FINAL TRANSCRIPT
EIGHTH INTERNET GOVERNANCE FORUM
BALI
BUILDING BRIDGES ‑ ENHANCING MULTI‑STAKEHOLDER COOPERATION FOR GROWTH AND SUSTAINABLE DEVELOPMENT
THURSDAY, OCTOBER 24, 2013,
2:30 P.M. ‑ 4:00 P.M.
WORKSHOP 175
INTERNET SECURITY THROUGH MULTI‑STAKEHOLDER COOPERATION
The following is the output of the real-time captioning taken during the Eigth Meeting of the IGF, in Bali, Indonesia. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
>> MARCO HOGEWONING: Hello, my name is Marco Hogewoning, I work for the ‑‑ I will be moderating the session, together with Nurani Nimpuno, and I'll let her introduce herself first.
>> NURANI NIMPUNO: Good afternoon, everyone. My name is Nurani Nimpuno and I work for Netnod. We're based in Sweden and Marco and I will be moderating the session. So the name of the session is Internet Security Through Multi‑Stakeholder Cooperation. So the aim of the session is to explore, basically, all the components in this Internet ecosystem and different roles when it comes to ensuring security in the various aspects of security.
So we have a great panel today. We have four people here physically present and we have one participating remotely. And we want it to be an interactive session, so feel free to stand up, and maybe not throw things, but throw questions at us.
So I'm going to say who we have on the panel and then Marco is going to give an introduction.
That wasn't just me, right?
So I'm just going to mention the names of who we have on the panel and Marco is going to give introduction and set the scene a little bit, then I'm going to throw a few introductory and tell us about all the various hats you have. Say a few words about those questions.
Okay. So we have Pete Resnick. We have Merike Kaeo, Constantine, and Robert Guerra, and participating remotely, Tatiana Tropina.
So, Marco.
>> MARCO HOGEWONING: So before we have the panel introduce themselves and explain why they're in the panel, just a quick sketch of the landscape we're operating in. This is multistakeholder and we hope we found people from multiple stakeholders for this panel. And security landscape, and it's quite broad and a lot of people involved. So, of course, we have the standardization organizations with, in Internet terms, the IETF being one of the leads there. Of course, in IETF, there's a lot of security work being done and essentially it's always considered security by design. Of course, they're not allowed in this field. We have the W3C and IEEE equally involved and coming from the same area in the technical community and building secure standards and offering people that line of work.
Of course, technical community the operators there to implement those technical standards, that's where it all starts. And not only they're the ones implementing the standards, but from basically the early start of the Internet they were also involved in making secure and responding to incidents. For instance, in spam and everything that sort of grew into the operational community, then as that world got bigger and more important, we saw within the industry specific organizations incorporating on this area and exchanging information to deal with incidents to deal with certain forms of abuse exchanging experience and together coming up with solutions.
From that you've seen things like team comery and ‑‑ dedicated industry bodies that talk about security. But, of course, also groups like RIPE or NANO, I've got security threats, I've got anti‑abuse working group, and things like that. So there's a huge participation from the technical community. And, of course, I'm inclined to say the other side, that's we're looking incorporation here. But from public sector, of course, the traditional sense, law enforcement always involved in security. Of course, when things illegal happen, ultimately, you need law enforcement there to take action. But also more recently, more dedicated units more dedicated teams to focus on cybersecurity, cyberdefense, et cetera. There you see cooperation in national levels, cooperation in international levels.
Now, unfortunately, we were expecting a participant from Interpol, but he can't join us for now.
And then somewhere in between, I think are the surge where you see a good example of public/private cooperation where surge incidents, response teams that again are primarily focused on exchanging data and protection. The moment you seeing something happening on the Internet, what's vital is you take action immediately. You want to get ‑‑ if you see your host spreading viruses, you want to take it offline. If you see mal ware being distributed, you want to act upon it, you want to update your virus scanner et cetera.
So just to introduce you to the field, the players ‑‑ I can keep going. More recently what we also see is, yeah, what I would describe as data or information clearing houses. You may have heard of the ACDC project that's being funded by the ‑‑ starting off in Germany and exchanging information about it. More local initiatives like the Dutch ‑‑ all sort of try to bring together different groups and exchanging information and together trying to make the Internet a secure place. That's sort of the take we want to have for this workshop is to let's see how we can further enhance that cooperation.
So I will leave now to I think Nurani to coordinate the panel introductions.
>> NURANI NIMPUNO: Thank you. We're not going to hog this space, though, because we've got actual experts here. But so as Marco mapped out two of the efforts and we're hoping that this will be an educational panel because we find that security is such a big bucket of things and it's hard to talk about security as just one thing, unless you go in and speak about specific issues. Also when doing so it might be good to know what existing efforts are going on because there's a lot of work going on in various parts of the Internet community. So we're hoping that the panelists in their different roles can contribute there.
As we know, the Internet is growing a lot from this very small research network to a network of two and a half billion users. There will be another billion users in 2017. That's mind boggling. That's a few years away, four years away, and there will be one more billion users. 8.2 billion global mobile connections. Alone in China, India and Indonesia there will be 3 billion connections, and Africa will be the fastest growing region. So clearly, the Internet has faced challenges in terms of growth, certainly in terms of security in the past. So it's a system that's going to have to continue to evolve.
So, what I'd like to ask the panelists as I ask you to introduce yourself is, first of all, what do we mean with security? You know, so let's ‑‑ if we're going to talk about security, let's try to go into specifics. It's often in a very broadly used term it can be entertaining to talk about, but it's not until you go into the specifics that it's helpful. You know, are we talking about someone losing their password? Are we talking about spam? Are we talking about data protect? Architectural vulnerabilities? So for you, what do you see as the most important security questions that you'd like to raise now? Are they work that's ongoing that you think is good and you'd like to share, or challenges that we need to address? What is your role in this? In what way are you involved in this? And also, what can other stakeholders in this ecosystem do? What do you see a need to talk to each other where they might not be doing so at the moment?
So those are three questions.
>> PETE RESNICK: Hello, I'm Pete Resnick. I always have this problem with which hat I'm wearing today. I am an employee of a company called Qual Com for which I do scant little work lately. I am the Applications Area Director at the IETF, which means I'm sort of out of the direct security business at the IETF. I'm not a cryptography expert or secure protocol expert, but I am in effect leading the area that uses all of that security infrastructure. And then on the side ‑‑ well, my involvement originally in the IETF was through electronic mail protocols, so I've had some experience with spam and other aspects of unsolicited commercial e‑mail.
So Nurani asked what I view security as and what are the most important security questions. Jari Arkko in his introductory remarks in the opening ceremony said something I thought was very poignant; when it comes to protocols on the Internet, the IETF builds things with security off by default. That is specific action to turn the security features of our protocols on when we decide that's important. We go to a website and we say we want to use HTTPS, secure HTTP, that is encrypted only when we're going to our bank or something that deserves security.
When we use e‑mail, it is almost always in the clear. It is plain text and we only use encryption in the most extreme of circumstances. And I would venture a guess that most people in this room, including myself, don't use encrypted e‑mail most of the time, let alone signed e‑mail, cryptographically signed. I think when I think about those important security questions, I'm thing about do we want to change those assumptions? Do we want to start moving in a way that makes us use security, use those secure protocols as a default way of dealing with the world? And some of the reason we don't do that is I think for basic principle; that we in the IETF and a lot of the technical folks have sort of made the perfect the enemy of the good. We tend to build protocols where we want to be absolutely sure they're secure, instead of ‑‑ and we can talk about this as the discussion goes on, building protocols where you get a good amount of security and if you need perfection, we give you the ability to do that. But if you don't, you still get some good amount of security out of it. And so I think those are the topics that I've been thinking about lately and that folks in the IETF have been thinking about quite a bit.
I could go on forever, so I'll leave more to the discussion.
>> MERIKE KAEO: Thank you. My name is Merike Kaeo and I currently have the title of Security Evangelist at a company called Internet Identity, also known as IID, who has been primarily for a decade doing phishing takedowns and also managing intelligence for people and is very much involved in data sharing.
Personally, I've been involved in many various aspects. So I used to build networks. I used to work for a vendor and actually wrote a book on how to create secure networks. It's a Cisco Press book. And I've also helped educate a lot of global constituents about what does security mean in their environments.
I'm also currently on the Security Advisor Council for ICANN. So when I look at security and what does it actually mean, it's a hard thing to define in a very clear manner because there's so many aspects to it. So if you look at it from businesses of critical infrastructure, it's really about risk management. And the thing with security is that it encompasses absolutely everything that deals with electronic data. So it comes down to the physical aspects; right? Who has access to the physical equipment rooms or the devices themselves. And then also it speaks to a large number of areas in terms of access control, how do you authenticate somebody? Do you want integrity? Which means if I'm sending data to somebody, that nobody can take the data and change it on route. Do I want privacy and what do you do with auditing? So the process of actually looking at all of that is everything that encompasses, quote/unquote, security, which I really look at risk management.
And then if I look at it from a technical perspective, it's really ‑‑ when you're creating protocols, what you're trying to do is you're mitigating, you're trying to mitigate abusive behavior from a technology protocol level or technology level with trade offs for performance and usability. The reason why you don't always ship everything with encryption on and all the security functionality is because there are tradeoffs with performance and usability. So you have to take all of that into account.
>> KONSTANTINOS KOMAITIS: Good afternoon. My name is Konstantinos Komaitis and I am a policy advisor at the Internet Society. I am not a techie, but I am in great company so I feel quite secure. My previously, before I joined the Internet Society I used to be an academic working especially in the field of regulation. And partly of the reason why I think I am here is to talk about the challenges of actually regulation in the context of the Internet and about this multistate called a framework that we keep referring to, especially in relation to security issues.
So, considering the definition of security, I will not even attempt to provide a technical definition. I think that what we can identify is that security as a concept is in constant transition. It changes all the time. Thus understands about security change all the time because they get carried away, if you want, from technology and the challenges that we see. What we also know is the fact that the landscape covered by the term cybersecurity includes many types of problems and it certainly includes a great number of solutions. And some of them, of these solutions can be found in the technical sphere, and I'm sure that Pete and ‑‑ I'm sure our techies will speak about it. And also can be involved through education, through policy or through regulation. However, at the same time it is very important to understand that regulation is not always the answer. And I ‑‑ it is very tempting and I understand the need of the nation state if you want to proceed to regulatory frameworks in relation to security. However, because of the fast evolving and the fast paced, actually, changes that we see, we really need at the same time to be very cautious.
I really think that cooperation and shared responsibility is crucial in the context of security issues. We are all part of the network. I mean, for me security, for example, a couple of year ago only included password and somebody stealing my password. I'm sure that this is not even now a basic. I mean, it's a stupid way of thinking of things. But a lot of people do not know what are the security risks. They don't realize what they're engaging in when they're using the Internet. And I'm not talking about first‑time users. I'm even referring to users like myself who have been using the Internet for many, many years. So it is very important that there is a consistent and dialogue that takes place in the context of security because of the technical difficulties in the complexity, we need to start bringing together closer the communities that are dealing with security issues. We mentioned the IETF, the Internet Society provides institutional home for the IETF and there's a lot of work being done here that it doesn't get the exposure that it should be getting, not only at the level of users, but also at the level of policy makers.
So I will stop here and just want to say that, you know, as a first step, let's start, folks, the cooperation and we'll, of course, continue this discussion. Thank you.
>> ROBERT GUERRA: So good afternoon, everyone. My name is Robert Guerra, I'm with Citizen Lab from University of Toronto. So for those of you not familiar with the Citizen Lab, I can speak in more detail. Suffice it to say that it's an inter‑disciplinary laboratory that's working at the nexus of ITT's, human rights and global security. That's kind of institutional hat. Long before then been working on issues of, you could say, kind of digital security for human rights organizations and kind of NGOs. And so that's kind of the framing in terms of the, what I would say kind of the least resource actor at the table that works on slightly different issues, but also is using technology and using very sensitive data.
In terms of ‑‑ in terms of the definition based on the type of stakeholders or subtypes of stakeholders which are groups really working with time sensitive data for a variety of reasons, they can be for legal cases, corruption cases, a lot of times it's data that if in the wrong hands could lead to serious consequences on people's lives. Then if one uses the definition from that perspective, it could be security for them is making sure when they use technology and the Internet that they can be safe from harm, safe from danger, and they can be protected in either with protocols or with procedures in place to make sure that stays safe and confidential.
In terms of the role of the citizen lab, as I mentioned earlier, it does work on a couple different things. But in this context is we've been working for many years on advanced research, don cybersecurity, particularly mal ware. We had a study several years ago that discovered that the office of His Holiness, the Dalai Lama, was affected by male ware but so were a variety of different governments, companies around the world, and other involved in this made headlines in the New York Times and many other press. So we've been really following how this resource factor gets attacked and we study and work with a variety of organizations, do forensic analysis ourselves.
And the importance to that I think is how we can contribute, a lot of times there are a lot of assumptions in terms of what the challenges different organizations are. There's a lot of training that takes place for NGOs. U.S. alone spent well over $150 million supporting initiatives. But where's the data? Where's the research to try and drive that? So we in our humble way try to do that. We'll be coming out with a report later this year. So I think the importance there is what I would say is working on research‑based policy and getting into the question in terms of how, so how I contribute, well, the organization works with a variety of different sectors. Because we're at university, we do something that governments and many others can do is we help convene and we help try to bring different stakeholders together.
The major issue right now, I think it varies. Had you asked me six months ago, I would say targeted threats and the huge growth of the zero day industry. I think after the revelations of the summer, I think it's the erosion of trust and the changing in terms of the issue of SERTs came up earlier. What we heard earlier in the sessions, I think yesterday at the IGF, is because of national security, the trust is not as realtime, the conversation is realtime, there's a lot of national security agencies that are now being involved in SERTs more and a lot more vulnerabilities I think are in the system.
And I think another thing in terms of how we contribute, we've been discussing over the last couple months, recently in terms of that it's really important to bridge and create bridges between the technical community and the NGO or research community as well. So we've been saying that and you put me on a panel that bridges the technical community and the research community and the IGF is about bridging. So I'll leave it with that and look forward to the conversation.
>> MARCO HOGEWONING: Okay. We've got ‑‑ in the meantime we've got our second remote panelist, which I'll introduce you in a second. But I'll leave it to Tatiana Tropina now.
Tatiana, if can you still hear me, you can briefly introduce yourself.
We can see you, but I can't hear you yet.
>> TATIANA TROPINA: (Audio difficulties.)
>> MARCO HOGEWONING: She is speaking. Tatiana, I can't hear you.
>> TATIANA TROPINA: (Audio difficulties.)
>> MARCO HOGEWONING: This goes nowhere.
Apart from we are on right track building the next rage in music, may I suggest our remote panelist use the chat and hopefully Chris can relay it without echoing.
Who do we have online? We've got the channel line from the Max‑Planck Institute and the other one who joined and who already admitted he had audio problems is Kimmo who works in the outreach Department of Interpol. Maybe you both can give a brief opening statement on chat and we'll have ‑‑ we'll come back as soon as Chris has them in, if that's okay.
Shall we just kick off? Your question?
>> NURANI NIMPUNO: All right. I have a few questions I think a few people touched upon. So one is this multi‑set. You can't say that multistakeholderism; right? It's like swearing in church. Of course, we're into multistakeholderism. But aren't there challenges with that? Really, I mean security is a really complex thing. Sometimes you need bigger responses. What's good about multistakeholderism is you get several different views, but it's not always the most efficient process. I think anyone that has been involved with the idea knows that it's about ‑‑ yeah, it can be quite a painful process.
Do we really need that? Isn't it better if we leave to it one party to fix these things for us?
>> PETE RESNICK: I'm happy to jump into the fray, because as Konstantinos was talking about this, I was scribbling some notes. One of the things I think is really important about the multi‑stakeholder model is that you're bringing together not just people with different stakes which is, of course, definitionally true, but different expertise. So really has scant little expertise in what it is to make a proper regulation and how to enforce those laws.
The government has scant little expertise in the technology, and maybe even at different levels what the business community needs out of security.
One of the things that ‑‑ and we've seen in both directions, one of the things that we run into trouble with is that we either jump into each other’s pools, or we expect the other group, the other stakeholder to take care of everything. And I think neither is useful. So, for instance, government needs to understand when they're making a regulation what technologies are available, and needs to know what they can address and what they can't. And going to the IETF, for instance, and saying why haven't you solved the spam problem? Why haven't you solved the Botnet problem? Is a little silly to us. The answer is because we can't. You're missing ‑‑ we can provide you tools and those tools can help a lot, but someone else has to provide the economic incentives, the regulations, the rest of the things that go with that.
So I think, yes, there is a problem with trying to make a decision collectively as a multi‑stakeholder group. But understanding each of the groups individual ‑‑ each of the stakeholders individual expertise and using those strengths is the way to accomplish that.
>> MERIKE KAEO: Whatever happened to women first?
Yeah, I will ‑‑ actually, want to make two comments here. I absolutely agree with my colleague Pete here about the multi‑stakeholder model just absolutely needs to happen. What is quite interesting, that lawyers spent many, many years understanding the legal frameworks and their policies. Technical people spent many, many, many years understanding the fundamentals of the technologies and creating them. You know, politician, same thing. So we all have our fields of expertise and I think sometimes the challenge is having the patience to understand each other's viewpoints. You can always say, oh, they don't get it, they don't get me. It's okay.
What I have found, personally, is that I have learned a lot about human rights issues. You know, some of the legislative issues that varying geographic areas have to deal with. That's another point that is extremely challenging from a security perspective when you start talking about different geographic areas because different countries have different laws, you know, sometimes tied to cultural issues. So even, you know, trying to figure out what is actually cybercrime across different countries may be challenging as a definition.
So I think bringing together multi‑stakeholder model we're educating each other on all of these issues and then collectively in some forms we have to come to some kind of agreement in terms of what is best for all of us. We're not going to have the best solution, but step by step hopefully we'll get there. That's ‑‑ I think the model so far is really working and this is my very first Internet governance forum meeting and I can say I've learned a lot already.
>> KONSTANTINOS KOMAITIS: So what's the alternative if it's not multistakeholder? The alternative is for additional regulation. We have already seen that this is really not working in the context of the Internet. So, that's the first thing. And it's not working because the nation state as an entity really wants to preserve what they feel are their priorities. And the priorities of one country are not necessarily the priorities of the other country. And the understanding of security of one country is not necessarily the same as understanding security of the other country. So regulation ‑‑ and by regulation we are referring to this traditional form of regulation ‑‑ has a tendency of being trapped and should be on subjectivity and be based on national needs. And we're talking here about the Internet which is global.
The second thing, multi ‑‑ so, by default, we are thinking of multistakeholder, government structures that are anxious to discuss those issues. We also need to understand that just because we mention multistakeholderism it doesn't mean automatically we get solutions. Multistakeholderism is not an all‑inclusive concept and it doesn't come with a magic wand that we just wave and suddenly everything is fixed. But one of the great things that it does is that it brings people together that share a common value. And through this common value they share also responsibility. And in the context of the Internet and multistakeholder, this nexus, is the fact this common value is preserving the Internet. It's preserving the open, and interoperable and the generic nature of the Internet. This is a good starting point to bring parties together, us, we've just heard and actually make them sit down and work with one another because there is a lot ‑‑ and governments do not necessarily get it. And I hear it all the time.
But my response, my automatic response is because I am a policy person, why should they to begin with? The same way that the technical community doesn't really understand the way regulation and policy making is working, governments ‑‑ we cannot expect governments to automatically understand the challenges, the technical especially challenges, surrounding security. That's why we need the technical community to come and explain what these challenges are.
We saw this happening. Unless we start working together, we will see this happening all the time. Just, you know, a little bit of security, a very clear example has been in the digital context in IPR. Suddenly we saw loss coming about but were endangering things and it's simply the nature of the architect of the Internet simply because policy makers do not understand what those challenges were. So we really need multi‑stakeholder participation. I know it's slow. I know it's occasionally tedious and I know it can be very frustrating. But the alternative positions, I personally believe, are ‑‑ may lead us to paths that might be more challenging and tricky than what we're facing now.
>> ROBERT GUERRA: So I may be a little bit of devil's advocate here. I'm a supporter of the multi‑stakeholder model, but I think we've been talking about it since the very first IGF and kind of where we ‑‑ and what are some of the challenges? So I think in an ideal world, I would say ‑‑ and I hate to use this word, in a kumbaya world ‑‑ we're all talking about multistakeholder and it means that we can all come to the table even though we have different views and different ideas. You say the word and magically we all talk together.
We've been talking together for six or seven years, and in some cases that then comes back in a national and regional level and it cause ‑‑ it creates a window of opportunity for dialogue and conversation. So I think that's a good thing. But let's not forget there are other factors and other tendencies also that are pushing back not against the multi‑stakeholder model, but national security is the big elephant in the room as was discussed in the high‑level meeting and throughout as well, too. I think where we need to see that is that there are a lot of great challenges to make the multi‑stakeholder model work. We just can't invoke it.
So I think what organizations here, and I would say a recommendation going forward, is we have to practice what we preach. If we're saying we're going to be working together with different stakeholders, then the technical sector, the government and the one stakeholder group that has not been mentioned by my previous colleagues is the Civil Society. Other than Konstantinos, but everyone else all needs to work together. They're all different skill levels and practical things, whether it's skill share, it's not inviting just folks here. So, for example, from a research perspective what we do is we realize there's been a gap that some of the research that we do around mal ware or attacks, realize that there's a great wealth of knowledge, but also analytical tools and an approach that would help us understand what we're doing.
I would say the flip side for the technical community is how are tools going to be deployed? Or if you see certain traffic taking place, if you had a better sense of the context, you would realize. I'm just remembering something from a conversation or a discussion on the S‑AK list about a week ago is there's a whole issue with Katari Top Level Domain kind of went down. For a long time everyone was talking about, oh, it's down and just kind of a reaction around it. I think other communities, other parts of the technical community were talking the same thing. Had you been looking at this in a multi‑stakeholder lens, we would have realized there was a set of geo‑political events taking place at the same time and there was a context that was feeling that.
So that would have better understood that it had to do with something far more nuance and complex.
So I'll finish and the thing is that the challenge is that we have to put it into practice. And it's hard. And it has to make ‑‑ and there has to be a way to audit. And I would say that so the role of government might be to enforce the multi‑stakeholder model. I'll challenge that because in a lot of panelists who are having places that's not taking place and maybe a regulation says, yes, all the stakeholders have to get together. If you don't, don't call it multistakeholder, just call it a meeting of private sector and the government.
>> MARCO HOGEWONING: Thank you, Robert.
I believe we have some comments from our online panelist then, Chris.
>> CHRIS BUCKRIDGE: So we do have two online panelists who are having trouble hearing the audio and seeing the video but are bravely following the transcript live. So this is a bit out of order of discussion. They both asked me to read their introductory statements here. First is Kimmo Ulkuniemi and he says, "Hello, everyone. My name is Kimmo Ulkuniemi and I'm working for Interpol Global Complex for Innovation in Singapore. IGCI is the only global law enforcement organization responsible of supporting cybercrime investigation. I'm Assistant Director of Strategy and Outreach and my subdirector is responsible for all the public‑private partnerships regarding cybersecurity in Interpol."
And then Tatiana Tropina has her opening statement. "I wanted to say, so about multi‑stakeholder models in cybersecurity, I think we need to understand that there are several fields or pillars of cybersecurity, and depending on the pillars, the players' interactions between them would be very different. For me those pillars are cybercrime, prevention, detection and investigation, critical information infrastructure protection, and national security.
"We will have different models in each area because they do overlap. I doubt we can extend what we've already achieved in multi‑stakeholder cooperation in fighting cybercrime. We cannot achieve the same cooperation in national security issues where fewer stakeholders are participating and governments are not willing to collaborate but rather to regulate. And because of the blurred borders between these areas and the absence of clear legal frameworks, we have some gray areas and problems with trust between government industry and Civil Society.
"So basically I wanted to say that the cooperation and participation of different stakeholders will depend on the area we are operating in. And if in some areas governments would be willing to collaborate, in others we will have strict requirements, security clearances, regulation, lack of transparency and trust, and possible abuse."
>> MARCO HOGEWONING: Thank you. I was about to ask this of Konstantinos. And it's nice, a nice way to channel. You mentioned ‑‑ you sort of dropped the word trust into your statement. And then now to challenge, to make it much clearer is, yes, we cannot expect governments to understand everything and we cannot ‑‑ we cannot expect them to solve everything. At the same time, Peter in his opening statement said yeah, the default measure at the IETF was to by default switch security off. And as he already mentioned in his opening statement, that's likely to change.
But what can we do or what should be done? Or where can we do ‑‑ where can we go in restoring the trust? Is there a need to restore the trust in this field?
>> PETE RESNICK: There's something ‑‑ I'm trying to collect together a couple of different threads here because some folks did set this up as the technical community versus or most communities even versus the government community. And I don't think that's exactly the only opposition. So, let's talk about that security owned by default.
There are loads of interesting ways, technically, that we can address things like people snooping at our traffic, including governments. But those things ‑‑ those technical solutions have very interesting consequences, not just for governments and not ‑‑ but also for businesses and for the Civil Society. So, for instance, it would be very straightforward for us to re‑jigger the protocols so that all electronic mail was end‑to‑end encrypted by default. And, yes, there could be man‑in‑the‑middle attacks where people can sniff at that stuff. But we can start out with the bar being quite high. There's a problem. First of all, there's some governments who are happy to have that security on by default, so as long as it's not their ability to sniff their own citizens e‑mail. So, yes, the governments probably have some of their own stake that they're worried about there.
But, for instance, think about Google's business model. Everybody with a G‑mail account, that e‑mail becomes part of Google's very important data to figure out what they can give you advertising for. Well, if we start saying to Google, all of the e‑mail is going to be end‑to‑end encrypted from the user to their destination and you at Google don't get to see the contents of that e‑mail, that changes an entire business model.
Think about the companies that track their employees' e‑mail. And if things started getting encrypted end to end, the companies would not be able to, by default, see their employees e‑mail.
And does Civil Society really want to go all the way down that path? Many people like the idea that they are having some of this information from other people, generally, not from themselves, reviewed by government agencies to see if there is terrorism going on that is being ‑‑ for which e‑mail is being used.
There are civil liberty issues that are clearly at stake here. So I think we want to be careful, A, about pointing to one particular stakeholder, but also be concerned that these things are doing the kinds of things technically that we could do, might start to wash over into all of the stakeholders in very interesting ways.
>> ROBERT GUERRA: So just a quick follow‑up in the work that we've done, and I've done around security for NGOs, the simplistic view, and that's what a lot of the funding was a couple years back, was all around just secure e‑mail or secure browsing, and it totally disregarded habits. It totally disregarded the change in the threat landscape moving from surveillance to targeted mal ware. You can have the most sophisticated end‑to‑end encryption system, but if you have a target mal ware exploit in your computer, they'll see everything. And so I think what the technical community ‑‑ and I would say, you know, government and private sector they have best practices in regards to non‑digital security issues and being able to have the different groups actually share those best practices. I mean, one thing I did mention in terms of the big challenge for the multistakeholder is actually the culture and the language of each of the different stakeholders is very, very different at times and to build trust to be able just to talk. So you can tell everyone, go in the room and talk. But if they're having a different discourse, you know, some of the ‑‑ even the Internet governance community, as well. Imagine someone new coming to the IGF or ICANN meeting for the first time, the amount of acronyms alone is incredible, at IETF with all the RFCs even more so. So I think what we can do is we can realize that that is ‑‑ that's a challenge. And in our own stakeholder groups we've been working on that and trying to figure out ways to share that.
And, you know, something that might be possible is are there mentors from one stakeholder group to the other that could be useful? Some of the outreach efforts. Again, there's probably a lot of stuff that's been done. And I would say for the e‑mail, you know, it ‑‑ I can't agree with you more in terms of that being a simplistic view, but sometimes the simplistic message wins the day. And it creates a false sense of security in that we've seen, particularly, you know, in the developments not over ‑‑ not only over the last six months, but since all of the kind of uprising in the Middle East over the last couple years is that false sense of security has led people to communicate on a variety of different platforms, then they've been shocked and they realize when they're picked up, taken to court and their complete transcripts of all their chats have been presented to them as evidence and they've had to spend 50‑plus years. So they thought that it was safe and it wasn't.
I think where we can work is just on the perceptions and helping people understand risk and threats, more so than this tool is the panacea.
>> MARCO HOGEWONING: Okay. Thank you.
Yes, I was about to say we're about to open to the floor. But I'll leave the next comment to Merike.
>> MERIKE KAEO: Yeah, I want to bring it to trust and transparency. One of the questions in my mind, I'm not a very huge proponent of regulation, but I'm a huge proponent for measurements. Also what I see is even when protocols are designed very securely, okay, it's not necessarily the protocols that get circumvented but equipment manufacturers who are actually building equipment that may not be as technical savvy as one would hope. So how they've implemented the protocol that is supposed to be secure, but they've implemented it in a way that is not secure. And also when equipment vendors ship with certain defaults, default behavior, that is not very transparent to users of this equipment. So I think trust is really at the heart of security at all levels.
You know, just understanding exactly how things work, either from a protocol level, why certain choices have been made, there's always in the IETF a security section, security considerations that actually discusses where some protocols may not be as secure as they could be, but the tradeoffs from an engineering level were made looking at what's best for the overall community with everybody involved in these IETF working groups. So it is a very complex problem. But I think we do have to really work on the transparency as well.
>> MARCO HOGEWONING: Konstantinos.
>> KONSTANTINOS KOMAITIS: Yeah, it's all about using different words. It's all about contextualizing this thing. It's all about trying to make everybody understand what it is. I would like to go back to what Merike say, if we are to judge a little bit the past few months, what has been happening, the issue of transparency has been manifested as a key driver behind all this. People need, to the extent that it is feasible, understand and know what is happening. And because you have this medium right in front of me right now where we are all used to getting information, having access to information, when suddenly that stops due to a curtain or whatever, a wall, then this creates more issues.
So it is very important that we try to ‑‑ we save face. As far as I'm concerned, we see this as opportunity to restore trust. Also go beyond the trust as we had before and also do the same with transparency.
>> MARCO HOGEWONING: Thank you.
What I would like to do is collect a few questions from the floor and then after we'll give the panel a chance to respond. Raj, I see your hand up. Please state your name and the affiliation, if you have comments.
>> NURANI NIMPUNO: And just maybe to make it a little bit more interactive, instead of having one question, one answer, one question, one answer, if we can get a handful of questions, we can throw all those on the panel.
>> RAJ: Thank you, my name is Raj ‑‑ we just did a similar panel like this just before the break and I think some of the people were in the room also. I have one comment, two questions. The first one, I think that we say about common values, Konstantinos, I think perhaps we don't have common values here in the IGF because you hear very descending voices and I think there are two major countries that just don't show up here and say anything anymore because they've stated we want to be this different model in the U.N. or whatever and we're not coming here anymore. So I think it's important to understand that perhaps we don't have common values. But from there, we're in the room and we still discuss things.
One is that the way of discussion when Jari Arkko presented as Chairman of the IETF last week in Athens at the RIPE meeting, at center stage asked him, who is your enemy? Because there were all these things going on. In the room we have Google, et cetera, all the sudden that became an enemy because of all the data mining they do. Then we had the governments that were definitely not a white elephant, but they were definitely discussed there. And the third one was the ‑‑ now I'm forgetting what the third one is. Can you help me, Marco, remember?
>> MARCO HOGEWONING: Sorry, I'm not wrapping it up here.
>> RAJ: I'll come back to it later and go back to the other question.
The other one is that we have so many different layers responsible for products on ICT and the Internet and et cetera, so many layers in the communication that when I start to contemplate the session I was going to have, I imagined a row of a table that would belong to the end of the conference hall and we still would not have them all, and half of them we could not reach because nobody knows who they are. There's just app makers somewhere in the world that shoots something into nobody knows each other. You have a new app that may be vulnerable enough. And that goes just from play things to very serious things. Is it possible to look at the chain of the Internet and see who is the dominant key player here that could actually be somehow made responsible for the security of that part of the chain?
And, of course, that is going to be the hardest thing possible, but could that be some sort of product driver we were talking about in the previous panel that actually said, well, if the government says this is the product it wants to have, a lot of people will follow that and then you have a higher standard because of it. But then you have to know who the key drivers are.
If I think of what number three is, I'll come back. But it's about who is your enemy and who are you actually going to deal with first? The criminals ‑‑ yes, I got it. The third one are the criminals. So we have the Googles, the criminals, and the government. Who is your enemy? And who would you want to tackle first?
And perhaps by tackling the first one, you'll discipline the rest in the direction you actually wanted to go. So your thoughts on that, please.
>> NURANI NIMPUNO: Maybe we can do Google this week, government next week, and the criminals.
Okay. So let's get a few more questions and we can throw them at the panel. Anyone else?
>> MARCO HOGEWONING: I thought I saw more hands earlier on.
>> NURANI NIMPUNO: They look shy.
>> MARCO HOGEWONING: Ah, yes, Meredith.
>> MEREDITH WHITTAKER: Hi, great panel. This is Meredith Whittaker from Google Research. I just have a quick comment, and this might get to Robert's sort of kumbaya proscription, so I apologize. One of the things I love about this discussion, the discussions that bubble up from the technical community who are familiar with those processes is this sort of approach to transparency and self‑correction. So built into these processes is constant self‑correction, is constant, you know, steering and recalibrating based on models that are assessed, you know, in reality in realtime. And I think part of what is important there is ability for being wrong not to be a crisis. So you have to be able to say I don't know, to say I was incorrect to say that doesn't make sense to look at the data, to measure that as Merike said, and to recalibrate your assumptions based on that. I think thinking about how that could work in a multi‑stakeholder, whatever that means, framework, is a really, you know, I don't have an answer to that, but a really salutary exercise. How do governments, how do regulators, how do people whose careers may be based on some prescriptive idea of what needs to be done be integrated into a process that's constantly recalibrating, that needs to adjust. In June 2013, there's before and after. Adjustments need to be made and that needs to be realistic and timely. That's not a question, but that's something that I think you guys were pointing to and I really appreciate it.
>> MARCO HOGEWONING: Thank you.
I see this gentleman here.
>> PATRICK JONES: Patrick Jones from ICANN's security team. This has been good. And I wanted to raise a point that I wanted to raise in the Dutch session before lunch and didn't have a chance to raise it then, so I'm going to raise it now.
With national cybersecurity strategies and the European commission's efforts, potentially bringing in Internet technical operations that are globally distributed, having these regional types of regulations raise challenges, so it would be good for the panel to talk about the impact of national strategies on global technical operations and globally distributed resource.
>> MARCO HOGEWONING: Thank you.
And the lady behind you also had a question, then we'll fall back to the panel to gather some responses.
>> CHRISTINE: Hi, I'm Christine from ‑‑
I think two questions. This morning I was in multistakeholder panel. We're talking a lot about security and that area. But I think one stakeholder always missing in all these areas are the software developers. We don't see them here and they are the real cause we are all here trying to correct something. And every time we think about software vulnerabilities and problems in software, we always ‑‑ the technical community, IETF developers, and people from networking, all have created a standard trying to cope with that. But then a standard is, again, developed by a software developer and more vulnerabilities are inserted. It's just to think about the whole community, whole software engineering community, they don't want to talk about security and they are just creating now. What we were talking about the right incentives and one of the incentives is right; the first software out is the one that is going to be adopted. The first standard out is the one to be adopted. People in universities are being taught or not taught about software security and you have just a mobile getting worse and worse and worse.
So I think this is one area that, from my perspective as a sir‑perspective, we try to reach but is one of the hardest. We have been talking to people from legal area, from policy makers, and I think it's easier to reach to them than even to reach to developers.
Then just as a point maybe to have a take from people from the panel, something that worries me a lot is that we are seeing more and more security as a scapegoat for different agendas and as a scapegoat for control measures and not for something that would actually improve security, but just not really to implement different and weird things. As you said in the opening, it's very complex. Security is not an easy area. It's very complex for people to understand, then it's very complex and easy for people to manipulate. So I think we're in a very worrying time now that we really need to work as a community how not to let ‑‑ actually not have security, but have a worse Internet in name of security. I think this is something that could come up a lot in the next few months and years.
>> NURANI NIMPUNO: Very interesting, thank you.
>> JAN MALINOWSKI: Yes. Hello, Jan Malinowski from the Council of Europe. I would like to make three quick points. I hope they are quick.
Yes, I hope they are quick.
The first one is that total security doesn't exist. It always comes at the ‑‑ the higher security comes at the expense of a reduction in freedom and liberty. So if you want more security, you will trade off certain things that you may not always want to trade off. That's a blanket statement. One can moderate it, but at least it is ‑‑ it does give an indication of the thinking.
The second one is that multistakeholderism is about dialogue. It's not about co‑decision making. It's about ‑‑ not even about common values. There may be certain common areas of agreement, but at the end of the day multistakeholderism is about good governance, which is about listening to the others. It's about taking into account what the others have to say in order to be better informed when making a decision. Whoever is the relevant body or person or community that will take the decision at the end of the day. So it is a good governance issue.
And the final one is related to the question of security and so on. Going into an example, to show a bit what I mean.
Crime, cybercrime, for example, it is a security issue. Now, normally, traditionally, the repression of crime is the monopoly of the state. We are talking multistakeholderism; how to incorporate the multi‑stakeholder dialogue and identifying the roles and responsibilities of different parts of the community, of the Internet community or different communities within the broader world of the Internet in respect of combatting cybercrime.
What I would say is, if I can give an example of a tricky area where more debate needs to be had ‑‑ sorry, before I go into that, criminal law will never resolve crime. We know that. Criminal law puts a few people in prison. It dissuades others from doing and it educates others ‑‑ it dissuades some that would be minded to engage in crime not to do it. And then it educates others that might have wanted to engage in criminality that it's perhaps better not to do it. So that is a bit the background. We know that in any community the vast majority of criminal activity is not tackled by the criminal law system and it will be the same in the cyberspace area.
One concrete example in the criminal activity area on the Internet. We have the question of peaceful protest. In the physical world, peaceful protest has been addressed and has been regulated and teased out by the courts and interpreted and so on. It has evolved over time. Peaceful protest can be disruptive and can be very annoying for some, and it can even carry a price tag for those who protest and for those who are at the targets of the protest. Now, that is an area which for the time being in the cyberspace is considered automatically to be a criminal activity. So any intervention, interference with someone else's transit or website or whatever, even if it is simply to make a political statement, it is immediately considered cybercrime. Now that ‑‑ I'm not trying to suggest an answer to that. It's simply to indicate that the answer is not yet there and that more dialogue is needed. And we need to listen to each other more in order to come up with the right answer. Thank you.
>> NURANI NIMPUNO: Great set of questions. If other people have questions, please hold them. We'll throw them to the panelists, because there are so many questions. I'm going to try to throw out some of the issues there.
So the idea about multistakeholderism not being a question of common values, but I love the part he said about despite good governance, but listening to each other. But also the part about the ‑‑ I guess the relationship between governments and those, for example, in the operational community and how you get that ‑‑ how you get governments and decisions they make into an ever‑changing operational world.
The part about trust, I think we've touched upon that, but I think you might have some interesting things to say about that. But then I'd also like to put the thing about so we often talk about security versus privacy. And, you know, we have to find a balance. But I think some of the things that Robert touched upon was also about security and anonymity in terms of privacy and that it can it protect civil rights. So security in what sense? For who? To what end?
Yeah, I think you're ready to pounce, so I'll let you go.
>> ROBERT GUERRA: Just maybe add something in regards to kind of trade‑offs as well that haven't been mentioned going back to e‑mail analogy and making it difficult or not. I would say it's not just about freedom and the balance of security and freedom, but from a user perspective in just using the technology, you have to factor in usability and convenience. There's some wonderful tools out there but they're so hard or so geeky that your average user or, as the trainers say, the grand mums can't use the tool. So it makes it difficult. So this may be one thing to add.
Another thing is someone mentioned earlier something about enemies and which is the enemy of the week, but then earlier we talked about an ecosystem, so we're all in the same bounded space together. So I think if we can talk about the environment and even though there are actors, I think there might be a need sometimes to have regulation to just regulate how the ‑‑ if there's something deemed an activity but it's also the community working together.
And then I'm maybe going to add an explosive comment or a question. Just going back in terms of offline and online, so you're talking about protests and all those consequences, it reminds me of something I don't prescribe to, but someone in Civil Society if you're thinking of digital equivalence of online space, then the offline space when those that want to have some sort of action and get the attention of others, they'll strike, they'll protest, and they'll barricade. So something that's come up in the past that the technical community quivers about is D‑DOS a protest measure? If you're going to say that or not. I think that's something else that if you're going to bring that up brings up a whole bunch of other things. Something you mentioned, I think you quoted in the multi‑stakeholder model, you defined it well, but I think, too, it's how do we bring traditional offline expressions and rights that we have and not just have it by default being secured, going to prison if it's in digital?
So I'll maybe put that and hopefully it will be an interesting set of answers.
>> MERIKE KAEO: All right. I'm going to address the question like primarily does somebody own security, should somebody be in charge? Just really quickly, I made a list, from a technical perspective, what's all involved. You have to deal with equipment vendors, these are your home routers, firewalls, switches, routers what have you. Then consumer electronics, my dryer will tell me whether or not, you know, it needs to be repaired. Your TVs, your music systems, your refrigerators; right, all of them are going to be on the Internet. Somebody has written their software. Do we know whether or not somebody can use that in a service attack? Then you have the chip vendors, your hardware. You have software writers. You have mobile application creators. You have protocols themselves. You have the Internet service providers. You have the businesses. You have the end users; right? There's probably a lot that I've missed. So I think you get the point that there are a lot of people involved. And they are all responsible. We are all responsible. And if I'm at home and I have, you know, I have to be cognizant what my device does. Whoever I buy my electronics from, I drive them crazy, because, first of all, I ask if they support IPv6, but I do. You're trying to figure out, well can I filter anything? What? Can I upgrade my software on this television? What? Right? This is part of the growing problem that we have to look at.
So it's an expanding problem because everything is going to be on the Internet. I mean, there's just more and more things on it. And so, you know, I don't think that there's one entity that can be responsible. I think collectively; right, as technologists, as policy makers, as law enforcement, we have to try and figure out how to mitigate the risk as much as possible.
I will also echo the point about software development.
So I have an engineering degree and I have to take some software classes. I got a very good grade when the program gave the result that it needed, not that I did error checking. All right. I believe that this is still true today. This is the problem. Okay. It starts with the education where I wish you would get a lot of extra points the more error checking you did.
So anyway, that's it.
>> NURANI NIMPUNO: Could I just quickly follow‑up on that. So you're saying you do not want to be responsible for all these different ‑‑ you personally. You seem like a very reasonable person. But if ‑‑ so basically you're talking about this shared responsibility that we also hear about in various context. We have a shared responsibility as end user. As a consumer you have a responsibility to do certain ‑‑ to be aware of what tools you're using and what you are doing and everyone through the whole value chain has a responsibility. But ‑‑ and that sounds great, but really, how realistic is that?
My mother‑in‑law is 80 something. She's got an iPad. She doesn't know what she's doing. How ‑‑ you know, governance are not techies, you can expect some dialogue, but, really, how much responsibility can you expect them to take? And how much can you expect the technical community to take?
>> MERIKE KAEO: And I think this has no clear delineation, but I will bring it back to education. I know a few countries that have actually spent a lot of time educating their constituents. My mother is 80 years old and she has to do a lot of things online. I will mention that my background is that I'm Estonian. So whenever she goes to Estonia, she has to renew her insurance. She has to do her banking online. She has national ID card which she has to know every five years she has to go to bank and get new certificate. She is able to do that without calling me. I can definitively say that I have 90 gigabytes. I have a lot of data that shows all the TV shows and advertisements that they have done to educate children, older people. Usually we're not good at doing that, there's too much jargon. So I think educating at the level that people can comprehend, not that they need to learn the technical jargon, but we bring it into terms that they will understand.
I think that's really needed.
>> MARCO HOGEWONING: I have a few comments online, Chris.
>> CHRIS BUCKRIDGE: We have one coming in from Tatiana Tropina. It's responding to Mr. Malinowski's question, comment from the Council of Europe. She says, "The response is that I disagree with Mr. Malinowski. I agree that criminal law cannot solve the problems, but the absence of clear substantive and procedural frameworks in this field is bringing us to the problems. If we do not regulate there, if we do not have, let's say, a framework for access to measure data or content of communication for investigation, then certain types of crime we will end up with gray area where governments and LEAs can collect little data with little or no judicial oversight. And, as in Mr. Malinowski's example, make it a crime to protest.
"This is the issue about criminal law. It does not solve a problem, but we need clear frameworks to separate crime from other activities and to implement safeguards protecting rights of the citizens during crime investigation and, which is even more important now, during crime detection and crime prevention. It's about the prime ‑‑ entity primarily responsible for security. We know that the value chain transferred to value networks and there are so many players on the ICT markets from the software developers to vendors, operators, app developers, et cetera, et cetera, et cetera. This is not the value chain anymore, this is a value network and that is why we're talking about multistakeholder actually.
>> MARCO HOGEWONING: Okay. Thank you.
Pete and Konstantinos, then we will go back to get our responses.
>> PETE RESNICK: I would love to go on about software developers, but it's my day job. It would take too long, so I will take that outside of the room.
The two comments I think that tie together, who is your enemy issue and the thing that Meredith brought up about the self‑correction built into the process. In the engineering end of the world, in the standards making and tech community, one of the things we've been pushing for with recent revelations, with all of these issues is we have to separate out some of the panic and some of the screaming from what needs to be done. One of the things I think that's important is actually ignoring who the enemy is and focusing on what's the threat we're trying to avoid.
And because noting who the enemy is sort of focuses everybody on that darned U.S. government which is doing all that evil stuff. That's not a way to move forward the technology. What is is, okay, do we want to avoid active, passive sniffing of our data? Do we want to avoid folks who are willing to infiltrate our computers as opposed to just look at the network? Those are the kinds of questions that we need to ask and hopefully those protocols are built in such a way where we can say, oh, new threats. Okay. We adjust the protocol in this particular way and make that correction. So I think those kinds of abilities are what the technical community is good at to avoid some of the hysteria.
The other comment I wanted to get at, the poor chap in the corner who everybody is going to disagree with. There was a comment that I found very odd. He said, "Total security doesn't exist." I agree with that. That's certain. I think trying to build that perfect security protocol is a horrible failure every time. Then he said, "You always have to trade off ‑‑ and I was expecting the next word to be performance or something else, which I have some disagreements with, but he said "You have to trade off freedom." And I thought, my, depends on what you mean by "freedom". Because, of course, increasing security preserves many freedoms. And so I think a lot of that has to do with the framing of what the problem is.
Okay. So we may be in violent agreement as he shakes his head up and down. Violent agreement is something in the IETF we do quite often. And I think one of the things that the technical community needs to keep in mind is that, again, these are tools that we are providing to folks for different uses. The lack of encryption helps certain folks for certain ‑‑ sometimes very important things. We, you know, businesses for whom they want to do mass searches over data in order to prove that they are the owner of this, you know, particular piece of information, or that they are the ‑‑ you know, they can prove that they said this sometime ago in court. Having that all encrypted makes it all that much more difficult. So it's important for people to quickly find things and not rely on do I still have the keys? But, we need to provide the tools such that when I do want to lock this stuff down so no one else can view it but me, when I do want perfect thwart secrecy so no one can prove I said it, these are the tools and things we have to provide for people when they want to use them.
>> MARCO HOGEWONING: Konstantinos.
>> KONSTANTINOS KOMAITIS: Yes, very quickly. I want to respond to mainly the issue of common values. I would respectfully disagree. I think we do have one common value. And, yes, maybe not every single one of us, but to use an IETF term, we have consensus that we need to protect the Internet the way it works. On that basis we also need to understand that we are living very challenging times. And I don't think that assigning key players to deal with security are going to solve this. And I think that production is something that I noted down. We haven't seen the technical community through all this process panicking. And I think this is wonderful because they actually are the ones that they understand better the ins and outs, the technical details of what has actually happened. And the fact that we have a community that really understands the issue, yet again they maintain their calmness, for me I feel secure because I know they are thinking of things, they are deliberating, they are discussing them, and they are going to bring them back because of this need to actually find solutions and for the ‑‑ and for ensuring this common values.
So I would like to, I said it before and I would like to repeat myself, that this is a great opportunity. It provides us, if you want a gateway to greater means of cooperation, to strengthen the cooperation, because I don't believe that there's no cooperation. I just believe that it provides the gateway to strengthening the cooperation and actually building those bridges. As we say at IGF, it's meant to be talking about.
>> MARCO HOGEWONING: Okay. Thank you.
I'm going to do a quick round of responses from the floor. Please do keep in mind we're under a time constraint.
>> NURANI NIMPUNO: I want to throw in a quick question, if I may.
It's almost like you sitting singing kumbaya together. I'm going to be the voice of dissent. So everyone agrees that security is a great thing. But is it really? I mean, security ‑‑ do we really need security? Isn't there a risk that by, you know, trying to secure parts of the Internet more and more we give the illusion that it's secure. We talked about this thing that there's no perfect ‑‑ there's no total security, if you can use that term. But securities, it's not all great. It's difficult. It's hard to use. It costs a lot of money. Isn't it better that we just all agree that what's on the Internet is public? People happily share all sorts of things on Facebook. If we just all agree that if it's on the Internet it's public, so it's not secure. And as long as people are educated on that, you know, we're all fine.
>> KONSTANTINOS KOMAITIS: Very quickly, I would like to add something as well on your list of things, expansive, whatever. It can also be misused. Tools that we're creating to secure communications to what's happening on the Internet have a flip side. They can be taken by whoever and be misused and used as tools for censorship, for many, many things that we really do not want to see. So, yes, security comes with its own tricks and challenges.
>> NURANI NIMPUNO: You're not supposed to agree with me, you're supposed to disagree.
>> KONSTANTINOS KOMAITIS: At the same time, I cannot accept that we don't need security. And I keep hearing all the time the Facebook story, yes, we're giving away information. I think one of the things the Internet has done is the fact that it has actually loosened up and at the same time made it stronger what we mean by privacy and how each one of us define privacy. So, yes, the younger generation that is using Facebook have no understanding of the kind of privacy that I have. So we make different uses. For them this is okay because that's how they're growing up. Whether it's good or bad, only history can tell. Depending on where you come, your persuasions, you're use of privacy, things might change. But the idea of giving up security or not even trying to address the security challenges for me rests in a little bit uncomfortable place.
>> MERIKE KAEO: I will disagree with you. I love to disagree with you. And the reason why is because what people don't understand is that security is only really complex if you put more and more mitigation techniques in there. Because of the fact that Pete is not giving me his laptop and letting me type on it, he's creating some security around that. Okay? So we, when we think about it; right, we actually do provide security. The people that are creating our networks, they don't let it just be a free for all. They usually have people authenticate before they get access somewhere. And while these are minimal risk mitigation techniques, they are risk mitigation techniques. And the thing around security and what makes it so complex is that you have to understand all of the ways that somebody can circumvent the techniques that you're putting in so that they can get access to the data, or impersonate you, or, you know, make services unavailable. And the details are what's complex.
So you don't have a free for all, no matter what you do. Even your TV vendors; right? It's not like I can go and reprogram some of the parameters. The vendor will do that for me, very happily; right? So you don't have a free, no secure Internet just at the get go.
>> MARCO HOGEWONING: I have three flags in the room and Robert wants to comment.
>> ROBERT GUERRA: Just a quick comment. I heard your question and I kind of heard it translated in my mind to what do we have to hide? Why do we need security, it should all be open. I was trying to think in another way to answer it. I think if that's your premise, then you're expecting that we're not going to do anything with the data, that it will just sit out there. So you're assuming perhaps that there's no malevolent actors, that people won't care in terms of the sensitivity of the data. But people do expect some sort of protections.
Again, going back to some of the earlier definition which was they ‑‑ people sometimes expect to be safe from danger and threats. And so if you want your on ‑‑ your offline protections that we all have because they're universal, of privacy, freedom of expression, association, you do realize that just, you know, when you want to have a conversation with a, you know, about a business deal. So, for example, it would be very different. And, for example, bringing an ICANN, in an interesting way, there's a lot about the GOT process, there's a lot of companies bidding. Imagine if every single part of that process was completely public, including the negotiations. You'd be in a different position right now. So there's an expectation that certain things need to be private. So I think the same thing is just that if you want certain rights then you deserve a certain level of security and they can go hand in hand and not one against the other.
>> NURANI NIMPUNO: Okay. I'll sing kumbaya on my own then.
A few more questions.
>> MARCO HOGEWONING: For the sake of time, please try to be brief. ‑‑ unless somebody else has anything urgent, then we'll follow back. Then somebody in the back, and we'll leave the last words to the panel.
Yeah, go ahead.
>> AUDIENCE: Yeah, I said that I was going to be very short and because of that I didn't say the elements that you complimented, that Tatiana, Robert and yourself supplemented, added to what I would have wanted to say. I would have wanted to say much more in addition to that.
>> MARCO HOGEWONING: Thank you.
Filiz, please. Please state your name and affiliation for the your comments.
>> FILIZ YILMAZ: Sure. Filiz Yilmaz, ISOC Ambassador. I am speaking on behalf of herself, obviously. I don't want answers really, I just want to throw this out there, because this is the end session that I'm attending that these issues are being talked about and they all, obviously, tangential to each other. One thing was raised, I truly believe in the trust issue. I think there is a long way there to build up. But it seems to me like then people are talking. There seems to be trust issue towards ‑‑ to the governments from technical committee, from governments towards technical community, I think there is one issue, angle there or in between the users. At the moment the users, I don't know how they are to trust those users. We don't know where to trust.
I might be given under ‑‑ after all this, I might be given some piece of protection mechanism on my laptop which will assure me by some techie that I will be protected, but how do I know it is not serving to peace officer surveillance act? Fair enough, there is some talk that needs to be put on the government level, but I think technical community, and I'm part of that, I see myself as part of that, we have a long way to think through about this issue, too. How do we have that trust being put back towards our side, as well? Thank you.
>> MARCO HOGEWONING: Thank you.
Walt.
>> WALT: Well, Walt ‑‑ representing myself at the moment. I think a final question, I think we talked about white elephants, there's a major white elephant in the room that nobody has mentioned. Half of the questions and half of the answers go to government. Why isn't there a government representative in the panel because then they could answer the questions and the comments.
>> NURANI NIMPUNO: We do. We do have some governments to participate. And I know, without putting anyone on the spot, I asked some government representatives to be in the room. Maybe if they want to comment, I can just leave it open to them.
>> MARCO HOGEWONING: I see somebody in the back of the room now. But let me take the question from the gentleman in the back first.
Yes.
>> AUDIENCE: Thank you. I am Bene from ‑‑ political justice and security affair. But I'm sorry because my English is not good. But I try to make a question. How to draw a system back on about cybersecurity, although in this meeting we say about Internet security. Where ‑‑ when I follow every meeting or seminar in my country, the important things is how to draw system pattern about cybersecurity. Why? Because all ministry, all institution in my country say that this is private domain. Like the Science Ministry, the cyber is defense is his domain and cybercrime, police department, say his domain. But when we try to analyze because ministry according to political justice and security affair always look the policy. This is already criminal or no, because we ‑‑ if we didn't have no ‑‑ how to draw the same way about pattern cybersecurity, this is affiliation with how to make education, policy or ‑‑ this is three factors. Maybe I want to know from this meeting how should we know ‑‑ how we have same view about cybersecurity pattern. Thank you.
>> NURANI NIMPUNO: Great comment. Maybe not just multistakeholder cooperation by within the same stakeholder group.
We are ‑‑ we have one last comment I think. We are running out of time. I hate to cut this discussion, because I think this is just starting to get interesting. We'll take the comment and then we'll let the panelists do a final quick ‑‑
>> KIMMO ULKUNIEMI: Last comment is from Kimmo Ulkuniemi, LL, absent panelist, online panelist he says, "Quick comment. We're talking about cyberspace and crimes in Internet forgetting that they're, in fact, happening somewhere and that place usually has laws. The problem with cybercrimes is that not every country has a national legislation about cybercrimes and all countries don't want to regulate cybercrimes the same way. I think there is a good question, should we try to secure Internet or not? Although there is the same question should we secure our daily life outside the Internet?
"I think no one is giving up in securing the Internet. More and more our daily life will be the on the Internet; shopping schools have tests and grades; cars are connected on the Internet. People are more and more dependent on the Internet and we should try and make it safer for all the people. Governments and private sector are motivated to work together for safer cyberspace."
>> MARCO HOGEWONING: Thank you.
Last round of comments from the panel. Shall we just start with Robert and work towards you, Nurani?
>> NURANI NIMPUNO: If you could all just use minus three minutes each.
>> ROBERT GUERRA: Maybe a tweet. Great conversation. Good dialogue. I think a lot of things have been said, so I'll just finish in saying ways ‑‑ the other thing for the multi‑stakeholder model that's key around these issues is that the conversation needs to take place on a continuing basis, not just once a year.
>> KONSTANTINOS KOMAITIS: I think you've nailed it. You hit the nail on the head when you said this is what, the tenth, 20th, cybersecurity session, without this platform none of these discussions would be taking place. So please, I want to believe that this is shaping forum of ideas that you all can take and start working through cooperation and through collaborative channels in order to instill the trust, go back and make things more transparent and start understanding better cybersecurity issues.
>> MERIKE KAEO: We're going to be mimicking each other. I think we need to continue the collaboration. I also think there's not just one owner in security in every country. So I think dialogue needs to continue. Thank you.
>> PETE RESNICK: I think ‑‑ it's always terrible when the last few comments from the floor are exactly the ones you could go on for hours about. I think one of the interesting things that came out of the spam and cybercrime session yesterday was that there are great opportunities for education. Some of those are very straightforward; how to use the tools that are available, what to do. But some of the other education that I think needs to take place is educating each other, each of the stakeholders, on what their particular expertise is and how to transfer that. I think Merike said ‑‑ I'll mush your two names together, it's much easier that way. I think Merike said earlier that the idea of figuring out whose responsibility each piece was is an important piece of the educational process that the technical people have to educate, the government people have to educate, the user community, the civil society, in effect, and the education has to go back the other way. How are your tools being used? What are they being used for by whom? I think that gets at some of the answer, which I wish we could go into more about how do you get these different parts of even government to agree on which parts they have responsibility for. These are wonderful questions.
>> MARCO HOGEWONING: Chris.
>> CHRIS BUCKRIDGE: We have this, I don't know if it's quite a conclusion, but we're working with bit of time difference here. Tatiana says, and this is in reference to I think Kimmo's statement a little earlier.
"I disagree. It's a stand of criminal law, many countries, almost every country has legislation on cybercrime and it is more or less harmonized. The problem is procedural frameworks and that's where we have to put our efforts."
She notes, "This is a comment coming from someone who did a study from UIC and analyzed legislation in more than 130 countries. We do have legislation on what crime is. We do even have it harmonized. We need to protect rights and implement safeguards during the crime investigations and implement the frameworks that we use for investigation. Because it was surprising for me, for example, that Europol Interpol conference that even the police don't know what instruments they have, according to the cybercrime convention."
>> MARCO HOGEWONING: Thank you.
I think we're going to wrap it up here. So, and I would like to add in one final closing comment indeed, let's continue this dialogue during coffee, and tonight during dinner, and everywhere else we can.
Thank you all for being here. Special thanks to our panelists for joining, sometimes at last minute. Thank you for Tatiana and Kimmo for your online participation. For you, it's quite an early hour. So thank you all and hope to meet you around. Thanks.
(Applause.)
********
This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.