still will introduce more opportunities and different job profiles.

Gladys Yiadom: Absolutely, I think this also has been one of the key questions that we’ve heard in international forums, is about the future of work in the context of AI. Thank you very much for sharing that, Yuliya. We can also take one or two other questions. Are there any questions from the onsite audience? I don’t see any. Jochen, do we have one or two last questions? Oh, see, we have one, sorry.

AUDIENCE: Hello, can you hear me?

Gladys Yiadom: Yes, we can.

AUDIENCE: Okay, my name is Paula. I am from GIZ African Union. I think in the presentation, you showed that there was some cyber incidents that had happened based off of AI. But do we have any case studies on cybersecurity incidents based off of AI that have destabilized the nation? For instance, any sort of use of autonomous weapons to attack a particular nation and that.

Jochen Michels: We cannot hear.

Yuliya Shlychkova: But we also started to see more advanced use, used by advanced actors. But it can happen in a very persistent manner. For example, there is a collection of malware samples for all cyber security companies to refer to. And we see that for some time, a malicious actor was sending samples with specific logic, so that all cyber security engines later trained on these samples would recognize or not recognize this thing. I’m trying to explain this in simple words. But definitely we see that more advanced attackers are trying also to use these and, let’s say, to affect machine learning algorithms which are working in cyber security software, so that later when they release their highly capable cyber-espionage campaigns, the defense technologists would not see it or would act something. So unfortunately we will see this more, but this is a race and we’re used to this in cyber security. Attackers come in with new technology, we come in with new defense. And in defense we also, in layers responsible for anomaly detection, we also use a very highly efficient AI which can detect anomalies. So we are good, we are on par, so there is hope.

Gladys Yiadom: Thank you very much, Yuliya. I think this leads us to the end of the session. I would like to first thank our speakers for joining us today, online moderators and participants online and on-site. We are available to continue this conversation. Please do not hesitate to reach out to us and we’ll be happy to follow up with that. The guidelines will be available online, so please also do not hesitate to check them. Thank you very much.

Dr. Allison Wylde

Speech speed: 170 words per minute

Speech length: 1832 words

Speech time: 645 seconds

Trust in AI is subjective and culturally dependent

Explanation

Allison Wylde argues that trust in AI is not a universal concept but varies based on individual perceptions and cultural backgrounds. This subjectivity makes it challenging to measure or quantify trust in AI systems.

Evidence

Allison Wylde mentions that trust is naturally given by humans, such as children trusting their parents without thinking.

Major Discussion Point

Trust and AI Adoption

Zero trust approaches should be integrated into AI development

Explanation

Allison Wylde suggests implementing zero trust principles throughout the AI ecosystem. This approach requires continuous verification of identities and permissions before granting access or trust.

Evidence

Allison Wylde mentions the complex, dynamic ecosystem of AI with multiple moving parts that need continuous monitoring.

Major Discussion Point

AI Security Challenges

Agreed with

Yuliya Shlychkova

Agreed on

AI security challenges

Gladys Yiadom

Speech speed: 0 words per minute

Speech length: 0 words

Speech time: 1 seconds

Over 50% of infrastructure companies have implemented AI despite trust concerns

Explanation

Gladys Yiadom presents data showing widespread adoption of AI in infrastructure companies. This suggests that organizations are implementing AI technologies despite ongoing concerns about trust and security.

Evidence

Kaspersky study revealing that more than 50% of infrastructure companies have implemented AI and IoT in their infrastructure.

Major Discussion Point

Trust and AI Adoption

Yuliya Shlychkova

Speech speed: 123 words per minute

Speech length: 2812 words

Speech time: 1363 seconds

AI is still software and not 100% safe, leading to cybersecurity concerns

Explanation

Yuliya Shlychkova emphasizes that AI systems are fundamentally software and thus inherently vulnerable to security risks. This leads to ongoing cybersecurity concerns as AI adoption increases.

Evidence

Yuliya mentions registered cases of AI being used by cybercriminals and AI systems being attacked.

Major Discussion Point

AI Security Challenges

Agreed with

Allison Wylde

Agreed on

AI security challenges

AI models can be vulnerable to data poisoning and adversarial attacks

Explanation

Yuliya Shlychkova highlights specific vulnerabilities in AI models, including data poisoning and adversarial attacks. These vulnerabilities can compromise the integrity and performance of AI systems.

Evidence

Examples of attacks include data poisoning of open source datasets, backdoors, and prompt injection targeting AI algorithms.

Major Discussion Point

AI Security Challenges

Agreed with

Allison Wylde

Agreed on

AI security challenges

Open source AI models may introduce new security vulnerabilities

Explanation

Yuliya Shlychkova discusses the potential security risks associated with open source AI models. While beneficial for innovation, these models can also introduce vulnerabilities if not properly audited and secured.

Evidence

Mention of backdoors and vulnerabilities found in open source datasets used to train models.

Major Discussion Point

AI Security Challenges

Education efforts can help build trust and harmonization in AI adoption

Explanation

Yuliya Shlychkova emphasizes the importance of education in fostering trust and harmonization in AI adoption. She suggests that shared educational efforts can lead to better understanding and alignment in AI implementation.

Evidence

Yuliya mentions that education helps harmonization by connecting people’s minds and motivating more alignment.

Major Discussion Point

Trust and AI Adoption

Agreed with

Melodena Stephens

Agreed on

Importance of AI education and literacy

Continuous training on AI risks and best practices is necessary for organizations

Explanation

Yuliya Shlychkova stresses the need for ongoing training within organizations on AI risks and best practices. This continuous education helps maintain awareness and preparedness for evolving AI-related challenges.

Evidence

Yuliya mentions the importance of regular updates to training courses and conducting field exercises.

Major Discussion Point

AI Education and Literacy

Agreed with

Melodena Stephens

Agreed on

Importance of AI education and literacy

Sergio Mayo Macias

Speech speed: 0 words per minute

Speech length: 0 words

Speech time: 1 seconds

The EU AI Act provides a model for regional AI governance

Explanation

Sergio Mayo Macias discusses the EU AI Act as an example of regional AI governance. He suggests that this model could be adapted or considered by other regions developing their own AI regulations.

Evidence

Sergio mentions that some Latin American countries are consulting on the EU’s data spaces model for potential implementation.

Major Discussion Point

AI Regulation and Governance

Differed with

Melodena Stephens

Differed on

Approach to AI regulation and governance

Algorithmic fairness is crucial but challenging to define and implement

Explanation

Sergio Mayo Macias highlights the importance of algorithmic fairness in AI systems. However, he notes that defining and implementing fairness in algorithms is complex and can vary based on context and use case.

Evidence

Sergio provides an example of AI use in recruitment, questioning whether filtering CVs based on language proficiency is fair or ethical.

Major Discussion Point

Ethical Considerations in AI

Melodena Stephens

Speech speed: 0 words per minute

Speech length: 0 words

Speech time: 1 seconds

Lack of algorithmic transparency makes it difficult to audit AI systems

Explanation

Melodena Stephens points out that the lack of transparency in AI algorithms poses challenges for auditing these systems. This opacity can make it difficult to identify and address potential biases or errors in AI decision-making.

Evidence

Melodena mentions the example of Google’s Willow, which performs calculations in minutes that would take supercomputers septillions of years, making it practically impossible for humans to trace or audit.

Major Discussion Point

AI Security Challenges

Africa has an opportunity to develop its own AI strategy and standards

Explanation

Melodena Stephens discusses the potential for Africa to take a leading role in AI development by creating its own strategy and standards. She suggests that Africa can leverage its unique assets and cultural values in shaping its approach to AI.

Evidence

Melodena mentions the recent adoption of a continental AI strategy by the African Union, covering 55 countries.

Major Discussion Point

AI Regulation and Governance

Differed with

Sergio Mayo Macias

Differed on

Approach to AI regulation and governance

AI ethics guidelines exist but are difficult to operationalize

Explanation

Melodena Stephens acknowledges the existence of AI ethics guidelines but points out the challenges in implementing them practically. She highlights the difficulty in translating broad ethical principles into concrete actions and decisions in AI development and use.

Evidence

Melodena mentions various ethical standards, including those from UNESCO, but notes the problem of operationalizing these guidelines in different cultural contexts.

Major Discussion Point

Ethical Considerations in AI

AI literacy should distinguish between digital skills and AI-specific knowledge

Explanation

Melodena Stephens emphasizes the need to differentiate between general digital literacy and AI-specific literacy. She argues that understanding AI requires a more specialized set of knowledge and skills beyond basic digital competence.

Evidence

Melodena points out that current digital literacy often focuses on digital skills training, which is not equivalent to AI literacy.

Major Discussion Point

AI Education and Literacy

Agreed with

Yuliya Shlychkova

Agreed on

Importance of AI education and literacy

Unknown speaker

Speech speed: 0 words per minute

Speech length: 0 words

Speech time: 1 seconds

There is a need to increase AI literacy among professionals and the general public

Explanation

This argument emphasizes the importance of improving AI literacy across society. It suggests that both professionals and the general public need a better understanding of AI technologies and their implications.

Major Discussion Point

AI Education and Literacy

Youth mobilization and education are key to responsible AI adoption

Explanation

This argument highlights the role of young people in shaping the future of AI adoption. It suggests that educating and engaging youth is crucial for ensuring responsible and ethical use of AI technologies.

Major Discussion Point

AI Education and Literacy

Self-imposed ethical standards by companies are important alongside regulation

Explanation

This argument emphasizes the value of companies developing their own ethical standards for AI use. It suggests that these self-imposed guidelines can complement formal regulations in promoting responsible AI practices.

Major Discussion Point

AI Regulation and Governance

AI’s impact on the workforce requires careful consideration of human-AI collaboration

Explanation

This argument addresses the potential effects of AI on employment and work processes. It suggests that organizations need to thoughtfully plan for how humans and AI systems can work together effectively.

Major Discussion Point

Ethical Considerations in AI

Agreements

Agreement Points

AI security challenges

Allison Wylde

Yuliya Shlychkova

Zero trust approaches should be integrated into AI development

AI is still software and not 100% safe, leading to cybersecurity concerns

AI models can be vulnerable to data poisoning and adversarial attacks

Both speakers emphasize the need for robust security measures in AI development and implementation, highlighting various vulnerabilities and the importance of continuous verification.

Importance of AI education and literacy

Yuliya Shlychkova

Melodena Stephens

Education efforts can help build trust and harmonization in AI adoption

Continuous training on AI risks and best practices is necessary for organizations

AI literacy should distinguish between digital skills and AI-specific knowledge

The speakers agree on the critical role of education in fostering responsible AI adoption, emphasizing the need for specialized AI literacy and continuous training.

Similar Viewpoints

Both speakers highlight the complexity of implementing ethical guidelines and fairness in AI systems, acknowledging the challenges in translating broad principles into practical applications.

Sergio Mayo Macias

Melodena Stephens

Algorithmic fairness is crucial but challenging to define and implement

AI ethics guidelines exist but are difficult to operationalize

Unexpected Consensus

Regional approach to AI governance

Sergio Mayo Macias

Melodena Stephens

The EU AI Act provides a model for regional AI governance

Africa has an opportunity to develop its own AI strategy and standards

Despite representing different regions, both speakers advocate for regional approaches to AI governance, suggesting that tailored strategies can be more effective than global one-size-fits-all solutions.

Overall Assessment

Summary

The main areas of agreement include the need for robust AI security measures, the importance of AI-specific education and literacy, and the challenges in implementing ethical guidelines and fairness in AI systems.

Consensus level

Moderate consensus exists among the speakers on key issues, particularly regarding security challenges and the importance of education. This level of agreement suggests a shared recognition of critical areas that need addressing in AI development and implementation, which could potentially guide future policy and industry practices.

Differences

Different Viewpoints

Approach to AI regulation and governance

Melodena Stephens

Sergio Mayo Macias

Africa has an opportunity to develop its own AI strategy and standards

The EU AI Act provides a model for regional AI governance

While Melodena Stephens emphasizes the potential for Africa to develop its own unique AI strategy, Sergio Mayo Macias highlights the EU AI Act as a model for regional governance. This suggests different approaches to AI regulation in different regions.

Unexpected Differences

Focus of AI literacy

Melodena Stephens

Unknown speaker

AI literacy should distinguish between digital skills and AI-specific knowledge

There is a need to increase AI literacy among professionals and the general public

While both speakers agree on the importance of AI literacy, Melodena Stephens unexpectedly emphasizes the need to differentiate between general digital skills and AI-specific knowledge, which adds a layer of complexity to the discussion on AI education.

Overall Assessment

Summary

The main areas of disagreement revolve around approaches to AI regulation, methods of building trust in AI, implementation of ethical guidelines, and the focus of AI literacy efforts.

Difference level

The level of disagreement among the speakers is moderate. While there are differing perspectives on specific approaches and implementations, there is a general consensus on the importance of addressing AI security, ethics, and education. These differences highlight the complexity of global AI governance and the need for flexible, context-specific solutions.

Partial Agreements

Both speakers agree on the importance of trust in AI adoption, but they propose different approaches. Allison Wylde emphasizes the subjective nature of trust, while Yuliya Shlychkova suggests education as a means to build trust and harmonization.

Allison Wylde

Yuliya Shlychkova

Trust in AI is subjective and culturally dependent

Education efforts can help build trust and harmonization in AI adoption

Both speakers recognize the importance of ethical guidelines for AI, but they differ in their approach. Melodena Stephens highlights the challenges in operationalizing existing guidelines, while Yuliya Shlychkova emphasizes the role of self-imposed company standards.

Melodena Stephens

Yuliya Shlychkova

AI ethics guidelines exist but are difficult to operationalize

Self-imposed ethical standards by companies are important alongside regulation

Takeaways

Key Takeaways

Trust in AI is subjective and culturally dependent, making it challenging to establish universal standards

AI systems face significant cybersecurity challenges, including data poisoning and adversarial attacks

Harmonizing AI regulations globally is difficult due to cultural and regional differences

Ethical considerations in AI development and deployment are crucial but challenging to operationalize

Increasing AI literacy among professionals and the general public is essential for responsible AI adoption

Resolutions and Action Items

Kaspersky has developed guidelines for AI security that organizations can use to improve their AI systems’ security

Companies should consider developing and adhering to self-imposed ethical standards for AI use

Unresolved Issues

How to effectively harmonize AI regulations across different jurisdictions and cultures

How to operationalize AI ethics guidelines in practical implementations

How to balance innovation with security concerns in AI development

The long-term impact of AI on the workforce and job markets

How to ensure algorithmic fairness and transparency in AI systems

Suggested Compromises

Adopting a risk-based approach to AI regulation, similar to the EU AI Act, to balance innovation and security

Focusing on interoperability standards rather than full harmonization of AI regulations

Leveraging unique regional assets and cultural values in AI development strategies

Implementing multi-layered protection in AI systems, combining automated AI security with human oversight

Thought Provoking Comments

Trust is subjective. So maybe I trust you. I think I probably do. I don’t really know you too well, but I trust you. I’m a human. And so our human behavior is naturally to trust. Children trust their parents without thinking about it. And I think that’s one of the issues in business. People see a new technology and they want to be with the top technology, with the new technology. And of course they want to use it really without thinking.

Speaker: Allison Wylde

Reason: This comment challenges the assumption that trust in AI is a simple yes/no question. It introduces the complexity of human psychology and how it relates to trust in technology.

Impact: This shifted the discussion from a technical focus to considering human factors and psychology in AI adoption and trust. It led to further exploration of how to define and measure trust in AI contexts.

We almost see in the wild attacks on every component of AI development chain. Therefore, cybersecurity should be addressed. We need to talk about this and help not to stop AI usage but to do it safely and have basis for this trust in for AI use in the organization.

Speaker: Yuliya Shlychkova

Reason: This comment provides a comprehensive view of the cybersecurity challenges in AI, emphasizing the need for a holistic approach to security.

Impact: It broadened the discussion from general trust issues to specific cybersecurity concerns across the AI development chain. This led to more detailed conversations about security measures and best practices.

If you look at how many policies are there for cybersecurity, I think there are more than 100 countries which have policies. While some of them are on security and they’re looking at algorithmic security, we see recently over the last two years maybe more focusing on critical infrastructure. And there’s two things driving it. One is we’re moving away from individual security or corporate security or industry security to national security.

Speaker: Melodena Stephens

Reason: This comment highlights the evolving nature of AI security policies and their increasing focus on national security, introducing a geopolitical dimension to the discussion.

Impact: It shifted the conversation towards considering the broader implications of AI security at a national and international level, leading to discussions about the need for global cooperation and standards.

We need to provide cybersecurity by default. We cannot send the elephant in the room to final users. We have to define safe spaces for using the AI systems and we cannot expect final users to do it.

Speaker: Sergio Mayo Macias

Reason: This comment challenges the current approach to AI security by emphasizing the need for built-in security measures rather than relying on end-users.

Impact: It sparked a discussion about the responsibilities of AI developers and providers in ensuring security, leading to conversations about potential regulatory approaches and industry standards.

Currently, right now, the AI failure rates is around 50 to 80%. So I just want to share this data set with you. 1.5 million apps on Google and Apple has not been updated for two years. 1.5 million apps. That’s a data vulnerability point. That’s a cybersecurity issue.

Speaker: Melodena Stephens

Reason: This comment provides concrete data on AI failures and vulnerabilities, highlighting the scale of the cybersecurity challenge in AI applications.

Impact: It brought a sense of urgency to the discussion and led to more focused conversations about practical steps needed to address these vulnerabilities and improve AI reliability.

Overall Assessment

These key comments shaped the discussion by broadening its scope from initial considerations of trust to encompass complex issues of human psychology, cybersecurity across the AI development chain, national security implications, the need for built-in security measures, and the urgent challenges posed by current AI vulnerabilities. The discussion evolved from theoretical considerations to practical concerns and potential solutions, emphasizing the multifaceted nature of AI security and the need for collaborative, proactive approaches across various stakeholders.

Follow-up Questions

How can we develop a conceptual framework for trust in AI?

Speaker: Allison Wylde

Explanation: Trust is subjective and can’t be measured with traditional statistical methods. A conceptual framework is needed to define, measure, and implement trust in AI systems.

How can we address the issue of shadow AI use in organizations?

Speaker: Yuliya Shlychkova

Explanation: Many employees are using AI tools without organizational oversight, potentially exposing confidential information. Understanding the scale of shadow AI use is crucial for security.

How can we ensure algorithmic fairness in AI systems?

Speaker: Sergio Mayo Macias

Explanation: Even with good data, the human creating the algorithm must ensure fairness. This is a key point in addressing bias and ethical concerns in AI.

How can we balance national security concerns with individual privacy in AI regulations?

Speaker: Melodena Stephens

Explanation: This trade-off is crucial in developing AI policies and regulations that protect both national interests and individual rights.

How can we address the challenges of AI security given that AI responses can be different each time?

Speaker: Audience member

Explanation: Traditional security measures may not be effective for AI systems that produce variable outputs, creating new challenges for vulnerability detection and mitigation.

How can we develop and implement AI-specific protection standards for organizations using applied AI systems?

Speaker: Gladys Yiadom

Explanation: Current standards mostly cover AI foundation models, leaving a gap in protection for organizations implementing applied AI systems based on existing models.

How can we effectively harmonize AI regulations across different jurisdictions, particularly in Africa?

Speaker: Christelle Onana

Explanation: With the adoption of a continental AI strategy in Africa, there’s a need to understand how to implement it nationally while considering the global nature of AI systems.

What are the ethical considerations in AI development, particularly regarding the use of cheaper labor in developing countries?

Speaker: Francis Sitati

Explanation: There’s a need to explore ethical AI practices that balance innovation with fair labor practices and cultural sensitivities.

Are there case studies on AI-based cybersecurity incidents that have destabilized nations?

Speaker: Paula from GIZ African Union

Explanation: Understanding the real-world impact of AI in cyber warfare and national security is crucial for developing appropriate defenses and policies.

Disclaimer: This is not an official session record. DiploAI generates these resources from audiovisual recordings, and they are presented as-is, including potential errors. Due to logistical challenges, such as discrepancies in audio/video or transcripts, names may be misspelled. We strive for accuracy to the best of our ability.

WS #103 Aligning strategies, protecting critical infrastructure

Session at a Glance

Summary

This discussion focused on strategies for protecting critical infrastructure cybersecurity through international cooperation and multistakeholder approaches. Participants emphasized the need for a holistic approach to address the growing cyber threats to interconnected critical infrastructure systems. Key points included the importance of developing common definitions and standards across jurisdictions to reduce fragmentation, which was identified as a major security risk. Speakers highlighted the crucial role of public-private partnerships and information sharing, while noting challenges around trust and incentives for collaboration.

The discussion explored how capacity building, especially for under-resourced countries, is essential to improve global cybersecurity. Participants stressed the need for policies that enable rather than restrict private sector cybersecurity efforts, particularly around data flows and encryption. The intersection of critical infrastructure with commercial technologies was noted as an important consideration for future-focused policies. Speakers also addressed the role of international norms and agreements in combating cybercrime and promoting responsible state behavior in cyberspace.

There was broad agreement on the importance of multistakeholder collaboration to address the complex challenges of critical infrastructure protection. Participants emphasized that this collaboration must be meaningful and inclusive, ensuring diverse perspectives are incorporated. The discussion concluded with calls for more concrete action to address growing cyber threats, noting the massive economic impact of cybercrime and the urgency of improving global cybersecurity resilience.

Keypoints

Major discussion points:

– The need for a holistic, coordinated approach to protecting critical infrastructure cybersecurity across sectors and borders

– The importance of international cooperation, standards, and capacity building to address cybersecurity challenges

– The role of public-private partnerships and multi-stakeholder collaboration in improving critical infrastructure protection

– The impact of broader technology policies (e.g. on encryption, data flows) on critical infrastructure cybersecurity

– The need to move from high-level discussions to concrete, actionable measures

Overall purpose:

The goal of this discussion was to examine strategies for aligning efforts to protect critical infrastructure cybersecurity across sectors and countries, and to identify key challenges and opportunities for improving critical infrastructure protection through policy, partnerships, and international cooperation.

Tone:

The tone was largely collaborative and solution-oriented. Speakers built on each other’s points and emphasized the need for coordination and joint action. There was a sense of urgency about addressing growing cybersecurity threats, but also optimism about the potential for progress through multi-stakeholder efforts. The tone became more action-focused towards the end, with calls to move beyond conversation to concrete measures.

Speakers

– Timea Suto: Global digital policy lead at the International Chamber of Commerce, moderator of the session

– Rene Summer: Director for Government and Industry Relations at the Ericsson Group, Chair of the ICC Global Digital Economy Commission

– Francesca Bosco: Chief Strategy and Partnerships Officer at the Cyber Peace Institute

– Julia Rodriguez: From the Permanent Mission of El Salvador to the United Nations

– Mr Wouter Kobes: Standardization Advisor for Netherlands at the Standardization Forum

– Mr Chris Buckridge: Senior Strategy Advisor at the Global Forum on Cyber Expertise

– Ms Robyn Greene: Director for Privacy and Public Policy at META

Full session report

Expanded Summary of Critical Infrastructure Cybersecurity Discussion

This discussion, moderated by Timea Suto from the International Chamber of Commerce (ICC), focused on strategies for protecting critical infrastructure cybersecurity through international cooperation and multistakeholder approaches. The session brought together experts from various sectors to address growing cyber threats to interconnected critical infrastructure systems.

ICC Paper and Key Challenges

Timea Suto introduced an ICC paper on critical infrastructure protection, which outlines key challenges and recommendations for a multistakeholder approach. The discussion highlighted significant challenges, including:

1. Fragmentation and complexity in security (Rene Summer, Ericsson Group)

2. Lack of consensus on defining critical infrastructure (Julia Rodriguez)

3. Misalignment of definitions across jurisdictions (Wouter Kobes)

4. Rapid evolution of cyber threats (Francesca Bosco, Cyber Peace Institute)

5. Intersectionality of the technological landscape complicating policy approaches (Robyn Greene, META)

Multistakeholder Collaboration and International Cooperation

Participants agreed on the crucial importance of multistakeholder collaboration and international cooperation. Key points included:

1. Need for a holistic approach involving all stakeholders (Rene Summer)

2. Importance of public-private partnerships and information sharing (Julia Rodriguez)

3. Multistakeholder input for developing effective frameworks (Francesca Bosco)

4. Challenges around trust and incentives for collaboration

5. Need for regulatory interoperability across jurisdictions (Robyn Greene)

6. Essential role of capacity building, especially for the Global South (Chris Buckridge)

Global Forum on Cyber Expertise (GFCE)

Chris Buckridge highlighted the work of the GFCE in coordinating cyber capacity building efforts globally. He mentioned:

1. GFCE’s role in bringing together governments, private sector, and civil society

2. Focus on practical, coordinated approaches to cyber capacity building

3. The Women in Cyber fellowships program to promote diversity in the field

Standards, Policies, and Regulatory Approaches

The discussion emphasized the importance of standards and policies in addressing cybersecurity challenges:

1. Standards help address misaligned definitions across jurisdictions (Wouter Kobes)

2. Policies should be compatible with internet infrastructure and values (Robyn Greene)

3. Importance of encryption and data flows for cybersecurity

4. Need for privacy-by-design concepts in normative frameworks (Julia Rodriguez)

5. Resistance to unnecessary data retention mandates (Robyn Greene)

Emerging Technologies and Future Threats

Participants explored challenges posed by emerging technologies and future threats:

1. AI-enabled attacks as a growing concern (Chris Buckridge, Francesca Bosco)

2. Potential for fully autonomous cyber attacks (Francesca Bosco)

3. Importance of forecasting future technological needs and threats (Robyn Greene)

4. Need for responsible deployment of emerging technologies

Societal Impact and Broader Policy Implications

The discussion broadened to consider wider implications of cybersecurity failures:

1. Understanding societal impact of cyber attacks on critical infrastructure (Francesca Bosco)

2. Ensuring non-cybersecurity policies are compatible with cybersecurity best practices (Robyn Greene)

3. Cyber Peace Institute’s work on analyzing how cyber threats harm society and impact critical infrastructure

International Initiatives and Tools

Several international initiatives and tools were mentioned:

1. UN Cyber Crime Convention (Robyn Greene)

2. Global Cyber Capacity Building Conference in May in Geneva (Francesca Bosco)

3. internet.nl tool for measuring security standard adoption (Wouter Kobes)

Moving from Discussion to Action

The session emphasized the need for concrete, actionable measures:

1. Encouraging use of tools like internet.nl to measure security standard adoption

2. Need for awareness-raising and knowledge-building on international processes

3. Making it easier for companies to work with and share information with governments (Robyn Greene)

Unresolved Issues

Key unresolved issues included:

1. Achieving consensus on defining critical infrastructure across jurisdictions

2. Balancing security needs with privacy and human rights concerns

3. Addressing residual risks that industry cannot defend against alone

4. Preparing for potential future threats like fully autonomous cyber attacks

Conclusion

The discussion concluded with a sense of urgency about addressing growing cyber threats, balanced with optimism about the potential for progress through multi-stakeholder efforts. The ICC paper presented at the beginning and end of the session provided a framework for ongoing discussions and actions in this critical area of cybersecurity.

Session Transcript

Timea Suto: One second, and then we will start. Okay. Now it’s working. Okay. Welcome, everyone. I think we are ready to start. For those of you who might wonder if you are in the right room, this is workshop number 103 at the Internet Governance Forum on aligning strategies protecting critical infrastructure. This is a workshop that we’ve convened with the International Chamber of Commerce and our partners. My name is Timea Suto. I’m a global digital policy lead at the International Chamber of Commerce, and I will be moderating this session today. So why have we chosen to put this topic forward for the IGF? We’ve chosen it because we feel strongly that digital transformation is now part of every country’s development that creates enormous opportunities and enables basically everything from distance learning to economic advances, manufacturing, agriculture, all societal divisions in all sectors of the economy, and that cyber security is central to making this space work. But as we see the cyber space evolving, and it’s the centrality that it has to our everyday lives, it also poses a number of risks, and it needs us all to work together to ensure trust in the digital economy through the protection of the availability, integrity, confidentiality of these most essential infrastructures that make the Internet and digital technologies work and the services that they provide so that they are truly resilient. So that’s all I really wanted to say about the importance of the discussion that will happen today. My role here will be the easy one. I’m just going to ask the questions, but I have a number of experts, both here in the room and online, who will do the hard job in trying to provide some answers to why we need to talk about this, where we are at, and where we’re heading towards. So just for a quick introduction before I hand over, we will have with us, and in the order of which they will be speaking in, Mr. René Summer, online, who is Director for Government and Industry Relations at the Ericsson Group, and also the Chair of the ICC Global Digital Economy Commission, who will be our keynote speaker today. And then we’ll have a panel of conversation with Ms. Julia Rodriguez-Acosta, online as well. Hello, Julia. From the Permanent Mission of El Salvador to the United Nations. Mr. Wouter Kobes, Standardization Advisor for Netherlands at the Standardization Forum. Mr. Chris Buckridge, to my left, Senior Strategy Advisor at the Global Forum on Cyber Expertise. Ms. Francesca Bosco, online, who is Chief Strategy and Partnerships Officer at the Cyber Peace Institute. And last but not least, Ms. Robyn Greene, sitting in front of me, who is Director for Privacy and Public Policy at META. So without further ado, I think we’re ready to jump in and hear from René, a bit of a keynote address to kick us off and discuss a little bit about what is the current state of play in protecting critical infrastructures and their supply chains and what has ICC done about all this in the recent past. So René, I’m passing it over to you. I hope you can hear us and you’re ready for your keynote. Do we have René online? It seems like his screen might be frozen here. René, can you hear us? Can we try and connect? Hello? René, are you with us? Can you hear me? Can you try and speak? Can you message him, please, to try and speak?

Rene Summer: Can you hear me?

Timea Suto: Yes, we can.

Rene Summer: I can’t hear you in case you’re talking to me.

Timea Suto: Yes, I’m talking to you, but we can’t. Can we make sure that Rene has audio? I’m not apologies for the technical confusion. Or just while we’re trying to figure out, maybe if somebody can put in the chat that he can start his keynote. My apologies for the technical difficulty here.

Francesca Bosco: May I? Can you hear me?

Timea Suto: Yes, I can hear you, Francesca.

Francesca Bosco: I sent him a message. Let’s see if he can see.

Timea Suto: Thank you.

Rene Summer: Yes, I can hear now. Yes, perfect. OK, so Rene, I was just saying we’re ready for your keynote. Great, thank you very much. And great to see that we always have the challenges of technology today as well. So I guess that’s blame on the technology companies. Thank you very much for inviting me today. I’m Rene Summer with the ICC, the Global Digital Commission. And for those who don’t know us, we are representing 45 million companies from about 170 countries. And we are advocating for solutions and for policy recommendations and bring a wealth of experts in our network. So we do take a lot of effort and bringing a lot of expertise to make solid and insightful contributions. So with this in mind, we took some steps and reflected on what is it that we see unfolding, happening in our world today, and what is really at stake before we get into the more of the details of this discussion. And if we move to the next slide, please, I think what we are really concerned with is the current development in our cyberspace. And this is really putting new challenges and risks to our companies, but also goes beyond our companies and has significant impact both on public safety, economic stability and security and national security. And this of course means that more and more focus and emphasis is also put by national policymakers and regulators on the issue of cyber resilience and cybersecurity. So this of course motivated us looking at the next slide then to think more harder on what does this really mean when we not only have this broader picture and context of deteriorating cyberspace, but also that we see increased sophistication in cyber threats. So that means that we see more and more novel threat vectors and actors coming in to that play. And that is coupled with increased interconnectedness between what is ICT and other critical infrastructures. So we see also an expanded threat surface through this dependency. 
And that of course also means that there will be more and severe consequences if cyber attacks are successful. So this means that with this development and the increased emphasis by policymakers on cybersecurity and resilience of critical infrastructures and the supply chain, there is of course more pressure also on the industry to do more. And this is in many aspects rightly to take place, but it also means that we are facing a number of challenges, not only from a growing burden of compliance. taking off particularly the operators of critical infrastructures, but also these initiatives create challenges in terms of policy and regulation. And this is why we also want to be part of this discussion. So this really brings me to the purpose of why we took the steps we took and the details that we are presenting here today. And if we move to the next slide, please. This is the contribution that we are making here today and share the insights from our working paper on protecting cybersecurity of critical infrastructures and their supply chains. And at this really highest level, what we really want to convey as a key message is that there is a need for a holistic approach. And I will delve into what that means in more detail, but also that we need all stakeholders to be involved and particularly, of course, the governments that have to fulfil their roles as well. We many times hear that cybersecurity is a team sport, which is of course largely true, but there is also distinct roles and responsibilities that each stakeholders need to take and that also includes governments and policymakers. 
So if we can then move to the next slide and think about what are the dilemmas that we as, on one hand side, industry, but also other stakeholders and governments face in terms of doing more, we have in our paper identified some of the key dilemmas that at least from our end, we see limiting the effectiveness of what can be done more and better to increase the resilience of critical infrastructures. And of course, starting from a policy perspective… One of the challenges we see is that many jurisdictions that have developed critical infrastructure frameworks, which is far from all countries, have taken quite different approaches in terms of definitions and so on and so forth. And this creates at least two challenges. One is the question of policy targeting. If policy targeting differs between jurisdictions, of course, that means different objectives are ultimately being pursued. But secondly, as these frameworks then bend into also obligations and requirements, this brings complexity and fragmentation. And I would really like to undermine all of us here to think about that fragmentation and complexity is the number one enemy of security. This is not just a trade argument. This is really a security argument that fragmentation and complexity are the number one enemy of security posture. Then, of course, some jurisdictions have moved beyond the question of critical infrastructures only and speak of actually the essential services that these critical infrastructures deliver and bring to the public sector, or to the consumers, or to other industries. And I think that is another important element, is that ultimately we are not only protecting the critical infrastructures as policymakers, but the essential services that these render. And it is worthwhile to undermine that distinction as governments and nations move on to develop further frameworks. 
I think also something which we are trying to address in this paper is the increased interdependency between what has been typically that are seen as the telecom sector or the digital sector, and when those get interlinked, what previously were seen as separate industries being the energy grid, power distribution, and so on and so forth. This interdependency also creates additional risks and threats that need to be considered and addressed. Because of global supply chains and the suppliers that supply the equipment and solutions into these sectors, we also need to think about the global interconnectedness and the impacts that may come from these dependencies. So we don’t only see cascading risks or effects between different national critical sectors, but also from the national arena into the international space when we have also international supply chain. And as all of you well know, cybersecurity does not know any borders. So this, of course, brings additional challenges. I think it is also important to highlight the aspect of third-party suppliers in the supply chain that have been also increasingly targeted by threat actors and become an entry point into impacting critical infrastructures. And here, of course, a number of challenges that we will talk about later need to be addressed, but also important to keep in mind that there are, of course, different types of suppliers and they have different levels of maturity. And making sure that we have sufficient capacities and capabilities in the supply chain to address these risks and exposures is extremely important. Which brings me then to, well, how do we move beyond dilemmas? And if we go to the next slide, please. We, of course, took good care… time and effort to think about what are the best industry best practices and what do we see on policy and regulatory side. 
And by no means this is a unique insight by ICC and its members because of course there is a lot of good work done by others and we have definitely stolen with pride where there are other entities or stakeholders that have put a lot of effort and thought into these questions. And here you can see a number of examples that we have addressed in our paper what we think is important to take on board and how we can also make use of these best practices when I talk more about public-private partnership. And some of these examples here of course such as having comprehensive security measures or strong data backups and so on are fundamental considerations that we believe the industry needs to lead with and it’s necessary part of the solution. But again we also have policy and regulatory approaches that we need to take care about and consider how they impact the culture of critical infrastructures and the operators of those. And it is of course so that as any other industry we talk about the operators of critical infrastructures they also face a number of constraints and that means that when we look at the different regulations and approaches it is important to think about how we make sure that those are effective, targeted and achieve their objectives so that we can work with the scope of trade in the most effective way and achieve the outcomes we I think all are looking forward to achieve which is secure critical infrastructures and the supply chain. So moving beyond this generic state. If we go to the next slide, please. We do, of course, think that there is more to be done and we believe from the industry side there are a number of priorities, thinking about the constraints again. For instance, start with the baseline security requirements first and make sure what needs to be done first is really in place. 
You don’t need to start with the perfection on day one, but really make sure that the bare minimum is in place and work from there rather than trying to fix everything at the same time. Secondly, I think what is important because of the dependencies I touched upon earlier, it is also important to think about what are the third parties, the supply chain actors doing in terms of contributing to or actually decreasing the security posture of critical infrastructures. So please do keep that in mind. And of course, from a more commercial point of view, partnerships between the critical infrastructure operators and suppliers is key. And that’s something which, of course, needs to be incentivized, but also there needs to be frameworks in place that make sure that, again, the bare minimum at least is achieved. On the policy side, I would say that there are a few things which we already see being developed in several jurisdictions. We see that there are now requirements on suppliers and third parties on how a secure software development process should look like. This is something which I think should be expected. And as we see that more and more sectors are becoming more software driven and software rich, this is definitely an important aspect of security. Speaking also of the supply chain, and where not only resilience, security, but also trust is important, diversification is key. And this is another element of policymaking that we see is developing, that you want to make sure that you have a resilient, secure and trusted supply chain.
And then lastly, I think also, or we think that there is an essential aspect of policy to make sure that on one hand side, there are clear roles and responsibilities, but also that cooperation and coordination between the stakeholders is encouraged because we don’t want to see an environment when risk averse behavior stops the behavior of sharing information, being proactive and sometimes even taking risks, especially when we talk about in the heat of the moment when incidents and threats are unfolding and measures need to be taken. So with that, if we can move to the next slide, if we put some of these examples in a kind of a broader or bigger picture, what is it that we are really looking for? And this I think needs repetition and repetition because it takes time from saying this and seeing this being implemented into policy action. But number one, again, there is no single silver bullet here and that’s why we are advocating for a holistic policy that is both well balanced, but also well targeted to make sure that the critical infrastructures and essential services providers and their supply chain are working together towards a set of goals. In the context of collaboration, it is also important that we see that there is both emphasis on enforcement, but also on incentivizing appropriate behavior. And this, I think, is particularly important to keep in mind because cybersecurity is not an end in a sense that we come to a situation where everything is cybersecure. It is a continuous journey. It’s a state that is always on the move. So we will never be done. There is no final checkpoint. And that’s why it’s important to also have incentives for appropriate behavior. Then I think, and this comes back to my initial call, that also governments have a real important role. And while cybersecurity is a team sport, but there is also a clear role for governments.
And there are residual risks, even if you develop an appropriate security regulation framework and you take appropriate mitigating measures on board, there will always be residual risks. And this is where governments in particular have a very important role to play. And you see some examples on measures how you can actually address these residual risks. This is something which the industry will not be able to fix. And there are no insurances for this to be taken. And even if so, it doesn’t mean that the negative consequences will not happen just because you have an insurance. So please do think about those as well, how to tackle the residual risk, which is very, very important. If we move to the next slide then, and here I think we have three more slides to kind of go a little bit more into some of the recommendations we have in this paper. From a policymaking perspective, it is absolutely necessary that nations do have an independent, competent cybersecurity agency. This is a competence area that needs to be developed and needs to be present, because as policy makers, you’re not only developing laws, but you’re actually also protecting in real time and take action to deal with incidents. Just having regulation and secure products doesn’t mean that threats will go away. And when developing these national frameworks, the reasons why we speak about holistic approach and a coordination between national cybersecurity agencies and policies is also because one thing is about having a clear framework that we as industry understand what is expected of us. But again, cybersecurity is also something that is happening in real time. We talk about incidents, vulnerabilities, mitigation, and so on, and it is absolutely necessary that there is a clear understanding of who is doing what and when. So that we can also take actions when actually attacks are successful, and we need to recover quickly and get back into operations with minimum damage and consequences. 
And this of course requires collaboration. So it is important to think about in the regulation that yes, we need enforcement, we need clear rules, but we also need good collaboration between the private sector and the national agencies. And lastly, when we talk about supply chains, again, I think looking at national fragmentation of requirements that breeds complexity, which is the enemy number one of security, international technical standard is a necessary feature of good security posture. If we move then to the next slide, please, which brings me to the international cooperation. Again, it is so that what happens at national level will not be bound by cyber incidents and cyber events from a national perspective. So, to address the issue, for example, of response or the complexity challenges through fragmentation, it is essential that governments do what is achievable in terms of working with their peers and strive to take action internationally and globally to make sure that we can have as much harmonization from the rules, requirements, and the standards so we can create a common platform for addressing challenges, but also work with the complexity and reduce the complexity through fragmentation. Coming back to the residual risks, this is where, of course, governments and nation states play an enormously important role. And this is coming back to the question, how do we address the residual risk? And this is where the international norms centric against 10% sponsored cyber attacks is very important. That may include things like thinking through more, how can we make sure that there is public attribution following incidents, that there is an implementation of robust deterrent measures for cyber attacks, and that we promote collaboration. If we move to the next slide, then, this is really to emphasize, and maybe not to dwell so much on, that, of course, industry collaborating with national stakeholders and international stakeholders is key. 
You see some examples of that mentioned here, but doesn’t really bring anything new. So in a matter of time, maybe we can skip this slide and then just finish off with that. I hope you find this information of interest and value. We do have a paper available. You have the links, both in English, Spanish, and in Mandarin. We hope that this is going to be an interesting read. If you have any further questions or interest in this information, please feel free to also reach out to the Secretariat of ICC, where we can schedule more interactions. I really hope that this intervention has inspired some of you and I look forward to the discussions that are to follow after my speech. Thank you again for the opportunity and I hope you have fruitful discussions. Thank you very much. Over to you, Timea.

Timea Suto: This was quite a comprehensive introduction and I do hope that it gives food for thought for the conversation that we have planned going forward. Of course, a little advertisement here for the ICC paper. If you come to our booth just outside this room here, we have a QR code from where you can easily download not only this one, but all the other publications that ICC has on cyber issues. But coming back to the conversation and picking up one of the last points that you’ve mentioned here, Rene, the need for collaboration around the protection of cyber security of critical infrastructures, and especially the collaboration in the international space. I’d like to turn to Julia and ask a little bit about how is this going and how are we seeing any barriers that might impede some cross-border collaboration and also what opportunities do you see in aligning national responses to security challenges with international and transnational agreements that we already have in place or we are developing. So, over to you, Julia.

Julia Rodriguez: Thank you so much. Can you all hear me okay?

Timea Suto: Yes, we can.

Julia Rodriguez: Beautiful. Good morning, good afternoon and good evening to all. Thank you so much, Rene, for the thought-provoking presentation. It is a pleasure to join this important conversation from New York very early in the morning. I extend my gratitude to the International Chamber of Commerce for organizing such a time… family and significant discussion, it is truly an honor to share views with such a group of speakers. To set the tone for today’s discussions and in response to the main questions, I would like to begin by highlighting the work that we have been doing at the United Nations regarding the protection of critical infrastructure. This issue is well-developed within the framework of responsible state behavior, which lay out voluntary norms for expected conduct in cyberspace, and the norm related to critical infrastructure emphasize two key principles, the current framework that we have today, more on like kind of positive obligations, the protection of critical infrastructure, and more kind of restrictive obligations in reference to what was just exposed by Rene, kind of like refrain from actions that damage or disrupt such infrastructure, particularly when they impact availability and integrity. And this normative framework is crucial, especially for those infrastructures that provide essential services, including the general availability of the internet itself. So it is worth noting that the importance of protecting critical infrastructure has long been recognized within the United Nations system. For over 20 years ago, this discussion began primarily from a development perspective, but in recent years, it has evolved into a core element of international security. And discussions now recognize that the protection of critical infrastructure is central to maintaining international peace and security, particularly in our interconnected world, where societal well-being cannot be separated from societal, economic, and human rights. 
humanitarian consideration. So bringing this discussion to the present, right now the UN, the United Nations Open-Ended Working Group on ICT and Security, has made significant progress in advancing this agenda. And one of the recent developments is in the just-published annual progress report in the critical infrastructure sectors that require protection, and now we have an inclusion on sectors that range from healthcare, maritime, aviation, financial services, and energy. And I think that the sectoral approach is a significant step forward, because it acknowledged that protecting critical infrastructure involves cross-border challenges with global implications, and second, because adopting a sector-specific risk-based approach allows for the development of target operational measures that reflect the unique characteristics and vulnerability of each sector. However, we also must acknowledge those barriers that impede cross-border collaboration in cybersecurity, as it was meant from one key challenge lies in the lack of aligned definitions and standards among nations. While the UN’s voluntary norms on responsible state behavior provide a clear framework, differences in national interpretations and legal frameworks often hinder operational coordination. Additionally, of course, there is gaps in trust, misaligned priorities, and the absence of unified approaches to identifying and responding to threats, and this border complicates these efforts that we’re trying to do at the multilateral level. Yet these challenges also… present with opportunities, aligning national responses with international agreement, for example, and not only at the international level, but also at the regional level, the creation of shared understanding on trends and coordinated responses, and of course, that by fostering trust and promoting partnerships, both public, private, and multilateral, we can enhance our collective ability to address the global risk facing critical infrastructure. 
So this directly addresses the first policy question on cross-border challenges that hinder operability and coordination. And for us, the role of public-private partnership in strengthening safety and security is key. So El Salvador has actively engaged in all the multilateral arena to advocate for concrete implementation measures. And we have emphasized the importance of partnerships and collaboration with service providers, for example, as these are essential to ensure the protection of critical infrastructure. While the understanding of the need for multi-stakeholder collaboration is well-established, we still are facing challenges at the UN for translating this broad principle into actionable policy-oriented recommendation. So I will stop here, and particularly those colleagues that represent other stakeholders to share current best industry practice. I think that Rene presented some very well recommendations for enhancing cyber resilience, and I remain eager to engage further during the Q&A session and comments. And I thank you so very much.

Timea Suto: Thank you, Julia. We’re gonna return to the room here from the online world, and I’m gonna turn to Wouter here in front of me. We’ve mentioned the role of norms, we mentioned the role of regulations, but I wanted to ask you about standards and protocols that also need to work with jurisdictions, sorry, I think I’m losing my microphone, to make sure that the systems we put in place are actually operational, and we don’t have the fragmentation that Rene was talking about in the beginning. So how do you see that from the point of view of where you’re sitting with the standardization organization in the Netherlands? Yes, thank you very much.

Mr Wouter Kobes: So as part of the Dutch government, we are using standards as a vessel to achieve various goals. One of them is interoperability within government, but also strategic independence from large vendors. And specifically on those standards that address cybersecurity, of course, the security of the government as well. And we actually see that when we are pushing for adoption of these standards, the result is that also other parts of critical infrastructure are positively affected by this, because they start implementing certain standards as well. And I think the interesting connection to the keynote of Rene is that the holistic approach to cybersecurity is also seen through security standards. You have really organizational standards. The well-known are, of course, the ISO 27K1 and 2 standards, which give your organization basically a guideline to implement cybersecurity measures at an organizational level. Then moving on, there are technical standards that, well, each of these standards really serve a goal in actually protecting your organization better or addressing a design flaw of the internet itself in terms of cybersecurity. And I think the benefit of those standards is that it’s quite easy to measure if a standard is adopted or not. And when all that fails, then there are also standardized methods to share information, for instance, between CSIRTs, SOCs, and vulnerable organizations. Think about indicators of compromise, vulnerabilities that have been found within systems. And in recent years, even a standard has been developed where you basically can publish in a standardized way, contact information which can be used by security researchers or ethical hackers to contact you in case if they find you vulnerable. find a security issue in your system organization which was not found in any of your previous efforts to improve cybersecurity. 
So this is very nice, these are very nice standards to have but of course a standard needs to be adopted before it becomes effective and this is where our main challenges lie and I think in our experience one of the the best methods to actually increase adoption is to show how well standards are adopted within the Dutch government and we we have developed also a tool, a measuring tool for this purpose that actually can report for every website, for every email domain how well the standards are adopted within a certain government organization and throughout presenting these measure results regularly we see over time these important security standards which in return will not solve all the challenges that Rene have laid out as cybersecurity because I completely you are never done with cybersecurity but it it has in fact benefited the security of the Dutch government in that sense and it’s really nice also to have published this measuring tool as an open source project for well basically everyone in the world to to use and to to measure their adoption of these important security standards. So that was my contribution, thank you.

Timea Suto: So I’m going to turn to Chris here on my left, because we’re talking here about a holistic approach, making sure that things work across borders, making sure that we share information, we don’t lose sight. That all takes me into thinking about perhaps we need some capacity building to really enable this whole of society approach that we need to cybersecurity and to mainstream the conversations that we’re having on the cybersecurity critical infrastructures into the general thinking around digital transformation. So how do you, how does the GFC see that, and where do you see it from where you’re sitting?

Mr Chris Buckridge: Yeah, so thank you very much, Timea, and I mean, I, so Chris Buckridge, I’m here as a senior strategy advisor with the Global Forum on Cyber Expertise, and based on what I already had, based on listening to Rene’s keynote there, which was wonderful, I should apologize in advance because I’m going to go into full marketing mode for the GFC here, but I mean, I think it’s all, it is really relevant, and that idea of capacity building is so central to a lot of this. I think Rene’s comment that really resonated me, about fragmentation and complexity are the enemy of security, is really, it’s at the kernel of what the GFC is about, and it’s sort of flipping that and saying coordination and clarity are really the fundamentals of security. And so the GFC is an organization, it’s the platform for international cooperation on strengthening cyber capacity building and expertise globally, and it was established in 2015. It’s a multi-stakeholder organization. We have around 250 members and partners, 88 of those states organize the state nation states, 16 international organizations, and then the remainder are private sector, academia, NGOs. So it is really quite a broad community, a lot of diverse expertise and awareness there, and working together in really a number of ways to try and facilitate essentially that cyber capacity building, CCB, and make sure that’s happening in the best way. So we do that by connecting sort of the network of implementers, donors and those who are in need, making sure that they’re finding each other in the global sense. It’s about identifying in developing best practices, so there are certain approaches that we know work well, and there are other approaches that we try out from time to time and they maybe don’t work as well, and so that’s a really important community activity, finding that out, learning together. And then also, I mean, highlighting the importance of cyber capacity building, it was there in Rene’s presentation as well, it that
building capacity and building it at the global level, not just in, you know, the global north but also looking to the global south, because that the cyber security threats are global, is really essential. And so I can speak to a few of the different activities that the GFC has been involved in, in sort of some different aspects, different ways in which we’re doing it. The first one I’ll mention, and Wouter spoke about standards there so I won’t say too much about this, but the Triple I initiative, the Internet Infrastructure Initiative, is something that GFC has been doing for the last few years, or facilitating for the last few years, and it’s very much in line with that, with promoting and educating about standards like IPv6, DNSSEC, TLS, RPKI, DKIM and DMARC, so really looking at lots of different elements in the technological stack and standards and how they can be usefully employed and deployed for better security. Turning to a slightly different aspect, it would be in terms of thinking about policy frameworks, the sort of alignment in what we’re trying to achieve, and I think something useful to highlight there would be the Accra call, which came out in 2023, was an output of the global conference on cyber capacity building, with the first one of those was in Ghana, in Accra, in 2023. GC3B we call it, which we have, yeah, regularly get wrong, wrong order there, so I’m not sure if we’ve made it easier by calling it that, but, and we have another of those, the second GC3B is going to take place in Geneva in May next year. But that’s really about, again, this sort of coordination. It’s connecting the cyber security and cyber capacity building communities with the development community, with what’s going on in international development.
And it’s got really four voluntary, non-binding, but direction-setting actions that people can sign on and commit to and then report on, strengthening the role of cyber resilience as an enabler for sustainable development, advancing the demand-driven, effective, and sustainable cyber capacity building, fostering stronger partnerships and better coordination, very important, and then the last one, which is equally and perhaps even more important than any of them, unlocking the financial resources and implementation modalities. So that’s always the struggle here. I mean, there is governments, private sector, any of these stakeholders have priorities, have limited resources. So making the case that investing in cyber security, investing in capacity building is essential, is a really fundamental element in all of this. And that’s, I think, where the Accra call is important. The last, I’ll just say one more point here, and it’s kind of tying into what Julia was talking about as well, and particularly in the international cyber diplomacy scene and what’s going on in the open-ended working group. One of the projects that the GFC has been really thrilled to be involved in and coordinating is the Women in Cyber fellowships. And that’s been working with donors, donor states from around the world. At the most recent OEWG meeting, which was just a couple of weeks ago in New York, we actually had 47 fellows from different Global South member states taking part, traveling to New York, taking part in training, but also taking part actively in those OEWG negotiations. And so, obviously, this is wonderful in terms of taking some steps towards gender balance, which is important. But I think also, and really importantly here, is that without that funding, without that project, a lot of what you would have had there in those New York negotiations, particularly from Global South countries, would not be bringing in subject matter experts. They’d be using their staff in New York.
They’d be using their permanent representations, which is great, but to be able to have the subject matter experts there in the room, enriching the negotiation and the discussion around the OEWG is almost, to my mind, the bigger achievement, the bigger important thing that we’re doing there. And then having that expertise filter back to the national level, when they go back to capital, when they go back to their governments. So that sort of level of coordination and capacity building is, I think, really fundamental in achieving, again, what Rene spoke about, the need for some coordination of approach and across different jurisdictions. So I’ll stop there. Thanks, Timea.

Timea Suto: Thank you so much, Chris. A lot in a very short time from what the GFC is doing, and we know that there’s more. But what you told me, the last point, I think it was the most striking. Because if we enable the participation of those who might otherwise not be at the table, it is really the way through which we benefit and can make sure that the policies that we’re thinking about actually work in practice on the ground and they’re actually implementable. And I want to stick with that idea as I turn to Francesca online. Do you talk a little bit about what the Cyber Peace Institute is doing and also how you see the role of stakeholders in these conversations? Especially when we turn to multilateral discussions, we see quite a gap there, but we are here in the heart of multistakeholder at the IGF. So how do we bring those two elements together? Thank you so much. Can you hear me well? Yes, we can. Okay, perfect.

Francesca Bosco: Thank you so much. And thanks a lot for the invite. And it’s an honor to speak today. I’m very sorry not to be able to be there in person. Maybe just a quick remark on who the Cyber Peace Institute is and what we are doing. The Cyber Peace Institute is an international non-profit organization. We are based in Geneva, but the mandate is global. I would say that at the backbone of the expertise of the Institute to analyze how evolving cyber threats are harming society and notably impacting critical infrastructure, specifically in the civilian domain. We provide direct cybersecurity assistance and capacity building, and we advocate for responsible behavior in cyberspace, providing policymakers with data-driven insights. So thank you so much for the opportunity to intervene in this discussion. It’s difficult, I would say, to come after an excellent previous intervention. So I would just maybe share a couple of thoughts when it comes to which are the challenges that we see when it comes to the international approach to protecting critical infrastructures and maybe sharing also a couple of potential ideas on how to address this. Indeed, as René very well highlighted in his remarks, but also Julia mentioning specifically the UN processes and specifically the open-ended working group discussions, I would say that a couple of significant obstacles that we see are the lack of consensus among the states when defining critical infrastructure. Indeed, the great sectors have been identified, notably the healthcare sector. But, I mean, clearly, then there needs to be also one of the elements that René mentioned, which is moving, let’s say, from policies into action. So first of all, the definition of the… of the critical infrastructure. And the second part that I would like to mention is also the rapid evolution of cyber threats that adds to these challenges. It was hinted by Rene in his initial remarks.
But indeed, a practical example that comes to mind is the ransomware attacks on health care systems during the COVID-19 pandemic that exposed the technical vulnerabilities, but also the lack of preparedness, basically, to ensure the service continuity. I’m mentioning specifically the health care sector because I think it is a good example, according to your question, Timea, in where the multistakeholder community can really bring an added value. Because I think that the progress that we saw at the open-ended working group level, so integrating the inputs and the voices of the multistakeholder communities brought to this, basically. And I can tell you from a very practical standpoint, what we did at the Cyber Peace Institute. So the Cyber Peace Institute was launched at the end of 2019, well on time, basically, to start during the pandemic. Which was, on one hand, we transformed it, in a way, into an opportunity. Because the mission of the Institute is to protect the most vulnerable in cyberspace. At that time, the most vulnerable in cyberspace was the health care sector, basically, widely identified from hospitals, to labs, to civil society organizations that were working. For example, when it comes to developing countries, we’re working, basically, to provide essential services. So we took this comprehensive approach. And we tried to understand, OK, how the critical infrastructure are, this critical sector is impacted by cyber attacks. Not so much from the angle of, let’s say, simply, allow me to say, collecting information about the damages, the cost, how many devices were infected. but try to understand what it really means for society. So what is the real impact and the real harm that these attacks are causing to society? 
Practical example is how many ambulances redirected, how many people could not get the vaccine, and showing this both with, as I mentioned before, a very strong technical analysis to highlight the modus operandi of the malicious actors to identify, let’s say, the critical sectors that are targeted, in which countries, and so on and so forth, but also highlighting this harm aspect and how international laws and norms were violated. So having this all-encompassing view coming from a neutrally independent civil society actors is one of the examples of how we can advance multi-stakeholder cooperation in a very concrete way. And I mean, the platform that we develop is publicly available. We use the same capability to develop the platform to monitor the attacks against the civilian infrastructure in the context of the Ukraine conflict. And I mean, the platform is developed by the Institute, but not in silo, meaning that we’ve been working on this with other civil society partners, with academic partners, with the private sector that is providing key data infrastructure services and expert views. We’ve been socializing this and extensively worked on this also via our engagement at the open-ended working group level. So I think it’s a very concrete example of how the multi-stakeholder collaboration can work. Allow me maybe to just to mention a couple of things when it comes to what we need to do, let’s say, with some some sort of like actions that we can take when it comes to the challenges that we see in international cooperation sectors. Building on the excellent remarks that Julia made, I think there is one point which is, again, as Rene was saying, not just having the norms but operationalize them. And we truly believe that transparency is the way to go. And again, we need to have concrete, actionable measures. 
And so, for example, we’ve been consistently advocating for voluntary state reporting on what constitutes a critical infrastructure within national frameworks, but also basically to enhance predictability and enable collaborative risk management across borders. Measuring the harms. I mentioned that, for example, in our work regarding the healthcare sector, regarding the civilian infrastructure in the context of the Ukraine conflict, we always add the harms dimension. We develop a specific methodology. And this is really key to understand how the impact is going beyond, let’s say, the pure, I would say, financial monetary damages. But you really need to understand the impact of cyberattacks on society, especially those cyberattacks that are obviously targeting the critical services that are making our societies running. Just a couple of points in terms of key actions. Rene mentioned the emerging technologies. Allow me to say, indeed, it’s a critical area where, obviously, I’m thinking about artificial intelligence, quantum, are bringing amazing opportunities. But at the same time, improper deployment could create new vulnerabilities, especially when we think about a critical infrastructure because still important to remember that many critical infrastructure that we are still seeing today are running on legacy systems, meaning that they were not conceived of basically to be connected just to start with. So this is extremely important to have a sort of like responsible approach in deploying emerging technologies. And then, I mean, I was smiling when Chris was talking about the GC3B because indeed one of my key points was to definitely scalable capacity building specifically for under-resourced communities. And I really appreciated that Julia also mentioned the, let’s say the connection between the, I would say the evolution between the understanding that cybersecurity is a key component of development as well. 
And to this end, I was encouraging basically the audience as well to build on existing initiatives like the excellent work done by the GFC and the opportunity that we have with the Global Cyber Capacity Building Conference that is upcoming in May in Geneva, really to bridge this gap between cybersecurity and development communities and critical infrastructure protection is one of the, I would say the key pillars. And maybe just to finish, we talk about multi-stakeholder collaborations. I gave some practical examples and I’m happy to, I mean, to dig into this more if I may. And it’s a sort of like a personal mantra. It needs to be meaningful. I mean, multi-stakeholder collaboration means nothing if it’s, I mean, if it’s just on paper or if it’s just to tick the box. And I really like what Rene was mentioning at the very beginning in terms of like partnerships are working where, when basically each partner is providing, let’s say, his or her best, let’s say expertise, to create basically the best solution possible, but according, let’s say, to what they can bring at the table and not simply because they want to be sitting at the table. So I think we need to see multistakeholder collaboration starting valuing much more, which is the impact of a multistakeholder collaboration instead of just having it as a nice to have.

Timea Suto: Thank you so much, Francesca. So we’ve covered quite a bit of ground that Rene started. We’ve heard on the importance of international norms and their implementation. We’ve heard about standards, capacity building, multistakeholder partnerships. So I have one more element that I would like to throw at Robyn and hear a bit of an insight on that, which is what is the role of policies, national policies in this? How do we make sure that policies are responsive to everything that we’ve heard here? What is it that’s out there that is helpful? What is it that we still need? And how do we move towards perhaps a bit more interoperability or harmonization of what’s happening in national context, going back to the initial thought of fragmentation being so harmful to cybersecurity? So a short little question there for you, if you can cover that.

Ms Robyn Greene: Sure, I will do my best. Thank you so much for having me here. I’m really excited to talk about this critical issue. One of the things that I think you’re going to see throughout my comments is how the things that I’m going to be recommending are not only applicable when you’re thinking about critical infrastructure and cybersecurity. I think when we get into the policy space, we really have to confront the fact that critical infrastructure is no longer just critical infrastructure. It is something that intersects with commercial technologies, with everyday sort of technologies and with the people who use those technologies. And as a result of that, one of the first things that we need to do from a policy perspective is to really take a holistic assessment of the technological landscape, as well as the threat landscape, so that we can understand things like what are the kinds of devices that interact with what we consider to be core critical infrastructure. This is especially important as private sector services are increasingly intersecting with or actually building and providing that core critical infrastructure. In addition to that, we need to make sure that policies around cybersecurity for critical infrastructure include security requirements that are technically compatible with the internet infrastructure and consistent with the values of an open, interoperable and secure internet. As I’m going to discuss in more detail a little bit later in my comments, this includes things like not mandating any legal or regulatory threats to key security tools like encryption, such as requiring things of the private sector like building key escrow or other so-called backdoors into encrypted products and services, content scanning and labeling requirements or traceability requirements that undermine encryption. This also includes resisting implementing mandates around private sector data localization and restrictions on private sector data transfers. 
The other thing that we really need to do is look to the future. What does the future of technology look like? What will future technologies require and how will they intersect with our critical infrastructure? How will the next generation of technologies even potentially replace today’s critical infrastructure? Partnerships with the private sector can be uniquely impactful in helping governments to do this kind of, you know, looking into the crystal ball, if you will. And since private sector entities, technology companies in particular, but also academia and other multi-stakeholder experts are really at the vanguard of these technological advancements and can be uniquely helpful in doing that kind of forecasting so that we can make sure that cybersecurity protections for critical infrastructure aren’t only responding to the threats of yesterday and today, but also preparing for the threats of tomorrow. In addition to that, and this is one of the most important things, and I think one of the greatest challenges that we see in the policy landscape, make it easy for companies to want to work with and share information with governments, cyber threat indicators, that is, and make sure that those relationships with companies are not, you know, the big don’t is don’t establish relationships with private sector on the basis of regulatory threats or threats to services, to their license to operate. Legal frameworks that promote human rights norms, rule of law, and legal predictability, not only in the context of cybersecurity, but also in the context of other policy spaces are the ones that will promote willing collaborations and do ensure that relationships are reciprocal. 
At the end of the day, the willing collaboration is one of the most important things for private sector partnership with the public sector in critical infrastructure protection, because, of course, you don’t want companies in the position where they’re only focused on checking boxes, and they’re, you know, only doing what they’re absolutely obligated to do. You want companies that are really looking at the holistic cybersecurity and threat landscape and proactively sharing information with governments that they think will really lift all boats, if you will. And so this makes this one of the most important elements of encouraging this willing collaboration beyond not having it be sort of like a mandatory or fear-based mechanism is making sure that these relationships are reciprocal, making sure you’re sharing, governments are sharing information back with the private sector early and often. This not only helps to lift all boats by enabling companies to better protect their clients and users, but it also builds trust and incentivizes these companies to come to the table in the first place. Beyond just reciprocal information sharing, I think the other types of sort of reciprocal partnerships can also include skill building and reciprocal access to technological tools and new technologies. The next thing that I think is going to be really important in having a better policy space that is providing more robust protection for critical infrastructure is actually starting to track the broader policy landscape. And this is something that I sort of touched upon a little earlier in my comments, but we need to really start to internalize the fact that regulatory debates and proposals that are not directly about cybersecurity or about critical infrastructure will inherently affect our ability to protect critical infrastructure in particular. 
And so, as I mentioned, you know, resisting the impulse to pursue policies that require data localization is, I think, you know, one of the more important things that we can do. At the end of the day, data localization is actually one of the more harmful policies for cybersecurity, not only in terms of like private sector protection of information and things like that, but also in terms of protection of critical infrastructure. This is because it increases costs for companies and for the government, in many cases, to actually apply state-of-the-art cybersecurity solutions. It restricts access to and deployment of those state-of-the-art cybersecurity services and measures, and it limits and disincentivizes regular system updates. It also limits resilience measures, like storing backups of systems in multiple locations. In addition to that, it’s critically important to restrict to, excuse me, resist restrictions on international data transfers for the private sector. When we’re thinking about protecting cybersecurity, information is absolutely essential. And because of how the private sector intersects with critical infrastructure so much, and as I mentioned, in many cases, actually operates or owns critical infrastructure, it’s really important that companies be able to have that global visibility into what the threat landscape is and be able to access information as quickly as possible. One of the most limiting factors to that is restricting the flow of information because that is inherently going to limit your view to the domestic threat landscape rather than the global threat landscape. So encouraging data flows is actually encouraging cybersecurity in many ways. And then finally, resisting the adoption, resisting the impulse to undermine or chill the adoption of end-to-end encryption and quantum resistant encryption. Encryption is by far the most effective tool that we have to protect privacy and security of communications.
This applies not only to private communications, but also to government communications and data. And ultimately, any time you see policies or regulations that mandate weaknesses in encryption, even if they are meant only to apply to private sector tools and systems, they inherently wind up intersecting with government and critical infrastructure systems. And so what you wind up doing is actually lowering the global security level of anything, you know, that’s going to be touching those systems. We actually have a very sort of like current, if you will, example that’s also a very stark example, to be honest, of how important encryption is to protecting cybersecurity and critical infrastructure in particular. As folks may be aware of Salt Typhoon, this is a major story in the U.S., but I imagine it’s being followed throughout the world where, you know, foreign spies have essentially taken advantage of vulnerabilities in telecommunications and ISP systems in order to infiltrate those systems. And, you know, while they may have access to be targeting lots of different people’s communications and private data, they are, in fact, targeting government officials. And so this is, you know, one of those examples of how we see the private sector intersecting with critical infrastructure and the government and the need for encryption. The last thing is resisting the impulse to mandate data retention beyond what is necessary. You’re just keeping data that could be useful to, you know, cyber criminals and other malicious actors unnecessarily if you’re imposing data retention mandates that go beyond, for example, what’s necessary for business purposes or what’s necessary for operational purposes, depending on the kind of entity that’s subject to these requirements. 
The next issue that I think is really important when it comes to the, and this is the last issue, when it comes to the policy environment and protecting critical infrastructure and cyber security of critical infrastructure is international cooperation. This is certainly not surprising, as we’ve heard this many times throughout the panel already, but ultimately this does not just include the sort of traditional types of cooperation around cyber threat information sharing and securing supply chains. It also includes things like regulatory interoperability. Make sure that not only cyber security regulations are interoperable with other regulations from other, like cyber security regulations from other governments, but make sure that non-cyber domestic and foreign regulations that implicate cyber security are compatible with current cyber security best practices. Too often we see, you know, regulatory proposals that are meant to address social concerns like, you know, online safety and things like that, which are critically, critically important, but that would actually wind up doing things like undermining encryption, and this is, of course, incompatible with cyber security and critical infrastructure, cyber security best practices. And so I think, you know, as a global community, it’s incumbent upon us not only to look at the policy landscape through the lens of what is directly affecting critical infrastructure because it is literally regulating critical infrastructure, but what are the secondary and tertiary policies that we’re considering and applying to government and the private sector that could actually still have significant ramifications for critical infrastructure and cyber security globally. In addition to that, addressing cyber crime safe haven jurisdictions is critically important. 
You know, we need to make it harder and more risky for malicious actors, whether they’re working independently, for criminal organizations, or directly or indirectly for nation states to attack critical infrastructure, particularly as, you know, we see the growing closeness between critical infrastructure and private sector technologies and stakeholders. The U.N. Cyber Crime Convention was originally proposed and promoted by several of these safe haven states, and that’s somewhat ironic, perhaps, but we are sort of in a place now where the negotiation has completed, and parties are going to move to negotiating the modalities for the protocol discussions and the protocols themselves and adoption and ratification of the treaty. Rule of law governments need to prioritize ensuring that the protocols are not only providing for specific procedural and human rights safeguards that weren’t included in the convention text, but also accountability mechanisms to ensure that all parties play by the same rules and that they work cooperatively towards investigating and preventing global cybercrime, not only when it serves their specific geopolitical or national interests. Finally, capacity building is another really important element of international cooperation and private sector, public sector collaboration. This is something the Cyber Crime Convention has a lot of potential to improve, not just as it applies to cybercrime investigation, but also to technically advance the technical skills and practices of other parties to the convention. The technically advanced and well-resourced governments can and should provide material support and technical training to augment the cyber security capabilities and practices of the less resourced and technically advanced nation states that are a party to the convention. 
I think there’s just, the policy landscape is something that we often think of as being very specific to critical infrastructure or to supply chain or something like that, but one of the things that I think we should really start to focus on as we think about cyber security and critical infrastructure is how the broader policy landscape and how relationships between governments and private sector entities can really impact that space too. Thank you.

Timea Suto: Thank you so much, Robyn. Quite a lot of information in that as well and also exploring in this extra element of cyber security, but actively fighting cybercrime, which we know in the U.N. it’s two separate processes, but in real practice they are, they go hand in hand. We had a second round of questions prepared, but I don’t think we will have time for that. We are 15 minutes away from the end of the session and I do want to turn to the audience as well and hear a little bit if you have any questions, if you have any remarks on what we’ve heard from the speakers before I give them the last word. So anybody, if you have comments online, please put your hand up, we can turn to you or here in the room. Likewise, put your hand up physically and we’ll get you a microphone. So are there any questions or comments? Think you were very comprehensive or very exhaustive, either or the other? Well, if the audience has no questions or input, then I think I’ll do a round-robin and then in the very end I’ll get to Rene on the account of first and last words. So in the order that I’ve called you previously, perhaps I can turn to Julia and ask what are your takeaways from this discussion and what is the one element that you think we should take forward as a message from this session for the IGF and for the global multi-stakeholder community to ponder upon or perhaps act upon?

Julia Rodriguez: Yes, thank you. Thank you so much for a great conversation. It has been really interesting. I think that the panel is a proof of why a stakeholder collaboration is crucial because I think that each one of the speakers has contributed with its insights on their competencies. I think it is impossible to summarize, but one of the main things that stuck with me, the importance of standards. From my perspective, these can directly address these misaligned definitions that make operationalization a challenge. Capacity building is key across the technical aspects as network security, encryption, incident response, but also from the more social and economic and humanitarian perspective and of course the impact of this cyber diplomacy that we’re trying to develop and great comments on data minimization. I think that we need to incorporate more privacy by design concepts into the normative framework of the United Nations and I think that many of these cyber intrusions at the end affect individuals. So I think this has been very well highlighted by the Cyber Peace Institute’s harms methodology. I think it is a great, great takeaway and my one sentence takeaway, it will be multi-stakeholder collaboration is essential to protect And I will stop there. Thank you.

Timea Suto: Thank you so much, Julia. Wouter?

Mr Wouter Kobes: Yes, thank you. Well, hinting on the words Francesca said, I think the Network Information Security Directive, version 2, we have in the EU, does a really nice attempt in defining critical infrastructure. And I think the point of Robyn, where you have to involve your commercial sector as well, is also captured there, because it extends towards the supply chain of this critical infrastructure. So I think that’s a nice attempt, at least by the EC, to define that critical infrastructure. Yeah, I think my giveaway to the audience and the panelists is also to lead by example in adopting internet security standards. So I invite you all to, after this session, navigate to our security adoption tool, internet.nl, and measure your own organization and see where you have room to improve in leading by example in these internet standards. So with that, I would like to thank you all for this very interesting discussion.

Timea Suto: Thank you, Wouter. Chris?

Mr Chris Buckridge: Yeah, thanks, Timea. And thanks for organizing this session and for a really interesting discussion and set of interventions. I was happy not to be the first person here to mention AI. I think too often the conversation seemed to be turning to that. But it is a really interesting and significant point. And I mean, at the OEWG the other week, really every meeting of the OEWG, more member states are highlighting AI as an area of real concern for them. And it makes sense. I know ISC2, I think, did a survey late last year and more than half of CISOs, security professionals, are anticipating AI-enabled attacks or AI-enhanced attacks to be part of what they have to defend against. Now, it’s not entirely clear what’s actually happening and to what extent that’s happening in real life at this stage. And I think there were some states that also made that point. But, I mean, Unity has done a study which sort of really highlights that sort of arms race we’re in where AI is enhancing the abilities of attackers, it’s enhancing the ability of defenders. But that really centers back to the need for capacity building, it centers back to, that’s great that the defense is sort of continuing to ratchet up along with the attack, but if you’re in the global south, and if you’re not really on that sort of, in on that arms race, you’re becoming increasingly vulnerable to these attacks. So this is not something where we can leave people behind. If you get left behind, you’re going to be a vulnerability, and that’s going to be a vulnerability for the entire system. So we need to be ready to, sorry, invest, sorry, in cyber capacity building. And I mean, to use another very overused term, we need to be agile about that. We need, and I think Robyn mentioned, the changing landscape, the sort of ever-moving landscape that we have in terms of security. That cyber capacity building activity also needs to reflect that.
It needs to be ready to engage with what the latest threats are, the latest vulnerabilities are, and to be ready to mitigate that. So it is, as Wouter, I think, also said, a constant. It’s not something where we can say one and done. It’s something we need to keep evolving and working on as time goes on. Thanks.

Timea Suto: Thank you, Chris. Francesca?

Francesca Bosco: Thank you so much. So what was tried me, I mean, I think is, the clear articulation. So thank you so much for the excellent discussion, because I think there was a very good segue among the different speakers. And I think we all reiterated the fact that the dependency is not only from a technical standpoint, but there is a dire need to understand the complexity of the ecosystem when we talk about a critical infrastructure. And I really appreciated the last comment from Robyn, the last remarks from Robyn, specifically on this, how the policies are kind of like intertwined. I also very much appreciated that the, one of the things that I’ve been, I mean, I spent all my life in the country in cybercrime, cybersecurity, misuse of technology, and so on and so forth. And one of the key challenges is always information sharing. It’s doable, but it needs to go both ways. And I think Robyn very well highlighted the fact that it cannot be just, let’s say, private sector vis-a-vis government, for example. But I mean, again, we need to create the ecosystem for the information sharing. So I think this is super important to be stressed. We mentioned several times building capacity, I would say, as very well Chris was mentioning, for now and for the future. Interestingly, I mean, in these days, I’m working on the potential risk of fully autonomous cyber attacks, impacting, for example, critical infrastructure. And indeed, the idea is not only to conceive it, but also to potentially build the capacity for being able to respond. And let me finish maybe with some of the remarks that building on what Rene and Julia also were saying. And again, going back to the idea of the meaningful multi-stakeholder collaboration standards. The standards are key. Or for example, international processes are key.
But let’s be honest, not all the actors that should be involved in the multi-stakeholder approach have the means, have the resources, have the understanding on even how to engage. I’m thinking about the civil society difficulties in engaging with the standards bodies, for example. Or I’m thinking about many companies that would like to engage, for example, in the open-ended working group and similar processes, but they didn’t even know where to start, basically. So kudos to the ICC for organizing these panels because I think it’s also, I mean, helping in this direction. But I would say that more awareness-raising and really knowledge-building needs to be done in this sense.

Timea Suto: Thank you, Francesca.

Ms Robyn Greene: We just got the five-minute warning. So I’m gonna be extremely brief, especially since I wasn’t very brief in my initial comments. And I think I’ll just sum everything up with three thoughts. One, keep in mind how intersectional the technological landscape is, and therefore how intersectional we need to think about the policy landscape, and how that will impact the ability for the private sector to partner with government in the protection of critical infrastructure. Two, never ever underestimate the impact of encryption on cybersecurity, the importance of ensuring that all policies protect and promote the adoption of encryption rather than undermining it. And then three, also never, ever, ever underestimate the importance of data flows and the risks of data localization mandates, especially as applied to private sector entities and how that will ultimately lead to ramifications for critical infrastructure cybersecurity. Thank you so much, this has been a great panel.

Timea Suto: Thank you, Robyn. Rene, I give you the first word, I’m going to give you the last word as well. From your keynote speech after hearing all our speakers, what has changed from what you said or what would you like to highlight to build on what you said?

Rene Summer: Thank you, Timea, thank you all. Well, I mean, a lot has been said, so maybe on the margin of what has been already mentioned, I was thinking about what to say and then Elvis Presley’s song came to mind, a little less conversation, a little more action. And I think it falls down that we see the need for more actionable progress. I would really like to stress that many of the threats we see growing are stemming from those residual risks where industry will not be able to defend itself and how to address the residual risks, I think is very, very important. And the cost of inaction here is growing day by day. I think we have seen numbers that the global cost of cyber today is about 11 trillion US dollars that correspond to three G7 countries’ nominal GDP from 2022, I think, meaning Germany, UK and Japan. And we need to change the tide of this development.

Timea Suto: Concise as always, thank you, Rene, but it’s quite powerful as well. As a last word to take away. That only leaves me with one job, is to thank you all for being here, for accepting ICC’s invitation for this conversation and for sharing all your expertise and insight with us and with the audience here in the room and online. There will be a report of this session on the IGF website, so we will be coming to you with that. And, of course, the ICC website is always there, so please take a look at our publications, not only on cyber security, but as Robyn highlighted, we also need to look into what we have done on data issues, especially on government access issues to data. So I’ll leave you with that. Huge thanks to my panelists, and a huge round of applause to all of you who’ve been here. Thank you. Thank you very much. Bye-bye.

Rene Summer

Speech speed

139 words per minute

Speech length

3123 words

Speech time

1342 seconds

Fragmentation and complexity hinder security efforts

Explanation

Rene Summer argues that fragmentation and complexity are the main enemies of security. He emphasizes that different approaches and definitions across jurisdictions create challenges for policy targeting and implementation.

Evidence

Rene mentions that many jurisdictions have developed different critical infrastructure frameworks, leading to complexity and fragmentation.

Major Discussion Point

Challenges in protecting critical infrastructure

Agreed with

Mr Wouter Kobes

Ms Robyn Greene

Agreed on

Importance of addressing fragmentation and complexity

Need for holistic approach involving all stakeholders

Explanation

Rene Summer advocates for a holistic policy approach that is well-balanced and targeted. He stresses the importance of involving all stakeholders, including governments, in addressing cybersecurity challenges.

Evidence

Rene mentions the need for clear roles and responsibilities, as well as cooperation and coordination between stakeholders.

Major Discussion Point

International cooperation and multistakeholder collaboration

Agreed with

Mr Chris Buckridge

Francesca Bosco

Agreed on

Need for capacity building, especially in the Global South

Julia Rodriguez

Speech speed

119 words per minute

Speech length

957 words

Speech time

480 seconds

Lack of consensus on defining critical infrastructure

Explanation

Julia Rodriguez points out that there is a lack of consensus among states when defining critical infrastructure. This lack of agreement creates challenges in developing and implementing effective protection measures.

Evidence

Julia mentions that while some sectors like healthcare have been identified, there is still a need to move from policies into action.

Major Discussion Point

Challenges in protecting critical infrastructure

Differed with

Mr Wouter Kobes

Differed on

Approach to defining critical infrastructure

Importance of public-private partnerships and information sharing

Explanation

Julia Rodriguez emphasizes the crucial role of public-private partnerships in strengthening safety and security. She highlights the need for collaboration with service providers to ensure the protection of critical infrastructure.

Evidence

Julia mentions El Salvador’s active engagement in multilateral arenas to advocate for concrete implementation measures and partnerships.

Major Discussion Point

International cooperation and multistakeholder collaboration

Agreed with

Rene Summer

Francesca Bosco

Ms Robyn Greene

Agreed on

Need for multistakeholder collaboration

Need to incorporate privacy-by-design concepts in normative frameworks

Explanation

Julia Rodriguez suggests that privacy-by-design concepts should be incorporated into the normative framework of the United Nations. This approach would help address privacy concerns in cybersecurity efforts.

Major Discussion Point

Role of standards and policies

Mr Wouter Kobes

Speech speed

131 words per minute

Speech length

648 words

Speech time

294 seconds

Misaligned definitions make operationalization challenging

Explanation

Mr Wouter Kobes points out that misaligned definitions of critical infrastructure across jurisdictions create challenges in operationalizing protection measures. This misalignment hinders effective implementation of security strategies.

Major Discussion Point

Challenges in protecting critical infrastructure

Agreed with

Rene Summer

Ms Robyn Greene

Agreed on

Importance of addressing fragmentation and complexity

Standards help address misaligned definitions across jurisdictions

Explanation

Mr Wouter Kobes argues that standards play a crucial role in addressing misaligned definitions of critical infrastructure across jurisdictions. He suggests that standards can provide a common framework for understanding and protecting critical infrastructure.

Evidence

Wouter mentions the Network Information Security Directive version 2 in the EU as an attempt to define critical infrastructure.

Major Discussion Point

Role of standards and policies

Differed with

Julia Rodriguez

Differed on

Approach to defining critical infrastructure

Standards adoption demonstrates leadership in internet security

Explanation

Mr Wouter Kobes emphasizes the importance of leading by example in adopting internet security standards. He suggests that organizations should measure their own security adoption to identify areas for improvement.

Evidence

Wouter invites the audience to use their security adoption tool, internet.nl, to measure their organization’s security standards adoption.

Major Discussion Point

Role of standards and policies

Mr Chris Buckridge

Speech speed

156 words per minute

Speech length

1496 words

Speech time

575 seconds

Capacity building essential, especially for Global South

Explanation

Mr Chris Buckridge emphasizes the critical importance of capacity building, particularly for countries in the Global South. He argues that leaving countries behind in cybersecurity capabilities creates vulnerabilities for the entire global system.

Evidence

Chris mentions the increasing vulnerability of countries not involved in the AI ‘arms race’ between attackers and defenders.

Major Discussion Point

International cooperation and multistakeholder collaboration

Agreed with

Rene Summer

Francesca Bosco

Agreed on

Need for capacity building, especially in the Global South

AI-enabled attacks anticipated as growing concern

Explanation

Mr Chris Buckridge highlights the growing concern about AI-enabled or AI-enhanced attacks. He notes that many security professionals are anticipating these types of attacks as part of what they need to defend against in the future.

Evidence

Chris cites an ISC2 survey indicating that more than half of CISOs and security professionals anticipate AI-enabled attacks.

Major Discussion Point

Emerging technologies and future threats

Capacity building must evolve to address latest threats

Explanation

Mr Chris Buckridge argues that capacity building efforts need to be agile and evolve to address the latest threats and vulnerabilities. He emphasizes the need for continuous adaptation in cybersecurity practices.

Major Discussion Point

Emerging technologies and future threats

Francesca Bosco

Speech speed

141 words per minute

Speech length

1879 words

Speech time

796 seconds

Rapid evolution of cyber threats exposes vulnerabilities

Explanation

Francesca Bosco points out that the rapid evolution of cyber threats exposes vulnerabilities in critical infrastructure. She emphasizes the need to understand and address these evolving threats to ensure better protection.

Evidence

Francesca mentions ransomware attacks on healthcare systems during the COVID-19 pandemic as an example of exposing technical vulnerabilities and lack of preparedness.

Major Discussion Point

Challenges in protecting critical infrastructure

Multistakeholder input crucial for developing effective frameworks

Explanation

Francesca Bosco emphasizes the importance of meaningful multistakeholder collaboration in developing effective cybersecurity frameworks. She argues that diverse expertise and perspectives are necessary to address complex cybersecurity challenges.

Evidence

Francesca mentions the Cyber Peace Institute’s work on monitoring attacks against civilian infrastructure in the Ukraine conflict as an example of multistakeholder collaboration.

Major Discussion Point

International cooperation and multistakeholder collaboration

Agreed with

Rene Summer

Mr Chris Buckridge

Agreed on

Need for capacity building, especially in the Global South

Need to prepare for potential fully autonomous cyber attacks

Explanation

Francesca Bosco highlights the need to prepare for potential fully autonomous cyber attacks that could impact critical infrastructure. She emphasizes the importance of building capacity to respond to these future threats.

Evidence

Francesca mentions her current work on assessing the potential risks of fully autonomous cyber attacks on critical infrastructure.

Major Discussion Point

Emerging technologies and future threats

Responsible approach needed in deploying emerging technologies

Explanation

Francesca Bosco argues for a responsible approach in deploying emerging technologies, particularly in critical infrastructure. She emphasizes the need to consider potential vulnerabilities, especially in legacy systems not designed for connectivity.

Major Discussion Point

Emerging technologies and future threats

Ms Robyn Greene

Speech speed

154 words per minute

Speech length

2223 words

Speech time

862 seconds

Intersectionality of technological landscape complicates policy approaches

Explanation

Ms Robyn Greene emphasizes the intersectionality of the technological landscape and its impact on policy approaches. She argues that critical infrastructure now intersects with commercial technologies and everyday systems, requiring a more holistic policy approach.

Major Discussion Point

Challenges in protecting critical infrastructure

Agreed with

Rene Summer

Julia Rodriguez

Francesca Bosco

Agreed on

Need for multistakeholder collaboration

Policies should be compatible with internet infrastructure and values

Explanation

Ms Robyn Greene argues that policies around cybersecurity for critical infrastructure should be technically compatible with internet infrastructure and consistent with the values of an open, interoperable, and secure internet. She emphasizes the importance of not undermining key security tools like encryption.

Evidence

Robyn mentions examples of policies to avoid, such as mandating key escrow, backdoors, content scanning, or traceability requirements that undermine encryption.

Major Discussion Point

Role of standards and policies

Regulatory interoperability needed across jurisdictions

Explanation

Ms Robyn Greene emphasizes the need for regulatory interoperability across jurisdictions. She argues that not only cybersecurity regulations should be interoperable, but also non-cyber domestic and foreign regulations that implicate cybersecurity should be compatible with current best practices.

Major Discussion Point

International cooperation and multistakeholder collaboration

Agreed with

Rene Summer

Mr Wouter Kobes

Agreed on

Importance of addressing fragmentation and complexity

Importance of forecasting future technological needs and threats

Explanation

Ms Robyn Greene highlights the importance of looking to the future and forecasting technological needs and threats. She argues that partnerships with the private sector can be uniquely impactful in helping governments anticipate future challenges.

Major Discussion Point

Emerging technologies and future threats

Policies must consider broader technological landscape impacts

Explanation

Ms Robyn Greene argues that policies must consider the broader technological landscape and its impacts on critical infrastructure protection. She emphasizes the need to track regulatory debates and proposals that are not directly about cybersecurity but can affect the ability to protect critical infrastructure.

Evidence

Robyn mentions examples such as data localization policies and restrictions on international data transfers, which can harm cybersecurity efforts.

Major Discussion Point

Role of standards and policies

Agreements

Agreement Points

Need for multistakeholder collaboration

Rene Summer

Julia Rodriguez

Francesca Bosco

Ms Robyn Greene

Need for holistic approach involving all stakeholders

Importance of public-private partnerships and information sharing

Multistakeholder input crucial for developing effective frameworks

Intersectionality of technological landscape complicates policy approaches

Speakers agreed on the critical importance of involving all stakeholders, including governments, private sector, and civil society, in addressing cybersecurity challenges and developing effective frameworks.

Importance of addressing fragmentation and complexity

Rene Summer

Mr Wouter Kobes

Ms Robyn Greene

Fragmentation and complexity hinder security efforts

Misaligned definitions make operationalization challenging

Regulatory interoperability needed across jurisdictions

Speakers emphasized that fragmentation in approaches, definitions, and regulations across jurisdictions creates complexity and hinders effective cybersecurity efforts. They stressed the need for alignment and interoperability.

Need for capacity building, especially in the Global South

Rene Summer

Mr Chris Buckridge

Francesca Bosco

Need for holistic approach involving all stakeholders

Capacity building essential, especially for Global South

Multistakeholder input crucial for developing effective frameworks

Speakers agreed on the importance of capacity building, particularly for countries in the Global South, to ensure a more secure global cybersecurity ecosystem.

Similar Viewpoints

Both speakers emphasized the importance of standards and policies that are compatible with internet infrastructure and values, and can help address misalignments across jurisdictions.

Mr Wouter Kobes

Ms Robyn Greene

Standards help address misaligned definitions across jurisdictions

Policies should be compatible with internet infrastructure and values

Both speakers highlighted the need to prepare for future threats, particularly those involving AI and autonomous systems, in the context of critical infrastructure protection.

Mr Chris Buckridge

Francesca Bosco

AI-enabled attacks anticipated as growing concern

Need to prepare for potential fully autonomous cyber attacks

Unexpected Consensus

Importance of encryption for cybersecurity

Ms Robyn Greene

Julia Rodriguez

Policies should be compatible with internet infrastructure and values

Need to incorporate privacy-by-design concepts in normative frameworks

While coming from different perspectives (private sector and government), both speakers emphasized the importance of protecting encryption and incorporating privacy-by-design concepts in cybersecurity frameworks, showing an unexpected alignment on this issue.

Overall Assessment

Summary

The main areas of agreement included the need for multistakeholder collaboration, addressing fragmentation and complexity in cybersecurity approaches, the importance of capacity building (especially in the Global South), and the need to prepare for future threats like AI-enabled attacks.

Consensus level

There was a high level of consensus among the speakers on the major challenges and necessary approaches to protecting critical infrastructure. This consensus suggests a growing recognition of the complexity of the issue and the need for collaborative, holistic solutions. However, specific implementation details and prioritization of actions may still require further discussion and negotiation among stakeholders.

Differences

Different Viewpoints

Approach to defining critical infrastructure

Julia Rodriguez

Mr Wouter Kobes

Lack of consensus on defining critical infrastructure

Standards help address misaligned definitions across jurisdictions

While Julia Rodriguez highlights the lack of consensus in defining critical infrastructure as a challenge, Mr Wouter Kobes suggests that standards can help address these misaligned definitions.

Unexpected Differences

Emphasis on encryption

Ms Robyn Greene

Other speakers

Policies should be compatible with internet infrastructure and values

While most speakers focused on broader cybersecurity issues, Ms Robyn Greene placed a strong emphasis on the importance of encryption, which was not as prominently discussed by other speakers. This unexpected focus highlights the potential tension between security measures and privacy concerns.

Overall Assessment

Summary

The main areas of disagreement centered around the definition of critical infrastructure, the role of standards, and the emphasis on specific technical aspects like encryption.

Difference level

The level of disagreement among speakers was relatively low, with most differences being more about emphasis and approach rather than fundamental disagreements. This suggests a general consensus on the importance of protecting critical infrastructure, but varying perspectives on how to achieve this goal effectively.

Partial Agreements

Both speakers agree on the need for a comprehensive approach to cybersecurity, but they differ in their focus. Rene Summer emphasizes stakeholder involvement, while Robyn Greene highlights the complexity of the technological landscape and its impact on policy.

Rene Summer

Ms Robyn Greene

Need for holistic approach involving all stakeholders

Intersectionality of technological landscape complicates policy approaches

Takeaways

Key Takeaways

A holistic, multistakeholder approach is needed to protect critical infrastructure cybersecurity

International cooperation and alignment of policies/standards is crucial

Capacity building, especially for less-resourced countries, is essential

The broader policy landscape beyond just cybersecurity impacts critical infrastructure protection

Emerging technologies like AI present new challenges and opportunities

Encryption and data flows are vital for cybersecurity and should not be undermined

Public-private partnerships and information sharing are key, but need to be reciprocal

Resolutions and Action Items

Participants encouraged to use the internet.nl tool to measure their organization’s security standard adoption

More awareness-raising and knowledge-building needed on how to engage in international processes

Need to operationalize existing norms and move from conversation to action

Unresolved Issues

How to achieve consensus on defining critical infrastructure across jurisdictions

How to balance security needs with privacy and human rights concerns in policy approaches

How to effectively address residual risks that industry cannot defend against alone

How to prepare for potential future threats like fully autonomous cyber attacks

Suggested Compromises

Balancing enforcement of security requirements with incentives for appropriate behavior

Finding ways for less-resourced stakeholders to meaningfully participate in standards development and policy processes

Considering both cybersecurity and development needs in capacity building efforts

Thought Provoking Comments

Fragmentation and complexity are the number one enemy of security.

speaker

Rene Summer

reason

This succinctly captures a key challenge in cybersecurity, emphasizing the need for coordination and simplicity.

impact

Set the tone for subsequent discussions on international cooperation and standardization.

We need to really start to internalize the fact that regulatory debates and proposals that are not directly about cybersecurity or about critical infrastructure will inherently affect our ability to protect critical infrastructure in particular.

speaker

Robyn Greene

reason

Highlights the interconnected nature of policies and their unintended consequences on cybersecurity.

impact

Broadened the conversation to consider wider policy implications beyond direct cybersecurity measures.

We tried to understand, OK, how the critical infrastructure are, this critical sector is impacted by cyber attacks. Not so much from the angle of, let’s say, simply, allow me to say, collecting information about the damages, the cost, how many devices were infected, but try to understand what it really means for society.

speaker

Francesca Bosco

reason

Shifts focus from technical impacts to societal consequences, providing a more holistic view of cybersecurity.

impact

Encouraged consideration of broader societal impacts in cybersecurity discussions.

Make sure that not only cyber security regulations are interoperable with other regulations from other, like cyber security regulations from other governments, but make sure that non-cyber domestic and foreign regulations that implicate cyber security are compatible with current cyber security best practices.

speaker

Robyn Greene

reason

Emphasizes the need for regulatory coherence across different domains and jurisdictions.

impact

Highlighted the complexity of policy-making in cybersecurity and the need for a more integrated approach.

We need to be agile about that. We need, and I think Robyn mentioned, the changing landscape, the sort of ever-moving landscape that we have in terms of security. That cyber capacity building activity also needs to reflect that.

speaker

Chris Buckridge

reason

Emphasizes the dynamic nature of cybersecurity threats and the need for adaptable capacity building.

impact

Shifted the discussion towards the importance of ongoing, flexible approaches to cybersecurity.

Overall Assessment

These key comments shaped the discussion by emphasizing the complex, interconnected nature of cybersecurity challenges. They broadened the conversation from technical specifics to include wider policy implications, societal impacts, and the need for international cooperation. The discussion evolved from identifying problems to exploring holistic, adaptable solutions that consider the rapidly changing technological landscape and the need for coherent, cross-sector approaches to cybersecurity policy and practice.

Follow-up Questions

How can we operationalize international norms on cybersecurity and critical infrastructure protection?

speaker

Francesca Bosco

explanation

Moving from policies into action is crucial for effective implementation of cybersecurity measures.

How can we measure and understand the real societal impact and harm caused by cyberattacks on critical infrastructure?

speaker

Francesca Bosco

explanation

Understanding the full scope of harm beyond just technical or financial damages is important for developing appropriate responses and protections.

How can we responsibly deploy emerging technologies like AI and quantum computing in critical infrastructure while addressing potential vulnerabilities?

speaker

Francesca Bosco

explanation

Emerging technologies offer opportunities but could also create new vulnerabilities, especially when interacting with legacy systems in critical infrastructure.

How can we improve engagement and participation of civil society and smaller companies in international cybersecurity processes and standards development?

speaker

Francesca Bosco

explanation

Many stakeholders lack the resources or knowledge to effectively engage in important cybersecurity discussions and standard-setting processes.

How can we address the challenges of cyber crime safe haven jurisdictions?

speaker

Robyn Greene

explanation

Safe havens for cybercriminals pose significant risks to global cybersecurity efforts and critical infrastructure protection.

How can we ensure that non-cybersecurity policies and regulations are compatible with cybersecurity best practices?

speaker

Robyn Greene

explanation

Policies in other areas can inadvertently impact cybersecurity, so a holistic approach to policy-making is necessary.

How can we better prepare for and defend against potential AI-enabled cyberattacks on critical infrastructure?

speaker

Chris Buckridge

explanation

AI-enhanced attacks are an emerging concern for cybersecurity professionals and require proactive preparation and defense strategies.

Disclaimer: This is not an official session record. DiploAI generates these resources from audiovisual recordings, and they are presented as-is, including potential errors. Due to logistical challenges, such as discrepancies in audio/video or transcripts, names may be misspelled. We strive for accuracy to the best of our ability.

WS #190 Securing critical infrastructure in cyber: Who and how?

Session at a Glance

Summary

This discussion focused on protecting critical infrastructure from cyber threats and implementing international cyber norms. Participants explored how to identify critical infrastructure, noting the challenges in reaching a universal definition due to regional differences. They emphasized the importance of understanding interdependencies between sectors and conducting thorough impact analyses.

The conversation highlighted the need for baseline cybersecurity measures for critical infrastructure operators and service providers. Suggestions included asset inventory, vulnerability management, and compliance with applicable standards. Participants stressed the importance of training employees and raising awareness about cybersecurity risks.

The role of international cyber norms and confidence-building measures was discussed, with participants generally agreeing that these voluntary agreements can help reduce risks and foster cooperation. However, questions were raised about their effectiveness in preventing attacks during conflicts.

Participants debated whether it’s realistic to expect cyber operations to avoid targeting critical infrastructure, especially during peacetime. They noted the challenges in attribution and accountability when norms are violated. The discussion touched on the potential for unintended consequences when attacking interconnected systems.

Regional and international cooperation was proposed as a way to address these challenges. Participants suggested creating shared definitions of critical infrastructure within regions and establishing mechanisms for information sharing and joint incident response.

The session concluded by emphasizing the need for more diverse global participation in discussions about critical infrastructure protection and cyber norms implementation, particularly from developing countries and civil society organizations.

Keypoints

Major discussion points:

– Defining and identifying critical infrastructure across different countries and contexts

– Implementing baseline cybersecurity measures and standards for critical infrastructure protection

– Understanding interdependencies between critical infrastructure sectors and supply chains

– The role and impact of voluntary cyber norms and confidence-building measures

– Challenges in protecting critical infrastructure during peacetime and conflicts

Overall purpose:

The goal of this discussion was to explore practical measures and international frameworks for protecting critical infrastructure, as part of the Geneva Dialogue project to connect high-level cyber norms with on-the-ground implementation.

Speakers

– Anastasiya Kazakova: Cyber Diplomacy Knowledge Fellow at Diplo, part of the Geneva Dialogue team

– Vladimir Radunovic: Director, E-diplomacy and Cybersecurity Programmes at DiploFoundation

– Thomas Schneider: Director of International Affairs, Swiss Federal Office of Communications (OFCOM)

– Nicolas Grunder: Global Lead Counsel Digital, Data & Cyber, ABB

– Bushra AlBlooshi: Director of Cybersecurity Governance Risk Management Department, Dubai Electronic Security Center

– Kazuo Noguchi, Senior Manager R&D, Hitachi America

– Kaleem Usmani, Head of the CERT-MU, Mauritius 

– Klée Aiken, Director, Community & Capacity Building, the Forum of Incident Response and Security Teams (FIRST)

– Maria Pericàs Riera, Project Assistant, Center for Geopolitics, Geoeconomics, and Technology, DGAP

– Melanie Kolbe-Guyot, Head of Digital Policy, C4DT – EPFL

Full session report

Expanded Summary of Critical Infrastructure Protection Discussion

Introduction:

This discussion was part of the Geneva Dialogue on Responsible Behaviour in Cyberspace, an initiative launched by the Swiss government and implemented by DiploFoundation with the support of several actors, and aimed at connecting high-level cyber norms with on-the-ground implementation. As explained by Vladimir Radunovic and Thomas Schneider, the project currently focuses on protecting critical infrastructure from cyber threats and implementing the agreed cyber norms. The session brought together participants from various sectors, stakeholder groups and regions to explore practical measures and international frameworks for protecting critical infrastructure and promoting responsible behaviour in cyberspace.

Geneva Dialogue Project and Scenario-Based Exercise:

The session began with an introduction to the Geneva Dialogue and its goals. A significant portion of the discussion revolved around a scenario-based exercise, which presented participants with a hypothetical cyberattack on a fictional cloud service provider. This exercise served as a springboard for discussions on critical infrastructure protection, international norms, and practical implementation strategies.

1. Defining and Identifying Critical Infrastructure:

A central challenge highlighted throughout the discussion was the need to define and identify critical infrastructure across different countries and contexts. Maria Pericàs Riera presented the DGAP project and noted the significant diversity in how countries define critical infrastructure globally, with over 40% of countries not publicly announcing what they consider critical. This diversity presents challenges in establishing common norms and protections.

Dr. Bushra AlBlooshi emphasised the need for common agreement on critical infrastructure definitions at regional or international levels. Kaleem Usmani underlined a need for conducting thorough asset inventories and impact analyses at a national level, highlighting a difference in approach between standardisation and individualised assessment.

Nicolas Grunder from ABB stressed the importance of understanding what constitutes critical infrastructure, while Anastasiya Kazakova pointed out the challenges in identifying cross-jurisdictional interdependencies. This underscored the complexity of the issue, particularly when dealing with infrastructure that has national, regional, or international impact.

2. Protecting Critical Infrastructure:

The discussion emphasised the need for baseline security requirements for critical infrastructure. Kazuo Noguchi from Hitachi America highlighted the importance of backup systems and geographic distribution of infrastructure, introducing a specific, practical measure for protection. Paola Nkandu Haamaundu stressed the need for training and awareness programmes for critical infrastructure staff, while Nicolas Grunder emphasised the importance of business continuity and incident response planning.

Vladimir Radunovic pointed out the need to secure supply chains and address interdependencies, a point echoed by Dr. Bushra AlBlooshi, who highlighted the complexity of interdependencies between different infrastructure sectors. Dr. Bushra shared a practical example: “We need to define the critical sectors, and for each sector, we need to define their interdependencies, and if one sector goes down, this will give us a better understanding of what we should expect from the other sector.”

3. Role of Cyber Norms and International Cooperation:

Kaleem Usmani from CERT-MU argued that cyber norms help reduce the risk of attacks on critical infrastructure. Vladimir Radunovic elaborated on the importance of confidence-building measures and the role of norms in guiding responsible state behavior in cyberspace.

Klée Aiken from FIRST highlighted the importance of information sharing and threat intelligence exchange. However, Melanie Kolbe-Guyot from C4DT-EPFL raised the question of whether cyber operations can realistically avoid targeting critical infrastructure, especially during conflicts.

4. Challenges in Critical Infrastructure Protection:

Several challenges were identified throughout the discussion. Dr. Bushra and Vladimir both highlighted the complexity of interdependencies between different infrastructure sectors and the challenge of protecting infrastructure with international or cross-border impacts.

Imad Aad from C4DT-EPFL pointed out the difficulty in controlling security of actors across supply chains, a point echoed by Kazuo Noguchi who emphasised the interconnected nature of supply chains, including software, hardware, IoT, and people.

Anastasiya Kazakova raised the issue of lack of transparency from some states about critical infrastructure protection approaches, suggesting that greater transparency is needed to enable stakeholders to support state efforts in critical infrastructure protection.

Vladimir Radunovic also highlighted the potential unintended consequences of attacks on service providers like the fictional OmniCloud, emphasizing the far-reaching impacts such attacks could have on various sectors and countries.

5. The Geneva Manual and Operationalizing Norms:

Thomas Schneider discussed the Geneva Manual, which focuses on operationalizing critical infrastructure-related norms. The manual aims to provide practical guidance on implementing cyber norms and protecting critical infrastructure.

Conclusion:

The discussion concluded with several key takeaways:

1. There is a need for international efforts to better understand cross-jurisdictional interdependencies across CI at national, regional and international levels.

2. Protecting critical infrastructure requires addressing complex interdependencies and supply chain vulnerabilities.

3. Cyber norms and international cooperation play an important role in critical infrastructure protection, but challenges remain in implementation.

4. Baseline security requirements and standards are needed for critical infrastructure operators and service providers.

5. Critical infrastructure protection requires engagement from multiple stakeholders including governments, industry, and researchers.

Action items included finalising the next chapter of the Geneva Manual focused on critical infrastructure protection by early next year, developing more scenario-based games and cards to facilitate discussions, and seeking more input and participation from developing countries in the Geneva Dialogue process.

Vladimir Radunovic concluded by mentioning an upcoming session on civil society engagement in technical discussions, further emphasizing the project’s commitment to inclusive dialogue.

The discussion highlighted the complexity of protecting critical infrastructure in an interconnected world, emphasising the need for continued dialogue, cooperation, and practical action at national, regional, and international levels.

Session Transcript

Vladimir Radunovic: Okay, let’s start. I hope you all got the headphones. It’s channel number four. So, number four is the room. Welcome to the session Securing Critical Infrastructure, Who and How. My name is Vladimir Radunovic. I’m leading cybersecurity programs for Diplo Foundation, an international educational capacity building institution. I’ll be sort of a host today together with my colleague, Melanie, who is here on behalf of EPFL and C4DT. But there will be a number of distinguished experts also joining us both here and online. And there I count all of you as well. Now, critical infrastructure has become a buzzword and we have seen it everywhere, popping up in the norm setting and policy setting frameworks, but also popping up among the professionals dealing with cybersecurity. But rarely we see how these two connect. Typically, the discussions are in silos. What we are trying to do with the Geneva Dialogue Project, and you will hear in a second a bit more about that, is to connect the high-level norms, cyber norms and frameworks with the practical work in protecting critical infrastructure. But before we dive into the session, let me welcome on behalf of Switzerland, who is the main supporter of the Geneva Dialogue on Responsible Behaviour, Thomas Schneider on behalf of OFCOM of Switzerland, to maybe put the welcome words and set the stage. Thomas, the floor is yours.

Thomas Schneider: Yes, thank you. This is an initiative of the Swiss Federal Foreign Ministry, but we partner with them in many ways, so they’ve asked me to say a few things about the Geneva Dialogue and the motivation also behind this. The Geneva Dialogue on Responsible Behaviour in Cyberspace was established by the Swiss Foreign Ministry now six years ago. It is led by our friends from the Diplo Foundation with the support of the Republican State of Geneva. Geneva is, in their view, a state of themselves. Other partners include the C4DT, we’ve already heard from EPFL, Swisscom and UBS. The aim of the Dialogue is to analyse and map the roles and responsibilities of the various actors in ensuring the security and stability of cyberspace. The Geneva Dialogue is a global dialogue, building on the Geneva tradition of bringing the world together. It engages some 100 companies, organisations, institutions and experts. In 2023-2024 more than 50 representatives and independent experts have contributed to the drafting of the Geneva Manual. In this context the dialogue stems from the principle of shared responsibility and particularly asks how the agreed cyber norms can be best implemented by relevant stakeholders together as a means to contribute to international security and peace. Concretely the Geneva Dialogue investigates the consequences of agreed upon norms for the relevant stakeholders. It does not try to find consensus but to document existing views of such stakeholders on their roles and responsibilities in the Geneva Manual as well as give good practices that should inspire others and promote responsible behavior in cyberspace. So this inaugural edition of the Manual focuses on two norms related to supply chain security and reporting of ICT vulnerabilities. 
This year the Geneva Dialogue discusses the operationalization of the critical infrastructure related norms and the sessions is another important opportunity to gather international feedback from various experts for the next chapter of the Geneva Manual. So I’m looking forward to an interesting discussion and I hope you all enjoy it. Thank you very much.

Vladimir Radunovic: Thank you Thomas. So briefly what the outline of the session will look like. We’ll start with a short overview of what is the main challenge that we try to address and what is the Geneva Dialogue about. My colleague Anastasia remotely will run us through that and then we’ll play a little bit and I think that’s the point of making most of the sessions useful but also interesting. So we’ll have a scenario game with cards. and we’ll break up in groups, we’ll try to step into shoes of governments, operators of critical infrastructures, researchers. And then after that, we’ll get back to a plenary discussion to reflect a little bit on main issues that were raised. I’ll pass the floor now to Nastya to lead us through the main issues and the Geneva dialogue, and then to drive us into the scenario exercise that we’ll play. Nastya, over to you.

Anastasiya Kazakova: Hello, everyone. Happy to be here. My name is Anastasiya Kazakova. I’m a Cyber Diplomacy Knowledge Fellow at Diplo, and I’m also part of the Geneva Dialogue team. And within my 10 minutes, I’m going to briefly tell the story of what we do within Geneva Dialogue. And I think the perfect example would be this fictional story, which, of course, unfortunately, is inspired by real events. So let’s imagine a large logistics company identified as a critical infrastructure operator, which was hit by a ransomware attack because the threat actors managed to target the weak security at the company service provider. And the service provider happened to be a small company, which provides cloud services and manages the cloud infrastructure of that logistics company. Imagine a part or a whole infrastructure of your company being frozen just because you are interdependent with other companies across supply chains. But of course, you have little control over the security of other actors across supply chains. The challenge is that you are inevitably affected and your infrastructure might be at risk. And that’s, I think, one of the default scenarios across different actors across supply chains where different products, infrastructure have been interconnected with inherent vulnerabilities and the potential for malicious actors to target this. One of the main questions for us that we’ll look at and this story provides us with the example, who is responsible for taking action to mitigate cyber risks and protect critical infrastructure across borders and supply chains? Fortunately, there is some guidance. Almost 10 years ago, states formulated and agreed on a set of norms for responsible state behavior at the UN and some of the norms specifically agreed on to ensure supply chain security, report ICT vulnerabilities and also to protect critical infrastructure. 
There are questions though, how these norms guide actors in protecting critical infrastructure and how can specifically non-state stakeholders, which is the private sector, academia, civil society, technical community can implement the norms and support state’s efforts? So these are the questions that we look at the Geneva Dialogue, which is the global dialogue, we build a community and we discuss the roles, responsibilities of different actors in cyberspace to facilitate responsible behavior, implement the norms and address cyber risks. The initiative has been running since 2018 and there was a lot of work being done since then. In 2023, we started exclusively looking at the implementation of the norms and since then you can see that more than 60 contributors, which represent organizations, businesses and also individual experts who participate on a personal capacity have contributed to the Geneva Dialogue. All of these contributors come from more than 20 countries from different regions and that highlights that Geneva Dialogue is truly about the global community connecting different people in different parts of the world. In our community, we look at the four main stakeholder groups. So as I mentioned, this includes non-state stakeholders represented by the private sector and industry, academia, civil society and technical community, which is mostly represented by open source community, cybersecurity researchers and incident response experts. As there are 11 norms that we need to look at, we started discussing them step by step and in 2023, First we started with the two norms related to vulnerabilities and supply chain security. So that was the first step of our work. The outcomes were published in the Geneva Manual, the comprehensive guidance on how the stakeholders can help support the state’s efforts, other efforts in the community and implement the norms. 
This year, we expanded the scope and started looking at the three norms which we grouped as the norms related to protection of the critical infrastructure protection. We did quite a lot of work and here, there’s just some of the examples. In 2020, we already discussed different good practices, which the private sector implements to build a secure by design products and reduce vulnerabilities in them. In 2021, there was a study where we looked at the different governance approaches of selected countries to regulate the security of digital products. Essentially, that was a solid basis for us to more actively look into the implementation of the relevant norms and produce the first chapter of the manual in 2023. Structurally speaking, the Geneva Manual provides different inputs and we intentionally want to keep this document user-friendly for different stakeholders with different backgrounds. So when we discuss roles and responsibilities, there’s the first element, what when we identified a particular role, which is important to implement the norm, then we also look at the responsibilities, the incentives, this is the white element, different challenges, which stakeholders might have, which serve as a barriers for them to implement the norms and the good practices. Hopefully that might be helpful for those who are not part of the Geneva Dialogue, but who might be interested to make the contributions and find different useful experiences from Geneva Dialogue experts. And specifically when we discussed the norms related to vulnerabilities and supply chain security, we identified five roles. So you see them on the right side and specific. 
I just want to emphasize that civil society was also highlighted as one of the roles by our experts because we believe that and we heard the feedback from our experts that civil society, especially those actors who are involved in policy, advocacy and research might be a really important element putting the pressure on both state actors and the private sector to implement the norms and facilitate implementation of the relevant security practices. Today’s session is one of the first steps for us to collect international feedback which is increasingly important for us to produce the final chapter of our work this year with the focus on the critical infrastructure protections. Early next year we are going to announce the next chapter, the second chapter, with the focus on critical infrastructure protection. Just to give you a brief example of the level of discussions that we have in the Geneva Dialogue, there are some preliminary findings that we’re able to hear from our experts. I’m not going to read out all of them and we will be actually happy to share the finalized version early next year as I just said, but just to give you some of the examples of what we discussed. When we unpacked those norms which are the result of the diplomatic agreements between states at the UN, our non-state stakeholders and experts highlighted different concerns. One of them is the lack of the international efforts to understand and protect cross-jurisdictional interdependencies in some critical infrastructure sectors that might have regional international impact. The other point that we also heard is that critical infrastructure is governed by national legal frameworks and some states prefer to keep a high level of secrecy due to national security reasons. However, a lack of sufficient transparency for stakeholders, specifically domestic stakeholders, was highlighted as one of the barriers for them to support state efforts in critical infrastructure protection, and therefore different experts have highlighted that transparency about how states see the approach to protect critical assets is an important element to make sure that stakeholders are aware of those efforts. 
Another example of what we so far have heard from our experts and that would be the topic of our tabletop exercise, a lack of universal baseline or minimum cyber security requirements to protect critical infrastructure. The suggestion came from the discussion that again there’s acknowledgement that critical infrastructure is governed by national legal frameworks, however there are connections between different critical infrastructure facilities through transnational essential services or other types of the infrastructure and that actually raised different more or less universal questions about the security across the supply chains for critical infrastructure operators. The question then further how to make the different legal systems which govern critical infrastructure and the security in them more or less interoperable so the actors who face more or less the same security issues might already have a common basis at least baseline understanding on how to address those security issues. I’d like to stop here and just make a call that as I mentioned we build the community and we also welcome the input of our interested stakeholders to support our work and also contribute with their expertise. So the first chapter of the manual that we produced last year is published and you can see the link on the website. That’s open to the feedback, you can get in touch with us directly, and at the same link we are going to announce the next chapter of the Geneva manual. And ultimately we would welcome other stakeholders who are interested, who have time and passion, please join us to discuss these important topics. So thank you very much. I’d like to briefly then go to the next segment as Vlada mentioned. 
We have the table top exercise which will be the with the main focus on discussing possible universal minimum baseline security measures for critical infrastructure protection. And before we explain the rules for participants on-site and virtually, we prepared the fictional scenario and to explain it perfectly we prepared also the video and hope that will be a little bit entertainment today. So I’m gonna to launch the video and please let me know if you can hear it.

Vladimir Radunovic: We don’t hear the sound though it’s not necessary. You can try to see if you can

Anastasiya Kazakova: put the sound on but we have the script. Okay on my side the sound is the maximum.

Vladimir Radunovic: Is the sound also shared? I hope so. Even if not I mean it’s it’s very visual and it’s inside so it’s fine. Okay so I’ll continue.

Video: Something significant has happened. Mr. Martin. Come in. I’ve been waiting for you. We’ll skip the formalities. Global Flow Logistics has a big security problem. IT will handle that. We need your services to deal with a different type of problem. Needless to say, I expect absolute discretion. It wasn’t even us they targeted directly. The breach had come through Nimbus Tech Solutions. Could you explain what happened? The attackers have exploited vulnerabilities in Nimbus Tech Systems’ poor network segregation, weak access controls, and outdated patches. Once inside, they moved into the infrastructure of the cloud service provider OmniCloud, eventually further slipping into, among other clients, into GFL IT systems. I assume something similar to this scenario happened. All our systems are blocked. The key infrastructure is offline. What happened? We need answers now. I’m working as fast as I can. The threat actors breached our systems and the entire supply chain that supported critical infrastructure across the region. Get the global flow online and fast. Their infrastructure goes offline and puts the entire critical infrastructure in our country at risk. Great. Now all systems are blocked. I just had a call from the government. They are asking for answers. Ms. Wong? This was no ordinary cyber attack. It was a full-scale assault on the networks that kept modern society moving. It seems that it had all started with a simple, preventable breach in a small company. The consequences would echo for weeks. But at that moment, she only had a few hours to figure out how to stop the bleeding before the entire structure crumbled.

Anastasiya Kazakova: So that was the scenario. That was a really short explanation of what happened. And the main idea, it’s completely fictional that there was a supply chain attack targeted a large logistics company through the weak security of the company’s service provider. And that affected multiple critical infrastructure industries in the country. So currently, at this moment, we’d like to proceed discussing this scenario in several groups and I’ll just want to briefly explain the rules. The main goal would be for this scenario to discuss the three questions that we prepared in smaller groups and reflect mainly on what could be possible those minimum cybersecurity requirements for, first of all, critical infrastructure operators and relevant stakeholders, service providers to protect critical infrastructure. So we want to look at this problem from different perspectives, different lens: government, critical infrastructure industry and cybersecurity research stakeholders. And we will have also team captains for each group on site and virtually. And as I mentioned, we will have three questions for each group. Those questions you can see on the slide. So basically, one of the first questions, what universal baseline security should be mandated for the operators? The next question with a focus on the same security requirements, but for the service providers, if you see the difference between them, would you believe that might be actually a closer approach to define those security measures for service providers as for the critical infrastructure operators? And the third question, a little bit optional, if you still have the time, which steps are required at a regional international level to ensure these requirements are effectively implemented across different sectors and jurisdictions? The question mostly targets different international efforts, if you see the necessity, especially in currently complex, geopolitically complex environment. 
We mentioned we also have team captains. So on site, we will have several groups.

Vladimir Radunovic: Thank you, Nastya. But as you can see, we have quite some ladies, which is a nice surprise in cybersecurity areas, not so often. What we are going to do now, we’re going to break into, I’ll add another group because there is a huge number of people in the room. So on this side of the room, I invite everyone who wants to play a role of the government to just move there slowly. They will be led by Dr. Bushra and Melanie. On this side of the room, we’ll have all those that want to play the role of the critical infrastructure operators. Think about critical infrastructure in whatever way you want. Hospitals, transportation, energy, whatever. In this case, we have a transportation issue. Maria will lead that group. I’ll take the third group, which is the cybersecurity researchers, incident responders and techies in a way, in this part of the room. What we are going to do, my colleagues will give us the scenario. So this video that you saw, you also get in a comic book format. So we’ll have a few minutes to go to the comic book to remind ourselves. Then we’ll get the cards. Each group will have the cards, which will enable us to discuss the options, to choose a couple of cards that are priority options based on three questions that Anastasia looked at. Now, the important thing: the scenario shows something that happened, an incident. We’re not responding to an incident. We are rolling the time backwards and saying what should have we done so that this doesn’t happen. So think about rolling backwards to say if we have done this measure which says maintain and up-to-date all the digital assets of the critical infrastructure, this might not have happened, and so on. Don’t go into details of the incidents – we are trying to see how the global norms and these practical issues are connected. Okay, those that want to play the government move to that side, those that want to play the critical infrastructure move here. 
We’ll have about 20-25 minutes to discuss in groups and the colleagues the leaders will tell us what to do. Thank you.

Anastasiya Kazakova: All right, so we will proceed virtually. I hope the participants on site can hear us. So Kaleem, the floor to you, and I will start sharing the screen.

Kaleem Usmani: Thank you very much, Anastasia, and good afternoon, everyone. As Anastasia has mentioned, we are the Cybersecurity Research Stakeholder Group, and then, as announced before just starting this scenario, we are having some 20-25 minutes, and we are having three questions in a round. One, universal baseline cybersecurity measures should be mandated for CI operators to protect their infrastructure. And again, in terms of the CI operators, in terms of the service providers, so basically what we’re trying to do here is that we are encouraging the participants to come up with their suggestions, and then we will be opening the floor soon. We will also be having our colleague, Nicolas, who will be again talking about the first question on to the CI operators. So, we will wait a little bit on to that and then maybe we can start.

Nicolas Grunder: Yeah, thank you very much, Kaleem. I think I would not add too many more words, as we only have 25 minutes, I suggest that we just get started, right? And Anastasia, I was not so sure with the cards, it’s probably difficult to pull up the cards with suggestions, right? So, maybe we… So, I suggest that we maybe just start with someone from the participants, considering what should be some baseline security measures and suggestions. I think we should just open the discussion of anyone who would propose a suggestion and why you would have such a suggestion.

Kaleem Usmani: So, I think we’re having one hand raised, Imad, please go ahead.

Imad Aad: One thing that comes to my mind for researchers to make some requirements for critical infrastructure operators is first to understand the critical infrastructure first. It’s not clear for all the researchers what is a critical infrastructure even in their own country. Second thing, they don’t know what is the supply chain of this critical infrastructure, right? Here, there’s a big question which is, should the critical infrastructure make it transparent? How they depend, what are their providers, there are some pros and some cons against this.

Kaleem Usmani: All right, maybe also another aspect of it is that we are trying to focus from the organizational and the technical measures. So meaning to say that what could be the organizational measures that these CII operators, they should be putting in place and as well as the technical measures, what they should be putting in place. As Imad said that first of all, it is important for us to understand that what are the critical infrastructure, what it is, how do we identify that, how do we carry out the assessment, what organizational structure is required. So I think these are the aspects and Nicolas, I think we will be having one more hand raised, Paola. So Paola, please go ahead. Thank you. Thank you.

Paola Nkandu Haamaundu: Thank you Dr. Kaleem. Just adding on to what the previous contribution was, understanding what critical infrastructure is. So for instance, if the nation deems that maybe the health sector is critical infrastructure, what the health sector should do as a start is to identify what assets they are in charge of, what assets they have. That way, they’ll be able to know what needs to be protected, what should be classified as high risk, what should be classified as low risk. And this is maybe more on the operational side. So they should be able to understand what assets they have as the health sector, what’s critical for the nation to have and to deem as critical infrastructure, what should be protected first. If the health sector was attacked, what would cause the biggest challenge to the health sector? So a basic understanding of what the assets are, or sort of like an asset inventory.

Kaleem Usmani: All right. Thank you, Paola. So I think again, the question which is coming here is that how do we identify critical infrastructures and what are the ways of doing it? So maybe we are having Nicolas on board from ABB. Nicolas, would you be able to share a little bit of experience where what are the ways and what are the sort of, in a way, baseline questions or kind of a checklist, which helps the organizations in order to identify their critical infrastructures? Obviously, in different countries, critical infrastructures, they vary a little bit as compared to the other country. But as per your experience, Nicolas, would you quickly tell us a little bit about how to identify and then how to carry out the risk identification around so that clearly they’re able to identify which sectors are or could be considered as critical?

Nicolas Grunder: It may vary between the countries depending on the industries they’re actually having. But I think what is something common is looking at the impact. So what impact does it have if a certain company or a certain type of providers of infrastructure would be taken out of service, either partially or completely, and what impact does it have on individuals on the functioning of certain services. And it’s basically about defining the services that are critical for functioning of society, right. So, of course, it’s very, very high level but but I think that that would be something important as we have heard is, if there is at least some sort of a common understanding and I think now looking at from an info for also from a provider of products into critical infrastructure so basically looking at the supply chain. That’s of course is important for the providers of products into critical infrastructure because we will have to to actually employ and deploy and develop cybersecurity measures for the products that are then secure to be used in these critical infrastructures. So so looking at the question what what is what is the universal baseline. I think that this probably difficult to formulate conclusively what is critical infrastructure but giving some of the criteria, what, based on the impact, it can have, I think, I think that that would be certainly helpful.

Kaleem Usmani: Thank you. Thank you, Nicolas, and also, I think, along with this particular group we are having two other experts, and one is Klée from FIRST and one is Kazuo. And maybe we can also hear from Klée. Klée, do you have some sort of explanation around what Nicolas has added, clearly that how and what are the best practices for identifying critical infrastructures, because normally we see that, as Nicolas mentioned, that’s the key, that’s the key once we have, and then also some reflection onto the part of the governance and the risk management, that how the whole governance of this critical information infrastructure protection has to happen in a country, and then we move on to the next level of understanding. So Klée, the floor is yours.

Klée Aiken: Good everyone and thanks Kaleem. I hope everyone can can hear me okay. Yeah I think you know in terms of the basic baseline cyber security measures and things like that obviously there’s the normal level that you’d expect from any type of organization but by being critical infrastructure you do have these additional requirements that are placed upon your organization. In terms of determining which organizations fall into that category it’s very much determined by each individual government and their approach and their perspective. You know we’ve had conversations with folks in the Pacific for example where you know certain cultural aspects or assets or tourism related assets that wouldn’t necessarily be considered critical infrastructure in other countries were deemed critical infrastructure at least in the exercises that we were doing. So it’s really important as Nicolas said to look at what is that impact on the individual economy. So that’s national security perspective, that’s an economic perspective and most importantly is looking also at the human impact both directly in terms of you know for example health and human services and that impact on people’s health and their ability to get treatment and emergency care but also kind of the flow-on impacts that can that can have effects on individuals. Last or two weeks ago, we were on a panel and one of the speakers was speaking about the ransomware incident in Australia last year. And one of the challenges that they faced was finding means to coordinate between the federal government, the state governments, and being able to reach from a cyber perspective into women’s shelters, because very sensitive information about folks staying in those facilities were leaked through the ransomware incident. So you have to really focus on those kind of flow on third order impacts that wouldn’t necessarily come to mind. So critical infrastructure can get very complicated to define. 
But yeah, it’s just important to focus on that impact on individuals, national security, and economy. Thank you.

Kaleem Usmani: Thank you very much, Klée. And another aspect also is in terms of organizational measures we have been talking about. And then also, the other important aspect is the technical measures, because both are the combination. Because if you want to put it in a more structured, then obviously both organization and technical measures are important, because organizational measures normally govern the whole technical measures implementation. So we are having a hand, and then maybe we’ll get back to Kazuo on the technical measures. Imad, you have the floor, and then we move on.

Imad Aad: Yeah. Here I am again. Regarding the impact, it is very complicated to measure the impact of a flow in a given infrastructure because of the dependencies. Let’s say if you are cutting water, okay, water is critical infrastructure. And then how long will the society survive just because of the lack of water, but it’s also for cooling, for instance, for cooling generators or for cooling whatever, then electricity might depend on the water. Everything else depends on the electricity. And trying to measure how much dependent water is on electricity or vice versa, this is super hard, right? What may help in this direction, what may help the researchers is, for each critical infrastructure service, they can define what they depend on and what other stuff depends on them. So input and output dependencies. This may be helpful for researchers, right? In order to assess the impact of attacks.

Kaleem Usmani: Sure. Thank you very much. I think interdependencies is the key into defining the critical infrastructures. I totally agree. And this is an area, which is a complex area, which we need to look into and work onto. And I think for today’s discussion, interdependencies of the critical infrastructure is one of the areas to be discussed and have a thought process onto that. Imad, do you want to say something?

Imad Aad: Yeah, I would add to the note that it’s inward and outward for each service. So it’s not only if I am electricity, I’m an electricity provider. It’s not only what I depend on, but I can also list what other services depend on me. You see what I mean? Yeah, thanks.

Nicolas Grunder: I just may add, I’ve just seen a comment that Paolo Carlos made and he mentioned continuity planning. And I think this is a very important baseline that… So what’s the goal of protecting critical infrastructure? So the goal is that it actually, it can continue to operate and having the business continuity and the recovery planning in place, having played that, I think that is also an important requirement that actually should be applicable across the board, regardless of jurisdiction, right? Because you want to keep it running.

Kaleem Usmani: Thanks. Thanks, Nicolas. And again, that’s again a good point, of course, continuity and business continuity is important, and especially here, we are talking about the design and that is, again, an important aspect. So maybe even Kazuo is with us. And Kazuo?

Kazuo Noguchi: Yes, great targets here already. Ultimately, for critical infrastructure to be sustainable or resilient, any attacks can be tolerated. So how long it can be sustained, regardless of attacks, how to create not to be kind of down. So that’s one of the resilience measure. But impact analysis, I totally agree the consequences, as well as the risks measure, particularly to the human lives. And from that, investment and the priorities and the resources should be allocated accordingly. But critical infrastructure named based on the countries like 15 or 13 or 18. But those are adding based on the risks and human lives these days for the technical advancement. In addition, these new additional things such as AI can be impacted quite well, positively and negatively, how to make those measures or risks or consequences human lives should be properly put into the context. So let me stop here.

Kaleem Usmani: Thank you. And so obviously, as the discussion is moving towards that, how do we identify how to identify the services? What is the importance of interdependencies inward and outward? Again, secure your supply chain. This is again is coming up out of this particular discussion. Even impact analysis is important. I think this was mentioned by Nicolas as well as Klée. This is also something what we need to have once we are talking about the baseline security measures which we need to have and we move on accordingly. So still I think we are having some three to four minutes for us to discuss from that. Any other questions from the floor maybe that we can take it up and then we can summarize quickly and then we can have a last round with the experts here and then maybe then we can wrap up this part of the discussion. So any questions from the floor? Paola, you have the floor.

Paola Nkandu Haamaundu: Thanks. Maybe not a question per se but I think there should also be an aspect of training for the employees and awareness because of the industry or because of how quickly cybersecurity changes and things are moving. There’s constant need to be up to date with how to protect critical infrastructure. So there’s need for training for staff that are working on that critical infrastructure but also the general awareness for staff that interact with the infrastructure. Thank you.

Kaleem Usmani: And coming back one more thing which is connecting of course because even training and awareness is important. Another aspect also once we are talking about the technical measures here is again compliance and standards and I think that connects a part of very much as a cybersecurity measure onto the CI operators. So maybe I can open the floor to the experts and around compliance and standards for this as a cybersecurity measure for the CI operators and then maybe we can wrap up this session here. So I’ll start with Nicolas and then Klée and then to Kazuo and for that if there is any final question which we have that we can take it up and then we can close. So over to you Nicolas.

Nicolas Grunder: Thank you Kaleem. I think I mean standards is absolutely essential especially if you look at it from the perspective of a globally operating company. I think that is where the big benefit of cooperation or global cooperation is essential, that there are certain standards that you can also rely upon and that you know they apply in country A and in country B and in country C and that would then be actually the real baseline. I’m now trying to look, I’m a lawyer so I’m not a researcher, but trying to look at it from a researcher’s perspective, I think that is where researchers can play a huge, huge role in actually defining these standards, right? Because that’s something when you look at it from a technical perspective, that’s very much something where the researchers will actually provide the input.

Kaleem Usmani: Thank you. Thank you, Nicolas. Over to you, Klée, for your final thoughts.

Klée Aiken: Yeah, definitely. So with standards and compliance, you know, there’s obviously the clear value of the standards to help teams to uplift their cybersecurity, but there’s also kind of the responsibility on government when you’re defining certain industries and certain organizations as critical infrastructure to create certainty of the expectations that you have on the companies. So that’s a pretty critical role that can be played and you can look not only at the technical standards and technical expectations and policies that need to be in place, but also responsibilities around reporting as well as communications. Because again, we’re looking at critical infrastructure because of the flow-on impact that it has on the wider economy and individuals. So thinking about other aspects beyond just technical expectations when you’re developing these types of standards is quite important. Thank you very much, Klee.

Kazuo Noguchi: Yes. So, ultimately, global supply chains are really complex, and including small companies and small nations, and built onto supply chain, software, hardware, IoT, and the people in the supply chain, and how to make sure that the end-to-end is working well, and all the service providers to protect those, including databases, as well as those chains, and the hardware chains, which is part of this exercise, but software supply chain, there is also, and the database are all connected. So, all the researchers to analyze those, and some vulnerabilities to get to know and protect constantly, those are the part of the measures, particularly automated things are coming up, and all connected, physical, as well as the virtual things. This case is cloud, which is a new type of, perhaps, political infrastructure category, perhaps. So, how we can make sure that all connected things can be protected well. So, those are going forward. Thank you.

Kaleem Usmani: Thank you very much, Kazuo. So, more or less, I think we are getting into the shape of understanding that what should be the basic or baseline cybersecurity measures should be mandated for a CI operation. And the discussion which has come up here is, how do you identify? What are the ways of identifying and understanding the structure of the CI? I think this is another aspect which we have been talking about. Interdependencies was something, again, we have been discussing that how the interdependencies inbound and outbound, that has to be seen in order for us to look at the complete visibility of the supply chain attacks, in order to identify the CIS and accordingly put subsidy measures in place. We also have been talking about the impact analysis because this is impact analysis is important in order for you to identify whether the CI is critical or not. This is, again, I think what we have been talking about. Another discussion which came up as a baseline cybersecurity is also the business continuity and even the incident response plans, they’re important aspect of having that baseline cybersecurity measure in place for the CI operators. Also, we have been- We start? And then obviously implement the vulnerability management and of course, securing the data, that’s the data protection. So that’s the important aspect.

Vladimir Radunovic: Thank you, Nastya. Playing in different shoes. Oh. Just scratching the surface, what are some of the issues? Certainly we’ll be waiting for the next step to define more of those kinds of- See how to-

Anastasiya Kazakova: Vlada, apologies. I think we can’t really hear you properly. You are disappearing from time to time.

Vladimir Radunovic: Ah, this one, yeah. I didn’t sing enough, you know. If I sang enough, I would know how to mic. Thank you. Thank you. Okay, we move to the last part of our session. To discuss a little bit, couple of questions that we had for round table. And we start with a question on, well, Nastya, you can probably show the questions. We start with a practical aspect, then we try to connect with cyber norms and confidence building measures. At this point, I’ll pass the floor to Melanie to lead, but I invite you to jump at any point, raise a hand. We wanna interact, right? Melanie, over to you.

Melanie Kolbe-Guyot: Fantastic, so please, now we’re starting out with our discussion rounds. And I really invite everyone to also report from their group what they found was most interesting, speaking also a little bit from which perspective you were talking about, and also what your reasoning was. So the first question we wanna discuss is, how can we effectively protect critical infrastructure, facilities, and assets that do have national, regional, or international impact? So in particular, what practical measures should be implemented? And importantly, which stakeholders need to be engaged in this? Right, so we’re trying to kind of go between our online audience and the in-room audience. I would like to start very quickly with our Zoom people. Nicolas, would you start out?

Nicolas Grunder: Yeah, Melanie, thank you very much. And I’m also reporting a little bit of what we discussed in the group, and we were the researchers group. And interestingly, the first questions from the perspective of the researchers, what is actually critical infrastructure? And so we delved a bit into that topic and seeing that critical infrastructure might be defined differently from jurisdictions, but essentially, what we’ve seen important is that there is some sort of a baseline that is developed based on… on the impact that an incident can have. And then we very quickly, we started talking about standards as well, which I think we all think it can be very beneficial and standards, not only being technical standards, yes, that’s an important part of it, but also organizational standards, incident response notifications, et cetera, et cetera. So it’s that kind of broad array, but let me open the discussion again to the group of people as well.

Melanie Kolbe-Guyot: Great, fantastic. Someone else, what practical measures do you think are really important? Anyone in the room who would like to give it a go? Yes. Volunteers? Dr. Bushra, go ahead.

Bushra AlBlooshi: So thank you so much, first of all, for the invitation and for the very nice interactive session that we had so far. Just to reflect on a few practices that we’ve been doing in United Arab Emirates or in Dubai and few of the practices that we were doing also internationally with the World Economic Forum. Reaching to an agreement, what is critical infrastructure and reaching to a common agreement at the regional level or national level might be challenging, but reaching to unified agreement to the policies regulations that we can all deploy on our service providers, whether those service providers are cloud providers, software providers, or even critical infrastructure operators themselves, I think we are all doing common things but we need just to come together in order to say, okay, those are common things, let’s agree on them internationally. And we published a report with the World Economic Forum in 2021, where we were calling for harmonized certification for individuals, professionals, service providers, and even products. You can find the report in WEF website, its call for harmonized certification report with the World Economic Forum. Out of that report, actually, there was an action that was taken forward. So there is an international coalition that was created for cyber security professional certification where more countries came together, and we met last November in Wilton Park, and we came out with agreed, let’s say, set of definitions for certification accreditation within the professional domain. If that can be done for cyber security professionals, why not for other domains? Why not for cloud providers? Why not for software? And also there is a platform for certifying hardware devices. It’s called Common Criteria, and with multiple countries, they came together. They are agreeing on minimum security requirements for hardware devices. 
And ICT hardware devices, if that can be also done, and it was done, and it was proven to be effective, then we can do something similar at provider’s level or even software level. So for me, priority one is to agree, whether regionally or internationally, on the minimum security requirements, certification requirements that can be done for the service providers. Why I need to certify cloud provider in multiple countries with the same regulations or same requirements.

Melanie Kolbe-Guyot: Thank you. Dr. Bushra, this is precisely what we were actually talking about in our group, which was the government group. It’s like some sort of credential, some kind of checkup system and management of the service providers, and especially those four critical infrastructure providers. Let me revert back to our Zoom. Kazuo, could you chime in, please?

Kazuo Noguchi: Yeah. Thank you, Melanie. It was a really interesting scenario case that we had in a short period of time. To remind myself for the question that Brad mentioned, how to make it better before it happens. One of the critical things for the infrastructure provider is that the backup, backup, backup. And backup system in the different geography and the countries and regions, so that the spread, there are risks. That’s one thing that we can do. The difficult part here, the scenario is a new one, global cloud provider. Sometimes difficult to know, identify single point of failure, it’s great to have as a measure. And the data perspectives for the supply chain, including people, sometimes happening, how to make the measure so that that data integrity, also the hardware, software, supply chain’s integrity should make properly. And the zero trust architecture is coming up. For instance, the development, also the good for security by design and the default for the users. So risk scenario. We talked in this, the online discussions, how to make the good consequences risk assessment and all interdependent to the business as well as people, how to make that impact analysis to clarify how critical it is. And to based on those critical infrastructures level, how to make the prepared investment and prepare not to happen. And for the resilience perspective, although cloud may be not working, but there may be the way to get around. And for the United Nations, GGE and OEWG 11 norms, those are great starting point for the operationalization. As Anastasia mentioned, this one is good guide and good capacity building for that is ultimately the confidence building. And also the confidence building, meaning that communicate well. And the UN Open Networking Group started the point of contacts globally, more than 110 countries. And communicate through those, for the private or stakeholders are good or initiative through all the channels of nation jurisdictions. 
Finally, on the prevention and resilience coming up, some are identified, but on prevention, how to make the better use of AI for instance to detect and to address the vulnerabilities beforehand what’s happening, but ultimately for the operators to be sustainable, that’s critical for life. Yeah, thank you for this opportunity.

Melanie Kolbe-Guyot: Thank you Kazuo. You packed up a bunch of operationalizations. Thank you very much to also put this a little bit in the global perspective, in the interdependence between service provider critical infrastructures and of course the governments. I would like to see one more person from our live audience. Yes, we have someone. Fantastic. Thank you.

Audience: Thank you. I’m assuming here that the hacker and the country that has been hacked are in peace, I mean between their two countries. However, there is a probability that both countries are in war. And I’m believing that there should be a framework under the United Nations with a certain of infrastructure. No? Shall I repeat? With a listed infrastructure items and should be agreed between everywhere around the world that those elements should not be touched in peace or wars by cyber crimes. For example, even if there is a war, electricity, water and transportation shouldn’t be touched or affected even in those sort of nonsenses. I think this is one of the agreements that should be in place these days, you know, in order to avoid such… future problems.

Melanie Kolbe-Guyot: Thank you, fantastic, and you kind of skipped a bit to question number three already, because that’s exactly an important point to consider. So we will come back to this, thank you. So let’s move to the second question. Now, we looked at the practical measures, and we kind of want to come back to what the roles of cyber norms is, right? The roles of cyber norms, especially FG&H, that’s been discussed, and confidence-building measures, CBMs, when it comes to the protection of critical infrastructure. So they are voluntary in nature, right? Do you think they have an impact on the protection of critical infrastructure, although they’re clearly voluntary? Vlada, go ahead.

Vladimir Radunovic: Yes, I actually wanted to connect to what our colleague mentioned. The context that we are discussing this is the UN agreement within the General Assembly, ultimately before, by all the states of the UN, about these cyber norms and confidence-building measures. And exactly as you said, one of the norms is do not attack each other’s critical infrastructure, and boost the resilience of each other’s infrastructure. And some of the CBMs, the confidence-building measures that the countries have agreed, include something that we have in the cards and that we have discussed in the groups, such as work on understanding how each country defines the critical infrastructure. Sorry, probably we’ll never be able to agree. This is a common agreement of what is critical infrastructure everywhere. But this is one of the CBMs to try to exchange it and understand. And then the other one is capacity-building, which we mentioned in our group, I guess, in ours, in others, capacity-building across the board of the governments, but also, for instance, there was a good point of training of the suppliers towards their customers in critical infrastructure. What are the risks? So what I want to say is, even if these norms are voluntary, all the states have agreed. Even if they would be binding, it’s a good question if states would be adhering to them. We see breaking the international law every day. But I think the measures that we discussed are very practical ones which directly contribute to implementing the norms and CBMs. My question, maybe back, is to what extent the governments, which made the agreement understand this, that this is the implementation? Back to you, Melanie.

Melanie Kolbe-Guyot: Thank you so much. Kaleem, actually, we’re calling you as the head of CERT in Mauritius.

Kaleem Usmani: Thank you, Melania. And I think that this is a good question. All the way with the rule of cyber norms and confidence building emerges when it comes to the protection of CIE. Does the voluntary nature have an impact on the protection of CIE? And I think the answer is very much yes. And this is what Vladimir has been talking about. And there are a few things around quickly how they’re going to help. And being voluntary in nature, all these 11 norms, and especially I think this is what we have been studying. So what they basically do and how they help. And though they are voluntary, first of all, what they do is that they try to reduce the risk of cyber attacks. And I think that’s the point what we are talking about. And why they do that? Because the norms establish the prohibition of cyber attacks on critical infrastructure during a peacetime. And examples are even very much mentioned into the GGE report of 2021 and the OEW report of 2021 as well as what we are talking right now through the OEWG dialogue which is going on currently. And then it will be maturing in July 2025. So yes. And then also one of the components here is that they act as a deterrent, in fact, against state-sponsored threats by increasing accountability. So I think that’s another aspect which, again, where voluntary non-binding norms, they help into protecting critical infrastructures because there are some three, four norms are specifically around CIIs if you look at the all 11 norms and including the supply chain and the vulnerability. So, of course, they all connect. Now, also, they foster international cooperation if we talk on those lines. and especially sharing the threat intelligence content against targeting CIIs. And also the states collaborate under these principles to build a global resilience to cyber threats. That’s another aspect I think, that’s how the norms, they help into protecting CIIs. And also they enhance the incident reporting mechanism. 
This is, I think, coming from the technical community. That’s an important aspect once we are talking about the incident handling and resolution of the critical infrastructure, especially, for example, into the SCADA systems or the technology environment. And maybe also the last comment which I wanted to add here is the promoting accountability and responsible behavior. And I think that’s what the gentleman from the audience has said, that there has to be some sort of an agreement where the states, they should not be attacking to the essential services law. Like, for example, electric grid or water supply. So that’s another aspect, and this is where the contribution of the incident response team that comes to picture. So maybe I’ll stop here. I thank you very much for giving me the floor.

Melanie Kolbe-Guyot: Thank you, Kaleem. Thank you very much. We have one more intervention from the audience.

Audience: So this intervention is within the context of the Tallinn discussions and the two consequent manuals that have been released. So there has been international consensus on the fact that you cannot attack cyber critical infrastructure, but the problem lies in identifying those infrastructures. And a potential solution for this could be regional cooperation. For example, where we are at the Middle East could agree on any infrastructure relating to oil could be critical to them and it could be established and there could be regional cooperation setting up a body of its own for the region. And this could be done globally with certain regions focusing on their own vulnerabilities. And then this could potentially pave the way forward for international cooperation.

Melanie Kolbe-Guyot: Right, before we move to the last question, any more assessments on the impact that you think cyber norms and CBMs can have? All right, then let’s move on to the last question, and we kind of had these little nuggets of this conversation already in the previous minutes. So the question is like, is it reasonable to expect cyber operations to avoid targeting these critical infrastructures? And we’re talking here particularly about in context of peace times, right? Or is this an unrealistic expectation? And how do we establish this kind of accountability for harm that is caused by threats to critical infrastructure, especially when the agreed upon norms are being violated? So these are two kind of questions in one, but you are free to only answer to one of them. Maria, please go ahead.

Maria Pericàs Riera: Yeah, first of all, thank you. Thank you for giving me the opportunity to be here today. So first of all, I would like to talk briefly about what has been mentioned about the identification of critical infrastructure at the nation level. So I will here like to introduce the project that we have done at the DGAP. It’s called German Council on Foreign Relations. If you have any questions, then you can come to me and I will really talk a bit more individually with you about it. So what we have tried to see is to identify or to look at every country in the world, all the 190 plus something nations worldwide, and see what each country considers as critical infrastructures. And one of our main takeaways is that it’s very different worldwide. So for example, even when you check energy sector, this can mean very different things across the globe. And yeah, during our study, we’re not trying to see, okay, you should consider this or this or that as critical, but rather to see how diverse it can be and how complicated it can be. So we’re just like acknowledging that this is a huge task. Our second takeaway would be that there are still many, many countries all over the world. It was over 40% of countries worldwide that haven’t publicly announced what is critical for them. So when I was doing this research, I was checking at all, I don’t know, constitution, ministries, websites, et cetera, to see what is critical for them, but still, this DGAP tries to be a disaster. Otherwise, again, is it better now? Thank you. So if you check the database and you see that some countries that you know that they have defined it have been omitted, please let me know, and we would love to introduce this. 
And regarding the accountability of these norms, I’m not the person that can say if they’re going to help or not in avoiding attacks on critical infrastructure during peacetime, but I think that at least the first step of a country saying, okay, this is critical for me, and then this respective country trying to create some type of critical infrastructure resilience, and then getting in contact with the service providers and critical infrastructure providers is already going to be a great step in order to promote the resilience of the providers, because, for example, our group, we were the critical infrastructure operator, and then we saw how many things can go wrong in one second and how interconnected we are. So yeah, these are my thoughts on this, but also, if some people from our group wants to contribute or say or mention something, please feel free to do so.

Melanie Kolbe-Guyot: Yeah. Can I just pick up on this? So yes, this is one of the issues we also in the Geneva Dialogue had the questions like we can endlessly talk about what is critical infrastructure and what is not, and it’s actually complicated because there’s a diversity across contexts, but yes, at some point, there might be some exchange necessary to understand this. At the same time, we can go very simple and say electricity grids. It’s probably, I think, probably in all contexts, we would agree that’s critical infrastructure, right? Okay. Or nuclear power plants. Right? Okay. So let’s assume we have one definition in mind. Is it reasonable to accept to expect and pursue norm violations that targeting, for example, electricity grids during peacetimes? Is this? Is this a reality? Is this something we that’s reasonable to expect? Or are we like, yeah, well, probably not. I just remember we had Volt Typhoon attack in the Salt Typhoon attack in the US, where exactly these kind of things were prepared, prepared for. Let’s go ahead.

Vladimir Radunovic: This one is probably better. Based on this, I’m thinking one thing is whether the states are going to avoid attacking each other, particularly in peacetime, which I guess and I don’t know if anyone here from the defense sector, but I suppose the defense sector would say, Okay, if we have a conflict, there are no borders. And in peacetime, we can call it a peacetime. I’m not sure they would avoid doing that. But I have another concern is that sometimes it can be an attack against the omni cloud. And the attackers actually do not know that they will cause the spillover effect on one or more critical infrastructures. So we are back to that question, not only how we define critical infrastructure, but do we know the dependencies of all those critical infrastructure on the service providers, cloud software, and so on.

Melanie Kolbe-Guyot: Dr. Bushra, please.

Bushra AlBlooshi: Yeah, I can I can reflect on that very good point that Vladimir raised, I think from a nation, a nation perspective, it’s very important to define critical infrastructure, then define also the assets related to each sector and the sector lead and who’s doing what, this is the first step. And this is what we did. This is what we did in Dubai, it took us a while till we came out with that model, what is a critical and then what are the critical services from a business point of view, it should be done absolutely from business point of view. And then you start defining the critical assets from IT point of view. Then we also did one more important exercise. What are the interdependencies between those critical infrastructure? What is the interdependency between the power sector and transportation sector? What if the power sector goes down? How the transportation will react? How all other sectors will react? And what are the countermeasures or the agreements that we need to take at the nation level? So I think starting from the national level is very important, and then building up the other types of collaboration at the regional level or international level are considered as next steps.

Melanie Kolbe-Guyot: Thank you very much for this good illustration of how to identify these questions and interdependencies. Fantastic. So we’re on the finishing line, and I’ll hand back to Vlada, no, to Nastia, to give us our last closing remarks.

Anastasiya Kazakova: Yeah, and before that, if you allow, I’ll just probably a quick follow-up question to Dr. Bushra, because that was a really important also aspect for the second chapter of the Geneva Manual. So Dr. Bushra, if you could quickly share, is there also a defined approach? How does Dubai approach the security of those interdependencies and services which are provided by foreign companies and overseas actors?

Bushra AlBlooshi: Just briefly, because for the sake of time, I think we are limited in time here. So we have plans for each interdependency. By the way, our critical infrastructure sectors is already in our website, desc.gov.ae. You can find the critical sectors, and for each sector, we define what are the interdependencies, and if one sector goes down, what we should expect from the other sector. For example, power sector, they said if our systems goes down, we are expecting that the critical infrastructure on the other side, transportation, for example, they can react and they can operate for four hours till we bring up the service up. And in that case, transportation, they should make sure that they have generator that can operate if the power goes down in Dubai.

Melanie Kolbe-Guyot: Thank you so much. Nastya, back to you.

Anastasiya Kazakova: Thank you very much. That was really helpful. We’ll finalize on the now side. We just wanted to… briefly share the key insights what we discussed virtually in our groups and perhaps that might be also helpful maybe some thought-provoking photo for the audience on site. So we from the cybersecurity research perspective discussed the measures so which should be mandated for critical infrastructure operators to protect the infrastructure and some of the key insights so we definitely most of the inputs were about a better understanding of the what’s actually critical is and understanding the asset inventory what are those assets that needs to be protected what are those dependencies inward outward securing those dependencies and looking also more comprehensively at your supply chain. The participants we also discussed the importance of conducting impact analysis and threat assessment given the regional and local specifics of the facilities and an infrastructure and you also probably see that we specifically pointed out to the necessity to ensure the compliance with applicable standards and laws and implement vulnerability management and securing the data. So that was some of the insights that we discussed so far. I will open the floor if anyone has any further comments from the virtual group.

Kaleem Usmani: Thank you very much. Just the last question, where we have been talking about the interdependencies, and interdependencies, as you mentioned, about how the overseas foreign actors come into the picture. Normally what we did at the level of the country here is that we have a clear guideline which talks about how the interdependencies have to be dealt with. So what we did is that we have come up with the full-fledged CIIP framework, and that CIIP framework is connected with the national information infrastructure guideline and which in a way the implementation of the CIIs, and that has a very clear baseline on how both overseas and the local CII operators have to interact with each other. So this is what we are basically trying to do to ensure this particular guideline, so that there are clear-cut actions that are required in order for them to carry out their risk assessment and the major gap in terms of the vulnerabilities and the weaknesses they have in their system, so that the CII operators are in a position to guide their operators in order to implement those. So thank you very much. That’s the point which I wanted to make.

Vladimir Radunovic: Probably time to wrap up. Thank you so much for the online group there. I hope you also had fun. Thank you all for being with us. I want to just with a few lines close this. The next steps we are working on is trying to finalize the Geneva Manual like this on the vulnerability disclosure and supply chain about critical infrastructure. The game we did is not finalized so I hope by mid next year we’ll have the next manual. We’ll have the games as well, probably more cards, more scenarios. Everything will be open for the audience. Now what is critical for us is that in this process of shaping the final document we get as many voices particularly around the world from developing countries which honestly we’re still missing. So if any one of you want or know someone of the companies, technical community, civil society, open source community regulators, that want to get involved in Geneva Dialogue and provide their feedbacks and experiences, please do. You’ll find us around the Diplo booth over there today and tomorrow still. And then with this we close this discussion. much the civil society in this discussion. You’ll notice that in discussions about vulnerability disclosure, we did have a particular actor on civil society. We should reflect on that more. But in the meantime, the next session here in this room is connecting to that. And the question is, how do we make sure that the global civil society gets more engaged in these sometimes rather technical discussions about standards, security, Internet governance, and so on. So stay in the room for the next session. We’ll come back in 10 minutes. With that, I thank you so much.

Nicolas Grunder

Speech speed: 122 words per minute

Speech length: 762 words

Speech time: 372 seconds

Importance of understanding what constitutes critical infrastructure

Explanation

Nicolas Grunder emphasized the need to define critical infrastructure. He noted that this definition might vary across jurisdictions, but it’s essential to have a baseline understanding based on the potential impact of incidents.

Evidence

The discussion in the researchers group focused on this topic as a starting point.

Major Discussion Point

Identifying and Defining Critical Infrastructure

Agreed with

Bushra AlBlooshi

Maria Pericàs Riera

Kaleem Usmani

Agreed on

Importance of defining and identifying critical infrastructure

Importance of business continuity and incident response planning

Explanation

Nicolas Grunder stressed the importance of having robust business continuity and incident response plans in place for critical infrastructure. He argued that these plans are crucial for maintaining operations and recovering quickly in the event of a cyber incident.

Major Discussion Point

Protecting Critical Infrastructure

Bushra AlBlooshi

Speech speed: 158 words per minute

Speech length: 720 words

Speech time: 272 seconds

Need for common agreement on critical infrastructure definitions at regional/international level

Explanation

Dr. Bushra AlBlooshi highlighted the importance of reaching a unified agreement on policies and regulations for service providers, including cloud providers, software providers, and critical infrastructure operators. She suggested that while defining critical infrastructure might be challenging, agreeing on common security requirements is achievable.

Evidence

She mentioned a report published with the World Economic Forum in 2021 calling for harmonized certification for individuals, professionals, service providers, and products.

Major Discussion Point

Identifying and Defining Critical Infrastructure

Agreed with

Nicolas Grunder

Maria Pericàs Riera

Kaleem Usmani

Agreed on

Importance of defining and identifying critical infrastructure

Differed with

Maria Pericàs Riera

Differed on

Approach to defining critical infrastructure

Complexity of interdependencies between different infrastructure sectors

Explanation

Dr. Bushra AlBlooshi discussed the complex interdependencies between different critical infrastructure sectors. She emphasized the importance of understanding these relationships and planning for scenarios where one sector’s failure impacts others.

Evidence

She provided an example from Dubai, where they mapped interdependencies between sectors like power and transportation, and planned for scenarios such as power outages affecting transportation.

Major Discussion Point

Challenges in Critical Infrastructure Protection

Agreed with

Anastasiya Kazakova

Vladimir Radunovic

Agreed on

Need for addressing interdependencies in critical infrastructure

Anastasiya Kazakova

Speech speed: 150 words per minute

Speech length: 2827 words

Speech time: 1125 seconds

Challenges in identifying cross-jurisdictional interdependencies in critical infrastructure

Explanation

Anastasiya Kazakova pointed out the difficulty in understanding and protecting cross-jurisdictional interdependencies in critical infrastructure sectors. This challenge arises from the interconnected nature of infrastructure across different countries and regions.

Major Discussion Point

Identifying and Defining Critical Infrastructure

Agreed with

Vladimir Radunovic

Bushra AlBlooshi

Agreed on

Need for addressing interdependencies in critical infrastructure

Need for universal baseline security requirements for critical infrastructure

Explanation

Kazakova highlighted the necessity for universal baseline or minimum cybersecurity requirements to protect critical infrastructure. This was suggested as a way to address the challenges posed by transnational essential services and infrastructure connections.

Major Discussion Point

Protecting Critical Infrastructure

Lack of transparency from some states about critical infrastructure protection approaches

Explanation

Anastasiya Kazakova highlighted the issue of some states maintaining high levels of secrecy around their critical infrastructure protection approaches due to national security concerns. This lack of transparency can hinder stakeholders’ ability to support state efforts in protecting critical infrastructure.

Major Discussion Point

Challenges in Critical Infrastructure Protection

Kaleem Usmani

Speech speed: 149 words per minute

Speech length: 2043 words

Speech time: 820 seconds

Importance of conducting asset inventory and impact analysis for critical infrastructure

Explanation

Kaleem Usmani emphasized the need for critical infrastructure operators to conduct thorough asset inventories and impact analyses. This process helps identify what needs to be protected and prioritize security measures based on potential impacts.

Evidence

Usmani mentioned that this approach was implemented in his country through a comprehensive CIIP framework connected with national information infrastructure guidelines.

Major Discussion Point

Identifying and Defining Critical Infrastructure

Agreed with

Nicolas Grunder

Bushra AlBlooshi

Maria Pericàs Riera

Agreed on

Importance of defining and identifying critical infrastructure

Cyber norms help reduce risk of attacks on critical infrastructure

Explanation

Kaleem Usmani argued that cyber norms, even though voluntary, have a positive impact on protecting critical infrastructure. He explained that these norms establish prohibitions on cyber attacks during peacetime and act as a deterrent against state-sponsored threats.

Evidence

Usmani referenced the GGE report of 2021 and the OEWG report of 2021 as examples of where these norms are mentioned.

Major Discussion Point

Role of Cyber Norms and International Cooperation

Maria Pericàs Riera

Speech speed: 164 words per minute

Speech length: 462 words

Speech time: 168 seconds

Diversity in how countries define critical infrastructure globally

Explanation

Maria Pericàs Riera highlighted the significant differences in how countries around the world define critical infrastructure. She noted that even common sectors like energy can mean very different things across different countries.

Evidence

She referenced a project conducted at DGAP (German Council on Foreign Relations) that examined how over 190 nations worldwide define critical infrastructure.

Major Discussion Point

Identifying and Defining Critical Infrastructure

Agreed with

Nicolas Grunder

Bushra AlBlooshi

Kaleem Usmani

Agreed on

Importance of defining and identifying critical infrastructure

Differed with

Bushra AlBlooshi

Differed on

Approach to defining critical infrastructure

Kazuo Noguchi

Speech speed: 107 words per minute

Speech length: 675 words

Speech time: 375 seconds

Importance of backup systems and geographic distribution of infrastructure

Explanation

Kazuo Noguchi emphasized the critical importance of having multiple backup systems for infrastructure, particularly in different geographical locations. This approach helps spread risks and increase resilience against potential attacks or failures.

Major Discussion Point

Protecting Critical Infrastructure

Need to address both physical and virtual/cyber aspects of critical infrastructure

Explanation

Kazuo Noguchi emphasized the importance of addressing both the physical and virtual/cyber aspects of critical infrastructure protection. He pointed out that modern infrastructure often involves a combination of physical assets and digital systems, both of which need to be secured.

Major Discussion Point

Challenges in Critical Infrastructure Protection

Paola Nkandu Haamaundu

Speech speed: 141 words per minute

Speech length: 240 words

Speech time: 101 seconds

Need for training and awareness programs for critical infrastructure staff

Explanation

Paola Nkandu Haamaundu highlighted the importance of continuous training and awareness programs for staff working with critical infrastructure. She emphasized that this is necessary due to the rapidly changing nature of cybersecurity threats and technologies.

Major Discussion Point

Protecting Critical Infrastructure

Vladimir Radunovic

Speech speed: 171 words per minute

Speech length: 1740 words

Speech time: 608 seconds

Need to secure supply chains and address interdependencies

Explanation

Vladimir Radunovic highlighted the importance of securing supply chains and addressing the interdependencies between different critical infrastructure components. He pointed out that attacks on one part of the supply chain can have cascading effects on multiple critical infrastructures.

Major Discussion Point

Protecting Critical Infrastructure

Agreed with

Anastasiya Kazakova

Bushra AlBlooshi

Agreed on

Need for addressing interdependencies in critical infrastructure

Challenge of protecting infrastructure with international/cross-border impacts

Explanation

Vladimir Radunovic pointed out the difficulty in protecting critical infrastructure that has international or cross-border impacts. This challenge arises from the interconnected nature of modern infrastructure and the potential for attacks to have far-reaching consequences beyond national borders.

Major Discussion Point

Challenges in Critical Infrastructure Protection

Unknown speaker

Speech speed: 0 words per minute

Speech length: 0 words

Speech time: 1 second

Need for regional cooperation in identifying critical infrastructure

Explanation

An audience member suggested that regional cooperation could be a potential solution for identifying critical infrastructure. They proposed that regions could agree on specific types of infrastructure that are critical to them and establish regional bodies for cooperation.

Evidence

The speaker gave an example of Middle Eastern countries potentially agreeing that oil-related infrastructure is critical to their region.

Major Discussion Point

Role of Cyber Norms and International Cooperation

Klée Aiken

Speech speed: 141 words per minute

Speech length: 501 words

Speech time: 212 seconds

Importance of information sharing and threat intelligence exchange

Explanation

Klée Aiken emphasized the importance of sharing information and exchanging threat intelligence to protect critical infrastructure. This cooperation was seen as essential for building global resilience to cyber threats.

Major Discussion Point

Role of Cyber Norms and International Cooperation

Melanie Kolbe-Guyot

Speech speed: 147 words per minute

Speech length: 779 words

Speech time: 317 seconds

Question of whether cyber operations can realistically avoid targeting critical infrastructure

Explanation

Melanie Kolbe-Guyot raised the question of whether it’s realistic to expect cyber operations to avoid targeting critical infrastructure, particularly during peacetime. This question highlights the challenges in implementing and enforcing cyber norms.

Evidence

She referenced the Volt Typhoon attack in the US as an example of preparation for attacks on critical infrastructure.

Major Discussion Point

Role of Cyber Norms and International Cooperation

Thomas Schneider

Speech speed: 125 words per minute

Speech length: 354 words

Speech time: 168 seconds

Need for accountability mechanisms when norms are violated

Explanation

Thomas Schneider highlighted the importance of establishing accountability for harm caused by threats to critical infrastructure, especially when agreed-upon norms are violated. This suggests a need for enforcement mechanisms to support the voluntary norms.

Major Discussion Point

Role of Cyber Norms and International Cooperation

Imad Aad

Speech speed: 129 words per minute

Speech length: 332 words

Speech time: 153 seconds

Difficulty in controlling security of actors across supply chains

Explanation

Imad Aad pointed out the challenge of controlling the security of various actors across supply chains. He noted that while a company might have strong security measures, they have little control over the security practices of their service providers or other entities in their supply chain.

Major Discussion Point

Challenges in Critical Infrastructure Protection

Agreements

Agreement Points

Importance of defining and identifying critical infrastructure

Nicolas Grunder

Bushra AlBlooshi

Maria Pericàs Riera

Kaleem Usmani

Importance of understanding what constitutes critical infrastructure

Need for common agreement on critical infrastructure definitions at regional/international level

Diversity in how countries define critical infrastructure globally

Importance of conducting asset inventory and impact analysis for critical infrastructure

Multiple speakers emphasized the crucial need to define and identify critical infrastructure, recognizing the challenges in reaching a common understanding across different jurisdictions and the importance of conducting thorough assessments.

Need for addressing interdependencies in critical infrastructure

Anastasiya Kazakova

Vladimir Radunovic

Bushra AlBlooshi

Challenges in identifying cross-jurisdictional interdependencies in critical infrastructure

Need to secure supply chains and address interdependencies

Complexity of interdependencies between different infrastructure sectors

Several speakers highlighted the importance of understanding and addressing the complex interdependencies within critical infrastructure, both within and across national boundaries.

Similar Viewpoints

Both speakers emphasized the importance of international cooperation and norms in protecting critical infrastructure, suggesting that collaborative approaches are essential for effective protection.

Kaleem Usmani

Unknown speaker

Cyber norms help reduce risk of attacks on critical infrastructure

Need for regional cooperation in identifying critical infrastructure

Both speakers stressed the importance of preparedness and resilience in critical infrastructure protection, focusing on backup systems and continuity planning.

Kazuo Noguchi

Nicolas Grunder

Importance of backup systems and geographic distribution of infrastructure

Importance of business continuity and incident response planning

Unexpected Consensus

Transparency in critical infrastructure protection approaches

Anastasiya Kazakova

Bushra AlBlooshi

Lack of transparency from some states about critical infrastructure protection approaches

Need for common agreement on critical infrastructure definitions at regional/international level

Despite potential national security concerns, there was an unexpected consensus on the need for greater transparency and international cooperation in critical infrastructure protection approaches.

Overall Assessment

Summary

The main areas of agreement centered around the need for clear definitions of critical infrastructure, addressing interdependencies, international cooperation, and the importance of preparedness and resilience.

Consensus level

There was a moderate to high level of consensus among speakers on the key challenges and necessary steps for critical infrastructure protection. This consensus suggests a growing recognition of the global nature of the issue and the need for collaborative, multi-stakeholder approaches to address it effectively.

Differences

Different Viewpoints

Approach to defining critical infrastructure

Maria Pericàs Riera

Bushra AlBlooshi

Diversity in how countries define critical infrastructure globally

Need for common agreement on critical infrastructure definitions at regional/international level

Maria Pericàs Riera highlighted the significant differences in how countries define critical infrastructure, while Bushra AlBlooshi argued for the need to reach a unified agreement on definitions and policies at a regional or international level.

Unexpected Differences

Overall Assessment

Summary

The main areas of disagreement centered around the approach to defining critical infrastructure and the level at which security measures should be standardized (national, regional, or international).

Difference level

The level of disagreement was moderate. While there were differing perspectives on specific approaches, there was a general consensus on the importance of protecting critical infrastructure and the need for some form of standardization. This suggests that despite differences in approach, there is potential for collaboration and progress in developing effective cybersecurity measures for critical infrastructure.

Partial Agreements

Both speakers agreed on the importance of identifying and defining critical infrastructure, but differed in their approaches. AlBlooshi advocated for a common international agreement, while Usmani focused on conducting thorough asset inventories and impact analyses at a national level.

Bushra AlBlooshi

Kaleem Usmani

Need for common agreement on critical infrastructure definitions at regional/international level

Importance of conducting asset inventory and impact analysis for critical infrastructure

Takeaways

Key Takeaways

There is a need for clearer definitions and identification of critical infrastructure at national, regional and international levels

Protecting critical infrastructure requires addressing complex interdependencies and supply chain vulnerabilities

Cyber norms and international cooperation play an important role in critical infrastructure protection, but challenges remain in implementation and accountability

Baseline security requirements and standards are needed for critical infrastructure operators and service providers

Critical infrastructure protection requires engagement from multiple stakeholders including governments, industry, and researchers

Resolutions and Action Items

Work on finalizing the next chapter of the Geneva Manual focused on critical infrastructure protection by mid-next year

Develop more scenario-based games and cards to facilitate discussions on critical infrastructure protection

Seek more input and participation from developing countries in the Geneva Dialogue process

Unresolved Issues

How to effectively identify and protect cross-jurisdictional interdependencies in critical infrastructure

Whether it’s realistic to expect cyber operations to avoid targeting critical infrastructure, especially during conflicts

How to establish accountability mechanisms when agreed-upon cyber norms are violated

How to balance national security concerns with the need for transparency in critical infrastructure protection approaches

Suggested Compromises

Focus on agreeing on baseline security requirements and certifications for service providers rather than trying to reach universal agreement on critical infrastructure definitions

Pursue regional cooperation and agreements on critical infrastructure protection as a stepping stone to broader international cooperation

Start with protecting universally recognized critical infrastructure like electricity grids and nuclear plants while working towards more comprehensive definitions

Thought Provoking Comments

Reaching to an agreement, what is critical infrastructure and reaching to a common agreement at the regional level or national level might be challenging, but reaching to unified agreement to the policies regulations that we can all deploy on our service providers, whether those service providers are cloud providers, software providers, or even critical infrastructure operators themselves, I think we are all doing common things but we need just to come together in order to say, okay, those are common things, let’s agree on them internationally.

Speaker

Dr. Bushra AlBlooshi

Reason

This comment shifted the focus from trying to define critical infrastructure to finding common ground on policies and regulations for service providers. It offered a practical approach to addressing the challenge.

Impact

It led to discussion of specific initiatives like harmonized certification and international coalitions, moving the conversation towards concrete actions rather than theoretical definitions.

One of the critical things for the infrastructure provider is that the backup, backup, backup. And backup system in the different geography and the countries and regions, so that the spread, there are risks.

Speaker

Kazuo Noguchi

Reason

This comment introduced a specific, practical measure for protecting critical infrastructure that hadn’t been mentioned before.

Impact

It shifted the discussion towards more technical, operational considerations and led to further comments about risk assessment and resilience.

I’m believing that there should be a framework under the United Nations with a certain of infrastructure. No? Shall I repeat? With a listed infrastructure items and should be agreed between everywhere around the world that those elements should not be touched in peace or wars by cyber crimes.

Speaker

Audience member

Reason

This comment introduced the idea of a global agreement on protected infrastructure, even during wartime, which was a novel perspective in the discussion.

Impact

It prompted consideration of international frameworks and agreements, leading to further discussion about the role of the UN and global cooperation in cybersecurity.

So we have plans for each interdependency. By the way, our critical infrastructure sectors is already in our website, desc.gov.ae. You can find the critical sectors, and for each sector, we define what are the interdependencies, and if one sector goes down, what we should expect from the other sector.

Speaker

Dr. Bushra AlBlooshi

Reason

This comment provided a concrete example of how a government is addressing the challenge of interdependencies in critical infrastructure, offering practical insights.

Impact

It grounded the discussion in real-world practices and prompted consideration of how different sectors interact and depend on each other in critical infrastructure.

Overall Assessment

These key comments shaped the discussion by moving it from theoretical considerations to practical approaches and real-world examples. They broadened the scope from defining critical infrastructure to considering international cooperation, technical measures, and interdependencies between sectors. The comments also highlighted the complexity of the issue, showing how it involves multiple stakeholders and requires both national and international efforts. Overall, these insights deepened the conversation and led to a more nuanced understanding of the challenges and potential solutions in protecting critical infrastructure.

Follow-up Questions

How to define and identify critical infrastructure across different countries and contexts?

Speaker

Maria Pericàs Riera

Explanation

There is significant diversity in how countries define critical infrastructure, with over 40% of countries not publicly announcing what they consider critical. This makes it challenging to establish common norms and protections.

How to map and understand interdependencies between different critical infrastructure sectors?

Speaker

Dr. Bushra AlBlooshi

Explanation

Understanding interdependencies (e.g. between power and transportation sectors) is crucial for assessing vulnerabilities and developing contingency plans.

How to establish universal baseline or minimum cybersecurity requirements for critical infrastructure protection across jurisdictions?

Speaker

Anastasiya Kazakova

Explanation

Given the transnational nature of many critical infrastructure services, there’s a need for more universal security standards while respecting national frameworks.

How to make legal systems governing critical infrastructure security more interoperable across countries?

Speaker

Anastasiya Kazakova

Explanation

This would help address common security issues faced by actors across different jurisdictions.

How to effectively protect critical infrastructure facilities and assets that have national, regional or international impact?

Speaker

Melanie Kolbe-Guyot

Explanation

This requires identifying which stakeholders need to be engaged and what practical measures should be implemented.

How to establish accountability for harm caused by threats to critical infrastructure when agreed-upon norms are violated?

Speaker

Melanie Kolbe-Guyot

Explanation

This is crucial for enforcing norms and deterring attacks on critical infrastructure.

How to address the lack of transparency from some states regarding their critical infrastructure protection approaches?

Speaker

Anastasiya Kazakova

Explanation

Greater transparency is needed to enable stakeholders to support state efforts in critical infrastructure protection.

How to secure the complex global supply chains involving small companies and nations?

Speaker

Kazuo Noguchi

Explanation

The interconnected nature of supply chains, including software, hardware, IoT, and people, presents significant security challenges.

Disclaimer: This is not an official session record. DiploAI generates these resources from audiovisual recordings, and they are presented as-is, including potential errors. Due to logistical challenges, such as discrepancies in audio/video or transcripts, names may be misspelled. We strive for accuracy to the best of our ability.

WS #202 The UN Cybercrime Treaty and Transnational Repression

Session at a Glance

Summary

This panel discussion at the Internet Governance Forum focused on the UN Cybercrime Treaty and its potential impacts on human rights and transnational repression. Experts from various organizations expressed serious concerns about the treaty’s broad scope and lack of robust human rights safeguards. They argued that the treaty’s vague language and deference to domestic laws could enable authoritarian regimes to abuse its provisions for surveillance and repression of dissent.

Panelists highlighted how the treaty expands investigative powers and international cooperation beyond core cybercrimes to any “serious crime” as defined by domestic law. This could force countries to assist in prosecuting acts that are not crimes in their own jurisdictions. The treaty’s weak privacy protections and potential to undermine encryption were also criticized.

Case studies from Saudi Arabia and Latin America illustrated how existing cybercrime and anti-terrorism laws are already used to target activists and journalists. Panelists warned the treaty could exacerbate these abuses on a global scale. They also noted the treaty’s provisions could endanger cybersecurity researchers by criminalizing their work.

The experts urged policymakers and industry leaders to oppose ratification of the treaty in its current form. They recommended using upcoming protocol negotiations to address human rights gaps and involve civil society voices. Overall, the discussion emphasized the need for stronger safeguards and more precise language to prevent the treaty from facilitating human rights violations under the guise of combating cybercrime.

Keypoints

Major discussion points:

– The UN Cybercrime Treaty lacks adequate human rights safeguards and could enable transnational repression

– The treaty’s broad scope and vague language around “serious crimes” is problematic

– The treaty gives states too much flexibility in implementation, allowing for potential abuse

– Cybersecurity researchers and civil society could be negatively impacted by the treaty

– There are opportunities to improve the treaty through protocol negotiations and by states refusing to ratify

Overall purpose:

The discussion aimed to raise awareness about human rights concerns with the UN Cybercrime Treaty and encourage policymakers and other stakeholders to push for improvements before ratification.

Tone:

The tone was serious and concerned throughout, with speakers emphasizing the gravity of the potential human rights impacts. There was a sense of urgency in calling for action to address the treaty’s flaws before it is too late. The tone became slightly more hopeful towards the end when discussing potential ways to improve the treaty going forward.

Speakers

– Joey Shea: Covers Saudi Arabia for Human Rights Watch

– Deborah Brown: Covers tech and human rights in the tech division at Human Rights Watch

– Lina al-Hathloul: Saudi human rights defender, head of monitoring advocacy at Al-Qist

– Nick Ashton-Hart: Leads the Cybersecurity Tech Accords representation at the UN

– Veridiana Alimonti: Associate Director for Latin American Policy at the Electronic Frontier Foundation

– Fionnuala Ni Aolain: Professor of law at Queen’s University of Belfast and regents professor at Minnesota Law School, former UN Special Rapporteur on counterterrorism and human rights

Additional speakers:

– Khaled Mansour: Member of the Oversight Board for Meta

Full session report

The UN Cybercrime Treaty: Human Rights Concerns and Potential Impacts

A panel of experts convened at the Internet Governance Forum to discuss the UN Cybercrime Treaty and its potential implications for human rights and transnational repression. Joey Shea, the moderator, opened the session with a moment of silence for detained human rights defenders, setting a somber tone for the discussion.

Human Rights Concerns and Transnational Repression

The panelists unanimously expressed significant concerns about the treaty’s current form and its potential for abuse. Deborah Brown of Human Rights Watch highlighted that the treaty provides broad surveillance powers without sufficient protections. She noted that while the treaty allows states to refuse mutual legal assistance on human rights grounds, this flexibility could be exploited by repressive regimes.

Veridiana Alimonti from the Electronic Frontier Foundation warned that the treaty could enable cross-border surveillance and data sharing by repressive regimes. This point was powerfully illustrated by Lina al-Hathloul, a Saudi human rights defender, who shared how Saudi Arabia already uses vague cybercrime and anti-terrorism laws to silence dissent. She provided specific examples of how these laws are used to target activists, journalists, and human rights defenders, emphasizing that the treaty could exacerbate such abuses on a global scale.

Nick Ashton-Hart, representing the Cybersecurity Tech Accords at the UN, raised alarm about the treaty’s allowance for secret surveillance and data collection. He also highlighted concerns about the asset seizure and forfeiture provisions in the treaty, which could be used to target individuals and organizations unfairly.

Impacts on Cybersecurity Research and Internet Security

An unexpected consequence of the treaty, as pointed out by Nick Ashton-Hart, is its potential negative impact on cybersecurity research. The treaty’s language criminalizes accessing systems without permission, which could inadvertently endanger the work of security researchers who routinely probe systems to discover vulnerabilities. This lack of protection for researchers could have far-reaching implications for overall internet security.

Recommendations and Future Considerations

The experts offered several recommendations for policymakers and stakeholders:

1. States should refrain from signing or ratifying the treaty in its current form.

2. Upcoming protocol negotiations should be used as an opportunity to address the treaty’s flaws.

3. Civil society voices must be included in treaty discussions to ensure a balanced approach.

4. Governments should engage with domestic stakeholders when making decisions about ratification.

Nick Ashton-Hart emphasized the importance of the US and EU not ratifying the treaty, as this could influence other countries’ decisions. He also suggested that better results could be achieved in future negotiations, given that opponents of safeguards and rule of law protections lack sufficient votes.

Deborah Brown stressed the need for engaging with domestic stakeholders on ratification decisions and highlighted the treaty’s flexibility, which could be both a strength and a weakness depending on how it’s implemented.

Unresolved Issues

The discussion left several important questions unanswered, including how to effectively balance cybercrime prevention with human rights protections and ensure the treaty cannot be misused for political persecution. The panelists agreed that addressing these concerns and strengthening human rights safeguards will be crucial as the process moves forward.

Technical Difficulties

It’s worth noting that the session experienced some technical difficulties, which were briefly mentioned in the transcript. Despite these challenges, the panelists were able to convey their key points and concerns effectively.

Conclusion

The panel discussion highlighted the urgent need for policymakers, civil society, and industry leaders to engage critically with the UN Cybercrime Treaty. The experts’ unified stance against ratification in its current form sends a strong message about the treaty’s potential to facilitate human rights violations under the guise of combating cybercrime. As negotiations continue, it will be essential to address these concerns and ensure that efforts to combat cybercrime do not come at the expense of fundamental rights and freedoms.

Session Transcript

Joey Shea: with the headphones on. We’re going to begin the session. My name is Joey Shea. I cover Saudi Arabia for Human Rights Watch. We’re also joined in person by my colleague Deborah Brown, who covers tech and human rights in our tech division also at Human Rights Watch. I want to welcome you today to our session on the UN Cybercrime Treaty and the impacts that it may have on transnational repression. We have a very important and, in fact, historic panel for everyone here today. Before we begin the conversation, I do want to take a moment to acknowledge who is not here. Many human rights defenders are unable to be here on the grounds, including a number from the country in which this conference is taking place. So I do want to take a moment to say a few names of human rights defenders who have been detained arbitrarily across the Middle East, including in the country in which we now reside, and have a moment of silence for them. So I want to speak about Mohammed al-Ghamdi and Assad al-Ghamdi, who are two brothers. And all the names that I’m going to be saying, just to note, are individuals who are detained in relation to expressing themselves online, either through Twitter or X or other platforms. So Mohammed and Assad al-Ghamdi, who are both citizens of the country in which we are now in. Noura al-Qahtani, also a citizen of the country that we are now in. Ahmed Mansour, Alaa Abdelfattah, Abdelhadi al-Khawaja, and Ahmed Hassan al-Zoubi. So again, all these are individuals who have been detained for expressing themselves online. So I want to take a moment, a brief moment of silence, to reflect on these individuals and their contribution to this space. So thank you again to everyone for being here today. The other thing I want to acknowledge in addition to those defenders whose name I just spoke, other folks who are not able to be here in the room with us today. So beside me would have sat Lina Al-Hathloul, who is joining us remotely on the screen. 
Lina is of course a citizen of the country in which we now reside, but she is unable to be here given security concerns related to her activism abroad. So instead of her physically being here in person, we’ve laid out an empty chair and a name tag here to symbolize not only her absence, but the absence more broadly of the community of civil society members from this country who are not able to be here in person nor to attend due to the rights crisis here. I also want to welcome our other panelists to get to it more concretely, who are joining us remotely. We have Nick Ashton-Hart, who is joining us here on our lower left of the screen. So Nick leads the Cybersecurity Tech Accords representation at the UN and headed their delegation to the Cybercrime Convention negotiations. And the Tech Accord is a global coalition of more than 160 companies that advocates for greater international action to address malicious cyber incidents and their causes. We are also joined by Veridiana Alimonti, who is an Associate Director for Latin American Policy at the Electronic Frontier Foundation. She is a lawyer. She holds a PhD in Human Rights from the University of Sao Paulo Law School. And her work focuses on the intersection of technology and human rights, such as privacy and freedom of expression. We’re also going to be joined a little bit later by another colleague, Fionnuala Ni Aolain, who is a professor of law at Queen’s University of Belfast and a regents professor at the Minnesota Law School, and she’s also a former UN Special Rapporteur on counterterrorism and human rights.
So to start off to our discussion here today, I want to turn to my colleague in the room, Deborah Brown, who has been focused on the UN Cybercrime Treaty for many years, and so I first would be super grateful if you could sort of take us through, first of all, what is the UN Cybercrime Treaty, what is its status, where are we today, and what are the main issues with regards to human rights concerning the treaty.

Deborah Brown: Thank you so much, Joey, for the introduction, and hi to everyone on the room and online. I know it’s very early for some of you, so thank you for joining us. Thank you also, Joey, for that moment of silence. I think that really grounds our discussion, why we’re here, to talk about transnational repression and the rights of people who’ve been detained or otherwise had their rights restricted on the basis of cybercrime laws. I’m gonna start off with an overview. I see some familiar faces in the room. I know some of you are intimately familiar with the UN Cybercrime Treaty. Others of you luckily might not be, and so I just want to sort of set a groundwork or grounding the treaty on the basics, where we are, what it does, and what comes next. So this is the first global treaty on cybercrime that we’ll be discussing today. It was first approved to move forward almost five years exactly today by the UN General Assembly. In 2019, in December, the UN General Assembly voted to start negotiations on this treaty. There was not consensus at the time that there should be a global cybercrime treaty or what even the scope or purpose of that treaty would be. The treaty was first proposed by the Russian Federation. Russia circulated a draft treaty two years prior, in 2017, and when it came down to decide whether to move ahead with this, the US, European Union and a number of like-minded states voted against or abstained from the treaty, from the process to start the treaty negotiations. Since then, there’s been a little over three years of negotiations, give or take, and in August 2024 what’s known as the ad hoc committee, which was the body established to negotiate the treaty text, agreed on a treaty. They agreed by consensus for the treaty that sits before the UN General Assembly this week. It’s expected to be adopted.
I think any day now, and at that point it will open for ratification. Once 40 governments ratify the treaty, 90 days after that point it will go into effect, into force, and then soon after, within the next two years, negotiations on a protocol to be attached to the treaty will also start, and that protocol will be adopted once there’s agreement on it and once 60 states have ratified it. We refer to the treaty shorthand today as the UN cybercrime treaty, but it’s actually a bit of a misnomer. That’s not the full name. I’ll read out the full name for you, which is strengthening international cooperation for combating certain crimes committed by means of information and communications technology systems and for sharing of evidence and electronic form of serious crimes. And that last bit is, I think, what brings us here today mostly, is to discuss beyond cybercrime, beyond attacks on computer networks and systems. This treaty is actually a general-purpose treaty to co-op, to investigate and prosecute and cooperate internationally on a much wider range of crimes, specifically serious crimes. The treaty, just to kind of break down the components: it does actually criminalize certain acts, the criminalization chapter if you will, and that requires states that ratify the treaty to criminalize in domestic law certain offenses. These range from core cybercrimes like attacks on community, ICT systems, illegal access to data, illegal intercept, things like this, and cyber-enabled crimes, a select number of them, like online child sexual abuse material and non-consensual dissemination of intimate images. I think we’ll hear a bit more from Fionnuala later on about the compatibility of those offenses and how they’re drawn up with international human rights law, but I just want to flag that in the negotiations there was a lot of disagreement, or negotiation, one might say, on the scope of criminalization.
There were some states that really wanted to see a much broader range of acts criminalized, which would include content-related offenses, things that are broadly defined, or not defined, like extremism or terrorism, and then states that wanted to see a much narrower set of crimes included. And we landed somewhere, I would say, in between, but on the flip side of that there’s a much broader scope of crimes on which investigations and prosecutions can happen and transnational cross-border cooperation. So the convention requires states to establish expansive electronic surveillance powers to investigate and cooperate on a range of crimes, even when no ICT systems were used to commit those crimes. It includes specifically international cooperation on anything called a serious crime, which under the treaty says that basically any crime as defined in domestic law that carries a criminal sentence or penalty of four years in prison or more. Now looking around the world, and I think we’ll hear more about this from my colleagues remotely, many countries criminalize acts that are defense of human rights, for example, independent journalism, criticizing one’s government, being LGBT. And under this treaty, states are required to provide mutual legal assistance to prosecute those crimes that might not even be an offense in their own country. And that’s the kind of issues that we’ll be talking about more about later. I know for this introductory period we’re trying to just cover the high-level points so I think I’ll just move to the human rights safeguards or lack thereof before turning to other colleagues. I think it’s important to recognize that the treaty does include a provision, an article on human rights, and it also includes, so that’s article 6, it includes another article 24 on conditions and safeguards. And this wasn’t a guarantee from the outset and it’s important to recognize where some progress was made.
Article 6.2 specifically says nothing in this convention shall be interpreted as permitting the suppression of human rights or fundamental freedoms. And so it’s designed in principle to guard against misuse of the treaty to restrict or violate human rights. Unfortunately that article isn’t actionable. There aren’t really enforceable limitations on the use of the treaty to restrict rights elsewhere. And I will turn to article 24 which is the condition and safeguards article which largely defers to domestic law. It does mention international human rights standards but it does so in a selective and in some cases optional way. It relies heavily on the principle of proportionality but fails to mention legality and necessity, meaning that limitations on human rights that would be permitted by the treaty should be legal like specific and really clear and that they should be necessary, meaning that they’re designed for a specific purpose and the least restrictive measure necessary. Things like judicial authorization are not required, they’re a bit optional in this, and things like independent notice of individual notice to let’s say people who’ve been surveilled or had their data collected for the purpose of an investigation there’s no individual notice and there’s no transparency required that you’d need to know in order to actually push back against such requests. And I’d also flag that Article 24.2, as a whole, only applies to Chapter 4, the procedural measures, and to Chapter 5 on international cooperation, when the powers on Chapter 4 are relied on. So there are certain acts like law enforcement cooperation and joint investigations, which may include the sharing of data collected outside of the treaty or domestically, aren’t covered by the human rights provisions. And there were strong efforts from some member states to apply Article 24 and conditions and safeguards to the whole treaty, and those were not successful in the end.
So there are certain gaps, and there’s a lot of latitude and kind of flexibility given to governments in how they interpret and enforce the treaty from the human rights perspective. Throughout the negotiations, Human Rights Watch, Electronic Frontier Foundation, industry have been raising these concerns in terms of the gaps and how this treaty can be used to abuse or abuse to violate human rights. We often give examples in our work. These are not hypothetical, and this is why I’m very pleased that Lina will be speaking here to share from her work and her experience on the very real cases of what’s at stake.

Joey Shea: Thank you so much, Deborah, and I think that is a very appropriate note to end on as we turn now to Lina Al-Hathloul, who I didn’t actually probably introduce when we began. But Lina Al-Hathloul is a Saudi human rights defender. She is the head of monitoring advocacy at Al-Qist, which is a Saudi-led human rights organization based in London. She’s also the sister of Loujain Al-Hathloul, one of the most famous Saudi women’s rights defenders who spent over 1,000 days in Saudi prison due to her human rights work. So with that, I’d like to turn to Lina, and Deborah did an excellent job sort of outlining understanding what the cybercrime treaty is and some of the gaps with regard to human rights, particularly as the treaty sort of defers to domestic law on a number of these issues. So I’m wondering if you could speak about your experience as a Saudi human rights defender and Saudi law and how this treaty may sort of interact and lead to further repression inside of Saudi Arabia.

Lina al-Hathloul: Thank you, Joey. Thank you, Deborah. As-salamu alaykum. Good day, everyone. I’ll be reading my speech and we can have a later conversation later on. So I want to begin by expressing my gratitude for the opportunity to address you today, even if I cannot be with you in person. I had hoped to join you directly, but due to safety concerns and the legal travel bans imposed on my family since 2018, that remains impossible for now. That is, I could maybe be trapped in the country should I have come in person. For today, an empty chair will have to represent my voice, a stark symbol of the silencing faced by so many of us. I do hope the situation will change and I can join you in person very soon. My sister’s case is an example of the grim reality that many face. For her women’s rights work, she has been imprisoned, tortured and placed under an illegal travel ban. Her story is not unique and it serves as a powerful backdrop to my remarks today about the proposed UN Cybercrime Treaty and its potential ramifications for countries like Saudi Arabia. The UN Cybercrime Treaty, as it currently stands, is excessively broad and it reduces significant legal uncertainty. It provides states with the tools to leverage high-level, intrusive domestic and cross-border surveillance powers to address a vaguely defined list of criminal offences. This vague framing risks becoming a serious weapon in the hands of governments that are already using cybercrime laws to suppress dissent. The situation in Saudi Arabia is a cautionary tale. Over the past few years, our monitoring and research have revealed the disturbing extent of Saudi Arabia’s surveillance apparatus, both online and offline. Civil society can no longer speak independently, and those who dare to express what the authorities consider dissent are often silenced through imprisonment or worse.
One of the most troubling discoveries we made was the existence of a Saudi state security watch list known as Watch Upon Return or Tarqab al-Awda in Arabic. This list monitors social media accounts of Saudis abroad, targeting them upon their return. To give you a stark example, a Saudi citizen was arrested simply for criticising the quality of food provided by the embassy during COVID-19. Another case is Salma Shihab, a PhD student who was arrested upon her return from the UK for social media content supporting human rights defenders. Her initial sentence was six years, which was then later increased to 34 years before being reduced to 27 years. She remains in detention to this day. Even more surprisingly, Saudi state television has laid bare the authorities’ efforts to suppress free speech online. On the Thursday night programme Blindspot, five imprisoned social media users were interviewed, including one man jailed for a single tweet, a tweet that he hadn’t expected could land him in prison. The message was chillingly clear. No one is safe. No one is safe online. And even what one considers mild criticism can become a crime. We have documented hundreds of cases of individuals in prison solely for their online expression. Among them is Abdelrahman al-Sadhan, a man who remains forcibly disappeared to this day. His case highlights the dangers of a poorly constructed cybercrime treaty. Abdelrahman was tweeting anonymously when his identity was allegedly revealed after Saudi authorities corrupted Twitter employees to obtain user data. Under Article 34 of the proposed treaty, states are required to cooperate in collecting, obtaining, preserving and sharing electronic evidence for any serious crime punishable by four years or more. Article 40 requires states provide one another with the widest measures of mutual legal assistance in investigations, prosecutions and judicial proceedings in relation to acts criminalized by the treaty and any serious crime.
Without clear and robust limitation, such provisions will give governments unchecked power to surveil, arrest and silence individuals under the guise of law enforcement. It also risks making states party to the treaty complicit in abuses by Saudi authorities. The problem is compounded by differences in judicial systems and their independence, or lack thereof. The treaty largely defers to domestic law in the conditions and safeguards it outlines in Article 24. In Saudi Arabia, laws such as the counter-terrorism law and the anti-cyber crime law define criminal offences in dangerously vague terms. These laws are routinely used to target peaceful activism and free speech. Offences committed are tried in the Specialized Criminal Court, or the SCC, a jurisdiction that has been increasingly weaponized against human rights defenders. Trials are often held in secret, court documents withheld, and witnesses barred from testifying. This lack of due process leaves individuals without any protection against abuse of the law. The cybercrime treaty will only exacerbate these existing abuses. It would provide governments with even more tools to surveil, silence, and detain critics, undermining fundamental human rights under the pretense of addressing cybercrime. It is critical to address these risks and implement clear safeguards to ensure that such provisions cannot be misused. In closing, I want to emphasize that cybercrime legislation must prioritize human rights and include robust definitions, safeguards, and independent oversight. The price of failing to do so is measured in lives silenced, freedoms lost, and families torn apart, a price that many, including my family and I, know all too well. Thank you for listening, and for holding space for voices like mine. I look forward to a day where I can join you in person, without fear, to continue this vital conversation. Wassalamu alaikum.

Joey Shea: Thank you. Thank you. to hear even further how the cybercrime treaty will impact human rights and freedoms here in Saudi Arabia. I also want to turn now to Veridiana. I just want to make sure that the screen, there we go. I want to turn now to Veridiana to speak about another case study, and I just want to make sure that our technical, we’re just going to wait until the Zoom appears on the screen here so that we can see Veridiana as we are hearing from her. Hi. Excellent. Veridiana, I’m sure you can’t see in the room, but you’re now on our screen. So welcome. So Veridiana, I want to sort of turn to you now and ask you about the lack of robust privacy and data protections and the conventions, and specifically how these may be problematic from a Latin American perspective, particularly with regards to the legal frameworks in place and the weak protections in your region. So welcome.

Veridiana Alimonti: Thank you very much, Joey and Deborah. So we at the Electronic Frontier Foundation have engaged with the UN debates on the cybercrime convention from the early stages, and as Joey mentioned, the point I want to highlight is the fundamental imbalance of the proposed treaty between surveillance powers and human rights safeguards and how this is concerning vis-a-vis transnational repression. So EFF has repeatedly stressed that the convention has become a broad surveillance pact. As Deborah mentioned, it establishes intrusive investigative measures at national level and requires international cooperation in accessing and sharing data, even for crimes that do not involve ICTs, and such powers come without adequate safeguards to prevent their abusive application. Although the treaty text states that the implementation of surveillance obligations must comply with state’s commitments before international human rights law, not all states that are UN members and may join the convention have ratified important treaties such as the international covenant on civil and political rights or have domestic legal frameworks that ensure sufficient guarantees. So if we consider Latin American countries within any spectrum of democratic nations, safeguards that we can deem essential are not necessarily present in domestic legal frameworks. Looking only at prior judicial authorization for accessing communications related data for example, Colombia doesn’t require prior judicial order for the interception of communications content. Peru allows real-time location data access without a previous warrant under specific conditions subject only to later judicial review. In Panama, the law authorizes prosecutors to request a considerable amount of communications metadata to telephone providers without previous judicial authorization. Law enforcement authorities in Paraguay also rely on a supreme court’s ruling to require access to metadata without judicial authorization.
And in Brazil, there is an ongoing legal debate on whether the disclosure of storage location data requires a previous judicial order. Yet as Deborah mentioned, article 24 of the UN convention sets that the application of the investigatory surveillance powers and procedures provided for in its specific chapter are subject to conditions and safeguards provided for under the country’s domestic law. And that in accordance with and pursuant to the domestic law of each state party, such conditions and safeguards shall, as appropriate in view of the nature of the procedure or power of concern, include safeguards that are absolutely crucial as judicial or independent review, the right to an effective remedy, which is an international human right established in international human rights instruments, grounds justifying the application, and limitation of the scope and the duration of such power or procedure. Also, Article 24 establishes the principle of proportionality, but not legality, necessity and non-discrimination. So as such, the text of the UN Cybercrime Convention does not require that surveillance measures have prior judicial authorization, are only carried out in the face of reasonable suspicion, and are necessary for the investigation. Furthermore, the authorities could keep such measures secret indefinitely, according to the law of each country. These surveillance powers that state parties to the convention will have to establish in their domestic law and will be available for international cooperation, include real-time collection of metadata, interception of content data, which are two provisions that could be abused to underpin government use of malicious software, for example, to spy on dissidents and human rights defenders. It also includes a provision that can force individual tech employees working at service providers to provide information, possibly including security weaknesses that could be used to bypass system security safeguards.
The fundamental imbalance between surveillance powers and human rights safeguards is particularly concerning in Latin American countries, where the lack of adoption of legal safeguards against data, the absence of comprehensive data protection laws in the law enforcement context, and the insufficient mechanisms for transparency, notification, effective remedy, and oversight pose significant risks to human rights and vulnerable communities. This is also particularly concerning on how it can boost transnational repression. The key function, the intention of the convention, if ratified, will be to create a means of requiring legal assistance between countries that do not already have mutual assistance treaties, MLATs, or other cooperation agreements. This could include repressive regimes who may previously have been hindered in their attempts to engage in cross-border surveillance and data sharing. In some cases, because their concerning human rights records have excluded them from MLATs. The treaty’s international cooperation chapter compels countries to collect and share private data across borders, effectively requiring them to assist each other in electronic surveillance for a wider range of serious crimes, whether or not technology is involved in the crime. The cross-border evidence gathering applies to any crime that a state chooses to punish with at least four years of imprisonment under its national law, subject to certain restrictions. Proposals to define more strictly serious crimes were not accepted. So, this broad discretion granted to states under the UN Cybercrime Treaty is a deliberate design intended to secure agreement among countries with varying levels of human rights protections. This flexibility in certain cases allows states with strong protections to uphold them, but also permits those with weak standards to maintain their lower levels of protection.
The Convention’s underlying flaw is the assumption that, in accommodating all countries’ practices, states will always act in good faith. But what the history and patterns of transnational repression teach us is that this does not hold true, and that mandatory human rights safeguards and effective oversight of whether these safeguards are fulfilled are absolutely essential. A key learning that unfortunately and alarmingly is not reflected in the text of the UN Cybercrime Convention. Thank you.

Joey Shea: Thank you, thank you Veridiana for those important remarks. And I think it’s very important that we look at multiple different case studies to see how the rights impacts of this treaty globally. I’d like to turn now to Fionnuala if we could get her up on screen as well. I’ll just take a moment. Hi everyone. Brilliant. Fionnuala welcome, you’re on our screen even if you can’t see the room. Thank you so much for joining us. So I’m wondering if you could speak a bit more about the treaty, but specifically how the broader securitization policies and practices by member states may be impacted and the relationship between the treaty and those policies and practices.

Fionnuala Ni Aolain: Sure, everyone, I’m delighted to be joining you today, albeit remotely, and am pleased to offer an assessment I think of what might be described as selective human rights pieces of the UN Convention Against Cybercrime and really to reflect on in some ways the fundamental incompatibility of parts of this treaty with international human rights law. I think it’s also really fair to say that due to the scale, scope, subject matter of the convention, the convention poses distinct human rights risks that really should have required heightened scrutiny and safeguards rather than lesser scrutiny and safeguards. And here I align my remarks with the views of the U.N. High Commissioner for Human Rights in their submission to the treaty process in July of 2024. And my focus is really to start by looking at the nitty-gritty language of the treaty. And I do that because I think it’s really important that we’re not simply abstract in thinking about how this treaty really has failed to grapple with and create obligations for states under human rights law, but the deliberate avoidance and obfuscation of human rights language and human rights requirement. And I think this represents something of a broader challenge that human rights is facing, particularly in the intersection of new technologies and human rights globally, is the way in which human rights language or what I would call human rights light constructions of new treaties really serve to undermine existing treaty language and practice. And the second is the treaty, I think, represents another pattern, which is the failure to address or acknowledge fundamental and existing patterns of abuse by states. And so that the treaties, in fact, almost it’s like the emperor’s new clothes, an unwillingness to address what we know about state behavior in a particular area and address it through treaty law.
And the third, I think, is this really important point that sort of builds on the point about human rights light standards, is the weakening of existing treaty framework standards, human rights treaty frameworks by creating de facto spaces of opt out or critical spaces where states essentially get to exclude human rights protection. And the broader point is that new technologies have effectively, particularly in this area of security and new technology, have been given a pass on the application of international human rights law, often based on arguments of exceptionality, that these spaces are exceptional, that they require exceptional, fast and particular kinds of responses, creating, I think, enormous disjunction in our overall protection schemes. But let me go to some of the language. And I want to start with Article four of the treaty that requires states parties to criminalize offenses under, quote, other applicable U.N. conventions and protocols when committed through the use of an information and communications technology system, end quote. And this provision, I think, is the practical effect of extending the scope of the offenses under other conventions to encompass cyber means without formally amending each of those conventions. So it’s quite an important sleight of hand, a move that I think is quite significant. Now, there might be reasons to legitimately extend some offenses under earlier conventions and to update earlier conventions. But I think Article four is objectionable for two fundamental reasons. One is because it’s inherently vague and uncertain in scope, and it doesn’t identify the specific conventions or the offenses that will be updated. And there are dozens of instruments and many more offenses within them that might be affected.
And when those treaties were negotiated, each of those offenses was carefully negotiated, giving due legal scrutiny to the particular elements of each substantive and inchoate offense under the convention. And so as a fairly doctrinal lawyer, I think I’m really concerned that Article four requires wholesale and indiscriminate potential extension of every offense under every convention without close drafting scrutiny of whether it’s appropriate or possible or even necessary. And more particularly what the human rights implications of that or adverse consequences of doing that would be. So this haphazard extension of a wide range of criminal offenses seeking a variety of really different purposes is just not good practice on drafting critical criminal instruments, and I think gives rise to not just inconsistency and unpredictability, but is at odds with the sort of a fundamental tenet of human rights law. And I think the second challenge we see in Article four is the criminalization of offenses, and this criminalization of offenses committed through information and communication technology systems is ambiguous. It’s just ambiguous. And it doesn’t really tell you in which circumstances cyber means should actually be unlawful. And this idea of commission through the use of information could encompass just a whole range of conduct and interactions. And that some of those could be intentional. Some of them might not be. Some of them might be unconscious, indirect, or even offline connections with information and communication systems. And I think this is really, really problematic from a fundamental criminal law perspective and a human rights perspective, because it undermines that absolute obligation in international human rights law of legal certainty.
If you are to be made the subject of a criminal offense, you need to know what offenses, they have to be clearly defined in advance in a way that you could regulate your conduct so you don’t end up being in violation of the law inadvertently. And I think that’s just simply not the case here. Individuals may end up being in violation, not just because the law is not clear, but because it suits states to have the law unclear, because that actual level of uncertainty actually puts individuals, and I would say particularly human rights defenders and other civil society actors, on the defensive and therefore preemptively regulating their conduct for fear that they might run afoul of something that’s not clear. And I think what we might end up with is considerable variance at national level about what kind of offenses are produced at national level, a kind of a way that you get double criminality. And when we get to the parts of the treaty that deal with extradition and mutual assistance, actually you run into even further complicated problems. And I do want to flag that I think between the cyber crime offenses, Articles 7 to 12, are really quite problematic. It’s really not clear. When you look at the nature of these offenses, again, they appear to be overbroad and capture a range of conduct that is not, in fact, sufficiently serious to warrant criminalization. But actually, these offenses risk targeting a whole range of other actors. And the actors I want to highlight are those actors like whistleblowers being criminalized or those engaged in disclosure of information that expose illegality or fraud. It risks criminalizing those who take action to prevent crime. It risks criminalizing ethical hackers, cybersecurity researchers and those who are in the work in the digital infrastructure ecosystem to actually protect us.
And probably the most and most substantial fear that I think previous comments have picked up also is the danger that this kind of criminalization is going to get at protest and freedom of expression online. And I also think I’d want to endorse the comments about the lack of sufficient safeguards and conditions of safeguard and the risks that this poses for civil society actors. I also want to pay attention to the way in which the general human rights safeguards that we find in chapters two, five, six and seven are simply inadequate, because actually, when you look at the treaty, it looks like a Swiss cheese. You get like human rights language in one piece, but not in others. And I think that should provoke our curiosity and reflection on why human rights clauses were put in some places and not in others. And I think the lack of consistency of human rights safeguards throughout the treaty. So, for example, their exclusion in chapter two or the limits on it in chapter seven and chapter six tell us, in fact, that again, there really was a Swiss cheese effort here to not ensure consistent human rights safeguards across the board, but to do a pick and choose, a kind of an a la carte menu of human rights protection in the treaty. I also want to highlight Chapter 7, and I want to particularly flag Article 35, which is the general principle on international cooperation, where there’s simply no mention of human rights. And I think this point that you’re leaving out human rights protection in those places, particularly in the context of transnational repression, where we see the gaps in protection being particularly problematic, their exclusion here underscores this broader problem of an unwillingness by states to address the actual practice of transnational repression, which is increasingly being framed under the language of assistance and cooperation among states.
And again, brings us back to this human rights, this sprinkling of human rights, the human rights light approach. Two final comments on human rights lacuna I would include is Article 34, the limits on assistance and protection of victims, where again, the failure of the treaty to implement existing and growing human rights law on the rights of victims is simply not present. We see the same in Chapter 6 on prevention measures, where we see actually a failure to implement the massive advantages that are massive and protections that we’ve seen developed over several decades. And I close by just saying that one of the parts of the treaty that concerns me most is the focus on technical assistance and capacity building under Chapter 6, which refers to training, exchange of information, technical assistance and technology transfers between states. And again, the striking absence of fundamental human rights activity protections in these activities stress to us the ways in which human rights entirely sat at the margins of the conversations in this treaty, weakening it in fundamental ways, but also having the reverse effect of weakening back to the fundamental human rights treaties, the absence of their inclusion in this important step by states to regulate the cyber arena. So let me stop there and thank you for your time.

Joey Shea: Thanks very much, Fionnuala, for those important remarks. I want to turn now to Nick, if we could get Nick up on the screen from our technical team. Nick, can you hear me all right? Nick, if you can hear us, we’re working to get you up on the screen, but just as we’re working to do that, Fionnuala had mentioned the impact of the treaty on cybersecurity. And I know throughout the course of your work, you work very closely with cybersecurity researchers. So I’m wondering if you could, when we finally get you up on the screen, if you could sort of discuss and give us your thoughts on the importance and value of protecting these researchers and why the convention may be harmful for their work. And just give us one moment as we try to bring you up on the screen. Can you hear me okay? In the meantime. To our technical team, Nick is down at the bottom. There we go. Well, thanks again. We have you up on the screen now, Nick. So again, that question, could you just sort of touch on the importance of cybersecurity researchers throughout the course of your work and how the treaty may be harmful to their work?

Nick Ashton-Hart: Thank you very much. I think that’s actually the very first point I want to address. You can spend a long time talking about the problems of the convention, but this is one of the two most important areas for us anyway. And thank you for inviting, thank you for organizing a session on this subject at the IGF and for the invitation to speak on it. I should say out front that the Cybersecurity Tech Accord, along with the global business community very broadly has publicly opposed signature, ratification or accession to the convention of the text as it stands, along with a very broad array of civil society and voices. It’s been said more than once that throughout the negotiations, there was such unanimity across the board from business and civil society that none of us had ever seen that level of agreement before, which unfortunately the negotiators did not take really enough of a warning from. As you mentioned, there is considerable additional legal risk for cybersecurity researchers in the convention. The article on illegal access requires countries to criminalize accessing computer systems without permission of the system’s owner using the same language that the Budapest Convention uses, but without the context of the explanatory report to Budapest, which makes clear that actions which are in the public interest should not be criminalized, meaning that security researchers, investigative journalists, whistleblowers and others are at risk of criminal prosecution in this convention in a way that is not the case in Budapest. Without the work that security researchers do, criminals and others will find it easier to exploit vulnerabilities, to breach sensitive systems, spread malware and engage in ransomware and other attacks.
And those risks become even more important when you consider the red teaming that is needed to test AI systems for bias, but also to test that guardrails against misuse of those systems work not only in the languages of those who develop the systems, but in global language sets, for example. Some member states have said publicly that security researchers are protected because of the reference to them in Article 53(3)(e) of the convention. But this is simply not true. And a plain language reading of that article will tell you that it’s not true. Because all that it does is recognize the importance of security researchers. It does nothing to protect their work. And you don’t have to take our word for it. The global security research community wrote a letter to the negotiators in February, warning them that the convention endangered their work. Unfortunately, the negotiators did not act in any way to address that problem. It allows authorities to force any person or company to facilitate access to computer systems, or stored electronic data in Article 28.4, which you’ve heard about from others today, in a manner that is far broader than Budapest. The Office of the UN High Commissioner for Human Rights has warned that this would directly threaten the global availability of encrypted communications and encrypted services, which we agree with that assessment. And undermining encryption threatens the safety and security of citizens globally. Government and/or private sector technology workers on holiday with access to secure systems could be compelled to provide access to those systems, and system owners would not know until it was too late. On safeguards as they relate to the private sector: many powers in the convention, as you’ve heard, are from Budapest and other treaties, generally verbatim. The safeguards and protections were copied and generally weakened.
Many states, OECD states, have said the convention sets new standards for safeguards because it contains protections that are new to international criminal justice law, which is true but misleading because the foundational protections in the convention are weaker than prior instruments, not stronger, and those foundations undermine the new protections which rely on them. In particular, Article 24.2 is copied from Budapest and is an essential foundation of all other protections. In Budapest, all parties must have these procedural law protections, but in this convention those protections are to be, quote, in accordance with and pursuant to the domestic law of each state party, end quote, meaning they are essentially optional. Procedural law is absolutely fundamental to users and human rights, but also to firms because these are the provisions that allow service providers to go to court to contest requests for user data when we think they’re unlawful or disproportionate. They are what requires a state to ground requests in applicable law and which provides for warrants rather than simply allowing a demand for data without judicial authorization. In many countries, as you’ve heard in detail earlier in this session from the previous speakers, warrants aren’t required to demand data from service providers. Requests are kept secret and providers may not object to them. Several UN member states at the committee level and at the third committee, when it was adopted by the first stage of UNGA, stated on the record that they will treat every safeguard provision in this convention as entirely subject to their own discretion, to their existing national legislation. This means we do not have to guess whether this convention will be abused. States have told us that they will do so on the record multiple times before the convention has even been adopted by the UNGA plenary.
While the convention requires confidentiality in the operations of its powers in eight articles, it requires transparency in none. States may use the convention’s powers, all of them, in perpetual secrecy. What this means is that firms operating globally will get demands for data which must be kept secret, and there will be no recourse to courts to push back against them, even if the firm knows they’re breaking the law in a different jurisdiction if they grant the request. This will all be legitimized because a treaty with the UN’s name on it allows for it to happen. I want to talk about something in addition today which we haven’t talked about yet and which doesn’t get enough attention, which is the convention’s provisions on asset seizures and forfeiture. The Budapest Convention does not have these provisions. As said by the Council of Europe in its briefing to Budapest member states on 4th July of this year, and I quote, “Risks arising from the current draft text of the convention are stemming from provisions on money laundering and asset forfeiture. In some states, targeting assets is a primary means to target opponents or businesses and to restrict fundamental rights. This entails the risk of abusive criminalization, investigation, or seizure of assets. For example, the combination of broad jurisdiction with low thresholds for liability of legal persons, low threshold and intense standards for participation and attempt could elevate non-criminal and unintentional conduct by service providers to a predicate offense and lead to the freezing of assets.” Or for political reasons, individuals and organizations may be targeted for fraud, and their assets may then be confiscated domestically or via international cooperation. All of what you’ve heard today begs a question of, why didn’t these many problems get addressed during the negotiation, especially given stakeholders were in the back of the room consistently raising them?
The answer is that the process allowed for voting on the substance. This is a major and terrible precedent. Treaties have been previously decided by consensus. Negotiators on OECD states were always worried that they didn’t have the votes for more robust safeguards. We know this because they told us again and again whenever we proposed fixes to these problems. It turns out that they were wrong. And we know this because Iran demanded several votes to remove safeguards and human rights provisions in August before the convention was adopted. And the most votes they could get in favor of this was 31 when they needed more than 90. In short, we recommend that all states not sign or ratify the convention now. The UNGA resolution adopting it will authorize the current negotiating committee to develop a protocol. And we believe national negotiators should be tasked with fixing the problems in the convention during that negotiation. And if they are successful, then states could join the convention and the protocol together. We know we will get better results this time, or we can, because Iran with its votes showed that the opponents of safeguards and rule of law protections don’t even have a quarter of the votes that they need. That’s all I have time for. But I look forward to the discussion and the questions.

Joey Shea: Thank you, Nick, for that intervention. We’re nearing the end of our time, so I want to open it up to the floor in the room first. We have at least one question online, but I just want to see from our audience here if there’s any questions to our panelists about the treaty and the rights implications globally and also in the various case studies that were presented today. No, if there’s no questions from the room, I know that we have one question online. So, from Monica through our Zoom call here, Monica asks to our panelists, how would human rights codified in national basic fundamental law prevent authorities from a country to transfer data to another treaty signatory? So, Deborah, do you want to?

Deborah Brown: I can start, and I’m very happy for others to weigh in as well. So the treaty does include an article that allows governments to refuse to provide mutual legal assistance on human rights grounds. I’ll read, I think it’s 4022, I’ll read the text now, it says nothing in this convention shall be interpreted as imposing obligations to afford mutual legal assistance if the requested state, meaning the state who receives the request for evidence, has grounds to believe that this request has been made for the purpose of punishing a person based on their sex, race, education, religion, nationality, ethnic origin, or political opinions, and it goes on a bit on that. So there is, as we said, this treaty provides flexibility, and as Fionnuala put it, it’s like Swiss cheese. You see human rights sprinkled in here and there, you can read into it, if you’re really committed to not allowing the treaty to be abused, there are ways you could use it and justify refusing cooperation. The point is, it doesn’t require states to refuse cooperation. They need to be proactive about it. So there’s both a reality, like from what we heard from Lina and from Veridiana, there’s countries around the world who expressively don’t want to respect human rights and are looking for ways to engage in repression, transnational or otherwise. And there’s no shortage of evidence to provide the negotiators reasons to provide stronger human rights protections. And there’s also a practical issue here. This essentially creates mutual legal assistance treaties globally. So rather than on a bilateral level or multilateral level, it basically would, for all signatories, require mutual legal assistance, and not for a specific set of crimes, but for crimes based on domestic law with a prison sentence of four years or more. So effectively, you’re going to have a massive number of requests coming in.
And to be able to find the requests that one can interpret as posing an obligation of providing substantial grounds for belief that the intention of the request was to repress human rights is a lot of ifs. Firstly, to find the case, to be looking for the case, the purpose of punishing or prosecuting a person on the basis of these protected classes is a high threshold. And it’s all voluntary. Again, it provides flexibility to do so, but no requirement to do so. And so between the high volume of requests that will be incoming to already overloaded mutual legal assistance authorities, and just the reality that a lot of governments are looking for ways, there’s been numerous reports in recent years on transnational repression by Human Rights Watch, by Citizen Lab, by Freedom House that are showing clear trends. So rather than responding to those trends and creating a stronger threshold, this treaty essentially gives a lot of latitude for governments to find ways to cooperate. So I think I answered the question as to how one could find a way in the treaty, but I think the reality is that those are going to be the exceptions, not the rule.

Joey Shea: Deborah, I’m wondering if any of our panelists online would like to weigh in, and perhaps our tech team, who seem to no longer be here, could help us get them on the screen. But to our online panelists: we can hear you, so if you want to intervene, please go ahead while we try to get you up on the screen. So as we’re... So we do have one more question from... Yeah, so we have one question from the audience here, but we’re... I’m gonna pass the mic.

Audience: It’s an internet governance forum that’s beleaguered by lots of technical challenges, that’s very not funny. Anyway, basically all of the speakers... My name is Khaled Mansour. I serve as a member of the Oversight Board for Meta. And my question is: all of you paint a very bleak picture, that the train has left the station. It’s racing. Basically, 40 countries sign or ratify this treaty, it’s done. It’s a done deal. So what can be done to convince?

Joey Shea: Oh, he’s in the IT booth, so I’m gonna take over moderation. I’m seeing Nick on the screen, which is convenient because I think Nick has some thoughts on this, but also happy to hear from others.

Nick Ashton-Hart: But it is, like, the key question. I think the first thing is to remember that in international judicial cooperation a great deal of the data that most of the country needs is located in a relatively few jurisdictions, the U.S. in particular, who have already said that they have no plans to seek ratification or to sign the convention in any reasonable, in any, they’re not going to do it soon, at the very least, they’re going to wait and see what countries do, but the EU has not, the EU commission has said that they want to sign and ratify and the commission, the parliament has to agree to this, so there’s an opportunity for Europe not to do that because Europe is the next most popular destination to get data from. Throughout the negotiations, we were told by many developing states who genuinely want to cooperate on cybercrime, on actual cybercrime, that the US and the EU member states joining was of fundamental importance because that’s where the data, most of the data they needed is, so were those states to team up and use the protocol negotiations to address some of these issues, they, we know they have the numbers because of the voting situation that I just recounted for you, but we know that they would have support from many other states who need them to join the treaty for it to be a viable instrument, so I think really now the key is to get member states to say that they’re not going to sign or ratify the convention as it stands, they supported its adoption, but they’re not going to join it and they’re going to use the protocol negotiations to address its flaws.
It’s worth pointing out that the reason protocol negotiations exist at all in this is because the many states who are of a more autocratic bent insisted on having protocol negotiations because they want to go and add even more crimes and even more scope to the convention, which makes it doubly important for OECD member states and their allies to say well that’s not going to happen, in fact the opposite’s going to happen, we’re going to make this about an actual cybercrime and an actually workable result that all states who genuinely want to work on cybercrime will participate in, which I think also goes to the question, Monica, that you asked, or part of the question that you asked. But I don’t see any other, the only other thing that could be done to address the convention is to work through the conference of the parties once it has entered into force, once 40 states have ratified it. And that’s far less likely to have a successful result than the protocol negotiations allow for.

Joey Shea: Thanks, Nick. It’s very concerning to note about how ratification may lead to authoritarian states adding even more crimes to the treaty. I want to go back to Lina for just one moment. We only have a few more minutes left in our session. There’s been a lot of discussion about transnational repression and how the treaty can facilitate and contribute to transnational repression. Could you speak a bit about the sort of history of transnational repression in Saudi Arabia and the gaps in the domestic law here, and how the treaty may interact with those gaps in domestic legislation to perhaps lead to further transnational repression? And also, in case we don’t have time, I’d encourage you to also speak, given that there’s so many policymakers in the room here today, folks from industry and government, what your message is with regard to the treaty on their engagement going forward as ratification comes.

al-Hathloul Lina: Thank you, Joey. That’s a lot to cover, but I’ll try my best. Just maybe, first of all, regarding transnational repression, I mean, what we have been monitoring are different trends. So it’s usually either the government collaborating with other governments in order to commit human rights violations. So, for example, I mentioned the case of my sister who was arrested, but before being arrested, she was actually kidnapped from the UAE with the help of the UAE government, the Emirati government, and brought back to Saudi Arabia and then forcibly disappeared in Saudi Arabia. So we see directly transnational repression with the collaboration of two states. But there are also other kinds of transnational repression, also linked to the digital rights. There’s also the use of spyware technologies, including Pegasus, for example, for numbers. And we have it, I mean, the founder of Al-Qais, has been targeted by Pegasus and is now trying the company and the state in UK courts. So this is also considered as transnational repression. And you also have, I mean, we have to remind this here, but the killing of Jamal Khashoggi in a Turkish consulate, in the Saudi consulate in Turkey, for example. So there are different ways we could describe transnational repression. And it’s mostly done through digital technologies. For Saudi, I mean, when we speak about national laws. What has to be known is, first of all, you don’t have a general penal code. But we do have, for example, two important laws for the topic is the first, the Saudi cybercrime law, and the second one is the anti-terrorism law, which are both used to silence civil society and to criminalize any remaining free speech. For the cybercrime law, we have, it’s problematic in its Article 3 and Article 6. 
So first, Paragraph 5 of Article 3 punishes any person who publishes defamatory content using various information technology devices with imprisonment for a period of up to one year or a fine of up to $130,000. So we see that usually what consists of what is defamatory is very broad and vague, and can be sometimes also just the comment on someone’s appearance on television, for example. We also have Article 6, so Paragraph 1 of Article 6 punishes any person who produces, prepares, or stores material impeding on public order, religious values, public morals, or privacy through an information network or computer with imprisonment, again, for up to five years and a fine, and/or a fine of up to $800,000. And again, here in this definition, everything is very vague, and anything can be considered as impeding public morals, and we’ve seen it in our monitoring work as well. And then, so a person can be charged on the cybercrime law, but also at the same time for the same case on the anti-terrorism law. And what’s very problematic with the anti-terrorism law is really its Article 1, the mere definition of what is terrorism. It’s too broad, very vague. We have seen, again, also people getting charged with the anti-terrorism law just for tweets, in which sometimes it’s also commenting social issues that have no link to terrorism whatsoever. And so we have cases where people have been charged with cybercrime law, with the anti-terrorism law. And then, because the judge has so much discretion in Saudi courts, they can add also, for example, two, three years of prison based on the judge’s discretion. So these are the main three laws and, yeah, and use of discretion by the judge in Saudi courts that I would say are the most problematic ones. Thank you. I don’t know, can you maybe just remind me the last part of your question?

Joey Shea: Yeah, the last part of my question, Lina, was any sort of anything you wanted to say to the policy makers here in the audience. We have folks from government and industry here, and any sort of recommendations you would have for them on how they should be engaging with the treaty going forward as it moves towards ratification with respect to human rights?

al-Hathloul Lina: Yeah, I mean, the first thing really is to listen to civil society. I think, I mean, we are discussing now this treaty. Haiti, in Saudi Arabia, when no Saudi civil society can really be present. So I think that the first step is really to be supportive of civil society being present in these spaces in order to really understand what’s at stake. I mean, we cannot just regulate such topics without knowing what’s at stake. And I think that everyone in this room, in your room, Joey, and everyone else, realizes how dangerous it is. It’s not even ratified that I cannot be there in person. So I think that everyone has the duty, really, to push for civil society to be present, to be protected in discussing these topics, and that it should not be seen as a bubble, because it will backfire. I mean, it is against everyone’s interest to have these discussions behind closed doors and not seeing the consequences it could have on everyone.

Joey Shea: Thank you very much, Lina. We just have a few moments left, so I want to actually put that question to the rest of our panelists. Maybe we can start with the rest of our online panelists, Nick or Veridiana, if you have any recommendations for the folks here in the room with how they can engage with the ratification process.

Veridiana Alimonti: I can start, and, well, considering everything that we discussed so far, the way that we see and, of course, EFF also opposes signature ratification and accession to the text as it is now, and have been urging states to vote no when the UNGA votes the UN cybercrime treaty, so policymakers and industry that are part of this panel and have been listening to our discussion, we would like to extend the call to pay attention to the concerns that we shared here. At this point of the vote in the General Assembly, and nonetheless, if the text passes and we have it, then it’s the process inside each country where policymakers and industry are also to point out these concerns and in another state where this is being discussed internally, if it passes, as it is, what would be a problem in our perspective. To discuss the least harmful way to incorporate this internally, considering the mace and the human rights safeguards a la carte that we mentioned in this panel that should be embraced in each context that this treaty goes on, but what I would like to highlight is that in our position or in our view, we shouldn’t get, in EFF’s view, we shouldn’t get to the point of incorporating this treaty into national law with its current text. We should be able to make its safeguards more robust globally as the investigative powers are robust right now globally. So that’s it. Thank you for the opportunity to be part of this discussion and to share our thoughts about the cybercrime convention.

Joey Shea: Do you have anything closing to add in terms of advice for the folks in the room? And we just have a few moments, so we’ll keep it short, Nick, and then we’ll close with Deborah. Nick, can you hear us? If you have any closing remarks, please go ahead.

Nick Ashton-Hart: Sorry, I thought it was like a general call. I didn’t hear it was me, because you’re quite faint for some reason on my end. I mean, nothing in particular you haven’t heard. I mean, I hope people who aren’t familiar with this are concerned. You should be. And the best thing that people can do is communicate to their governments what their concerns are and ask that they not be willing to sign this until improvements are made and to engage actively in the forthcoming negotiation process on the protocol to make that possible, because that’s really the only practical way that there is to change the content of the convention. Otherwise, it would be only five years after the convention enters into force could the conference of the parties entertain amendments to it. And I think by then, it would be very difficult to get much support for amending it again. So this is really the time is to not sign it and for states to remain engaged in the process. And this time around, work with civil society and the private sector and come up with proposals in advance that the back of the room can actually support and to be bold, because the states who need the data and the states who have the data are far and away enough to get meaningful changes adopted over the objections of the relatively small number of states who are on the other side of all of the issues that you’ve heard today. That’s the good news. There isn’t a majority for a lot of these provisions. Now we know that, and we should take advantage of that knowledge to change the text.

Deborah Brown: I know we only have three minutes left, so I’ll try to be quick just to build on what Nick was saying. The protocol is an important opportunity. It’s worth mentioning that even if a state hasn’t ratified the treaty, they can participate in those negotiations, as opposed to the conference of state parties. That is an argument both to not ratify, but also to participate in the protocol. This was a relatively open process for a multilateral treaty negotiation, meaning that civil society and industry were in the room, though a lot of these concerns that have been raised today we had proposals to address. I think there’s a gap there also with the UN Office of the High Commissioner for Human Rights, which had very tangible expert advice on how to plug the human rights gaps in this treaty. Moving forward, there’s been ideas floated by the US and an explanation of a position to have a legislative guide or implementation guide. To really lean on the expertise within the UN system would be incredibly important for that. Also, to listen to national stakeholders or in the case of the EU, regional stakeholders. Of course, each member state has a different process to get to ratification, and it’s really important to listen to domestic stakeholders on how to whether they support the treaty and what action to take and within the context of the EU it’d be wonderful if there was an opinion requested by the European Court of Justice and also to listen to request and consider recommendations or opinions from the EU data protection supervisor who had issued an opinion on a draft version of the text which was quite critical. So I think I will end there. I think we’re more or less at time. Joey, any final remarks?

Joey Shea: Just to say thank you to all of our panelists online for participating in this important discussion and especially to Lina who really should be here in the room with us today and again just to emphasize how important her voice is and the voice of Al-Qist and other Saudi human rights organizations are and how unfortunate it is that they are not able to be with us here today. But thank you everyone for joining us and yeah I hope you have a wonderful rest of your IGF.

Deborah Brown

Speech speed

161 words per minute

Speech length

2206 words

Speech time

818 seconds

Treaty provides broad surveillance powers without adequate safeguards

Explanation

The UN Cybercrime Treaty grants extensive electronic surveillance powers to investigate and cooperate on a range of crimes, even when no ICT systems were used. The treaty lacks sufficient safeguards to prevent abuse of these powers.

Evidence

The treaty requires states to establish expansive electronic surveillance powers for investigating and cooperating on ‘serious crimes’ defined as any crime with a penalty of four years or more in prison.

Major Discussion Point

Overview and Human Rights Concerns of the UN Cybercrime Treaty

Agreed with

Fionnuala Ni Aolain

Nick Ashton-Hart

Veridiana Alimonti

Agreed on

The UN Cybercrime Treaty lacks adequate human rights safeguards

Treaty lacks safeguards against misuse for political persecution

Explanation

The UN Cybercrime Treaty does not provide sufficient safeguards to prevent its misuse for political persecution. While it includes some human rights provisions, these are not consistently applied throughout the treaty and are often optional.

Evidence

The speaker mentions that Article 24.2 of the treaty, which deals with procedural law protections, is made optional by deferring to domestic law of each state party.

Major Discussion Point

Impacts on Transnational Repression

Engage with domestic stakeholders on ratification decisions

Explanation

The speaker recommends that policymakers engage with domestic stakeholders when making decisions about ratifying the UN Cybercrime Treaty. This engagement is crucial for understanding the potential impacts of the treaty at the national level.

Evidence

The speaker suggests listening to national stakeholders on whether they support the treaty and what action to take, and in the EU context, considering opinions from bodies like the European Court of Justice and the EU data protection supervisor.

Major Discussion Point

Recommendations for Policymakers

Fionnuala Ni Aolain

Speech speed

157 words per minute

Speech length

1734 words

Speech time

660 seconds

Treaty extends criminalization to vaguely defined offenses

Explanation

The UN Cybercrime Treaty extends the scope of offenses under other conventions to encompass cyber means without formally amending each convention. This approach is problematic due to its vagueness and potential for overreach.

Evidence

Article 4 of the treaty requires states to criminalize offenses under other UN conventions when committed through ICT systems, without specifying which conventions or offenses are affected.

Major Discussion Point

Overview and Human Rights Concerns of the UN Cybercrime Treaty

Treaty lacks consistent human rights protections throughout

Explanation

The UN Cybercrime Treaty does not provide consistent human rights safeguards across all its sections. This inconsistency creates gaps in protection and allows for potential abuse of the treaty’s provisions.

Evidence

The speaker points out that human rights clauses are present in some parts of the treaty but absent in others, creating a ‘Swiss cheese’ effect in terms of human rights protections.

Major Discussion Point

Overview and Human Rights Concerns of the UN Cybercrime Treaty

Agreed with

Deborah Brown

Nick Ashton-Hart

Veridiana Alimonti

Agreed on

The UN Cybercrime Treaty lacks adequate human rights safeguards

Differed with

Nick Ashton-Hart

Veridiana Alimonti

Differed on

Approach to addressing treaty flaws

Nick Ashton-Hart

Speech speed

148 words per minute

Speech length

2219 words

Speech time

895 seconds

Treaty allows for secret surveillance and data collection

Explanation

The UN Cybercrime Treaty permits confidentiality in the operations of its powers in multiple articles but does not require transparency. This allows states to use the treaty’s powers in perpetual secrecy, potentially leading to abuse.

Evidence

The speaker mentions that the treaty requires confidentiality in eight articles but does not mandate transparency in any of them.

Major Discussion Point

Overview and Human Rights Concerns of the UN Cybercrime Treaty

Agreed with

Deborah Brown

Fionnuala Ni Aolain

Veridiana Alimonti

Agreed on

The UN Cybercrime Treaty lacks adequate human rights safeguards

Treaty criminalizes accessing systems without permission, endangering security researchers

Explanation

The UN Cybercrime Treaty requires countries to criminalize accessing computer systems without permission, using language similar to the Budapest Convention but without the context that protects actions in the public interest. This puts security researchers at risk of criminal prosecution.

Evidence

The speaker cites the article on illegal access in the treaty and compares it to the Budapest Convention, noting the lack of context that would protect security researchers.

Major Discussion Point

Threats to Cybersecurity Research

Agreed with

Deborah Brown

Agreed on

The treaty poses risks to cybersecurity researchers

Lack of protections for security researchers threatens discovery of vulnerabilities

Explanation

The absence of protections for security researchers in the UN Cybercrime Treaty could hinder their ability to find and report vulnerabilities in computer systems. This could make it easier for criminals to exploit these vulnerabilities.

Evidence

The speaker mentions that without the work of security researchers, criminals will find it easier to exploit vulnerabilities, breach sensitive systems, spread malware, and engage in ransomware attacks.

Major Discussion Point

Threats to Cybersecurity Research

Agreed with

Deborah Brown

Agreed on

The treaty poses risks to cybersecurity researchers

States should not sign or ratify the treaty as it stands

Explanation

The speaker recommends that countries should not sign or ratify the UN Cybercrime Treaty in its current form due to its numerous flaws and potential for abuse. This stance is supported by a broad coalition of businesses and civil society organizations.

Evidence

The speaker mentions that the Cybersecurity Tech Accord, along with the global business community and civil society, has publicly opposed signature, ratification, or accession to the convention as it stands.

Major Discussion Point

Recommendations for Policymakers

Use protocol negotiations to address flaws in the treaty

Explanation

The speaker suggests using the upcoming protocol negotiations as an opportunity to fix the problems in the UN Cybercrime Treaty. This approach could lead to a more balanced and rights-respecting document.

Evidence

The speaker points out that the UNGA resolution adopting the treaty will authorize the current negotiating committee to develop a protocol, providing an opportunity to address the treaty’s flaws.

Major Discussion Point

Recommendations for Policymakers

Differed with

Veridiana Alimonti

Differed on

Approach to addressing treaty flaws

Veridiana Alimonti

Speech speed

124 words per minute

Speech length

1204 words

Speech time

578 seconds

Treaty could facilitate cross-border surveillance and data sharing by repressive regimes

Explanation

The UN Cybercrime Treaty’s provisions for international cooperation could enable repressive governments to engage in cross-border surveillance and data sharing. This poses a significant risk to human rights and privacy.

Evidence

The speaker mentions that the treaty compels countries to collect and share private data across borders for a wide range of serious crimes, even if technology is not involved in the crime.

Major Discussion Point

Impacts on Transnational Repression

Agreed with

Deborah Brown

Fionnuala Ni Aolain

Nick Ashton-Hart

Agreed on

The UN Cybercrime Treaty lacks adequate human rights safeguards

Lina al-Hathloul

Speech speed

121 words per minute

Speech length

1718 words

Speech time

845 seconds

Saudi Arabia uses vague cybercrime and anti-terrorism laws to silence dissent

Explanation

Saudi Arabia employs broadly defined cybercrime and anti-terrorism laws to suppress free speech and criminalize online expression. These laws are often used to target human rights defenders and civil society members.

Evidence

The speaker cites specific articles in Saudi laws, such as Article 6 of the cybercrime law and Article 1 of the anti-terrorism law, which have vague definitions that can be used to criminalize a wide range of online activities.

Major Discussion Point

Impacts on Transnational Repression

Listen to civil society voices in treaty discussions

Explanation

The speaker emphasizes the importance of including civil society voices in discussions about the UN Cybercrime Treaty. This inclusion is crucial for understanding the real-world implications of the treaty’s provisions.

Evidence

The speaker points out that the treaty is being discussed in Saudi Arabia without the presence of Saudi civil society, highlighting the need for broader representation in these discussions.

Major Discussion Point

Recommendations for Policymakers

Agreements

Agreement Points

The UN Cybercrime Treaty lacks adequate human rights safeguards

Deborah Brown

Fionnuala Ni Aolain

Nick Ashton-Hart

Veridiana Alimonti

Treaty provides broad surveillance powers without adequate safeguards

Treaty lacks consistent human rights protections throughout

Treaty allows for secret surveillance and data collection

Treaty could facilitate cross-border surveillance and data sharing by repressive regimes

Multiple speakers agreed that the UN Cybercrime Treaty does not provide sufficient human rights protections and could enable abuse of surveillance powers.

The treaty poses risks to cybersecurity researchers

Nick Ashton-Hart

Deborah Brown

Treaty criminalizes accessing systems without permission, endangering security researchers

Lack of protections for security researchers threatens discovery of vulnerabilities

Speakers highlighted the potential negative impact of the treaty on cybersecurity research, which could hinder the discovery and reporting of vulnerabilities.

Similar Viewpoints

These speakers advocated for not ratifying the treaty in its current form and suggested using future negotiations and stakeholder engagement to address its flaws.

Nick Ashton-Hart

Veridiana Alimonti

Deborah Brown

States should not sign or ratify the treaty as it stands

Use protocol negotiations to address flaws in the treaty

Engage with domestic stakeholders on ratification decisions

Unexpected Consensus

Broad agreement across civil society and business sectors

Nick Ashton-Hart

States should not sign or ratify the treaty as it stands

The speaker noted an unprecedented level of agreement between civil society and the business community in opposing the treaty, which is significant given these groups often have divergent interests.

Overall Assessment

Summary

The speakers largely agreed on the inadequacy of human rights protections in the UN Cybercrime Treaty, its potential for abuse, and the need for significant improvements before ratification.

Consensus level

High level of consensus among the speakers, implying a strong unified critique of the treaty from various perspectives (human rights, cybersecurity, legal). This consensus suggests a need for substantial revisions to the treaty to address these shared concerns.

Differences

Different Viewpoints

Approach to addressing treaty flaws

Nick Ashton-Hart

Veridiana Alimonti

Use protocol negotiations to address flaws in the treaty

Treaty lacks consistent human rights protections throughout

Nick Ashton-Hart suggests using protocol negotiations to fix treaty flaws, while Veridiana Alimonti emphasizes the need for more robust global safeguards rather than incorporating the current text into national law.

Unexpected Differences

Overall Assessment

Summary

The main areas of disagreement revolve around the specific approaches to addressing the treaty’s flaws and the level of engagement with different stakeholders in the process.

Difference level

The level of disagreement among the speakers is relatively low. They largely agree on the fundamental issues with the treaty but have slightly different emphases on how to address these issues. This general consensus implies a strong united front in opposition to the treaty as it stands, which could be significant in influencing policy decisions and future negotiations.

Partial Agreements

All speakers agree that the treaty has significant flaws and should not be ratified as is, but they differ on the specific actions to take. Nick Ashton-Hart suggests using protocol negotiations, Veridiana Alimonti opposes incorporation into national law, and Deborah Brown emphasizes engaging with domestic stakeholders.

Nick Ashton-Hart

Veridiana Alimonti

Deborah Brown

States should not sign or ratify the treaty as it stands

Treaty lacks safeguards against misuse for political persecution

Engage with domestic stakeholders on ratification decisions

Takeaways

Key Takeaways

The UN Cybercrime Treaty provides broad surveillance powers without adequate human rights safeguards

The treaty could facilitate transnational repression by authoritarian regimes

The treaty poses risks to cybersecurity researchers and their work

There are significant concerns about the treaty’s vague language and deference to domestic laws

Civil society and industry groups broadly oppose ratification of the treaty in its current form

Resolutions and Action Items

Policymakers are urged not to sign or ratify the treaty in its current form

States are encouraged to use upcoming protocol negotiations to address flaws in the treaty

Governments should engage with domestic stakeholders and civil society on ratification decisions

Unresolved Issues

How to effectively balance cybercrime prevention with human rights protections

How to ensure the treaty cannot be misused for political persecution

How to protect cybersecurity researchers while criminalizing malicious hacking

How to address the treaty’s broad scope and vague definitions of crimes

Suggested Compromises

Use the protocol negotiations to strengthen human rights safeguards while maintaining core cybercrime provisions

Develop implementation guidelines with input from UN human rights experts to mitigate potential abuses

Allow states to opt out of certain provisions that may conflict with domestic human rights protections

Thought Provoking Comments

The UN Cybercrime Treaty, as it currently stands, is excessively broad and it reduces significant legal uncertainty. It provides states with the tools to leverage high-level, intrusive domestic and cross-border surveillance powers to address a vaguely defined list of criminal offences. This vague framing risks becoming a serious weapon in the hands of governments that are already using cybercrime laws to suppress dissent.

speaker

Lina al-Hathloul

reason

This comment succinctly captures the core problem with the treaty – its vagueness and potential for abuse by repressive governments.

impact

It set the tone for much of the subsequent discussion about the treaty’s flaws and dangers, particularly for human rights defenders and dissidents.

Article four requires wholesale and indiscriminate potential extension of every offense under every convention without close drafting scrutiny of whether it’s appropriate or possible or even necessary. And what more particularly what the human rights implications of that are adverse consequences of doing that would be.

speaker

Fionnuala Ni Aolain

reason

This comment highlights a specific and critical flaw in the treaty’s drafting that could have far-reaching consequences.

impact

It deepened the analysis by moving from general concerns to specific legal issues, prompting more detailed discussion of the treaty’s text and implications.

We know we will get better results this time, or we can, because of Iran with its votes showed that the opponents of safeguards and rule of law protections don’t even have a quarter of the votes that they need.

speaker

Nick Ashton-Hart

reason

This comment provides a strategic insight into how the treaty could potentially be improved, offering a glimmer of hope in an otherwise bleak discussion.

impact

It shifted the conversation towards potential solutions and next steps, rather than just focusing on the problems with the current treaty.

The protocol is an important opportunity. It’s worth mentioning that even if a state hasn’t ratified the treaty, they can participate in those negotiations, as opposed to the conference of state parties. That is an argument both to not ratify, but also to participate in the protocol.

speaker

Deborah Brown

reason

This comment offers a practical strategy for engagement with the treaty process, even for states with concerns.

impact

It provided a concrete action item for policymakers and stakeholders in the audience, shifting the discussion from analysis to potential action.

Overall Assessment

These key comments shaped the discussion by first establishing the serious flaws and dangers of the UN Cybercrime Treaty, then delving into specific legal and procedural issues, and finally exploring potential strategies for improvement and engagement. The conversation progressed from outlining problems to proposing solutions, providing a comprehensive overview of the treaty’s implications and possible ways forward for concerned stakeholders.

Follow-up Questions

How can the protocol negotiations be used to address flaws in the UN Cybercrime Treaty?

speaker

Nick Ashton-Hart

explanation

Nick suggested using the upcoming protocol negotiations as an opportunity to fix problems in the convention, which is important for improving human rights protections.

What are the potential impacts of the UN Cybercrime Treaty on cybersecurity researchers?

speaker

Joey Shea

explanation

Joey asked about this specifically, highlighting the importance of understanding how the treaty could affect the work of those who help protect digital systems.

How can civil society be more effectively included in discussions about the UN Cybercrime Treaty?

speaker

Lina al-Hathloul

explanation

Lina emphasized the need for civil society participation to fully understand the treaty’s implications, which is crucial for developing balanced policies.

What steps can be taken to prevent the UN Cybercrime Treaty from facilitating transnational repression?

speaker

Joey Shea

explanation

Joey asked about this in relation to Saudi Arabia, highlighting the need to address potential misuse of the treaty for human rights abuses.

How can policymakers and industry engage with the ratification process to address human rights concerns?

speaker

Joey Shea

explanation

Joey asked this to all panelists, indicating the importance of finding ways to improve the treaty during its implementation phase.

What are the implications of the treaty’s provisions on asset seizures and forfeiture?

speaker

Nick Ashton-Hart

explanation

Nick raised this as an area needing more attention, suggesting it could be used to target opponents or businesses and restrict fundamental rights.

How can states effectively use the human rights provisions in the treaty to refuse cooperation on abusive requests?

speaker

Monica (audience member)

explanation

This question addresses the practical application of human rights protections in the treaty, which is crucial for preventing misuse.

Disclaimer: This is not an official session record. DiploAI generates these resources from audiovisual recordings, and they are presented as-is, including potential errors. Due to logistical challenges, such as discrepancies in audio/video or transcripts, names may be misspelled. We strive for accuracy to the best of our ability.

WS #180 Protecting Internet data flows in trade policy initiatives

Session at a Glance

Summary

This discussion focused on protecting Internet data flows and addressing challenges in trade policy initiatives. Panelists explored how data localization laws and restrictions on cross-border data flows threaten the open, globally connected nature of the Internet. They highlighted concerns about how such policies can negatively impact privacy, free expression, and economic growth, particularly for small businesses and network operators in developing countries.

The speakers emphasized the need for evidence-based policymaking and standardized practices for data protection and security. They discussed tools like the Internet Society’s Impact Assessment Toolkit to help governments understand the consequences of their policies on Internet infrastructure. The importance of involving diverse stakeholders, including network operators, small businesses, and civil society, in policy discussions was stressed.

Panelists noted the challenges posed by the intersection of digital trade issues with national security concerns, which has led to increased restrictions. They called for greater collaboration between the digital and trade communities to address misconceptions about data flows and sovereignty. The discussion highlighted the need for more research on the economic impacts of data localization, especially in developing countries.

Participants agreed on the importance of raising awareness about how restrictions on data flows threaten the Internet’s existence. They suggested engaging with international development banks and national policymakers to promote informed decision-making. The discussion concluded by emphasizing the need for collaboration among all stakeholders to maintain free data flows and shape the future of the Internet and digital trade positively.

Keypoints

Major discussion points:

– The importance of protecting cross-border data flows and resisting data localization policies that threaten to fragment the internet

– The rise of digital sovereignty and data localization laws as threats to an open, globally connected internet

– The need for evidence-based policymaking and impact assessments to understand the effects of data flow restrictions

– The role of trade agreements in protecting cross-border data flows and the recent U.S. reversal on this issue

– The importance of including diverse stakeholders (e.g. small network operators, businesses) in discussions about data flows and trade policy

The overall purpose of the discussion was to examine threats to cross-border data flows, particularly in the context of trade policy, and explore ways to protect an open, globally connected internet while addressing privacy and security concerns.

The tone of the discussion was largely analytical and collaborative, with experts sharing insights from different perspectives (e.g. human rights, trade policy, internet governance). There was a sense of urgency about the threats to cross-border data flows, but also optimism about potential solutions through multi-stakeholder collaboration and evidence-based policymaking. The tone became slightly more concerned when discussing geopolitical tensions and national security issues near the end.

Speakers

– Nermine EL Saadany: Moderator, Regional Vice President at the Internet Society

– Natalie Campbell: Director and Senior Director, North America at the Internet Society

– Mahroz Khan: Cross-border Expansion Manager at the Digital Cooperation Organization (DCO)

– Jennifer Brody: Deputy Director of Policy and Advocacy for Technology and Democracy, Freedom House

– Sabhanaz Rashid Diya: CIGI Senior Fellow and founder of the Tech Global Institute

– Farzaneh Badiei: Founder, Digital Medusa

Additional speakers:

– (Audience member): Senior Project Manager at the Council of Europe

– Dana Kramer: Representing Canadian NRI (youth and national)

– Milton Mueller: Professor at Georgia Institute of Technology’s Internet Governance Project

Full session report

Protecting Cross-Border Data Flows: Challenges and Solutions in Internet Governance

This discussion, moderated by Nermine EL Saadany of the Internet Society, brought together experts from various fields to explore the critical issue of protecting cross-border data flows in the face of emerging challenges, particularly in trade policy initiatives. The panel examined how data localisation laws and restrictions on cross-border data flows threaten the open, globally connected nature of the Internet, and discussed potential solutions to address these challenges.

Key Threats to Cross-Border Data Flows

The panellists unanimously agreed that data localisation laws pose a significant threat to the open Internet. Natalie Campbell from the Internet Society highlighted how these laws threaten global connectivity, while Jennifer Brody of Freedom House emphasised that such laws enable government surveillance and control. Sabhanaz Rashid Diya, a CIGI Senior Fellow, pointed out that the recent US reversal on cross-border data flow policy encourages data localisation, further exacerbating the problem.

Farzaneh Badiei, founder of Digital Medusa, drew attention to the impact of data localisation on small network operators and meaningful connectivity. This perspective was particularly valuable in highlighting how these policies affect not just large corporations, but also smaller players in the digital ecosystem.

The discussion also touched on the concerning trend of trade agreements no longer prioritising or including strong protections for cross-border data flows. Both Natalie Campbell and Mahroz Khan from the Digital Cooperation Organization expressed worry about this development, noting that it poses significant risks to the open Internet. Khan specifically mentioned ongoing discussions at the World Trade Organization (WTO) and the shift in the US position on cross-border data flows.

Impacts of Restricting Cross-Border Data Flows

The panellists explored various negative impacts of restricting cross-border data flows. Nermine EL Saadany emphasised how such restrictions fragment the Internet and hinder economic growth. Jennifer Brody highlighted that data localisation laws impede access to information and communication, raising serious human rights concerns. She also discussed Freedom House’s work on internet freedom and its relevance to this issue.

An audience member raised the possibility of tariffs on digital services being used as retaliation in trade disputes, adding another layer of complexity to the issue. Milton Mueller, a professor at Georgia Institute of Technology, brought attention to how national security concerns are increasingly being used to justify digital trade restrictions, particularly in the context of US-China geopolitical rivalry.

Approaches to Protect Cross-Border Data Flows

The discussion then shifted to potential solutions and approaches to protect cross-border data flows and maintain an open Internet. Natalie Campbell advocated for the use of the Internet Society’s Internet Impact Assessment Toolkit to evaluate policies affecting cross-border data flows. She provided specific examples of how this tool has been used to assess the impact of proposed legislation on Internet infrastructure in countries like Ecuador and Kenya.

Farzaneh Badiei suggested standardising data protection and security practices globally as an alternative to data localisation. This approach aims to address security concerns without resorting to harmful localisation policies. She also emphasised the importance of involving small network operators in these discussions.

Several speakers emphasised the need for more comprehensive research and evidence gathering. Mahrooz Khan called for gathering evidence on the economic impacts of data localisation, especially in developing countries. He also highlighted the work of the Digital Cooperation Organization (DCO) in developing digital trade policies and promoting cross-border data flows.

Sabhanaz Rashid Diya stressed the importance of involving diverse stakeholders, including small businesses, in policy discussions. Jennifer Brody proposed engaging international development banks on data protection issues, highlighting the need to incorporate data protection expertise in development projects.

Natalie Campbell emphasised the importance of raising awareness that data flows are crucial for the Internet to exist, suggesting outreach to national decision-makers on this issue. She mentioned the role of Internet Society chapters in raising awareness about internet threats at the local level.

An audience member brought up the Council of Europe’s Convention 108 and the Budapest Convention as potential models for international cooperation on data protection and cybercrime issues.

The moderator concluded by emphasising that collaboration among all stakeholders is key to maintaining free data flows and shaping the future of the Internet and digital trade positively. The discussion highlighted the need for continued dialogue, evidence-based policymaking, and more research on the economic and societal impacts of data localisation policies.

In summary, this discussion provided a comprehensive overview of the challenges facing cross-border data flows and the open Internet. It highlighted the complex interplay between technical, economic, legal, and human rights considerations in this domain, and proposed various approaches to address these challenges while preserving the fundamental openness and global connectivity of the Internet.

Session Transcript

Nermine EL Saadany: Thank you, everyone. Please confirm that you hear me online. Okay. Yes, perfect. So good afternoon. It’s a pleasure to be here with you today. My name is Nermine EL Saadany. I am the regional vice president at the Internet Society, and I will be moderating this very interesting session today about protecting Internet data flows and trade policy initiatives. I think the rapid globalization of the digital economy has transformed the way we conduct business and the way we communicate and innovate. As data becomes an increasingly valuable asset, it is imperative to ensure the free flow of cross-border data. However, there is a rise of protectionist measures and data localization policies that threaten and fragment the Internet and might hinder the economic growth. So in this session, we will be delving into the critical issue of protecting the Internet data flows in the context of trade policy initiatives. I have with me online and as well on-site a very distinguished panelist whom I cherish being with and among because of their expertise, and I think the session will be very, very interesting. And without further ado, I would like to introduce our first speaker online, Ms. Natalie Campbell, the director and senior director, North America at the Internet Society. And allow me, Natalie, to address the very first question in our session. Why removing, in your opinion, Internet protections for cross-border data flows against mandated data localization and electronic transmission threaten the Internet? You have the floor, Natalie.

Natalie Campbell: Thank you, Nermine, and thank you, everyone, so much for joining us today. It’s really an honor to be here and to speak to you all about this really concerning issue. So at the Internet Society, you know, we’ve been paying attention to different threats to the Internet over the last several years. And, you know, we pay extra attention when we observe threats that would impede the Internet at the infrastructure level, but specifically in terms of what it needs to exist. Over the last several years, I think it’s no surprise to everyone here that there’s been increasing threats of fragmentation to the Internet, and often these come from governments who are trying to address different issues on the Internet, and doing so without considering what the Internet needs to exist in the first place. So the Internet Society and our mission for Internet for Everyone, we work as a resource with governments, and we help them understand the impact of different decisions on the Internet and how to mitigate harm with tools like our Internet Impact Assessment Toolkit. But today we’re here to talk about a newer challenge that is more difficult to tackle and to steer different actors in the right direction because of the secretive nature of these initiatives and the lack of transparency to different folks in this process. And that’s the threats emerging in trade initiatives to the Internet’s promise of global connectivity and specifically open data flows. So the Internet Society, we’re not a trade expert, but we started paying attention to this issue because it is an Internet threat that we spotted in 2023 when we started seeing talks about certain Internet protections that were being advanced in the World Trade Organization’s joint statement initiative on e-commerce. We started paying attention when certain protections for open data flows and pushing back on mandated localization, when that became deprioritized and ultimately there was a lack of consensus on these protections that are crucial to the internet and its global connectivity, things that needs to exist in the first place. So this is why we started paying attention to this issue and why we’re so happy to have an opportunity to speak with everyone here today about it, because we believe that, open data flows are not just a nice to have, the internet needs these to exist. And the fact that these protections are no longer prioritized in trade initiatives, this is a worrying signal to countries around the world that very much rely on open data flows for digital trade to be successful in the first place. If we’re no longer thinking about the fact that these need to be prioritized as a protection, then that poses a risk to the internet because countries who are involved in these trade initiatives might otherwise not be prioritizing this when they’re thinking about their own different approaches to national regulation. And specifically we’re worried because as many countries around the world don’t have approaches to data governance, they might be looking towards restrictions to data flows or mandated data localization in the name of privacy and security, but we know that these are not actually helpful to both those goals and are actually very harmful to the internet’s infrastructure and what it needs to exist in the first place. So that’s kind of why we were hoping to help share these concerns with folks here today and to have a conversation with participants to not only share awareness about our concerns, but also to brainstorm what can be done to help steer countries in the right direction to protect things that are crucial to the internet and what can we do to support different actors to ensure that trade initiatives are also prioritizing protections for the internet, especially given the lack of visibility that folks have into these conversations. What can we do together? Thank you.

Nermine EL Saadany: Thank you so much, Natalie, for setting the scene for our discussion and let me take from what you have said and maybe just take a minute to explain again to our audience because I see some new folks entered the room. Our session today will tackle protection of trade and the data flow and cross-border data and it will be divided into two parts. Part one will be the panel that we are having now, very distinguished panelists we are having online and on-site and then the second part we will have some robust kind of discussion where the experts will share some views as well and definitely in between we will listen to your views and maybe take some questions and answers. And from what Natalie has said and maybe I would refer to my colleague on the left, Mr. Mahrooz Khan, cross-border expansion manager at the Digital Cooperation Organization, the DCO, and from your expertise, Mahrooz, the reaction of the countries on the threats and how they look at the threats that the trade can face and what is the impact on SMEs in specific.

Mahrooz Khan: Thank you so much and I really appreciate this opportunity to be here and I would like to congratulate the Internet Society for organizing this discussion and from where I’m coming from, I’m a trade and investment lawyer trained at WTO and then UN International Trade Center, so I’m coming from that dimension, but specifically here at the Digital Cooperation Organization I’m working on the nexus between the digital policies and the trade policies through various of its programs. The DCO is a new intergovernmental organization with 16 member states spanning across three different continents, so we have a good mix of member states from Europe, from Africa, as well as Asia. So I would like to actually start the premise that there is actually discontent between trade community and the digital community and it has been lagging for decades. When we talk about, as Ms. Natalie actually mentioned, that this new topic actually started coming to the conversation in the digital community in 2023. So actually, let me actually specifically lay out what actually happened in 2023. In 2023, United States stated its position that it will not support its argument and it will not enter into any legally binding agreement which guarantees cross-border data flows. And then it got into news because then it also had that catchy name, tariffs. So custom duty cross-border data flows, but in addition to that, there was a threat that custom duties would be applicable to the electronic transactions. And here, let me also bring you the background. This discussion has been happening in the trade community. Back in 1998, there was a committee formed on electronic transactions where the countries agreed that they will not impose any custom duties on electronic transactions. That was a temporary moratorium. It has been renewed again and again and recently, since the last four years, it has been extended on a bi-yearly basis, twice, during the ministerial conference of WTO.
The committee at the WTO, there was no agreement on any other issue apart from the moratorium, so it did not produce anything. So what happened was, a group of countries, specifically 91 countries representing 90% of the global trade, started to negotiate on a plurilateral trade agreement where US, being this big supporter of open cross-border data flows, proposed its position that we need to have open cross-border data flows, the data localization requirements must be minimized, and then there must be a strong position on source code sharing. So later on, what happened? So the conversation started back in 2017, the country started negotiating. Then in 2023, United States stated its position, it is backing off, and then it got into news, and how it is going to impact the digital community. So where do we stand today? We do not have an internationally legally binding instrument at any stage which guarantees open cross-border data flows. This position was actually taken by US at the WTO. However, they have backed down. Amongst these 91 countries, nine of them dropped, including United States. So the latest agreement that we have amongst the 82 countries is that there must be facilitation of electronic commerce, and the language of the treaty is not much legally binding. And they have taken out cross-border data flows, the data localization requirement, and the source code. At the DCO, what we did, looking at these developments, we actually assessed where the countries stand today on these digital trade policies. And we actually collected regulations across 16 member states that actually accounts around 2,500 regulations. So in order to move towards the next direction, we need to know where we stand today. So we collected this assessment, and then we also did a survey with the business firms who are involved in digital trade, trying to understand their experience to actually connect the dots. 
Moving forward, we will be actually sharing a high-level trends analysis that shows the developments of digital trade. The importance of this discussion, we are connected with our moderators today through Zoom. That would mean additional imposition of taxes, but then how those taxes would have to be paid, the speakers connected in different jurisdictions, from Canada to UK and other jurisdictions, how that has to be implemented. So this topic actually creates more regulatory uncertainty. That also means Ms. Nermine, who has actually come from Egypt, she’s able to call her family through WhatsApp. That means that won’t be possible, or that might not be possible. We do not know. And for the private sector, and here the major issue comes, the private sector, especially for the small, medium-sized enterprises, it will become a hurdle. We need open cross-border data flows that allow small businesses, and in the new digital economy, it allows small businesses to provide their goods as well as services and expand into different regions. The uncertainty on this issue would mean, and without any agreement between any countries, that would mean we are uncertain about the future. So there needs to be actually discussion. The original point that I mentioned, the discussion between trade community and the digital community, and the countries need to actually start monitoring the impact that it will have on their businesses, on their economy, and moving forward, any new shape that our economies can take. I’ll stop here.

Nermine EL Saadany: Thank you. Thank you so much, Mahmoud. It’s very insightful. And we will move to our next speaker online, Ms. Jennifer Brody, Deputy Director of Policy and Advocacy for Technology and Democracy, Freedom House. And I think, Jen, from your own experience, access to information and communication technologies nowadays has become an essential matter for more inclusive society and become more and more related to human rights. So if you can share from your experience, your thoughts about that, please. Jen?

Jennifer Brody: Sure, my pleasure. And thank you so much for having me here today. It’s a real honor and a pleasure. First off, just to share, if you’re not familiar, Freedom House, we are the oldest human rights and democracy nonprofit in the United States, founded in 1941. We produce the report that many of you may be familiar with called Freedom on the Net. It surveys essentially the state of internet freedom in over 70 countries around the world, working with local country analysts. At Freedom House, we first engaged in this topic after the US government, the USTR, reversed its longstanding cross-border data flows policy in the World Trade Organization talks in October, 2023, that the panelists who spoke before me alluded to. Like ISOC, we are not digital trade experts. Instead, for Freedom House, we are human rights experts. So I will be speaking specifically to the human rights impacts of these policy reversals. So first, I want to touch on data localization laws, which is a result of reversing or helps encourage… Sorry, I’m on my first cup of coffee. So reversing a longstanding cross-border data flows policy helps encourage data localization laws. So what are these data localization laws? They place personal data firmly within reach of governments, creating unique risks for people’s privacy, free expression, access to information, and other fundamental freedoms. These implications are especially problematic in authoritarian contexts where there exists weak rule of law. So to zoom in and provide one example, if we’re looking at Rwanda, in Rwanda, the government mandated that companies store data locally, which left personal data easily accessible in an environment in which authorities have embedded agents in telecommunications companies and use data from private messages to prosecute defenders. And now to zoom out, Rwanda’s approach is quite similar to China’s authoritarian approach to data governance. And I will underscore Rwanda is not an outlier.
Governments around the world are seeking to repress dissent by surveilling their people’s digital communications. In fact, over 78% of the world’s internet users live in countries where simply expressing political, social, and religious viewpoints leads to legal repercussions. And I can say we expect this problem to only be exacerbated with the forthcoming UN Cybercrime Treaty. Happy to discuss that more later. So now just a few notes on how this policy reversal of cross-border data flows impacts internet fragmentation or leads to it rather. So first just some background. We know that at multilateral forums, the Chinese government has been working alongside like-minded governments to divide the global internet into state-run enclaves that can be more easily monitored, censored, and controlled. Unsurprisingly, Chinese officials view the World Trade Organization as yet another forum to assert their approach. In negotiations over electronic commerce rules, the Chinese delegation has, for example, advocated for the need to consider internet sovereignty as a legitimate public policy objective. From Freedom House’s perspective, we’re based in Washington, DC, where I’m coming to you from earlier this morning. It is deeply concerning that the United States, once a leader of the interoperable free and global internet, is arguably inching towards China’s internet sovereignty. And this is happening at a time when the world needs the United States to stand up for a free, open and global internet now more than ever before. Indeed, Freedom House’s Freedom on the Net report that I mentioned earlier, found in its most recent edition that came out just a few months ago, the report found that internet freedom declined for the 14th year in a row. So we’re really facing dire circumstances. On a fragmented internet, people have limited access to information from foreign sources, which is especially critical in closed spaces. 
And just to provide a concrete example, Wikipedia, the free encyclopedia that we all know and love, and is run by the nonprofit Wikimedia, they cannot afford to comply with data localization laws, because they require setting up expensive data collection and storage facilities. So if Wikipedia can’t operate, people, their right to information is essentially undermined because they cannot access this resource. Also, on a fragmented internet, people may struggle to connect with loved ones abroad, and may face barriers to organizing online with communities around the world. For example, in Uzbekistan, due to Skype and Twitter’s non-compliance with the data localization law, authorities temporarily blocked these and other popular platforms, and this severely limited people’s ability to communicate and access information. And I will stop there. Thank you.

Nermine EL Saadany: Thank you so much, Jen, and thank you so much for accepting our invitation while it’s very early at your end. We much appreciate it. I would refer now to my panelists on my right, Sabhanaz Rashid Diya, CIGI Senior Fellow and the founder of the Tech Global Institute. We have been listening, Diya, a lot about data localization and how this can impact free trade and cross-border data and so on, and I would like to listen to your views on that regard, please. Thank you.

Sabhanaz Rashid Diya: Thank you, Ramin, and it’s very good to be here with a number of experts, both on-site and online. So I am Sabhanaz Rashid Diya, and I’m a Senior Fellow at the Center for International Governance Innovation, which is a think tank out of Canada, as well as I am part of the Tech Global Institute, and we primarily work with global majority countries around technology policy issues. And I think I just wanted to build on what my last speaker said around data localization laws kind of cropping up across the world, particularly in authoritarian regimes and the challenges around it. But I think if you can kind of take a step back and really start kind of questioning or interrogating how this really came about beyond some of the trade agreements, in the sense that I think there’s been a perpetual conflation of concepts such as sovereignty and cross-border data flows and kind of treating it as a binary framework in terms of, you know, if there’s data flows happening, then a country’s sovereignty is being questioned. Similarly, there’s also a conflation of ideas between cybersecurity and cross-border data flows, in the sense that, you know, if a country wants to have a more cyber resilient ecosystem, then they’re better off having local localized data centers or local data storage mandates in order to be able to protect their people in a more meaningful way. And I think these sort of frameworks and we oftentimes, you know, don’t want to kind of indulge too much in analogies, but these sort of binary frameworks have really fueled a lot of frustrations and misconceptions and interpretations among governments around the world, where they are more and more inclined towards data localization mandates.
And we’re seeing increasingly these sort of laws cropping up around the world, but particularly in global majority countries, which already have resource constraints and many of these countries where there’s very serious concerns around speech, privacy and people’s civil rights. If I could just build on that a bit more further, I think, you know, and I think Farzaneh is gonna talk a little more about the role of civil society in terms of how we’ve been divided since 2017, building on what Mahrooz said in terms of what kind of that looks like. But, you know, civil society in the global majority really understand that the intent behind it is kind of what Jen has alluded to in terms of that law enforcement wants increasingly access to personal data to be able to control population and to be able to, you know, infringe upon their speech rights. And with the expansion of transnational private sector, that need has become even more, even greater. And they feel that there’s a very strong, and they feel the only way to kind of access the data is by having these mandated local data storage provisions. I think the other way we have seen it also come up is, you know, oftentimes there’s also frustrations among law enforcement domestically in terms of how they, in terms of, you know, just genuine crimes and the very complex process they have to go through with, you know, with MLATs and other kinds of data sharing agreements with other countries. And that complex process has really also made it difficult for them to access user data. So there’s a number of other sort of, I would say, equities at play, both political and national security equities at play that have led to this proliferation of data localization laws across the world. Some of this is, some of these are genuine challenges and some of these are more political challenges or there’s a need to control.
But I think it is important to be able to place the expansion of data localization mandates within this political context in order to better understand why it’s happening in the first place. In other areas, we’ve seen it really kind of come up is within bilateral and multilateral funding instruments. And we’ve seen areas where, for example, there is a need to push towards more increased cybersecurity measures. And many countries interpret that as local data storage measures because the way they can ensure cybersecurity in their minds is by having local data storage measures. And so we have seen this come up in many of the debt conditionalities from the World Bank and the IMF groups. We have seen it come up in some of the bilateral aid functions as well in terms of where we see a lot of push toward a lot of conflation between cybersecurity and localization mandates, particularly in the global majority. I can also, I think if you have a second round to where we’re gonna talk about where we see opportunities with the multilateral instruments as well. But I just wanna give a bit more background in terms of where we are seeing it coming up, why it’s coming up on the various equities that has led to this happening. And of course, with the US kind of backing down on their position on cross-border data flows, it has, I would say, exacerbated these tensions even more because now in the absence of an internationally legally binding agreement around cross-border data flows and the various existing and new challenges around technology, data transfer, cybersecurity and online safety, we’re left in a limbo where civil society and communities with a global majority are stuck with these multilateral localization laws that have made it extremely difficult for them to express themselves, protect their privacies and exercise their civic rights. Thank you.

Nermine EL Saadany: Thank you so much, Diya. And I’m sure that we will have some questions from the floor to continue our discussion as well. But let me refer to last but not least, our online panelist Farzaneh Badiei, PhD, founder, Digital Medusa. And Farzaneh, you will speak with, I will reflect on the digital sovereignty and we will continue with the three threats on technical community and the ability of countries to develop data governance policies. Farzaneh.

Farzaneh Badiei: Thank you, Nani. And thank you for the invitation. Just for those who don’t know, I have been working on internet related issues and governance and infrastructure for over a decade, and I started Digital Medusa to protect and defend the internet. It’s very similar to Internet Society’s mission. But I think we need multiple organizations to actually do that in such a junction. So one of the. So this kind of like advocacy against free trade and digital free trade. We saw that happening in like around. So it started happening around 2014 when there was this TPP trade negotiations were going on. And there were several civil society organizations and individual scholars that believe that free trade, a digital free trade. It actually hampers that digital sovereignty and privacy of people because nation states cannot come up with their own data protection laws and also labor. There were a few labor unions that believe that because of this digital free trade agreement, the labor rights were not being protected, especially in the global south. And like the conversation was ongoing and since. Well, digital trade, like free trade and digital trade has been like a sub topic of conversation for 20 years, as Mahrooz also mentioned, more than 20 years, 25 years. So, but one of the, but as Trump got elected in 2017, he wanted to renegotiate NAFTA and kind of created this chaos that everybody got worried that we might actually lose this protection for cross-border data flow. And one of the things that was very interesting was that so we gathered together, civil society gathered together to, like we issued statements on how cross-border data flow is very important for protecting human rights, but also defending and protecting the global cross-border data flow. And so for a few years, we, it was okay, but then there was this urge of digital sovereignty brewing among many nation states.
And they believe that they can assert their sovereignty by localizing data and usually going after or going against the principles that made the internet happen, which is like global cross-border data flow with no discrimination. And so, and to our surprise, in 2022, we saw another surge of advocates that, that advocated, that told USTR in its consultations that free trade agreements, especially when it comes to digital issues and like big tech, it’s always like there’s also this search towards like attacking big tech for good reasons. But here, I will explain why we went the wrong path. But there were, so they advocated for not having digital free trade clauses in different trade agreements because of the labor rights, because they believe that data protection cannot happen if there are these free agreements. And also there was also a copyright issue that they thought that these advocates thought that the free trade agreement can actually take away, like they wanted stronger intellectual property, which is very much like has been hampering cross-border data flow and fair use for a long time. So anyway, we saw this and they successfully in a way managed to convince USTR to backpedal the clause that is very important for cross-border data flow. And the reasons that I think that the reason for being successful was first of all, this urge that they wanted to fight with big tech and that they did not understand the implications of this work on internet infrastructure and global connectivity, that you are not only hampering big tech’s operation, you’re also hampering the operation of the network operator, that small network operator, that needs to rely on foreign services to provide connectivity. Also, there was this misconception that data protection laws cannot happen if you have a free trade clause, which is, I don’t know why this misconception keeps happening. I don’t want to deny it, but I haven’t seen enough evidence about it.
And also, of course, the talk about digital sovereignty and all the nation states want to, one way or another, to assert their digital sovereignty. And most of the time, that is not to protect their citizens, but it’s to protect their power and control. And now we are in this mess. So I think that, so I’m going to discuss, yes, sorry, by USTR, I mean US Trade Representative. And so in the next segment, I’m going to discuss a little bit how, on a granular level, not having free trade agreements that facilitate cross-border data flow can actually have an impact on network operators, which we have kind of overlooked because the focus has been always on how to get big tech to be more accountable. And we have not looked at what sort of effect our advocacy will have on these network operators. Thank you.

Nermine EL Saadany: Thank you so much, Farzaneh. And here comes the time where we open the floor for discussion. I have with me as well my colleague, John Morris, online to help with the chat questions that we received and as well Israel Moses here on the ground to help with the session with the panelists or I mean the questions from the floor. So, John, do we have any questions over the chat, please?

John Morris: We don’t yet, but please, for the folks online, please post your questions and we’ll come to you.

Nermine EL Saadany: And I encourage as well. Yes, please.

Audience: Hello, I hope you can hear me. My name is Mark Taylor. I’m a senior project manager at the Council of Europe. I work for the Secretariat of Convention 108 and Convention 108 plus, which is the Council of Europe’s data protection convention. It’s based on human rights, democracy, rule of law. And it’s the oldest convention in this field and now is updated some time ago. One of the important aspects of it is that it does have the principle of free cross-border data flows as part of it. And I see here now twice, I think I’ve heard it, states struggling to come up with their own laws. We’re here to help with these kinds of things. And now, if people agree with the Council of Europe’s approach, of course, I mean, if they don’t, then that’s their deal. But there are two conventions I can think of that are relevant here. The Budapest Convention, which is a convention against cybercrime, global convention, anyone can join it, and Convention 108. Perhaps the panelists have some thoughts on this, because it is also part of a kind of a regional fragmentation. I had a lightning talk on Sunday about standardizing definitions in data transfers. I think it’s one of the ways of getting there, because increased data flow actually, logically, at least in my mind, reduce the need for data localization. If there are agreements for law enforcement, et cetera, to access data across borders, then there’s no need for them to shut themselves off from the rest of the world. That’s all. Thank you.

Nermine EL Saadany: Thank you so much for your question. Diya, maybe you can reflect, if you’d like.

Sabhanaz Rashid Diya: I’ll have to reflect very briefly on that, unless my speakers online would also like to chime in. I think I completely agree in terms of the Convention 108 and the Budapest Convention, providing very useful frameworks for that. But I think, to your point about why are not more nation-states approaching for help, I think there is a fundamental, a couple of underlying, I would say, values misalignment. But more important than that, I think there’s also political misalignment, in terms of, especially within the global south. I think Farzaneh very eloquently explained the history of the genesis of it, and particularly within global south communities, global south governments, and this urge to fight big tech. But I think there’s also an urge to fight Westphalia, and there’s an urge to fight global north hegemony. And I think in many ways, even if the Budapest Convention is there, it is universal, anybody can join it. I think those kinds of political tensions, geopolitical strifes, have led to countries less willing to approach those for help, and rather go for their own data localization provisions, even if they’re imperfect. And yes, countries do struggle to come up with a data protection regime that makes sense. And I think you really got to the crux of it, in terms of really having standardization of definitions, standardization of transfer clauses, what enables a transfer versus what does not enable a transfer, what are the conditions for access to data, and how do we really build a comprehensive human rights framework, and due diligence across the transfer pipeline, and across the data sharing pipeline. But I think there continues to be those kinds of sort of values misalignment, political misalignment, that leads to it. And I think that’s also the reason why we see the UN Cybercrime Convention Treaty also come up, because of the fundamental values misalignment in that space.
But yeah, happy to kind of take this offline, but those are some of my initial comments.

Nermine EL Saadany: Thank you so much, Diya, thank you. Anyone else from our panelists would like to reflect on that before we refer to the second speaker, our second question? I think you need to open the mic. Hello?

Mahrooz Khan: Yes. Great. Thank you so much for actually mentioning those conventions. I’m well aware of the Budapest Convention, not the other. So you see, there needs to be this technical exchange of information that needs to happen there. Specifically, and there are actually regional approaches, but when it goes to international legislation, so the health and security development congress said, for example, today I think that there’s a possibility that imperatives will have to be changed because they’ve been so ambiguous. So I would like to hear from each side, so indirus and infection screening of the epidemic will be determined. There needs to be a technical exchange kind of approach that will go ahead now and be considered in the next level. So we need that kind of. So for any decision to be made, we need the evidence. And I think the most important, what I want to say is that for policymakers, they need to make informed decisions. And I think we jump directly, the negotiators jump directly towards legalizing their understanding. And I think we miss the steps of learning what would be the impact. And I think many developed countries do it, but not developing countries, so then they are uncertain. Okay, what would be the impact if I enter into international legally binding contract? Why it’s happening at WTO? That goes against, again, why the reason the WTO was able to be created, the original idea from 1947 did not crystallize until 1996, but because of injection of intellectual property policy area into this space. And why that space? Because that provides a legally enforceable mechanism. It provides that platform. That’s why it has been negotiated. And just to reference what US position was original for cross-border data flows, the data flows, no party shall prohibit or restrict cross-border transfer of information, including personal information by electronic means, if this is for trade. 
So I think we need to move towards informed policy decisions, and we need to learn on these fronts.

Nermine EL Saadany: Thank you so much. I think we have a question here.

Audience: Yes, please. My name is Dana Kramer, representing my NRI, both youth and national for Canada. I was wondering about, like, there are a lot of tariff threats right now that are occurring out of the United States, and we don’t know whether or not these threats will materialize. And I’m from Canada, so we’re quite sensitive to it at the moment. And I was curious about, does the panel think that we might see increased threats for tariffs on digital services, for instance, as a mechanism to fight back against some of these US-imposed tariffs, because they do have so many technology companies that have global reach? Or would that be a misalignment of understanding some of your arguments today? Thank you.

Nermine EL Saadany: Thank you so much. Natalie, do you have a reflection on that? Go ahead.

Natalie Campbell: Sure. Thanks. Hi, Dana. I’m also from Canada, and I’ve also been paying attention to those suggestions recently about tariffs. I do think that the suggestion of imposing tariffs is one thing when we’re talking about bringing commodities from one country to another. The fact that that has translated to the idea of electronic transmissions is really problematic because the internet has no borders. So that’s where my concerns would be. And we have seen these conversations happening, as Mahrooz mentioned, at the World Trade Organization. The fact that some countries would like to see tariffs on electronic transmissions, that would be a source of revenue for some of these countries. I think that’s how they’re looking at it. And so I do think it is important, as we raise awareness about these threats, that that is something that is highlighted. Cross-border data flows, that’s not a commodity. The internet’s not a commodity. We can’t regulate the internet like a commodity. Open data flows and electronic transmissions, these are needed for the internet to exist in the first place. And the minute that you put any kind of barrier to access, whether it’s a tariff or a regulation restricting what we can share online and what moves across borders, that becomes a problem for the internet. That becomes a problem for all of us here relying on the internet to be able to connect with one another. And essentially what it’s doing, it’s placing national borders online and making the internet not seamless, making it complex. So I do think that’s a really good question and underlines the importance of hopefully some of the solutions that we can brainstorm in the next portion of this event on how can we get that message across, how can we help governments and folks involved in trade initiatives, how can we help them understand that we can’t be considering these things if we want the internet, which digital trade needs to be successful in the first place, we want that to continue to exist.

Nermine EL Saadany: Thank you so much, Natalie. And I think if we don’t have further questions from the floor, either online or on site, maybe we can start our second part, because this will be another interesting segment of our discussion today, as we will be tackling the very important questions, how can we help? How can we collaborate with our different hats to stop trade policy changes that can hinder the internet? In this part, I would actually pose a question, and I will refer to my panelists to reflect on that question with their own hats and their own expertise. So our first question in that sense will be, how can we steer countries towards data governance approaches that address privacy security concerns while protecting the open globally connected, secure, and trustworthy internet? And if I can put you, Jennifer, to be our first reflector on that, Jen?

Jennifer Brody: Yes, happy to jump in. Thank you for the question. So yes, we know that, as has been discussed, to protect cybersecurity, right, to enhance data sovereignty, as folks like to call it, data localization laws are often implemented. You know, often, not always, sometimes arguably, right, with good intentions, but if we don’t have strong laws in place, like comprehensive data protection laws that are human rights centric, more often than not, they result in, you know, extremely harmful surveillance that undermines many, many human rights. And I’ll just, just on this topic, I wanted to share, there’s an academic scholar, Anupam Chander. He wrote an excellent piece called Data Nationalism that essentially debunks the arguments that, you know, data localization helps enhance cybersecurity and protect citizens. I just dropped that article there if anyone is interested. So anyway, I would love to, you know, hear, hear from folks in the room. How do we encourage companies or countries around the world, rather than, you know, localizing data, pursuing alternative mechanisms, you know, to allegedly protect their people? Right at Freedom House, we’re very strong advocates of comprehensive data protection laws. So I would love to kind of open it up to the floor to see, to see what folks think. And then before I do that, I’ll also share one other Freedom House resource. I wanted to develop something shorter and pithier for this. We didn’t have the bandwidth at the organization, but just another great resource for this group. My colleague some years ago, before I started at Freedom House, actually wrote a fantastic report called User Privacy or Cyber Sovereignty. So, essentially unpacking many data localization laws around the world and walking through their impacts on human rights from the freedom of expression, right to assembly, association, assembly, which could also serve as a good resource and local advocacy. So I will stop there.

Nermine EL Saadany: Thanks a million, Jen. And I’m not sure if you’d like to maybe interact. So if you have any reflections on what Jen has already mentioned, we can pause and take some questions. And if not, maybe we can continue to our next reflection on my question and then we can go back to you and hear your views as well. So maybe Farzaneh, you can reflect on the question if I may ask you. Yes, go ahead.

Farzaneh Badiei: Oh, sorry. So is this like about my prompt? Yes, it is. Yeah, all right, great. So I just, I don’t want to blabber on, so I just want to say like the wording that the framework. So one of the things that I see is being the problem and this is why we’re not agreeing on a lot of things among ourselves and in policymaking is that we have not really nailed down all the impact, adverse impact of blocking cross-border data flow. I mean, we have worked on it, but we have to show how that network operator that lives in a small island and uses the infrastructure, the data infrastructure that is not on that island, how data operation can be affected and how it hampers the meaningful connectivity for their users. And when I was talking to different network operators, especially people from those operators from those islands told me that this could raise an important risk for their operations. So I think that also there’s another example of, this is a trade barrier, but when we say that, when we kind of like do not liberate cross-border data flow, then we’re talking about restrictions on data flow for DNS, like Domain Name System Resolvers, which is one of the critical parts of the Internet. Today, all of us have used DNS resolvers to connect. These trade barriers, they could also create some ambiguity of whether, can I provide my DNS resolver services to other nations and other people, and then people in countries that need access to DNS resolvers that operate stable and functional, then they might not be able to use it. I think that these case studies should be brought up more, and we need to really assess the impact. Internet Society has a really great Internet impact assessment tool that we can use and measure the impact of these trade agreements that do not facilitate cross-border data flow anymore, on access to the Internet and global cross-border data flow.
This is my suggestion because I don’t really care whether we protect the Internet by trade agreements or anything else. What we care about is to keep the Internet global and interconnected, and facilitate data flow. Trade agreements, until now, have been the critical mechanism that facilitated this. So it is not that we are protecting, we are being like free trade advocates. And so it’s just that it’s one of the main tools that have allowed us to bring the internet to everyone. So if they have other solutions, if there are other solutions, then I’m all ears. But also we need to address concerns that we kept talking about, like data protection. I think Council of Europe suggestion is very relevant. We need to standardize our practices, our security practices, our privacy practices globally so that communities don’t feel left behind and just go against cross-border data flow to solve their issues. So I just wanted to put that out there. I think that these are like some of the suggestions that I’ve been thinking about. I think we need more interaction with network operators, especially from the global South with people who provide critical infrastructure and see how we can also address the concerns that are raised by the labor unions and others that how we can actually solve those problems without affecting cross-border data flow.

Nermine EL Saadany: Thank you so much, dear. That’s much appreciated. And Natalie, I think it might be within the context that you shed some light on the toolkit and maybe you can give us some examples as well about how this works.

Natalie Campbell: Sure, thank you, Nermine. So I mentioned it before, but one of the ways that the Internet Society works with governments to help them understand how to support the Internet and mitigate harm of unintended consequences when they’re going about regulation is we help them use our Internet Impact Assessment Toolkit, which Farzaneh just mentioned. And what this does is it helps governments understand what the – and anyone who uses the toolkit – understand what the Internet needs to exist in the first place. It lays out a framework of not only what do we need to think about when we want to make sure that we’re protecting the Internet’s foundation, things like data flows that are critical to it existing in the first place, but also what should we think through when we’re developing policy to ensure that we’re working towards an Internet that is open, globally connected, secure, and trustworthy. So we make ourselves available to work with governments who want advice on whether they’re headed in a direction that supports the Internet and to think through the different aspects of the framework, which has helped us mitigate a lot of negative impact to the Internet proactively in many countries around the world. But the value of this toolkit is that when we mentioned before about governments thinking about things like mandated localization or data flow restrictions, they’re often – they have a mindset for privacy and security. What our toolkit does, it helps countries understand how that’s a myth. And I can give a really concrete example. I recently had the opportunity to travel to Oman for this very reason, doing a workshop about our toolkit with some government departments there. I was a little bit surprised when I arrived, you know, in trying to get to the hotel and curious about why a – like Uber wasn’t in a country.
And I came to understand that the transportation department has data localization laws, meaning that personal information has to be stored within a country of Oman. But at the same time, there’s another rule in a country that any service or person in a country needs a license to use things like encryption, which we know is a foundation of security online into protecting our data and keeping it private and secure. So I thought to myself, well, this is a really interesting example of how countries who might be thinking about things like mandated data localization as privacy and security enhancing is actually a myth because if I’m a company such as Uber, am I really going to want to expand my services in a country where I can’t use encryption to secure any kind of personal data at all that has to be stored within a country? And the risks of not only exposing personal data to whoever might want access, not just the government, but with encryption, anyone who wants access could get access. That was a very clear, I guess, a way to help folks locally understand how often when we’re talking about these issues in the name of privacy and security, it’s actually counterintuitive and not helping us get closer to that direction at all. So that’s the value of tools like our toolkit, and one way that I think that is useful to think about when we’re talking about how do we steer countries in a direction that supports the internet. If trade initiatives were to also think about how to make use of these tools, I think it could also be a valuable way to help folks understand how do we go about initiatives and even just the value of the internet to digital trade in the first place. Thank you.

Nermine EL Saadany: Thank you so much, dear. Mahrooz, can you reflect and can we take the last comment from your side on that question so that we can move to the other one.

Mahrooz Khan: Definitely. Thank you so much again and I totally agree with the references made by the earlier speaker Ms. Farzaneh and Ms. Natalie. So we need to know where we stand before we make our decision. I would state that again. First on the regulatory side and secondly we need to talk, the governments need to talk to the businesses how it is going to impact them. The fact that we are importing any goods, importing any services, there is a reason for that because it is better service, it is better good, it has a price competitive advantage. So once we put tariffs or new regulatory barriers to external goods and services, it also impacts our own consumers and looking at the impact of the previous US tariffs threat had on their own development of industry. We have create great example there. What happened with the steel industry? Has it developed? Is it good for the local consumers? Not. And one of the earlier questions made by is are the new tariff threats real? They are very real. They are not just used in the debate of the digital economy, they are used for other purposes as well. For example, tariffs threat posed by the United States when the European Union announced its digital services taxation in the earlier Trump term, and so moving back from tariff threats to actually what can be done. So the governments need to actually do their regulatory assessment, they need to talk to the business in an organized way, and here the role of international organization. Societies need to help the governments, specifically because of the reasons, because I find bureaucrats do not have that much benefit in doing more work than what they are actually mandated to do. The next step would be, so a country needs to look internally, talk to their private sector in an organized way, where it can be actually monitored. For a given sector, this policy position will have this impact. For another sector, this will be the impact.
And then move towards actually cooperation amongst other countries, because a country on its own is not sufficient. As Ms. Natalie actually gave the example of Oman, I had a similar experience there two weeks ago. And another example was shared about Rwanda, the data localization in Rwanda. And there we have another project on how we can actually increase investments in the digital space of Rwanda. And there, from the evidence we found, well, they have to loosen out their data localization requirement. And what we know right now is actually the government, after having seen the evidence, they need to attract investors. They need to attract big tech for the betterment of their economy. So now they’re rethinking, okay, how can we actually adjust those rules? So with better informed policymaking decision and with the help of international organizations and the society, we can actually move towards that transition.

Nermine EL Saadany: Thank you so much, Mahrooz. If we have any reflections as well from the floor, that would be the time that we can maybe open the floor for some discussions and reflections. Online, Morris, do we have any? No questions have come up online. Okay, so maybe we can move to our second prompt or the second question. And I can pose the question here as, how can the participants actually work on these issues in their own countries or organizations? So, Diya, maybe you can start.

Sabhanaz Rashid Diya: Definitely. Thank you. I think many of the strategies were alluded to by my previous speakers, but I think one of the things that, and I think it’s also quite central to the IGF, but generally even in this particular conversation is the role of having diverse voices in this conversation, right? So Farzaneh talked about small network operators within the global majority. If I look around the room or even outside, there aren’t as many network operators even present here, but we’re having these conversations here. And even in the WTO and many of the negotiations, we don’t see that voice or that perspective. Similarly, small business owners, small business enterprises, who again rely on open cross-border data flows to be able to conduct the business, they’re also not represented. So I think there is a very serious role in which we have to think about the decision-making around whether we want to support cross-border data flow or not, what is the localization mandate, the stakeholders, whether it’s consumers, whether it’s network operators, whether it is small business owners, whether it’s civil society, whether it’s a technical community. I think these stakeholders are often missing from these conversations and it becomes very much limited or very narrowly focused. I think the other thing that I think Mahrooz alluded to was this debate between the digital community and the trade community, but I would actually expand the debates even within the digital community and even within the trade communities around these various issues, but also again, the broader connectivity community has also been kind of excluded from any of this.
I think, again, given the interconnectedness that we live in, there’s a real, I would say there’s a real need in terms of, one, involving not just more diverse stakeholders within national boundaries, but also internationally having other stakeholders in place and kind of engaging them because so much of the technologies are interconnected, so much of the trades are about sort of the cross-border piece. And I think there’s new challenges and new dichotomies at play that mandate a much broader conversation. So that’s one. I think the second is in terms of where we see how sort of participants here can contribute. I think Farzaneh kind of, and I also have with Mahrooz sort of got into it in the sense that we really have to be very clear about exactly what we’re asking for and what the clear messagings are. And whether if, and you know, because there’s so many different kinds of equities at play and because there are so many different kinds of messaging around it, I think that makes the conversation even more challenging to navigate. So really asking, you know, what specific aspects of trade, what specific aspects of interconnect, what specific aspects of cross-border data flows, how do we want it, what the impacts are. And I think there’s some really important work that has been done by researchers in the past that really talks about some of the impact, but really crystallizing what the asks are and what the impact is, is really, really important to move this conversation forward because otherwise it becomes either too heavily focused on trade or too heavily focused on internet sovereignty, or digital sovereignty. And I think that does a disservice to, I think both sides of the aisle. And the last piece I was gonna say is just reference from some research.
I think Nigel Corey, I remember when we were looking into the data localization mandates in Vietnam and Pakistan and some of it in Bangladesh, which is my country, you know, a lot of the work that was done at the time we were looking, we were trying to find research that would help us understand what really is the impact of data localization and what really is the impact of that on businesses and on network operators. And, you know, lo and behold, there really wasn’t any research available at the time for global majority countries. Nobody could crystallize the exact GDP impact, the exact trade impact, the exact sort of purchasing power impact that these kinds of agreements and these kinds of moves would have. And we had to end up commissioning that kind of research to come up. So in the absence of data and research that actually can inform policy decisions, we, again, we go back into these binary dichotomies, binary debates, these values misalignment without any concrete data to actually back any of the policy decisions. So I think there’s a real necessity for evidence in this space. It is a longstanding debate, but the way the debate has evolved recently is very much on, I would say, perceptions and misconceptions versus actual hard data pointing in very specific directions. And I think there’s a very important contribution from participants here, but also across the various communities that I’ve mentioned in terms of driving that data collection and evidence gathering to inform decisions. Thank you so much.

Nermine EL Saadany: Thank you. Maybe I can refer to you again, Mahrooz, for quick reflections and as well maybe final comments, and then we will move to the other panelists as well as we are wrapping our session.

Mahrooz Khan: Hello. Yes. Great. Thank you so much again, and I would actually quickly sum up because I have actually talked a lot in this conversation today. So again, I was actually, this is what is the next way forward, actually collecting the right evidence. And just to share, you shared another example, and okay, what is digital trade? The data on this does not exist. WTO, World Bank, IMF, they have collated together, and right now they are assessing the methodologies. So a lot of work needs to be done there in that dimension to actually really see what is the impact of this. And secondly, what is the main agenda? What should be the main agenda of like all these different spheres? I would say sustainable development, and there we cannot just have free trade agenda. We cannot just have, just for the sake of open internet. Open internet is good for the society. It is good for the consumers. It is good for the producers. It provides economic opportunities, but on the other hand, we also have to be careful about environment. We have to be actually thinking holistically. And I would say a lot of work needs to be done at the evidence level, and here the role of technical agencies is to actually prepare those kind of tools, those kind of actually methods that could actually help the governments. For example, as you mentioned, Internet Society’s toolkit that I think could be a really good tool. And then the main agenda with the final destination for sustainable economic development. I don’t think I have anything else to add here. Thank you. Thank you so much.

Nermine EL Saadany: May I go back to our online panelists and maybe Farzaneh, you would like to reflect on as well, maybe final comments from your side, please?

Farzaneh Badiei: Yeah. So actually, Professor Muller just told me that he’s in the room. And in 2017 at Internet Governance Project at Georgia Tech, we started working on digital free trade issues. And we also came up with a special issue on digital trade. And we wanted to raise awareness about the importance of the issue. But at the time, nobody, like we couldn’t believe that the U.S. government would backpedal from the cross-border data. But we did raise concerns because as I mentioned, there were like renegotiations of free trade agreements. And so all I’m saying is that we need to see what has been done in the past, what sort of academic work has been done in the past, what sort of advocacy has been done in the past and gather those documents and work that has been done, especially in academia and civil society organizations. And so not to start anew, but also see what sort of new issues have raised so that we can tackle them. But as I said, we are here to raise awareness and we are here to defend and protect the free global internet. And if like, well, one of the main ways to do that was to have the free trade, free digital trade clause, in these free trade agreements. And we have to, in our advocacy, while we have to address the concerns of data protection and security, we should also think about alternatives to free trade agreements and see what else can facilitate cross-border data flow. Because unfortunately, the enemies of the internet are multiplying year by year from the states to businesses that they want digital sovereignty, they want to fight with the big tech at the cost of free and open internet. And I think that a lot of it is because they don’t understand the implications of having a restricted internet that is not connected globally. And we can learn lessons from countries that actually block their citizens from the global internet and raise awareness. Thank you.

Nermine EL Saadany: Thank you so much, Farzaneh. Jen, final remarks from your side as well, please.

Jennifer Brody: Yeah, thank you. Just quickly, I just want to pick up on something that Diya mentioned regarding the importance of the international development banks in these conversations, right? The World Bank, the regional development banks, like the Inter-American Development Bank. We’re thinking about advocacy. We were chatting about how these actors are incredibly important to include in these conversations. And when evaluating, for example, helping a country build a national database, from what I understand, they’re lacking data protection experts, folks who… how to center human rights and in cybersecurity policies, etc. So just to flag for kind of the global community working on these issues, that’s a target that I’m quite interested in engaging, and I think there’s a lot of potential there.

Nermine EL Saadany: Thanks, Jen. Natalie?

Natalie Campbell: Thank you. I want to highlight a point that Diya made earlier that I think is extremely important. We’re talking about digital trade initiatives, but this isn’t a digital trade problem per se. We’re talking about an existential threat to the internet. And I think that reminding people, and when we are raising awareness about this issue, that we have to lead with that. And it might be difficult or even impossible for some of our audiences and different stakeholders to engage in trade initiatives. But what we can do is raise awareness with our own national decision makers who are part of these conversations. Luckily, organizations like the Internet Society has over 110 chapters around the world who are helping to expand our reach in raising awareness about this existential threat to the internet. They are a voice for the internet, both of policymakers, but also in terms of helping to gather other local partners and stakeholders who can make our collective voice louder. Our chapters are already using things like our Internet Impact Assessment Toolkit to help decision makers avoid harm to the internet on national policy, including on data governance legislation. But what we need to do, I think, is to be talking to more folks who are involved in these trade initiatives and helping them to understand as well that we’re not just worried about an aspect of digital trade here, we’re worried about an existential threat to the internet. folks understand how the Internet works and why data flows aren’t just a nice to have, they are crucial if we want an Internet. I think that’s going to be increasingly important going forward and something that we can all do and you know work throughout our own various audiences and organizations to help make sure that we’re all working together to protect the Internet.

Nermine EL Saadany: Thank you so much, Natalie. I would ask the floor if there is any reflections before we close. Would you like to say anything Dr. Mueller?

Milton Mueller: Hello everybody, I’m Milton Mueller. I’m at the Georgia Institute of Technology’s Internet Governance Project and former colleague of Farzaneh in both ICANN and IGP. I think the point that I haven’t heard that probably needs to be brought to your attention is the intersection of these trade issues with national security. For about 80% of the time national security is an excuse for restricting trade but in the context of geopolitical rivalry between the US and China it has become a very powerful excuse. I don’t know when you have a president that imposes tariffs on Japanese and the Canadians and refuses to allow a buyout of US steel by the Japanese on the grounds of national security. You have to wonder if he’s thinking about the Japanese and Canadians as enemies or what. But in the digital economy the situation is extremely dire. Every form of digital service, digital product application is now perceived as a national security threat. So it’s not just data flows, it’s the battery storage systems, the electric vehicles because they can see things and they might be sending data back to China. Of course we have the TikTok ban but we have cables and telecom service licenses being taken away from people who had them because they are Chinese companies. So the political environment around digital trade has been completely blown up by the national security issue and that means you’re dealing with slightly different dialogue and a different set of constituencies.

Nermine EL Saadany: Thank you so much Dr. Mueller and thank you for being here. I think our time is out and I would like to thank all the panelists and the audience for the valuable contribution. I think collaboration is the key. This is my take, collaboration among all stakeholders so that we can maintain the data flow freely and to maintain or to shape the future of the internet and the trade in the best possible way. Thank you so much and looking forward to meet you again online and off-site. Thank you.

Natalie Campbell

Data localization laws threaten global connectivity

Explanation

Data localization laws pose a risk to the internet’s global connectivity. These laws can impede the internet at the infrastructure level and threaten what the internet needs to exist.

Evidence

Internet Society has been observing threats that would impede the Internet at the infrastructure level.

Major Discussion Point

Threats to cross-border data flows and the open internet

Agreed with

Jennifer Brody

Sabhanaz Rashid Diya

Farzaneh Badiei

Agreed on

Data localization laws threaten the open internet

Trade policy changes are deprioritizing protections for open data flows

Explanation

Recent trade initiatives are no longer prioritizing protections for open data flows. This poses a risk to the internet as countries might not prioritize open data flows in their national regulations.

Evidence

Certain protections for open data flows and pushing back on mandated localization became deprioritized in the World Trade Organization’s joint statement initiative on e-commerce.

Major Discussion Point

Threats to cross-border data flows and the open internet

Agreed with

Mahroz Khan

Agreed on

Lack of protection for cross-border data flows in trade agreements

Differed with

Farzaneh Badiei

Differed on

Role of trade agreements in protecting cross-border data flows

Use Internet Impact Assessment Toolkit to evaluate policies

Explanation

The Internet Impact Assessment Toolkit helps governments understand what the Internet needs to exist and how to mitigate harm when developing regulations. It helps countries understand how data localization for privacy and security can be counterproductive.

Evidence

Example of Oman’s conflicting policies on data localization and encryption licensing, which could deter companies like Uber from operating in the country.

Major Discussion Point

Approaches to protect cross-border data flows and the open internet

Raise awareness that data flows are crucial for the internet to exist

Explanation

It’s important to raise awareness that open data flows are not just a nice-to-have feature, but are crucial for the internet to exist. This message needs to be communicated to decision makers and stakeholders involved in trade initiatives.

Evidence

Internet Society has over 110 chapters around the world helping to expand awareness about this existential threat to the internet.

Major Discussion Point

Approaches to protect cross-border data flows and the open internet

Jennifer Brody

Speech speed

132 words per minute

Speech length

1198 words

Speech time

542 seconds

Data localization laws enable government surveillance and control

Explanation

Data localization laws place personal data within reach of governments, creating risks for privacy, free expression, and other fundamental freedoms. This is especially problematic in authoritarian contexts with weak rule of law.

Evidence

Example of Rwanda, where the government mandated local data storage, leaving personal data easily accessible for authorities to prosecute dissidents.

Major Discussion Point

Threats to cross-border data flows and the open internet

Agreed with

Natalie Campbell

Sabhanaz Rashid Diya

Farzaneh Badiei

Agreed on

Data localization laws threaten the open internet

Data localization laws impede access to information and communication

Explanation

Data localization laws can limit access to information from foreign sources and hinder people’s ability to connect with others abroad. This undermines the right to information and communication.

Evidence

Example of Wikipedia being unable to comply with data localization laws due to the cost of setting up local data facilities. Example of Uzbekistan temporarily blocking platforms like Skype and Twitter due to non-compliance with data localization laws.

Major Discussion Point

Impacts of restricting cross-border data flows

Agreed with

Natalie Campbell

Sabhanaz Rashid Diya

Farzaneh Badiei

Agreed on

Data localization laws threaten the open internet

Engage international development banks on data protection issues

Explanation

International development banks like the World Bank and regional development banks should be included in conversations about data protection. These institutions often lack data protection experts when helping countries build national databases.

Major Discussion Point

Approaches to protect cross-border data flows and the open internet

Sabhanaz Rashid Diya

US reversal on cross-border data flow policy encourages data localization

Explanation

The United States’ reversal of its longstanding cross-border data flows policy in trade talks has encouraged data localization. This has exacerbated tensions and left civil society in global majority countries stuck with multilateral localization laws.

Evidence

US backing down on their position on cross-border data flows in the absence of an internationally legally binding agreement.

Major Discussion Point

Threats to cross-border data flows and the open internet

Involve diverse stakeholders like small businesses in policy discussions

Explanation

There is a need for more diverse voices in discussions about cross-border data flows and data localization. Small business owners, network operators, and other stakeholders are often missing from these conversations.

Major Discussion Point

Approaches to protect cross-border data flows and the open internet

Mahroz Khan

Speech speed

132 words per minute

Speech length

1996 words

Speech time

901 seconds

Lack of consensus on data flow protections in trade agreements is concerning

Explanation

There is no internationally legally binding instrument that guarantees open cross-border data flows. Recent trade agreements have removed language on cross-border data flows, data localization requirements, and source code protection.

Evidence

The latest agreement among 82 countries only mentions facilitation of electronic commerce, without legally binding language on cross-border data flows.

Major Discussion Point

Threats to cross-border data flows and the open internet

Agreed with

Natalie Campbell

Agreed on

Lack of protection for cross-border data flows in trade agreements

Gather evidence on economic impacts of data localization

Explanation

There is a need for more evidence and research on the economic impacts of data localization, especially for global majority countries. This data is crucial for informing policy decisions.

Evidence

Mention of ongoing efforts by WTO, World Bank, and IMF to assess methodologies for measuring digital trade.

Major Discussion Point

Approaches to protect cross-border data flows and the open internet

Farzaneh Badiei

Speech speed

107 words per minute

Speech length

1713 words

Speech time

956 seconds

Data localization hampers small network operators and meaningful connectivity

Explanation

Data localization laws can negatively impact small network operators, especially those in remote areas who rely on foreign data infrastructure. This can hinder meaningful connectivity for their users.

Evidence

Example of network operators on small islands using data infrastructure not located on their island.

Major Discussion Point

Threats to cross-border data flows and the open internet

Agreed with

Natalie Campbell

Jennifer Brody

Sabhanaz Rashid Diya

Agreed on

Data localization laws threaten the open internet

Standardize data protection and security practices globally

Explanation

There is a need to standardize data protection and security practices globally. This would help address concerns that lead communities to oppose cross-border data flows.

Major Discussion Point

Approaches to protect cross-border data flows and the open internet

Nermine EL Saadany

Speech speed

149 words per minute

Speech length

1406 words

Speech time

565 seconds

Restricting data flows fragments the internet and hinders economic growth

Explanation

The rise of protectionist measures and data localization policies threatens to fragment the Internet. This fragmentation can hinder economic growth and innovation.

Major Discussion Point

Impacts of restricting cross-border data flows

Unknown speaker

Tariffs on digital services could be used as retaliation in trade disputes

Explanation

There is a possibility that countries might impose tariffs on digital services as a way to retaliate in trade disputes. This could have significant impacts on the global digital economy.

Major Discussion Point

Impacts of restricting cross-border data flows

Milton Mueller

Speech speed

121 words per minute

Speech length

248 words

Speech time

122 seconds

National security concerns are being used to justify digital trade restrictions

Explanation

National security is increasingly being used as a justification for restricting digital trade. This has led to various forms of digital services and products being perceived as national security threats.

Evidence

Examples of restrictions on battery storage systems, electric vehicles, TikTok ban, and revocation of telecom service licenses for Chinese companies.

Major Discussion Point

Impacts of restricting cross-border data flows

Agreements

Agreement Points

Data localization laws threaten the open internet

Natalie Campbell

Jennifer Brody

Sabhanaz Rashid Diya

Farzaneh Badiei

Data localization laws threaten global connectivity

Data localization laws enable government surveillance and control

Data localization laws impede access to information and communication

Data localization hampers small network operators and meaningful connectivity

Multiple speakers agreed that data localization laws pose significant threats to the open, globally connected internet by enabling government control, impeding access to information, and hampering network operations.

Lack of protection for cross-border data flows in trade agreements

Natalie Campbell

Mahroz Khan

Trade policy changes are deprioritizing protections for open data flows

Lack of consensus on data flow protections in trade agreements is concerning

Speakers highlighted the concerning trend of trade agreements no longer prioritizing or including strong protections for cross-border data flows, which poses risks to the open internet.

Similar Viewpoints

These speakers emphasized the need for more comprehensive research, evidence gathering, and diverse stakeholder involvement to inform policy decisions on data flows and localization.

Sabhanaz Rashid Diya

Mahroz Khan

Jennifer Brody

Gather evidence on economic impacts of data localization

Engage international development banks on data protection issues

Involve diverse stakeholders like small businesses in policy discussions

Unexpected Consensus

Importance of standardizing global data protection practices

Farzaneh Badiei

Jennifer Brody

Standardize data protection and security practices globally

Engage international development banks on data protection issues

Despite coming from different perspectives, both speakers highlighted the need for global standardization of data protection practices, which is unexpected given the usual emphasis on national sovereignty in data governance discussions.

Overall Assessment

Summary

The speakers generally agreed on the threats posed by data localization laws to the open internet, the concerning lack of protections for cross-border data flows in trade agreements, and the need for more research and diverse stakeholder involvement in policy-making.

Consensus level

There was a high level of consensus among the speakers on the main issues, particularly on the threats to the open internet. This strong agreement suggests a unified concern in the internet governance community about current trends in data localization and trade policies, implying a potential for coordinated advocacy efforts to protect cross-border data flows.

Differences

Different Viewpoints

Role of trade agreements in protecting cross-border data flows

Natalie Campbell

Farzaneh Badiei

Trade policy changes are deprioritizing protections for open data flows

Trade agreements, until now, have been the critical mechanism that facilitated this

While Campbell expresses concern about trade policy changes deprioritizing protections for open data flows, Badiei emphasizes that trade agreements have historically been crucial in facilitating cross-border data flows.

Unexpected Differences

Approach to addressing data localization concerns

Farzaneh Badiei

Natalie Campbell

Standardize data protection and security practices globally

Use Internet Impact Assessment Toolkit to evaluate policies

While both speakers aim to address data localization concerns, their proposed approaches differ unexpectedly. Badiei suggests global standardization of practices, while Campbell advocates for using a specific toolkit to evaluate policies.

Overall Assessment

Summary

The main areas of disagreement revolve around the role of trade agreements, the specific impacts of data localization, and the best approaches to address these issues.

Difference level

The level of disagreement among the speakers is moderate. While there is a general consensus on the importance of cross-border data flows and the risks of data localization, speakers differ in their emphasis on specific aspects and proposed solutions. These differences reflect the complexity of the issue and the need for a multifaceted approach to addressing cross-border data flow challenges.

Partial Agreements

All speakers agree that data localization laws are problematic, but they focus on different aspects: Brody emphasizes human rights concerns, Diya highlights the impact of US policy reversal, and Badiei focuses on the effects on small network operators.

Jennifer Brody

Sabhanaz Rashid Diya

Farzaneh Badiei

Data localization laws enable government surveillance and control

US reversal on cross-border data flow policy encourages data localization

Data localization hampers small network operators and meaningful connectivity

Takeaways

Key Takeaways

Data localization laws and restrictions on cross-border data flows pose a significant threat to the open, globally connected internet

Trade policy changes deprioritizing protections for open data flows are concerning for internet governance

Data localization often enables government surveillance and control rather than enhancing privacy and security

Restricting cross-border data flows can hinder economic growth, especially for small businesses and network operators

There is a need for more diverse stakeholder involvement and evidence-based policymaking on digital trade issues

Resolutions and Action Items

Use tools like the Internet Impact Assessment Toolkit to evaluate policies affecting cross-border data flows

Raise awareness with national decision makers about the importance of cross-border data flows for the internet

Gather more evidence on the economic impacts of data localization, especially in developing countries

Engage international development banks on incorporating data protection expertise in their projects

Unresolved Issues

How to balance national security concerns with maintaining open cross-border data flows

How to address privacy and security concerns without resorting to data localization

How to effectively involve diverse stakeholders like small businesses in trade policy discussions

How to create standardized global practices for data protection and security

Suggested Compromises

Focus on standardizing data protection and security practices globally rather than localizing data

Consider alternative mechanisms to data localization for addressing privacy and security concerns

Involve both digital and trade communities in policy discussions to bridge divides

Thought Provoking Comments

We started paying attention when certain protections for open data flows and pushing back on mandated localization, when that became deprioritized and ultimately there was a lack of consensus on these protections that are crucial to the internet and its global connectivity, things that needs to exist in the first place.

speaker

Natalie Campbell

reason

This comment highlights a critical shift in trade policy that threatens the fundamental architecture of the internet. It frames the issue as an existential threat to global connectivity.

impact

This set the tone for the discussion by emphasizing the high stakes and urgency of the issue. It led to further exploration of the political and economic factors driving this policy shift.

Data localization laws place personal data firmly within reach of governments, creating unique risks for people’s privacy, free expression, access to information, and other fundamental freedoms. These implications are especially problematic in authoritarian contexts where there exists weak rule of law.

speaker

Jennifer Brody

reason

This comment connects trade policy to human rights concerns, broadening the scope of the discussion beyond economic considerations.

impact

It shifted the conversation to consider the societal impacts of data localization laws, particularly in authoritarian contexts. This led to further discussion of the tension between national sovereignty claims and human rights.

There’s been a perpetual conflation of concepts such as sovereignty and cross-border data flows and kind of treating it as a binary framework in terms of, you know, if there’s data flows happening, then a country’s sovereignty is being questioned. Similarly, there’s also a conflation of ideas between cybersecurity and cross-border data flows.

speaker

Sabhanaz Rashid Diya

reason

This comment insightfully unpacks some of the conceptual confusions driving restrictive data policies. It challenges simplistic narratives about data sovereignty and security.

impact

This comment deepened the analysis by highlighting the need for more nuanced understanding of these concepts. It led to discussion of how to address legitimate security concerns without resorting to harmful data localization policies.

The intersection of these trade issues with national security. For about 80% of the time national security is an excuse for restricting trade but in the context of geopolitical rivalry between the US and China it has become a very powerful excuse.

speaker

Milton Mueller

reason

This comment introduces the critical dimension of national security concerns driving trade restrictions, particularly in the context of US-China rivalry.

impact

Though coming late in the discussion, this comment shifted focus to the geopolitical drivers of trade policy, adding another layer of complexity to the analysis. It highlighted how national security concerns are reshaping the digital economy landscape.

Overall Assessment

These key comments shaped the discussion by progressively expanding its scope from technical internet architecture concerns to human rights implications, conceptual clarifications about data sovereignty, and finally to geopolitical dimensions. They moved the conversation beyond surface-level trade policy issues to explore deeper societal, political, and security implications of data flow restrictions. This multifaceted approach highlighted the complexity of the challenge and the need for nuanced, collaborative solutions that balance various stakeholder concerns.

Follow-up Questions

How can we standardize data protection and security practices globally to address concerns without restricting cross-border data flows?

speaker

Farzaneh Badiei

explanation

This is important to help communities feel included and prevent them from opposing cross-border data flows as a solution to their issues.

What is the specific impact of data localization mandates on businesses and network operators in global majority countries?

speaker

Sabhanaz Rashid Diya

explanation

There is a lack of research on the exact GDP, trade, and purchasing power impacts of data localization in these countries, which is needed to inform policy decisions.

How can we involve more diverse stakeholders, such as small network operators and small business owners, in discussions about cross-border data flows and trade policies?

speaker

Sabhanaz Rashid Diya

explanation

These voices are often missing from policy discussions but are crucial for understanding the real-world impacts of data flow restrictions.

What alternatives to free trade agreements can facilitate cross-border data flows?

speaker

Farzaneh Badiei

explanation

With challenges to traditional free trade agreements, it’s important to explore other mechanisms to protect open data flows.

How can we engage international development banks like the World Bank in conversations about data protection and human rights-centered cybersecurity policies?

speaker

Jennifer Brody

explanation

These institutions play a significant role in shaping policies in developing countries but may lack expertise in data protection and human rights considerations.

How does the intersection of national security concerns with digital trade issues impact cross-border data flows and internet governance?

speaker

Milton Mueller

explanation

The increasing use of national security as a justification for trade restrictions in the digital economy is changing the political landscape around these issues.

Disclaimer: This is not an official session record. DiploAI generates these resources from audiovisual recordings, and they are presented as-is, including potential errors. Due to logistical challenges, such as discrepancies in audio/video or transcripts, names may be misspelled. We strive for accuracy to the best of our ability.

Open Forum #53 Safeguarding Critical Infrastructure Beyond Borders

Session at a Glance

Summary

This panel discussion focused on safeguarding critical infrastructure beyond borders, exploring how diplomatic and technical communities can collaborate to address cybersecurity threats. Experts from various regions shared insights on protecting transnational critical infrastructure like energy grids, subsea cables, and satellite systems.


Key points included the need for stronger cooperation between national technical and diplomatic communities to enable better international collaboration. Panelists emphasized the importance of capacity building, particularly in developing countries, to enhance cybersecurity capabilities. The discussion highlighted the interconnected nature of critical infrastructure across borders and sectors, necessitating a coordinated approach to protection.


Speakers noted the evolving threat landscape, with cyberattacks on critical infrastructure potentially having far-reaching consequences for international peace and security. The importance of regional cooperation and harmonization of approaches was stressed, particularly in Africa’s energy sector. Panelists also discussed the role of public-private partnerships in infrastructure protection, given the increasing privatization of critical assets.


The discussion touched on the need for clear national frameworks defining critical infrastructure and roles of different stakeholders. Awareness-raising about transnational critical infrastructure was identified as a crucial first step for many countries. The panel concluded by calling for increased multistakeholder dialogues and capacity development initiatives to enhance the protection of critical infrastructure across borders.


Keypoints

Major discussion points:


– The importance of protecting transnational critical infrastructure, especially in sectors like energy and telecommunications


– The need for greater collaboration between technical and diplomatic communities at national, regional and international levels


– The value of capacity building and information sharing to strengthen cybersecurity for critical infrastructure


– The role of regional frameworks and harmonization in protecting cross-border infrastructure


– Opportunities for multi-stakeholder cooperation to improve critical infrastructure resilience


Overall purpose:


The goal of this discussion was to explore how diplomatic and technical communities can work together more effectively to safeguard critical infrastructure across borders, using concrete examples from different regions to identify challenges and best practices.


Tone:


The tone was collaborative and solution-oriented throughout. Speakers shared experiences openly and built on each other’s points constructively. There was a sense of urgency about the need for greater cooperation, but also optimism about the opportunities to make progress through multi-stakeholder efforts.


Speakers

– Marie Humeau: Moderator, working at the Dutch mission in Geneva on digital and cyber issues


– Orhan Osmani: Head of the Cyber Security Division at the ITU Telecommunication Development Bureau


– Shariffah Rashidah Syed Othman: Director of Policy and International Cooperation at the National Cyber Security Agency of Malaysia


– Towela Nyirenda-Jere: Head of the Secretariat at the Africa-EU Energy Partnership


– Franziska Klopfer: Principal Project Manager for Cyber Security Governance at DCAF (Geneva Center for Security Sector Governance)


– Wenting He: Associate Researcher with the Security and Technology Program at UNIDIR


– Tereza Horejsova: Senior Outreach Manager at the Global Forum for Cyber Security Expertise


Additional speakers:


– Audience member: Unnamed person from Austria who asked a question


Full session report

Safeguarding Transnational Critical Infrastructure: A Multifaceted Approach


This panel discussion, moderated by Marie Humeau from the Dutch mission in Geneva, explored the challenges of protecting transnational critical infrastructure and the potential for collaboration between diplomatic and technical communities to address cybersecurity threats. Experts from various regions and organisations shared insights on safeguarding critical assets that span national boundaries.


Key Threats and Vulnerabilities


The panellists highlighted the increasing vulnerability of critical infrastructure to cyberattacks, with potentially far-reaching consequences for international peace and security. Wenting He from UNIDIR emphasised the particular vulnerability of subsea cables and satellite systems, while Towela Nyirenda-Jere from the Africa-EU Energy Partnership stressed the growing importance of energy sector interconnections as targets. Shariffah Rashidah Syed Othman from Malaysia’s National Cyber Security Agency noted that attacks on critical infrastructure could have cascading effects across borders.


The discussion underscored the interconnected nature of critical infrastructure across borders and sectors, necessitating a coordinated approach to protection. Shariffah Rashidah provided a thought-provoking perspective, noting that critical infrastructure “does not exist in vacuum” but relates to the specific risks and defining characteristics of each country. She elaborated on Malaysia’s approach, which involves the National Cyber Coordination and Command Center in defining and protecting critical infrastructure.


International and Regional Cooperation


Wenting He discussed the UN Open-Ended Working Group (OEWG) and its emphasis on the risks of malicious ICT activities targeting critical infrastructure. Shariffah Rashidah highlighted the ASEAN Cyber Cooperation Strategy, including the establishment of the ASEAN Regional CERT, as an example of regional cooperation. Towela Nyirenda-Jere stressed the need to incorporate cybersecurity considerations in Africa’s continental power systems master plan.


The importance of regional cooperation and harmonisation of approaches was a recurring theme. Franziska Klopfer from DCAF, working specifically in the Western Balkans region, emphasised the value of informal networks between national Computer Emergency Response Teams (CERTs) in building trust.


Bridging Technical and Diplomatic Communities


A central theme was the urgent need for stronger cooperation between national technical and diplomatic communities. Orhan Osmani highlighted a “huge gap” between these communities at the national level, which he argued “blocks future collaboration on an international level”. Shariffah Rashidah proposed developing institutionalised training programmes in cyber diplomacy for diplomats before their international postings, including initiatives like the Women in Cyber Fellows program.


Capacity Development and Awareness Raising


Capacity development, particularly in developing countries, was identified as crucial for enhancing cybersecurity capabilities. Orhan Osmani suggested changing the term “capacity building” to “capacity development” and highlighted the ITU’s focus on the Global South. Tereza Horejsova from the Global Forum for Cyber Security Expertise emphasised the importance of involving the technical community in policy dialogues and capacity development initiatives for developing countries.


Franziska Klopfer raised the important point that awareness-raising about transnational critical infrastructure is a crucial first step for many smaller countries that may not be fully aware of their role in or dependence on such systems.


Multistakeholder Cooperation and Public-Private Partnerships


The panel emphasised the role of public-private partnerships in infrastructure protection, given the increasing privatisation of critical assets. Towela Nyirenda-Jere advocated for structured public-private partnerships. Tereza Horejsova called for increased multistakeholder dialogues and more meaningful involvement of the technical community in these discussions.


Challenges and Future Directions


Wenting He highlighted the ongoing challenge of attribution in cyberattacks, emphasising the need for continued research and international cooperation in this area. Shariffah Rashidah mentioned the upcoming final discussions of the OEWG and the focus on developing a permanent mechanism for cybersecurity at the UN.


The panel concluded by calling for continued efforts to strengthen collaboration between states and the technical community, explore multistakeholder dialogues on protecting transnational critical infrastructure, and work towards developing more effective international mechanisms for addressing cybersecurity challenges in critical infrastructure protection.


Session Transcript

Marie Humeau: Yeah. Good morning. Thank you very much for being here. My name is Marie Humeau. I’m working at the Dutch mission in Geneva on digital and cyber issues, and I’m very pleased to be your moderator today for this session on safeguarding critical infrastructure beyond borders. Actually, the entire idea behind this session is really to look at how we can better work between the diplomatic and the technical community and how to strengthen those efforts with a very concrete example on the critical infrastructure. So through this concrete example, we would like to look at the different regions, and we have esteemed experts on our panel to help us guide through how it’s working today, how the diplomatic and technical community are working to address the threats that they are facing and how in the future we should really endorse those relations to make our cyber environment even more resilient. So as you know, there are malicious activities that are targeting critical infrastructure. Unfortunately, those activities can have spillover effects, and we really need to work on fostering resilience and cyber resilience. For this, we need to build capacity, we need to increase those collaborations, and really this relation between the diplomatic and the technical community is key, and that’s what we’re going to try to explore. At the moment, we are still like working a bit in silos, but we have seen some changes in the past, and we are hoping with our experts on the panel to explore how from their perspective they’ve tried to address those issues and they’ve tried to reach the gap between the technical and the diplomatic community. We will guide you through three different themes. So just so you’re aware before we start, there is a journey that we are going to have together. We will first look at the cyber threats, and then the policy response that we have now, and then the opportunities for a greater collaboration. So on the panel that I’m very pleased to moderate, we have Mr.
Orhan Osmani, who is with us online. He is the head of the Cyber Security Division at the ITU, the International Telecommunication Union in the Telecommunication Development Bureau. So he’s leading lots of capacity building around the world on the cyber activities. We will also have Shariffah Rashidah Syed Othman, Director of Policy and International Cooperation at the National Cyber Security Agency of Malaysia. And she really has a specific role because she is sitting in a technical agency, but she’s also following lots of those UN developments and discussions. So she is, I would say, one of the incarnations of how you can also make the link between the technical and the diplomatic community. We will also have Dr. Towela Nyirenda-Jere, Head of the Secretariat at the Africa-EU Energy Partnership. And we also have Franziska Klopfer. She works at DCAF, the Geneva Center for Security Sector Governance. And she is the Principal Project Manager for Cyber Security Governance. She works a lot in the Western Balkans. So we already have like different perspectives and we know how crucial it is at the regional level, not only at the international level, but to work together. And it will be interesting to see if there are some differences in the approach that are being adopted in the different regions. And then finally, we have Ms. Wenting He, Associate Researcher with the Security and Technology Program at UNIDIR. And she has been, she’s like an expert on those issues. So she will provide us also with a great scene setter before we all dive into the discussion. And then, because the panel wouldn’t be like finalized with Tereza Horejsova, she’s Senior Outreach Manager at the Global Forum for Cyber Security Expertise. And that will help us make the most out of the discussion and everything that we will hear in the next hour.
So those are my panelists, and we will together like go through this journey on where we are, what has been done and also where we can do better and improve our work together. So, as I said, we will follow like the three steps approach. And we will start with actually going through the ICT threats framework, and then how the threats are really targeting critical infrastructure and how it impacts international peace and security. So for this I’m going to first ask Wenting to give us a bit of a scene setter about what are the different components of critical infrastructure that facilitate the provision of essential services across borders. So what are the issues, like with the jurisdiction, but also what kind of type of threats, and how you’ve seen the evolution of the landscape, but also how can those malicious activities actually impact international peace and security. So the floor is yours to like give us a bit of a background.


Wenting He: Thank you so much, Marie. I hope you can all hear me, and these are very important questions. While critical infrastructure designations vary across jurisdictions, there is this broad recognition of certain sectors as critical or important. So this includes energy, transportation, telecommunications, commercial and financial systems, among other things. Many of these sectors provide essential services across national borders, for example, transnational energy pipelines operates national regional and international critical information infrastructure, in particular, refers to information and communication systems and networks, whose disruption or damage, who severely impact essential societal functions. So, this type of infrastructure includes subsea cables, satellite systems, and cloud infrastructure, such as data centers, all of which support critical information and communication services across multiple states. For the interest of time, I will focus on subsea cables and satellite systems. But if you are interested in, you know, the cloud side of things, UNIDIR is publishing some reports on this topic very shortly. So please check out our website. So it’s no exaggeration to say that subsea cables really form the backbone of global communication. They transmit over 95% of international data traffic. And they enable reliable, efficient, cost-effective data transfers between data centers globally, which supports cloud services that we are all benefiting from. However, these cables are particularly vulnerable to physical threats. According to the International Cable Protection Committee, each year, approximately 150 to 200 cable faults occur globally, primarily due to accidental human activities such as fishing and anchoring. Additionally, cable infrastructure also faces cyber risks. And this includes potential hacking of the remote network management systems used for monitoring and managing cable activities.
Satellite systems also play a very critical role in global communication. They provide internet connectivity in, you know, like large areas of the globe, particularly in remote or underserved areas. However, over, you know, recent years, disruptions to space assets are becoming increasingly common. Potential threats include denial of service attacks, command injection, malware, signal interference, and physical damage to the satellite components. So in terms of the evolving threat landscape, attacks on international critical infrastructure and critical information infrastructure can disrupt essential cross-border services with increased complexity and impact. This challenge is especially pronounced in the increasingly digitalized world where such attacks, especially those targeting critical information infrastructure, including the relevant ICT supply chains and service providers, can significantly amplify both the reach and consequences of malicious activities, thus making such actions, thus making this type of infrastructure a compelling target for attackers. Additionally, the transnational nature of this infrastructure adds further complexity to its protection, making international collaboration a very essential element of effective safeguards and responses. And I know we will delve into this further and I will, so now I will turn to the, you know, the international security and peace implications of malicious activities targeting transnational CI or CII, so critical infrastructure and critical information infrastructure. Well, I don’t know how familiar you are with, you are familiar with, you know, the ongoing processes at the UN on cyber security, but the ongoing UN Open-Ended Working Group or OEWG on ICTs through its annual progress reports emphasizes that malicious ICT activities targeting critical infrastructure and critical information infrastructure can have cascading effects at national, regional and international levels.
Such activities can pose heightened risks to populations across regions and can be also escalatory. In particular, the OEWG highlighted the need to secure subsea cables and satellite communication networks from malicious activities, which could cause significant disruption and damage to telecommunications and also potentially affect the technical infrastructure essential to the availability and integrity of the internet in large areas of the globe. Subsea cables have historically been targeted during conflict as a means to disrupt an adversary’s communication. For instance, at the beginning of the First World War, one of the British military’s first moves was actually to sever Germany’s undersea telegraph cables. Today, subsea cable networks have become increasingly complex and interconnected, transmitting vast volumes of data for both military and civilian purposes. Malicious attacks on these dual-use critical infrastructure pose significant risks to global connectivity, but also to international security. Attribution challenges further complicate the issue as it is often very difficult to determine who is behind the cable damages. This uncertainty could lead to accusations and potentially escalating tensions between states, even when the disruption may in fact be unintentional. So in the current environment of heightened geopolitical tensions, national security surrounding subsea cables can drive further technological competitions over cable ownership, construction, and landing points, with important implications for global and also regional stability. Furthermore, satellite systems also play a very vital role in armed conflict, supporting critical military functions, including communication, navigation, and also intelligence gathering. Attacks targeting satellite networks and ground stations have the potential to disrupt adversaries’ critical military operations, thus increasing the likelihood of such actions in conflict scenarios.
Moreover, due to the dual use and transnational nature of satellite services, cyber attacks can have far-reaching consequences. This impact may extend far beyond the warring parties to affect also civilians and civilian services internationally and across sectors. I will stop here, Marie, and over back.


Marie Humeau: Thank you very much, Wenting. So now we kind of have the parameters of the journey we are going through, but like as in any journey, there’s unexpected things that can happen. So I would like to ask my panelists, I know we’ve prepared some questions, but if you feel the willingness to interrupt or to ask other questions or complement what is being said, please feel free. We’re looking at you also on the screen. So just like wave, and then we will give you the floor accordingly. But as any journey, it’s always more interesting when everybody can participate. So maybe I will now turn first to Rashidah. And maybe you can give us a bit of your perspective actually from the Asian Pacific region and what kinds of threats you’re like experiencing on critical infrastructure and the potential impact of cyberattacks targeting such sectors on a national and regional level. So the floor is yours, Rashidah. And thank you for joining us because I know you’re not also on the same time zone.


Shariffah Rashidah Syed Othman: Thank you very much. A very good afternoon here but I just want to flag everyone that currently there is an azan for the prayer time in Malaysia where I could not lower the volume. It’s in the building. If it’s okay with the audience I can proceed or else can I just wait for just one minute to make sure this ends. If it’s okay for all of you.


Marie Humeau: It’s as you prefer. Honestly it’s part of the journey I guess. So if you want to do it now please feel free. The sound is good on our side.


Shariffah Rashidah Syed Othman: All right. So of course let me just if it’s okay can I just wait because it’s quite very loud here. So I will continue. Thank you very much. I’m sorry.


Marie Humeau: So I see Towela has now joined online. So maybe we’ll start our journey with Africa then. And then if Towela can you just maybe share with us your experience on Africa’s energy sector. And could you. She will need permission to speak.


Towela Nyirenda-Jere: Hi. Good morning. Good afternoon. Oh, yes. Now it’s working. We can hear you. Yes. Okay. My apologies. I’ve been struggling a little bit with the connection on this side. But I’m definitely happy to be joining you all. Let’s see if I can turn on my camera. Yes. We can hear you. Now we can see you. Perfect. Well, thank you for doing this. So maybe you can give us a bit of your experience from the African energy sector. Thank you very much. And good morning, again, to everyone. Good afternoon, as well. And fellow panelists, likewise. So I’m joining you from Addis Ababa in Ethiopia. And for those that may not know, I am currently now leading the Africa-EU Energy Partnership, which looks at promoting collaboration between the two continents on issues relating to energy and a just energy transition. I think in terms of this topic around critical infrastructure in Africa, and very, very specific in terms of the energy sector, I think one of the things that is very evident, perhaps is that within the ICT ecosystem, the issues around critical infrastructure are well known and well discussed. And perhaps in energy, the conversation is a little bit different, but at the same time, needs to be brought perhaps to the same level as the discussions that we are having in the digital space. So when you look at Africa’s energy landscape, currently, of course, we know that, you know, 55 member states, five geographic regions, each of which has their own systems and ways of connecting and interconnecting through the different power pools that exist. And what has been done now is that the level of the EU is that there is an effort now to look at interconnecting the entire continent by really putting in the relevant infrastructure that would connect countries and regions. At the same time, looking at the harmonization of the different regulatory elements that would make that possible.
And the whole idea is to be able to facilitate the flow of energy across the continent, and beyond in terms of meeting Africa’s energy needs, but also being able to then export excess capacity outwards. What this then means is that there’s a lot of emphasis being put on these interconnections that are cross border and trans boundary. And when we start talking about this particular interconnection, and the idea that we will need some form of smart grids to be able to manage this whole system, issues around being able to then define critical infrastructure in the energy sector become important, because these cross border links are very critical in so far as making the system work. At the same time, the aspects of cybersecurity and how we secure that infrastructure also become very important. And these are some of the things that in my previous job at AUDA-NEPAD, we had looked at as we were developing this continental power systems master plan. And one of the recommendations we made was to from the very beginning to incorporate this understanding of cybersecurity, and the need to make sure that within the energy sector, we were actually also looking at developing adequate capacities in terms of cybersecurity. So I think where we are now is that as a continent, there hasn’t yet been any kind of overarching framework, so far as critical infrastructure from an energy perspective. And that is one of the things that we will start looking at now. Different countries, of course, have some policies that are looking at critical infrastructure. South Africa is a good example. I believe Kenya is also another example. And the idea then would be that to learn from these experiences, to look at regional frameworks and then ultimately to have a continental framework that looks at critical infrastructure from the perspective of the energy sector. Back to you, Marie.


Marie Humeau: Thank you very much, Towela. I think it’s, as you said, that the more you interconnect with those critical infrastructures such as the energy, the more also you will need each other to make sure that those cyber threats do not impact your network as well. So, thank you very much for sharing your initial perspective. And maybe now, I think, Rashidah, you can provide your perspective from the Asia Pacific. Thank you very much.


Shariffah Rashidah Syed Othman: Thank you very much, Marie, for the introductions. And I also want to thank Wenting for giving and setting the scene and also has given a perspective of the ongoing discussions at the OEWG as well as the development and what actually the importance of critical infrastructure that strengthens international peace and security. And also, to allow that actually explain in terms of how energy sector is important and the initiative that has been done. And earlier, Marie introduced me that I came from an organization that implements cyber security. And also, I also want to acknowledge this is an opportunity and also benefits that I got from the Women in Cyber Fellows where I think GFCE is also actually facilitating this hosting and facilitating this event. And because of that, it actually made me understand and also a learning experience as well in terms of connecting between the importance of how national levels need to implement the framework of responsible state behavior and how best we can do that in actionable item or actionable action. So coming back to the questions earlier regarding critical infrastructure sectors across border in Asia-Pacific region, I think earlier Wenting described about two things, which is the subsea cables as well as the satellite system, which I think it is global to any other region of the world. But one thing that I also want to connect and relate what actually happened at national level, which I think Towela mentioned specifically on energy. Because one is we hear earlier, depending on the country, how actually they determine the critical infrastructure and the critical infrastructure does not or CII does not exist in vacuum. It actually relates to the risk that the country face and also what actually define the country, the country’s importance.
For example, in Malaysia, for our cyber security act, we define critical infrastructure, 11th sector in our cyber security act, we define infrastructure as a computer or computer system, which destructive disruption or destruction of the computer or computer system would have a detrimental impact on the delivery of any services essential to the security, defense, foreign relations, economy, public health, public safety and public order of Malaysia, or on the ability of the federal government or any of the state’s governments to carry out its function effectively. And coming back to the sector specific of critical infrastructure, even at national level, they actually exist vertically and horizontally. In terms of horizontally, for example, energy, regardless how strong our subsea cable, how strong our satellite system, if energy is out, you cannot even operate the cyber environment. That’s how the importance of the interdependency of each and every critical infrastructure. At the same time, depending on which part of the world you are, if the energy comes from the water, hydro or water will become another part of important things of the country and goes back to what is the resource of the energy. Coming back to how actually we develop and how actually at ASEAN Pacific and why actually specifically in ASEAN, how we put the importance of critical infrastructure in ASEAN, we actually have produced an ASEAN Cyber Cooperation Strategy, where in the strategy, one of the dimensions, it says about advancing cyber readiness cooperation, where two important things being put. One is the CERT cooperations and coordination, where recently we have established and launched our ASEAN Regional CERT together with all ASEAN member states. And secondly, of course, the focus is on the coordination of regional CII protection. So in a nutshell, the discussions that happening at the UN actually complements the work that we do at national level.
And having been in an organization that actually do both, we actually work together with our Ministry of Foreign Affairs and see how this thing can actually interconnected, interdependency, and also it will reflect not only at national level, regional level and at the global level. Apparently, I will stop here.


Marie Humeau: Thank you very much, Rashidah. And thank you for sharing your personal experience as well. I think you are a good example on how the technical community and the diplomatic community, as well as we should look at the national, regional and international level altogether. And I think you made a great point about the complementarity of those different approaches. As well, I think one important point about how you at national level define critical infrastructure. I think that’s also an important point for each and every one of us to better understand what other countries and what critical infrastructure on top of what we are discussing at international level. So maybe we will move on in our journey to, actually, and what you mentioned, Rashidah, with your national experience, I think, and your regulatory framework, is actually the perfect path through our next step in our journey, which is really looking at the policy responses and the lesson learned from good practices on the protection of critical infrastructure. I saw you, Orhan, I think I saw some of the ping that you did popping in onto our screen that we have here. So I feel like you are now, like it’s time for you to step in and then to tell you a bit more about how to strengthen the protection of transnational critical infrastructure. Is there a scope for the diplomatic and technical community to work together to actually mitigate those ICT incidents? Orhan, the floor is yours.


Orhan Osmani: Thank you, Marie, and good afternoon and good morning to everyone. It’s a pleasure to be on this panel. I think, you know, as your question points, is there a scope between diplomatic and technical community to work together to mitigate these incidents? I think there is always, if there is a will, always there is a way to do things. So I think, you know, I stand by that. But I think what we need to do is basically, probably we need to take a step back and on national level, connect these two communities, because we see huge gaps between diplomatic and technical community on national level. And that one basically blocks the future collaboration on international level. So, you know, if we are clear on national level, where we stand in terms of cybersecurity from diplomatic and technical point of view, I think we can basically strengthen collaboration and we can work together towards, you know, an understanding that, you know, some of the critical infrastructures which serve the essential services in the countries needs to be protected and they must be protected. Because, you know, we are talking about, you know, people who are now, I know more and more people are on
medical devices, which, you know, basically the life-supporting devices, and know any energy, let’s say any energy attack, it attacks those devices we are keeping people alive. So I think, you know, we need to, we need to really, we need to be, have compassion towards those, those people. I think we need to promote more, let’s know, what is at risk there. And I think, you know, besides, you know, I think, you know, I heard Wenting, she was talking about, you know, mainly focusing on state-to-state challenges they have, but also we have the big group of those who are making money, than all the cyber criminals who are basically, it’s a big industry. So it’s bigger than anything, and cybercrime threats are bigger than any natural disasters around the world. So basically, no, it’s something we need to deal with. And I think we need to increase more and more collaboration between technical community but also diplomatic community. Probably also what we need to work on more is attribution, because, you know, often, you know, this is my personal view, I see often the attributions happen very quickly, but from technical perspective, you know, I understand, you know, to attribute an attack to someone is going to be very challenging, because, you know, you need to have more evidence, you need to spend more time to ensure that, you know, that the attribution is correct. And know when you attribute something to someone which is not, which is not kind of true, or it’s misleading, then the challenge is basically collaborating, how to work together. So I think, you know, we need to work more on capacity development. So basically, I mean, often I go against the term of capacity building, because capacity buildings, we build capacity where there is no capacity. But I think now we need to continue development, because I think, you know, all regions have capacity, but we need to continue development of the capacity. So, you know, probably we need to change the language how we approach. And another thing, you know,
which I think we can strengthen protection of critical infrastructure is that know if government community and member states work together in terms of you know, collaborating and kind of, you know, coordinating the activities, aligning each other, you know, how we can, how we can work together and basically, you know, support the development of the world, because I think, you know, I mean, we are having all these national and transnational conflicts. But I think, you know, something which is coming after all the world is the climate change. And I think, you know, we need to we need to promote more of, you know, actually what is happening to us as a world, and probably, you know, the political tensions we will reduce, and we can work better on cybersecurity and other and other challenges we face as a world. So I think, you know, probably, you know, this is my input. I don’t know, let’s see, you know, how conversation goes. And I’ll probably add and chip in with other views. Thank you.


Marie Humeau: Thank you, Orhan. So it’s about strengthening our capacity. But, and also, I think, indeed, the link between the technical and the diplomatic community, sometimes we don’t speak the same language. So it’s also about, I guess, strengthening our common understanding of each other, and maybe learning how to, like speak the language of all the others. So you can work better together as well. And thank you very much for this perspective. I think we will now in our journey throughout the world, jump into the Western Balkans region with Franziska. And you have been working with the technical community, the CERTs in that region, and you’ve helped them set up informal networks, where actually it’s about like getting to know each other, building trust, sharing information. And I think that relates a bit to what Orhan was saying also about the need to build on our capacity and also to better exchange information. Can you tell us a bit more about how can such networks of technical experts help protect the critical transnational political infrastructure?


Franziska Klopfer: Thank you very much, Marie. And Hello, everyone. Very pleased to see you, see you again. Indeed, we have my organization, the Geneva Center for Security, the governance have been working for quite some time in the Western Balkan region in Europe. And one of the areas that we work with is organizing regional events for national CERTs. And indeed, this has helped through a long term process to facilitate communication and build trust. And now led to what one can describe as an informal network of where the staff of these CERTs communicate. I want to kind of take up on what the previous speakers have said, that there is a lot that can be done by different communities. And I think it is important definitely to see the potential of the technical community to also get involved in, you know, transnational international processes. But I think it is very important to to then go back to see, as Orhan had said, what’s happening at the national level. Because these CERTs, they also they cannot work in a vacuum. They cannot do diplomacy or in a vacuum. They are part of a national structure where they, I think, have a, for example, the CERTs have a very interesting role that they can play. They are usually in countries, either the CERTs or the national cybersecurity agencies, in charge of also supporting and coordinating with critical infrastructure and critical information infrastructure. So they are really there to support and to help them and to enforce cybersecurity standards and also to exchange information and information that might have also received from friendly neighbors on cyber threats. But I think this cannot be done in a vacuum or outside of diplomatic processes, as you know. I mean, we’ve talked quite a bit about agreements, bilateral or regional or international, about coordination between different countries on protecting of CII.
And I think this is, we know that there are different actors involved in it and there’s on the one hand the diplomatic community and then technical community can come in with their expertise. But it is very important that in a country, the roles of diplomats, of technical community, or for example, CERTs and other actors are clearly defined. And it’s clear what the role they play in, for example, in this process of protecting transnational critical infrastructure. And that it’s also clear how they communicate, coordinate and communicate with each other. Because as has already been mentioned, I think this is a big problem. You have different actors working on similar topics, but there’s no clarity about how they should cooperate. They often don’t even meet regularly in meetings. So I think that’s one of the areas, but when we talk about also capacity building or capacity development, that we should not see these different actors in isolation. But I think part of the capacity development would be to strengthen the links, clarify roles and responsibilities and strengthen links between those different stakeholder groups at national level.


Marie Humeau: Thank you, Franziska. I think the message is clear that we need to strengthen our capacity, everyone’s capacity also at national level first. And then that would also allow for better engagement, I think at regional and then international level. But let’s put everything one step at a time and start with the strengthening at national level of this collaboration also between the technical and the diplomatic community. Maybe I’ll move back to Towela and look at from your perspective on the Africa’s energy sector. Can you share with us some good practices, good example at your level, at the African Union level, and what kind of further steps would you think governments and industry stakeholders in the region can take to better protect the energy infrastructure? I think it’s always good to have a look at concrete sectors. So Towela, the floor is yours to share your perspective on this.


Towela Nyirenda-Jere: Thank you very much. Maybe let me just start by appreciating I think Rashida’s intervention and especially the idea of the fact that critical infrastructure perhaps will be looked at and prioritized differently within different member states and regions, depending on what is obtaining in the region and also in terms of how regions work and are organized. And I think also to Orhan’s point about the fact that capacity building but maybe enhancing and going further in terms of capacity endowments and looking more at very deliberate strategies for capacity development I think are very important points. So I think turning to the case of Africa and looking at good practice and maybe trying to do a bit of a balancing act between the energy sector but also all the other infrastructure sectors as well. I think one thing that I would cite as good practice that I think this is also to Rashida’s point but also in terms of the way Africa works and is structured is the idea of really being able to foster and promote regional cooperation and harmonization across the different regions because that then makes it easier when we now want to start implementing different policy frameworks if there is some way in which there’s a bit of harmonization but also that there is some cooperation. Within the energy sector. Of course, there’s, and as with other sectors, there’s a myriad of stakeholders that are involved in all of this. So you will have utilities at the national level, you have the power pools, you have the regional economic communities, you have other private sector entities perhaps that are responsible for grid development. And then obviously you have the African Union itself. So there is a need for a very balanced cascading of cooperation, both from top going down, but also from the bottom going up. And being able to structure this in a way that makes sense, I think is important. 
And I think for the energy sector, I think Africa has managed to do this in a very coherent way by bringing together all these different actors to look at the sector critically and identify the different areas where harmonization and standardization is needed, but also establishing the relevant cooperation frameworks. When we now look maybe very specifically at the issues of cybersecurity, I think we’re all aware that the African Union has its convention on cybersecurity and personal data protection, which has now entered into force, and which also sets, I think, a very good framework in terms of how the continent wants to approach issues of cybersecurity, issues of privacy, issues of data protection. And I think what is important then as we move forward is making sure that this convention is seen not as an ICT instrument or an ICT device, but that it really has importance across the entire infrastructure landscape, and obviously beyond when we start looking at just general issues of people’s day-to-day lives as well. To the point about capacity and the capacity endowments, really, when we now look at how we operationalize the convention, again, very important to make sure that we’re not losing sight of the fact that in addition to the digital cyber experts, if I can call them that, that we need to make sure that our experts that are managing our different utilities, whether it’s in water, whether it’s in energy, and those that are managing our other infrastructure, you know, in terms of transport, in the water sector, that all of these are adequately equipped with the understanding of, you know, cyber security measures, but also that there is some element of coordination and cooperation across the different sectors within countries at regional level, and then also at a continental level as well.
And then lastly, I think that, you know, in terms of the practice, I think the GFCE perhaps mentioned this a little bit, just in terms of this idea of being able to provide a framework where one can actually have a way in which to match the capacity needs in terms of cyber capacity building, and linking that to where expertise and experts lie and being able to make those connections and offer that platform that enables this flow of expertise and experts between regions and between countries, so as to enhance the cyber security posturing across the globe. Back to you.


Marie Humeau: Thank you very much, Towela. I think you, you, you, you touch upon another important point is also sharing best practices across sectors, and it’s that the cooperation need not only to happen between the technical community and the diplomatic community, but also across sectors, because the more we get connected, the more we rely on each one sector rely on the other. But also, I think each sector can learn from the best practice of the other. And I think you point out your best practice from the energy sector, and I’m pretty sure a lot of other sectors can learn from how you are trying to like put things together and to be able to share better the information to make your, your infrastructure also more resilient. And I think that’s exactly what we are trying to do here and I can I can see on the screen of one thing that they’re already some exchange of of willingness to exchange information about what everyone is doing so I think that’s the objective is really to share our experience here, and to connect and continue that discussion also after after this session so I’m quite excited about what I see on the screen on my left. And it’s not only happening in the room. So maybe we’ll guide you through the next step in our, in our journey which is our nearly final stop, because we will then open the floor to everyone to ask questions, but apparently someone wants to take the floor. Yes, Rashida please do.


Shariffah Rashidah Syed Othman: Thank you very much, Marie, I just want to just connect and give some response with regards to Franziska’s views as well as Towela. About the importance of structuring and position. While we are talking about the technical community in terms of CERTs and giving them a proper place at the national level, as well as how Towela mentions the importance of making sure that the things are being interconnected in such a way, where I think the experience that we took in terms of making sure the discussions between the technical people and diplomat, as well as the people that look into the policy at national level. This is also the experience that we got from the exposure from the learning curve that we got from the OEWG, and other activities that we, we see at national level, as well as at regional level, specifically on the third part. The chief executive of my organization, the National Cyber Security Agency, has the responsibility to maintain the National Cyber Coordination and Command Center, which is our national CERT, and the act actually give an importance of the designation of sector lead, where they are being empowered to designate the national critical infrastructure with the processes, then they are a compulsory notification of incident, where the coordination can actually be swiftly being done at national level. This is also complement the works that, and the development that is happening at national level, where the national CERT, which is the NC4 itself, is also being submitted at the UN OEWG as the technical global point of contact. This is where I think the learning curve our country takes in terms of understanding and connecting the dots between the discussion with the technical people, the policy people at the domestic level, as well as the diplomat that works at the United Nations.
Another part that I also want to touch is the opportunity that we have in terms of capacity building, where one of the thing that we managed to work together, especially with UNIDIR, and at national level, we get a blessing from our management to do that, where we will develop and institutionalize a proper training in our institute that train the diplomat before they are being stationed internationally in terms of cyber diplomacy or tech diplomacy, so that the people that face when they go overseas, the diplomat have the clear understanding of when to connect the dots and how actually they can bring back the discussion that they see and they negotiate at any platform, bilaterally or multilaterally, back to the organization. in organizations that look and lead national cybersecurity initiative at national level.


Marie Humeau: Thank you. Thank you very much Rashida. I think indeed it’s important to know who to contact and where in those points of contact are key and crucial. And thanks for sharing your best practices. I think your point about capacity building and the training of diplomats is an amazing one. And I’m very pleased as well that our co-organizer today are being mentioned by so many of you on their best practices as well, because I do think that UNIDIR and GFCE are doing lots of work to try to strengthen those capacity as well. And indeed, the women in cyber, we can see here that we have quite a panel with lots of women. So it’s also nice to see this because it’s not always the case, but thank you Orhan for bringing a bit of men balance in this discussion as well. So maybe, or no, no, yes. I know sign on it from the virtual room, but so maybe we’ll, yeah. Maybe we’ll step in in our last topic. And before I give the floor to everyone and to some questions. So maybe what are the, so we will step in for the future and where we are heading next step in our journey. So maybe, Franziska, you want to start with what are the opportunities for greater cooperation? And do you see, I think you started like answering that question a bit already, but do you see like ways to reach out and to set up mechanism to better be prepared and equipped for those, for greater collaboration? And that includes also the role for the multi-stakeholder community in those discussion.


Franziska Klopfer: Yeah, I think that’s a really good question. Yes, I think we’ve spoken quite a lot about this already, so I’ll keep it short and I think maybe just a very practical step, and Rashida already mentioned it, I think a very good first step would be when you do training of cyber diplomats, actually one of the most essential things, make them aware of what’s happening in their country, who’s in their country, who they need to coordinate with, who they need to consult, also to establish national priorities, because these are the national priorities that we will bring to the international discussions, including discussions on CII, and also engage with the multistakeholder community in order to identify indeed and to work with CII. I think I’ll leave it at that in the interest of time, just two first practical steps that I would recommend to take.


Marie Humeau: Thank you. I think we are running, we only have a few minutes left, so maybe what I’ll do, if that’s fine, I’ll look at the room and see if there are some pressing questions coming from the room. Yes, I see a gentleman at the back. Excuse me? Mike, yes, please. Thank you. It’s coming from you, Ben. No, Mike. Thank you.


Audience: Hello. Yes, so I’m into you from Austria, and I’m curious to know how many of you, so I guess that you’re coming from, each of you are coming from different countries, so how many of you have seen policy documents that actually addresses transnational critical information infrastructure and talk about whether your government is allowed to or planning to attack in case of emergencies or in case of contingencies, especially if it’s relevant, if you have seen any documents published by the military administration. So is your country, especially the military department, allows or take into consideration the possibility they would be able to attack critical infrastructures in other countries?


Marie Humeau: Is there any question also on the chat? No? Okay. So maybe we’ll take your question. And because we also have two minutes left, at the same time, I’ll ask the speakers to answer your question and then to give their final remarks before Tereza wraps it up and do our photo album of our journey together. So maybe I’ll give you the floor one by one, and then you can address the question that has been asked. But also you can bring us a bit of your flavour, and Franziska, you’ve already started to do so, on what are the opportunities in the future, be it at national, regional, or at international level, for greater collaboration? But also, what can stakeholder bring to the table in terms of the protection of critical infrastructure, and the importance of actually this multi-stakeholder cooperation that is needed to be better equipped and to have a more resilient critical infrastructure? Maybe I’ll start at the bottom right with Orhan, and then I’ll go to Towela, to Franziska, and to Rashida and Franziska. So Orhan, you have the floor.


Orhan Osmani: So can you hear me, I think? So I think the question of the gentlemen, honestly, I don’t have an answer, because ITU is a government agency, so we keep supporting member states to build the capacity. So… know, we are focused on Global South, where we, you know, run cyber drills, where we bring communities together, so technical communities. Now we are trying to bridge the gaps, bringing diplomatic community to our meetings and have a discussion among them. So in principle, you know, I don’t have an answer for him on that regard. But you know, all comes down to, you know, collaboration, information sharing. So we have often, you know, even countries which are aligned to each other, they don’t share all the information. So basically, you know, I think, you know, I think quite a lot needs to be done, I think, trust needs to be built. And so we need to we need to work around around that. So I think, you know, the opportunities are there to to increase collaboration, but are we going to take and take action on really putting the citizen at the center, because I think, you know, what is happening now we are putting at the center other things. But if you put the citizen at the center, you know, those who need the essential services, those who benefit from those essential services, and those who contribute back to the society, I think, you know, then I think quite a lot of things can be solved. But you know, I’m very idealistic in that regard. So I think, you know, I’m not sure, you know, what, what would work the best, but you know, we keep continuing to work together with a global South building the capacity which is needed to support the digital developments of the countries. We, you know, help women in cyber, through mentorships, through capacity building, and so on. I mean, a lot to be done, honestly, you know, a lot to be done. And we need to sit down as development agencies or partners or stakeholders on building capacity, developing capacity. 
So we need to sit down and kind of decide who’s going to be doing what, because I think a lot of duplication of efforts is happening in on the same area. So I think we need to kind of spread the net and try to cover most we can, because the resources are limited in terms of financial and human. And I think, you know, can be done a lot if just there is a will to sit down and lower our egos and work together. I mean, that’s, that’s all. Thank you.


Marie Humeau: Thanks. Thanks, Orhan. So I think, and as you said, a lot needs to be said and done, but we are also pressured with time. So I will give each of you 15 seconds, and then, Tereza, I can wrap up. I’m really sorry, but maybe we can have another session on the next IGF to continue the discussion, because apparently so much needs to be done and so much needs to be said. And we are seeing this initial cooperation that are taking place now. So maybe, Towela, if you can give us in 50 seconds a short snap of what you think we should be doing.


Towela Nyirenda-Jere: Okay. Thank you very much. Very quickly, I think, as we see now that there’s a large move towards privatization of a lot of infrastructure, whether it is in-country or transnational infrastructure, this means then that, on the one hand, there will be a need for stronger collaboration between private sector and governments through very structured PPPs that focus on this issue of the protection of that infrastructure, but at the same time, governments, I think, need to then continue setting the container in terms of the relevant policy and regulation mechanisms, but making sure that these are things that can be implemented and that are enabling the protection of the infrastructure, but also, I think, as Orhan has said, making sure that we’re not losing sight of putting people at the center of what we’re doing. Thank you.


Marie Humeau: Thank you, Towela. Rashida, you have 15 seconds.


Shariffah Rashidah Syed Othman: I’m going to be short and quick, but I just want to touch on, just now earlier, we mentioned about OEWG discussions. So one of the things that we are doing right now, we are in the final lap of the OEWG. The central of the discussion before next July is to ensure what will be the future permanent mechanism, where we want to actually, together with all the states, to develop a permanent mechanism on how we want to position cybersecurity at the UN. This is where an important discussion starts, where actually we want to position the stakeholder so that they can contribute to execute effectively in the permanent mechanism that we wanted to do. One thing we talk a lot today is about energy from where if we want to talk about energy, be sector specific, bring the right stakeholder, bring the right skill, then we can solve the right specific question in sector specific problems at the at that level that it can be escalate at regional and national level.


Marie Humeau: I’m going to pass it over to Franziska.


Franziska Klopfer: And just to add to what everything has been said, maybe go back to the beginning. I think there’s still also some work to be done to just raise awareness of the existence of this transnational critical infrastructure and a lot of I think smaller countries might not be aware or they might not be aware of where these often these critical national transnational infrastructure on their protection. So I think that’s a good step for the very very beginning. That’s still I think necessary.


Marie Humeau: Thank you Franziska. I will give my last words to to Tereza. But before this, I would like to thank all the panelists for being with us and sharing your your expertise. And this is just the beginning. But I’ll give the floor to to Tereza.


Tereza Horejsova: Thank you, Marie. So we put this session together because we thought there was a lack of understanding of what benefit involvement of the technical community can have in multistakeholder dialogues on these topics. We have felt from our experience that sometimes these multistakeholder consultations have been more a tick-the-box approach, which is not what we want, because they are stakeholders in addition to the myriad of other stakeholders as was already said at this session. So we hope that this technical community can get involved, especially next year, in the in the regulational dialogues. We had some great examples from from Africa, from Asia, from Western Balkans, with some concrete challenges, including the definition on the national level of what is actually critical infrastructure, some efforts for regional cooperation as well. So I will not be able to go through all these details, but if you allow me, there are a few kind of calls for action that I think can shape the continuation of our discussion on this topic. The first is that we do need to strengthen the collaboration between states and the technical community, and we will be able to explore more in detail how, be it third-to-third cooperation or in the framework of the open-ended working groups. We do need to build capacities, especially for developing countries. We have heard the capacity building or capacity development, as Orhan clarified, has been coming up in the discussion in relation to these topics. And another idea that I think we can play with is how can we further convene multistakeholder dialogues on protecting transnational critical infrastructure, which is something that we will look into and we will try to come up with some ideas, be it in the form of a series of workshops or other initiatives. So I will have to stop here because I know we are over, but thank you very much for being part of this.


Marie Humeau: Thank you and have a good day. Thank you so much. Thank you. Bye-bye. Thank you. Bye-bye. Thank you. Bye-bye.


Wenting He

Speech speed

0 words per minute

Speech length

0 words

Speech time

1 seconds

Subsea cables and satellite systems are key vulnerable components

Explanation

Subsea cables and satellite systems form critical components of global communication infrastructure. These systems are vulnerable to both physical and cyber threats, making them potential targets for malicious activities.


Evidence

Subsea cables transmit over 95% of international data traffic. Approximately 150-200 cable faults occur globally each year, primarily due to accidental human activities.


Major Discussion Point

Threats to Critical Infrastructure


Agreed with

Towela Nyirenda-Jere


Shariffah Rashidah Syed Othman


Orhan Osmani


Agreed on

Critical infrastructure protection is crucial for international security


Towela Nyirenda-Jere

Speech speed

158 words per minute

Speech length

1524 words

Speech time

577 seconds

Energy sector interconnections are increasingly important targets

Explanation

As African countries work to interconnect their energy systems across borders, these interconnections become critical infrastructure. The increasing reliance on smart grids to manage these systems introduces new cybersecurity risks.


Evidence

The Africa-EU Energy Partnership is working on interconnecting the entire continent’s energy infrastructure and harmonizing regulatory elements.


Major Discussion Point

Threats to Critical Infrastructure


Agreed with

Wenting He


Shariffah Rashidah Syed Othman


Orhan Osmani


Agreed on

Critical infrastructure protection is crucial for international security


Need for regional cooperation and harmonization of approaches

Explanation

African countries need to foster and promote regional cooperation and harmonization across different regions to implement policy frameworks effectively. This approach makes it easier to implement different policy frameworks if there is some harmonization and cooperation.


Evidence

The energy sector in Africa has managed to bring together different actors to look at the sector critically and identify areas where harmonization and standardization is needed.


Major Discussion Point

Policy Responses and Good Practices


Differed with

Orhan Osmani


Differed on

Focus of capacity building efforts


Structured public-private partnerships for infrastructure protection

Explanation

With the increasing privatization of infrastructure, there is a need for stronger collaboration between private sector and governments. This collaboration should be through structured public-private partnerships focusing on the protection of critical infrastructure.


Major Discussion Point

Opportunities for Greater Collaboration


Shariffah Rashidah Syed Othman

Speech speed

138 words per minute

Speech length

1382 words

Speech time

598 seconds

Attacks on critical infrastructure can have cascading effects across borders

Explanation

Malicious activities targeting critical infrastructure can have far-reaching consequences beyond national borders. These attacks can impact multiple countries and sectors due to the interconnected nature of modern infrastructure.


Evidence

Malaysia’s Cyber Security Act defines critical infrastructure in terms of its potential impact on essential services and government functions.


Major Discussion Point

Threats to Critical Infrastructure


Agreed with

Wenting He


Towela Nyirenda-Jere


Orhan Osmani


Agreed on

Critical infrastructure protection is crucial for international security


Importance of national frameworks defining critical infrastructure

Explanation

Countries need to have clear national frameworks that define what constitutes critical infrastructure. These definitions help in prioritizing protection efforts and guide policy responses.


Evidence

Malaysia’s Cyber Security Act defines 11 sectors of critical infrastructure and outlines the potential impacts of disruptions to these sectors.


Major Discussion Point

Policy Responses and Good Practices


Cyber diplomacy training for diplomats is crucial

Explanation

Diplomats need specialized training in cyber diplomacy before being stationed internationally. This training helps them understand how to connect discussions at international platforms with national cybersecurity initiatives.


Evidence

Malaysia is developing and institutionalizing proper training for diplomats in cyber diplomacy or tech diplomacy.


Major Discussion Point

Policy Responses and Good Practices


Agreed with

Orhan Osmani


Franziska Klopfer


Tereza Horejsova


Agreed on

Need for collaboration between technical and diplomatic communities


Permanent UN mechanism for stakeholder contributions on cybersecurity

Explanation

There is a need for a permanent mechanism at the UN level to position cybersecurity and enable stakeholder contributions. This mechanism would allow for more effective execution of cybersecurity initiatives at the global level.


Evidence

The ongoing discussions in the final lap of the OEWG (Open-Ended Working Group) are focused on developing a permanent mechanism for positioning cybersecurity at the UN.


Major Discussion Point

Opportunities for Greater Collaboration


Orhan Osmani

Speech speed

197 words per minute

Speech length

1199 words

Speech time

365 seconds

Cybercrime threats to infrastructure are greater than natural disasters

Explanation

The scale and impact of cybercrime threats to critical infrastructure surpass those of natural disasters. This highlights the urgent need for enhanced cybersecurity measures and international cooperation.


Major Discussion Point

Threats to Critical Infrastructure


Agreed with

Wenting He


Towela Nyirenda-Jere


Shariffah Rashidah Syed Othman


Agreed on

Critical infrastructure protection is crucial for international security


Bridging gaps between technical and diplomatic communities

Explanation

There is a need to connect technical and diplomatic communities at the national level to enhance international collaboration. Clear understanding of cybersecurity issues from both technical and diplomatic perspectives is crucial for effective cooperation.


Evidence

ITU supports member states in building capacity and runs cyber drills to bring technical communities together. They are now trying to bridge gaps by bringing the diplomatic community to their meetings.


Major Discussion Point

Opportunities for Greater Collaboration


Agreed with

Shariffah Rashidah Syed Othman


Franziska Klopfer


Tereza Horejsova


Agreed on

Need for collaboration between technical and diplomatic communities


Putting citizens at the center of infrastructure protection efforts

Explanation

Infrastructure protection efforts should prioritize the needs and interests of citizens. By focusing on those who rely on and benefit from essential services, many challenges in cybersecurity can be addressed more effectively.


Major Discussion Point

Role of Multistakeholder Cooperation


Franziska Klopfer

Speech speed

151 words per minute

Speech length

766 words

Speech time

303 seconds

Value of informal networks between national CERTs to build trust

Explanation

Informal networks between national Computer Emergency Response Teams (CERTs) can help build trust and facilitate communication. These networks enable better information sharing and cooperation in addressing cybersecurity challenges.


Evidence

The Geneva Center for Security Governance has been organizing regional events for national CERTs in the Western Balkan region, leading to the formation of informal networks.


Major Discussion Point

Policy Responses and Good Practices


Agreed with

Shariffah Rashidah Syed Othman


Orhan Osmani


Tereza Horejsova


Agreed on

Need for collaboration between technical and diplomatic communities


Raising awareness of transnational critical infrastructure in smaller countries

Explanation

There is a need to increase awareness about the existence and importance of transnational critical infrastructure, especially in smaller countries. Many countries may not be aware of their role in protecting these shared resources.


Major Discussion Point

Opportunities for Greater Collaboration


Tereza Horejsova

Speech speed

158 words per minute

Speech length

324 words

Speech time

122 seconds

Need to involve technical community in policy dialogues

Explanation

The technical community should be more involved in multistakeholder dialogues on cybersecurity topics. Their involvement should go beyond a tick-the-box approach to ensure meaningful contributions to policy discussions.


Major Discussion Point

Role of Multistakeholder Cooperation


Agreed with

Shariffah Rashidah Syed Othman


Orhan Osmani


Franziska Klopfer


Agreed on

Need for collaboration between technical and diplomatic communities


Importance of capacity building for developing countries

Explanation

Capacity building is crucial for developing countries to effectively participate in and benefit from cybersecurity initiatives. This helps bridge the gap in capabilities between different nations in addressing cybersecurity challenges.


Major Discussion Point

Role of Multistakeholder Cooperation


Convening multistakeholder dialogues on protecting transnational infrastructure

Explanation

There is a need to organize more multistakeholder dialogues focused on protecting transnational critical infrastructure. These dialogues can help in developing comprehensive strategies and fostering cooperation among different stakeholders.


Major Discussion Point

Role of Multistakeholder Cooperation


Agreements

Agreement Points

Critical infrastructure protection is crucial for international security

speakers

Wenting He


Towela Nyirenda-Jere


Shariffah Rashidah Syed Othman


Orhan Osmani


arguments

Subsea cables and satellite systems are key vulnerable components


Energy sector interconnections are increasingly important targets


Attacks on critical infrastructure can have cascading effects across borders


Cybercrime threats to infrastructure are greater than natural disasters


summary

Speakers agree that protecting critical infrastructure, including subsea cables, satellite systems, and energy interconnections, is vital for international security due to their vulnerability and potential for cascading effects across borders.


Need for collaboration between technical and diplomatic communities

speakers

Shariffah Rashidah Syed Othman


Orhan Osmani


Franziska Klopfer


Tereza Horejsova


arguments

Cyber diplomacy training for diplomats is crucial


Bridging gaps between technical and diplomatic communities


Value of informal networks between national CERTs to build trust


Need to involve technical community in policy dialogues


summary

Speakers emphasize the importance of fostering collaboration and communication between technical experts and diplomats to address cybersecurity challenges effectively.


Similar Viewpoints

Both speakers advocate for structured cooperation mechanisms, either at the regional or international level, to address cybersecurity challenges more effectively.

speakers

Towela Nyirenda-Jere


Shariffah Rashidah Syed Othman


arguments

Need for regional cooperation and harmonization of approaches


Permanent UN mechanism for stakeholder contributions on cybersecurity


Unexpected Consensus

Citizen-centric approach to infrastructure protection

speakers

Orhan Osmani


Towela Nyirenda-Jere


arguments

Putting citizens at the center of infrastructure protection efforts


Structured public-private partnerships for infrastructure protection


explanation

While coming from different perspectives (ITU and energy sector), both speakers emphasize the importance of considering citizens’ needs and involving the private sector in infrastructure protection efforts.


Overall Assessment

Summary

The speakers generally agree on the importance of protecting critical infrastructure, the need for collaboration between technical and diplomatic communities, and the value of regional and international cooperation mechanisms.


Consensus level

There is a moderate to high level of consensus among the speakers on the main issues discussed. This consensus suggests a shared understanding of the challenges and potential solutions in protecting transnational critical infrastructure, which could facilitate more coordinated efforts in policy-making and implementation at national, regional, and international levels.


Differences

Different Viewpoints

Focus of capacity building efforts

speakers

Orhan Osmani


Towela Nyirenda-Jere


arguments

We keep supporting member states to build the capacity. So…know, we are focused on Global South, where we, you know, run cyber drills, where we bring communities together, so technical communities.


Need for regional cooperation and harmonization of approaches


summary

Orhan Osmani emphasizes capacity building focused on the Global South through cyber drills and bringing technical communities together, while Towela Nyirenda-Jere stresses the need for regional cooperation and harmonization of approaches in Africa.


Unexpected Differences

Overall Assessment

summary

The main areas of disagreement were subtle and primarily focused on different approaches to capacity building and bridging gaps between technical and diplomatic communities.


Difference level

The level of disagreement among the speakers was relatively low. Most speakers presented complementary perspectives on protecting critical infrastructure and enhancing cybersecurity cooperation. The differences in approaches reflect the diverse regional and organizational contexts of the speakers, rather than fundamental disagreements on goals or principles. This low level of disagreement suggests a general consensus on the importance of protecting transnational critical infrastructure and the need for multi-stakeholder cooperation, which is positive for advancing global cybersecurity efforts.


Partial Agreements

Both speakers agree on the need to connect technical and diplomatic communities, but they propose different approaches. Orhan Osmani suggests bringing diplomatic communities to technical meetings, while Shariffah Rashidah Syed Othman emphasizes specialized training for diplomats in cyber diplomacy.

speakers

Orhan Osmani


Shariffah Rashidah Syed Othman


arguments

Bridging gaps between technical and diplomatic communities


Cyber diplomacy training for diplomats is crucial


Takeaways

Key Takeaways

Critical infrastructure such as subsea cables, satellite systems, and energy grids is increasingly vulnerable to cyberattacks with potential cascading effects across borders


There is a need for greater collaboration between technical and diplomatic communities to address cybersecurity threats to critical infrastructure


Regional cooperation and harmonization of approaches are important for protecting transnational critical infrastructure


Capacity building and training, especially for developing countries, is crucial for improving critical infrastructure protection


Multistakeholder cooperation, including public-private partnerships, is necessary for effective protection of critical infrastructure


Resolutions and Action Items

Explore ways to strengthen collaboration between states and the technical community, including through CERT-to-CERT cooperation


Look into convening multistakeholder dialogues on protecting transnational critical infrastructure, possibly through a series of workshops


Work on developing a permanent UN mechanism for stakeholder contributions on cybersecurity issues


Unresolved Issues

Specific mechanisms for improving information sharing between countries on critical infrastructure threats


How to effectively involve the technical community in policy dialogues beyond a ‘tick-the-box’ approach


Ways to address the duplication of efforts in capacity building initiatives


How to balance national security concerns with the need for international cooperation on critical infrastructure protection


Suggested Compromises

Focusing on putting citizens and essential services at the center of critical infrastructure protection efforts rather than solely on national interests


Developing structured public-private partnerships that allow for private sector involvement while maintaining government oversight on critical infrastructure protection


Thought Provoking Comments

We need to take a step back and on national level, connect these two communities, because we see huge gaps between diplomatic and technical community on national level. And that one basically blocks the future collaboration on international level.

speaker

Orhan Osmani


reason

This comment highlights a fundamental challenge in addressing cybersecurity issues – the disconnect between technical and diplomatic communities at the national level, which hinders international cooperation.


impact

It shifted the discussion towards the importance of national-level coordination as a prerequisite for effective international collaboration on cybersecurity.


Critical infrastructure does not exist in a vacuum. It actually relates to the risk that the country faces and also what actually defines the country, the country’s importance.

speaker

Shariffah Rashidah Syed Othman


reason

This insight emphasizes the contextual nature of critical infrastructure, highlighting that its definition varies based on each country’s specific risks and priorities.


impact

It broadened the conversation to consider how different countries might approach the protection of critical infrastructure based on their unique circumstances.


We need to promote more let’s know what is at risk there and I think you know besides you know I think you know I heard Wenting she was talking about you know mainly focusing on on state state to state challenges they have on on but also we have the big group of those who are making money than all the cyber criminals who are basically it’s a big industry so it’s is bigger than anything and and cybercrime threats are bigger than any natural disasters around the world

speaker

Orhan Osmani


reason

This comment broadens the scope of the discussion beyond state-to-state challenges to include the significant threat posed by cybercriminals, comparing it to natural disasters in terms of impact.


impact

It expanded the conversation to consider non-state actors as a major threat to critical infrastructure, adding complexity to the discussion of protection strategies.


Part of the capacity development would be to strengthen the links, clarify roles and responsibilities and strengthen links between those different stakeholder groups at national level.

speaker

Franziska Klopfer


reason

This insight emphasizes the importance of clear roles and communication channels between different stakeholders at the national level as a key aspect of capacity building.


impact

It refocused the discussion on the need for structured coordination and clear responsibilities among various actors involved in protecting critical infrastructure.


We will develop and institutionalize a proper training in our institute that train the diplomat before they are being stationed internationally in terms of cyber diplomacy or tech diplomacy, so that the people that face when they go overseas, the diplomat have the clear understanding of when to connect the dots and how actually they can bring back the discussion that they see and they negotiate at any platform, bilaterally or multilaterally, back to the organization.

speaker

Shariffah Rashidah Syed Othman


reason

This comment introduces a concrete solution to bridge the gap between technical and diplomatic communities through specialized training for diplomats.


impact

It provided a practical example of how to address the disconnect between technical and diplomatic communities, moving the discussion towards actionable solutions.


Overall Assessment

These key comments shaped the discussion by highlighting the complex, multi-faceted nature of protecting critical infrastructure across borders. They emphasized the need for better coordination between technical and diplomatic communities at both national and international levels, the importance of context-specific approaches to defining and protecting critical infrastructure, and the necessity of capacity building that includes clear role definition and specialized training. The discussion evolved from identifying challenges to exploring potential solutions, with a focus on practical steps to improve collaboration and communication between various stakeholders.


Follow-up Questions

How can we better structure and position the technical community (e.g. CERTs) at the national level to improve coordination with diplomats and policymakers?

speaker

Franziska Klopfer and Shariffah Rashidah Syed Othman


explanation

This is important to improve communication and coordination between technical and diplomatic communities at the national level, which can then enhance international cooperation.


How can we develop more comprehensive training programs for diplomats on cyber diplomacy and technology issues before they are stationed internationally?

speaker

Shariffah Rashidah Syed Othman


explanation

This is crucial for ensuring diplomats have a clear understanding of cyber issues and can effectively engage in international discussions and negotiations on these topics.


What are effective ways to raise awareness among smaller countries about the existence and importance of transnational critical infrastructure?

speaker

Franziska Klopfer


explanation

This is important because many smaller countries may not be aware of their role in or dependence on transnational critical infrastructure, which is crucial for effective protection efforts.


How can we better coordinate capacity building efforts among development agencies and partners to avoid duplication and maximize impact?

speaker

Orhan Osmani


explanation

This is important for making the most efficient use of limited resources in building cybersecurity capacity globally.


What mechanisms can be developed for stronger collaboration between private sector and governments through structured public-private partnerships focused on critical infrastructure protection?

speaker

Towela Nyirenda-Jere


explanation

This is crucial as there is a trend towards privatization of infrastructure, requiring new forms of cooperation to ensure protection.


How can we design a permanent mechanism at the UN level for positioning cybersecurity that effectively incorporates multi-stakeholder contributions?

speaker

Shariffah Rashidah Syed Othman


explanation

This is important for ensuring long-term, structured global cooperation on cybersecurity issues, including critical infrastructure protection.


Disclaimer: This is not an official session record. DiploAI generates these resources from audiovisual recordings, and they are presented as-is, including potential errors. Due to logistical challenges, such as discrepancies in audio/video or transcripts, names may be misspelled. We strive for accuracy to the best of our ability.