IGF 2023 – Day 0 – Event #63 Call for action: Building a hub for effective cybersecurity – RAW

The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***

 

>> JANICE RICHARDSON: Good afternoon, everyone.  Today we're here to talk about, well, to call for action, Building a Hub for Effective Cybersecurity.  We are going to briefly introduce you to the speakers, but before I begin, I want to warn you that we have a couple of questions for you.  We'd like to know your viewpoint.  Therefore, have your mobile phones at the ready to respond to the questions.  So I'm Janice Richardson, French‑Australian.  I am chair of the education and skills working group, and let me hand over to Wout, who will introduce himself and the speakers will introduce themselves.

>> WILLIAM DRAKE: Yes, thank you, Janice.  My name is Wout de Natris, I'm the coordinator of the coalition internet security safety of the IGF.  I was supposed to moderate this session, but unfortunately they brought the two sessions today at the almost same time, so I'll be dropping out quite soon.  And Janice kindly took over the moderation of the session.

I think that is enough introduction for me, so I'll hand over the microphone so everybody can do a very fast introduction of themselves.

>> JANICE RICHARDSON: Let's begin with Anya.

>> I represent NASK, which is National Research Institute I'm coordinating their Safer Internet Centre since 2006.  And we do awareness activities, we also have the hotline and help line that we cooperate with the NGO that we have a center with.  Thank you.

>> MACIEJ GRON: Hello, my name is Maciej Gron, I am ‑‑ work for, also for NASK, I'm a lawyer, I deal with the regulation especially in the cybersecurity.  And also the cooperation of the universities.  Thank you.

>> I am from the PWC Japan, and my focus is manufacturers, IT devices, and I'm facing all the Japanese manufacturers and the hiring the students or something like that.  And it's nice to see you guys.

>> Hello, my name is ‑‑ I am from Gambia, chair of the security committee, and I also work with the university.

>> I am a Brazilian, I am the vice chair of the youth standing group and I also work in cybersecurity field as the tech lead for development of cybersecurity twos.

>> JANICE RICHARDSON: If we can pass it along to the other side, and introduce the rest of our speakers.  And we do have one speaker online.  Is Emanuel ready to introduce himself?

>> My name is Dennis, I'm from the United Nations Department of Economic and Social Affairs.  I mostly cover e‑government and IGF in my work.

>> Good afternoon, my name is Sela, I work with NASK in cybersecurity prevention department.  And I mainly am involved in children's safety project.

>> LARRY MAGID: I'm Larry Magid, CEO of ConnectSafely in Silicon Valley.  We work in the area mostly of child safety, but also safety for all stakeholders, as well as privacy and security.  And if you see me typing, I'm not checking my email, I'm the rapporteur, so my job is to try to remember some of what happened today and summarise it at the end.

>> JANICE RICHARDSON: Wout ‑‑

>> Good morning, I am the executive director of Latin America internet association.

>> ‑‑ I do cybersecurity education and research, and I also lead some cybersecurity training programme for industry.

>> JANICE RICHARDSON: Thank you.  ‑‑ no.  Okay.

What can I ask you to tell us a little bit about the IS.

>> WOUT DE NATRIS: It's a dynamic coalition within the IGF system.  And we announce ourselves in ‑‑ at the virtual IGF of 2020.  And we made sure that we have something to report on and plan in 2021 in Poland, and last year, we ‑‑

>> ( off microphone ).

>> WOUT DE NATRIS: I'll use this, maybe.  It's better, I think.  Thank you all.  I have no clue if you can hear me or not.

So in Poland we introduce our plans, and last year we had our first presented which was made by Janice Richardson and her team on education and skills.  And this year we'll be presenting three reports, and the announcement of another tool.  So we are really hitting our stride more or less.

What we are going to discuss today is that it's very nice to have a digital report, a fairly obscure website called Internet Governance Forum, but how to actually make sure that it moves into practice.  At the coalition we want to make a difference, and not just have a nice report out.  And what Janice is going to present on today, and we're going to discuss together today, is an idea of cybersecurity hub.  That's where I will start work and my ‑‑ that part of my introduction, and not to take anything away from Janice.  But how do we actually start moving?  The question we face as IS3C is how do we move from theory to practice?  That goes for all working groups.  We have a working group on security by design of the Internet of Things, that produces a report in two days' time in our coalition session.  We have one on procurement, government procurement, supply chain management.  How are those ideas going to be translated into actions or the government start procuring ICT in a secure way and not in an insecure way.  We have a tool that is going to be developed to help them with that, so that they have a list of the most urgent and important internet standards and IST best practices that they can start using when procuring.

I'll stop there, there are more working groups, one that is going to start hopefully is on emerging technologies.  What we're discussing today is the report we produced last year.  On tertiary cybersecurity education.  What we found is that the curricula most universities and higher education schools do not match what industry demands from them, let alone what society as a whole demands from them.  And this is a gap that needs to close.  And it needs to close in a few different ways.

Obviously it's the content of these education curricula, but what about facilitating a mid‑career change for people who may want to start working in cybersecurity?  How to close the lack of experts in gender and how to make it more attractive for youth to work in cybersecurity.

And that is something that is being discussed for probably two decades, but the gap is not closing.  And we have some ideas to close that gap, and that is what we will discuss today.

But how to proceed?  We think that it's important to bring the right people together, to create the context wherein people can start discussing this, on an equal level.  And what better place to do that is the IGF.  The Internet Governance Forum is one of the only organisations where no matter if you're from governments or just somebody with a private interest in the topic, can discuss at the same level, at the same amount of importance, and equality.

So how to bring these people together and get them out of the silos.  How to get it to work that's been beyond reach and how to motivate people to join.  How to find funding for this important work that determines all of our future.  In this workshop we cooperated with InSight, as well as NASK, we presented the concept of the cybersecurity hub.  The hub where corporations start and concepts are turned into actions.  And capacity building is developed and supported.  In this session, you will be invited to share your views after the presentations of our panelists, and unfortunately I cannot be present for the whole of the workshop due to the schedule issue that could not be solved.  So I wish you a fruitful discussion, and I certainly look forward to see your input online when I look at the session.

So instead of being the moderator I'm handing the Mike tone to Janice, who will take the rest of the session, and when you leave, you know why I have to excuse myself.  Thank you have etch, and I hope you have a very good session.

>> JANICE RICHARDSON: Thanks, Wout.  As he said, if you wish to intervene after each speaker, you can.  You can ask questions, we would like this to be an interactive session.

I'm going to tell you a little bit about the study that we did in 2021.  We managed to reach 66 countries, we began by 30 interviews, from countries as far flung as Australia, Nepal, the United States, and of course many centered around Europe.  What did we learn?  Firstly, from people from industry and business who participated, we got a very clear idea of the profile of what they're looking for in cybersecurity.  Firstly, creativity.  Of course critical thinking, that's top of everyone's list.  Team work seemed to be extremely important.  But holistic thinking, this was the complaint ‑‑ young people who leave university who come to the workforce and not holistic thinkers.  They do have good communication skills, this is very important.  They are insufficiently diverse.  Women are not joining the workforce.  Young people don't seem to be very keen, in fact, to be part of the cybersecurity industry.  We got quite a different picture from the people from education who participated.  Yes, they agreed critical thinking, they agreed in theory but where are we in practice?  They seemed to place a lot of focus on coding, on learning about specific products, and I'm glad to see that many of us agree here.

But industry points out, they are not teaching young people how things function.  Young people arrive, they do not really understand how the internet works, what is the backbone of the internet?  How does cloud security work?  All of these issues remain the gap, I would say, between what industry wants from people who join the workforce, and what tertiary industry is putting out.

Of course we know what's happening, companies are training their own young people, school levers, but this leaves us with a workforce who know today's products, but they don't have the very broad education base to permit them to adapt to all of the changes.  And we've seen so many changes over this past year even, with ChatGPT and all is the other technology that is rearing its head everywhere.

What is the cybersecurity hub we're dreaming of?  It will be a place where industry and tertiary education sector are present, and as an educator, I would like to say that all education could be ‑‑ should be present because if we don't learn how things function from a very early age, we're not going to jump in and learn when we reach our teens.

We need authentic resources for young people to learn with.  And this could be an area of exchange also.  We need to understand the best practice.  For example, in Denmark, they're already doing something like this.  So how can we do it at an international level?  As Wout said, who are the people who should be involved?  How do we get them around the table?  These are some of the questions that we're hoping to answer during this session, and we're hoping that you will participate now, but as we move forwards with this cybersecurity hub.

I'm going to continue the discussion, unless anyone has any immediate questions, by handing the floor to the team at NASK.  NASK has been our partners way back since we actually created the Insafe Safer Internet Network, Safer Internet Day, et cetera and once again, they've been our partners in the report, in the study, and as we move forward.

Can I ask you to tell us a little bit about the experience in the field of NASK?

>> MACIEJ GRON: Thank you very much.  I think that we are one of the few stakeholders that are ‑‑ who came to the global IGF straight from the local IGF.  Just this Wednesday we had our local IGF in Poland, and that's because we have ‑‑ are lucky to have a stop over in our home city also.  But I can ‑‑ our IGF in Poland, there was almost ‑‑ 800 registered people, and the first time in ‑‑ the youth IGF constituted the majority of participants.  So it's a big difference, and this year was really fantastic.

Before I talk about our experience on building awareness and education, I will tell you a few words about the NASK.  Because the NASK, which is the National Research Institute who has connected to the internet over ‑‑ today it is a register of internet domains, but also we are responsible for many issues related to digitization and especially cybersecurity.

We are ‑‑ in our National Cybersecurity System, we are Computer Security Incident Response Team.  And we are responsible for cybersecurity for everyone except military and government.  And that's why education and building awareness is for us very, very important.  And the last years we have ‑‑ we trained thousands of people, we have our ‑‑ secure VIP training, and there was more than 1,700 training sessions had over 3,000 people.  Individual and multiperson training.  We have trained members of Parliament, of government, ministers, independent authorities, like financial supervision commission and others.  We also train local government authorities, recently we have also started training in the healthcare centers.

We also have a large influence on the legislation of the legislation, we work out of our opinions and recommendations to the ministries, Special Ministry of the Digital Affairs.  We are entering the ‑‑ increasingly and ‑‑ close cooperation with the Chamber of Lawyers special attorneys at law and Barristers, and also from our point of view this influence has been a big challenge.  And we try not only ‑‑ we try not only ordinary people, but also (indiscernible).  Also we have two years ago we have established a cyberscience center, are this is the coalition of free universities, and we also provide with them ‑‑ we have courses in cybersecurity management, and the last one, the last thing which I want to underline, we have also established a partnership for cybersecurity.  It's a new platform, when we meet people from the private sector and the public sector, and we still see that cooperation between private and public sector and especially we want to combine the education sector and the business, private business.  We deeply think it's very important and we ‑‑ that's why we want to cooperate with the rest of the world, and that's why we think this is something that is very important.  Thank you.

>> JANICE RICHARDSON: Thank you.  If you could please pass the microphone S. I'll passes this one along.  You're in charge of IGF youth Poland, and wants to look at this from the perspective of tertiary students.

>> JULIA PIECHNA: Hi, I would like to share with you, with our experience with involving young people, tertiary education students.  So since 2020, under the patronage of NASK, we ‑‑ the youth IGF Poland has been run.  It's a part of international and global IGF that is operated under United Nations.  And the main goal of Youth IGF Poland is to create an open forum for exchange of experience and view among young people and experts from different fields and backgrounds.  And one of our main objectives is also to create ‑‑ to establish a community of young professionals interested in new technology, in internet governance, while encouraging youth participation in national and international events.  For example, IGF ‑‑ Global IGF, or our national Polish IGF that was initiated in 2016.

Just a few days ago, like Maciej mentioned, we organised IGF Poland, and actually the IGF Youth are very focal and very important part of events at the agenda, and this is a case actually each year.  Since 2016.  And this year inspired strongly by the research that Janice presented here, we decided to strengthen our force and activities addressed to reach young people even stronger, and also to involve universities, involve representatives of a continuum in our activities.  Because these are two very important and vital groups that should be addressed by talking about bridging cybersecurity skills gap.

So from March to June 2023, we organised seven meetings with further education students, at several Polish universities.  The topics covered during these gatherings involved, for example, cyberpolicy, internet governance, and privacy and human rights in digital realm.  We also presented them opportunities available to join IGF youth, and we also discussed and presented them the opportunity that are available in the professions connected to new technologies, and what is also very important, we invited them for joining competition with the prize being attendance here in Kyoto, so today we are delighted to have two competition winners with us, Alexandra, and ‑‑ and the last important thing, there's a question that we prepared and invited young people to participate.  And this is not meant to be a representative one, but it's rather to serve as an initial analysis of students' attitudes and concerns in online security and career prospects.

So I will just present you a few findings from this question.  For example, the top career interest for young people is artificial intelligence, and cybersecurity.  And 50% of our respondents attended universities ‑‑ participated in external cybersecurity trainings, 71% believed cybersecurity training during their studies is ‑‑ should be mandatory.  Also they think that education about cybersecurity should be involved in all educational levels, even in preschool.  What is also important?  They feel according to ‑‑ soft skills, team work, communication, were considered by 89% as crucial as technical skills.  Also they think that cybercrime, according to 99% in the data, according to 97% were identified as major cybersecurity threats.  And 63% expressed concerns about future cyberattacks.  These are only selected findings, and 139 respondents went and participated in this questionnaire.  Thank you.

>> JANICE RICHARDSON: If I can now turn to Anya.  Some of you may be thinking, where was this ‑‑ where is this initial report?  How can we see the results?  You can very easily go to the IS3c website and there you can get the report in English and in Polish.

Anya?

>> Yes, in my few minutes I would love to relate with what Janice said in the beginning, that the cybersecurity competence education is not actually the question only for the tertiary education, but it's also the responsibility of primary and secondary education.  And I think we strongly believe that the idea of the hub that one of the goals of the hub would be also to create recommendations on adopting school curriculums of the digital transformation.

Having at NASK cyberthreat prevention department, and having a safer internet centre for almost 20 years or 17 years, we are in the permanent dialogue with schools.  We prepare educational materials for them, we organise events for them, we have youth panelists that we talk a lot, and consult on the situations.  And I'm very interested in your countries, I hope to learn a lot during this workshop, but in Poland there is really a significant need to focus more on media education in schools.  And lately when we were ‑‑ recently when we were preparing educational materials for schools, the school scenarios, we did the research if our teachers, we asked them what do they need to prepare the scenarios, exactly admitting their needs, and they would like to share with you a couple of results that we got from them.  Like asking them what they think about actual media education in schools.  And especially in defense of cybersecurity.  And according to the majority of teachers, it was 57%, they said the existing curriculum is not adapted to the realities of technology development.  Almost 30% believe that they don't have sufficient knowledge, like the teachers don't have sufficient knowledge, even to recognise if something is happening bad for children, like there is any sign of the problematic using among students.  57% of teachers that we asked, they said they have only two lessons, twice for 45 minutes a year to talk about cybersecurity and internet safety.  And of course they think it should be multiplied.

Mostly when they talk about obstacles, they say there is lack of time.  The curriculum of schools is totally not adjusted to the needs of coming future.  They also consider a big problem the lack of cooperation with parents in general, so I think in Poland at the moment it's happening a lot, like there are many, many very good changes, but we need a bigger focus to change the curriculum, and all what they say was that we need to include digital competencies.  Since first year of education.  That's what the teachers ended their questionnaires when talking with us.

So I think we will talk also a lot about this primary and secondary education in terms of cybersecurity competencies.

>> JANICE RICHARDSON: Thank you, Anya.  So we've looked at some of the necessities and from what age we should start integrating these into education.  We've also looked at the local, or the national level, Poland.  Let's jump now to the international level.  The United Nations.  And I'd like to ask Dennis Sousa to take the floor, please, and to tell us a little bit about how we can push for this cooperation at the international level and the multisector level.

>> DENNIS SOUSA: Thank you, Janice.  First of all, I would like to start thanking the National Research Institute, NASK, ISc3 and Janice for inviting us here.  I think it's a very good learning opportunity for us as well, like turning this into practice, and what can actually do in action with government, with other stakeholders in the field.  I think it's a very good ‑‑ this is a very good example, and it has great potential.

So I am listening to the parts, because I was thinking, where we can use this actually in which area, and I prepared some major cybersecurity documents, but I think this group here is very familiar with what I'm going to say.  So instead of that, one thing that comes to mind is in our division, we look at eGovernment, 193 member states are using ICTs to deliver services, as well as St. most populous city in each country, we look at them, and we do a lot of capacity building in the area of eGovernment, including with the local public officials and cybersecurity.  Cybersecurity both from the supply side, from the government, but also from additional skill side, from the demand, like have people ‑‑ how people are aware of the issues, the threats.  I think this could be a great research for both sides, this hub.  So I just want to put that on the table.

Other than that, please stop me when I run out, because I think I just want to highlight the main things from my notes.  This group is familiar with the UNGGG, and the open‑ended working group, but one of the things that may not be familiar is the Secretary General recently in 2022 established a high level advisory board on effective (indiscernible).  One of the significant recommendations from the board is expanding the definition of threat to peace and security to include digital harms, and in their recommendation they also called for greater capacity building, so this is again, it fits there.

But other than that, the Global Digital Compact capacities are all a security part of it, but I will not go there because I see this group is more action oriented.  So I'll stop here, and if I have any other ideas I'll come back.

>> JANICE RICHARDSON: Thank you very much, Dennis.  And I think it's important that we do look at eGovernment also, because that's where the necessity is, and governments are also doing their own capacity building as we hear.

We are now going to turn to industry.  And we're going to call on Professor ‑‑ here is the microphone.  Please let's hear about it from your point of view.

>> Thank you.  So this is Yuki, and I work for a graduate school, and I have many students here.  I also have many trainings from industry.  I run cybersecurity education in university, and a training programme for industry.  So I would like to very much resonate what Janice said in the beginning.  There is a huge gap between what universities are doing versus what industry wants.  There is a reason for that.  For instance, university needs to innovative.  University wants town vent AI.  Whereas industry needs to use AI.  So there is huge gap.  Because if we, for instance, try to develop industry training programme, we teach them how to use the AI securely.  Versus in the university, we teach them how to invent AI.  So there is black box versus white box thinking.  There's a huge contrast.  And this is where ‑‑ there's a huge gap.

But I know because I am the ‑‑ I do white box teaching as well as black box teaching.  The industry training in Japan, funded by ‑‑ $20 million every year, and question actually teach them how to use devices, how to use cloud security, for instance, how to implement (indiscernible), how to implement DX with security.  This is kind of multidisciplinary, like you need to ‑‑ how to use cloud, how to use AI security, how to implement IO to security, versus in university you have to implement security, et cetera so this is like two‑faced sets of different ‑‑ same problem, right?

In the industry training programme, we invite them to do good team work, working in teams to huge solve a huge problem.  The problem is multifaceted.  In a huge corporate system.  So you need team work for problem solving.  But in the university, you must be forced ‑‑ you master ‑‑ you must prove that I'm an innovator, I'm excellent.  Because of that, I cannot invite every student to do team work and graduate all around, because of the credit.  So I think university system is a bit old from the service people perspective.

I stop here, and wait for other question.  Thank you.

>> JANICE RICHARDSON: It seems that really we have a dilemma here.  How do we put together the black box and the white box without getting a gray area?  I'm wondering, is Emanuel on line now?  Right.  You're going to do the work now, if you can take out your mobile phones, can we let you lead us on this?  Do you have a microphone?  So you're going to have a question.  You're going to have to think about the various options that we give you, which will come up on the board.  But first we need to tell you where you go with your mobile phone.

>> Give me a second.  I need to ‑‑ I need help.

(laughter)

>> JANICE RICHARDSON: Okay.

>> I need help because I need to share my screen.  Where should I click?  Oh, probably somewhere here.

>> JANICE RICHARDSON: If you tell them where to go ‑‑

>> I'm good.  I'm good.

>> JANICE RICHARDSON: You're good, okay.  Great.

>> KATARZYNA KALISZEWICZ: So we are going to have two questions for you.  Let's start with the first one.

>> JANICE RICHARDSON: Can you enlarge the QR Code a little bit, maybe?

>> KATARZYNA KALISZEWICZ: Yeah.  Let's do it full screen.  I'm going to.  So you can join us by using the QR Code, or just going to menti.com and putting in the code, the 67413964.

>> JANICE RICHARDSON: Let's go more slowly.  Menti.com.

>> KATARZYNA KALISZEWICZ: That's right.  And the code is 67413964.  It's also here at the bottom.

>> JANICE RICHARDSON: It's there very large now, they can see it.  Are you online?  Do you have the question?  Yes.

>> KATARZYNA KALISZEWICZ: We have 13 people on the line.

>> JANICE RICHARDSON: Super.

>> KATARZYNA KALISZEWICZ: What we would like you to do is to prioritize, very good, good job.  So you have to drag the answers from the most important for you to the least important.  And the question is, what should be the key functions of the hub in order of priority?

>> JANICE RICHARDSON: And of course we're relying on your input here so we can really see what you think should be the priorities.

>> KATARZYNA KALISZEWICZ: We're still waiting for answers.  Don't be shy.  Question have 19 people and eight answers only.

>> JANICE RICHARDSON: How many now?

>> KATARZYNA KALISZEWICZ: 13.

>> JANICE RICHARDSON: We want to give you time because we do want you to think about it.

>> KATARZYNA KALISZEWICZ: Exactly.

>> JANICE RICHARDSON: It's a very complex question.  If you have finished, I'm wondering, is there anyone who has a question that they would like to ask at this point?  We've been throwing information at you, but we haven't heard very much from you yet.

We'll move to the next question.  There is a second question and I'll give you the microphone.

>> KATARZYNA KALISZEWICZ: Let's go to the second question.  Which practical steps should be prioritized to launch and build the hub, and please vote on the most important.  I know here on the screen it looks small, but if you look at it on your phones probably more visible.  But we have the define strategic plan, goals and objectives, secure funding and resources to establish and maintain the hub.  Create an online platform to deliver training, workshops, and so on.  Seek accreditation or recognition from relevant industry bodies, government agencies.  And develop marketing and outreach strategies to raise awareness and attract partnerships.  You can pick only one here, yes.  We are picking the one which has been ‑‑ which is the most important.

>> Thank you.  I would like just to comment on the ‑‑ on our last question, because about the necessity of bringing the cybersecurity ‑‑ the companies closer to the students, because while I have the experience of learning and the problems I had, because most of the systems that we try to ‑‑ are very expensive, very specific, very difficult to put your hands on.  So connecting to people that want to learn with these kinds of resources, definitely eases the learning process.  Well, it makes it possible.

>> JANICE RICHARDSON: Thank you.  And I think that's an extremely pertinent comment.  And it's one thing we hope that we'll manage to do with the hub.

I think we have our answer.  Please tell us what is the priority according to the people here?

>> KATARZYNA KALISZEWICZ: The priority is to define the strategic plan, so first we are going with goals, objectives, of course long‑term vision of the hub.  This is the most important for 12 people.  And then they think a good one is also create an online platform to deliver training, workshops, and networking opportunities.

>> JANICE RICHARDSON: Great.  And let's really ‑‑ that's really something that came up with the students, the PhD students that we were working with on the interviews in the survey.  Samoa, for example, Nepal, both said there is no opportunity in our country to actually do this type of training.

We are now going to move on to our speakers.  As Dr. Emanuel is not online, I'm going to ask now Raul if we could please hear from you.

>> I was asked to speak about the ‑‑ how to prepare out of the companies, private companies in Latin America.  But let me provide some context.  I think that's everything that has been said here is applied to the whole world, I think.  It's not an original issue.

But 2022, according to a study that was very ‑‑ was disseminated broadly in the region, almost 70% of the companies, different companies declared to have had some kind of security problems in the region.  It was, unfortunately we don't have monthly status, but to see how those issues are evolving, but everybody could see this year the very big events, big security incidents in the region.  Both at the public and private sector.  And two governments faced a serious attacks, Costa Rica and Colombia.  In the case of Costa Rica, the government was really in difficult conditions to continue working in several areas, and the case of Colombia was also very ‑‑ was very recent, and ‑‑ but also private companies have been in the press, even ‑‑ like law firms, famous law firms that have been attacked and all the information of their customers have been compromised, and we don't want to know what kind of information they have.

But ‑‑ so the point is that companies are being ‑‑ are becoming more conservative about this, which is good, they say in every survey the companies seem to be more can be to be more conscious about the risks and to consider the security risks as important issues.  The point is that it is not reflective at the time of allocating resources.  And when in difficult times, as we face at the last couple years, these were demonstrated by some status that securities, one of the ‑‑ the resources were cut first.  So that is ‑‑ at the end of the day it seems that it means that they don't understand the risk they are facing, until they have a problem.  Like usually the problems are in the form of RID attacks, access to information blocked and the criminals ask for ransoms to free the access to information.  And in those cases the companies in average are losing a few million, three, 4 million for attack of that size.  They could have spent less money in trying to prevent those situations.

I think there is a need of massive programs, and I think it's very interesting, we are discussing here about the skills and human resources, because this is a problem.  I have read in the news and in Mexico they started ‑‑ a study says that only in Mexico there's 200,000 people to work in this area, it's an impressive number, but so we need to implement some scalable solutions, massive programs.  It's not enough that some ‑‑ with public resources we support the companies to implement, or tried to educate ‑‑ we need to do something massive.  It is very interesting that the number of companies that say that they are adopting new measures is increasing approximately 10% per year.  But the attacks are increasing 20%.  So we would not win this.  We ‑‑ one of my hats is that I belong to the Hawaiian chapter of internet society, we're starting to work with an alliance to disseminate some measures for SMEs, I think this is something that that could be done, one of the things.  But we should try to find solutions that are scalable, as I say, before we reach much more bigger audiences than we are doing now.  Thank you.

>> JANICE RICHARDSON: Thank you, sir.  Here I think a few important points came up that who are we talking about when we talk about the cybersecurity industry?  Well, in fact, we all have to be cybersecure.  The farmers, the trades, everyone needs this cybersecurity, the second thing I think of specific interest, attacks are increasing by 20%, but resource allocation increasing by 10.  So we are not going to get along very far if this situation continues.

Our next speaker I think is going to tell us more about the expectations of the private sector if I'm correct.  And I'm going to pass the floor to someone who works in Japan.

>> Thank you.  I'm Hiko.  I would like to share something the graduates, after they finish the school and join the companies.  And currently I'm working with the PWC, I do the consulting for the cybersecurity for the older industries.  So we are also hiring those people, and before that, before PWC I was working for Panasonic, I was interviewer for those grads, more than a hundred people.  And what I think about, I like to share is, while those graduates, they have very plenty basic good knowledge, for the cybersecurity, which means than they all pass very good.  And why?  Because I think maybe in Japan we are corroborating with university, like the professor, we go to all the university schools to meet the professors and introduce those students while we are doing ‑‑ what we are doing, what we're doing for the cybersecurity, for Panasonic or PWC, we explain those people and ‑‑ and let them understand what we are doing.  So that maybe make them interesting?  And so we communicate not the student, to the university, with academia industry, it's a very important thing for the kids.  Not the kids, graduates.

So I think this is the one good idea, and also we are very encouraged the internship as well.  For the not pay, or we pay, but still if those people are very interesting about to do something, we always open to let them work, to feel what they are doing, so maybe they have some imagine for the cybersecurity job.  So this is also important, so it makes more opportunities, chance to give them.

And also while we can ‑‑ have more specialists to meet the business needs, I think this is an interesting story, three months ago in Japan there is one high school, very major technical high school, with the cybersecurity companies together trying to do the workshop for the ship, the maritime.  With the real operation one, for the ship.  With the student and cybersecurity companies together trying to attack a defense exercise for them.  And I think it's so very exciting, you can use the ship and try to attack and feel what they are doing, and so those high school students very exciting, maybe we can do some maritime cybersecurity job in the future?

So we need to give them some experience.  Real experience, which is very important.  And also usually the corporation doing some cybersecurity sponsor, so we also invite those students for free, sometimes cybersecurity conference is very expensive.  But we gave them for free to join.  And of course maybe let them do some small job, volunteer, but let them also introduce those cybersecurity people introduce them, and so that they can make the connection and maybe you can help support those ‑‑ their future.

I think I am going to stop right now, okay?  Thank you so much.

>> JANICE RICHARDSON: I have a question for you.  Because the cybersecurity industry, or what we learned from the research is that they're really looking for a very diverse workforce.  They need the younger, the older, the males, the females.  It seems to me that you're talking about students.  Do you have any great ideas to help along these mid‑career shifts?  How can we get a more diverse population involved?  Do you have any ideas on that?

>> You mean the mid‑career shift?  You mean once they work for different job, and trying to jump into the cybersecurity?

>> JANICE RICHARDSON: Yes.

>> Okay.  Well, I think this is a very important thing, yes.  Actually, some people are not very good at software engineer, or don't know about cybersecurity, but they try to jump in to the cybersecurity job, to carry a change.  We also accept those people, because I think the cybersecurity, they have very different point of view.  I mean, they have the engineer and technical, and also the governance, I think cybersecurity have many jobs.  Involved.  So I think I'm very encouraging those people to jump in, if you need some training, we need to support them, and to let them make some different career for the cybersecurity.  Yes, we do that.

>> JANICE RICHARDSON: Okay.  Because it seems to me that a lot of people in their career aren't aware that in fact they could do this switch.  I think you have something to say here.  Please do.

>> For such a career change, industry needs it, not employee needs it.  Maybe they are having working for factory for 10 years, but they're not aware but the company needs cybersecurity people in factory.  Because factory is becoming more digitized.  And because of that we have industry sponsored training programme, where a company chooses those nominees, not the industry ‑‑ individuals.  And they send us them to one‑year programme.  One‑year programme, right?  Full‑time, one year, from 9:00‑5:00, every day, Monday through Friday.  They come to our facility, and study and do cyberexercise programming, testing, everything.  From like July to June.  It's whole one year.  And they do a lot of team work, and they do a lot of presentations, they do a lot of simulated exercise assist like briefing to the boards, briefing to accountants, reporting to the lawyers.  And lots of those business oriented exercises.  So it's a one‑year programme, it's huge.  But we have a lot of ‑‑ more than 350 alumni, and everyone say, I was new to I.T., but after finishing this programme, I'm actually a cybersecurity specialist, and being able to go to a different company.  I'm very proud of it.  This is just one year.  And there is huge industry backlash against management saying do you actually require one year?  But from our experience, this can ‑‑ this training is one year, because of the huge technology stock, and lots of regulatory legal developments like standards and regulatory developments, and, you know, lawsuit, and case laws.  And every complexity has to be taken into account in business context.  So this requires a huge amount of time, but with this, one‑year investment, one person can change from a person like a salesperson to cybersecurity personnel.  We have many, many examples in Japan.  Thank you.

>> JANICE RICHARDSON: Thank you.  So that does seem a very interesting good practice, be that other countries could benefit from.

I'm going to pass the floor now to our youth.  I have a lot of trouble with your name, I'm sorry.  Can you please remind us where you come from, and tell us your point of view on this.

>> Hello, thank you, Janice.  I think the best way to start talking right now is actually telling a story that happened to me last month.

I was visiting a factory, and as the ‑‑ a cybersecurity specialist, I need to understand to really understand what these factories work, how they work.  And I sat with them and spent like a couple of hours asking everything, how each one of the machines worked, and I said to the person, okay, I have ‑‑ well, we have two weeks to me to understand everything and point your errors.

So the person looked to me and said, okay, so you are like a generalist specialist?  And, yes.  So to me this shows the most difficult part of cybersecurity, which is that you need to have a transversal knowledge.  You need to understand ‑‑ deeply understand how these machines work to know what they shouldn't do.  The and this makes a huge barrier.  So when we have people like ‑‑ you can take advantage of them knowing the sites, their factories, but when you're bringing young participants, you don't have this advantage.  So the person needs to learn all of it.  And this is incredibly difficult.  Like, I had the opportunity to sign up for a course on industrial security, and the first task was, okay, tell me more about the space you work for, because we are going to work on it.

And I said, what?  Space?  Machines?  I don't have any experience with these machines.  And the person said, oh.

Okay.  And this became a major issue to me.  So being the ‑‑ being a young person entering this subject in the beginning was actually a very lonely task, because you ‑‑ it was just only you and your computer learning how to work with the systems and how to exploit their vulnerabilities.  And at least I am seeing a strong shift now, like when I went ‑‑ used to go to security events, most of the people were just curious, and now they work in the field.  And these experiences really evolves the field, really evolves the community around it.  But we really need to make closer the persons coming to this new field that have almost none prior knowledge, because while we know the basics of how it's programmed, how to operate machines, but this deep knowledge you get from the experience of running it, we will not have.  And this is a great barrier for us.  Thank you.

>> JANICE RICHARDSON: So you're really underlining the importance of transversal knowledge, and yet in our report, 67% of people who responded from the business and industry sector consider that cybergraduate ‑‑ the cybersecurity graduates have insufficient capacity of transferable skills.  So it's really something that they picked up on.

Ismalla is from Gambia.  Where is Ismalla?  Oh, sorry.  Over to you, and I think that you're going to tell us a little bit about how you think we can diversify the cybersecurity workforce and encourage more women into it.

>> Of course.  My name is Ismalla, I am from The Gambia, West Africa, small country but a little over 2 million people population.  And I am the chair of a cybersecurity community, and I also work as a security analyst, senior analyst for The Gambia government.  And I would say the same similar story as my brother here, I am from a developing country, and a country where cybersecurity education is not offered in any university or college.  And it's literally impossible for someone to be encouraged to pursue a career in cybersecurity.  And I stumbled upon it through one of my mentors, a Peace Corps U.S. citizen who was in Gambia actually on a boot camp, and being a curious guy, I was with computers.  For some reason, which I regret, I had the computer network, and it was very, very serious a little bit, and as he brought me in, mentored me, this was back in 2014, 2015.  And this is where I kick start my cybersecurity career first, give me some online courses.

Fast forward to 2019 when I started working for The Gambia government as a security analyst, first cybersecurity officer in that revenue authority, I realized over the years that women and youth are really interested in ‑‑ normally Africa in general.  And this obviously looking at the skills and the resources I needed at a global level, the expertise needed at a global level could be an opportunity for African governments to get youth in this industry, which is actually going address youth on employment at some point.

So I started the community to see how best we can involve the academia, and also the government and the youth leading that initiative, organising boot camps and cybersecurity education programs.

Through our process we were able to graduate about 50 university students, and this obviously ‑‑ this notion as mentioned, many people think cybersecurity is an I.T. business, or technical job.  And that goes moving from legal to cybersecurity, to cybersecurity, you'll be surprised.  When we first went to The Gambia University, University of Gambia, we ‑‑ asked participants from cross cutting departments, not just computer science, but also development study students, you have sciences, the legal department, and you will see almost 80% of the participants that actually saw an interest in cybersecurity are not more from the computer science department.  Many of them want to become developers from the computer science department.  They want to develop AI and similar programs.

You see the legal department, they want to get into the industry.  So what we did was, some go to Cisco, we have to give kudos to them, the I ‑‑ they have actually done a great job recently by providing free cybersecurity school for under privileged communities and those who want to get into the industry.  And we used that opportunity to train over a hundred youth in getting this programme.  And I am really happy that we have 25 people that have done the ISC certification, and out of the 25, 15 of them are of course female.  Women.  And 10 are male.

So ‑‑ and then they all get their cybersecurity certification.  So literally this is what I have to say, and I also create collaboration and participating from a different level when it comes to internationally to involve the global south in this process.

>> JANICE RICHARDSON: So interesting, because the young people that we talked with during the research told us there was simply not enough online courses, not enough ways to access the cybersecurity sector.

I'm wondering, how many people here in all, raise your hand if you are looking at cybersecurity from the point of view of industry.  If your background or your workplace is industry.  Please raise your hand so we can see who we are talking to.  Industry?  One hand.  A big one.

>> (off mic).

>> JANICE RICHARDSON: Yes, please, go ahead.

>> People like my situation, I am not 100% on this topic, it's one of the things.  It's less ‑‑ this is why I don't raise my hand.

>> JANICE RICHARDSON: Well, does that mean everyone in the room is more or less working in the education sector?  Raise your hand if you consider that you are working in the education sector.  There are some hands that weren't raised.  And I'm just wondering, which sector do you represent?

>> (off mic).

>> JANICE RICHARDSON: Microphone.

>> Thank you.  Actually I had a bit of difficulty to raise my hand because I'm half and half, between education, because it's hard to define whereas either you provide some guidance or knowledge, or you inspire policy, or you educate as such.  So I think there is an overlap between these two areas indirectly.

>> JANICE RICHARDSON: Can you please tell us a little about yourself?  What is your profile?

>> My profile is actually I'm a former police officer.  I used to work at Europol, and we're looking at the cybersecurity from a different angle.  But this discussion, I think this profile is especially of interest, because for us, police officers, there is no barrier between cybersecurity and cybersafety.  And I think this is a dilemma here, that we should never look at either of each, but at the both at the same time.  So because whenever you take a perspective of a victim, it doesn't matter, really.  So I would appeal here that whatever is planned as far as the strategies are concerned, let's address both, because in the end it will not matter to the end user or to the end victim.  That's the perspective of law enforcement at least.  Thank you.

>> JANICE RICHARDSON: Thank you.  And that is really interesting, because I think almost everyone here is involved in safety almost as much as the security, and you'll remember that here we are internet standards, safety, and security.  But thank you for reminding us.

I'm wondering from those people that we haven't heard from yet, do you have any really great examples, some good practice from your country that you think that we could all learn from and that would help us as we go forward in building the cyberhub?  Is there anyone who would like to take the microphone and tell us about good practice in their country to add to what we've learned here so far?  No?  Would you like to take the microphone and tell us your point of view?  Anyone?  Yes.  Take it around.  No one?

>> (off mic).

>> JANICE RICHARDSON: I didn't know there were people behind us, I'm sorry.

>> Thanks so much.  I'm Clay from FIRST.  My previous job was working with the Pacific and I think you mentioned Samoa earlier, so I can use an example from Samoa.  But it's an example that you can see in Tonga and across the Pacific.

Obviously being small island countries, they have a lot of challenges with retaining and building cyberskills, just like the rest of us, but almost amplified due to the size of the countries.  And one of the most effective ways that we've seen to build a more sustainable cyberskill community is through kind of organic cybercommunity groups.  Potentially like what you've been working on.

So in Samoa, a few years ago a bunch of folks came together, just over breakfast, and created something called Samoa Information Technology Association, this creates a space for training to occur.  Not just from external donors, but training between professionals within Samoa.  It creates an informal space for industry knowledge to be shared, so similar to what happens in network operator groups.  Very much an informal place to take shop.  And for what we've seen, this space creates kind of that missing gap that folks were mentioning between the academic side and industry side, are because it's where newcomers to the feel can talk and meet and network and learn lessons directly from current active operational experts.  So, yes, Samoa Information Technology, that was started over coffee, so while hubs are really great, I think it's really important to leave that space for informal information sharing as well, not just formal trainings.

>> JANICE RICHARDSON: And that really is I think a very interesting idea, training each other.  And this idea of community, which you mentioned.

Is there anyone else who would like to tell us a little bit about good practice?  Something they've been involved in, they think really made a difference, and we could take it on board as we move off with this hub?  Yes?  Please, take the floor again.

>> I hope it will be useful.  My experience originates from the EO policy cycle.  So it's very much helps as far as the strategy is concerned.  We used to base, when I was working at the agency, we used to base our strategy on findings of the research.  So first as you've mentioned, the report is obviously very useful, but it's nestles to look at what is current experience, and what are the threats of online threats as you said, and there is a nice bridge between practitioners and learners.  So it's always very important to look at the real cases, and investigate them, research them.  And then plan accordingly the research cycle, or the policy cycle.  Because I have also witnessed facts and instances when policy was not relevant to what was happening online, for example.  When there was a big gap and strategy was prepared in silos.  This is the worst case scenario.  So as far as EU policy cycle came into the force, and maybe this will be a useful good practice for this forum as well.

>> JANICE RICHARDSON: I do think that's extremely interesting, because one of the first things we're thinking of doing with the hub was going into universities perhaps with a survey or beginning by interviews to understand how cybersecurity is being taught.  But what you're telling us is that we should also be looking at the cases, and so our hub should be ‑‑ should have an easy mode of recording cases so that we can really link the two.

Are there any other ideas?  Because we really are starting out now where ‑‑ over the next days, pushing forward to see how we're going to develop this hub.  What it will really look like.  We really thank you for your input, and your input.

Are there any other ideas?  We'd love to hear from you.  You've come to the session, I'm sure you've got ideas at the back of your mind.  So please ask for the microphone, or speakers, what have you got to add?  Yes, please.

>> Thank you.  I can ‑‑ I have a quick idea, maybe what the hub can consider doing is retaining the talent.  As we know, maybe colleagues from the private sector can comment more, but the job is very stressful, and I think most of the cybersecurity experts (indiscernible) so what do we do to keep them at their post?  So this is something, a question for the table.

>> Yes.  The cybersecurity job is very stressful.  Because there are many interesting responses you need to take care, you need to do to the clients, to be safe, to defense those attacks or something.  So it's very straightforward, sometimes 24 hours, it's very stressful.  But ‑‑ and some people leaving, they don't want to do this job anymore, and go to ‑‑ go back to the software engineering, coding, or do some other job.

While we have to do ‑‑ what we have to do is of course, there ‑‑ is ‑‑ (indiscernible) is a good idea, but it's just temporary.  I think we need to think about the quality of life.  Not ‑‑ no pressures, you need to take care of the quality of life, more something differing ways to make them become ‑‑ work for the cybersecurity job.

So I think ‑‑ that's why we do, if they want to attend a conference, I let them go, or do the training, I just let them do it.  Or we always think of something, what they want, and maybe if we can accept, we just give them that kind of offer.

>> I think we could have also a mind shift, because usually the cybersecurity team is responsible for this cybersecurity.  And if you put the whole responsibility into, like this team, which are usually very small, you bring a lot of stress to them, because it's ‑‑ it's kind of difficult to work when you are in this cybersecurity team, because everybody ‑‑ even inside the company see you as an enemy, because you are trying to impose, you're trying to push things, and make things harder, more difficult to them.  And so you have these kind of difficult relation, because you are responsible for the security, and you also have difficulty to implement the security changes.

>> JANICE RICHARDSON: Right.  I'm going to ‑‑ it's really interesting, we haven't talked about that stress, about that quality of life.  So we see more and more things that the hub should take into account.

Katarzyna, what were the answers of the first question, please?

>> KATARZYNA KALISZEWICZ: No problem.  I can even show them again.

>> JANICE RICHARDSON: Yes, I think it's the best idea.

>> JANICE RICHARDSON: And then we're going to have a brief summary of what we've looked at.  Larry is going to raise some of the points so we can do some final discussion about these issues.

So, yes.

>> KATARZYNA KALISZEWICZ: So let's ‑‑ I think the first one, because we have October ‑‑ key functions of the hub, and the first priority for most of our audience is to promote collaboration between industry, universities, and the cybersecurity workforce.  And I think that we all know that this is something we popular here, that we are working between different stakeholders.

Then the second one is enhance cybersecurity skills at all levels of education.

The third one is gather and scale up good practice from cybersecurity and tertiary sectors.

The fourth one, raise interest in careers in the cybersecurity industry.

And the fifth one, provide online training from top experts on emerging topics.  Which I find is quite interesting, because in our second question, creating an online platform for trainings and workshops is the second best, right?  And here is the last one.

>> JANICE RICHARDSON: And that is interesting.

If we can get you to reflect on that if we can figure out why that might be, I'm going to ask you, Larry, to give us a brief run down of what you've picked up Larry is also from the United States and ‑‑ come on.  You should tell us a little bit of your background.

>> I'm a recovering academic, it's been many years since I've been to university, but I came to technology from an academic perspective, and then became a technical writer, wrote a newspaper column in the United States, actually still write it, it's been running for almost 40 years, written for the "Los Angeles Times" and "New York Times," now the "Mercury News."  I've been on national radio and television with CBS News, I've worked with the BBC and other news.  So I've come from a variety of angles, I can't keep a job so I keep switching careers.  I'm a mid‑career person change myself.

You know, really thinking about how you can take the kinds of things that we're talking about here, the kinds of things we talk about universities, the types of things that engineers talk about, the types of things that policy people talk about, and translate them to average people.  To people who read it in eighth ‑‑ read at an eighth grade level, parents, kids, teachers, folks.  The kind of people who listen to me on radio, which are just any everyday people, most of whom have never been to an Internet Governance Forum, or taught at a university, most of whom have never worked in the tech industry.  But they probably have a smartphone, they probably have a computer, they probably have kids that are using the technology, and so they are ‑‑ have a very strong vested interest.  That's where I come from.

But I have been listening carefully to your conversation today, and clearly my notes only reflect a small portion of what was said.  And so if you said something brilliant and I didn't get it down, accept my apologies.  But this is sort of what I took away.

One is, making ‑‑ first I want to put another context about 20 years ago, I attended a conference at Carnegie Mellon University in Pittsburgh, where this very problem was being articulated.  This is not a new conversation, as everybody in this room those.  It's been an ongoing issue for many, many years.  So I just wanted to throw that in to the hopper.  Which is to why we need to make it more attractive to youth, to work in cybersecurity, a couple people pointed out the gap is not closing, I think it was that the problem grows by 20% a year, the human power to solve the problem grows by 10% a year, you don't have to be an MIT graduate to figure out that math is not working.  So that was a really clear statement that was said.

Also bringing the right people together to create the content.  And that gets into something I'm going to talk about in a few minutes, which is the interdisciplinary approach.  What I heard over and over today is this is not something that's simply comes out of the engineering side of the equation.  You need to bring in social scientists, humanities, people from all walks of life.  And all disciplines need to be approaching this problem.  You can't solve it simply by code.  Code is important, but there's so many other factors, including social issues, and norms, et cetera.

Janice I think made a really good opening statement that I think should be part of the overall discussion, the foundation, which is with companies looking for critical thinking, creativity, holistic thinking and diversity.  And that's so important, and those things tend to get overlooked when you're looking for people who you think just have the right technical skills, but don't necessarily have the creative skills, critical thinking skills, the holistic look at the world, and of course as we ‑‑ many people have talked about, don't necessarily reflect the workforce and the communities that we should be serving.  And that's where diversity comes in.

I loved this comment someone made, I don't know who it was, educators tend to focus on coding but not teaching young people how things function.  What's the backbone of the internet, how does cloud computing work.  Understanding the gestalt, what is you're trying to fix is important, if you're trying to fix it.  It would be like if you were a refrigerator repairman who's never used a refrigerator.  You might know where the parts go, but do you know what they do and why they're there?

I loved the community about cybersecurity is important for primary and secondary education, some think it should be mandatory, but clearly it needs to be something we start talking about very early.  And getting people excited about.  I mean, we have, it's true we've got right now at least in the United States we have close to full employment, but that's a temporary thing.  There are many, many periods where we have far more applicants than we have jobs, and there are, I don't know, thousands, hundreds of thousands of cybersecurity jobs that are open in the world.  Certainly even in the country I come from.

Also I think another person or several people made the comments, talked about factories, farms.  This is not just a tech sector problem.  No matter what it is you do, whatever industry you're in, you need cybersecurity specialists.  It's almost like every company needs a chief financial officer, someone to do the books.  Every company needs somebody to clean the floor, whatever it is.  Well, every company needs somebody to watch cybersecurity.  I don't care if you're a small organisation or multinational corporation, someone there needs to be thinking about cybersecurity.  Even in my little NGO, we don't have a dedicated person for it, but we sure have to pay attention to it, because like everybody, there are attacks against our infrastructure as well.

Is someone, a couple people mentioned creating opportunities in developing countries.  Gosh, that's important.  First of all, there are problems in developing countries that need to be addressed.  Second of all, there's a huge talent pool in the world that is not being used.  Not being exploited.  I don't mean exploited in the negative term, but taking ‑‑ all the terms are negative.  You know what I'm saying.  Not being utilized.  And we really need to utilise people from around the world.  We tend to think about that, I pick up the phone and call a company and I get somebody with an accent, somewhere in the world, usually doing a relatively entry level position.  Well, there are very smart people in other parts of the world besides the developed world who can be doing high‑level work.  We just can't afford not to take advantage of that talent.

I really liked the comment about giving high school students real experience.  Really getting them involved, there's such talent amongst high school kids, and I shouldn't even call them kids.

Many of them are capable of doing serious work, and while I would never advocate child labor, I do advocate taking advantage of young people's ability to be part of the solution.  And young people, and also to see cybersecurity as a place they can go into college, or maybe not even go to college, maybe find jobs in cybersecurity direct it will out of high school.  There are probably talented people who could work with or without a college education.

Someone made the comment, it gets back to the comment I made about the joke I made about the refrigerator.  Visiting a factory the cybersecurity specialist needing to understand how the factory works, shall each machine, and again, you can't fix something in a vacuum.  You have to understand the context in which it works.  I think that should be generally very important to any kind of hub based on what I heard today.

Lots of graduates need ‑‑ have insufficient knowledge about real world applications.  Again, the same notion.  You need to have a gestalt, a real understanding.

Someone made the comment about networking.  I'm going to combine that with the suggestion someone made that more young people should be coming to conferences like these.  I have to tell you something, 90% of what I learn at conferences like the IGF doesn't happen in meetings like this.  With all due respect, to the brilliant people who just spoke, and all of you were very good, it's the conversations you have in the hallway, it's the connections you make.  That networking, same thing you get at the university.  Why do Harvard students do better than people at other schools, because they meet people who can open doors for them.

In the last 12 hours, not even that, I guess I've been here probably eight hours, I've already opened so many doors and so many things I can do with my little N the GO based on people I talked to.  Since I got here this morning, it's amazing to me.  What I've accomplished in the last few hours just walking around talking to people.  So getting young people a part of those conversations is so important.  Connecting them with mentors, with each other.  It's just essential.

The other ‑‑ the last one which I thought was very interesting was this comment about how cybersecurity is stressful.  I can see that.  It's probably one of those jobs, the joke they talk about airline pilots.  A flight is six hours of pure boredom and three seconds of sheer terror.  When the system goes down and maybe it doesn't go down that often, but when it does, it's hard to imagine what the cybersecurity staff have to go through.  I kind of imagine, because our systems have gone down, and we had connectsafely.org go down an hour before Safe Internet Day.  Luckily we found somebody who could bring our system back up in time for our event when we were going on national television promoting what we were doing.  That was the worst possible time for our system to go down.  Well, those moments are very, very stressful.  And finding ways to encourage people to retain them, to promote them, to compensate them properly, to provide them with career advancement, all the things you need to keep a workforce happy and productive is very important.  I would say that for a hub, and again, I came into this knowing very little, just taking notes, what I think I learned today from listening to all of you is that this hub that you build has to be something that goes from the highest level conceptualization about what it is you're trying to do, and we learned this from your survey, what are the goals, frameworks, all the way down to the nitty gritty of how it operates.  And I would even argue, maybe even some kind of job bank where you help people, link people looking for work to the jobs that are out there.  So it's a big effort that you're taking on, but it seems to me despite what I said about going to sessions, this session was extremely productive, because you came away with a very rich blueprint of what you need to do, what we need to do, what the world needs to do to have a more secure cyberinfrastructure, and to provide good paying, meaningful, and important jobs to probably millions of people around the world.

>> JANICE RICHARDSON: Thanks very much, Larry.  I'm going to start with Raul, and I would like each of our speakers to just have a few words, some last thoughts to wrap up this session.  But of course if there are people in the audience who also want to have a few words, you are most welcome.

>> Yes.  Thank you.

I found every comment very interesting.  But especially what was said about that we have to understand this is probably ‑‑ be this is very interesting, because maybe the companies should start to hire people already with the idea that these are people that will work in these positions for a short term, so maybe offer a plan, growing plan to move to other area of the ‑‑ inside of the technology part of the company.

I think that's ‑‑ what really concerns me is that the idea of scalability.  Because we speak about providing training on a platform.  But how many people we can train on a platform?  What we can do really to achieve things that ‑‑ at a different dimension.  Quantitatively different.  So I think we say that there is a demand of talents that's not satisfied, but at the same time, I don't know how it's being calculated, because if we calculate how many people we need to face those challenges, so yes, we need more people.  But on the other hand, how many people at least in Latin America, how many companies are really hiding specialists?  I think that's probably if they look for more people, if they ‑‑ the demand increases, so more people, we want to work in the area.

So this is a complicated equation, because probably that's ‑‑ we need public support for private sector to understand what the challenges are, but we have also the same problems in the public sector, because public sector don't understand either the problem.  I mentioned in Latin America we're very serious in the last year.  So maybe we should work with intergovernmental organisations more, trying to convince them about the dimension of the programme and how we can involve them as to be part of the solution.  How we can work together to work with the private sector, the education system.  So really turnaround that this is a problem for the country, for the region, for the world, and to elevate the level of the priority.

>> JANICE RICHARDSON: Thank you.  Yes, Katarzyna, has anyone come online, do you see anyone who has raised a question?

>> KATARZYNA KALISZEWICZ: Unfortunately not.  But we have some listeners.

>> JANICE RICHARDSON: Okay, great.  And do you have anything you'd like to add to this discussion?

>> (off mic).

>> KATARZYNA KALISZEWICZ: I can have a question.

I think I ‑‑ my opinion might be either controversial or very boring, it depends how you look at it.  But I think that we are at a point where each company should have cybersecurity specialists like we have work safety specialists, yes?  So we learn that when you see water on the floor, you should avoid it, because you will slip on the floor and fall over.  I think it should be the same for cybersecurity now.  Because we all use computers at some point, and even if we think about industries that normally we would say oh, they do not use computers, we have now a situation in our country in Poland that is many, many more people in medical industry are starting to use computers, the system for doctors is in the computer, so nurses also should have access there.  And we are going to continue to spread this thing.

So I think it's just necessary to have this awareness that there will be more and more specialists needed in the field, and we should start training those people, because it might shock us soon.

>> JANICE RICHARDSON: Thanks, Katarzyna.

Dennis, do you ‑‑ sorry, there's one here.

>> Thank you.  I think very quickly, it all comes to incentives.  Either to people or to companies, like major company would not be able to afford their online like Amazon to be off, because of cybersecurity.  There are incentives there.  From the U.N. perspective, if you want to reach out to stakeholders, global digital compact discussion coming up in 2024, WSIS+ 20, overall review is coming up in 2025.  I'm just putting those on the table.  Those are the areas that you can ‑‑ we can hear your voices and we can ‑‑ you can lobby.

And this cybersecurity hub, whatever you are developing, if it's good, it will be used by governments.  So it's, again, back to incentives.  If you put a good product out there, it will be used.  But it's all ‑‑ all I think for all of us to improve it.

>> JANICE RICHARDSON: Super.  And that is incentive.

>> 

>> JULIA PIECHNA: Many important things were mentioned, maybe I will focus on the thing that comes to mind, from my professional experience.  I think that what is really important among other things is education from the (indiscernible), and integrating cybersecurity safety education, into curricula, into education.  And to maybe resigning from traditional methods for the sake of unconventional and involving methods to really ‑‑ that was mentioned here, that really make the young people to understand the tools they are using, and ‑‑ understanded the mechanism.  Thank you.

>> JANICE RICHARDSON: Thanks, Julia.  I don't know if you want to ‑‑ no?  I really loved that fun idea.  We have a project running in the Scandinavian countries that's been running for about four years, where we write a scenario about internet safety for 11 to 14‑year‑olds, but then we find a local magician and the magician and I work together to figure out what are the best tricks, and of course the tricks in Iceland are quite different from the ones we do in Finland or Norway.  But this fun element seems to be so important.  I'm really glad, I think it was you who mentioned it.

>> So I think it's an interesting concept.  Our training centers, we were discussing it, it should be cooperating us as a global internet.  We have friends in UK, I think we can have more collaborations.  One thing about it, we are all busy, so it's going to be complex stuff, I want to have it less demand, or less workload, in terms of workload.  It should be less binding.  So that everybody from all scales, like nonprofits, and the government agencies, etc., like IGF, everybody on all sides can join, on a nonbinding basis, but there should be network trust, because this can be abused by criminals.  So network of trust is very important for this project.  Thank you.

>> I have a message for industry business, and sector, and this is also the goal for us.  Because I want to say that education sector is open for cooperation, and I mean not only the IT business, but the fashion industry, and so on.  And I'm ‑‑ next year we will find more people from the industry, and figure out you are with us.

>> JANICE RICHARDSON: So let's think out of the box.

>> And I would continue with this trust, and from then, some time ago I took part in the panel about women in I.T., and women participating in this panel also said that this kind of stress and (indiscernible) that is somehow related with work in the cybersecurity discouraged men and women to take part in this business, to go into these careers.  So maybe extremely important to repeat that not only you have to work really in this field to be involved in cybersecurity, that there's so many different ‑‑ like Janice said in the beginning, that you don't really have to be in this gaming area that some people perceive the cybersecurity is, and second thing, I think it's extremely important also talking about diversity to organise the parents, to really be able to motivate their girls to see their future in this field.  Because right now you always see boys in the coding extra classes and the girls go to dancing classes.  It needs parental awareness.

>> Thank you for everything.

Actually I learned from you guys a lot about your insight comment, and new information for me.  And actually next week I have ‑‑ I had my daughter's high school, and high school principal asked me to talk about cybersecurity jobs.  So actually I have to do this, since we have been discussing this kind of session.  So I want to tell them, I will tell them the cybersecurity is very fun job, and it's very important job, and also it's very proud job.  And it's also challenging job.  It's going to be a very interesting job forever, so I just want them to more interesting about the cybersecurity job.  And also I want to think about something maybe we need something, a cybersecurity hub ecosystem so we can do more to the system ‑‑ like SDGs, we need to keep thinking, keep mentioning this kind of conversation in the near future.  Thank you so much.

>> Well, I will spend my last words talking about the importance of the actually the culture on being this facilitator, this ‑‑ how they help to create the imaginary ‑‑ the ‑‑ they mold people to like cybersecurity.  And for that I would like to remember about two films.  Hackers and War Games, which were very important for the '80s generation to see hackers as the ‑‑ this very cool people that were hacking things and this ‑‑ how this created the cybersecurity imaginary.  And also when we talk about it, we need to think of the general perspective, because, well, I opened a position in my group to recruit a woman, and I couldn't.  Like, it stayed for one month open, when I gave up, I hired a man in the next day.  So this is really a cultural thing, and we really need to work on it.

>> JANICE RICHARDSON: So your key is going to have to be very convincing when it goes into that school next week.

>> Yes.  So my last input will relate to what he said, but more importantly, having more women participating in this industry.  And I think we are unaware of, but it's some form of a cultural life example, when I take my niece and nephew to get toys for them, for Christmas, you go to the boys' store, you get a million stuff.  So many amazing cool toys.  You go to the girls' shop, you get some unicorn ‑‑ I'm not saying unicorns are not nice, but my point is culturally we need to also ‑‑ to see if we are actually grooming them not to be innovative and also involve in this creative industries.  And that being the case, I think industries like companies or businesses should also be given priorities to women in order to participate in cybersecurity.  And my advice for my brother, I also experienced similar in my office, but then what I did was rather than giving them ‑‑ because it's a state level, step by step, rather than looking for an expert in engineering or someone who has years of experience, I went for FRC.  So when I was able to get someone, I got ‑‑ just got a lady who studied law, and gave her an opportunity, and she did tremendously well.  So the bar, how we get them on board we knees to be looked at.  If you want to pick them from a perspective where you're looking for an expert, you're going to chase them out.  Thank you.

>> JANICE RICHARDSON: Thank you.  I'm wondering if the audience has any last words that they'd like to add.  It's really important that everyone feels that they've had their say.

Anyone over that side want to take the microphone for a last thought about this hub?  Because we're going to be calling on all of you, yes, someone behind me, we're going to be calling on all of you to really support us in this, it seems so important.

Would you like ‑‑

(laughter)

You would?  There's a microphone somewhere.  No?  No?  No one further?

Well I hope that you're going to join us in this enterprise.  We are determined, after what we learned with the report, that we really have to move forward, we have to move forward together, and we talked about safety and security, but in French, security is the same word.  And possibly in other languages also.  No one can be safe if we don't have this security.

I hope we're going to continue working together.  If you have any ideas, please come up and tell us, because we are chasing ideas now, when we're working on this strategic plan.  Thank you very much for joining this session.  Thank you speakers, thank you Larry.  And I ‑‑ we'll be meeting in the corridors and talking further about this.  So thanks for a very interactive session.

(applause)