IGF 2016 - Day 0 - Room 10 - BPF ON CYBERSECURITY Creating Spaces for Multistakeholder Dialogue in Cybersecurity Processes

The following are the outputs of the real-time captioning taken during the Eleventh Annual Meeting of the Internet Governance Forum (IGF) in Jalisco, Mexico, from 5 to 9 December 2016. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

RAW FILE

INTERNET GOVERNANCE FORUM 2016

ENABLING INCLUSIVE AND SUSTAINABLE GROWTH

JALISCO, MEXICO

5 DECEMBER 2016

WORKSHOP ROOM TEN

BPF ON CYBERSECURITY ‑‑ CREATING SPACES FOR MULTISTAKEHOLDER DIALOGUE IN CYBERSECURITY PROCESSES

4:30 PM

>> Hello?  Hello?  Is that working some yep.  Can you pick it up in the back?  Is that okay?

>> Working.  Okay, good.

>> Okay. Ladies and gentlemen, sorry that this has been a little bit of a logistical nightmare.  I do apologize.  We're a bit crowded together here, but we're going to get underway because we lost a bit of time.  My name is Matthew Shears with the center for democracy and technology and I have the pleasure of moderating this excellent panel.  As you've seen from the panel description, the purpose of this panel is really to understand how we can create spaces for multistakeholder dialogue on cybersecurity issues.  Now, obviously, this is a challenging issues.  It's one of those spaces that typically is very sensitive from a national security perspective, so what we want to do here is learn from the spaces that we've engaged in, the opportunities for that engagement, and really draw out some key learnings from it.  And I'm really hoping there are members from the best practice on cybersecurity here who can share their experiences from the floor.  And also, anybody else.  So I really want to make this an interactive session so we're going to go through the panel, so please hold your questions and also your experiences.

I want you to get a mic.  We can share and we'll take questions at the end of the panels and then we'll open it up to discussions.  So we've got a couple of people taking noughtses so what's really important is that you ‑‑ notes so what's really important is that you tell us what your concrete learnings are from participating in cybersecurity spaces.  How easy has it been as different stakeholders?  How do we open doors to participate in cybersecurity spaces and what do we need to do going forward?  Because those comments and learnings you will provide us with will then be relayed in the Thursday morning best practice for cybersecurity.  Thursday morning, right?  Brian?

>> Yes.

>> MATTHEW SHEARS: Yes, Thursday morning.  So please don't hesitate.  Jump up, give us your thoughts and most importantly your experiences.  So, I'm not going to talk anymore but I'll come back with a couple of issues.  I'm going to let Tatiana lead this off, Tatiana Tropina from the Max Planck institute.  Then we're going to be go to Carmen Gonsalves, then bell Contreras with CSPM.  Then Sowmya Karun with CCG, and then Gbenga Sesan, from Paradigm Initiative Nigeria and then end with Walid Al‑Saqaf.  Go ahead, Tatiana.

>> TATIANA TROPINA: Thank you so much.  Sorry for crowded room.  We are creating spaces for dialogue here.  Just a couple of points.  I believe I have three or four minutes.  What I learned personally from being in cybersecurity for almost 15 years now in kind of different countries and different spaces.  Well, first of all, I believe that when we are talking about cybersecurity and multistakeholder dialogue, we are sometimes confusing different cybersecurity demands because dependent on which demand we are, the participation channels and stakeholders would be different.  We can talk about participation in creating frameworks for cyber crime and for digital investigations and it would be completely different from national security issues and those would be different from critical information infrastructure protection.  So we have to understand first before we heading somewhere to participate, before we are heading somewhere to create any spaces, we actually have to understand where we want to create the space.

Which domain this is, and how we can contribute.  I think there is a lot of criticism about fragmentation of efforts in this area, but I think this is very natural that these efforts are getting fragmented because I do believe there's some overlap, for example, national security and critical information infrastructure.  But there are different issues where domains and stakeholders are unique and they do not overlap so we have to understand the spaces first before we aim for any multistakeholder dialogue.  Another thing is that there are two levels, national and international level.  And if we think about stakeholders we will see some very unique domains and very unique processes.  For example, let me go a bit historical.  Before we created all the notion about multistakeholder cybersecurity, there was a big notion about public private collaboration in cyber crime, in cybersecurity which meant something different.  You can organize public private corporation, for example, in digital investigations, but it's hard to talk about multistakeholder when you talk about operational things because there are unique mandates of the government.  There are unique mandates of the law enforcement agencies.  So, for many of the processes, we can talk only about multistakeholder policy making, or in the best case, multistakeholder law making.

And, I'm sorry for getting complicated, but there are two levels.  National and international.  And it's not a secret that there are many closed spaces like global group of experts like some international agreements and frankly speaking, I do think there's a need for multistakeholder dialogue here, but I don't think that these venues will get open very soon so I believe we have o aim for spaces on the national level or on the regional level on your own country like on the level of council, African, Europe, you name it and from there, one can broadcast the ideas.  If the venue is closed, there is still a possibility to have a dialogue with the national government and then the national government representatives can broadcast this idea, for example, about human rights, about safe guards.  They saw that sometimes it really works well when the government has good dialogue with industry, with Civil Society.

Then further about multistakeholder.  I believe that we do already have very good enrollment of technical community, private sector, and academia into cybersecurity matters.  It is different because it is sometimes seen as antagonizing.  I will talk about opening these doors a bit later, just a couple of examples from my personal proxies.  I work for the academic institution and I do believe that if you have a knowledge and willingness to contribute, you can contribute into different processes from international organizations to different working groups.  For example, I'm a member on Freedom Online Coalition working internet where we have different representatives of different governments and civil society and we came up with different recommendations on how to make cybersecurity policy making a more human‑rights oriented.  The idea behind these recommendations is that talking about security balance is very wrong because any framework should be human rights oriented by design because security of the persons is very important and we have these recommendations supported by both governments and Civil Society organizations.

And now I'm wrapping up my intervention about opening the doors from my personal perspective.  You have to understand like to create ‑‑ creation of multistakeholder spaces can go top down so the different organizations, working groups, international organizations, governments can open the doors.  These can go top down, but it can go bottom up.  So, if you are, for example, Civil Society and you're struggling with a question, academia, how can I contribute?  Think about different domains.  Set up clear goals.  Think where you really can contribute and then many even closed doors will be opened.  Like, my institute worked on the national level like on legislation reforms.  I think we have quite a good collaboration with council of Europe, for example.  So, the doors are open if we are ready to offer our knowledge and if we are ready not to go into confrontation but to listen to other parties.  To meet somewhere in the middle, not compromising our values but the problem of law enforcement, of legislators, because it is a hard job.  It is easier to talk about good frameworks and human rights.  But try to work with different law officers and try to understand the frustration.

So just being open to this dialogue, not only being open to your ideas but listen to others and come to some kind of compromise, something that will have value for all the parties of these multistakeholder things.

>> MATTHEW SHEARS: Thanks, Tatiana.  That's a wonderful opening.  Just a little bit of publicity, if anyone is interested in the Freedom Online Coalition Working Group 1 that Tatiana referred to, they can go to freeandsecure.  If we can free up the presentation.  Carmen, whenever you're ready?

>> CARMEN GONSALVES: Yep.  Thank you very much, Matthew.  Hello, good afternoon everybody and thank you that you invited me here to check in this framework about the global forum on cyber expertise, the GSET.  The Netherlands as a starting point, I work for Netherlands government, by the way, ministry of foreign affairs.  The Dutch government strongly believes that striving for a truly resilient cyber domain requires global engagement and better ways to work together.  That's why, indeed, we are, as a country, proud to be one of the founders of the global forum of cyber expertise, and I'm also very happy that I have the privilege to be the co‑chair of the GFCE at the moment.  The GFCE was launched at the 2015 global conference on cyber space, and its aim was and is to create a pragmatic action‑oriented and flexible multistakeholder platform to obtain best practices and cyber expertise, identify best policies, and multiple these.

>> MATTHEW SHEARS: Hang on one second.  Carmen, if you can just say ‑‑ we can't actually, I don't think we can do it from there.

>> CARMEN GONSALVES: Where is it?  Can I do it myself?

>> MATTHEW SHEARS: Yep.  Okay. Good.  Thanks.

>> CARMEN GONSALVES: Yes.  Thank you.  That's where we are.  More or less.  So, the idea behind the GFCE is that all though much progress has been made on addressing cyber issues, we can all benefit from sharing our experiences and strategies to take full advantage of the rapidly changing cyber environment.  The ultimate aim is that by doing so, we can broaden the companies which embrace the vision of the internet which is free, open, and secure.  That's what it's all about to create this critical mass of countries that share this vision of a free, open and secure internet.  The GFCE currently counts 55 members from governments, international, intergovernmental, international organizations and private companies from all over the world.  Closely involving and working with Civil Society, technical community, and academia.  The GFCE has an advisory board consisting of Civil Society, tech, and academia which provides advice to the GFCE.  Yes, sorry.  I have to do that myself.  Be self‑organizing.

So, this is only the second year we're in GFCE.  GFCE is very young.  You have to take that into account.  It's into development, still.  So at the beginning of this year, 2016, we conducted a survey among our members to find out how they are viewing where we're heading and how they see the strengths and weaknesses and the added value of the GFCE and what came out of that survey is that most members consider value of GFCE for three issues.  The first important notion is that they consider GFCE a repository of knowledge and a place to exchange ideas on good practices with practical products like training manualing and exchange of information also through our website.  A place to share knowledge about where projects are occurring, and planned which enables coordination.  So coordination aspect is also an important one in order to have an idea of what is going on all over the world where capacity building is concerned in order to know what's lacking and what could be done on top of that.

And thirdly, members joined in thinking and feeling that this is an important clearing house that helps match members looking for sharing ideas and good practices with members that are aiming for implementing projects or host projects in their respective countries, also supply in demand of knowledge.  Capacity building is at the hart of GFCE.  Through closer collaboration among stakeholders we think we can optimize assets and combine specific expertise.  So we organize initiatives, created a partnership formula between intergovernment organizations and companies involving Civil Society, and tech and academia.  So it's definitely multistakeholder in essence, all about exchanging good practices in a sustainable manner.  It is about creating seed projects that will result into other off shoots.

At the moment, there are 12 ongoing capacity building initiatives, mostly in the field of cybersecurity and cyber crime.  I'm going to give two examples.  Thanks.  Of ongoing and past initiatives.  First of all, there's the very successful initiative, global awareness campaign initiated by the U.S. and Canada.  That's an initiative aiming at private educators and individual citizens regarding their own responsibility for creating safe cyber space.  So it's an awareness campaign, as such.  It's an initiative to create awareness campaign based on the point of departure that it's not the sole responsibility of governments to design and implement such a thing.  You have to do that jointly with all stakeholders on board, so jointly organize awareness campaigns.

The message of the campaign is therefore created by a coalition of private companies, non‑profits, and government organizations.  And furthermore, there is an interesting initiative that's called progressing cybersecurity in Senegal and west Africa.  As part of this initiative, the global security capacity center in 2016 conducted a cybersecurity maturity review of capacities in Senegal supported by a ministry of post and telecommunications in Senegal.  For that, the most important Senegalise stakeholders, government, academia, law enforcement, and private sector NGOs and on the basis of this endeavor, and evaluation, the Senegalese government will have better tools to prioritize areas of capacity in which Senegal should invest strategically.

Another third initiative is one I would like to briefly mention that recently had a very, very interesting expert meeting in Bucharest.  It's an initiative on coordinated vulnerability disclosure initiated by Hungary and the Netherlands.  The idea is that this will result in a handbook of best practices in order to promote and safe guard and find a good way to enable ethical hackers to work.

So we're now moving into second year of the existence of the GFCE and now we have to look at the future, what are we going to do?  We are definitely going to capture the good practices that we have been developing over the past year and we also want to take them forward, and furthermore, we want to design a future agenda for global capacity building.  That's what we are, at the moment, aiming for.  In the year 2017, we'll have several important milestones in this respect.  There's going to be a GFCE meeting in March in Brussels where we will look at these future plans and we will hope to make a real step towards a long term strategy during the next global conference on cyber space that is ‑‑ and I'm going to disclose something that's not official, so keep it in this room, but it's really 99.9 percent sure it's going to take place in India, hopefully next November.  And India is also hopefully going to become our co‑chair in the GFCE.  Thank you.

>> On the internet?

>> CARMEN GONSALVES: Well it can be on the internet?

>> India is going to host the next GFCE?

>> CARMEN GONSALVES: It's not officially launched but we are really very near so I think we can do it.

>> MATTHEW SHEARS: Breaking news.  You heard it here, although you can't tell anyone.  Belisario, over to you.

>> BELISARIO CONTRERAS: Thank you very much.  I think Carmen spent a lot of time talking about the GFCE, actually.  We're very pleased to be part of the GFCE.  We invite you to go to the website.  I have several initiatives with several partners.  Actually, I want to take a couple of seconds to thank several partners like the government of Canada, the United States, Estonia, Spain, Senegal, Columbia, Dominican Republic.  All these countries are financial contributors to this program and they are the ones who make it possible, so we are very thankful, especially with the government of Canada who actually put forward our initiatives ten or 12 years ago.

We want to focus a little bit of what we do.  In three different areas.  One is minister of justice in the organization of Americas.  One is focused on the infrastructure of internet, and other one is intergovernment service, which is where I am located, which is where the service is.  It's not that we do all antiterrorist issues.  That was the place where they said, let's put them there.  Okay?

We have been actually, member states have developed several declarations.  Have gave us mandates to work on different issues.  It's just like working on fostering our developing national for Certs, whatever you want to call it.  Working on research and expertise, so we have ‑‑ one of the things we have to do is publish a series of reports actually with coloration of the private sector and academia.  This year we have a major support with other contributors, Microsoft, different contributors to that report.  Trainings and workshops, we have more than two or 3,000 people because they are not just government officials.  They received some per year.  Crisis management exercises.  Something that we are doing in collaboration government of Spain is organize an exercise every summer and this year for the first time, organize the first bilingual security where we have that operation there.  Awareness, this is something that we're working with the internet campaign initiative.  There are organizations there working on the alliance.

EHS in the United States, Canada, and different governments that are actually adopting this.  In all these, our member states have official recognized that in order to face cybersecurity issues or cyber issues in general, they need to work with private and Civil Society actors.  So what we have tried to do in all these different initiatives is try to make sure the different actors, all these actors are engaging in all those initiatives.  For example, when the national policy development processes, we try to reinforce that to our governments that these actors need to be involved from moment zero to make sure that the processes is totally strong from the beginning until the end.  When we are working on reports, research, we RIADIS actually that the private sector ‑‑ recognize actually that the private sector and academia are the ones who have the most information but it's very important as well to get information from law enforcement initial response agencies or institutions so we try, actually to promote those relationships.  In terms of training and workshops, we are able to do sometimes all these things based on collaboration.  Otherwise, it would be super expensive and impossible to do things so that's something very important to highlight.  We work with a variety of partners from different sectors and this is something that we are very, very proud.  Again, exercises, workshops, all these things we are trying do that engagement.  I'm sure that we're going to have time for, or I hope we have time to engage more discussion.  We wanted to share these and try to open with the discussion.

>> MATTHEW SHEARS: Wonderful.  Thanks, Belisario.  I'll be coming back with a couple more questions to you, specifically, on some of those.  Now we're going to turn to Sowmya, if you can work us through Civil Society experience in India.  Thanks, very much.

>> SAMANTHA BRADSHAW: Hi, everybody.  Good afternoon.  ‑‑

>> Sowmya: Hi, everybody.  Good afternoon.  I'm a project manager with the cybersecurity team.  A relatively young team, and we seek to provide unbiased research inputs into cybersecurity law and policy making.  And before I sort of take you over, I will also be presenting the findings of a paper by my colleague commissioned by GPD, but before I run you through those findings I'd like to given you some context as to how cybersecurity policy and legislative processes function in India.  To be fair, p cybersecurity policy making, the process itself, the is very limited in India.  There have been very limited policy, however, over the past couple of years we see there has been increased governmental attention.  We know that the IT act which is a primary technology legislation is being considered with amendment.  Several draft policies are being brought out and put out for public comments which is some form of multistakeholder engagement, so to speak, which is honestly the most limited form.

This has also been followinged by the channeling of budgeted resources which means huge budget reallocations with respect to cybersecurity, we have the office of the cybersecurity coordinator which was created for the first time last year, the national cyber coordination center and even a huge research fund dedicated to be for multistakeholder engagement including with industrial, academia, technical community, all of that.  What we have discovered there's been a draft on critical infrastructure, what we have seen is that in India, at least, often these policies are ad hoc, mostly reactive and rather uncoordinated and perhaps a function of that not entirely open to active participation or inputs from multiple stakeholders, particularly my organizations, which is academia.

So, theoretically, of course, whether it's the legislative working groups or a lot of other mandates that these processes function under, theoretically, they're supposed to engage with several stakeholders including industrial, Civil Society, organizations, the technical community, academia, but what unfortunately happens is that whether they actually take place, whether this multistakeholder consultation actually takes place and to what extent they're engaged with is not very clear, perhaps because these questions often relate to security and other information classified and information is therefore not available in the public domain.

What we do know is they're not always inclusive and representative.  I think this was perhaps demonstrated best by the Indian government which released a draft encryption policy last year only to have it withdrawn within 24 hours following huge public outrage because it had a lot of problematic provisions of since then, the policy has been that the encryption is back at the multistakeholder level and that it's going to have a lot of actors and things like that.  But what we do see in practice is that this is often not limited to industrial bodies and the participation by actors like Civil Society or academia is often very limited.

Like I said, this is possibly because it relates to national security and therefore it remains shrou ded in secrecy and also these are often divided among a number of government departments.  For instance, cybersecurity would be looked at by ministry of home affairs.  Focus inputs by actors by ourselves is often lacking.  Of course, the future is not entirely bleak.  For instance, the public outrage that followed the release of the encryption policy I think has alerted the government to the need to seek inputs and facilitate such participation by Civil Society organizations and by academia.  The fact that we have this research fund that is being allocated with a huge budgetary outreach.  We hope this will be a constructive form for various stakeholders to engage with us.  It's also hartening to hear from the first speaker that with if we engage with them, they are going to be welcome to our inputs so the various mean engagement that we have identified as an academic research consultation is obviously participation providing formal inputs, making ourselves valuable, really, by offering the necessity expertise ‑‑ necessary expertise and filling that vacuum in independent, inbiased, neutral writing.  Participation in advisory committees, facilitating discussion, and creating awareness in the public about these important issues by conducting conferences, symposiums, panels, et cetera.

So this is what we're pressing to do.  And most importantly at the moment given the situation, given the multistakeholder engagement I think our primary form is to create this space for engagement and fill that vacuum, fill that guide through specific proactive engagement with stakeholders.  So, yeah.  And I think it's good to note that the GFCE meeting is going to be in India in November so I think that will be a fantastic beginning.

>> MATTHEW SHEARS: Gbenga, come tell us about your experience in Nigeria.

>> GBENGA SESAN: So let me start with 3:00 a.m. today local time.  That was 10:00 a.m. in Nigeria.  I had to stay up to watch something that is quite historic as far as this kind of conversation is concerned.  Many years ago, we drafted a bill.  And I'm saying Civil Society drafted a bill that had content on security, on government, and on Civil Society.  That bill went through first reading, second reading, and today the public hearing was held.  But it wasn't always like that.  Let me rewind a few years to 2013, three years ago.  Three years ago, it was April when I got a call from the National Security Advisers office to visit them.  Now, many of my colleagues were worried.  If you get a call from the NSA, you have to start asking yourself, okay, what have I done?  And things like that.  But I wasn't worried.  I wasn't worried because we always wanted to have a situation.  We always talk about digital rights but one of the key problems we had was you talk to yourself in a silo.  You talk to yourself in this echo chamber, Civil Society talking to Civil Society about rights.  It doesn't make any difference because the people you need to talk to outside the room include security agents, include governments, include people whose duty it primarily is to protect citizens and in many cases, in doing that, they step beyond boundaries and infringe on rights.

So I came out of the meeting and I realized that, maybe not for the first time, but I realized that these conversations can actually happen.  Multistakeholderism isn't just something be talk about, it can happen, but many times it doesn't happen because everyone is talking to the people they're comfortable with.  And I think that one of the key things we need to learn about this is that open conversations actually help.  Because for the first time ‑‑ what I did on that day was to run a scenario of terrorism in Nigeria.  And many who were there from Civil Society, I think some of us were understanding the thinking for the first time of a security agency.  And it was good.  I mean, this is what empathy is about.  Putting yourself in your opposite's shoes and being able to understand, why on earth would you pick someone up in front of a church because he looks like a Muslim and he disappears for three weeks and nobody finds him.

The reason for that is because in their own thinking, the way to prevent the attack was to make this guy disappear.  And then the conversation started.  That was the first lesson.  If you're open enough, you can have a conversation.  I think our second lesson in this whole journey is the fact that there will be, it's the whole 9 yards.  The whole storming before, things like that.  One of those times, we started inviting security agencies and other government agencies to our meetings with all this annual freedom forum where we used to talk to ourselves, a Civil Society about digital rights.  But then we opened it up in 2015 and said, you know what, guys come in and talk to us about this.  We're talking about rights, protecting citizens human rights online and things like that, but share your own perspective.

We had someone from one of the agencies ‑‑ the name of the agency, I won't mention.  This guy came so the stage, took the mic, and said everything we wanted to hear.  We asked him questions.  So, what do you do about citizens when you suspect that something is going wrong, and owe gave us the perfect ‑‑ he gave us the perfect Civil Society answer.  We consider their rights.  We consider what the Constitution says.  We consider costs and things like that.  And of course, everyone knew that this guy was lying but guess what?  This was the first time they honored that invitation, and I think it was an important step.  That conversation continued.  Two times, when they request for information.  I remember one time when conversations were talking, and we had a number of people who were bloggers who were picked up because somebody somewhere thought that when you write an article about my boss that I don't like, that is cyber stalking, of course it's not cyber stalking.  You work for a security agency and you have a right to piss someone off, so you can do that.

We decided we were going to add value, so there were aspects of the conversation that were difficult.  One of the problems we had was there that there was a climate affair.  Now, when there's a climate affair, many times since he's suspended when you're having a conversation about rights and someone says, but are you supporting terrorists?  Now, that kind of shuts down a conversation.  But the beauty of ongoing conversation is, we're all looking for the same thing here.  Literally.  I'm looking for a better society.  I'm not asking you not to do your job, but I'm saying that in solving the problem of security, don't create another problem of rights violation.  And I think that was one place where we began to have better conversations.

And so, fast forward to the public hearing that held today.  One of the reasons why we were excited about this public hearing was not because this was a bill we were interested in.  One of the key reasons is because when we kept saying, we don't like this.  We don't want this.  We don't want that.  We decided, at some point, that this isn't the only thing we're going to say.  We can't always say, we don't like this.  We don't like that.  The question is, what do we like?  And I think it's important in conversation many times to say, yes, there are things I don't agree with, but what will you agree with if you were in my shoes, what would you want to do?  So we drafted ‑‑ I mean, it was initially a charter who advised that we couldn't have a charter.  So we called it a declaration.

And then one of the legislators we spoke with suggested that, well, if you could tone this ‑‑ turn this one particular declaration into a full legislative proposal, a bill, then I could present it on the floor of the House and it could, eventually, if it's successful, become a lieu.  And that's what we ‑‑ become a law.  And that's what we did.  I think ‑‑ this is the last thing I will say ‑‑ I think one of the other lessons we need to learn is that in creating a space for collaboration where, you know, different stakeholders work, we must be willing ‑‑ and I speak maybe more to Civil Society now, we must be willing to do the hard work that we can't even take credit for.  When that bill has passed, I can't claim credit for that bill.  My organization can't.  It's the sponsor of that bill, in fact, he's already won one award because he sponsored the bill.  And when he won the award, someone sent me an email in the office that said, hey, we drafted this bill, but he's winning the award.

I think it's a major lesson to learn that we need to get the work done, allow someone else to take the credit because there is this overall good that we're looking at and it's a much bigger picture.  This is an experience in Nigeria.  Like I said, it wasn't always like this, but these are some of the lessons we have learned over time.

>> MATTHEW SHEARS: Wonderful.  So, those are the kind of lessons that we're hoping to tease out today, so for those of you that want to speak about yourself experiences, bear this in mind.  That's something to bring to the floor here.  Before I go to Walid because he's going to talk about what Gbenga was talking about.  I just want to know, is everybody okay with the temperature in this room or would they like more air‑conditioning?  More air‑conditioning?  It's on max?  Can we lower the temperature?  Further.  More.  Twenty.  Yeah.  Yes.  If you can get a bit closer to the mics, that will help.  Thanks.  Okay. Walid.

>> WALID AL‑SAQAF: I guess it's Gbenga who warmed up the atmosphere.  Well, my name is Walid.  I actually come from an interesting background.  I came as an activist and moved to become a Board member in ISOC, an interesting combination.  But I'll have two segments of my talk.  One is with the hat of ISOC as a Board member and the other is in my capacity, my other hat, which I'll explain.  First, in terms of ISOC, all of you know ISOC, obviously, which is aiming at promoting the open development and as you know, so that the internet becomes secure, open, and reliable for all people.  But then the approach that's been taken was derived basically from the principle of the internet itself.  The internet was never born by, let's say, with a mind‑set of being controlled by one entity.  It was decentralized in its nature.  It meant that people had to work together in order for it to succeed.  Engineers, governments, everyone, infrastructure providers, et cetera.  So the notion of security and cybersecurity comes very deeply ingrained in the actual meaning of the internet and it meant that ISOC will have to adopt a framework that develops on this, which is in our terms, called collaborative security.  It means that everyone is responsible in some way or the other for the responsibility of part of the network.  And so, it meant that both governments, individuals, technical community, private sector, Civil Society, all of them are involved in one way or the other.  Additionally, recently, we've developed as ISOC the trust framework.  The trust framework is one way of taking this and problemizing it so it can become more by the elements.

It's basically four different components.  The first is user trust.  With user trust it means that everyone using the internet, not only end users as individuals but also government entities, private sector, et cetera, every who is involved is a user.  Whether you're a minister, the CEO of a company, you all eventually are users.  The second part is technology trust and that means the building blocks of the internet and the technologies and applications that build on the internet and applications and services, so these have a responsibility and they need to be involved in the process.

The third is the networks themselves, the trusted networks.  These include all the entities that have a distributor ownership, cable networks, routers, et cetera, those need to understand how to best utilize security in their respective roles.  And finally, the trustworthy echo system, and here is about the governance of internet as a whole.  And that is how the internet is governed and how it deals with internet issues at large.

So, these are comprehensive and there's documentation online.  I won't bore you with the details.  What this means is that government as well as others are involved.  So ISOC had real, good, successful examples in which this operator worked in some way.  For example, in 2013, the OECD revised guidelines on the privacy and transborder flow of personal data.  Thanks to the personal advisory at the time, they pushed for this change to happen and with expertise from ISOC that was contributing directly to this, it was possible to convince and persuade governments to change.  It's not impossible.  Just that you need to provide them the real background information and expertise and technical community has a very important role to play.  Additionally, ISOC is also working on new technologies, developing an idea.  For example, recently, I'm breaking the news to you, ISOC has actually chartered the ISOC blockchain special interest group, and this is good news because it means that we're opening our Horizons to new ideas.

The decentralized nature of the internet requires thinking differently.  Cybersecurity is the a the core of why blockchain technologies ought to be studied and explored.  This is attracting people from Civil Societies, from businesses, et cetera, and governments are already jumping in.  They understand that there is something of value to them.  So ISOC is doing this but then let us come to the other aspect of ISOC, which is the local leave.  Yes, we talked about the global level but then we have a very p important aspect which is chapters.  ISOC has a hundred chapters and active members in this conference itself and the forum, there are many.  Part of what they do is translate what is going on in the global level to the local level and they connect the context needs of the society.

I'll give you a very typical, one example of my original country, Yemen, and I'd like to thank Tatiana, actually.  She has a hand band for One Connected World.  And in fact, this project is highlighting recently one of the ISOC funded Beyond the Net projects in Yemen which, they actually provide training for schools to establish their own cybersecurity guidelines within the school environment in the level of children and teachers and all sorts of, I mean, the sectors within the educational system.

It starts small with a few schools, but it can expand.  Additionally, there was a very remarkable story in 2013 where the ISOC chapter in Yemen helped invite ripe NCC as well as ICANN to Yemen for the first time and they actually sat down with governments and private sector and Civil Society and lawyers and technical community to come up with ideas of resolving the crisis in the IP sector, which was ‑‑ and that caused a lot of security problems.  The government was unwilling to open up the door for more IP addresses to be bought by the private sector.  But then, again, ISOC chapter came in and persuaded the government through dialogue.  As Gbenga mentioned, it's important that you mention to them what they have at stake.  So it succeeded.  So these are examples both from the global level as well as local level.

Finally, let me take off my ISOC hat and put on my actual hat, which is a hacker hat.  I was a hacker.  I used it do software to circum vent censorship by governments.  I realized today that government can benefit from hackers.  In fact, one of the most successful projects was called hack the Pentagon.  Basically prizes given by government to hackers to help them identify vulnerabilities in government websites, very critical infrastructures in the government.  Within 13 minutes, the first very well initial was detected and then 200 reports came afterwards and then 110 hackers joined.  They gave about $75,000 in terms of bounties, but actually hackers went on for free.  Said, I just want to hack the Pentagon and identify problems with government websites.

This is what the government needs to learn.  There are successful examples, we've seen this happen, and I hope they learn from them.  Thank you.

>> MATTHEW SHEARS: Thanks, Walid.  Fantastic.  So, are there any immediate questions for the panelists?  Because then I want to ask if there are any members of the BPF ‑‑ we had members of the BPF on the panel but I would like to see if there are members of the BPF who want to share their experiences successful or not in opening up cybersecurity.  First, are there any immediate questions for the panel?  Do we have another mic, by any chance or are we going to have to share?

>> Thank you very much.  I'm a member of the BPF.  To start with, I would like to recognize Gbenga Sesan as being a very powerful force to reckon with.  When it comes to organizing support for the concerns about security initiative.  I want to touch on the needs to embrace multistakeholder and how to build trust into it.  Because I had an experience.  I had this privilege of being part of the team that developed a national cybersecurity strategy and we were engaged by the National Security offices.  Initially, they expected us to cut the document and submit it and, but we came up with the position that, see, the cybersecurity strategy is not something you can do like the usual policy and strategy.

You need to engage the stakeholders.  So what we did is this.  First and foremost, we're trying to understand the different terrain.  You have the private sector terrain, the Civil Society terrain, and the government terrain.  First and foremost, we did interagency to bring out the ministry, department an agencies together to trust themselves.  A big institution.

Then we took it from there.  We actually went to the domain of the private sector like from Legos where they were able to organize the support of the stakeholders and they also experienced the ‑‑ then the Civil Society.  That is where we have a little bit of issues.  I'm quite surprised at what he has been taking.  I wish that most of the society is taking the position and approach that they have been doing because the problem with Civil Society, you know, for me, from what we are perceiving and the perception of the government, this seems to be more aggressive.  And looking at a society as ‑‑ government is looking at a society as it wants to take control or influence what has been the statutory responsibility.  But like you said, the need to at least invite.  I think the civil society themselves need to be more transparent and be open to discussion and dialogue.  That's number one.

Then number two, I think it is essential to understand that government is still struggling with the understanding of orderment the language that the government has understood is stakeholder.  Last week, we had a meeting on the need to have the implementation from a strategy to the commitment action on setting up the critical information infrastructure.  Now, they invited stakeholders but not multistakeholders.  They invited people like them.  Said, hey, you're going to have your problem here.  You cannot talk about or develop a tool on critical information infrastructure without the organizers of the infrastructure.  Where are they?  They are not here.

So, what I'm saying is that maybe the Civil Society can help in the area of intervention.  At least, it can help to build a capacity of the government themselves to understand that the approach for the governors when it comes to security is not necessarily stakeholder, is multistakeholder.  What we have done, because I also have a little background in Civil Society.  What we have done, fortunately, because we are ‑‑ we understand the Civil Society, we have been able to integrate something into the policy of the ‑‑ I'm talking about national policy and cybersecurity, as part of the general principle.  Three principles that must be implemented or that must be engaged if we are to implement cybersecurity.  Number one, corporation.  Number two, public/private partnership, and number three, multistakeholders.  Now, there's a need to convey that to the government.  Government is still struggling.  They are seeing you coming into share the power with them.  Let me use open government partnership.  I happen to be one of the committee members.  See, government is not that willing ‑‑ maybe I should be talking from African perspective.  Government is dismissing, you know, see, it is my power, my responsibility.  Why are you coming to share the power with me?  So the governments need to be taught.  Need to be, you know, a whole lost of work needs ‑‑ lot of work needs to be done by the Civil Society.  Thank you.

>> MATTHEW SHEARS: Thanks, very much.  I think you're reinforcing a message we've heard pretty much across the panel.  Anyone else from the BPF wants to jump in and speak of their experiences?  If not, questions for the panelists?  Come on.  Don't be shy.  This is ‑‑

>> I haven't followed very much the best practices and the document itself.  I'm very interested to read it.  I think it has been a good work, but I just want to share perhaps a small advertisement and perhapsing it something similar of what has been said here because in cybersecurity matters, the question of participation of different stakeholders is still a bit sort of work in progress in a way.  And I had the chance to attend the GCCS and my boss, Paul, is part of the advisory board of the GFCE.  And our members work for APNIC, the regional internet registry, in a recent survey have said the most important challenge for them is in the realm of security.

So, we noticed when we started to have an immersion into these issues, I mean, the UN group of government experts and different processes that have been working on, for example, cyber norms in the last ten or so years, in closed doors with very few participation from different stakeholder groups.  So, I realized, well, probably there is a bit or a lot to learn from internet discussions and different governments that have included cybersecurity but not a lot.  And perhaps in the cybersecurity realm, mostly being dealt by international lawyers or based with international relations professionals.  This requires a little bit more of a multidisciplinary approach.  I'm not suggesting a multistakeholder approach all the way in one shot, but at least a multidisciplinary approach.

So, this inspired a workshop proposal.  It will happen this Thursday at 1:00 p.m.  It's workshop 132 called cyber norms meet internet government.  The idea is to provide here at IGF a welcoming space for the international lawyers, for the international relations people that are around here to try to see various opportunity for cross‑pollennation between internet governance debate and the cybersecurity debates.  So it's at 4:30, workshop 132 Thursday.

>> MATTHEW SHEARS: I should medication that there are a series of cybersecurity workshops that all feed into this.  Brian.

>> Yes, there are.  I'll be quick.  Thanks, everyone.  I'm Brian.  I provided some Secretariat support for the best practice forum.  Just so you know, the draft output document is available for public comment.  Still, this week, on the IGF website.  Please have a look there and feel free to make comments.  We'd really love that.  And our session, Matthew mentioned it earlier, is on Thursday from 9:00 to 10:30 in workshop room 9, and we'll be building upon this discussion.  We have some good speakers and we're really looking forward to staying this work forward beyond this week.  So thank you very much.

>> MATTHEW SHEARS: Thanks, Brian.  Yes.

>> Before ‑‑ I know that we have representatives from governments.  Members who have been in law enforcement, so don't hesitate to jump in here as well.  Thanks.  Oh, and please introduce yourself.

>> Hi, my name is Isabel.  I'm from Germany.  I'm a researcher on cybersecurity there and also a member of the steering committee of the IGF Germany.  Thats with very interesting.  I would like to ask a bit more about the capacity building initiatives that you mentioned.  They were ‑‑ so, I'm just wondering how exactly they work and how that looks because you also mentioned that many of them, you know, you need to prioritize and you have limited resources.  Belisario, you mentioned that these projects are quite expensive, so you need to partner with companies for that, too.  And so I would just like to have a little bit more practical insight in how that works and also, how do you prioritize projects and which ones.  For example, now we heard about these two projects with Senegal and the vulnerability project but how do you choose them and make sure that there's also kind of an equal, or those projects are promoted that really need promotion?  Thanks.

>> BELISARIO CONTRERAS: This is something that more and more of our donors are asking about.  First of all, we need to recognize that metrics on cybersecurity is very difficult.  There is a lot of qualitative information, qualitative metrics, but we're actually trying to get quantitative information.  About how we prioritize, basically, we're trying to, actually, we're trying to identify those countries that have commitment, which is something key in the Latin American region because resources are very, very limited.  And as resources are very limited, we need to partner with other international organizations, private sector, academia, and Civil Society actors.  For example, in terms of trainings, which is something that perhaps could be really expensive, training on cyber, I don't need to say how much expensive it is.  The risk is actually that many people could leave their job placement.  We tried to work with other partners like interpole, actually, with ITU.  This year, we had Rodrigo with the government of Spain.  This year, they host for free summer for two or 300 people.  Of course, again, the donations that provide the foundation.  Companies like Microsoft, Semantech, Kapersky, all of these provide to deliver these things.  We were with academic institutions like Oxford and other Universities notice regions that actually, when we go to a country, we were with them.

For example, where starting a project actually that is financed by city formation which is actually creating a digital pattern on cybersecurity, which is actually focused on people with not too many economy resources.  So, it's ‑‑ our budget is very limited at the OAS.  All of the organizations are in a financial crisis.  UN, all in financial crisis, so our budget is actually based on project‑based, and we need to deliver and show results.  So again, our budget is very, very limited when compared with other peers and we need to maximize our resources and the only way for us, as we've proven, is through collaboration.  We're always willing and open to work with, for the Civil Society, academia, technical community and Civil Society association, so we're willing to work with all these organizations.  Private sector and other governments, more than willing to do.  And there are a lot of successful stories.

So I can talk more on this if something.

>> CARMEN GONSALVES: Thank you, Belisario.  I could add to all the very relevant things Belisario said is that from the GFCE point of view or practice, you asked about, how do you know that you don't duplicate or that you cater for all the needs.  In the GSCE, we just try to match supply and demand.  It's important to recognize that initiatives taken under the umbrella of the GFCE are by definition open to all GFCE members so that's also a way to ensure that what you do with one country or a couple of countries is always open in the events that we organize in the framework of those organizations are open for all members.  So then, you avoid that you limit the spread of information.  Furthermore, I wanted to add something previous speaker who has left the room raised about the need for a multistakeholder dialogue in the area of cyber and international peace and security, so cyber norms, CVMs, et cetera.  I just wanted to raise here or to inform you that the Netherlands with other partners is working on the launch of a global commission on the stability of cyber space, built on the same format as the commission of international governance but really going to focus on cyber and international norms for peace and security because we think that indeed stakeholders, other stakeholders, others than governments also should be able to discuss these measures and to help in generating ideas that could feed into the global normative process.  Thank you.

>> MATTHEW SHEARS: Thanks, Carmen.  Okay. We've got some questions.  If you could pass this back to Michael.  Michael, if you could introduce yourself and then I'll go to the gentleman here.

>> Good afternoon.  My name is Michael Woma.  I'm with the Foreign Ministry of Canada and full disclosure, I'm also the Canadian expert to the UN group of governmental experts on cybersecurity.  I'd just like to respond and comment on a couple of things that have been raised here.  Both at the domestic and international level.  As this is a discussion about best practices, I'm a little reluctant to offer advice, but I can suggest from a government perspective what has worked well in talking to governments and perhaps what has not worked so well in talking to governments.  And if there are any other government representatives, I can talk a little bit about what Canada's experience has been with this and our rationale in doing some of the things that we've been doing.

So, first off, I think Tatiana mentioned the differentiation between the international and the national.  I think that's very important, and I'm going to return to that.  But she also spoke about trying to walk a mile in the shoes of the other person.  And that was actually a comment raised by a number of people there.  I think that's extremely important that when you're going to be trying to engage as Civil Society or private sector or academia with government, that you take an open and understanding approach and try to recognize the interest of your partner in government.  Certainly in democracies, the bureaucracies of politicians intend to do good so setting yourself up in an adversarial relationship isn't necessarily a way to achieve that dialogue that Gbenga was referring to and the success that he had with that.  Speaking of in terms of offering some advice to other government representatives, Canada is right now in the process of undergoing three different reviews that touch upon cybersecurity.  We're doing a national defense review.  We're doing a cybersecurity review and we are doing a national security review, all of which have elements of cyber in them.

And the government has committed to doing this in a very open and transparent manner calling upon all stakeholders to contribute ideas and comment on proposals of the government and it has been very effective both in soliciting very good ideas but I think also in demonstrating, as I say, the intentions and understanding of the government in this respect.  As Carl Bilt suggested separately, this also has good context in had a we call social license.  If the government operates without consulting sit ry, then its actions are not going to be well understood.  The process itself aids a discussion so that when a conclusion is reached everyone feels that they have an tenant to be a part of that and therefore tends to be more supportive of the outcomes that result, so my advice to government colleagues would be, this can be a very painful process but it is an essential process if you're to have success at the end of the day.

Now, just to turn to the international very briefly.  So in the international ‑‑ oh, one last point on that last.  I would point out that of course this kind of discussion goes far beyond internet issues or cyber issues.  We're starting to talk in the Canadian context about what we call participatory democracy.  All elements of imposts inside or outside the realm are open to the multistakeholder approach.  I don't know if anyone here was at the discussion earlier today on ICANN and the transition where Larry Strickling spoke very elegantly about the idea of trying to push the a multistakeholder into the domain of public policy.  I think that's something without calling it that under this rubric of participatory democracy and I would encourage people to look the a it more broadly and not just limit it to the cyber realm.

Now, just moving to the international.  Democracies are dabbling with participatory democracy but of course all the governments in the world are not democracies.  When we reach the international dimension, we are constrained by a system that has been established based on state sovreigncy.  Now, for better or worse, this is the situation we find ourselves in.  Now the democracies that participate in this system are looking to change this this to look for a more consultative approach, looking to ensure more voices are heard, but we are not the only players on the scene.

So I would encourage everyone to recognize the limitations that we, as governments, suffer under when operating internationally and what I would recommend to you, though, is to take every opportunity to engage engage where these opportunities arise.  For example, on cyber crime issues, the Budapest, the Council of Europe are opportunities to participate.  Engage in these processes.  The OSCE on site is also soliciting input.  You need to take advantage of these to make sure your voices are heard.

In order to do that, I would strongly encourage Civil Society to organize themselves in order to take advantage of these opportunities and to share best practices among themselves and how they deal with their own governments.  Because at the international level, as I say, in the situation that prevailed today, you are going to need to each individually intervene with your own national governments in order to ensure that they translate your voice to the international level in those situations where you aren't able to make your voices heard yourselves.  Thanks.

>> MATTHEW SHEARS: Thanks.  Can you pass the mic over to the gentleman over here who wished to ask a question?  If you can just introduce yourself.  Okay. If you can pass it back to the lady on the left.

(laughter)

This is like a game.

>> Hello.  My name is Karen Wise.  I'm from the mentioned Global Cybersecurity Capacity Center at the University of Oxford.  We are a research institution to look at what works in cybersecurity capacity building.  What works but doesn't work, what are good practices and one of our key outputs is the maturity model where we collaborating with the UIS, the GCE to look at countries in their capacity and different dimensions to see where we actually have to build capacity.  Also, to give donors and policy makers and organizations something in the hand where they can decide where we have to start.  That's one way.

We are also having a cybersecurity capacity portal.  Actually, also to help all the stakeholders to have access to the knowledge, access to good practice, avoid duplication, share the knowledge, and I invite everyone to look at it and invite everyone also to contribute and to send good practice.  What the portal also includes is what other initiatives worldwide, local and global initiatives we are doing together with the GFCE.  If you want to know, who are the players, where are they acting, what are they doing, it's a very good resource.

And, I think that's all, like this is our efforts actually to give something to the world to enhance all stakeholders capacity also to find out where they have to look and where they get the information from.

>> MATTHEW SHEARS: Thanks very much.

>> I just wanted to add something.  We prepare this portal, which is cybersecurity that come, in Spanish, is

(speaking non English language)

  Again, security observe.  I see an article on for that report.  We invite you to check all those indicators on how the is and to confirm something Michael was mentioning about Civil Society and private sector, I will say as well in our experience between governments, Civil Society, community, private sector, is importance of finding middle ground.  Not everyone is going to ‑‑ again, not everything is going to be perfect for all actors for all the stakeholders.  There is not going to be a perfect initiative so it's very important that as all our colleagues were saying here, we get into middle ground.  That way, we are humble and we acknowledge that we need to actually give up something to get to the final goal.

>> WALID AL‑SAQAF: I'd like to come back to the point of why cybersecurity is important.  Because the internet itself is built that way.  It was not possible that a single entity would control it so maybe one approach is to help bring awareness to officials, to government policy makers, to the people who are involved in processes to have them aware of how the internet works the principles, the basic underlying nature and structure of the internet and why they don't have an off and on switch, for example.  And why censorship doesn't work.  I've been involved in censorship p intervention for many years and they keep on getting surprised why people access the website.  I thought we told the guy to shut it down.  So this is a deficiency that we need to focus on.

>> Can you hear me well?  I would like to come back to the comment from the government of Canada because I really appreciate your comment about existence of these intergovernmental model which is based on the all systems test and interstate bilateral and multilateral negotiations.  I've been thinking about this for the past few years, and I came to the conclusion that we just have to accept this.  We have to accept that some of the models in cybersecurity will not be multistakeholder in the short, medium, and long term.  And multiple multistakeholder model and intergovernment model which are based on multilateral organizations, multilateral governments will exist.  We have to accept that while they're not multistakeholder and not inclusive, we still have to find a way to channel our opinions.  Just acceptance that this is the process.  As you said, there would be no perfect forum.  There would be no perfect solution.  We have to think process‑wise, not silver bullet wise.

>> MATTHEW SHEARS: Thank you, Tatiana.  Any other questions?  Anybody?  Yes.  Here we go.  All the way in the back.

>> I'm from Council of Europe and we recently had a very interesting experience.  There was a particular one recently.  Every one or two years I'm organizing a so‑called octopus conference where we can have a maximum of two or 300 people because the room is full.  Academia, law enforcement, Tatiana, Belisario.

>> TATIANA TROPINA: Last time I registered, too, the room was full.

>> We still let you in.  Anyway, experience was preceded by the cyber crime convention which is in the governmental, it's part of the Budapest government only two days and then three days the octopus conference and we just cast in the cyber crime conference a very difficult issue mainly about government society data in the Clouds and what are the conditions, restrictions, and at some point, we came to a stale mate.  We said, okay, we have to continue discussions later.  But then, two and a half days, Octopus conference, the same issue we discuss in a multistakeholder environment and I think there we came to a break through because we had in a way, Civil Society, private sector entities, data protection community confirming some of the points that many of the governments had made, but that other governments could not agree to.  And I think that helped so it's an at nation.  The discussion ‑‑ alternation.  The discussions will continue, but we have to have everyone in order to advance.  It's not a silver bullet.  It's iterative, a process.  Sometimes we need to coordinate better.  Last night, Belisario and I created a platform with two bottles of wine and many other things so we should explore all the opportunities we come across.  Thank you.

>> MATTHEW SHEARS: Wonderful.  If you could pass the mic to the gentleman over there.

>> Thank you.  Martin with the Form of Incident Response and Security Teams.  Within the technical community, within engineers, we have the saying that code speaks.  I had to think of that when I was listening to Tatiana at the very beginning because she mentioned something about doors actually opening the moment that you have conversations that go deeper than just being antagonizing and being aggressive to the other's point of view.  I've seen that happen in our community quite a bit where we have governments that typically don't like to cooperate and then they sit together, they realize they have a common problem and they actually find a way to work together.  So today, we see that some of the tools that were developed by members of the first community are being used by different governments that otherwise don't really have a lot of relationships in common within the technical community.  Or we see that they're being used by both technical community as well as private sector, for instance.

So, I think that's a very powerful message that those doors can be opened.  And I actually had a question for the panel.  I think we heard one great example from Nigeria where doors actually did open when those conversations started to happen, and I'm kind of wondering if we as a community can work together to put some of those examples on paper and actually make them available to others so they can see, okay, this is a place where it actually did work.  So I want to thank Tatiana for bringing that up at the beginning because I thought it was a very compelling message.

>> MATTHEW SHEARS: Thank you, because that is exactly what we're hoping to tee off with this discussion.  So yes, absolutely.  Tatiana, do you want to respond to that?

>> MATTHEW SHEARS: Yes, I think this is a very good idea because sometimes I feel like we are reinventing the wheel in different parts of the community or in different countries where we have already solutions that can be used, leveraged, discussed, we are opening the doors.  So good idea.  Thanks.

>> MATTHEW SHEARS: Is there anybody on the panel who wants to talk about a door‑opening event or experience?  No?  Okay.

>> I think ‑‑

>> MATTHEW SHEARS: Oh, sorry.

>> No, I will say like in the Latin American region, we see many opening doors.  Many.  (Belisario speaking).  Many opportunities.  And I really like your suggestion, and actually, we should move forward, move on, and I think there are multiple regular things in the stable and in this BPF.  Actually, we should try to put that together on a paper and try to capture all those best practices where the doors open and try to show the world.  I think that's a great idea, and it could be actually a great outcome of this session.  I'm modeling that to contribute.

>> NIELS TEN OEVER: Just on that, we have two informal rapporteurs, we're taking notes.  I don't think we'll have time to pull those together, but I will certainly be speaking on them on Thursday, the things that have been brought up today.  Marcus?

>> Thank you.  I was just going to pick up on Martin.  He forgot to say he would be moderating the best practice forum and we're very happy to have him as a moderator.  I'm the coordinator of the best practice forum and I enjoyed this discussion.  I especially liked Tatiana's comment on the fact that there are multiple venues and the governments from the Council of Europe do need a space where they can discuss among themselves, but it is important that they interact with other stakeholders.  This was very much the starting point when we discussed, what is the comparative advantage of the IGF and this is precisely the comparative advantage.  It brings the stakeholders together.  Yes, we know there's the global group of experts discussing among themselves, but they need to interact with other stakeholders to move forward.  And here, I think, can be a very good role for the IGF and this is essentially what we're trying to do with this best practice forum.  And this meeting here has been an excellent feed into the best practice forum.  Then we can reflect that also in the outcome document.

This clearly was not conceived as a one shot exercise but as a multiyear exercise.  The issue will not go away after one meeting, but it needs a sustained and sustainable effort.  Thank you for that, and I hope we see you all on Thursday.

>> MATTHEW SHEARS: If you can just bear with us because we started late, maybe just five more minutes and then we'll wrap up.  I know we're running over time.

>> Yeah, go ahead.

>> So, I think it's important to say this.  (Gbenga speaking).  Multistakeholder isn't about holding hands and singing Kumbaya all the time.

(laughter)

I think it's important to say that because I get that feeling.  I think when your friend is a real friend, they tell you the truth even when it hurts.  It's important also to say this.  As much as we seek cooperation, we're not looking for compromise.  There are values we hold as fundamental and dear about digital rights.  First, when is the eighth?  Sorry, I'm mixing up days and dates.  But on December 8th, right here we will launch a report on digital rights in Africa and we're calling out the Nigerian government and 29 other governments on practices we disagree with.  So I think it's important to say that yes, we will cooperate.  We will work together but we won't compromise on specific values, digital rights that must be respected.  I think, I just got a feeling that it's beginning to sound like Kumbaya, it ends and all is well.  Otherwise, we're going to pretend, move from the extreme of not talking to each other to deceiving each other.  There will be clashes.  There will be moments we don't agree.  We will work together, but when you step beyond the red line, we will speak.

>> MATTHEW SHEARS: Any other comments from the floor?  Okay.  I'm going to take two minutes, if I can balance my laptop on my ‑‑ so.  I'm the co‑chair of the Freedom Online Coalition Working Group.  A number of the members are in the room here.  I asked the Working Group members to jot down in a document what they felt the learnings were for them in terms of the workings in the Working Group.  Because we spent two years together.  We developed this set of recommendations on human rights and cybersecurity.  And I urge you to go look at them.  They've been supported by the freedom online coalition.  By the Canadian government, US government, Dutch government, and by a whole host of society organizations and businesses, to take a look at those.  So why did it work?

It's reinforcing some of the things said here.  Key criteria, focus attention and work in areas where overlapping goals exist, right?  Recognize and get clarity on constraints.  Be clear and open with regards to the motivations that you have.  Be constructive.  Build on existing agreed positions or supported text.  These are the kind of things that we found worked very well.  Yes, we absolutely did disagree on key factors when we were doing these recommendations and our ability to agree on things were parameterred by those disagreements but we found a way forward and common space and what we have was a constructive and incredibly useful product.  So it can work, but Gbenga's point, yes, of course, we still have position and we can stand ground on those positions but we can find common ground as well.

I'm going to turn to the panel.  Does anybody want to make any last comments before we wrap this up?  Again, I apologize for the room.  Thank you so much for bearing with us.  Round of applause for the panelists and for yourselves

(applause)

And hope to see you at the rest of the cybersecurity workshops and on Thursday.  Thanks very much.