IGF 2017 - Day 1 - Room XXIV - NRI Collaboration European National Perspectives on Securing Critical Information Infrastructure

 

The following are the outputs of the real-time captioning taken during the Twelfth Annual Meeting of the Internet Governance Forum (IGF) in Geneva, Switzerland, from 17 to 21 December 2017. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

 

(Static for audio)

(Audio technical difficulties)

>> MARINA KALJURAND: Governments have central role there.  But for the first time in the history of mankind can't provide the security.  Here comes private sector, academia, civil society and technical community.  And I think that's crucial that all these different communities are starting to talk to each other.  Not only talk, but listen to each other and cooperate with each other.  That was one of the findings.  Another thing where I think the governments and communities more widely are discovering is that international cooperation is crucial.  You might have your things excellently organized at home, but cyber does not have borders.  Cybersecurity does not have borders.  Which means international cooperation is crucial.  That is why discussions like this one are very important. 

And one more remark about the booklet.  As a matter of fact, I don't understand the last bullet.  It doesn't make sense for me.  For those who don't have the booklet, the last bullet says for human rights and security in cyber space, the convention on cyber crime is the basic document.  No, it is not.

If we talk about cybersecurity and human rights, we have various documents.  I say just disregard the final point.  Here Budapest convention is important.  If I have a couple of more minutes? 

>> Yes.

>> I understand our discussion will be about critical infrastructure.  I want to share ‑‑ I would like to share the discussions that are going on, on critical infrastructure globally, within the United Nations and also in other multi‑stakeholder forums. 

First of all, going to the United Nations.  I'm happy to see colleagues from the UNGG.  UNGG is the words that everybody keeps repeating.  It is the group of governmental experts that had its fifth session during 2016, 2017.  The group was discussing five fields, mandating to look into by the Attorney General ‑‑ Secretary‑General.  It is with the norms and applicability of international law.  The group failed to have a consensus report, because one of the fields, international law, was too challenging for some countries.  They were not ready to repeat what was already agreed by United Nations in 2013, 2015 that international law applies to cyber. 

Having said that, I would like to say the group had very good discussions on many other subjects, including protection of critical infrastructure.  I am really sorry that the report is not public.  Because I think that even this little section that we discussed and where we made progress should be available to a wider community. 

I know you are online and you might kill me after that, but I decided to introduce what United Nations discussed during the last GG session on critical infrastructure.  And I'll be talking about three norms.  Three norms that were first stated and written down in that report of 2015.  So if you go to the report of 2015, then you find, first, first norm, states should take appropriate measures to protect their critical infrastructure from ICT threats taking into account general assembly resolution on the creation of global creation of cybersecurity and critical information infrastructure and other relevant resolutions. 

What we wanted to do, go into more details and in this report tell international community what do we see, how does it seem, how it should be implemented in practical terms.  We came up with solutions, we saw the global culture of cybersecurity should include sharing information on best practices for protecting critical infra.  You should share information on incident identification procedure, incident handling tools and other methodologies, emergency resilience, lessons learned from previous incidents. 

What else was important this time we discussed in depth cooperation with other stakeholders.  Trust me, for a group of government experts in the first committee of the United Nations to discuss cooperation with industry, private sector, academia, civil society, it is a big thing. 

Here I see it is changing step‑by‑step and there is willingness to engage with other communities.  Second norm that was discussed in the GG and written down in the report of 2017 says that a state should not conduct or knowingly support ICT activity contrary to its obligations on the international law that intentionally damages critical infra, or otherwise impairs the use and operations of critical infra to provide services to the public.  There is no question that it forms the backbone of all of the services.  Any operation, any activity involving critical infrastructure using ICT should be analyzed and carefully thought through because the results might be unexpected.  And the results might be wider.  The results might be different from what expected at the very beginning. 

So all the states are ‑‑ should be encouraged to consider the potentially harmful effects.  Before undertaking some activity.  The final point to emphasize from 2015 says states should respond to appropriate requests for assistance by another state whose critical infrastructure is subject to malicious ICT act.  State should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infra from another state emanating from that territory taking into account regard to sovereignty.  We reiterated the due diligence which is known under international law, which states have obligation to stop malicious activities that are originating and transiting in the toward.  Even more important, we looked into assistance.  We have SOS in maritime law.  If I might put it literally e‑SOS in cyber.  Someone asks for assistance on how to behave.  In real life, it is easy.  In cyber, it is more complicated.  What does the request look like?  How quickly should the country response?  If not going to respond, how will they inform about not responding?  How to guarantee after responding that the country leaves the one who asks for assistance?  So on, so on, so on.  Very many difficult questions.  What we tried do in the GG is look into how this assistance should be provided and how assistance should be requested. 

So those were the discussions in the United Nations.  What I would like to encourage, now, as I made public what we discuss there, I think all forums have the right to know about the discussions, have the right to reflect on the discussions and have the right to take the discussions forward. 

Now, my final 0. ‑‑ I am not looking at you.  My final point.  How to take the discussion forward.  Estonia said I am chairing the global commission on cyber space.  It is a multi‑stakeholder platform with 28 commissioners from different areas and geographically from different places.  So we have commissioners from Berkeley to Beijing, professors, diplomats, hackers, industry, private sector.  Very different people on the commission.  And when our commission met first time, we decided to look into critical infrastructure.  Because critical infrastructure is something where, let's say people, experts in the field see the next attacks or next operations that might have serious results and serious effects.  And when we were considering what critical infrastructure should be on the agenda, we decided to look into Internet and we published our first call.  Call to protect public core of Internet.  So finally, I'm going to read out how we put the norm.  Without prejudice to their rights and obligations, state and nonstate actors should not conduct or knowingly allow activity that intentionally and substantially damages the general availability or integrity of the public or the Internet.  And therefore, the stability of cyber space.  It's available on our website, cyberstability.org.  Please look into that.  Please consider it.  And please be in touch with us.

If you think it is useful or if you think we have to write it in a better way.  And sorry for speaking so long.  I stop here.  Thank you. 

>> TATIANA TROPINA: It was a beautiful long introduction, I think it bringing us ‑‑ thank you, Marina.  It is different regional and national.  We clustered it into different issues like national security, national policy and frameworks, regional and global cooperation trust between stakeholders, capacity building new challenges, but critical information infrastructure.  Which is the main topic of this session is the topic which came up recurrently in almost every submission.  And this is why I am going to actually move to other speakers on the panel and ask them ‑‑ Vladimir, do you want to go to prioritization, first? 

>> VLADIMIR RADUNOVIC: That competency and capacity is key challenges.  When we were running through the national regional IGF, besides critical structure, there are many other that are concerns.  Such as educational framework, educational, regional cooperation, many others. 

One of it is things we wanted to ask you, actually is to try to prioritize the topics on your national level.  So these six are some that we took out from the inputs from IGF.  National policy operation framework, critical infrastructure, regional global cooperation, trust between stakeholders, educational, awareness, emergence of intelligence.  So while we move on, to hit the points of some of the IGF, I invite you to again, go to the same website.  Try to in a way, prioritize.  A, what is the relevance based for you and your national environment, what are the relevance of the topics?  Which are the most relevant?  Which are less relevant?  B, what are the reality on the national political agenda, the IGF, to what extent you discuss these six issues.  Try to see, is there a discrepancy between what we think on national level it should be a priority and what we think or see that is being discussed. 

So as we move on and I pass the floor back to Tatiana, let us know what you think.

>> TATIANA TROPINA: Thank you very much.  I think while prioritization is going on, I will see what we define.  Is there anything turned on?  Thank you.  What we could define as one of the present topics and discussions which in different jurisdictions and international level it presents different topic and national security, cybersecurity and national security and use of critical information infrastructure and critical infrastructure protection.  And we saw from the submissions that there are different debates, like for example, debate about offensive, and defensive capabilities in Germany ‑‑ oh, my gosh, I forgot to introduce our remote speakers we have Isabel Skierka from Germany.  And Ornulf Storm from Norway.  I will definitely give them the word.  Before, I think Germany would be in this cluster.  But before, I would like to ask speakers who are onsite to reflect on their approaches to national security and critical information and protection.  Particularly, I would like to start with the Netherlands and address the issue we identified about approaches to national security versus cybersecurity.  If you can cover this in relation to critical information infrastructure, just few points, how do you address this in your country?  Thank you? 

>> NINA LEEMHUIS JANSEN: Thank you.  Sorry for my voice, I seem to have lost it on the plane.  I hope it stays with us.  For the Netherlands, the process of defining the infrastructure.

It was a company that was not vital, at least not in our critical infrastructure.  It did influence a lot of government websites and processes.  This company was called diginoter.  It made the parliament recognize they need to do something.  And they started addressing a procedure for security breaches.  In 2006, we realized we needed to engage in a process whereby, with the organizations and companies to define critical assets in order to protect them.  We didn't look so much back then to the critical information infrastructure protection.  So we tried to rectify this in our update, in the updating of our list of critical infrastructure in 2014.  Then we took along critical infrastructure.  Up until now, it seems to be difficult to define exactly what assets, what processes within the critical information infrastructure are to be protected.  Then after the process, what is the best method to protect these?  We were asked to legislate and regulate the business.  At the same time, we want to make sure we don't lose out on the voluntary infrastructure sharing that was going on, that you need for good cybersecurity. 

This has been a process over the last few years in which we try to form our legislation in a way that it suits both critical infrastructure protection and full information sharing, whereby the information processed by our NCC security center, which is confidential and companies do not want to share, there are specific exemptions from the Freedom of Information Act.  This is one thing, they don't want to provide information and know what government will have to do with that. 

We tried combine these.  This process has actually only finished this year.  It will be brought into coming year when we have to really implement this directive European directive into existing law.  Only legislating is only one of the methods to make sure you secure your critical information infrastructure.  There are many more, but maybe you would like to ‑‑ I can take that upon in the next few questions.

>> TATIANA TROPINA: Thank you very much.  Actually, as we identify debate about critical information infrastructure versus quite a few speakers.  I would like to ask speakers before I call on Georgia, for example, or U.K.  Anyone want to jump in right now or from you to address this issue?  If not, Nata, maybe you can tell us about the debate in Georgia.

>> NATA GODERDZISHVILI: Absolutely.  Thank you.  It started from shaping such cybersecurity strategy.  We have a practice that countries, often, my country as well, shape approve the strategy and it not really working. 

How we started, we started to align the strategy with the security as much.  We started with threat assessment document.  We identify that for Georgian population, information society, cybersecurity becomes the really national security challenge.  And for starting from that perspective, we align cybersecurity with national security concept and we align critical information infrastructure with critical infrastructure protection so the core principles of protection and how we do that is in our cybersecurity strategy.  We strategy we align the regulatory and legal frameworks attached to that. 

We have different lists.  We have list for critical physical infrastructure and separate lists for critical information infrastructure.  Again, I'm from a country where the most attacks comes to the state, state critical infrastructure because the cyber, the data theft from government sector is in big, big quantities, rather than attacks on private critical infrastructure.  So the government decided that we adopted first the lists of critical information infrastructures in the government sector.  And we have policy standards, technical requirements as well as the regulatory requirements for those 39 government institutions.  Rather than with the private sector and private information infrastructure, we have more softer approach.  We don't obligatory tell them you have to follow the standardization.  But rather start looking at public sector and adhere to those rules voluntarily.  This is the approach from Georgia that we started from government critical infrastructure and moved softly to the private critical infrastructure.

>> TATIANA TROPINA: Thank you. 

>> VLADIMIR RADUNOVIC: I wanted to see how many of you have defined from the national framework, what is the critical infrastructure structure, how many countries do you have defined in the national framework?  And the others don't know or you don't have it?  So how many don't have it defined?  Now, I'll start for presenting my country at well, at least.  Huh?  Okay.  So still this is one of the issues we have to discuss, to how do we define.  Maybe the Georgian experience can be a good one at some point. 

>> DAVID RUFENACHT: Maybe we have defined or had a strategy that is finishing this month. Switzerland will be adopting the second strategy in the spring, if all goes with.  With the critical infrastructure with the dependency on society with the Internet and IOT, it will be what is critical infrastructure?  If suddenly cars have converged systems that are controlling the traffic, those might be considered also as a critical infrastructure.  I don't think it is one time we can define everything.  So we have to follow the evolution of the Internet. 

>> TATIANA TROPINA: Basically, if I look for example, at list of prioritizations, I see emerging challenges somewhere in the middle in terms of relevance.  But not that high into the national agenda.  But yeah, I agree with you.  Is there anyone onsite that wants to jump in right now about the definition of critical infrastructure?  Because I would like to move to our remote speakers.  Are they online?  I would like to ask Isabel, first, if possible to talk about a different aspect of the national debate.  We found it interesting and did attribute to national security and critical infrastructure but more about offense, defense, and offensive and defensive capabilities.  So if Isabel is online and can speak, because she's from ESMT from digital society institute.  She will be here a little later.  Isabel, if you can jump in and talk to us a bit about this issue?  Yeah, okay.  Can you hear me?  We will give it a try in a few minutes.  Okay.  So maybe we can ask Nick.  Do you have something from the U.K. perspective? 

>> NICK WEBAN‑SMITH: On behalf of the U.K. AF.  And dealing with describe threats dealing with parts of the IGF meeting in the U.K.  Two of the substantive seven topics were on this subject.  It was a big area for us.

I would like to start with a story about our deputy Prime Minister who has been suspended from office because his computer ‑‑ his office in the House of Commons was found to have pornography on it.  He said he is innocent, and it is a common practice among the parliamentarians share their password.  In fact, the people making the laws, up to the Prime Minister, commonly share their passwords with everybody else.  So one of the key topics of discussion was really about education and about the skilled shortages about dealing with the challenges of the infrastructure.  Really, a lot of the big problems that we have experienced in the U.K. have been quite unsophisticated low‑level attacks.  We had earlier this year, a ransom ware attack.  47 hospital groups, pretty much 2/3 of the U.K. hospitals were affected because they didn't have basic security upgrades on their computer systems, which made them vulnerable.  It is a known vulnerability, which has been there for a number of years.  But as a result of this, thousands of operations were canceled.  Massive disruption.  Major, major, major topic, really quite a sort of simple thing.

In terms of the national strategy, one of the things that we have done is to really try to improve the basic awareness and skills of people across all industries.  I know we spoke about whether it's I.T., in critical infrastructure or infrastructure, which is critical.  So in the U.K., we don't have a distinction.  The cybersecurity strategy has identified 13 sectors, and that is from transport, obviously include autonomous vehicles, health systems, energy generation.  All of these areas are now increasingly reliant on computers.  And computers which ‑‑ some of which are legacy systems and were not designed for the situation where you actually have cyber threats.  So we have a big problem where, actually, upgrading the systems to make them more resilient is in itself a threat.  It requires testing, it involves down time and actually has a massive operational impact.  So in the U.K., we're on the second of two five‑year national strategies.  The first strategy was essentially leave it to the market to try to solve of some  ‑‑ solve some of the problems.  That was decided to be a failure.  The second strategy was government led.  The second is up now, just had the first 12‑month review.  It is very much getting up an running but seen as being a coordinated and successful way of handling that type of problem.  So in the U.K., specifically around defending against known threats, deterring threats from happening by building better systems in the first place.  And generally trying to provide a coordinated focus point for the rest of the country across all sectors. 

>> VLADIMIR RADUNOVIC: If I may have a question.  Looking at the U.K. IGF, and the discussions you had, you did have discussion on the things and threats of future emerging technologies to critical infrastructure in general.  Were there any specific points you wanted to share on that bit? 

>> DAVID RUFENACHT: It is an interesting discussion, but the reality is there is no disruption to autonomous vehicles at the moment because we don't have any to disrupt.  It is more about the hypothetical we will have them shortly and design the system.  We're trying to future proof future technologies network the way, for example, our health service and power stations are not future proofed when we introduce the new technologies, they have to have it by design.

>> VLADIMIR RADUNOVIC: That is the point.  We are present looking at what is coming, but we should look into the future.  Marina? 

>> MARINA KALJURAND: I think it is a big mistake to look at what is happening today.  Government societies they have to start thinking out of the box and have to start looking into the future.  That is why ‑‑ I don't know if somebody from Finland is here.  At the moment Estonia and Finland are working on a draft law to regulate the status artificial intelligence.  In Finland, Alicia T is sitting on the board of a company theater.  She has the right to vote and participate in the discussions.  She is already there, although there is not law yet.  We have to come out of the box and start thinking today and not only thinking, discussing, writing the laws and strategy documents how to regulate tomorrow.  Because tomorrow will be in five minutes.  We don't have 40 years like after Internet was introduced to us. 

>> TATIANA TROPINA: I think we have someone from Finland.  Would you like to comment or not? 

>> My name is (?) That is true.  They have artificial intelligence on the board.  I think it is, personally, more a publicity stunt to have that there to promote services and products.  Anyway, it is an interesting way to think how artificial intelligence can support the board work.

>> >> This is a panel about the infrastructure, what discovered, the whole supply chain is not defined as critical.  If you look at the IOT, it is not defined as critical infrastructure yet.  In your procedure, in your policy, you should take into account, how are you going to work around this issues?  Our national cybersecurity center has a constituency, which means it is government and critical infrastructure so they cannot share or act or react for a small or medium sized companies or citizens alike.  We have tried to at least establish in the coming years is digital trust center where all stakeholders can get information and share information.  And we can build on sectoral information sharing, analysis centers in order to get all stakeholders to get more information or protect themselves, because this critical infrastructure is indeed what we're focusing our policy on right now, but mostly not the challenge for the future probably.

>> TATIANA TROPINA: Thank you very much.  I have two questions.  Are there any intervention from you and second question, is there any remote speakers online?  Did we manage? 

>> VLADIMIR RADUNOVIC: I think we have Isabel now.  Unless she's in the row outside, waiting for registration.  Isabel, if you can hear us?  The floor is yours.  Nothing yet?  Should we move on.

>> TATIANA TROPINA: I think we should move on.  I'm sorry we couldn't get remote speakers engaged.  If there is any opportunity for you, you can just read the submissions, I think on the session page.  But I would like to move further, because we still have few speakers left and few issues to discuss.  Su Sonia Herring from the SEEDIG.  Would you like to update us on the issues are discussed with SEEDIG.

>> Su Sonia Herring: Of course.  This is southeast European dialogue on Internet governance.  It is a stand‑alone event for the last three years.  Usually, we have at least 15 or 16 countries from the region each year present at our annual meetings. 

We had sessions focused on cybersecurity both in 2016 and 2017.  And I've been watching the NRI topics for relevance, reality here, number five, education and awareness and also emerging challenges was also among the topics that were discussed and highlighted at our meetings. 

Other highlights and key messages would be from our sessions in the last two years are our participants feel strongly about accountability, both by government and especially by security services or software providers.  So they feel there should be stronger accountability on their part, especially this year out, talking about widespread attacks like wanna cry, and that sense, two stakeholders we focused on was software services and also the user's responsibility in preventing this.

One of the key messages says the weakest link can be the users.  That is why awareness and education is top priority.  As you already heard everywhere you're only as strong as your weakest link.  Our focus was on the users.  And also, security by design was another highlighted message.  And the role of governments was repeatedly talked upon.  More collaboration, more dialogue on the high level, higher level between governments and the private sector and the public was pointed at as a solution for these problems. 

And one last thing that was highlighted both years was the importance or the debate between security and human rights and how in the SEE region, when security was the topic, how always rights take the backseat.  So that was pointed at as something that needed to change.  That is something that we needed to focus on more, especially from the civil society stakeholder group.  And if I may very shortly, I would also like to talk about Turkey. 

There is a single message ‑‑ SEEDIG, I come here as a researcher that is active in Turkey, I would like to talk about how it is there.  Maybe you have heard, we have had quite a bit of cyber attacks and leaks in the last few years.  And like one of the biggest ones were where 40‑plus million citizens' information was leaked.  It wasn't a big orchestrated attack because it wasn't well protected. 

Since the last few years, there is no streamlined approach or strategy, but always talk of creating a cybersecurity center that will be completely national and to be frank, it is a propagandistic approach to it.  When you look at the implementation, it isn't there.  I just wanted to lightly touch on that as well.  Yeah, thank you. 

>> TATIANA TROPINA: Thank you very much.  Is there any chance to try our luck last time with either Ornulf or Isabel?  The remote speakers, let's try Isabel again or Ornulf to see if it might work. 

>> She's speaking but it doesn't ‑‑

>> TATIANA TROPINA: So I'm sorry for the interruption.  Is the problem on our side? 

>> The problem is our side.

>> TATIANA TROPINA: Our side?  Then my sincere, sincere apologies to our remote speakers.  I really wish we could have the technology working better.  I think we have the last contribution from Albania, could you please update us on Albanian approaches on these issue. 

>> I am commenting on behalf of Albania government and IGF, I would like to make an overview of cybersecurity issues in Albania.  Albania is in the southeastern Europe region and this region is dealing with cybersecurity for some years ago.  And Albania is firstly approving the cybersecurity agenda on 2014.  Since that year, we have established some governmental institution about national security and after that, we produce a policy document dealing with cybersecurity.  And earlier this year, we have proven the cybersecurity which is the first cybersecurity law for the country. 

After we approving this law, we're launching critical infrastructure definition.  We are focused and identifying the critical infrastructures that are in fields of energy, health, financial, transportation, industry, government sector, and environment. 

And now, the most critical thing and the most challenging one is the corporation ‑‑ cooperation with the multi‑stakeholder groups.  This is most important.  We need cooperation initial level, but in order to go forward, we need to have very good cooperation in regional and international level.  And also, earlier this year, we'll launch the Albania IGF and one of our focus session will be cybersecurity.  With this IGF initiative, we'll have the opportunity to have discussion with stakeholder groups and see what is going on. 

>> TATIANA TROPINA: Thank you.  Actually, this brings a nice segue to the second question we have at our session.  Namely, how national and regional Internet governments can contribute to the issue?  And can they contribute at all?  Before we move there, can you update us on the relevance and reality? 

>> VLADIMIR RADUNOVIC: I think it is similar to what the speakers have in mind.  Education is the top relevant issue on the international level.  It could be better or higher on the agenda.  On the other hand, the emerging challenges seems a little bit less relevant.  Okay, we learned that this is something we have to have in mind.  Probably because of the other, which are more burning issues, we're not focusing that much on the emerging challenges.  It is interesting that ‑‑ in reality, emerging issues are low on the agenda, not discussed that much, but we see that the regional cooperation, and national frameworks are higher on the national agenda.  That is something that is already mature in discussions on the national, regional level.

Okay.  I will switch to the open board.  So this is basically sort of a Twitter‑like space.  Post comments or questions on your own, whatever you wish to address or question or debate.  And I think we can move on to the final question.

>> TATIANA TROPINA: I'm totally lost with the microphone, how to switch it on and off.  Also, if you have thoughts, even yes or no, can regional IGF initiatives contribute to the cybersecurity debate?  Cybersecurity dialogue, so on?  If you have a short idea how, just put it there.  Or you can raise your hand or put it there, but we really would like to see your input, especially if you made it to this session, it is the first session of the first day of the IGF, so you probably have some thoughts about this.  But I would like to go through the panel first, unless we have any intervention from you on this topic about national and regional IGF or any other topic. 

Dear speakers, do you believe that IGFs, the national, regional government initiatives can substantially contribute to the cybersecurity issues?  On many occasions the venues are closed.  And if you think this is possible, how?  How do we frame the debate?  How do we bring the issue?  You know, issues forth and back from the issues to the national policy level and back?  And I think I will just start, you know, with the order from that side.  Please? 

>> NINA LEEMHUIS JANSEN: What I said about organizing trust, I think that is what they can do, they can provide a platform where multidisciplinary experts can participate in a debate and help us bring our policy further.  Our national IGF, it is organized several meet ups around specific themes, for example, on encryption, we had quite a strong debate in the Netherlands and at least this platform, all the perspectives were tabled.  You can really sharpen your own policy that way.  I think that is one of the most added ‑‑ the biggest added value of the national platforms.  Yeah.  I'll leave it at that.  Thanks. 

>> TATIANA TROPINA: Thank you very much.  David? 

>> DAVID RUFENACHT: I think we touch on different things.  The multi stakeholder approach, we're watching information ‑‑ we were speaking about hospitals.  My job is to speak with hospitals and critical infrastructure.  I learn every day.  I don't know what is going on exactly in the domains.  Having a forum to discuss, what is a cybersecurity for hospital, what is a problem for them, how does that function?  Getting that information helps us better secure society in general.  I think having a forum for us where we can discuss these things and learn how each industry or which parts of the industry are dealing with cybersecurity, what are the issues?  Is it the confidentiality or integrity or availability?  Each have their own priority.  Learning critical processes, the technology they're learning and future challenges, that would be a good approach.

>> TATIANA TROPINA: Thank you very much.  Before I move to marina.  Give a last try for Norway.  Can we connect Ornulf, I'm sorry, Sandra.  If there is any chance our remote speakers go to 279126 or see it posted in the chat, you answer this question briefly.  We want your input, something is not working on the technology side.  Marina, could you please follow up on this? 

>> MARINA KALJURAND: Well, I come from a country, it is called e‑Lifestyle.  e‑Independent.  We have been online since the '90s.  I don't think it is possible without talking and cooperating with all different actors in the field.  Maybe in this discussion I am privileged because I have seen it works.  I would like to encourage everybody to start the forums in one form or another finding the right forum, participants but being as inclusive as possible.  Today, when we're talking about critical infrastructure, private sector owns infrastructure.  Private sector is one providing online services.  How can we cooperate without them.  Civil society, coming from a country that is independent, it is important for us also to have human rights on agenda.  So online services and the same principle, human rights online equal to human rights offline.  Civil society is needed there.  I don't see other way of being successful in these discussions, than including as many stakeholders as possible. 

>> TATIANA TROPINA: Thank you very much to Nina, David, and Marina.  I would like to invite Nata to comment.

>> NATA GODERDZISHVILI:  Thank you.  We identify cybersecurity is a team sport.  We need every stakeholder to be engaged and share information.  This is a knowledge‑sharing platform.  We also gain some fruits out of that.  From last IGF Georgia small and medium had a memorandum, how to share information about incidents and what kind of platforms we use for that.  Also, we provided small trainings for the information society about information and cybersecurity.  So we use much of this platform.  It is the proper way in our reality.

>> TATIANA TROPINA: Anyone that ask the question how do we issue the IGF, I think Nata just said how they measure that in Georgia.  This is a good example.  Sonya, you are next in the queue.

>> Su Sonia Herring it is a bit of repeating.  From the SEEDIG experience and youth IGF, the regional subregional are the perfect place.  As people mentioned before, these are usually very closed off discussions.  It is hard to get information on as earlier said, some of the reports aren't even made public.  So I think it's the perfect place to talk about this and both build capacity and awareness.  The more defense stakeholder groups you build together and strengthen the dialogue, although it may not be immediately measurable, it definitely has short, long‑term effects, and I think all the meetings and sessions focusing on this, we will see the positive effects in the near future of it.  Because you have the technical community, governments, civil society, other stakeholders, they get to hear different aspects of things they wouldn't normally be exposed to.  I think NRI definitely have value to contribute to the discussion.

>> TATIANA TROPINA: Thank you.  How do you walk the walk and talk the talk at the U.K. IGF

>> It is definitely the case that the opportunity to share information and for the technical and governmental people who are implementing national cybersecurity strategies can hear.  For example, when they talk about network monitoring as a countermeasure against threats that are real and present, they can hear the concerns of civil society about civil rights infringements and human rights.  We're in the post‑Snowden era, citizens are concerned about security, but extremely concerned about government monitoring.  It is a good point, they may not agree with each other, but that is the whole function of these IGF meetings, you can get good dialogue and exchange opinions in a fairly nonthreatening manner.  That is really helpful way to socialize the more difficult areas, I think.

>> VLADIMIR RADUNOVIC: Isabel is landing.  She has an avatar.

>> I'm going to read.  Cybersecurity is highly political in Germany.  The possible defensive about the capabilities highlights different dimensions of cybersecurity.  The security of information technology, critical infrastructure and individual users on the one hand, ITC and national security on the other hand.  Two events have fueled the rise of cybersecurity to the top of the political agenda and the Snowden revelations and attack against the parliament in 2015.  And the expansion of hacking capabilities is cause for growing public debate is about the government's role in cybersecurity.  With the rising number of cases, now challenges law enforcement, due to increasing use of technologies and growing threat for German industry.  The government has expand this defensive hack. 

With rising number of cybersecurity cases, increasing use of encryption and growing threat for German industry, the government has begun to expand the expansive hacking capabilities.  This is cause for growing debate, which will continue into the new government soon to be formed.  The IGF Germany November 15, 2017, we took up this debate and discussed lawful hacking by government as well as secures the Internet of things in different sessions.  Responsibility for cybersecurity in Germany is not centralized in the government.  The ministry of the interior is the most important agency since it oversees the federal office for security.  As well as the police and domestic intelligence agencies and newly founded hacking agency, the ministry of defense assumes the increasingly important role.  The foreign intelligence service is active in cyber space but disparate.  Apart from the industry, cybersecurity is no multi stakeholder policy domain.  The government agency, the ministries have a closed grip on the issue.  Germany has adopted two cybersecurity to date.  The first adopted in 2011 has a clear presented civilian direction.  It is the basis for the establishment of the national cybersecurity council and national cybersecurity center, which is supposed to be a cooperation platform for all security agencies under the supervision of federal office of information security.  The national cybersecurity center has been ineffective so far with only around 10 employees, but will be strengthened on to the new strategy.  In the second Germany cybersecurity strategy from 2016, military cyber defense plays a much larger role.  The strategy adopted a holistic view of offensive security.  The German minister of defense established the cyber command which comprises around 15,000 members in total and encompasses everyone with ground and research cluster.  Overall, the government is currently expanding its offensive cybersecurity capabilities with the establishment of a military cyber command in 2016 as well as the establishment of a central office for information technology in the security sphere, which will develop hacking tools as an independent research agency overseen by the ministry of the interior.  At the same time, the German government is pursuing the goal of strengthening ITC security in critical infrastructure and the Internet of things.  The federal office for information security is overseeing the Germany tic security, is expanding, albeit not enough some claim.  It is being overseen by the ministry of interior.  The German government adopted the laws for critical infrastructure. 

>> TATIANA TROPINA: Thank you very much.  So we have input ‑‑ Vladimir ‑‑ I know that we have to wrap up.  But I would like to ask question to Marina because we don't have a lot of time, but I would really like to ask this question.  Just to bring the debate home from where we started. 

As someone who participated in GG and was in the thick of all the national security issues, do you think there is a way to marry those issues what we are doing at the national IGFs?  Is there an easy way to do this?  Is there any solution which will work for everyone, every country globally?  Or do we have to all go our different ways? 

>> MARINA KALJURAND: Very good question and you want me to answer it one minute.

>> TATIANA TROPINA: Maybe two? 

>> MARINA KALJURAND: Yes, we have UN general assembly resolutions, but it is defined by each international state.  Can we learn from each other?  We can.  Should we learn from each other?  We should.  No question.  There has to be cooperation.  The more we cooperate, the more we know about each other's systems.  The less there are possibilities for escalations because of not understanding what we're behind, different incident, definitely. 

Will states talk to IGFs?  And will the next GG or whatever is going to happen next time include civil society?  I don't think so.  I don't think so.  And that's okay.  I think that states have the right to have their own fora within the United Nations.  But they have to cooperate with others. 

I said last time we discussed the approach.  They're all mentioned.  Looking at the discussion in the room, I think it will be easier for industry to get into the discussion because governments depend on industry much more than on other multi stakeholders.  But smart governments discuss at home and internationally with all multi‑stakeholder. 

Even if there is not an established way of cooperation with civil society, IGF, I would say we should do it anyway.  And we should continue sending our messages to government and then the same finish example.

Is the industry that is forcing government to start drafting the law.  So civil society has the same power and there is a power to influence government in looking into cybersecurity.

>> TATIANA TROPINA: Thank you very much.  I will ‑‑ is there any comment?  Question?  I will pass it Vladimir.

>> VLADIMIR RADUNOVIC: From the Germany IGF, the hottest topics can be brought there topic.  They're as an example, you see the increasing transparency of the government and armament, it popped up.  It is fine, as marina said the governments have their own fora and technical community, the merit is putting them all together.  The question I leave open here is to what extent we really have governments at the national IGF and passing it somewhere beyond.  We don't have time to respond to that, but it is worth thinking. 

>> TATIANA TROPINA: Thank you very much.  And do we want to wrap it up now?  Because we are out of time?  Anyone wants to add anything? 

>> VLADIMIR RADUNOVIC: It is interesting points raised.  It is a pity you are not taking the mic.  That is okay.  That is the point.  There are comments about more transparency, openness of governments to talk to private sector, including about sensitive issues like critical infrastructure.  Need for instant response mechanisms like Norway.  And then we had that we need to bring in more sectors that might not be included like health, as we heard from U.K., SME, schools, so on.  That robots will take us over.  That is also a good one.  The question that I read is to what extent the governments are actually involved in the IGF.  Yeah, there are more.  It was quite useful.

>> TATIANA TROPINA: I liked the one about the robots.  Seriously.  Whoever wrote it, it's nice.  (Chuckling).

So if there are no further comments or issues, I think we are five minutes out of our time.  So I would love to thank our wonderful speakers.  And all of you who contributed to these boards, because it is very interesting for us.  I believe for the national regional initiative, as well, to contribute.  And thanks to Sandra for bringing us together and organizing this session.  Thank you, Sandra?  You want to say something? 

I have not been updated on this.  I am probably making it up.  You all have pieces of paper that look to me like onsite feedback form.  There is an evaluation form, like how do you like this session, did this session present good content.  Here since it is anonymous, you can be so honest.  You can't be always honest, but here you can.

Fill it in, say yes or no, give it back to Sandra.  Give it to Sandra.  She's sitting over there.  Thank you all very much. 

(Applause)(

Session concluded 10:38 a.m. CET)