IGF 2023 – Day 4 – Launch / Award Event #69 Building a Global Partnership for Responsible Cyber Behavior – RAW

The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***

 

>> LOUISE MARIE HUREL: Welcome back to the session today, I am Louise Marie Hurel with the Royal United Services Institute. What is the goal of partnership and why is this important, before I turn to our great speakers both here and online. The focus of the Global Partnership is really to map practical understandings of what responsible Cyber Behavior means, how it is interpreted by different Stakeholders. For this first year, we are looking specifically at how States see responsibility in practice, what are the regional nuances, what are the contextual and cultural elements that shape the understanding of responsibility.

As part of these Global Partnerships, we have a structure. We have an Advisory Board.

I see that Chris is over here in the room representing the Advisory Board. Thank you, Chris.

We also have members. So the Global Partnership consists mostly of researchers and research institutions from across different regions. We have over 70 scholars and researchers involved.

The idea is that we have working streams for each of the regions, and we will be producing regional papers out of that, which will be a Global Partnership for Responsible Cyber Behaviour for the past year. So it is quite exciting, so stay tuned.

But there is the bigger question of why is this important, why is this relevant, and why now? So, if you have been following closely, the UN negotiations, the open‑ended Working Group, there are increasing tensions, and tough questions that are sometimes very hard to deal with from a diplomacy or geopolitical standpoint, but as a research community, this is something we can do. We do this as researchers from across different regions.

But there are different challenges from the background of this conversation. So, first there is a lot of understanding, even publication around big powers that often dominate the debate. That is fine.

But it leaves little space for other regions and other countries to kind of vocalize their own understandings and interpretation, so I think it is important to think about, how do we think the research Agenda around that.

Second is the international piece in security discussions are the highest level that one can have when it comes to, let's say responsibility in Cyberspace. In the context of the UN, we are talking about negotiating a document, right?

It is a place where you have an output, which is a consensus document, and you don't necessarily see the regional nuances in those particular documents. Perhaps you are just focusing on the highest political angle, so responsibility is potentially not just that.

There are other layers we need to consider.

And, finally, that there is, of course, a need for a greater contextual value in seeing responsibility, in addition to the norms that have been agreed at the International level.

So, to think about that over at the IGF with a multi‑stakeholder objective. So that is the goal of the conversation here. To bring stakeholders from each stakeholder group to reflect on how we see Cyber Responsibility in Cyberspace and practice. It is a snapshot of each of them, because we only have an hour, but hopefully it is a trigger for food for thought conversations we can have around each of these topics.

Today we have two people online, but I will present all of them. We have Regine Grienberger joining us online.

She had to leave but she kindly agreed to joining us and being online. So, thank you, Regine. She is the Cyber‑Ambassador at the Fortune office. We have Pablo here, and on my other side, John Hering, the Senior Government Affairs Manager at Microsoft. We also have Charlotte Lindsey. And we have Eugene EG Tan, an Associate Research Fellow. Eugene EG Tan, S. Rajaratnam School of International Studies. And we have Koichiro Komiyama, JPCERT, APAC. You can see we have a lineup of Government representatives, Private Sector, Academia and Technical Community here.

So, I will stop talking now. Regine, I hope you are here with us in Cyberspace and we can see you at any point. Is she online? Can I confirm with the ‑‑ Regine?

>> REGINE GRIENBERGER: I am. I am.

>> LOUISE MARIE HUREL: Wonderful.

The idea is really to be a conversation. It is supposed to be dynamic. I wanted to start with you to unpack the layers of what Responsible Cyber Behavior means in practice, right?

So, while the discussion at the UN has provided a framework for responsible State behavior, there are still many nuances we are still kind of exploring. For some states, for example, responsibility might be seen as calling out bad behavior, or irresponsible behavior through public attribution or sanctions, let's say, so how has Germany been positioning itself in regard to that? Could you elaborate a bit?

>> REGINE GRIENBERGER: Thank you, Louise. Thank you for the platform. The past OWG and the current OWB on Cybercrimes show the era when the Cybercrimes are only negotiated by a few capable states is definitely over.

We have now the whole UN Member States, the members involved in these negotiations, and also a lot more of non‑Governmental Stakeholders, which is good.

But, still, we need more smart people to sort out the complex issues that we have here, so I am really grateful that you established this platform.

For your question, I wouldn't start with attribution. The way that States can Strengthen the normative framework is implemented. It sounds a little bit trivial, but it is not.

We in Germany have no problem with the negative norm, so refrain from. We would never attack the infrastructure, but the positive norm, like protect particular infrastructure are much more difficult to implement.

We have, for example, at the moment, negotiations about a national law that is going to implement a new directive on the European level. It is the NIS directive, which is legislation to protect critical infrastructure. It sets benchmarks and standards for entities of critical infrastructure, and it will request a lot more of Cybersecurity experts to actually do this, do all the jobs that are mentioned in this legislation.

So, where do we find them? This is very difficult to implement.

The second thing that States can do is, overcome, monitor their own implementation, and share with others. In the last OWG with the discussions about a national survey, I think it was a Mexican proposal. I think it is a good thing to document what you are doing in order to implement Cyber Norms. It is also a way to share Best Practices and get others on board. And as we know, it is a cross‑border endeavor to implement the Cyber Norm, so it is a possibility to define the interfaces between national jurisdictions.

And the third element, I would like to mention, still before attribution, is capacity‑building. This has been defined in the last negotiation round as a two‑way street. We had a very nice panel also doing IGF, describing the challenges with coordination for Cyber Capacity‑building matches. I think we all have to do a lot more work to get this really going.

It is not only a question of money, but it is also a question of, again, Human Resources to be invested, but also, coordination to get the right things done.

Then the last thing is attribution. It is holding malicious Actors accountable. We reject the notion that we cannot properly attribute. I think we can. We have the technical possibilities and we have to use political judgment to put this in the international ‑‑ the observations we do on a technical level to put this into an international context.

So, we have established in Germany a nationality attribution procedure. The foreign ministry is the pen‑holder of the procedure and works together with other ministries and agencies and intelligence services who might have intelligence or other effects to contact with the procedure. We do it in a thorough, responsible way, so when we go out with an attribution decision, you can be sure we have the necessary background information collected and that this is something that is not done ‑‑ it is a political attribution because it is a political decision, but in the basis, there is a really effect‑based and responsible analysis of what has happened.

To, sanctions is something asked. It doesn't require attribution and it doesn't require automatically sanctions, but in the European Union, within the diplomatic toolbox, we have also the instrument of sanctions to use it together. This is something that we will probably see more often in the future. There is a lot of appetite for sanctions out there, because malicious behavior is really increasing from different sides.

So, I will leave it with that. Thank you.

>> LOUISE MARIE HUREL: Wonderful. Thank you very much, Regine. I think what we see from your points is that there are positive levers to think about responsibility. A positive understanding of responsibility, where you build capacities, where you think about the development of national laws and how do you connect that with the regional level when it comes to the EU, implementing things like the NIS directive and monitoring implementation, but they are negative not in the sense of a judgment call, but what it proposes.

There are levers such as attribution and sanctions within the State craft toolbox to think about responsibility as something that is external, right?

There is the internal responsibility of the State to necessarily have the capabilities and capacities to be held accountable when it comes to its own citizens, but there is also the external responsibility over there when thinking about if another state is acting or non‑state Actor and other states and vice versa that applies the vision externally. So, thank you, Regine. I know there is discussion of national policy and national law focusing on cyber. Pablo, over to you. I know one of the components is trying to connect the domestic constitutions development, the principles, with let's say the framework for responsible state behavior and the implementation of international law in Cyberspace. Can you explain a little more and give us you a little insight into that process. Because as I know, it is still under way, right?

>> PABLO: In 2017 we introduced our first policy.

While we tried to cover everything in cybers, but we set up a new goal and one was related to foreign policy, which is very important, because for the first time they were engaged in this process. Okay, our firm policy has a lot of principles and we basically said those principles and they are part of the foreign policy, and also part of our view on policy Cybersecurity.

That was important for us because it was in that moment that we started this work.

Then our Cyber Defense policy was released back in 2018, and was also very important, because it was one of the first that started with the basic Cyber Operation, where we conducted the respect of international law IHLs and international law Human Rights. And it was actually an initiative from the Minister of Defense, barring the hold or processing.

That is before the Minister of Foreign Policy made the statements. In coordination with the Minister of Foreign Affairs. And when it was released I think one week before the new administration in 2018.

But it is in English, so everyone who wants a copy of it, I am happy to share it with you.

I think it is still a lot of challenge that we would like to address in a new national Cybersecurity policy, which the text is ready. It was approved by the Interior Minister committee on Cybersecurity in May of this year. It can be released in 2023.

The new policy is actually a commitment to promoting international norms, the application of the international law and Cybersecurity, CBS, which is an important foreign policy. There has been a lot of work doing at the level of the UIS with establishing 11 CBNs in Cybersecurity.

Also we have worked on the international cooperation of strategy in Cybersecurity and also on the national position on national law in Cybersecurity. It doesn't mean we are not trying to work on this, but now is a big part of the mandate of the new policy, and I think it will be very important, because it is basically a commitment, coming from the President.

So, we have a mandate and we have persons working on this. But I think it is still a challenge when it comes to the response we have on our regions. As Regine mentioned, attribution. As to what other states think about it. Maybe under attack, but some foreign power, the question is, what is the benefit of making this an attribution? Is something necessary to do, or may the Press Release?

But I think there are some benefits, and something we need to discuss more internally at the level of the Government and other ministries.

As you know, in Latin America you have this problem of Governance of Cybersecurity, where you don't have, sometimes, national Cybersecurity agents in charge of this. You have committees, etc. So, that is something that we still need to improve more, and exchange views with other states.

Trying to promote this dialogue, what other states think about the application into International Law, what is your experience on implementing the 11 (?)

I would like to mention capacity‑building that is now critical, very important role, with a lot of Training Courses regarding application of International Law. If you want to take some important decision on this, and just develop a national position, you need people to really understand what we are talking about.

So, I think that is going to be ‑‑ I mean, the only I think law we have right now is our Minister of Foreign Affairs, which is really good, thanks to the training thanks to the OIS. And I want to talk about the outstanding work being done for Canada, the United States, Estonia, the UK, actually, with the Training Courses.

I can now also mention the global immersion leaders programme on Cybersecurity, thanks to that programme right now because basically one of the main focus to promote is small state behavior.

So, I think it is something quite important to promote this sort of dialogue. I think local partners will play a very good role in our regions to create this sort of space for the State to come get exchange.

As I said before, it is still a challenge. There are a lot of things we can do. My aim, the next time there could be an attack on one state in our region is Costa Rica. We can maybe come together with a collective response and say we really condemn this attack. Not naming necessarily who was behind it, but to show that in combination of something that can be done. Thank you.

>> LOUISE MARIE HUREL: Thank you very much. It is interesting to have two Government representatives in this panel, because you have kind of two ways of thinking about the nuances already of thinking about that internal dimension, and Pablo, you mentioned the whole development and the history of how Chile arrived where it is right now, and it is important to have the policy right now, because then the whole conversation of how to better connect the domestic side of things and how the policies have been developed with the International Law and advance.

To have that mandate, as you said, to be able to do that, which is quite important. We know, then, in terms of policy‑making in the region, it is really always about that. I think your point on attribution is also quite interesting. It is not necessarily there is a political interest in naming and shaming, but understand, this external responsibility is something that, you know, there needs to be a further trust‑building within the region to think about what are the channels, how can we make the POC directory within the CBMs at the OES kind of advance in that way and be more implementable.

So, now I want to shift to you, John. We talked a lot about states. A huge part about the whole conversation about Responsible Cyber Behavior goes to the Private Sector, right? Big companies like Microsoft, right? As we have been seeing its engagement. I wanted to do a very, very quick question. I think I will do a sandwich already with the second question I was going to ask you, because I am quite excited about that one!

The first one is really, so, as I said, Responsible Cyber Behavior is broader than just thinking about state behavior. What are the main lessons learned, and perhaps the challenges, or bringing together the Private Sector within the tech accord. Many people, I imagine some might be familiar, but others might not. Do you want to do a quick reply on that?

>> JOHN HERING: Yes. Our group has been around for five‑and‑a‑half years now. What is not a challenge is getting folks on the same page. It has been remarkable in how much there has been interest in joining the group. We kicked off in 2018, which is 34 companies and pushes 170 now. That reflects a lot of pressure that companies feel across the industry from our customers as Cybersecurity remains the domain of conflict, to make clear where we stand, what is our role as folks are developing the products and services so often weaponized by various Actors, including increasingly, Governments.

It has been easy to sort of get folks on board to say, hey, we have commitments to good security, protecting our customers, we are not interested in weaponizing our products and services to undermining peaceful technology. One of the challenges, though, I think, is getting companies that have such widely different capacities on the same page.

You know, some companies, like you said are large, multinational firms and many beforehand familiarity with UN processes and peace and security online are very, very foreign so it has been interesting to bring a broader swath of the industry into the conversation.

We have also seen real meaningful progress taken across the industry by virtue of the work of the technical accord.

Most notably starting a few years ago we started encouraging companies to have coordinated vulnerable policies in place as a part of baseline expectation.

When we called on companies to start doing that, there were maybe a dozen CBD policies you could find online and maybe today you can find I think 100 that are reviewable online. It can serve as a proofpoint for action for that group but also a point of reference for other companies to think about what would a CBD policy look like in that one particular context. So, that is one example.

>> LOUISE MARIE HUREL: That is fine. I said I would do one round, but I will squeeze in, because of our time, the second question over here to you, John.

You talked about the tech accord. I think it is an interesting endeavor to bring folks together from industry, across different levels. Not necessarily just strictly tech companies, in that case.

But when we think about Microsoft's role specifically, I mean that doesn't apply to just Microsoft but maybe other companies that have been engaging in context of conflict, crisis scenarios, right, I mean the war, so what is the role of the Private Sector in those contexts?

What is the responsibility of the Private Sector in engaging in conflict situations as we have been seeing right now in the Ukraine. What would you say about that?

>> JOHN HERING: A lot of that question is not my place or Microsoft's place to answer as it relates to armed conflict. But something that has been thrust to the Floor and certainly Microsoft has played a forward‑leaning role, the tech accord and conflict came out with a statement on responsibilities in times of armed conflict.

In particular for Microsoft, we focus on doing three things as it relates to the conflict in Ukraine. The first is hardening security for our customers in the region. If you are going to be exposed to a particular sophisticated threat Actors, making sure we are providing the best security we can. We did a lot of work migrating secure data into Cloud environments which made targets.

And we responded now to upwards of ten different generations of wiper malware in the context of the operations targeting Ukrainian data.

The third, and this is something we have leaned into more in the past year in particular, is regular reporting on what we are saying in the context of the war in Ukraine. We doubled, I think, a lot of our efforts around threat context analysis in particular. Not just talking about what Cyber Event was, but painting the picture of the activities of a broad threat Actor group, how they are aligned oftentimes with the military campaign.

We have seen missile strikes immediately preceding or right after Cyber Operations over safe targets or geographies. Microsoft obviously can't know the level of coordination and where it takes place within Government agencies, but the correlation would seem to suggest that.

But Microsoft has not been alone in this. There have been a lot of Private Sector companies leaning forward in similar ways. Obviously a lot of the success of those efforts to thwart cyber in that conflict are attributable to the Ukraine investigator to move quickly for a broad Multi‑Stakeholder Coalition. This is not going to be the list. One silver lining here is that it looks like a robust Multi‑Stakeholder Coalition that is well coordinated and determined can at least ensure that as this emerges as a domain of conflict, there can be asymmetric benefits to defenders.

>> LOUISE MARIE HUREL: Wonderful. I think that gives us a lot of food for thought. Of course, there are various types of companies engaged. Tech companies, threat intelligence companies. You can go more and more kind of like nuanced in the classification of companies involved in conflict, right?

I mean, there are evolving questions of whether they are combatants or not, on whether the Private Sector has an extra responsibility because they are infrastructure providers.

Anyway, I wanted to pass it over to Charlotte. Since we are talking about conflict situations, I wanted to talk more about the human element and the organisations that sometimes are the primary targets, or let's say the ones that suffer the spillover of a lot of that geostrategic competition.

So, Charlotte, I don't know if you can hear us? I wanted to check.

>> CHARLOTTE LINDSEY: Yes, I can hear you. Can you hear me?

>> LOUISE MARIE HUREL: Yes. Lovely, Charlotte. I know it must be so early there. Thank you for joining us. I know the Cyber Institute has been doing really great work in trying to minimize harm to civilians in Civil Society Organisations. Normally individuals in Civil Society Organisations, the third sector, are left by themselves to know how to best respond and protect themselves and their infrastructure.

Could you share more about what can be done better to support these groups?

>> CHARLOTTE LINDSEY: Thank you. I am sorry I can't be there in person but thank you for inviting me today. The Cyber Peace Institute has been working to understand the impact and harms of cyber attacks. Important to build evidence and data driven understandings of the harm inflicted by cyber attacks. There is always a lot of hypotheses, but what we have been trying to do is really foster more context‑aware approaches of the harms and impacts, so that we can also look and then what is the best way to support and engage in capacity‑building and building resilience for particularly vulnerable communities.

So, I think that is a very good starting‑point, understanding the evidence and data‑driven impact and harms.

What we have been looking at, for example, a particular vulnerable group have become more and more impacted and targeted by cyber attacks are Humanitarian and Human Rights development organisations work to support victims of armed conflict and vulnerable populations in crisis situations.

What we have done there is really built both a Humanitarian Cybersecurity Centre, but also very specific Cyber Peace Builders programme where we match the needs of individual organisations to cyber resilience and capacity‑building support that can be provided free to those organisations to help them respond and build their capabilities to prevent or to respond to attacks.

I think that is a very important point. But then on the policy side, it is really important to take the understanding and lessons learned from that, and inject that understanding into policy discussions. For example at the open‑ended Working Group, or the adjunct committee on the Cybersecurity Convention to say this is what is happening and this is what needs to be done to prevent that.

Another particularly vulnerable community we saw during the pandemic was the healthcare community. We saw during the pandemic, particularly, the heightened two years of the pandemic, we saw increasing attacks against very critical infrastructure, the healthcare infrastructure, linked to the response to the pandemic.

One of the things we did with our partners there, the Government of the Czech Republic, Microsoft and the Cyber Peace Institute, we built a multi‑stakeholder compendium on Best Practices, on protecting the Best Practices from Cyber Harm that is practical recommendations to improve the resilience of the Health Sector. Looking at practical recommendations of what has worked and building that into resilience programmes.

And lastly, we have been working over the last two years on the cyber attacks in times of conflict, particularly related to the Ukraine and Russian conflict. There we are monitoring currently at the moment 112 different Threat Actors who are very loud and proud about the attacks they have been carrying out. They have been self‑attributing, so obviously there still needs to be more technical, policy legal attribution behind that but it speaks to what we said in the beginning, being clear about the responsibility of states, also to make sure that attacks don't happen from their territory or potentially hold persons accountable for that.

I think where that will be very important steps going forward, looking at how those that have breached the laws and norms will be held accountable.

>> LOUISE MARIE HUREL: Thank you so much, Charlotte. I think that starts to paint to us, let's say a gradient of understandings of responsibility that are complementary, right? We discussed the national, domestic and external notion of responsibility. When we talk about statecraft and what that means when it comes to applicability of the norms. We talked about the Private Sector and the evolving understanding of what it means to engage in conflict situations, being a company.

Not that Private Sector has not been involved in conflict. When we look at other context, it is not new, but when we talk about the Tech sector engaging in protecting and providing support and assistance, then maybe we are talking about new dimensions of responsibility over there.

And now, looking at the third sector, looking at Civil Society Organisations and what the Cyber Peace Institute has been doing, there is an extra layer there, how the Civil Society Organisations can feed back into Government, and say, you know, these are the harms. Be very thorough about the data that we collect and be able to hold them accountable for the actions and the spillovers of many of these activities, right?

Charlotte, I will get back to you on the second question, definitely. So, I will now pass it over to Eugene. So, Eugene, now we are on the sweet spot, because, as a person that comes from Academia, my heart goes out to you, as well as a Fellow person from the same sector.

I was wondering, at the heart of the Global Partnership, really lies this commitment to foster research‑led dialogue with different views from different countries and regions on the topic.

Are we doing enough as a research community to really connect those realities, or are we really in our own silo? How does RSIS be involved in this silo is.

>> EUGENE EG TAN: For the longest time I think academic research has been done on an individual, regional Case Study basis, where actions by states are documented under actions and commitments made by states. From this we draw Best Practice and implement it in an arbitrary manner.

What has been lacking in research is this common measurement of what responsibility actually is. Which is what makes this project so exciting. What makes this project doubly exciting is how wide the consultation is, and the intersectionality of each individual on this panel, online and even in this room here brings to the whole project.

This means the discussions, the findings, come from a group of people, not just a snapshot from a specific region or perspective, but one with a wider context of responsibility with States, industry, Civil Society, academic view, coming together on a very global scale.

So, this brings me back to your question about having need to connect different realities when doing comparative studies among the region.

So, I think as an academic community, we haven't necessarily done enough talks across regions. Academics tend to focus more on individual context. This can be area studies. This can be specific topics that you are interested in. But I think that has been changing, especially when funding is starting to come online, where academics like myself can actually interface with different regions.

I mean, I met you first in Mexico. An Asian person meeting someone that is basically from European in Mexico. So, doing so helps us build that bridge, helps us understand the different context we reside in. And I think this broadens the richness and conversation, broadens the conversations that we have, and I think we are all richer for that. Yes.

>> LOUISE MARIE HUREL: Wonderful.

I wanted to follow‑up on that, actually, Eugene. It is quite interesting, the need to connect the goal, let's say, research community around this indefinitely it is at the heart of the GP‑RCB, the Global Partnership for Responsible Cyber Behaviour, seeks to do. But, Eugene, what can we do better? You started alluding to points there, but what can we do better to develop a research Agenda that is attentive to the cultural, contextual, kind of elements that might play into defining Responsible Cyber Behavior?

>> EUGENE EG TAN: You are asking a Fellow academic how to do research design. (Chuckles) Personally, because this is a global study, it is going to be really difficult to control for all the cultural and contextual elements across the regions and different states.

So, what would be reasonable would be to pull out the common strands of what constitutes responsible behavior, and not these deviations from the norm.

This would enable us to put out a document, which potentially defines responsible behavior as a baseline, rather than building on existing research, which is to provide a Case Study on how States think or how businesses think, how they are being responsible.

Because it is such a nebulous concept of responsibility, right? There is no one measurement, like I was speaking about earlier. Because there is no one measurement. Everyone thinks they are responsible, right?

So, it is how we draw out these extra measures, how we can actually inform the whole community as a whole, how these extra measures can be actually implemented, that will bring value to the whole ecosystem.

>> LOUISE MARIE HUREL: Absolutely. And I think, from what I am hearing potentially, is painting a spectrum of responsibility. We already have the norms, right? They are at the International level. How they are interpreted, we have the area studies, of course. But I think your point on understanding the deviation element is quite fundamental, right? And how do we access those, let's say practices to be able to draw that.

So, that is part of what we will be doing in the next year, so that is quite exciting.

I wanted now to turn to Koichiro. You have been engaged in so many different bits and pieces of the Technical Community, right? As being part of the first Advisory Board and so on and so forth with JPCERT. I wanted to speak to you about the CERTs' important role, the norm to protect CERTs against being targets and a fundamental role of maintaining the security of networks and systems for many years now.

But many countries have now established reporting requirements, right? We discussed that a bit. For instance, is it realistic to expect organisations to report incidents within a short timeframe sometimes? Or to have Governments require that some vulnerabilities and incidents be first reported to them?

So, I see there is a responsibility from the side of the CERT community, right? But is it realistic to expect certain things especially when it comes to vulnerability reporting and reporting requirements?

>> KOICHIRO KOMIYAMA: Thank you very much. I am Koichiro Komiyama from Japan from the response team. I know you mentioned CERT, to protect the global Internet. The role has changed in the last few years.

Include, furlough in this case, reporting Cybersecurity into CERT India, the Indian CERT, and since I spend a week in IGF meeting this week, I ran the Sri Lanka war similar negotiation a few months.

I also like to note there are many other Government agencies who received the security incident reports. For our case, Japan. If there is a Cybersecurity incident, they share information with JPCERT, but if they are associated with personal information leak, then they have another, another Government‑led commission which they are mandated to report up. And instant disclosure to US financial institutions.

My second point is, you may be not familiar with what we are receiving. For example, JPCERT, we receive 27 cases or incidents per year. And about half the cases, or half of the incidents, we need to engage, or we need to communicate with someone in the United States. The ISPs, the platforms, researchers in the United States. Then that is half of our received report.

Another 30% to 40%, we need to reach out to China. So, US‑China combined, is more than 80%. And from this fact, I like to suggest the Cybersecurity may not be as global as you imagine. What is crucial on the Internet is not very ‑‑ very distributed, but, rather, concentrated in a few places on earth.

The other thing is, you know, often regulatory misunderstood, if they got more information, they can make more accurate decisions or assessments to us, among 20,000 of the cases, what we like to see is less than 1%.

Only less than 100 cases can be used or very beneficial for us to honor as what type of APT attack is happening, which, Japanese great gulf infrastructure is compromised already? And others?

The last is not something, you know, is not very informative or actionable, at least for us.

Now, I like to conclude my last point, that the worst‑case scenario is the local registration hinder or undermine the international or global information‑sharing, which we have been doing for us 10 or 20 years.

Log4j is a good example. There is a common software library we use everywhere. And this was first identified by a Chinese researcher working for Alibaba's subsidiary.

They made a great job to identify the issue, and then also sharing it with Log4j immediately. But far from being praised or, you know, getting the word, someone about Chinese authority incident. A chilling effect among Chinese Cybersecurity.

I do not expect they can share information with JPCERT or other Government agencies in the future.

So like we see data being localized, we also see vulnerability information being localized. We are in the middle of the process, and I like to look at exploring how we can fix this issue, you know, make sure vulnerability information is being shared among Stakeholders, or who should know. Thank you.

>> LOUISE MARIE HUREL: Thank you very much, Koichiro. On the one hand the State ‑‑ going back to Regine and Pablo over here, as a state we need to develop regulations and develop national policies that we make sure that we have vulnerability disclosure, that we have, kind of like procedures in place.

Understand it is kind of like, let's think more carefully about what the procedures are, and whether that actually hinders our communication channels that have been established, right?

I think we can see that not just for J but the NIS directive. There is always the process of adjusting in many ways, is the timing correct for expecting CERTs to report. Is it responsible, it is an understanding of what CERTs are responsible to do but is it, in the end, feasible or not. We always try to figure that out in one way or the other.

We have 10 minutes left. Thank you to our panelists for really sticking to the time. I want to open the Floor to those of you that may have questions. I wanted to open up the conversation. Are there any questions from the audience? Or are we just tired?

>> JOHN HERING: I would ask policymakers to think about the impacts to the research community. It is not just some of the ones you were citing, but also the current negotiations around the Cyber Resilience Act in Europe and mandating unexploited vulnerabilities to Government agencies, which are not necessarily in the position to take action to fix that, prioritizing getting it fixed and keeping companies and users secure.

And then there are people that want to replicate the policy. You create a race to the bottom that have different imitators with vulnerable reporting requirements which may not be in the interest of the best product security and keeping the most sensitive data secure.

>> LOUISE MARIE HUREL: Great. Any other points from the audience? No? Everyone is very tired. It is the last day of the IGF. I get you. It is very overwhelming. I want to go back to Charlotte. Charlotte, if you are still online. I wanted to follow‑up on the dimension of Civil Society Organisations, right? I think it is undeniable, talking about state responsibility, talking about private sector responsibility, there is an interesting spot which is definitely the development of commercial hacking tools or spyware, which is also a very tricky topic, both for democracies, and, let's say, those in the spectrum and authoritarian regimes. What accountability measures do we need to be setting in place to protect citizens from the misuse of those kinds of technologies.

>> CHARLOTTE LINDSEY: Great. A great question and one we could take a lot of time on, the use and abuse of Human Rights and respective laws, see this as a growing and lucrative market. The issue of accountability, first we have to look at as a responsibility of all Actors.

Particularly, we have to look at the focus on how do we get redress for victims. So, if there Governments are able to hold accountable those that cause the violations of Human Rights, what is the redress for victims.

But if we look at the measures that need to be taken, and we have talked about this before, public attribution. You have to be able to identify the Actor, build on, enforce findings of any technical analysis to achieve accountability, you have to be able to hold somebody accountable, so attribution will be an important aspect of this.

Then looking at legal action.

We have seen some countries that have taken legal action now. So formal investigations. And if the investigations build enough evidence in cases to then be able to bring legal cases, which will then focus attention on who commissions, who is financing, sanctioning, such abusive use of surveillance technology, and that can support driving accountability.

I think that we dot ‑‑ I think it is important to look at the States have a legal obligation to protect and promote Human Rights, and hold those who violate them to account.

So, looking at state responsibility and how states are taking up this responsibility is important.

And then also looking at how you operationalise accountability at the International level. I think this is very important. So, collectively, Governments have to shape the political enormity of environment related to spyware, particularly where spyware is now being carried out as a service to abusing Human Rights.

That needs to have a coordinated response to ensure responsible State behavior at the International level, and to promote accountability between States because of, obviously, there is a lot of cross‑border issues that are critical here.

So, States will have to act on their responsibilities in order to engage individually and collectively to bring perpetrators to, and hold them accountable.

Accountability also requires transparency. So that is about surveillance and spyware.

There has to be a willingness to be much more transparent about what is today a very opaque market about the supply and demand and the use.

So, transparency is a really important step. And then, yes, as I say, I think there are a number of laws norms that can be brought to ‑‑ that can be invoked, and I think that will be very important to look at where Human Rights of individuals have been breached, holding them to account, that can't be armed or something like the International Covenant on international and civil and political rights and the economic association on economic and cultural rights.

I would like to conclude there is a collaboration ongoing during a number of Civil Society Organisations at the moment. And I am Co‑chaired by the Paris accord and the Cyber Peace Institute where we are working on a multi‑stakeholder agreement for transparency around the spyware and Cyber Mercenaries market.

The first iteration of this will be brought to the Paris Peace Forum in November.

>> LOUISE MARIE HUREL: Wonderful. I see you want to chip in.

>> JOHN HERING: Two quick points because I saw a colleague that said, oh my goodness, we are having the same conversation on Cybersecurity when I left Cybersecurity five years ago. But I want to relate, things are moving forward, especially as it relates to accountability via attribution statements. One thing exciting in the last year‑and‑a‑half is to see Governments include for the first time norms violations explicitly in attribution statements they have released publicly, which has been first innovations in a public attribution statement that I have seen in a while, and my jaw dropped when I saw it, so I hope yours can now, too.

And the second piece has to do with the innovation of the use of Cyber Operations in the context of cyber armed conflict. We saw the ICC operator say publicly his office has a mandate to and will be investigating cyber‑enabled war crimes. If you think of what that means to uphold expectations in the context of peacetime and warfare, that is important evolution, as well.

>> LOUISE MARIE HUREL: And, you know, any of the other panelists would like to chime in or have a tweet of a last remark? No? I will trigger then Regine and Pablo quickly if they want to respond to this.

I think in terms of the last point on thinking about transparency measures and accountability, over at the OEWG, there has been a lot of discussions, as well, as to whether to include the Actors, like Cyber Mercenaries or spyware, more explicitly defined or made recognizable in the emerging threats discussion there.

How can we involve that particular kind of discussion? Is it ripe for inclusion? Or is it ripe for further kind of elaboration or discussion on these kinds of emerging threats right now over there?

I know this was a key point of contention. I don't know if, like again, a tweet. From either Regine, if you are still online, if you can hear us, or Pablo, in the last spot over there?

>> PABLO: It is a good question. I think in my point of view, maybe personal point of view, when it comes to our conversation on how to move on at the end of the Working Group and the different intersections, sometimes we have to be very careful on what exactly we want to put there, because we have to agree by consensus.

That is the point, you know, how you can start a conversation, discussion, and things of importance there.

But the other point is, if we start some conversation, things will probably create maybe not the consensus we want. It will make our conversation difficult, so it is a difficult balance.

Now it is true, especially on the threats over in Korea, for example, the Artificial Intelligence, new techniques, we still need to be careful, especially with AI, for example.

Other conversations, other discussion. I think it is probably one of the challenges we have with emerging technology, where exactly we discuss one thing or another.

But still, it is up to the State, in a way to try to see how we can address this one. The Cyber Mercenary can be challenging. A mercenary years ago, a concept I have never seen before, but it is something in a way reflected, the concern of the State, in that case, of course, is to discuss this in that Forum because that is a place we have right now this conversation, so in a way we cannot stop it, but again, how can we see if we cannot create this problem, especially here on a Friday with the United Nations when everyone wants to go back home and try to get this consensus. Thank you.

>> LOUISE MARIE HUREL: Thank you for taking this last curve ball over there. I wanted to thank you all for sticking over here. I think having a slightly kind of full room at the end of the IGF is not trivial at all. I hope you can stay in touch, the Global Partnership for Responsible Cyber Behaviour has its website where you can access more information on our institutions, global partners and get in touch if you want to get involved in research.

I want to thank my panelists, Regine and Charlotte online. Thanks to you and all of you. Keep in touch.

(Applause)